Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Taming HIPAA Compliance For Hospital Systems
Quick Take
On this episode of Compliance Unfiltered, the CU Guys delve into the complexities of HIPAA compliance for hospital systems. Adam discusses the dual nature of hospital compliance, highlighting both the advantages of early adoption and the challenges posed by the complexity of hospital systems.
The conversation covers the intricacies of managing multiple compliance standards, the inefficiencies and costs associated with manual compliance processes, and the importance of maintaining control over compliance data.
Adam emphasizes the need for hospital systems to regularly update their compliance controls to align with current technologies and reduce risks.
All this, and more, on this week’s Compliance Unfiltered!
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Torbjorn movement to your compliance timepiece, Mr. Adam Goslin. How the heck are you, sir? Ha ha ha.
I’m doing good. Obviously I’m in a different realm right now, cuz I have no idea what the hell you’re talking about.
Don’t worry about it. It is high-horology watch-speak for us watch nerds, but it is quite a compliment, I’ll tell you that. Today, Adam, we’re going to be talking about taming. That’s right. Taming HIPAA compliance for hospital systems. What makes compliance so challenging for hospital systems?
Well, when it comes to data security, protection of information, the hospital systems have it both good and bad. They’ve got it good because they were on the forefront of compliance activities when data security first was becoming a thing; HIPAA was one of the earliest security and compliance standards in existence. The hospitals have had a long time to both know and understand the importance of data security, and it’s not a hard sell to internal folks, leadership, et cetera, that they actually need to take this stuff seriously. But they also have it bad because when you’re talking about a hospital system, you’re talking about something that is astoundingly complex. Complying with HIPAA isn’t just a simple thing, snap your fingers and poof, you’re compliant; there’s a good amount of chaos that reigns over those hospital system compliance engagements as a result of just the sheer complexity.
Well, how is compliance more complicated for these folks?
Well, when you start talking about the hospital system, there’s a whole bunch of different complicating factors that put the compliance efforts right up there in Dante’s circles of hell, if you will. For most of the hospital systems, it’s not typically just HIPAA. I’m just going to give you the bare minimum. At bare minimum, they’re taking payments from people, so you’ve got at least HIPAA and PCI, but there may be others. A lot of times, what it’ll depend on is what arenas the hospital system’s into. As an example, if they’re doing research projects and doing work with the government and taking grant money, now all of a sudden I’ve got different compliance standards that are coming into play. You’ve got multiple medical campuses that are involved. You’ve got siloed systems within the hospitals that have developed over time. You’ve got compliance teams that are dispersed across shifts that are around the clock. In most of the hospital systems, there are departments that are working 24-7, 365. You’ve got manual or outdated compliance management systems. You’ve got data systems that aren’t playing well together in the sandbox. Because there are so many complexities to the overall view of the hospital system itself, managing compliance is a very chaotic reality that doesn’t really feel fully controlled for most of those folks. The compliance managers are doing their best to try to keep things under control and keep things contained. At the end of the day, it is a costly endeavor for the hospital system.
And no doubt about that. What makes the hospital system compliance more costly, though?
Well, in a lot of cases, managing the compliance in that hospital environment is a lot more costly than the hospital administrators especially realize. There’s a lot of folks who look at the cost as out-of-pocket costs: this is how much we’re physically paying for compliance. My challenge would be to think about it differently. You’ve heard the expression time is money; well, for all of the inherent inefficiencies in a compliance engagement, all of that blown, wasted, manual time generates inefficiencies that are really ratcheting up the operational costs. Could I do something more effective with those people’s time than embarking on a horrifyingly inefficient compliance endeavor? The inefficiencies, when you think about it across the course of the whole engagement, really add up to weeks or months of blown time. Now, the question becomes, is it weeks or months of blown time that even blew into what’s worse, the overtime arena, et cetera? I don’t know, but no matter what, if it’s just a full-time resource, if they’re spending 500 hours on compliance where they could be spending 200 hours on compliance, hey, guess what? Now I’ve got extra time that I can go use somewhere else.
