Tuesday, August 09, 2005

Gonna Teach You to Love Me

Do you need to be a tech to understand and supervise compliance? This entry in Computer World chronicles the frustrations of a manager trying to deal with a non-technical person in the role of compliance officer.

"We were at an impasse created by that long-ago misunderstanding about the nature of the ISO position. When the HIPAA security rule went into effect, covered entities such as my agency were required to designate someone to handle ISO responsibilities. Many covered entities noticed that roughly 80% of the policies and plans required by the HIPAA security rule are categorized as "administrative," only 5% or so are categorized as "technical," and the rest are categorized as "physical."

Here's the misunderstanding: Even though the bulk of the policies are deemed administrative, implementing the policies is primarily a technical exercise. I believe -- and many may argue with me -- that writing a good policy requires a solid understanding of what technologies are available to implement the plan. You need some technical knowledge to be able to visualize the plan. You can't say, "Thou shalt do thus" and not be able to "do thus."

I believe that compliance management can be done by non-technical people, but it is difficult, and the same flexibility and trainability that make for a good employee in every other role are indispensable here. If your compliance officer isn't technical, they need to be willing and able to build at least a foundation of technical understanding. Just as anyone else would be expected to grow into their position, so should the non-technical compliance officer make every effort to learn the basics. It sounds like this one was given the opportunity and failed to step up to the plate.