What are HIPAA Consulting Services?
HIPAA consulting services are typically firms of compliance experts with a deep understanding of the Health Insurance Portability and Accountability Act and associated legislation. Usually each firm has a team of consultants specializing in various aspects of the Act, with their areas of expertise including risk assessments, training and incident management.
The role of a HIPAA consulting services firm is to assist Covered Entities (CEs) and Business Associates (BAs) with the compilation and enforcement of HIPAA compliant policies and strategies. The firm´s involvement in an organization´s compliance efforts is no guarantee that a breach of PHI will not occur, but it can be a mitigating factor in subsequent OCR investigations.
Who Needs HIPAA Consulting Services?
Ideally everybody. Not necessarily to guide CEs and BAs along the complex path of compliance from start to finish, but sometimes just to review policies and strategies in order to identify any gaps or areas in which compliance efforts could be improved. The Privacy and Security Rules are particularly complex, and a fresh pair of eyes can often see things that a team of legal experts overlooks.
One problem with engaging a HIPAA consulting services firm is evaluating the benefit if a CE or BA does not subsequently suffer a breach of PHI. What is the likelihood it would have suffered a breach anyway? Of course, suffering a breach of PHI after a consultant has reviewed a CE´s policies and strategies is not necessarily the fault of the consultant. It could have been due to an act by a rogue employee.
How Much Does HIPAA Consulting Cost?
That depends on the size of the CE or BA, its “compliance complexity” and the level of assistance required. HIPAA consulting fees can range from a few hundred dollars into the tens of thousands according to whether a consultant is required to review a handful of documents to ensure they are compliant, or whether the CE or BA needs start to finish HIPAA guidance.
Regardless of the cost of HIPAA consulting, it can be a worthwhile investment. It only takes one avoidable gap in HIPAA compliance policies or strategies for a breach of PHI to occur and the OCR to issue a considerable fine. Even without a breach occurring, a CE or BA can be issued a fine for non-compliance with HIPAA following an audit or other investigation.
How Do I Know if I Need HIPAA Consulting Services?
As a CE or BA, you should have a security awareness and training program based upon the results of HIPAA risk assessments. The simplest and most cost-efficient way of finding out if you need HIPAA consulting services is to have a consultant review your training programs. If there is anything missing from your training programs, the likelihood is there is room for improvement elsewhere in your HIPAA compliance efforts.
Alternatively, download and read our HIPAA Compliance Guide. Our comprehensive guide includes insights into the Privacy, Security and Breach Notification Rules, information about HIPAA compliance audits and audit controls, and links to other valuable sources of information. If you are up to speed with everything in our HIPAA Compliance Guide, it is likely you will not need HIPAA consulting services. However, it may still be in your best interests to make sure.