Mature Compliance Program (MCP)


The mature compliance program (“MCP”) components enumerated below are all included in your Subscription, either (1) in Expresso® (3LP’s SaaS compliance software) or (2) as part of your curated content library. They represent the mature components that we have developed since launching 3LP.

The list is not intended to be exhaustive, but from 3LP’s perspective it represents the most mission-critical components of an MCP. Under the HIPAA Safe Harbor Act (H.R. 7898), signed into law by President Trump in January 2021, HHS/OCR must consider whether a regulated entity had recognized security practices in place for the prior twelve months when determining civil monetary penalties (“CMPs”) and other remedies following a breach. An MCP is the documented evidence of those practices.

Although the examples below are mostly HIPAA specific, almost all apply to every regime that we support (e.g., HIPAA, CPRA, 42 CFR Part 2 and GDPR).


Personnel Designations

Under HIPAA, covered entities (“CEs”) and business associates (“BAs”) must designate, in writing, the personnel responsible for HIPAA policies and procedures and for answering questions about their notice of privacy practices (“NOPP”). It is recommended that these designations be placed in the workforce member’s personnel file. The titles of the persons or offices responsible for receiving and processing requests for access, restrictions, amendments, and disclosures must also be designated and maintained in writing. Without these designations, and the proper training, your Workforce members will not be able to answer an auditor’s foundational set of questions, such as: (1) who is your privacy officer; (2) who is your security officer; (3) to whom do Workforce members report incidents; and (4) do you know what an incident is?

The same is true for CPRA, where individual Workforce members should be named to handle specific consumer requests (e.g., notice, disclosure, opt-out, limitation of use, etc.). These individuals should likewise be trained to handle a request from cradle to grave, producing documentation as the request flows through the organization. Workforce management should be required to report on the status of requests, for example: (1) how many were completed in the period; (2) how many are in process; (3) which errors recurred during processing; (4) the number of consumer complaints; etc.

This is no trivial matter. Regulations require it and auditors, for obvious reasons, consider it to be important. Notice that a simple requirements review would likely not help you anticipate these questions. Auditors are frequently lawyers; to anticipate their questions, you need to think like a lawyer. Our Subscription provides model forms that help with these designations. The naming of a Compliance Officer (“CO”) is required by both the HIPAA Privacy Rule (the privacy official) and the Security Rule (the security official). The CO title should be added to the workforce member’s personnel file. In addition, the file should contain the CO’s job responsibilities and organizational chain of command.

For larger organizations, CO refers to the Compliance Office rather than a single Compliance Officer, because the compliance challenge will generally require a group of stakeholders, especially with respect to privacy regimes. For obvious reasons, having a CO (Officer or Office) is an essential part of compliance governance.

CO Responsibilities and Policy

Your CO, the executive team, managers, and Workforce members are responsible for the enforcement of these Policies. We refer to this role as your CO (either your Compliance Officer or your Compliance Office, depending on the organization) because its responsibilities generally encompass more than a single regime, as well as compliance with state laws and regulations. Your CO functions as the point person for the executive team with respect to compliance enforcement.

You should always assign and maintain a CO. This individual’s job description should be updated to reflect that their responsibilities include, but are not limited to, the following: (1) training members of your Workforce, including those members that require specialized training; (2) writing and/or reviewing all privacy policies and procedures and ensuring that they remain current under applicable law; (3) interacting with state and federal agencies and corporate counsel as required; (4) developing and enforcing your sanctions policy in collaboration with Human Resources; (5) investigating security incidents and notifying patients and other stakeholders of a breach when warranted by applicable law; (6) managing all security-related breaches; and (7) otherwise administering your compliance initiatives.

Methodology Based on Industry Standards

Your compliance initiative should apply NIST standards wherever applicable. If you have a Risk Management Framework (“RMF”), it should have been derived from NIST or from another internationally recognized organization that publishes best practices. Much of your remediation documentation should be derived from best practices as well. For example, the HIPAA Safe Harbor Act (“Act”) requires HHS to consider whether an organization had “recognized security practices” (e.g., the NIST Cybersecurity Framework or the HHS 405(d) practices) in place for the previous twelve months when investigating a Breach and assessing CMPs. The Act does not guarantee leniency; it requires HHS to take those practices into account, which means they must be documented and demonstrable. Our Subscription is based on NIST best practices, and an MCP is likely to be a mitigating factor across regimes.


Measuring, Monitoring & Reporting

The adage that “you can’t manage what you don’t measure” applies to every compliance initiative. If you cannot show an auditor the status of your compliance initiative as it exists today, then you are providing them visible demonstrable evidence (“VDE”) that you have no means to monitor your compliance initiative in real time. 3LP Scorecards provide evidence that your compliance initiative is continuously being measured, so that its status may be readily determined. The Scorecard shown below applies to the HIPAA Privacy Rule, but Expresso® has scorecards for all regimes we support.



Compliance Repository

If you can’t demonstrate a “single version of the truth,” you won’t be able to quickly give an auditor a sense that compliance artifacts (e.g., policies, processes, training records, etc.) are readily available to staff and readily producible to the auditor. The auditor is likely to assume that there is in fact no single version of the truth and that compliance artifacts are scattered across devices, if they exist at all. An auditor generally requires you to produce the latest version of your compliance documentation, not a compendium of all entity policies and procedures (i.e., forget anachronistic “audit books”). Your single version of the truth is contained in Expresso®’s Compliance Repository.


