This article describes the features and functionality that an organization should seek in a Compliance Tracking System ("CTS") in order to show visible, demonstrable evidence that it is serious about meeting its HITECH/HIPAA compliance obligations.
We have often written about the concept that compliance is a process and that simply having policies and procedures in place, although necessary, is woefully insufficient with respect to demonstrating process due diligence over time. In short, in addition to providing assistance in the creation and management of policies and procedures, a Compliance Tracking System should also allow an organization to manage its compliance processes and to demonstrate evidence that it is doing so.
Historically, the kind of system that we describe in this article has either been home-grown or purchased and implemented at a cost only affordable to large Covered Entities and Business Associates. Mid-size organizations have, out of economic necessity, simply done without. In a world prior to the enactment of the HITECH Act, where HIPAA enforcement was lax to non-existent, the lack of a Compliance Tracking System did not pose the kind of potential risks that it does today (i.e. given HITECH's enhanced enforcement tools and corresponding penalties).
Today, however, the evolution and maturation of software-as-a-service ("SaaS") has made it possible for software vendors to offer feature-rich applications at a price point accessible to all. The following are what we believe to be the must-have features of a Compliance Tracking System, by category:
Patient Tracking
A Compliance Tracking System should allow you to manage and track all the compliance information for a given patient in a centralized and readily accessible manner, including: restrictions, authorizations, disclosures, incidents, personal representatives and other documentation necessary to comply with HITECH/HIPAA. The move to electronic health records, and the momentum gathering around the empowered patient, will make it far more likely that patients and other stakeholders will request access to such information. Covered Entities and Business Associates must be positioned to respond accordingly.
Business Associate Tracking
HITECH has dramatically increased the number of "cooks in the compliance kitchen" by making Business Associates ("BA") directly liable for compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule, either by statute or contractually, in addition to HITECH's Breach Notification Rule. A Compliance Tracking System should allow a Covered Entity ("CE") to perform due diligence on a Business Associate's compliance initiative via questionnaires and other tools, as well as to manage and track the contractual arrangement between the parties. Further, a Compliance Tracking System should allow a Covered Entity to manage and track security incidents that occur while the Covered Entity's protected health information ("PHI") is under a Business Associate's control.
Audits, Gaps, & Remediations
Because of the daunting nature of the regulations, most Covered Entities and Business Associates will find it difficult to effectively conduct internal compliance audits and to prepare for external audits, which are now mandatory under HITECH (although the methodology for selecting who gets audited, and how, still remains an HHS action item). Any Compliance Tracking System worth buying should address the audit issue head-on, both from a gap identification and remediation perspective, and from the perspective of what evidence is provided to an HHS auditor and/or to a court of law. A Compliance Tracking System with functionality that clearly identifies, via questionnaires and other tools, the gaps between your "as is" compliance state and what the regulations require is essential. In addition, the Compliance Tracking System should provide action plans that will help drive your remediation initiatives and track where your organization is with respect to closure of these efforts. In short, the Compliance Tracking System must help you manage and track the process you are following to achieve compliance.
Incident Tracking
The term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (see 45 CFR § 164.304). Notice that an attempt qualifies as an Incident. That is one of the reasons that all Incidents should be tracked as part of a rigorous compliance initiative. Tracking Incidents is obviously a key part of the compliance process, and shows visible, demonstrable evidence that your organization is serious about its compliance initiative.
A Compliance Tracking System should allow your organization to track Incidents whether they occur internally or involve PHI that is under the control of a Business Associate (of course, Business Associates are also now on the hook statutorily for Incident tracking). Incidents must be tracked so that stakeholders (i.e. patients, HHS, and the media) can be notified as required by law when (not if) a breach of unsecured PHI occurs. To better understand Incident tracking and notification, see our Breach Notification Framework.
Training
Training is a requirement of both the HIPAA Privacy Rule and the HIPAA Security Rule. Organizations usually state in their policies and procedures that they will conduct training for their workforce, but very few actually track the training that has been conducted. A Compliance Tracking System should enable such tracking and provide alerts, corresponding to the policy, when further training is required. In addition, part of the training should include ensuring that the entire workforce is familiar with the organization's policies and procedures, and the system should verify and log that each member of the workforce has read them. This should be done every time a new employee is hired and whenever the policies and procedures change. Without such a tracking system an organization's sanction policy will be less than optimal, because a workforce member could always claim that they have not been trained appropriately. Again, the point here is that a Compliance Tracking System should capture process documentation, including tracking the process that an organization has selected for privacy and security training. Without such tracking enabled, an organization will have a difficult time making a good faith argument that it has complied with this aspect of the regulations.
Reporting
It is essential that a Compliance Tracking System not only capture an organization's compliance processes but also easily allow it to report on the information that has been tracked. Clearly the old adage that you "can't manage what you don't measure" applies. A Compliance Tracking System with strong reporting functionality is mission critical with respect to an organization's ability to manage its compliance initiative and, moreover, facilitates the organization's interaction with outside agencies during an external audit. Further, from the perspective of the HIPAA Privacy Officer and HIPAA Security Officer, it allows an individual to report to other organizational stakeholders regarding the organization's ongoing efforts to achieve full compliance. Achieving full compliance is a daunting task. Reporting functionality makes visible the amount of effort and commitment required to achieve this goal. It also allows the organization to track who is doing what with respect to the different aspects of its compliance initiative.
Document Version Control
Policies, procedures, business associate contracts, restrictions, authorizations and any number of similar compliance documents change over time. It is critical that a Compliance Tracking System provide the ability to track past versions of these documents; otherwise it is next to impossible to determine which version of a document was in effect at a certain point in time (i.e. manual efforts to track versions quickly prove unsatisfactory). Although there are expensive version control systems in the marketplace, a Compliance Tracking System should provide native support so that all compliance-related documents can be referenced in a single database and linked to the appropriate document stakeholders (e.g. patients, business associates, etc.).
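The point-in-time question above ("which version was in effect on a given date?") is easy to answer only if the version history is append-only and every version carries its effective date. The following is an added example written for this article, not code from any Compliance Tracking System vendor; the class names, the `version_in_effect` lookup and the sample policy versions and dates are all constructed for illustration.

```python
"""Append-only document version history with point-in-time lookup.

Added example (not the page's own code). Models the version-tracking feature
described above: each version records when it became effective and which
stakeholders it is linked to, versions are never edited or deleted, and the
system can answer which version was in effect on any given date.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DocumentVersion:
    number: int               # monotonically increasing version number
    effective: date           # first day this version was in effect
    content: str              # the document text, or a reference to it
    linked_to: Tuple[str, ...]  # stakeholders linked to this version (e.g. a BA)


@dataclass
class VersionedDocument:
    title: str
    versions: List[DocumentVersion] = field(default_factory=list)

    def add_version(self, effective: date, content: str,
                    linked_to: Tuple[str, ...] = ()) -> DocumentVersion:
        """Append a new version. Existing versions are never modified, so the
        history itself is the evidence of what was in effect and when."""
        if self.versions and effective <= self.versions[-1].effective:
            raise ValueError("a new version must become effective after the current one")
        version = DocumentVersion(len(self.versions) + 1, effective, content, tuple(linked_to))
        self.versions.append(version)
        return version

    def version_in_effect(self, on: date) -> Optional[DocumentVersion]:
        """Return the version in effect on the given date, or None if the
        document did not yet exist on that date."""
        current: Optional[DocumentVersion] = None
        for version in self.versions:   # versions are stored in effective-date order
            if version.effective <= on:
                current = version
            else:
                break
        return current

    def current(self) -> Optional[DocumentVersion]:
        """The latest version on record (what is in effect today)."""
        return self.versions[-1] if self.versions else None


def build_sample_policy() -> VersionedDocument:
    """Constructed sample: three revisions of a hypothetical sanction policy.
    The dates and contents are illustrative, not taken from any real document."""
    doc = VersionedDocument("Workforce Sanction Policy (sample)")
    doc.add_version(date(2009, 1, 1), "Initial policy text", ("workforce",))
    doc.add_version(date(2010, 2, 17), "Revised for HITECH breach rule", ("workforce",))
    doc.add_version(date(2013, 9, 23), "Revised to cover business associates",
                    ("workforce", "business associates"))
    return doc


if __name__ == "__main__":
    policy = build_sample_policy()
    for query in (date(2008, 12, 31), date(2011, 3, 1), date(2020, 1, 1)):
        found = policy.version_in_effect(query)
        print(query, "->", f"version {found.number}" if found else "no version in effect")
```

The design choice that matters for evidentiary purposes is that `add_version` only appends and refuses out-of-order effective dates; a system that lets users overwrite or back-date a version cannot later prove which text an auditor should be looking at.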
Multi-Facility Support
Many Covered Entities and Business Associates will need to track distinct organizational facilities (e.g. divisions or wholly owned entities) separately for business and/or reporting reasons. Further, a Covered Entity may choose to track geographically dispersed physical locations separately because different state laws may apply (i.e. in addition to HITECH/HIPAA). A Compliance Tracking System should allow multi-facility support and the ability to seamlessly switch between facilities for ease of corporate governance at the highest levels. In short, a Compliance Tracking System should provide a business entity with a big-picture view of all its compliance initiatives from within one application, despite the fact that the individual facilities are tracked separately.
Security
A Compliance Tracking System, like any other mission critical system, must provide a robust set of security features based on roles and responsibilities. Certainly an "ordinary" member of the workforce should not be allowed to modify policies and procedures and other important compliance documents. Security must be designed into the application and not provided as a simplistic bolt-on after the fact. The system owner (e.g. the HIPAA Privacy Officer or HIPAA Security Officer) must be capable of readily assigning security access on a granular, need-to-know basis.
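What "designed in" role-based security looks like in practice is a default-deny permission check that every operation passes through, plus an audit trail of the decisions so that access itself becomes compliance evidence. The following is an added example for this article, not code from any vendor's product; the role names, resource types, permission matrix and user assignments are all constructed to illustrate the requirement that an ordinary workforce member can read but not modify compliance documents, and that only the system owner can change access assignments.

```python
"""Default-deny, role-based authorization with an audit trail.

Added example (not the page's or any vendor's code). The permission matrix
and user-to-role assignments are constructed for illustration only.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

Permission = Tuple[str, str]  # (resource type, action)

# Constructed permission matrix. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "privacy_officer": frozenset({
        ("policy", "read"), ("policy", "modify"),
        ("incident", "read"), ("incident", "modify"),
        ("training_record", "read"), ("training_record", "modify"),
        ("access_assignment", "modify"),       # the system owner manages access
    }),
    "security_officer": frozenset({
        ("policy", "read"), ("policy", "modify"),
        ("incident", "read"), ("incident", "modify"),
        ("access_assignment", "modify"),
    }),
    "compliance_staff": frozenset({
        ("policy", "read"), ("incident", "read"), ("incident", "modify"),
        ("training_record", "read"),
    }),
    "workforce": frozenset({
        ("policy", "read"),                    # read, but never modify, policies
    }),
}

# Constructed sample of user-to-role assignments (user ids are placeholders).
USER_ROLES: Dict[str, Tuple[str, ...]] = {
    "alice": ("privacy_officer",),
    "bob": ("compliance_staff",),
    "carol": ("workforce",),
}


def is_allowed(roles: Iterable[str], resource: str, action: str) -> bool:
    """Default deny: grant only if an assigned role lists this exact pair.
    Unknown roles contribute nothing, so a typo in a role name cannot widen access."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, frozenset())
               for role in roles)


def authorize(user: str, resource: str, action: str, audit_log: List[dict]) -> bool:
    """Decide and record the decision. Unknown users have no roles and are denied.
    Every decision, allowed or not, is appended to the audit log."""
    roles = USER_ROLES.get(user, ())
    decision = is_allowed(roles, resource, action)
    audit_log.append({"user": user, "roles": roles, "resource": resource,
                      "action": action, "allowed": decision})
    return decision


def assign_role(actor: str, target: str, role: str, audit_log: List[dict]) -> bool:
    """Grant a role to a user. Only an actor permitted to modify access
    assignments may do so, and only roles defined in the matrix can be granted."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if not authorize(actor, "access_assignment", "modify", audit_log):
        return False
    USER_ROLES[target] = tuple(sorted(set(USER_ROLES.get(target, ())) | {role}))
    return True


def denied_attempts(audit_log: List[dict]) -> List[dict]:
    """Filter the audit trail for denied requests; repeated denials against
    policy or access-assignment resources are worth a reviewer's attention."""
    return [entry for entry in audit_log if not entry["allowed"]]


if __name__ == "__main__":
    log: List[dict] = []
    print("carol reads policy:", authorize("carol", "policy", "read", log))
    print("carol modifies policy:", authorize("carol", "policy", "modify", log))
    print("carol grants herself a role:", assign_role("carol", "carol", "privacy_officer", log))
    print("alice grants bob security_officer:", assign_role("alice", "bob", "security_officer", log))
    print("denied so far:", len(denied_attempts(log)))
```

Two choices carry the security weight here: the matrix is the only source of permissions, so anything not explicitly listed is denied, and the code path that changes role assignments goes through the same `authorize` check as everything else, so self-escalation by an ordinary workforce member is refused and logged rather than silently ignored.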