So many people are struggling to get caught up on their compliance obligations because they just don’t have the time or resources to deal with it. We hear this so often I felt it was time to write an article on how we respond to the request. There are several points we discuss with the person asking. Here is an example conversation.
Can you just do it for me? I don’t have the authority to mandate compliance for your workforce. No one, not even your staff, can “do” your HIPAA compliance if management, owners, etc don’t buy in, mandate and enforce the policies and procedures. Are you asking me to do it for you because you think it is just some report you have to file from time to time? Then, no I can’t do that for you at all. HIPAA compliance is an ongoing, management mandated process to protect your business and your patient’s privacy. It is not a report I draw up and you put on a shelf somewhere in case someone asks for it.
OK, I will buy in and enforce whatever you tell me to do, can you do the rest? No one can assemble your policies and procedures without involving some (or all) members of your workforce in the process of data collection, workflow analysis, current policy and procedures review (both formal and informal), IT systems review and analysis, and much more. Only you and your staff truly know how your business runs day in and day out. If we just come in and give you a list of things to do and none of your staff is involved in the process it isn’t going to be followed well, if at all. You have to invest resources in the analysis and data collection to create the proper policies and procedures to fit your organization and make sure they are reasonable and appropriate for your environment.
Fine, I will commit some time from two of my staff members. Can you do it next Wednesday? In most offices, they are so far behind on what they need to do there is no way it can be reviewed in a day. We tried that approach and it failed miserably because of the sheer volume of details to review and questions to ask. There are parts that can get done in a day but no, one day with two people will not get it done. Also, you need to understand you have to commit resources to your compliance on an ongoing basis. It is not a one time thing.
What if I just hire you to do all that for me after you figure out what my policies and procedures should be? Can we get some certification and just be done with it? I have not found a small practice yet that will give up that much control nor be willing to pay for the service at that level. HHS and OCR do not offer HIPAA certification nor do they recognize any third-party HIPAA certifications.
I can’t afford to pay thousands of dollars for this. What kind of costs are we talking about? Based on the experiences we have had in small CE and BA offices, it takes weeks, usually months, of dedicated effort to get all the documentation and training they need in place just to make compliance a normal part of their business activity. After that point, there will be additional work to implement all the changes to your compliance plus the ongoing measuring, monitoring and training required to maintain your compliance. We can’t charge a flat fee service because we never know how much work is required in any office until we get well into the analysis. When we tried flat fee assistance in small offices we kept having to expand the scope of the work and add more fees. Both of us are unhappy when that happens. You definitely don’t want to pay us hourly to do all of this for you. In many cases, we could spend well over 100 hours doing the level of review, analysis, documentation and training required.
What is it you can offer me if you aren’t going to do it for me? Here is what we can do for you. We can HELP you do the work. We can guide you and direct you in the process. Our approach involves your own staff who is being trained along the way as we go through the entire process. They can work on it with the time you just agreed to allocate each week (at least a few hours). It is much better for your actual HIPAA compliance program in your day-to-day business and a better way to budget for the costs of getting you caught up. We focus on building the tools you need to make HIPAA compliance a much easier thing to manage than what you have been doing so far.
There are companies who offer outsourcing of Privacy and Security Officer duties. We aren’t one of them. I know everyone wants the easiest way through this process but I also believe the process should result in actual compliance activity improvements. If there isn’t a good amount of internal participation there will never be a Culture of Compliance. Without a Culture of Compliance there just won’t be much real compliance activity going on in a small office. I will have my team send you a proposal ASAP. You just need to tell me some more about your business for us to get things rolling.