What is the least expensive way I can get my company HIPAA Certified?
A common question posed to Ask Erik involves how small organizations can get “HIPAA certified” quickly and with minimal expense. These questions stem from desperation (people know that they are not compliant), fear (people know that non-compliance is extremely risky in terms of potential fines and bad publicity, not to mention risk to their customers/patients), lack of an understanding of HIPAA (they do not really know what getting “HIPAA certified” means), and lack of resources (time and money are both scarce). Organizations in this situation know that they need to take steps for compliance ASAP, but they may not know what those steps are and really want to allocate the minimum possible time or money towards them.
What does getting “HIPAA Certified” mean?
The first hurdle is that there is no official, government-sanctioned HIPAA certification program. So, there is no way to be officially “HIPAA certified” and thus be “all set.” What you really must do is strive to be HIPAA-compliant in all aspects of your business that deal with Protected Health Information (PHI) and strive to keep up with your changing organization and the changing compliance landscape over time.
So how can I be HIPAA-compliant?
This is an ongoing process, but here are some steps to get started:
- Identify someone in your organization (or an outside consultant) who will be your company’s Security and Compliance Officer. This person will be charged with knowing or getting up to speed with HIPAA’s requirements and determining how they apply to your organization in particular.
- The Security and Compliance Officer then:
- Reviews all of your organization’s policies and revises or expands them to cover the documentation, staff management, and other requirements of HIPAA.
- Performs a detailed Risk Analysis of all of your systems, vendors, and practices to determine the risk that PHI could be lost or fall into unauthorized hands.
- Makes a remediation plan. This is essentially a cost-benefit analysis where the risks are ranked and solutions determined that can mitigate each risk.
- Start changing your business operations. Begin modifying how things work so that you can maximally mitigate the risk of breaches of PHI and meet compliance with the other requirements of HIPAA (e.g. do not share logins to email systems).
What you’ll probably find is that a lot of changes are needed, and some are much more expensive or difficult to implement than others. Be that as it may, you really need to have a plan to address everything significant and set reasonable timeframe to come into compliance. If some of your practices are very risky, you may need to suspend or alter them immediately in order to protect PHI until safer replacements can be established.
If you get audited by Health and Human Services, all of your documentation, your risk analyses, your plans and time frames, and the steps you have already taken… these all go a long way to show that you are working proactively towards compliance.
Here is a brief checklist of the things that need to be done to get your organization to meet HIPAA Compliance: A HIPAA-compliance checklist.
But what makes me HIPAA-compliant?
Your organization can be considered HIPAA-compliant if it follows all of the requirements of HIPAA, and if it follows or documents why it chooses not to follow all of the suggested (addressable) requirements of HIPAA. It can be considered HIPAA-compliant if it has appropriate policies in place, appropriate training for employees, low risk of beach, and performs and documents required periodic tasks such as yearly risk analyses, disaster recovery/business continuity testing, etc. It will remain compliant if it keeps up with changes in the laws, keeps HIPAA business associate agreements with all vendors through which your PHI flows, and continues to minimize risk as much as possible without neglecting any important issues.
If you can do all of that and be sure that you have “got it right,” then you can call yourself HIPAA-compliant.
That sounds really hard. Can anything make it easier or faster?
Becoming and remaining HIPAA-compliant takes a lot of time and effort. If it’s not feasible for you to do this yourself, there are two things that can help:
Outsource: Use Vendors for Services
Once you’ve identified where PHI is stored and/or transmitted in your organization, consider if you could outsource some or all of those functions to third-party companies. For most business functions, there are third-party organizations that can provide those services to you for a fee, and do it in a way that ensures that that service is handled in a HIPAA-compliant manner.
Good examples of this include: email services, web hosting and web development, faxing, IT infrastructure support, medical billing, texting (SMS), video conferencing, data backups and storage, HIPAA training, penetration testing, etc.
Each function that you outsource to another company is one less that you need to worry about. As long as that company has a good reputation, you establish a HIPAA business associate agreement with them, and you use their services as intended, then that aspect of your business gets the HIPAA-compliant checkmark.
The more that you can outsource, the simpler your HIPAA-compliance requirements can become.
Beware — use of a vendor that provides a HIPAA-compliant service does not make you HIPAA-compliant. You have a lot of other obligations to meet such as training, documentation, administrative reviews, etc. Use of a vendor does, however, significantly reduce the number of things that you have to worry about and can simplify the rest of your ongoing HIPAA-compliance effort.
If you do not have the resources in your organization to learn the ins and outs of HIPAA, keep up with it, preform the necessary reviews, make the needed policies, train your employees, and do everything else that is required, then you really need to get some outside professional help. There are many companies that you can hire that will review your current state of affairs, determine your current risk and make a report of the gaps you need to fill on your way to compliance. They can then assist you in prioritizing and filling these compliance gaps and, if they do not do it themselves, finding other companies to help with your ongoing compliance needs such as HIPAA training for yourself and your staff, auditing of policies and computer service logs, vetting vendors, etc. Here are a few (there are many out there if you do a Google search):
Professional help is not cheap. You can expect to spend $5,000 to $15,000 (or more) during the first year to get the process going and get all of the initial analyses in place. The cost varies greatly based on who you choose as a vendor, how complex your organizations operations are, and what if anything you have already done on the path to compliance.
When you are done and when you have remediated all of the significant gaps that they have identified, they may provide you with a kind of “seal of approval” that says that they have determined that your business operations appear to meet the requirements and best practices for HIPAA. This is what many people are looking for when they ask about being “HIPAA certified” — something they can point to and say “ya, we’re good!”
These seals are useful and show that an organization is working on their compliance and that a third party agrees that they are in good shape at the moment. However, they are not official statements and they do not really ensure that you are safe from a breach of HIPAA, that your employees are always doing the right thing, or even that you truly had the third-party organization audit everything that should have been reviewed. So, when looking at seals of approval, take them with a small bottle of salt.
How much time and cost is involved?
This is a question that is hard to answer ahead of time. If you are a small healthcare practice and hire someone to take care of everything for you, the initial work could be 1-2 months and cost that $5,000-$15,000. If you are able to outsource aspects of your business, this may simplify your initial and ongoing compliance work and cost while probably making those aspects of your organization safer than if you tried to do it all yourself.
What you end up with is a trade-off between time and money. The more time you spend on HIPAA, the more you can do and the less the cost of external help may be. However, navigating compliance by yourself, especially if your real job does not involve security and compliance, is probably a bad idea. Inexperience coupled with lack of time will inevitably lead you astray. You may not identify all of the risks to PHI, or you may not understand certain nuances of the HIPAA requirements, or you might make trade-offs in favor of spending less time or money on compliance in ways that leave you much more open to breach than you imagine. If you have a breach or if you get audited, these things will come to light. They look worse for you than if you had someone with more experience helping you.
You don’t want to be your own lawyer in court, especially if you’re not a lawyer. You probably don’t want to be your own HIPAA compliance officer either if you don’t routinely deal with IT, security, and compliance.
If HIPAA compliance is something that you have to deal with, you have to do it right. Ignoring all or part of HIPAA is termed “willful neglect” and will land you the highest fines — $50,000 per each datum breached. That is $1 million dollars for 20 email messages. By that comparison, the cost to becoming HIPAA-compliant is negligible and well worth the investment.