6 Steps to Continuous Risk and Compliance Management
Risk management process in healthcare is complex due to the nature of the industry and factors such as the explosion in use of technology; vulnerabilities arising from these myriads of technology leading to cybersecurity threats; and regulatory, legal, and reimbursement requirements. With the pressure to remain compliant, the healthcare industry must approach risk management from a broad perspective by implementing sound enterprise risk management (ERM) programs. Here we provide you with a step-by-step guide to simplify your healthcare compliance and data risk security. This guide will focus on:
- Why corporate compliance in healthcare is critical
- Areas that healthcare organizations should focus on for compliance
- 6 steps to implementing a simple and nimble healthcare compliance and data security risk program
- Cost analysis of implementing a comprehensive compliance and risk management solution
Importance of Corporate Compliance in Healthcare
A well-structured healthcare Enterprise Risk Management and compliance program is critical in the current healthcare climate. Having such a program promotes a comprehensive framework for making risk management decisions that maximize value protection, including putting in place safeguards to mitigate cybersecurity threats and sensitive data exposure or leaks. This is essential in a time of continual changes to regulatory requirements and associated audits, and penalties for non-compliance.
In reinforcing the need for corporate compliance programs in healthcare, The Office for Civil Rights (OCR) created guidelines that healthcare organizations can follow to begin to develop compliance programs that meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). The guidelines, “The Seven Fundamental Elements of an Effective Compliance Program”, outline those elements that the OCR considers are essential in a corporate compliance program. The “Seven Elements” include:
- Implementing written policies, procedures, and standard operating protocols
- Designating a primary compliance officer and compliance committee/s
- Conducting effective training and education
- Developing effective lines of communication
- Conducting internal monitoring and auditing
- Enforcing standards through well-publicized disciplinary guidelines
- Responding promptly to detected incidents, offenses, and undertaking required corrective action
In addition to meeting HIPAA requirements, these “Seven Elements” also apply to the numerous other regulatory and security requirements that healthcare organizations must comply with such as the Medicare Access and CHIP Reauthorization Act (MACRA), the Payment Card Industry (PCI) data security standard, and the Federal Information Security Management Act (FISMA).
Areas of Focus for Compliance for Healthcare Organizations
Corporate compliance in healthcare and risk management must be organization-wide, however, there are some areas that are critical for all organizations to focus on. These include:
DARK WEB SECURITY MONITORING AND LEAK PREVENTION
Medical records can sell for 20 to 50 times more than other kinds of identity theft records. Sound compliance practices must take the dark web into account, and healthcare stakeholders should implement systems that can quickly and easily identify any compromised credentials or indications of stolen data and provide direction on actions to be taken.
SENSITIVE DATA PROTECTIONS
Healthcare organizations have a multitude of sensitive data which pose a security risk especially when being shared/accessed outside of internal protected systems. A good compliance program will include end point and data protection technology tools, encryption of local copies of data, and identification of sensitive data with rules governing access and distribution.
INTERNAL IT ASSET RISK AND COMPLIANCE MONITORING
All technological tools/assets used in healthcare pose a security risk and are susceptible to vulnerability threats. Healthcare security managers must implement consistent and regular monitoring and scanning of these assets to determine whether any have been compromised.
THIRD PARTY COMPLIANCE MONITORING
Third party vendors and contractors perform critical functions for the healthcare industry and are privy to sensitive health information. To comply with regulatory requirements, healthcare organizations need to have systems in place to monitor Business Associate (BA) compliance, and also perform regular sanctions and exclusion checks on all providers and contractors working with their organization.
STAFF COMPLIANCE MONITORING AND TRAINING
A 2018 report found that internal threats accounted for 56% of all data breaches in healthcare. Healthcare organizations must implement a solid risk and compliance program to include regular training of staff on their responsibilities to meeting HIPAA, patient privacy rights, and other compliance requirements. These activities must be tracked, monitored, and have audit trails to prove that the healthcare organization has conducted this training and sanction checking.
With all these areas of compliance to attend to, and the increasing threats of cyber attacks coupled with regulatory oversight, healthcare organizations need a solid and well-thought-out process to address compliance. A comprehensive ERM is essential and includes identification of key parties who will be responsible for addressing each of the different areas. Full buy-in is critical from all members of the organization to make any compliance program successful.
