last updated 10/31/02
Can I Do It Myself?

You may take a number of different approaches to complying with the HIPAA Privacy Rule:

DOING IT YOURSELF:

This approach is recommended for only the very largest and the very smallest organizations.

Large Organizations. While any organization with in-house legal staff certainly has the legal capability to bring the organization into compliance, whether to do so is a resource question that only the organization itself can answer. In-house compliance will require that in-house counsel be diverted from their normal tasks (1) to familiarize themselves with the regulations and the accompanying government commentary and guidance and (2) to supervise actual compliance work. Whether coming into compliance in-house is more cost-effective than outsourcing this task is a question only the organization can answer.

Small Organizations. Very small organizations (one- to two-person physician groups, small medical billing organizations) may wish to come into compliance by themselves, perhaps with the help of a do-it-yourself guide. CAUTION: Be sure that the guide you use is written by an attorney licensed to practice law in the State of California. Any guide you use will advise you on how to comply with HIPAA in California, which is the practice of law. You would not go to an unlicensed doctor. Do not take HIPAA advice from an unlicensed consultant. In addition, be aware that large parts of the HIPAA Privacy law do not require that you follow any particular policies and procedures. If, however, your do-it-yourself policies and procedures manual states that you will follow certain policies and procedures, you must do so. In the long run, it may be cheaper to choose an option that will give you privacy policies and procedures based on the way YOU actually work rather than being forced to change the way you function to meet a one-size-fits-all solution.

USE A SPECIALIZED FIRM:

JK Health Information Privacy Advisors specializes in helping California healthcare organizations come into compliance by the April 2003 deadline with the new federal regulations governing the privacy of healthcare information. The firm performs all the legal AND non-legal tasks needed to bring your organization -- whether a solo practice or a large healthcare organization -- into compliance with the HIPAA Privacy Rule. The firm brings the credentials and depth of experience of a larger law firm to the task of HIPAA compliance, unencumbered by the costs and constraints of those firms. The firm prides itself on the flexibility to arrange the kind of cost structure -- hourly, fixed-fee, project-based -- that will fit into your organization’s current financial plan. For a complimentary consultation, email the firm at info@jkhipa.com or call Kazu Sano at (415) 773-2861.

USE A GENERAL-PRACTICE LAW FIRM:

Farming compliance out to a law firm is certainly a recommended option. Law firms have access to a pool of talent with very strong analytic and legal skills. In addition, any large law firm with a health law practice will have someone with HIPAA compliance experience.

Be wary, however, of claims that only large law firms can meet the needs of large healthcare organizations. That claim may be true with respect to transactions requiring specialized knowledge in a broad range of subjects (a transaction having issues involving labor law, regulatory compliance, M&A, and securities, for example). It is less true in a regulatory compliance situation like HIPAA compliance, which requires specialized knowledge of a particular area.

DO NOTHING:

This is not a recommended approach, although certain healthcare organizations seem to be adopting it. Some count on a deadline extension similar to the one for transaction and code sets. Others believe that they are not financially able to take on the expense of compliance and calculate that their odds of suffering a compliance audit are sufficiently low to risk waiting until cash flow allows compliance.

Be aware of the following. First, HIPAA is the law, and there are penalties for failure to comply.

Second, plaintiffs’ attorneys will undoubtedly try to sue healthcare organizations for their failure to comply. No organization should consider itself too large to attract the attention of plaintiffs’ attorneys. For example, using the same law (the Unfair Business Practices law, section 17200 et seq. of the Business & Professions Code) that would be used to target healthcare organizations, plaintiffs’ attorneys have sued tobacco companies and large grocery store chains. In addition, no organization should consider itself too small to attract the attention of plaintiffs’ attorneys. For example, using the same law, plaintiffs’ attorneys recently sued small minority video-store owners in California for violating copyright laws because they rented bootleg copies of foreign television shows.

At the end of the day, you can come into compliance now on your own terms with the help of someone with the flexibility to structure the kind of payment plan that will fit into your organization’s current financial plan. Or you can come into compliance later, under threat of court order and under the guidance of someone else’s attorney.