HIPAA Outsourcing

For healthcare organizations, HIPAA compliance is becoming a risk management challenge. Outsourcing can support the compliance officer with added talent, experience and flexibility to handle growing responsibilities of compliance requirements.

Outsourcing Advantage
Outsourcing in the healthcare industry has been used successfully in everything from medical billing, transcription and payroll to data center hosting. The strategy has often focused on cost effectiveness by shifting the cost of non-core activities outside the organization.

Today, however, many healthcare organizations are approaching outsourcing from a different perspective. Instead of viewing sourcing only as cost savings with a transfer of control, they are approaching outsourcing as a means of cost-effectively adding talent, expertise and performance. This approach leverages specialized consulting skills and best practices, while blending with internal capabilities.

Outsourcing and HIPAA
Healthcare organizations have witnessed the responsibilities of the HIPAA privacy and security officer grow over the past 8 years from HIPAA program support and training to a role comparable to that of a risk manager. Compliance officer tasks now include the multi-year rollout of the HITECH Act, implementing annual audits, developing new data breach planning, upgrading policies and procedures, managing business associate agreements and effectively disseminating privacy and security standards across all business units.

In addition, new regulations and guidance documents require the compliance officer to analyze research of federal and state regulations. Health and Human Services, for example, implements regulatory change via a public Notice of Proposed Rulemaking (NPRM) process for modifying privacy and security rules, compliance and investigations, imposition of civil money penalties, and procedures for hearings issued under HIPAA, all of which must be monitored closely to keep a HIPAA program relevant and accurate. Privacy and security oversight has reached a new level of demand.

Today, healthcare organizations find the compliance officer often overwhelmed with critical compliance tasks. The added support of outsourcing expertise becomes an attractive tool in ensuring strategic compliance goals are achieved.

How HIPAA Analytics Can Help
By teaming with HIPAA Analytics, the healthcare organization is able to add specialized skills and experience to do the heavy lifting of required compliance audits, implementation of initiatives and special projects, allowing the compliance officer to manage core compliance duties.

In addition to reducing the compliance office workload, HIPAA Analytics also benefits the organization with knowledge sharing that improves compliance performance, including the ability to -

  • Leverage the strengths of experts to achieve compliance goals
  • Accelerate implementation and oversight of privacy and security
  • Improve quality, reduce costs and strengthen controls
  • Gain compliance efficiencies across all departments and facilities
  • Increase availability of compliance services
  • Establish common support across business units and facilities
  • Gain knowledge transfer, standardization and best practices
  • Use analytics that identify the root cause of issues and provide actionable insight
  • Receive assistance in producing predictable compliance outcomes

HIPAA HealthCheck

HealthCheck services are designed to meet specific “client defined” analysis of their HIPAA compliance program. HealthCheck services provide an objective and professional approach to gain valuable insight.

Client Defined Analysis
In today’s expanding HIPAA compliance environment, staying on top of privacy and security regulations recently amended by the HITECH Act, updating policies and procedures, or conducting an annual audit can be daunting. In fact, many healthcare administrators and management explain that the duties of compliance are often given to those who already have core business responsibilities, causing even more strain on the effectiveness of the compliance program.

In response, HIPAA Analytics created the HIPAA HealthCheck service, an assessment designed to provide healthcare clients with the flexibility to define an examination of specific areas of concern within their compliance program. Every HealthCheck examination provides the client with -

  • Compliance clarity and answers for the client organization
  • Actionable insight to remediate areas of concern
  • Recommended best practices that improve the compliance program
  • Assurances that the compliance program has received a review by an independent subject matter expert

Performance and Insight
More than examining for deficiencies, HealthCheck services approach client examinations with a focus on analytics that provide rich insight into the compliance program. By digging deeper into the root cause of issues and uncovering business/compliance process patterns, HealthCheck helps validate client concerns, assess options and predict compliance performance.

Incremental Improvement
The science of risk management has taught us that compliance is not a one-time effort, but a continuous process. Healthcare organizations seldom require a major overhaul of their compliance program; rather, they improve their program in well-thought-out incremental steps. HealthCheck services are geared to delivering compliance guidance for incremental steps to improve client privacy and security performance.

HealthCheck Defined Services
Every defined client project begins with a client meeting to verify project focus and complete the readiness questionnaire. Next steps include initial scoping and statement of work. The formal process assists in ensuring that project expectations, such as tasks, milestones and deliverables are in sync with the fixed price project. Steps in the project include -

  • Initial client meeting
  • Define project focus
  • Outline initial project scope, tasks, milestones and deliverables
  • Statement of work reviewed and approved
  • Begin compliance program review, including business process/compliance, policies and procedures, interviews, facility review, business associate impact, and training and awareness review
  • Submit interim report and remediation recommendations for review
  • Submit final report
  • Provide management presentation of final report

HIPAA Audit and Attestation

The HIPAA Audit
More than a simple gap assessment, HIPAA audits are designed to assess an organization's risk management and regulatory effectiveness.

We believe that healthcare organizations must be proactive in identifying, managing, and controlling existing and future regulatory risks. To ensure each audit delivers value, HIPAA Analytics begins each engagement by working with the client to develop an audit plan that includes –

  • The expectations or goal of the audit
  • Assessing external events, such as new regulations and how they impact the organization
  • Analytics that assist with benchmarking and metrics for quality improvement
  • Documentation of strengths, weaknesses, opportunities, and threats
  • Ensure that audit coverage will provide early warning of risk indicators
  • Capture and share knowledge and best practices for use throughout the organization
  • Address the need for continual learning and training elements to improve business judgment and perspective
  • Provide balance, independence, objectivity, and value

Audit Scope
A HIPAA audit identifies all relevant privacy and security risks the organization faces, details the risks within each area, and categorizes them by priority. With such an assessment, management can make informed decisions regarding risk mitigation and allocation of risk management resources. In a typical audit, areas of assessment include privacy and security policies and procedures; business operations/compliance process; management, staff and volunteer interviews; review of all business units; technology/security side operations; examination of business associate and subcontractor agreements; business operations/compliance PHI usage; and training and awareness programs.

HIPAA Analytics also provides healthcare organizations with the flexibility of audit focus. For example, audit examinations include -

  • Meaningful Use Core Measure 15 security risk analysis
  • Privacy and security audit report and opinion letter attesting that HIPAA controls are suitably designed and operational
  • HIPAA/HITECH business associate audit that provides assurances to their healthcare customers that they meet or exceed HIPAA requirements
  • Audit of Protected Health Information (PHI), providing organization wide inventory of PHI, business process and risk assessment
  • Audit of Data Breach Plan management and effectiveness
  • Required periodic HIPAA security evaluation
  • Review of the HIPAA Contingency Plan, including the Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedure, and Applications and Data Criticality Analysis

HIPAA Privacy and Security Attestation
The audit attestation is a widely recognized standard, “attesting” that a healthcare organization or business associate has had its HIPAA privacy and security policies, procedures and business process examined by an independent consulting firm, and that the examination concluded that the organization met or exceeded HIPAA requirements.

The attestation audit is conducted on-site and is customized to the specific business operation and the customers it serves.

How HIPAA Analytics Can Help
More than examining for deficiencies, our audit services approach client examinations with a focus on analytics that provide rich insight into the compliance program. By digging deeper into the root cause of issues and uncovering business/compliance process patterns, our audits help validate client concerns, assess options and predict compliance performance.