Compliance, like much of life, takes ongoing effort
Okay, folks. Time for a reality check on what data protection compliance involves.
You know what’s often tedious and hard? Well, a lot of things in life.
- Brushing your teeth and flossing every day. But, you need to do it, or your teeth will rot and fall out. Unless you are physically incapable, you can’t have someone else brush and floss your teeth every day for you. You’ve got to accept that having healthy teeth takes time and repetition. If you don’t stay on top of it, you’ll lose your teeth and have stinky breath. A dentist can help you with this, but he or she cannot simply do it all for you.
- Doing your income taxes. In the U.S. you must submit your state and Federal income tax returns every year. If you have your own business you must keep track of all your expenses and revenues in order to accomplish this. If you keep on top of it, and track all your expenses and revenues on an ongoing basis, this is not such a hard and complicated task. If you don’t stay on top of it, though, you end up trying to remember and track down all your documentation at tax time, often leaving out something important, and ending up paying more than you really would have needed to pay if you had just been diligent on an ongoing basis and documented everything as you went along throughout the year. An accountant can help you with this, but he or she cannot simply do it all for you unless, of course, you employ them full time.
- Exercising and staying fit. If you want to stay healthy and fit you must exercise regularly and eat healthy and nutritious food. It is not always fun to do. Sometimes I wish I could eat that entire super supreme pan pizza. But, if I did, I would risk some serious health problems, especially if I did it often, and I would need to exercise even more to get rid of the excess calories. And, I also often dread doing my exercising, and don’t even want to start. But, if I didn’t, I know I would soon start getting out of shape and feeling bad, so I go ahead and exercise and feel great afterwards. No one else can exercise for me. I could have an exercise buddy, or a personal trainer, help me, but ultimately I’ve got to watch my own eating and exercising myself.
There are many things in life that take ongoing attention and upkeep. In addition to those described above, a few more include: keeping your home in good repair, keeping your vehicles running, keeping up with your homework at school, making sure your fire extinguishers and smoke alarms stay in good working order, and the list goes on and on. You must do many things yourself (e.g., health checkups are done to your body, not to someone else’s; you must do your own homework and take your own tests; etc.). You can get help doing some of these things, but for the most part it is up to you to make sure they get done to an acceptable level. You are ultimately accountable.
Likewise, regulatory authorities hold organizations ultimately accountable for being in compliance with the wide range of data protection regulations, laws, and contractual commitments that apply to them.
“Can you do this for us?”
I work with a lot of healthcare covered entities (CEs) and business associates (BAs). I speak with even more of them. A couple of weeks ago I was speaking with a BA client for whom I had created all their HIPAA information security and privacy policies, procedures, ongoing compliance work plan, and compliance documentation list. When reviewing the ongoing compliance activities, they asked me, “Can you do this for us?” Here is a condensed (our discussion lasted almost two hours) and de-identified account of that conversation.
Me: “Well, sure I can help you, and create much of the documentation for you if you want to tell me what you’ve done and when you’ve done it on an ongoing basis, instead of documenting all your activities, logs, etc. yourself.”
Them: “No, that’s not what we mean. We’d like for you to actually do all of the compliance activities for us. How long do you think it will take you to be finished?”
Me: “Well, let’s think about all your compliance requirements; do you want me to take your training for you? You want me to perform your risk assessments, and then do all the risk mitigation actions for you? You want me to ensure all your information assets are physically secured for you? You want me to set up systems logs to track who has accessed the records containing PHI for you? You want me to validate the identities of those calling to access PHI records for you? You want me to make data backups for you? Do you want me to sit beside each of your employees throughout every workday and choose and enter their passwords for them, and do all the other compliance activities for them that are involved in each of their daily job activities? You know, I can keep going with this; I’d basically end up asking you about all the activities all your various employees need to do on a daily basis that involve the systems, applications and all forms of PHI that you work with during your business activities.”
Them: “Oh.” Pause. “So you’re saying we have to actually do things EVERY day to meet compliance?”
Me: “Yes, you must actually do what your policies and procedures say you are doing on an ongoing basis. I can guide you in your activities, and help you know and understand your obligations, but ultimately, you are responsible for actually doing what your policies and procedures say you are doing. You must actually do, every day, what you say in those documents that you are doing.”
Them: “But can’t we get certified that we are HIPAA compliant and then not worry about that? We’ve seen some vendors selling such certifications.”
Me: “No one can be certified for being in compliance, beyond a single point in time, with most laws, regulations or contractual requirements; the more complex the legal requirements, the less able any organization is to be certified, beyond the day on which the certification occurred, as being in full compliance. Compliance levels change as changes within your business occur. And then, of course, you cannot certify that humans, your workers, will always follow all requirements each and every day and never make mistakes, and never do anything bad. Human behavior cannot be certified to meet compliance, and most of HIPAA compliance relies upon human behavior. You should know that the Department of Health and Human Services (HHS) doesn’t recognize such certifications because they know that no organization could ever be certified because of the human issues and related complexities, much less maintain that certification without continuing to do ongoing compliance activities.”
Them: “But the HHS has a list of certified encryption solutions on their site. They apparently recognize certifications, then.”
Me: “Certifying technology, for how it is engineered and remains in that static engineered state, is much different than certifying the ongoing activities of an organization, where there are often changes within the business environment, and new services and products being offered, and where personnel are subject to making mistakes, doing bad things on purpose, doing things as a result of simply not knowing better, etc.”
At the end of our long discussion they said they understood, then, that HIPAA compliance is an ongoing, constant process that must be incorporated into their daily work activities.
Bottom line for organizations of all sizes…
I know it is hard for most organizations to initially meet compliance with all regulatory requirements, and then to maintain compliance on an ongoing basis. But keeping information secure and meeting ongoing data protection compliance is now a basic business responsibility, in this world where more data is created in the previous two days than was created between the beginning of time and 2003, and where privacy breaches happen far too often, and increasingly so.
Meeting employee safety requirements, carrying professional insurance, keeping business records, and so on are simply accepted as actions that must be done as part of running a business; and now organizations that hold personal information must also simply take the actions needed to comply with their associated data protection legal requirements.
Your organization is ultimately responsible for integrating information safeguards and ongoing compliance into your everyday work activities. You cannot expect someone else to do everything for you. You cannot expect a tool or product you use one time, or a purchased “certified HIPAA compliant” banner, to maintain your compliance on an ongoing basis. It is ultimately the responsibility of you and your personnel to take the actions necessary, on an ongoing basis, to remain in compliance with your legal data protection requirements.
Small and mid-sized organizations often don’t have the time or budget to have someone on staff dedicated full time to information security and privacy compliance. However, you cannot just ignore your responsibilities. In such situations there are solutions available that will provide you with ongoing assistance in an effective and compliant manner. You can get help from me, and others, but ultimately you are completely accountable. Don’t believe anyone who tries to convince you otherwise. They are just selling you magic compliance beans that will lead to big trouble with your regulatory and client giants.
Always remember: When it comes to information security and privacy compliance, you must actually DO what you SAY in your policies and procedures on an ongoing basis.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, systems security, training