How to Pick a HIPAA Helper: Ask 3 Questions
by Dr. Jeff Brown
While compliance with the HIPAA rule can be accomplished on one’s own, healthcare providers increasingly choose to streamline the process by seeking outside help. The market is flush with HIPAA compliance vendors selling consulting and software services, making the task of selecting an appropriate resource daunting.
Having answers to the following three questions gives you the best chance at finding a useful HIPAA service and forging a lasting relationship.
How much time will I need to commit?
You are in practice to help patients, but you are in business to generate an income. Therefore, it is critical to maximize time spent performing revenue-generating activities and minimize time spent on non-revenue-generating activities, such as HIPAA compliance.
With each vendor you investigate, determine how much time you’ll need to commit to get fully compliant; the more time required, the less valuable a service. Be sure to account for hidden time expenditures. For example, consultants often advertise that they save time by doing a bunch of work for you. However, HIPAA compliance is very practice-specific, and you’ll need to spend a lot of time relaying information to the consultant before they can get any "work" done.
Or worse, the service utilizes a time-wasting risk assessment tool, which leads to the next question.
Will I truly be compliant using the service?
Continuously ask yourself this question; do not ask the vendor because you’ll get a Yes every time.
There are three telltale signs a service will leave you non-compliant. If you spot any of the three attributes below, immediately eliminate the vendor as your potential HIPAA helper.
- A risk assessment is utilized in lieu of a Risk Analysis. A risk assessment is NOT a requirement and it’s NOT a HIPAA Risk Analysis (which absolutely is required). A risk assessment is a gap analysis and is easily identified by numerous yes/no questions culminating in a colorful spreadsheet displaying areas where you lack compliance. Not only does the risk assessment waste valuable time (remember, it’s not required), it can lead to legal ramifications because it can be used as evidence that you knew you were not compliant in particular areas.
- The service includes generic HIPAA staff training in the form of online videos. The HIPAA rule is very clear that your staff training must be specific to your practice. While some topics can be standardized across all offices, and can therefore be a generic video, other topics are impossible to standardize. For example, Emergency Operations is a required annual HIPAA staff training topic and it is impossible to duplicate the content across multiple healthcare facilities using the same video.
- You are given a generic HIPAA policies and procedures manual. Just like HIPAA training, many of your policies and procedures must be specific to your individual practice location. Even if you share office space with other independent practitioners, your individual practice is unique so your policies and procedures must be unique, too.
How much will it cost me?
You likely operate a small business and must be cost conscious. Look for vendors who cater to small practices, as their pricing usually reflects the customers they want to attract. Vendors who service large healthcare entities make far more money on big clients and tend to focus time and energy on those clients, not you.
Focus your search on HIPAA compliance software tools because software is becoming more affordable. A good software application can service countless clients at once—something traditional consulting can’t do—which keeps cost down. However, just because something is computer-based doesn’t automatically make it the right fit for your practice. Be aware that not all software products are equal. Many are still time-consuming and can leave you non-compliant.
In and of itself, meeting HIPAA compliance requirements is daunting, but you can change that narrative with the right outside help. Now that you know what questions to ask, find a useful vendor to help you accomplish HIPAA compliance in less time and at little cost.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.