Incident Management

Without a robust Incident Management process there is no evidence that you can identify Breaches; therefore, your Breach Notification process is either non-existent, ad hoc, immature or you have purposely decided not to track Incidents. Why would you do the latter? Because having trained thousands of stakeholders and sold products into the compliance space for well over a decade, we are aware that many providers, of all sizes, simply decide to “deep six” small breaches. The last thing they want is to have a record of which ones were analyzed because that simply becomes fodder for an auditor to review.

This strategy is simply too clever by half. For example, a highly competent auditor (and they are all highly competent) understands that ambulatory practices are small-breach factories: a practice may often send PHI inadvertently to the wrong patient. Claiming that you have had no incidents, let alone Breaches, over one to five years will be quickly detected for what it is, an outright lie. Analogously, stating that you have had no CPRA complaints about request processing over the same period is implausible on its face.



Training

An auditor will want to discuss your training: (1) how often it occurs; (2) what it consists of; and (3) whether you can produce VDE that it occurred. Where are the process results that show when Dr. Smith was last trained and what he was trained on? The auditor will also ask about phishing training. Why? Because phishing remains the number one vector of entry for ransomware attacks in the healthcare industry writ large, and in just about every other industry.


Compliance Equation® 

Is the Compliance Equation® met for each one of the regime’s requirements? This is where the rubber meets the road: if you can’t show process results for each requirement, an auditor is going to assume that you don’t have the processes in place and therefore that you are violating the respective requirement(s). Policies (an organization’s intentions) + Processes (actualized in your organization to underpin the Policy) + Tracking Mechanisms (that capture Process Results) = Visible Demonstrable Evidence (“VDE”). All three elements are required, with auditors placing the most significant weight on the third. The NIST Risk Equation is depicted graphically below. It provides a grammar for calculating a Risk under any compliance regime. Analogously, your Compliance Equation® provides a grammar for determining whether you are in compliance with a regime requirement (i.e., Policy + Processes that underpin the Policy + Tracking Mechanism to capture Process Results = Compliance).



Self-Audits

A self-audit program is an important part of your overall health information privacy, security, and breach notification compliance activities. You can be sure that when an auditor visits your facility, they come with a rigorous audit process in hand; for example, OCR uses its published audit protocol to assess your HIPAA compliance efforts. Self-audits present an opportunity to examine your compliance mechanisms, identify best practices, discover risks and vulnerabilities that may not have come to light through an auditor’s complaint investigations and compliance reviews, and get out in front of problems before they result in breaches (and other violations).


Business Partner Vetting (“BPV”) 

Both the Security and Privacy Rules mandate that you obtain “satisfactory assurances” from your business associates, and that they obtain the same from their subcontractors. Satisfactory assurances mean more than having a BAA and less than yearly onsite inspections. The best practice that the industry has converged upon is sending out questionnaires and asking for supporting reports. As you might imagine, this is a tedious process, averaging about twenty (20) hours per vendor per year. It is not just a question of the hidden costs, which are considerable; the manual, ad hoc nature of the process is error-prone, potentially costing your organization millions in reputational damage if you get it wrong.

CPRA also requires BPV although the context is obviously quite different because of the objective of each regime.



Governance

Governance is defined as the decisions and actions of the people who run your compliance programs. It is how the executive team controls risk by assigning risk management to executives who possess subject matter expertise in a particular domain. For example, financial risk is usually assigned to the Chief Financial Officer, employment risk to the VP of Human Resources, privacy and security risk to the Chief Information Security Officer, etc. The challenge is that each of these silos generally uses a different vocabulary for what a risk is and how it should be calculated. 3LP has adopted the NIST universal grammar for how risk should be calculated, as identified in the graphic below:

This methodology for calculating the subjective value of a Risk provides a universal grammar that can be used with any compliance regime. For example, we have used it in Expresso® for GDPR, CCPA, and HIPAA Privacy Rule gap analyses. To have a mature program, a risk should be calculated the same way for the HIPAA Security Rule as for the HIPAA Privacy Rule, and the same way for GDPR as for CCPA. NIST has done the heavy lifting with its grammar, but unfortunately the grammar is not widely understood as having universal applicability and therefore has not been widely adopted. The challenge is that if each compliance silo does not agree on how to calculate risk, effective communication becomes nearly impossible.

The same can be said regarding the Compliance Equation® as discussed above. The equation mandates the elements required to comply with any regime requirement, yet few recognize its universal applicability, and therefore, like the NIST universal grammar for calculating risk, it has not been widely adopted.

Words matter. Having a clear set of terms of art is an indication that an organization’s compliance program is mature.


A mature compliance program demonstrates that an organization is managing risk in a methodical, rigorous manner. It sends a compelling message to an auditor that the organization takes compliance seriously, as required by applicable law. It also demonstrates that this commitment is valued by the organization, because without the support of the senior management team, maturity cannot be achieved and the word becomes nothing more than a meaningless platitude.