HIPAA may show up in areas you haven’t seen before. If you are assessed by any other organization or for any other reason, HIPAA questions may start showing up.

We have heard or seen HIPAA showing up in many new areas like:

  • Insurance Policy Applications
  • Partnership Negotiations
  • Funding discussions
  • URAC accreditation (URAC was formerly known as the Utilization Review Accreditation Commission)

This episode is a discussion on why HIPAA is showing up in other places and why we expect that trend to continue.


HIPAA Assessments In Other Places Now, Really?

Don’t think it is just the OCR or HHS who may be asking you about your HIPAA compliance. The times continue to change. More places keep showing up where HIPAA is creeping into the mix. It is like an ooze of compliance filling holes that people didn’t know existed.

HIPAA Ooze.  Maybe like the Mutant Ninja Turtle Ooze.

Utilization Review Accreditation Commission (URAC) audits are now asking for specific HIPAA compliance evidence.

  • Updates every 3 years
  • 3 years ago there were little if any HIPAA references
  • Risk Analysis and other specifics are included now
  • Prospects and clients of business associates (BAs) are asking for proof of HIPAA compliance.

Software companies are receiving multiple requests for details on their compliance and security programs.

You maintain HIPAA compliance, not attain it.

You can be HIPAA compliant one day and not the next.

BA due diligence questions from long-standing clients are going to start showing up, and many BAs are going to be surprised by them. HIPAA assessments will start to matter much more than many of them think they do today.

Venture capital folks will be asking to see HIPAA compliance evidence for healthcare IT companies before they invest. HIPAA assessments give them some indication of the breach liabilities they may be taking on with an investment or loan.

It is just a matter of time before patients will be asking about it as they vet you against other providers. Do you really work miracles so spectacular that I am willing to give up my privacy?

What about a potential new hire or partner asking about it? Would you want to join an organization that isn’t doing the work? What if you tied yourself to a group and never asked about it, and three months after you start there is a major breach? Years of legal responses to OCR, dealing with reputation issues, monitoring protections for patients, fines and corrective action plans (CAPs) will be required. It is worth asking before making those commitments.

As we mentioned before: The climate of data breaches will only continue moving more businesses under the requirement to meet these types of obligations.


David’s soapbox moment for this episode: you know you can help solve the major privacy and security problems you see happening in an office, and all they want to ask about is cost. It isn’t just about HIPAA compliance; it is about the investment in taking care of your business, no matter what business you are in.

HIPAA-critical much?

Financial Firms Take Note article. (The part David tried to move to the top.)