How to Choose the Right HIPAA Consultant for You: HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Alice M. McCart

If you need or think that you may need a qualified HIPAA consultant but have no idea how or where to begin to look for one, consider this three-step process:
1. Decide what your purpose is for hiring a HIPAA consultant.
2. Search in accordance with your purpose.
3. Nail down credentials of possible candidates.

1. Decide what your purpose is for hiring a HIPAA consultant. You may find yourself in need of a qualified HIPAA consultant for one or more reasons, such as any of the following, among others:
a. To train your workforce, as required under HIPAA.
b. To help you complete/update your written Risk Analysis, as required under HIPAA.
c. To help you draft and implement your HIPAA policies and procedures, based on your written Risk Analysis, including those required under HIPAA, those that are addressable under HIPAA, and those that are optional but that you need in your situation even though HIPAA nowhere mentions them.
d. To square away your HIPAA IT issues.
e. To serve on your side as an expert witness in litigation.
f. To represent you in a breach or complaint investigation or an audit by the Department of Health and Human Services (“DHHS”).
g. To get you totally compliant.

2. Search in accordance with your purpose. Once you have decided on your purpose for hiring a HIPAA consultant, you will be able to use that purpose to help you search for a qualified HIPAA consultant to help you achieve your goal(s). First, consider that not all HIPAA consultants are created equal, so buyer, beware:
a. Some HIPAA consultants are attorneys, and most attorneys do not know anything at all about HIPAA even if they call themselves HIPAA consultants.
b. Some HIPAA consultants are health information management (“HIM”) types, who likely know quite a bit about recordkeeping but who may not know anything at all about the law, particularly HIPAA as that law changes.
c. Some HIPAA consultants are IT types, who may know a lot about systems, pen testing, meeting Meaningful Use requirements in an EHR, how to build a HIPAA compliant patient portal, and so forth, but may not know much of anything about law, required policies and procedures, or recordkeeping.
d. Some HIPAA consultants are merely unqualified people who call themselves HIPAA consultants in order to jump on the HIPAA bandwagon with its big bucks, but who do not know anything in depth about HIPAA law, required policies and procedures, risk analysis, recordkeeping, or IT.
Second, once you have decided what type of HIPAA consultant would most likely be able to help you achieve your goals, consider the following search resources, among others:
a. Google or other search engines.
b. Professional associations in your area of practice who may have lists of HIPAA consultants to recommend.
c. Colleagues in other practices or specialties who may have found someone to help them with their HIPAA issues.
d. Health care seminar/webinar companies, who often provide bios of their speakers.
e. Lists of people who have been certified to appear as expert witnesses on HIPAA in individual cases.

3. Nail down credentials of possible candidates. Once you have found possible candidates, nail down their credentials or lack thereof:
a. References from their HIPAA consulting clients.
b. Bios, resumes, and CVs, including lists of books and articles published when and by whom.
c. Licensure status, complaints against them, and any other public information.
d. Phone calls and/or in-person interviews with possible candidates to find out how long they have been HIPAA consultants, how many clients they have, what their track record is for their HIPAA clients against the feds, whether they have ever been certified as an expert witness in litigation in the area where you need help, whether they have received awards and accolades for their HIPAA consulting work (make sure to verify accuracy of any such reports), and where they received their HIPAA training and from whom.

Part of your problem is that DHHS has no qualification process or rules for who can call themselves HIPAA consultants. But if you use these three steps, (1) decide what your purpose is for hiring a HIPAA consultant, (2) search in accordance with your purpose, and (3) nail down credentials of possible candidates, you should be able to find and hire a qualified HIPAA consultant to help you achieve your HIPAA compliance goals. Of course, watch out for glaring errors and red flags, such as someone who tells you that, if a policy or procedure is addressable under HIPAA, it means that you don’t have to do it. Run away from that wannabe as fast as you can and keep looking.

Of course, you could save yourself a lot of work and time and money if you would simply hire my favorite nationally recognized HIPAA consultant, expert witness, trainer, and so forth: Jonathan P. Tomes. He is available at

Jon has written a new sample Photographing, Videotaping, Filming, Video Recording Policy, and it is now available for you on the Premium Member section of It recommends obtaining a written consent and a model release. Both of those samples are also available on the Premium Member section. A sample model release is also available on the HIPAA Documents Resource Center CD, 6th edition.
