HIPAA PRIVACY COMPLIANCE STRATEGIES FOR SMALL AND MID-SIZED ORGANIZATIONS
The size of the regulations, their details and their many aspects can be overwhelming. What's a small or mid-sized employer to do?
- Ignore the regulations and hope no one complains. Although this option may be tempting, there are substantial penalties for non-compliance and the Department of Labor has stated that they will respond to complaints. To borrow the title of a book by Rick Page, "Hope is Not a Strategy."
- Retain legal counsel. This is certainly safe; however, the attorneys who can actually help (i.e., who know anything about HIPAA Privacy) may be with the big law firms and might come with big fees.
- Hire a consultant. This also might be expensive but the bigger problem is that, if the consultant does most of the work for you, you do not have any internal experts who actually understand the regulations.
- Do it yourself. Don't be so sure that this is the most cost-effective solution. The Department of Health & Human Services suggests that it will take 960 hours of work to comply. Do you have the time and money to have your employees do it all? Can you afford to pull them off their other jobs? You may not even have anyone with the expertise to do all that would be required. Mistakes could result in higher costs or even penalties later on.
- Purchase a suitable "kit," follow the recommended procedures and ask your attorney to review your final "product." This three-pronged approach may be the best option for most organizations. Your employees get "educated," systems get updated as regulations change, and step-by-step instruction is provided, offering a less costly and less time-consuming way of handling an onerous task. It will still take time to learn the basics, to customize the forms and templates that are provided, and to run them by your attorney, but your employees will ultimately become experts in HIPAA compliance and you will have saved yourself an enormous amount of time and money. This will also allow you to reduce your risk of fines or legal action.
We have been weighing the pros and cons of each of these options for quite some time and searching for a way to make complying with the HIPAA Privacy regulations as simple as possible. We'd be glad to share with you what we have found to be the most suitable solution for the small- to mid-size employer.