Outsourcing HIPAA compliance is a very attractive option for smaller businesses. You may wonder, is outsourcing my HIPAA compliance worth it? In many cases, the answer is yes. The starting salary for someone with information and cyber security experience and certifications can be 110K+ a year. When you factor in the need for HIPAA compliance experience on top of that, the number goes up even more.
When you add benefits such as health insurance, PTO, training, payroll taxes and the other expenses of keeping someone on staff full-time, the total can push upwards of 200K a year. If you’re a small office, that can be too much. You can spend a fraction of that if you outsource your HIPAA compliance to a knowledgeable, experienced third party.
You don’t really need a full-time onsite staff member to handle only your HIPAA compliance. Many companies will choose to have the person who handles HIPAA compliance handle other tasks as well, such as system administration, development or other related work. This then becomes an issue, especially when those other tasks take up more and more time and crowd out managing HIPAA compliance.
Outsourcing will allow you to focus on what you do best: providing health care services. You can initially put policies, procedures and technology in place, but they will still need constant monitoring and management, and that’s where outsourcing will help you fill in the gaps. Keep in mind that outsourcing does not transfer accountability: a covered entity remains responsible for its own compliance, and any provider that creates, receives, maintains or transmits PHI on your behalf is a business associate and must sign a business associate agreement (BAA) before it touches that data. Some reasons to consider outsourcing include:
- IT Security is not a core competency of your business, and you do not have the appropriate staff to handle it.
- Attracting and retaining top talent is time consuming and expensive.
- Outsourcing can make it easier to manage your HIPAA compliance costs by converting variable costs into fixed, predictable costs.
- Outsourcing is often cheaper than hiring full-time staff.
- The cost to continually train full-time staff can get expensive.
- Outside expertise is readily available and willing to help.
- Outsourcing gives you experts at your disposal whenever questions arise regarding the latest HIPAA and HITECH regulations.
- You gain access to threat intelligence and security trend data across many clients that would be difficult to acquire with a single in-house staff member.
Some of the more common tasks that health care organizations outsource are:
- HIPAA Privacy & Security gap analysis
- Risk analysis
- Penetration testing
- Vulnerability Assessments
- Information Risk Assessments
- Policy & Procedure development
- Server & workstation security
- Web application security
- Employee awareness training
- Incident response management
- Contingency & Disaster recovery plan development
- Ongoing security audits
- Breach notification activities
- Ongoing network and systems security monitoring
It’s important to note that “outsourcing” is not the same as “offshoring”. Offshoring means sending the work to a provider in another country, usually to take advantage of lower labor costs or skills that are scarce locally. We highly recommend you avoid offshoring something like HIPAA compliance, as these providers may not have the necessary background to fully understand the US HIPAA rules and regulations, and they are still subject to the same business associate obligations if they handle your PHI.
However, offshoring may be a reasonable choice for custom software development if you have a low budget. But again, you get what you pay for. It will require someone with HIPAA compliance knowledge to review anything the offshore team develops. The result may not be fully HIPAA compliant unless the requirements given to the offshore team are clear and concise and explicitly spell out the HIPAA requirements the software must meet.