6 steps to implementing a simple and nimble healthcare compliance and data security risk program
With all the requirements and threats facing the healthcare industry, it can seem overwhelming for an organization to also establish a consistent, effective and easy enterprise compliance and risk process. Below, we provide you with 6 steps to follow to help you implement a simple and nimble healthcare compliance and data security risk program.
1.Establish your risk and compliance leadership committees
Determine the key individuals who will lead the risk and compliance team including someone responsible for each area of risk such as third-party vendors, employee compliance, and internal IT assets. Use the “Seven Elements” to identify high level concerns such as:
- Does the organization have the proper policies and processes outlined for each area?
- Does the organization have proper staff training plans in place?
- Is there a feedback loop in place to communicate activities?
- Does the organization have a strong process for taking corrective action?
2. Determine internal risk and compliance capabilities
Carefully evaluate the technical and resource competencies that exist within the organization to best determine what types of systems to implement. A web-enabled solution with faster and easier implementation timelines may be ideal for an organization with limited IT resources. It may also be advisable to choose a solution that can proactively and regularly check employees and vendors for exclusions and sanctions to reduce the administrative and resource burden on the organization.
3. Establish a healthcare risk and compliance solutions assessment and budget
Next, evaluate the cost of various solutions on the market that can competently address the issues identified based on your organizational needs, timelines, and budgetary constraints. Some solutions may require more internal IT support than others so be sure to consider your available IT resources before choosing a solution. Other factors to consider include:
- Can results for a security and vulnerability scan be easily incorporated into your HIPAA compliance audit?
- Will information from exclusion and sanctions checks be easily flagged and help update the compliance oversight processes as required by the Office of Inspector General (OIG)?
- Can vendor audits for security be integrated with the OCR requirements for vendor compliance with HIPAA?
- Are the proper systems in place to integrate all compliance and risk activities that will roll up into an overall report on security posture at the entity level and allow for easy identification of the highest risk and cost issues to allow prioritization?
Be sure to choose a solution that provides insight into how to resolve and remediate areas of risk and non-compliance identified, and the cost of doing so.
4. Conduct a baseline assessment
A baseline assessment of the risk profile of the organization should be conducted once the availability of internal resources and tools have been determined. Included in the baseline assessment should be an initial compliance audit of important frameworks such as HIPAA and MACRA, and a security review of the assets in the organization. Use the results to create a prioritized list for compliance and security vulnerabilities.
5. Initial risk prioritization and resource analysis
The prioritized list of compliance and security vulnerabilities created from the baseline assessment should be used to determine which areas to address first. In the risk analysis and prioritization process, ask questions such as:
- Are there proper continuous monitoring activities in place to conduct vulnerability analysis and scans?
- Are there remediation processes in place to address these vulnerabilities and processes to continuously monitor?
It may be necessary to hire consultants to address specific areas if the resources are not available internally to do this in a timely manner.
6. Confirm Repeatable Process with Continuous Reporting and Insight
The compliance and security management process should include regular assessments for new vulnerabilities and allow for easily resetting resources and budget for areas of concern. A solid ERM program must have the ability to conduct regular checks, remediate, and re-check.
Cost Analysis of Implementing a Healthcare Compliance and Risk Management Solution
Some cost factors to be considered when making plans to implement a comprehensive compliance and risk management program include:
- Cost of fines for non-compliance: in the US, the average cost of a breach is $7.91 million with the average cost of penalties for a HIPAA violation being over $1.5 million per violation.
- Damaged reputation costs: the cost of a damaged reputation can be significant in the highly competitive healthcare marketplace where consumers can easily choose to avoid an organization that they believe may expose their healthcare data to breaches.
- Costs of inadequate compliance and risk solutions and services: ensure solutions purchased as part of an overall ERM program provide maximum return on investment and are easy to integrate and quick to implement to avoid having to expend more in human resources for integration, and so that implementation can occur before your systems become exposed to additional threats.
Implementing a sustainable, repeatable, and effective continuous healthcare compliance and risk management process is critical for healthcare stakeholders and organizations. Being able to bring all distributed compliance activities together consistently allows the key management team to understand areas of vulnerability, prioritize risk, and focus on highest impact remediation activities. Strong healthcare technology solutions can assist in reducing the overall cost of compliance and risk management processes and assure regular and adaptable action to new compliance threats.