HIPAA Compliance Consulting
Combining legal training with practical experience, our consultants have assisted clients with HIPAA compliance since the regulations were initially proposed in the late 1990s. Our experience has taught us that a “check-the-box” approach to HIPAA compliance is simply not sufficient.
INCompliance has an established reputation for assisting clients with the development of effective HIPAA compliance programs, conducting thorough, personalized audits and assessments of existing HIPAA compliance programs, and helping our clients execute effective breach investigation and remediation.
As a result of our proactive focus, our clients have experienced fewer investigations and violations than other covered entities. We are proud that virtually all of our clients facing complaints and investigations in the past have been able to resolve them expeditiously and have avoided costly penalties and enforcement actions.
it’s not just a top-down or bottom-up approach that works – it’s both. Training is an essential catalyst for creating a culture of compliance. To this end, we offer meaningful training opportunities, both onsite and online, for our clients’ workforces, ensuring that HIPAA policies and procedures are fully understood by the workforce, and effectively executed.
Our training options include general HIPAA courses for the entire workforce, as well as in-depth courses for employees who are more closely involved in the day-to-day management of the organization’s HIPAA compliance program. We provide detailed training for HIPAA privacy officers specific to the key role they play in the compliance program, including management of the individual rights processes, oversight of the training program, and breach investigation, notification and remediation.
is one of flexibility and scalability. We do not attempt to provide a “one size fits all” program or assessment, nor do we recommend a “cookie-cutter” solution for the wide array of entities that are subject to HIPAA. Our HIPAA consulting services are customized to best meet the needs of each client, based on its structure, size and the unique issues the client faces.
For clients who do not have written policies and procedures in place (which is the first step in developing a HIPAA compliance program), or for those who have policies and procedures that are out of date, are not being used or are not comprehensive or well-developed, we will create a complete, customized set of written policies and procedures and assist the client with the implementation of these policies and procedures. We also regularly create policy and procedure sets for entities operating as business associates.
Our audits and assessments of privacy and/or security programs are typically conducted in three phases (though we are happy to work with clients on alternative structures). The first phase consists of familiarizing ourselves with the operations and philosophy of the organization and conducting a thorough desk audit of the organization’s written HIPAA policies, procedures and other relevant written documentation. The second phase is a comprehensive assessment of all aspects of the organization’s HIPAA compliance program, including an on-site audit of relevant day-to-day business practices to determine whether the policies have been operationalized and whether there are sufficient monitoring programs in place. Finally, in the third phase, we prepare a comprehensive final assessment report designed to assist the organization with correcting the compliance issues identified in the assessment and to achieve full compliance with the privacy and/or security regulations. We also offer best practices in our reports that the client may wish to implement. Each of these steps is tailored to meet the goals and needs of the client.
In the event that sensitive data is compromised, we know that time is of the essence. We work with our clients to quickly identify the source of the incident, analyze whether a reportable breach has occurred, assist with required notifications and implement remedial actions. We guide our clients through each step in this process to ensure that the breach is handled in a fully compliant manner, and that the organization is prepared should regulators choose to investigate the breach.
INCompliance offers a web-based online HIPAA self-assessment program. The program includes a detailed step-by-step process for developing a HIPAA compliance program, including templates for all required policies and documents, helpful tools and checklists. The program also includes five hours of consulting time with an INCompliance attorney-consultant, which may be used at the subscriber’s discretion.
INCompliance’s HIPAA Section-by-Section resource eliminates the need to search through the Federal Register or review the Health and Human Services (HHS) website for updated HIPAA guidance. The HIPAA Section-by-Section resource includes the full, unabridged text of each section of the federal HIPAA Privacy and Security Regulations coupled with the relevant commentary in an easy-to-read format, and the content is updated as the Regulations are amended or new guidance is issued.
