As the stakes rise for meeting HIPAA Privacy, Security and Breach Notification rules, it’s becoming more important for healthcare organizations to have a coordinated strategy for identifying and addressing all the regulations and standards that apply.

As my column discussed yesterday, because compliance is an essential element of every healthcare business model, it’s imperative to have a cross-organizational compliance program in place that establishes a coordinated effort across departmental boundaries. Compliance accuracy is important because of the potential high costs associated with possible fines, penalties and lawsuits.

Developing a cross-organizational compliance program formally assigns the accountability and responsibility for proactively identifying and complying with regulations and standards that apply to the organization.

In terms of the characteristics of an effective cross-organizational compliance program, five primary areas should be addressed:

  • Organizational alignment
  • Training
  • Communication
  • Research and review
  • Governance, risk management and compliance oversight

Yesterday, we discussed organizational alignment, training and communication. Today, we’ll touch on the characteristics of research and review, and then governance, risk management and compliance oversight.

Research and Review
The compliance officer should continually review the organization’s operations and practices for compliance with applicable regulations and standards, and should develop tests and other methods to gauge the effectiveness of the organization’s compliance program. At a minimum, these methods should include:

  • Self-initiated or internal requests for research of individual matters. Research individual regulatory-related matters using available reference materials and resources, including the applicable federal regulation, official staff commentary, General Counsel Opinion Letters, and trade regulatory guides, manuals and periodicals. Document and communicate the matter, the resources used, the finding, and the resolution or recommendation, so that the record supports the analysis and the conclusions reached through thorough investigation and sound reasoning. The response and recommended action should be based on regulatory requirements, and should take into account applicable penalties, streamlining efforts, cost effectiveness, safety and soundness, and proper maintenance of the internal control structure.
  • Compliance reviews. On an ongoing basis, perform compliance reviews of organizational functions, operations and practices against applicable regulations and standards, ensuring that each area and operation is evaluated as to its overall state of compliance. Compliance reviews may be performed in a variety of ways, from reviewing a single regulatory requirement to reviewing overall compliance with all applicable regulations and standards. Compliance with a specific regulation or standard may be reviewed on an enterprise-wide basis, or a specific department may be reviewed for compliance with all of the regulations and standards applicable to its operation. Regardless of how compliance reviews are approached and performed, documentation should be maintained to support the work and the conclusions reached, and to demonstrate the organization's compliance efforts for self-evaluation. Compliance reviews should use appropriate, effective and reliable means to determine results, including third-party reviews, random sampling and compliance checklists.
  • Continuous reviews. Policies and procedures, agreements and disclosures, and all other related material should be reviewed by the compliance officer prior to finalization and publication to ensure compliance with applicable regulations and standards.
  • New and revised regulatory and standard requirements. Material received regarding new or amended regulations or standards that impact the organization should be distributed to all affected areas in a timely manner. An analysis of the impact of any changes should accompany the material, along with recommendations for the action necessary to achieve compliance. A task force comprising representatives from the affected areas should be established to ensure that all necessary changes are implemented.

Governance, Risk Management and Compliance Oversight
Implementing a compliance monitoring, tracking and management system such as a Governance, Risk Management and Compliance (GRC) solution facilitates the coordinated review of applicable regulations and standards while providing oversight and helping achieve and maintain overall compliance. GRC solutions provide a centralized compliance management perspective and are supported by a set of capabilities that can improve your organization's ability to effectively address compliance requirements. Organizations can also reduce compliance reporting costs by applying GRC automation to the management of written policy content, the assessment of process-oriented controls and the audit of technical configuration settings. GRC encompasses three primary disciplines:

  • Governance. Establishes decision structures and tracking mechanisms; determines how decisions are made, who makes the decisions, who is accountable and how the results of decisions are measured and monitored. The governance process may involve C-level executives, boards and steering committees.
  • Risk management. Creates the ability to uncover risk, mitigate adverse effects, and identify opportunities for improvement. Risk management activities should be comprehensive and ongoing in order to deal with a constantly evolving threat environment; a defined risk management process also allows greater oversight and accountability.
  • Compliance. Establishes and monitors security controls; ensures adherence to identified regulations, standards and internal policies; provides mappings of control requirements to regulations and standards; and assesses and reports compliance.

With a GRC solution in place, organizations are able to:

  • Decompose each regulation and standard
  • Define the organization’s strategy for achieving compliance
  • Identify distributed compliance owners with respect to portions of each regulation and standard
  • Associate information security policies and procedures with requirements
  • Identify technology or process provisions to be used to achieve compliance

GRC solutions can provide compliance reporting with the ability to roll up compliance data in a form that is acceptable to auditors. The function that maps security controls and policies to requirements, together with the ability to automate the collection of control information, are the key capabilities in the area of compliance reporting.

GRC solutions can also provide compliance dashboarding that can support the organization in making decisions based on compliance information. Dashboards are based on the current state of process compliance, technical control compliance, vulnerabilities and the business use of evaluated IT assets.
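As an added illustration of the mapping and roll-up capabilities described above (my own example code, not taken from the column or from any GRC product), the block below models requirements decomposed from each regulation, controls associated with policies and mapped to those requirements, distributed compliance owners, and a roll-up that flags every requirement whose mapped controls failed automated collection or that has no control mapped at all. The requirement references, control names, policy names and collection results are constructed placeholders, not citations of the actual rule text.

```python
"""Constructed model of GRC control-to-requirement mapping and compliance roll-up.
Added example, not from the original column or any vendor product."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    regulation: str   # label of the decomposed regulation or standard
    ref: str          # constructed placeholder reference, not a real rule citation
    owner: str        # distributed compliance owner for this portion


@dataclass(frozen=True)
class Control:
    name: str
    requirements: tuple   # refs of the requirements this control satisfies
    kind: str             # "process" or "technical"
    policy: str           # constructed name of the associated policy document


# Constructed decomposition of three rules into single-line requirements.
REQUIREMENTS = (
    Requirement("HIPAA Security Rule", "SR-01", "IT Security"),
    Requirement("HIPAA Security Rule", "SR-02", "IT Security"),
    Requirement("HIPAA Privacy Rule", "PR-01", "Privacy Office"),
    Requirement("HIPAA Breach Notification Rule", "BN-01", "Legal"),  # no control mapped
)

# Constructed controls associated with policies and mapped to requirements.
CONTROLS = (
    Control("unique-user-ids", ("SR-01",), "technical", "Access Control Policy"),
    Control("access-review-quarterly", ("SR-01",), "process", "Access Control Policy"),
    Control("audit-log-retention", ("SR-02",), "technical", "Logging Policy"),
    Control("workforce-privacy-training", ("PR-01",), "process", "Privacy Training Policy"),
)

# Constructed output of automated control collection: control name -> passed?
# A technical result would come from a configuration audit, a process result
# from an assessment; both are stand-ins here.
RESULTS = {
    "unique-user-ids": True,
    "access-review-quarterly": True,
    "audit-log-retention": False,
    "workforce-privacy-training": True,
}


def roll_up(requirements, controls, results):
    """Roll compliance data up per regulation.

    Returns {regulation: {"met": n, "total": m, "gaps": [...]}}.  A requirement
    counts as met only when at least one control is mapped to it and every mapped
    control passed; anything else is recorded as a gap with its owner, so the
    report can be handed to the responsible area rather than just to an auditor.
    """
    by_ref = defaultdict(list)
    for control in controls:
        for ref in control.requirements:
            by_ref[ref].append(control)

    summary = {}
    for req in requirements:
        entry = summary.setdefault(req.regulation, {"met": 0, "total": 0, "gaps": []})
        entry["total"] += 1
        mapped = by_ref.get(req.ref, [])
        if mapped and all(results.get(c.name) is True for c in mapped):
            entry["met"] += 1
            continue
        failing = [c.name for c in mapped if results.get(c.name) is not True]
        entry["gaps"].append({
            "ref": req.ref,
            "owner": req.owner,
            # an unmapped requirement is itself a gap: nothing demonstrates compliance
            "failing_controls": failing or ["<no control mapped>"],
        })
    return summary


def dashboard(summary):
    """Percentage of requirements met per regulation, as a dashboard would show."""
    return {
        reg: (round(100.0 * v["met"] / v["total"], 1) if v["total"] else 0.0)
        for reg, v in summary.items()
    }


def gaps_by_owner(summary):
    """Group open gaps by distributed compliance owner for follow-up."""
    grouped = defaultdict(list)
    for reg, v in summary.items():
        for gap in v["gaps"]:
            grouped[gap["owner"]].append((reg, gap["ref"], gap["failing_controls"]))
    return dict(grouped)


if __name__ == "__main__":
    report = roll_up(REQUIREMENTS, CONTROLS, RESULTS)
    for regulation, pct in dashboard(report).items():
        print(f"{regulation}: {pct}% of requirements met")
    for owner, items in gaps_by_owner(report).items():
        print(f"open gaps for {owner}: {items}")
```

The point of the `gaps` list is the distributed-ownership idea from the bullet list: a roll-up that only reports a percentage satisfies the auditor, while one that also names the owner and the failing or missing control gives the organization something to act on.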


Brian Evans

Evans, CISSP, CISM, CISA, CGEIT, Senior Managing Consultant with IBM Security Services, assists healthcare organizations in building regulatory compliant information security programs.