Kusserow’s Corner: Outsourcing the HIPAA Privacy Officer

Under HIPAA, every covered entity, whether a health care provider, health plan, or clearinghouse, must have a Privacy Officer (PO). The duties and responsibilities are formidable and require a breadth of knowledge and expertise that is often difficult to find within an organization. This is especially true when the individual is doing the work as a secondary duty to other responsibilities, such as those of the Compliance Officer, HIM Director, or Security Officer. At the same time, hiring someone to be exclusively devoted to this area may be prohibitively expensive for the ongoing duties once the program has been established. Few people possess the needed range of knowledge in a large organization, much less a smaller one, and organizations must complement their own efforts with, or rely on, outside expertise for HIPAA compliance. In light of the PO’s key duties and responsibilities, many organizations consider the benefits of outsourcing the function to experts.

Key Privacy Officer Responsibilities

POs are required to oversee all ongoing activities related to the development, implementation, and maintenance of the organization’s privacy policies and key documents addressing confidentiality and privacy requirements in accordance with applicable federal and state laws. These include confidentiality consent and authorization forms, information notices, and other materials describing policies and requirements. The PO has to stay current with all state and federal HIPAA requirements and ensure they are being met. The job doesn’t end there, because the officer must also lead activities that promote employee awareness of individual and organizational obligations. HIPAA privacy requirements apply to health information that can be used, viewed, or shared, so everyone with any degree of access to this information must know their obligations to protect it. Employee HIPAA training must reach permanent, temporary, and contract-based staff members, as well as volunteers and, in particular, physicians; training is not a one-time event. The PO fosters HIPAA privacy awareness on an ongoing basis and stays abreast of updates to requirements at both the state and federal levels. The PO must also oversee the monitoring of data access, conduct risk assessments and investigations into breaches, and handle complaints. Any major suspected breach will likely take precedence over all other duties, and if a breach is confirmed and affects 500 or more patients, it must be promptly reported to the media and the HHS Office of Civil Rights. Lastly, the PO in an effective HIPAA program must interface and work together well with the Security Official.

In a large organization, there may be several people assigned to the PO to handle all of these administrative tasks. In smaller organizations, the time and effort involved will likely be part time and intermittent. The person designated as the PO may face an impossible mission: too much responsibility, combined with insufficient skill sets and resources.

Designating an Outside Expert to be the Privacy Officer

In today’s challenging regulatory environment, there has been a growing trend of outsourcing functions that are not at the core of the organization’s mission. Many health care organizations have turned to outside experts as the Designated Compliance Officer and, more recently, the Designated Privacy Officer (DPO). In particular, smaller organizations that cannot afford a full-time qualified PO to carry out all the duties and responsibilities of the office consider outsourcing a reasonable alternative. The use of DPOs may arise for a variety of reasons, but mostly it comes from the realization that the organization simply does not have the size to warrant a full-time PO, and that assigning the role to someone part time as a secondary duty does not work because of the need to stay current with the complexities of the laws and regulations. The decision to outsource the whole program to recognized experts has a number of advantages:

  • The organization is not paying the loaded cost of a full-time W-2 employee
  • DPOs are more efficient and qualified, with no learning curve on HIPAA
  • DPOs bring detailed knowledge of federal and state laws/regulations
  • DPOs have expertise in HIPAA/HITECH privacy and security compliance
  • DPOs have experience in dealing with privacy issues in various settings
  • Effective DPOs strengthen risk posture
  • Lower fixed costs and reduced staff workload

There are many questions that should be asked to determine whether an outsourced DPO makes sense for the organization. Once these are answered, and if the decision is to outsource the compliance activities, it is critical that the party engaged to perform this service be properly qualified, experienced, and certified in this area. Such consultants can be more efficient in carrying out the duties. For most organizations, this can be a part-time engagement. The decision whether to use a DPO is largely driven by the size and complexity of the organization. The larger the organization, the less attractive the idea of outsourcing to a DPO becomes. Conversely, the smaller the organization, the more likely it is that the DPO concept is the right answer, although it may not necessarily need to engage a full-time DPO.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.


Copyright © 2014 Strategic Management Services, LLC. Published with permission.