Frameworks

Our Subscription Plan comes with a number of Compliance Frameworks, but you can also purchase them as individual products.

Overview

What is a framework, and more specifically in this context, a compliance analytical framework? The short answer is that it is a way to “attack” a particular compliance problem or issue. Analytical frameworks have been widely adopted across industries, from legal to technology and almost any domain in between. An analytical framework combines reusable solutions with analysis patterns, research, useful organizational techniques, and specific examples of successful approaches; it is similar to having your own personal library, one that can be tailored to your organization’s experience and background.

Analytical frameworks, from our perspective, are most useful when an organization is confronting a difficult problem that is either entirely new or has, for some reason, taken on additional complexity. Frameworks provide guidance on how to think through and solve a problem, based upon the experience of others. An analytical framework is not a cookbook methodology or solution; there are no cookbook solutions to wicked problems. It is, rather, a road map from a fellow traveler who has already crossed the same (or similar) territory.

Breach Notification

Our Breach Notification Framework is intended to deliver guidance, including tools, techniques, templates, and other reusable components that help you navigate, and make sense of, this new terrain. It is intended as a knowledge transfer vehicle that will allow you to derive the HITECH / HIPAA / Omnibus Rule breach notification compliance solution that works best within your organization.

[Image: Compliance Continuum]

This Framework is also designed in a way that lends itself to modification as appropriate. The compliance continuum depicted above is our metaphor for the iterative process required to achieve the goal of full compliance. Almost universally, organizations will have to settle for building a good compliance story, since the economic reality of budget and resource constraints will make even this objective a challenging one, regardless of an organization’s size. This Framework is intended to move an organization along the compliance continuum, in a practical and effective manner, keeping in mind that compliance risk is only one of many challenges that the healthcare industry confronts.

Contingency

Our Contingency Framework (“Framework”) is designed to help HIPAA stakeholders (i.e. covered entities and business associates, collectively “Stakeholders”) meet the requirements of the HIPAA Administrative Safeguards contingency plan standard, §164.308(a)(7)(i) (“Contingency Standard”), and its five implementation specifications (“Controls”). All five Controls appear under §164.308(a)(7)(ii) as follows:


(A) Data Backup Plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (“ePHI”).
(B) Disaster Recovery Plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency Mode Operation Plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protecting the security of ePHI while operating in emergency mode.
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other Contingency Plan components.


Note that “Addressable” does not mean optional: under §164.306(d), a Stakeholder must implement an addressable specification if it is reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure where reasonable and appropriate.

These Controls are now generally referred to as “Business Continuity” across industries, and that is the term used in this Framework when referring to the Contingency Standard writ large. The Framework describes a fictional corporation (“ABC, Inc.”) in order to discuss the various aspects of Business Continuity. For many organizations, the policies, processes, and tracking mechanisms adopted for ABC, Inc. will be ready to use out of the box. For large organizations, the Framework will more likely serve as a conceptual model and may need modification so that it scales appropriately.

Business Continuity is a very complex topic; however, as with other wicked problems, the most important thing any Stakeholder can do is to fail forward fast: put a foundational solution in place, then refine it over time as specific requirements manifest.

Breach Response

Our Breach Response Framework is intended to deliver guidance, including tools, techniques, templates, and other reusable components that help you navigate and understand our recommended breach response approach. It is intended as a knowledge transfer vehicle that will allow you to derive the solution that best fits your organization’s requirements. It is also our hope that Stakeholders will use this Framework as a handbook during breach response to ensure that all their bases are covered.

This Framework is likewise designed in a way that lends itself to modification as appropriate. The compliance continuum (depicted above, in the Breach Notification section) is our metaphor for the iterative process necessary to achieve the goal of full compliance. Almost universally, organizations will have to settle for building a good compliance story over time, since the economic reality of budget and resource constraints will make even this objective a challenging one, regardless of the organization’s size.

The Framework is intended to move an organization along the compliance continuum in a practical and effective manner, keeping in mind that breach response risk is only one of many challenges that the industry confronts.