Why HIPAA Compliance is a Continual Improvement Project
By now you may have realized that HIPAA compliance is not a "one and done" proposition. For a HIPAA compliance initiative to be effective, it must be Agile. Agile describes a set of principles for development wherein requirements and solutions evolve over time. To evolve means to change.
Agile started out as a software development methodology. However, it has moved into a host of other disciplines including marketing, business planning, product launches, etc. It is a methodology that has also been embraced in other compliance spaces. For example, the US Sentencing Commission Guidelines on sentencing organizations identify the requirements of an Effective Compliance and Ethics Program to include, among other things:
- an organizational culture that encourages ethical conduct and a commitment to compliance with the law;
- oversight of the implementation and effectiveness of the compliance and ethics program by the organization's governing authority;
- effective training programs; and
- periodic assessment of the risk of criminal conduct and appropriate steps to design, implement, or modify each requirement to reduce the risk of criminal conduct identified.
What Does Agile Methodology Look Like in HIPAA?
You won't see the term Agile in the HIPAA regulations, or any HHS guidelines for that matter. Yet, it is the implementation methodology that makes the most sense for HIPAA compliance.
Agile compliance is a group of methods based on an iterative and incremental approach where compliance solutions evolve through collaboration between cross-functional teams.
Let's break this down. Your compliance initiative cannot evolve until it has begun. Meaning: get started! You cannot afford to wait for the perfect time, the perfect compliance officer, the perfect IT consultant or the perfect budget. If you are reading this and thinking that HIPAA regulations are so complicated that you don't even know where to start, check out our August 2015 Newsletter. As you begin implementation of your compliance initiative, you'll see how it is a project which must evolve over time (more on that below). You'll also see why it really does take a team approach which requires management's involvement. Depending on your organization, it could be a team of 2 or 200. One thing is for sure, your compliance officer cannot do this alone.
Agile promotes adaptive planning, evolutionary development and implementation, and a time-boxed iterative approach which encourages rapid and flexible response to changing regulations and operational environments that are quickly morphing. In other words, make peace with change. That is, your compliance initiative may look very different on paper than it does in practice; your compliance initiative today may be crude compared to what it will be a few months from now. That is why it cannot be a static project. You have to continuously take stock of where you are. This is why Risk Assessments are critical; they are intended to help you reduce Risks to a level that is reasonable and appropriate.
Agile is a conceptual framework that promotes foreseen interactions throughout the implementation cycle and acknowledges that due to a changing operational, technical, and regulatory environment the implementation cycle never ends. In other words, it's a marathon, not a sprint. Actually, it isn't even a marathon because there is no finish line. There simply won't come a time when your compliance initiative is done. It may be done for now, but not done for good.
Agile compliance is how an Organization goes about changing its compliance DNA. Albert Einstein said that you cannot solve a problem with the same thinking that created it. Accept that HIPAA compliance is a continual improvement project, and it will change the way you approach your HIPAA initiative.