Kusserow on Compliance: Is outsourcing HIPAA privacy worth considering?

The Ninth Annual Healthcare Compliance Benchmark Survey, conducted by SAI Global and Strategic Management Services, revealed that the highest-ranking priority for 2018 was dealing with data breaches. Nearly 75 percent of the 388 responding organizations reported that the compliance office had taken responsibility for HIPAA Privacy. The Survey also indicated that compliance office resources were being strained in meeting all their responsibilities. This was underscored by the reported finding that 75 percent of compliance offices had five or fewer staff, with one third of offices having only a one-person staff.

Kash Chopra, JD, MBA, has placed a number of outsourced data protection officers (DPOs) in a variety of organizations, because many compliance offices don’t have the experience and knowledge to address the wide range of duties and responsibilities of privacy offices. This is consistent with a growing trend of outsourcing functions that are not at the core of the organization's mission. Outsourced DPOs are normally placed under the direction of the compliance officer. Most of the DPOs she has provided work at or below an average of 20 hours per week, with most of the work being performed remotely. What makes this possible is that DPOs already have expertise and are current on state and federal requirements, as well as on what is needed in the development, implementation, and maintenance of privacy policies and key documents that address privacy requirements. The DPO will know how to address and oversee the monitoring of data access and investigations, as well as breaches and complaints. Among the advantages of using DPOs are:

  1. Permits compliance officers to focus on other compliance areas
  2. Not paying the loaded cost of a full-time W-2 employee
  3. DPOs are more efficient with no learning curve on HIPAA
  4. Bring experience and detailed knowledge of federal and state laws/regulations
  5. Experience in dealing with privacy issues
  6. Better risk protection
  7. Lower fixed costs and reduced staff workload
  8. Expertise in HIPAA/HITECH privacy and security compliance

Chopra can be reached at KChopra@strategicm.com or (703) 535-1413 for more information about using HIPAA experts to serve as a DPO.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction-screening.

Copyright © 2018 Strategic Management Services, LLC. Published with permission.