Ask HIPAA Compliance Software Vendors These 3 Questions
While compliance with the HIPAA rule can be accomplished on one’s own, healthcare providers and business associates increasingly choose to streamline the process by seeking outside help. The market is flush with HIPAA compliance software vendors selling HIPAA solutions, making the task of selecting an appropriate resource daunting.
Having answers to the following three questions gives you the best chance at finding a useful HIPAA compliance software service and forging a lasting relationship.
How much time will I need to commit?
You are in practice to help patients, but you are in business to generate revenue. Therefore, it is critical to maximize time spent performing revenue-generating activities and minimize time spent on non-revenue-generating activities, such as HIPAA compliance.
With each software vendor you investigate, determine how much time you’ll need to commit to get fully compliant; the more time required, the less valuable the service. Be sure to account for hidden time expenditures. For example, one-on-one coaching calls are often promoted as a benefit; however, the time you spend on the phone relaying information to a coach is time spent not helping patients.
Or worse, the HIPAA compliance software vendor utilizes a time-wasting risk assessment tool, which leads to the next question.
Will I truly be compliant using the service?
Continuously ask yourself this question. Do not ask the software vendor because you’ll get a Yes every time.
There are three telltale signs a service will leave you non-compliant. If you spot any of the three attributes below, immediately eliminate the vendor as your potential HIPAA compliance helper.
- A risk assessment is utilized in lieu of a risk analysis. A risk assessment is NOT a requirement and it’s NOT a HIPAA risk analysis (which absolutely is required). A risk assessment is a gap analysis and easily identified by numerous Yes/No questions culminating in a colorful spreadsheet displaying areas where you lack compliance. Not only does the risk assessment waste valuable time (remember, it’s not required), it can lead to legal ramifications because it can be used as evidence you knew you were not compliant in particular areas.
- The service includes generic HIPAA staff training in the form of online videos. The HIPAA rule is very clear that your staff training must be specific to your practice. While some topics can be standardized across all offices, and can therefore be a generic video, other topics are impossible to standardize. For example, Emergency Operations is a required annual HIPAA staff training topic and it is impossible to duplicate the content across multiple healthcare facilities using the same video.
- You are given generic HIPAA policies and procedures. Just like training, many of your HIPAA policies and procedures must be specific to your individual business location. Even if you share office space with other independent practitioners, your individual practice is unique, so your policies and procedures must be unique, too.
How much will it cost me?
You likely operate a small business and must be cost conscious. Look for HIPAA compliance software vendors who cater to small- and medium-sized businesses, as their pricing usually reflects the customers they want to attract. Software vendors who service large healthcare entities make far more money on big clients and tend to focus time and energy on those clients, not you.
Fortunately, software solutions tend to be more affordable than traditional consulting services. However, just because something is computer-based doesn’t automatically make it the right fit for your practice. Be aware that not all software products are equal. Many are still time-consuming and can leave you non-compliant.
In and of itself, meeting HIPAA compliance requirements is daunting, but you can change that narrative with the right software tool. Now that you know what questions to ask, find a useful software vendor to help you accomplish HIPAA compliance in less time and at little cost.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.