HIPAA consulting services are usually firms of compliance specialists with a deep understanding of the Health Insurance Portability and Accountability Act and its accompanying legislation and regulations. Typically each firm has a group of consultants specializing in different aspects of the Act, with areas of expertise including risk assessments, training and incident management.
The job of a HIPAA consulting services firm is to help Covered Entities (CEs) and Business Associates (BAs) compile and enforce HIPAA-compliant policies and plans. The firm's involvement in an organization's compliance efforts is no guarantee that a breach of PHI will not happen, but it can be a mitigating factor in an OCR investigation.
Who Requires HIPAA Consulting Services?
Most CEs and BAs do, if only to have their policies and strategies reviewed in order to identify any gaps or areas in which compliance efforts could be strengthened. The Privacy and Security Rules are particularly complex, and a fresh pair of eyes can often spot issues that an in-house team, even one of legal experts, has overlooked.
One issue with engaging a HIPAA consulting services firm is estimating the benefit if the CE or BA does not subsequently suffer a breach of PHI. What are the chances that it would have suffered a breach anyway? Conversely, experiencing a breach of PHI after a consultant has reviewed a CE's policies and strategies is not necessarily the fault of the consultant. It could have been due to the actions of a single employee.
Is HIPAA Consulting Expensive?
That depends on the size of the CE or BA, its "compliance complexity" and the level of assistance needed. HIPAA consulting fees can range from a few hundred dollars to tens of thousands, depending on whether a consultant is needed only to review a handful of documents to confirm they are compliant, or whether the CE or BA needs end-to-end HIPAA guidance.
Regardless of the expense, HIPAA consulting can be a worthwhile investment. It only takes one flaw in HIPAA compliance policies or strategies for a breach of PHI to occur and for OCR to issue a major fine. Even without a breach taking place, a CE or BA can be fined for non-compliance with HIPAA following a compliance review or other investigation.
How Do I Know if I Require HIPAA Consulting Services?
As a CE or BA, you should have a security awareness and training program based on the outcomes of your HIPAA risk assessments. The easiest and most cost-efficient way of finding out whether you need HIPAA consulting services is to have a consultant review that training program. If the consultant finds gaps in your training program, the likelihood is that there is room for improvement elsewhere in your HIPAA compliance efforts as well.