Failure to terminate access of departing employee leads to HIPAA penalty
December 2018
HIPAA settlement highlights need for caution when speaking with media
November 2018
Lights, camera, HIPAA! HHS announces settlement related to “Boston Med”
August 2018
Judge upholds fourth largest HIPAA penalty of $4.3 million for Texas cancer center
June 2018
Doctor pleads guilty to providing protected health information to drug maker
March 2018
Reminder: Notice of 2017 small HIPAA breaches due to HHS soon
February 2018
HIPAA enforcement actions highlight importance of maintaining and auditing security practices
April 2017
OIG publishes Resource Guide for measuring compliance program effectiveness
March 2017
Are your HIPAA practices in sync with today’s technology? Three notable HIPAA enforcement actions in 2017
February 2017
OCR releases HIPAA guidance on cloud computing services
October 2016
OCR announces new initiative to investigate HIPAA breaches affecting fewer than 500 individuals
August 2016
OCR launches HIPAA Phase 2 Audits and announces deadline and focus areas
July 2016
Failure to execute a BAA results in $1.55 million fine for Minnesota hospital system
March 2016
New guidance and information from OCR and ONC on patient access to medical information
March 2016
Could this be you? ALJ Upholds $239,000 HIPAA Penalty for Lincare, Inc.
February 2016
HIPAA settlement with University of Washington Medicine highlights need for organization-wide risk analysis
December 2015
Government brings HIPAA criminal charges against drug company employees
November 2015
Anthem Announces Largest Ever Health Care Industry Cyber Attack
February 2015
Don’t Let This Be You: Provider Agrees to a $150,000 HIPAA Settlement in Potential Security Breach Matter
December 2014
HIPAA Back-to-Basics Bulletin Series: HIPAA Privacy Training
August 2014
Hospital System Discloses HIPAA Breach Affecting 4.5 Million Individuals
August 2014
$800,000 HIPAA Settlement in Alleged Medical Record Dumping Matter
June 2014
HHS Reports HIPAA Breaches Increased Substantially and Predicts More Enforcement in 2014
June 2014
HIPAA Back-to-Basics Bulletin Series: HIPAA Compliance in the Social Media Era
June 2014
HIPAA Back-to-Basics Bulletin Series: Roles and Key Functions of Privacy and Security Officers
May 2014
HHS Announces Second Round of HIPAA Audits
April 2014
HIPAA Back-to-Basics Bulletin Series: Security Risk Analysis
March 2014
HHS Announces First HIPAA Settlement with a County Government
March 2014
HHS Issues Guidelines on HIPAA and Sharing Information Related to Mental Health
February 2014
HIPAA Back-to-Basics Bulletin Series: Annual Breach Reporting Deadline March 1
February 2014
Analysis of Final HIPAA Omnibus Rule: Notice of Privacy Practices
February 2013
Analysis of Final HIPAA Omnibus Rule: Research, GINA, Hybrid Entities and Other Miscellaneous Provisions
February 2013
Analysis of Final HIPAA Omnibus Rule: Enforcement Provisions
February 2013
Analysis of the Final HIPAA Omnibus Rule: Individual Rights Regarding Restrictions and Access
February 2013
Business Associates and Business Associate Agreements
February 2013
HHS Releases New Sample HIPAA Business Associate Agreement
January 2013
Analysis of the Final HIPAA Omnibus Rule: Changes to Marketing, Sale of PHI and Fundraising Requirements
January 2013
Once More into the Breach: Major Changes in the HIPAA Breach Notification Requirements
January 2013
What You Will and Won’t Find In the Final Omnibus HIPAA Rule
January 2013
Final Omnibus HIPAA Rule Issued by HHS
January 2013
OCR’s First-Ever Settlement for a Breach Affecting Fewer Than 500 People
January 2013
New HIPAA Tools for Mobile Devices
December 2012
Computer Viruses Pose Security and HIPAA Challenges
October 2012
CMS Has HIPAA Breaches Too
October 2012
Another Costly HIPAA Breach
September 2012
Protecting Multimedia PHI
August 2012
OCR HIPAA Audit Contractor Comments on First Round of Audits
July 2012
Despite What GAO Says – OCR has a Plan
HIPAA Audit Protocols and OCR’s Plan for Future HIPAA Audits
July 2012
Office of Management and Budget Extends Review of Final HIPAA Regulations
June 2012
First Enforcement Action Under HITECH Breach Rules Results in $1.5M Settlement
March 2012
Hospital Pays $865,000 to Settle HIPAA Complaints
July 2011
Proposed Rule Modifies HIPAA’s Accounting of Disclosures Requirements
July 2011
HHS Announces Second Penalty for Violations of HIPAA Privacy Rule
February 2011
Civil Monetary Penalty for Violations of HIPAA Privacy Rule
February 2011
Final Guidance on HIPAA Security Rule Risk Analysis Released
August 2010
