HIPAA Compliance Consulting
Combining legal training with practical experience, our consultants have assisted clients with HIPAA compliance since the regulations were initially proposed in the late 1990s. Our experience has taught us that a “check-the-box” approach to HIPAA compliance is simply not sufficient.
INCompliance has an established reputation for assisting clients with the development of effective HIPAA compliance programs, conducting thorough, personalized audits and assessments of existing HIPAA compliance programs, and helping our clients execute effective breach investigation and remediation.
As a result of our proactive focus, our clients have experienced fewer investigations and violations than other covered entities. We are proud that virtually all of our clients facing complaints and investigations in the past have been able to resolve them expeditiously and have avoided costly penalties and enforcement actions.
It’s not just a top-down or bottom-up approach that works – it’s both. Training is an essential catalyst for creating a culture of compliance. To this end, we offer meaningful training opportunities, both onsite and online, for our clients’ workforces, ensuring that HIPAA policies and procedures are fully understood by the workforce and effectively executed.
Our training options include general HIPAA courses for the entire workforce, as well as in-depth courses for employees who are more closely involved in the day-to-day management of the organization’s HIPAA compliance program. We provide detailed training for HIPAA privacy officers specific to the key role they play in the compliance program, including management of the individual rights processes, oversight of the training program, and breach investigation, notification and remediation.
is one of flexibility and scalability. We do not attempt to provide a “one size fits all” program or assessment, nor do we recommend a “cookie-cutter” solution for the wide array of entities that are subject to HIPAA. Our HIPAA consulting services are customized to best meet the needs of each client, based on its structure, size and the unique issues the client faces.
For clients who do not have written policies and procedures in place (which is the first step in developing a HIPAA compliance program), or for those who have policies and procedures that are out of date, are not being used or are not comprehensive or well-developed, we will create a complete, customized set of written policies and procedures and assist the client with the implementation of these policies and procedures. We also regularly create policy and procedure sets for entities operating as business associates.
Our audits and assessments of privacy and/or security programs are typically conducted in three phases (though we are happy to work with clients on alternative structures). The first phase consists of familiarizing ourselves with the operations and philosophy of the organization and conducting a thorough desk audit of the organization’s written HIPAA policies, procedures and other relevant written documentation. The second phase is a comprehensive assessment of all aspects of the organization’s HIPAA compliance program, including an on-site audit of relevant day-to-day business practices to determine whether the policies have been operationalized and whether there are sufficient monitoring programs in place. Finally, in the third phase, we prepare a comprehensive final assessment report designed to assist the organization with correcting the compliance issues identified in the assessment and to achieve full compliance with the privacy and/or security regulations. We also offer best practices in our reports that the client may wish to implement. Each of these steps is tailored to meet the goals and needs of the client.
In the event that sensitive data is compromised, we know that time is of the essence. We work with our clients to quickly identify the source of the incident, analyze whether a reportable breach has occurred, assist with required notifications and implement remedial actions. We guide our clients through each step in this process to ensure that the breach is handled in a fully compliant manner, and that the organization is prepared should regulators choose to investigate the breach.
INCompliance offers a web-based online HIPAA self-assessment program. The program includes a detailed step-by-step process for developing a HIPAA compliance program, including templates for all required policies and documents, helpful tools and checklists. The program also includes five hours of consulting time with an INCompliance attorney-consultant, which may be used at the subscriber’s discretion.
INCompliance’s HIPAA Section-by-Section resource eliminates the need to search through the Federal Register or review the Health and Human Services (HHS) website for updated HIPAA guidance. The HIPAA Section-by-Section resource includes the full, unabridged text of each section of the federal HIPAA Privacy and Security Regulations coupled with the relevant commentary in an easy-to-read format, and the content is updated as the Regulations are amended or new guidance is issued.
We conducted an HHS “mock audit” of privacy and security compliance and continue to provide ongoing assistance with all aspects of the hospital’s HIPAA compliance program. The hospital felt that this exercise was truly valuable, as it confirmed that they have a strong HIPAA compliance program in place. Because we also identified areas where the documentation of their program could be better, they were able to gain valuable information and make necessary changes through a mock audit rather than an actual HHS audit.
We performed a HIPAA privacy assessment for a large governmental agency charged with managing the mental health and substance abuse delivery system, processing claims and funding treatment providers. This organization was best categorized as a health plan for HIPAA purposes, although it also offered some programs which constituted treatment and educational programs, in addition to having some unique programs that were not covered by HIPAA, such as housing services. The assessment included an on-site visit, which was spread over several days, as well as a desk audit. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions. We were subsequently retained under a separate engagement to assist the client with implementing our recommendations, including widespread revision of the written policies and procedures.
We performed a HIPAA privacy assessment for a company which provides certain care management services, acting as a business associate of health plans. This complex organization acted as both a provider and a business associate of health plans. The assessment included an on-site visit and a desk audit. During the on-site visit, we identified several unique issues which arose as a result of their dual roles as provider and health plan business associate. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions. We were able to establish a creative solution for one of the identified issues that allowed them to manage the issue without extensive restructuring of their operations.
We performed a HIPAA privacy assessment for a company which provided benefits management services for a limited category of benefits. This engagement included an on-site visit and a desk audit. During the on-site visit, we were able to identify, through employee interviews, practices that presented compliance risks, of which the privacy officer had been unaware prior to the assessment. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions.
We conducted a privacy and security assessment of all of the university’s health care components, utilizing the HHS protocols and our own checklists and forms. The audit included the university’s clinical operations, academic programs and employee and student health plans. According to the client, the audit was invaluable in assisting it in identifying covered functions and reviewing a myriad of unique issues related to the university’s various clinics, academic programs and health plans. The information provided during the process itself, as well as in the report and recommendations, provided valuable guidance. Although the university had a robust compliance program in place prior to the audit, the university has made revisions and improvements to strengthen its HIPAA Privacy Compliance Program as a result of the audit recommendations. The university continues to refer to the report and recommendations as it adds new clinics and programs.
INCompliance has provided HIPAA privacy consulting services to this organization for many years. We initially helped them review their overall operations (including their employee and retiree health plans) and determined which aspects of their operations were covered entities, reviewed current policies and practices with respect to the disclosure of information, and assisted with the development of new written HIPAA policies and procedures. We continue to regularly assist in analyzing issues as they arise. The organization is somewhat unique in that it is a public retirement system that offers health care coverage, in addition to pension benefits, to retirees, and it also offers an employee health plan to its employees. According to the client, our consultants’ knowledge and expertise have been very valuable in assisting them in sorting through their compliance obligations, in an environment that does not always easily fit into the traditional mold of a covered entity.