While there is a focus in today’s industry on achieving HIPAA compliance, the larger effort is maintaining the standards the designation requires. The fortunate truth is that with proper planning for efficient execution of maintenance activities, this effort can be substantially reduced. Preparation for those activities also reduces the risk of compliance violations.
Changing the way an organization thinks about compliance activities makes compliance a natural outcome of process automation, and not an ongoing challenge. In this article we are going to discuss how using a process automation tool like Blue Relay takes the effort and worry out of HIPAA compliance.
What is HIPAA Compliance?
HIPAA compliance applies to covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and to the business associates that create, receive, maintain or transmit protected health information (PHI) on their behalf.
Compliance is required to keep that health information secure and private.
Background
Achieving and maintaining a wide variety of compliance levels is a core function of most organizations offering business to business (B2B) products or services. As an important example, HIPAA compliance is a top priority in the health care industry, and notably many of their associated product and service providers (or ‘Business Associates’).
While achieving HIPAA compliance can be challenging for organizations, remaining HIPAA compliant and ensuring consistency across all activities and processes has the potential to be the bulk of the lifetime effort—but it is also where the real value is obtained for all parties.
To support our discussion, let’s consider the HIPAA compliance lifecycle. While there are hundreds of renditions of the specifics, we see the core elements of the lifecycle as follows:
HIPAA Compliance Lifecycle
- Risk Assessment
- Remediation
- Policy Update
- Program Education
- Policy Maintenance
- Education Refresh
- Process Diligence
- Event Monitoring Automation
- Tracking and Visibility
It would be nice to think of the entire program as linear, a simple machine running unattended into the future, but in reality it is a continuous cycle that requires nurturing and updating. The lifecycle diagram, summarized in the list above, illustrates this ongoing process and its key components.
Becoming versus Maintaining HIPAA Compliance
Many organizations view the process of becoming compliant as the main activity of their HIPAA compliance program. In most cases this activity requires, or can be accelerated by, a skilled third party like Third Rock. The third party completes a risk assessment and guides the team’s remediation program. The initial project is of course key to identifying the controls in place in the organization, assessing the risks associated with any deficiencies, and proposing steps to correct the deficiencies and reduce each risk.
A good third-party service provider will continue on as your partner in your HIPAA compliance journey, define the policies necessary for long-term maintenance, and in most cases help with the education of your team members (the darker arrows in the compliance lifecycle above). Even with an ongoing service provider relationship offering periodic assessments and improvements, it is the day-to-day execution that is guaranteed to continue for years, or decades, to come. A clear strategy for long-term compliance program maintenance will both reduce ongoing resource consumption AND mitigate the risk of non-compliance, with all of its associated costs and impacts.
Compliance Program Implementation
Implementation of most compliance programs consists of the following activities:
Risk Assessment
Identify the controls and activities (or the absence of them) that introduce risk to protected health information and to the other information assets of the organization.
Remediation Plan & Implementation
Identify the technology investments, alterations, training, and process implementation required to reduce or eliminate the risks identified by the risk assessment.
Policy Update
Define the elements of the remediation plan as well as existing controls required to reduce or eliminate the risks. These are living documents—integrated into the activities and decisions of the entire organization.
Program Education
Elevate the knowledge and activity compliance of all human elements within the organization as part of the remediation plan.
Measure, Track and Repeat
Measure and track the results of the remediation program to validate successful execution and identify risks for future remediation and improvement.
So why isn’t this the complete picture? Because the activities above are really the starting point of your compliance program. Implementing the processes and tools that ensure ongoing compliance is the most important component of the program’s success.
Compliance Program Maintenance
Once the initial definition of your HIPAA compliance program and associated controls is complete, it is critical to ensure compliance on an ongoing basis. This is where compliance programs can “go off the rails”. The elements of ongoing continuous compliance should comprise:
Policy and Control Management
A content management solution with version tracking and content analysis is essential for managing evolving requirements, implementation responsibilities, and tasks. Flexible automation of review and approval lifecycles for all compliance stakeholders is table stakes for that solution.
Continuous Learning
As policies and controls change and evolve, keeping team members educated becomes a constant challenge. A learning delivery and management platform is essential to track training completion and to raise alerts when required training lapses.
Process Due Diligence and Orchestration
Activities that support compliance must be tracked to confirm they are executed according to standards, covering both business and technology aspects. Again, automating basic and necessary capabilities avoids oversights in activities that are repetitive and frequently monotonous.
Control Management and Tracking
Implementing a solution to track and validate all technical controls and configurations is also an essential element of your organization’s ongoing compliance programs.
Event Response Orchestration
Implementing toolsets that assist with, and where necessary enforce, process provides the assurance that the risks associated with high-impact events are mitigated according to your carefully crafted and well-defined processes.
Visibility, Tracking and Activity Audit
Your organization needs visibility, tracking and activity audit as a means to prove the effectiveness of your HIPAA compliance program, build confidence in the program, and support continuous improvement.
HIPAA Compliance Example
We, the creators of Blue Relay (Indellient), have direct experience implementing compliance controls through our own HIPAA compliance program. Third Rock performed the risk assessments, remediation plans and policy development, and provided ongoing assistance with policy updates as compliance requirements evolved for our software and service businesses.
Our compliance team successfully implemented the policies and controls, but quickly learned how easily minor deviations from defined processes and procedures could open up risk. To address this challenge, we used a set of simple, inexpensive components, with Blue Relay providing the automation, orchestration, tracking and verification of the compliance program.
Conclusion
In addition to the confidence created by the automation effort, the orchestration it provided improved Indellient’s compliance with the suite of activities defined by our policies, particularly those with longer periodic implementation cycles.
In short, our efforts and investments would not have realized maximal return in risk mitigation without the tools to streamline ongoing compliance automation, and without Blue Relay.