Components of a Mature Compliance Program

Introduction

This article discusses what we believe comprises the components of a mature compliance program. One, that by its very existence, will almost certainly reduce the magnitude of civil monetary penalties (“CMPs”) should OCR deem it necessary to levy one against your organization. These are the components that we would expect an OCR auditor would expect to see that your organization has a mature compliance program (“Program”). This article describes a representative list of components but not an exhaustive one.

Methodology Based on Industry Standards

Your Program (e.g., Checklists) should be applying NIST standards wherever applicable. If you have a Risk Management Framework (“RMF”) then it should have been derived either from NIST or some other internationally recognizable standard. Much of your remediation documentation should be standards was as well.

For example, the HIPAA Safe Harbor Act Amends Subtitle D of the HITECH Act to require HHS to consider whether organizations have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all basic technical safeguard requirements. NIST, the organization responsible for providing U.S. government agencies with cybersecurity methodologies, frameworks, protocols, and other assistance, is certainly an institution recognized globally for providing privacy and security best practices.

Therefore, showing that your organization, although perhaps negligent in a particular instance, has consistently followed best practices despite being derelict on this one occasion. First following best practices is an indication of a mature compliance program. Second, as the HIPAA Safe Harbor Act expressly states, this alone enables leniency with their fines. Although this Act is limited to Breaches, the same would likely apply to other violations. Why? Because a mature compliance initiative is direct evidence that the organization in question has made a good faith effort to comply.

Measuring and Monitoring

The business adage widely accepted across subject matter domains that “you can’t manage what you don’t measure” applies to every compliance initiative we can imagine. If you cannot show an auditor the status of your Program as it exists today, then you are providing them visible demonstrable evidence that you have no means to monitor your Program. Scorecards if used, provide evidence that our Program is continuously being measured and therefore Program status may be readily determined. Scorecards are used to report Program status to senior management periodically and upon request.

Compliance Repository

Without the ability to demonstrate a “single version of the truth” then you won’t be able to quickly provide an auditor a sense that compliance artifacts (e.g., policies, process, training, etc.) are readily available to staff and readily producible to the auditor. The auditor is likely to assume that in fact there is no “single version” of the truth and that compliance artifacts may be scattered across the organization in a manner that not only is not readily accessible but provides for a chaotic takeover transfer process during workforce transition; assuming the auditor concludes the artifacts in question exist at all.

Incident Management

Without a robust Incident Management process there is no evidence that you can identify Breaches, and therefore your Breach Notification process is either non-existent, ad hoc, immature or you have purposely decided not to track Incidents. Why would you do the latter? Because having trained thousands of stakeholders and sold products into the compliance space for well over a decade, we are aware that many providers, of all sizes, simply decide to “deep six” small breaches. The last thing they want is to have a record of which ones were analyzed because that simply becomes fodder for an auditor to review.

This strategy is simply too clever by half. For example, a highly competent OCR auditor (and they are all highly competent) understands that ambulatory practices are small breach factories. The routine sends PHI inadvertently to the wrong patient. Attempting to claim that you have had no incidents, let alone breaches, over the one to five years will be quickly detected for what it is, an outright lie. Your mature program well demonstrated until now, just blew up in your face.

Risk Assessments with Evidence-Based Remediation

This is not 2010. You don’t get an “A” for effort simply because you can produce risk assessments, even one based on best practices. Where the “rubber meets the road” is the degree to which these assessments have led to actual, verifiable, remediation efforts. In short, if you can’t produce visible, demonstrable, evidence (“VDE”) of remediation for High/Medium risks then that risk assessment you produced is worthless and so is any inference of the maturity of your program.

Training

An auditor will want to discuss your training: (1) How often does it occurs; (2) what it consists of; and (3) whether you produce VDE that it occurred. Where are your process results captured that show when Dr. Smith was last trained and what he was trained on? The auditor will want to know if you have Phishing training in place. Why? Because the latter remains the number one vector of entry for ransomware attacks and these attacks continue to grow within the healthcare industry writ large. Just “feel good dumbed down” pre-HITECH Act training will no longer suffice. Lack of Phishing training, for example, sends the message loud and clear that your organization has no idea how readily the bad guys can exploit vulnerabilities to your network.

Conclusion

The list above is far from exhaustive, but all taken together demonstrate signs of a mature compliance program that could lead to reduced CMPs down the road. Missing just one will likely throw the “mature program” inference out the window. Making an auditor much less willing to give your organization the benefit of the doubt. In fact, it is likely to give them probable cause to dig deeper.