HHS' Methodology Guidance
HHS has once again provided guidance on the importance of having a methodology to develop, implement, and maintain a comprehensive compliance program ("Program"). The objective of your HIPAA compliance initiative ("HCI") should be to build your Program over time, especially if you are interested in establishing a "Culture of Compliance!"
HHS' guidance did not directly use the word "methodology"; there was no need to. The guidance does not reference any specific sections of the HIPAA Privacy, Security, or Breach Notification Rules ("the Rules" or "Rules"). However, if you peruse the guidance with any sort of rigor, you quickly understand that it is all about methodology, which is exactly what HHS intended to convey in partnership with the Health Care Compliance Association ("HCCA").
The commentary (see here and here) provided by the HIPAA Survival Guide ("HSG") on HHS' guidance helps describe the methodology that is built into our Subscription Plan. The HSG Subscription Plan is not a set of loosely joined software, products, templates and tools; rather, all of it is underpinned by a methodology that helps you establish the kind of Program HHS is interested in seeing stakeholders adopt. Beyond the shameless plug, the idea is that you should be asking your compliance consultants whether or not they have a methodology, and if so, how it helps you build and sustain the requisite Program over time.
Change is Hard
Most HIPAA compliance initiatives fail because of people and process challenges, which have very little to do with the underlying technologies required to remediate cybersecurity vulnerabilities, and almost everything to do with the kind of social complexity that we often write about (i.e. the complexity that lies at the heart of wicked problems). An HCI implementation includes so much more than technology that to call it a technology project is itself a misnomer. HCI implementations are more aptly described as change projects, and change is hard. Just ask any one of your colleagues who has successfully (or not) navigated the white water rapids that now surround you. Because change is hard, we need a methodology to guide us along the way.
Why a Methodology?
Change of this magnitude (i.e. an HCI) is inherently chaotic. There are simply no cookbooks, no maps, no videos, no books, no webinars, no conferences and certainly no newsletters capable of providing a step-by-step approach applicable to all providers, or even most. Each solution will be different from the next because each organization is different.
We understand that an industry whose very foundation rests on the scientific method will have a difficult time accepting the fact that heuristics are the best we can do. In fact, for many within healthcare it is clearly anathema to suggest that "sufficient" study of the problem will not only lead to poor results, it will lead right off the cliff to certain failure. The "form a committee to form a committee to study the problem" approach will lead to death by a thousand cuts. We have seen this movie before, and it doesn't have a happy ending.
In short, to solve a wicked problem you must fail fast in order to succeed. Why? Because problems this complex can't even be defined, let alone solved, without a better understanding of where you are today as compared to where you need to be. To solve this wicked problem you must act more and study less. That is the point that Lee Iacocca made when he took a chainsaw to the Mustang (probably urban legend). Get busy doing! Break some ground!
Even though you will be applying heuristics, you still require a methodology for guidance. Otherwise it will be like jumping out of an airplane without a parachute: the ride might be fun, but you are not going to like the result!
An Agile Compliance Methodology
Agile compliance is a group of methods based on an iterative and incremental approach in which compliance solutions evolve through collaboration between cross-functional teams. Agile promotes adaptive planning, evolutionary development and implementation, and a time-boxed iterative approach that encourages a rapid and flexible response to changing regulations and to operational environments that are quickly morphing.
Agile is a conceptual framework that anticipates interactions throughout the implementation cycle and acknowledges that, due to a changing operational, technical, and regulatory environment, the implementation cycle never ends. Agile compliance is how an Organization goes about changing its compliance DNA. Ultimately, Agile will be defined by how your Organization continuously iterates through its compliance initiative. Each organization's definition of Agile will share common principles but will otherwise be unique to the organization.
Why Do Agile Methodologies Prevail?
The answer to this question was hinted at in the introduction to this article. Agile is a lightweight methodology that enables organizations to deal effectively with the complexity contained in wicked problems. Given the amount of transformational change that the healthcare industry is currently undergoing, a linear, "engineering"-centric methodology is almost guaranteed to fail. Your organization will be in a state of perpetual analysis paralysis, talking about compliance but not producing visible, demonstrable evidence of it.