Do I Need a HIPAA Compliance Consultant?

HIPAA compliance is serious, especially when you consider the possibility of government fines, increased oversight, and reputational damage that violations of the law can cause.


An entire industry has evolved to help companies achieve and maintain compliance with HIPAA’s rules and regulations, but what is the best path for your organization? Do you need the services of a HIPAA compliance consultant to be HIPAA compliant?

Do I Need a HIPAA Compliance Consultant? – What the Law Demands

Reading through the HIPAA regulations can feel like an exercise in futility, especially if you aren't fluent in regulatory language. Making matters worse, the rules are written to cover an almost impossibly wide range of businesses.

A one-person medical practice, a multi-billion dollar insurance company, an IT managed service provider, and even a document shredding service have HIPAA responsibilities. If they create, access, use, process, transmit, or destroy protected health information (PHI) in physical or electronic (ePHI) formats, they must comply with HIPAA.

The Department of Health and Human Services' Office of Inspector General (OIG) attempted to make things clearer some years ago when it published its Seven Fundamental Elements of an Effective Compliance Program, which are widely used as the framework for HIPAA compliance:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

The process of achieving those seven elements is very different for each type of organization listed above. Because no two organizations are the same, even similar practices within the same specialty will face their own unique challenges.

Do I Need a HIPAA Compliance Consultant? – Counting the Cost

When you hire a consulting company, the estimated cost of HIPAA compliance ranges from $4,000 to $78,000+, depending on your organization's size and your current security posture.

If you are a single-location healthcare organization with a small number of employees, using a HIPAA consulting service would typically cost:

  • $2,000 for Risk Analysis and Management Plan
  • $1,000 – $8,000 for Remediation 
  • $1,000 – $2,000 for Training and Policy Development

Total: $4,000 – $12,000

If you are a multi-location healthcare organization or you have a large number of employees, using a HIPAA consulting service would typically cost:

  • $20,000+ for Risk Analysis and Management Plan 
  • $8,000+ for Remediation (dependent on your current security posture)
  • $5,000+ for Training and Policy Development
  • $40,000+ for Onsite Audit
  • $800 for Vulnerability Scans
  • $5,000+ for Penetration Testing

Total: $78,000+

Some companies offer individual pieces of HIPAA compliance at a lower cost, but buying one piece won't make you fully compliant.

These companies typically charge:

$15,000 for HIPAA Compliance Assessment which includes:

  • Scoping
  • Project Management
  • Risk Assessment
  • Testing and Analysis
  • Reporting

$10,000 for HIPAA Gap Assessment which includes:

  • Scoping
  • Project Management
  • Risk Assessment
  • Controls Identification
  • Testing and Analysis
  • Remediation Roadmap
  • Reporting

$8,000 for HIPAA Remediation, which includes:

  • Remediation Planning
  • Prioritizing
  • Policy and Procedures
  • Project Management
  • Expert Advice

If you choose to go with a consultant, remember that the HIPAA Security Rule requires a security risk analysis (SRA), generally performed annually, along with regular reviews of policies and procedures to ensure that organizational and regulatory standards are being maintained.

There are also requirements for workforce training (typically refreshed annually), including recorded training attestations for all employees; due diligence on all business associates, including signed Business Associate Agreements (BAAs); and a way for employees to report suspected violations without fear of retaliation. Where will the consultants be when these ongoing items need to be addressed?

Do I Need a HIPAA Compliance Consultant? – A Different Path

Compliancy Group offers a solution that meets all seven fundamental elements of HIPAA compliance at a fraction of the cost of hiring a consultant. We combine our industry-best software solution, "The Guard," with guidance from Quickstart Guides to lead you through the steps to make your organization fully HIPAA compliant.

You gain understanding and peace of mind in your compliance status through:

  • Simplified assessments that fulfill the requirements of the SRA and provide a clear picture of your current level of compliance
  • Automated gap identification and remediation plans that reference the specific sections of the HIPAA rules in the Code of Federal Regulations (45 CFR Parts 160 and 164)
  • Audit-tested policies and procedures, prepared by compliance attorneys and personalized to the individual requirements of your organization
  • Annual training for all employees that meets HIPAA workforce training requirements, with records of every employee's training attestation
  • Comprehensive tracking of all Business Associate Agreements with streamlined vetting procedures to satisfy due diligence requirements
  • Anonymous incident and breach reporting for employees, plus incident response support in the event of a breach or audit