Today, compliance is largely manual. It is a once-a-year ritual in which an organization scrambles to gather evidence for an impending audit. Once the audit is over, people heave a sigh of relief until the next cycle. In today's complex and ever-changing regulatory environment, however, there is a dire need for automation and for continuous compliance. Managing compliance (and non-compliance) by hand is no longer an option.
This is the second post in a series on handling Health Insurance Portability and Accountability Act (HIPAA) compliance. Here we discuss what HIPAA means for continuous compliance. In subsequent articles we will show how Assertion, a compliance automation platform, can be used to automate HIPAA compliance.
HIPAA covered entities (health care providers, health plans, and health care clearinghouses) are exposed to the compliance failures identified by the Office for Civil Rights (OCR). That exposure extends to business associates and to non-healthcare organizations that sponsor health plans for their employees. The cuts to OCR's budget presented in the 2018 Congressional Justification also change the way OCR will be able to respond to compliance issues.
The changes listed here represent OCR's new objectives, which are aligned with the 2018 strategic plan of the Department of Health and Human Services (HHS).
- Raising compliance awareness and understanding through public education, corrective action, and policy updates
- Enhancing the efficiency of operations that manage outreach programs, resources, education, and processes
Overall, OCR's goal is to protect the privacy and security of individually identifiable health information. Enforcement activity will increasingly focus on health information privacy, which means that failing to comply will become more expensive for an organization.
Continuous compliance means taking the initiative to verify that everyone and everything that interacts with an organization is HIPAA compliant according to the policies and procedures the organization has established. These verification initiatives include:
- routine assessments of the administrative, technical, and physical risks for an organization
- increasing visibility of data flows through social and mobile technology
- increasing awareness of business associate agreements, state laws, and vendor products and services
OCR requires all covered entities to implement policies and procedures that protect health information and ensure compliance with the Final Privacy Rule. Maintaining continuous monitoring places a heavy burden on a healthcare organization's time, budget, and resources. Organizations may struggle to implement the risk analysis requirements and to prepare for OCR audits that span administrative, personnel, and technical departments. Not every organization can afford to rely on vendors and software tools for auditing, given the cost of vendor services, the skilled staff needed to operate the tools, and the growing complexity of integrating disparate systems. Even organizations that can afford tools and services may find that enforcement still requires audits comprehensive enough to cover every area of the organization.
If an organization relies on legacy systems, its policies and procedures will need to cover the necessity, usage, and administration of those systems. A reliable audit trail and technical compliance are even more critical here, because maintaining these systems carries a high risk. Monitoring how employees use these systems in particular yields meaningful analytics about user behavior and usage.
Legacy systems must either be upgradable to current platforms or be completely redesigned so that monitoring is feasible. Additionally, access to shared repositories, spreadsheets, databases, and other personal productivity tools will need to be verified: despite the availability of sanctioned tools, employees will create records of their own to assist them in their work. Auditing how employees use software and tools during routine downtime is also valuable, and organizations may discover that they need to implement automated downtime solutions to satisfy their policies and procedures.
Cyber-crime is another area, spanning administrative, physical, and technical safeguards, that requires prevention and benefits from continuous compliance. Increasing attacks on healthcare organizations are prompting OCR to issue new recommendations for covered entities on social media, texting, and encryption.
The Departments of Commerce and Homeland Security address the opportunities and challenges organizations face in their "Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats," published on May 30, 2018. The report sets out the following goals that stakeholders should pursue in addition to their ongoing activities:
- Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
- Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
- Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.
- Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
- Goal 5: Increase awareness and education across the ecosystem.
An organization faced with the onerous task of maintaining compliance will find that it has either no tools, too few tools, or too many tools to manage its diverse regulations. Many compliance tools exist; however, they are largely unused by covered entities, due in part to a lack of knowledge and training, the cost of implementation, applicability to only specific segments of the organization, and the absence of any mandate requiring their use. As the cost of compliance failure rises, it benefits an organization to consider implementing a comprehensive automated solution, like Assertion, that does not leave gaps in the process.
Next up, the role of AI in compliance automation.
References:
- Administrative, Technical, and Physical Safeguards
- Office for Civil Rights 2018 Congressional Justification
- Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats