Thursday, January 22, 2009

3 I's

There's no avoiding it; there's a new sheriff in town. With the coming change of administration, and a Congress far more open to the idea of regulation, spurred by the recent problems in the lending sector, there is little doubt that we will be seeing a spate of new regulations and regulatory bodies, as well as an increase in the enforcement of existing regulations, such as Sarbanes-Oxley, HIPAA, and GLBA.


The last few years have been full enough of regulatory landmines for the unsuspecting IT department. At the same time, though, enforcement has been lax. For example, under HIPAA, which has a complaint-driven enforcement process, there have been over 32,000 complaints over the last five years, but fewer than a dozen prosecutions. In fact, according to the Inspector General of HHS, the Center for Medicare and Medicaid, an enforcement entity, "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions."


Look for this to change, perhaps dramatically. HHS has already started an audit program, and several statements by various heads of congressional committees have indicated that for regulatory slackers, the party is over.


So what does this mean for those poor souls charged with maintaining regulatory compliance in organizations which, up until now, haven't really felt all that much pressure? For many it means changing the view they have had of compliance. Careful planning and fresh approaches will be the key to coping with new regulation as well as old regulations newly enforced.


Invisibility, Integration, and Integrity. These need to become our new watchwords as we move forward into the unknown territory of compliance. Most important is invisibility. No matter what systems, programs, rules or processes we come up with, if they are not designed to impact the end user as little as possible, then they will be bypassed. History has shown us that as little as one extra step in a work sequence will cause end users to find ways to bypass or ignore it, unless the user perceives the added step as needed to perform their primary work function. Nowhere is this more evident than in healthcare, where regulatory steps, especially HIPAA-related ones, are seen by many as time-wasters and barriers to providing care to patients. If the end-user experience is not included in compliance planning, then whatever solutions are chosen will inevitably fail.


Compliance solutions need to integrate with existing systems, including technical, organizational, and workflow systems. A tacked-on compliance solution will be resource-wasting, time-wasting, and ultimately ignored. Email solutions, for example, should use existing systems for both secure and non-secure communications, instead of creating a new and separate system just to handle secure communication. Relying on end users to judge which of two parallel systems to use leads to frustration at best. Systems should be chosen to maximize ease of integration with what is already in use.


Usually when IT security people talk about integrity, they are talking about keeping your data consistent, but in this case I am using it in the ethical sense. You cannot expect your end users to comply if you aren't complying yourself. You can pretty much expect that any shortcut or bypass you use will be found and exploited by your users, too. Set that example, talk to your users, and make certain that what you do is what they should be doing, too.


Three I's: invisibility, integration, and integrity. Keep these in mind as you plan, implement and administer your compliance solutions and you will find the entire journey to compliance land much, much smoother.

10 comments:

Hipaa Compilance said...

Enforcement of compliance regulation is must for many organizations but implementing, establishing and maintaining of same is a tough task due to complexity and cost. Hipaa Compliance provides a wonderful and valuable template suite which any organization, small or big, can use to meet their compliance requirements for Sarbanes Oxley (SOX), FISMA, ISO 17799 or any other regulation/standards requiring business impact analysis, risk assessment, disaster recovery planning (DRP), business continuity plan (BCP) and Testing & Revision of Plan.

Adria Stembridge said...

When storing notes/comments entered by health workers, does HIPAA mandate that each note be stored separately in a database? The legacy system I work with stores all notes in a single blob - users are required to add their initials and date manually. Does this have to be changed per HIPAA regs? Thanks!

Marcin Kurzawa said...

HIPAA email free trial accounts are available at http://securemedical.net and http://mdemail.net

Compliance Automation said...

A compliance solution is an approach that helps ensure that investments deliver benefits beyond meeting and fulfilling a single compliance requirement.
Nice mention of great information.
Thanks for sharing and keep posting more like this.

Regards,
Helm360

emily said...

That was a really informative post. While searching online for HIPAA testing and compliance services I came across your blog. Thanks for sharing all this information. Looking forward to reading such informative posts in the future.

Animesh Singh said...

Thanks for the FANTASTIC post! This information is really good and thanks a ton for sharing it. I'm looking forward desperately to the next post of yours.
HIPAA Privacy Training

Amarjeet Prasad said...

Fantastic blog! I don't think I've seen all the angles of this subject the way you've pointed them out. You're a true star, a rock star man. You've got so much to say and know so much about the subject that I think you should just teach a class about it...HaHa!
HIPAA Certification

Anonymous said...

Found a great resource of HIPAA Compliance information along with HIPAA Forms and Posters.
HIPAA Laws & Compliance
HIPAA Posters

Amarjeet Prasad said...

I just wanna thank you for sharing your information and your site or blog. This is a simple but nice article, the best I've ever seen like it; I learned something today...

HIPAA Training
HIPAA Certification