The compliance environment continues to get more complicated and more difficult to understand. As we move forward, we must be flexible in our response to this ever-changing environment. While there are many factors making compliance more complicated, this article focuses on three: increasing number of agencies involved in compliance, resources and misunderstanding our mission.
"One way we can become aware of projects is to inject ourselves into the procurement process"
A key area making compliance more difficult is the increasing numbers of agencies involved in regulating the healthcare industry. Healthcare organizations must no longer be just concerned about the Office of Civil Rights for HIPAA enforcement; we must now be concerned about enforcement from other agencies like the FTC. And just because one agency says your cybersecurity practices are sufficient does not mean the other agencies will agree. The FTC states that vulnerable or exposed date is an unfair business practice. The FTC can also determine that a company’s security practices were unreasonable or likely to cause harm to consumers without any tangible harm to the consumer. Any insufficient practices are enforceable under Section 5 of the FTC act. Since 2015, The FTC has agreements with nine companies enforcing cybersecurity. The FTC has released guidance for businesses. Further the OCR has issued guidance on HIPAAs intersection with the FTC. We must, therefore, review what the FTC has published and compare that with what the OCR has published and continues to publish.
Then there is always the fight for resources, both money and manpower. We are constantly under pressure to reduce our budget and to review the necessity for our head count. I remember a question my CEO asked when we were implementing a patient privacy portal: “Can you reduce headcount?” Our senior executives are continually bombarded with requests for more: more money, more people, more supplies, etc. Our challenge is to make sure our senior executives understand the risks and consequences of non-compliance. We need to communicate in terms they understand. They understand risk as they live risk every day. For example, they may not know what “encryption” is, but they will know the risk of not encrypting when you explain to them the OCR has fined institutions in the hundreds of thousands of dollars for not encrypting. With this information, they can then make informed decisions on whether to purchase a new MRI or purchase encryption.
This brings me to my third point: most people do not understand what we do, what our mission is. To help with this, I always tell people that I have two objectives: Protect the patient, protect the institution and I cannot do one without the other. For instance, when we find billing errors and stop those bills from going out until they are fixed, finance sees us blocking revenue. Hardly ever are we seen as preventing large fines had we allowed those bills to move forward for payment. We need to work with the CFO and her organization to ensure that they understand why we are not automatically forwarding bills. We are also seen as blocking innovation when we say we need to take a deeper look at projects that pose risk to the organization. Because of this of this thought process, we are not members of the project teams and, therefore, cannot provide input into the project until we find out about the project which usually not until the project has already been approved. One way we can become aware of projects is to inject ourselves into the procurement process so that we become aware of projects early in the process. We can then provide our guidance on the project that will accomplish the project’s objectives as well as protecting the institution.
The compliance landscape is only getting more complicated. As the organization responsible for knowing and maintaining compliance with this ever changing environment, we need to continue to be innovative in keeping current with these regulations so that we may continue to protect the patient and protect the institution.