The compliance environment continues to get more complicated and more difficult to understand. As we move forward, we must be flexible in our response to this ever-changing environment. While there are many factors making compliance more complicated, this article focuses on three: an increasing number of agencies involved in compliance, resources, and misunderstanding our mission.
A key area making compliance more difficult is the increasing number of agencies involved in regulating the healthcare industry. Healthcare organizations can no longer be concerned only with the Office of Civil Rights for HIPAA enforcement; we must now also be concerned about enforcement from other agencies like the FTC. And just because one agency says your cybersecurity practices are sufficient does not mean the other agencies will agree. The FTC states that vulnerable or exposed data is an unfair business practice. The FTC can also determine that a company’s security practices were unreasonable or likely to cause harm to consumers without any tangible harm to the consumer. Any insufficient practices are enforceable under Section 5 of the FTC Act. Since 2015, the FTC has reached agreements with nine companies enforcing cybersecurity. The FTC has released guidance for businesses. Further, the OCR has issued guidance on HIPAA's intersection with the FTC. We must, therefore, review what the FTC has published and compare it with what the OCR has published and continues to publish.
Then there is always the fight for resources, both money and manpower. We are constantly under pressure to reduce our budget and to review the necessity for our headcount. I remember a question my CEO asked when we were implementing a patient privacy portal: “Can you reduce headcount?” Our senior executives are continually bombarded with requests for more: more money, more people, more supplies, etc. Our challenge is to make sure our senior executives understand the risks and consequences of non-compliance. We need to communicate in terms they understand. They understand risk because they live with risk every day. For example, they may not know what “encryption” is, but they will understand the risk of not encrypting when you explain to them that the OCR has fined institutions in the hundreds of thousands of dollars for not encrypting. With this information, they can then make informed decisions on whether to purchase a new MRI or purchase encryption.
I always tell people that I have two objectives: protect the patient and protect the institution, and I cannot do one without the other. For instance, when we find billing errors and stop those bills from going out until they are fixed, finance sees us blocking revenue. We need to work with the CFO and her organization to ensure that they understand why we are not automatically forwarding bills. We are also seen as blocking innovation when we say we need to take a deeper look at projects that pose risk to the organization. One way we can become aware of projects is to inject ourselves into the procurement process so that we learn about projects early. We can then provide guidance that accomplishes the project’s objectives while protecting the institution.
The compliance landscape is only getting more complicated. As the organization responsible for knowing and maintaining compliance with this ever-changing environment, we need to continue to be innovative in keeping current with these regulations so that we may continue to protect the patient and protect the institution.