New HIPAA-HITECH Proposed Regulations Issued
July 2010
HHS Posts List of Reported HIPAA Breaches Affecting 500 or More Individuals
February 2010
We conducted an HHS “mock audit” of privacy and security compliance and continue to provide ongoing assistance with all aspects of the hospital’s HIPAA compliance program. The hospital felt that this exercise was truly valuable, as it confirmed that they have a strong HIPAA compliance program in place. Because we also identified areas where the documentation of their program could be better, they were able to gain valuable information and make necessary changes through a mock audit rather than an actual HHS audit.
We performed a HIPAA privacy assessment for a large governmental agency charged with managing the mental health and substance abuse delivery system, processing claims and funding treatment providers. This organization was best categorized as a health plan for HIPAA purposes, although it also offered some programs which constituted treatment and educational programs, in addition to having some unique programs that were not covered by HIPAA, such as housing services. The assessment included an on-site visit, which was spread over several days, as well as a desk audit. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions. We were subsequently retained under a separate engagement to assist the client with implementing our recommendations, including widespread revision of the written policies and procedures.
We performed a HIPAA privacy assessment for a company which provides certain care management services, acting as a business associate of health plans. This complex organization acted as both a provider and a business associate of health plans. The assessment included an on-site visit and a desk audit. During the on-site visit, we identified several unique issues which arose as a result of their dual roles as provider and health plan business associate. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions. We were able to establish a creative solution for one of the identified issues that allowed them to manage the issue without extensive restructuring of their operations.
We performed a HIPAA privacy assessment for a company which provided benefits management services for a limited category of benefits. This engagement included an on-site visit and a desk audit. During the on-site visit, we were able to identify, through employee interviews, practices that presented compliance risks, of which the privacy officer had been unaware prior to the assessment. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions.
We conducted a privacy and security assessment of all of the university’s health care components, utilizing the HHS protocols and our own checklists and forms. The audit included the university’s clinical operations, academic programs and employee and student health plans. According to the client, the audit was invaluable in assisting it in identifying covered functions and reviewing a myriad of unique issues related to the university’s various clinics, academic programs and health plans. The information provided during the process itself, as well as in the report and recommendations, provided valuable guidance. Although the university had a robust compliance program in place prior to the audit, the university has made revisions and improvements to strengthen its HIPAA Privacy Compliance Program as a result of the audit recommendations. The university continues to refer to the report and recommendations as it adds new clinics and programs.
INCompliance has provided HIPAA privacy consulting services to this organization for many years. We initially helped them review their overall operations (including their employee and retiree health plans) and determined which aspects of their operations were covered entities, reviewed current policies and practices with respect to the disclosure of information, and assisted with the development of new written HIPAA policies and procedures. We continue to regularly assist in analyzing issues as they arise. The organization is somewhat unique in that it is a public retirement system that offers health care coverage, in addition to pension benefits, to retirees, and it also offers an employee health plan to its employees. According to the client, our consultants’ knowledge and expertise have been very valuable in assisting them in sorting through their compliance obligations, in an environment that does not always easily fit into the traditional mold of a covered entity.
Chris Bennington
Beth Kastner
Josh Gilbert
Addison Hutcheson
Allen Killworth