There’s a lot of stress involved in these engagements as well. You’ve got the potential stress of overtime for people trying to get their stuff done on top of their normal daily job, the chaotic work environment. You’ve got the potential for people needing additional time off or not feeling well, medical costs, overruns, things along those lines. Certainly as the stress and the chaotic nature of these engagements goes up, you’ve got an increased possibility of staff turnover, which then creates a greater workload on the staff, additional hiring costs and training costs, things like that. Every time that you flip over personnel, you’ve now got new compliance personnel that need to be trained; onboarding is inefficient. It’s a bumpy process. All of these people run into the same issues their predecessors did, et cetera. This is just off the cuff, starting to line up where the costs come in. The costs for these hospital systems start going up when they’re layering additional standards. We talked about it before. They’re going to be taking credit card payments for services from patients, but they might have HITECH. They might have CMS. They might have HICP, other standards that come into play. Every time you’re layering these additional standards onto the compliance pile, it’s just going to serve to further exacerbate the complication that these organizations have to go through. You may have long ago decided, hey, this is just the way that compliance is. We have to do it this way. And the team effectively is just doing the same thing over and over and over again, using human will and tenacity to basically overcome all of the efficiencies in the existing compliance engagement.
And there’s always that hope, right? Hey, we’re going to make this better. It’s going to be more efficient and whatnot. You’re kind of limited by how efficient you can make the process, especially when there’s internal manual systems involved, whether it’s tracking things through a spreadsheet, whether it is drop zones for data and information and flow of things to the compliance folks. So whether it’s people dropping into a certain place on SharePoint or putting on a file server or updating you in a meeting or sending you an email, et cetera, there’s a ton of different ways that data and information ends up coming over to the folks in the compliance arena. And that’s part of the reason why TCT made a compliance management system so that it doesn’t have to suck and that will reduce the wasted overhead by about 65% on average on engagement. And it has an even better impact when you’re talking about a complicated environment like the hospital system that we’re kind of targeting in on right now.
Why does HIPAA compliance pose a risk when it comes to managing it?
Well, HIPAA is a standard that’s been out for quite some period of time. Just because of its nature, HIPAA was initially generated basically to serve everybody from single sole practitioners to full-blown health systems. And as a result, the HIPAA directional guidance for how to do it, the goals and the objectives of HIPAA, are very directional in nature, which allows a broad spectrum of solutions for folks that are within these medical systems to be able to take in terms of the approach. Every organization is different, but my bad, or my assertion, is that in many cases, they started with a series of controls way back in the day. And there’s a good possibility that some of those controls haven’t seen evolution in some period of time. It’s rinse and repeat. We’re trying to make things as efficient as we can on these engagements. But because of how long ago those HIPAA controls were adopted, there’s a real good likelihood that there’s a dusting off that’s needed, an alignment to current technology, alignment to new attack vectors, et cetera. So if it’s been a while since your medical organization really went kind of eyeball deep in looking at our various controls, our overall program, et cetera, then you could be at an increased risk because the way that you had done it back in the day really needs to be updated. So certainly on a regular basis, making sure that the other hospital systems are basically sitting down and taking a fresh look at their controls, how they’re going about doing it, where their information and data is stored, et cetera, and bouncing it all up against one another. Doing that regularly will go a long way to reducing the level of risk that the hospital system is subject to.
That makes sense. Now, how is operational compliance made more complicated?
Well, in healthcare, everybody’s used to particular cornerstones, HIPAA training and retraining, but rarely do you see a focus on operational compliance. And what I mean by that is, there are certain tasks that should be done or need to be done every day, every week, every month, every quarter, twice a year, once a year. These activities need to be completed on a schedule in order to truly align with the controls that you have in place that are supposed to be governing the system. When you’ve got multiple compliance standards that you need to go in and meet, it’s damn near impossible to keep up with all of the various things that people need to do, when they need to be done, have they been done, are they overdue, which requirements are we behind on, et cetera. And then you start layering in, for a hospital system, multiple departments, clinics, medical campuses, people on three different shifts, et cetera. So it’s challenging to hold all of this together and make sure nothing is slipping through the cracks. And the problem is that once you get to the end of your annual compliance audit and the assessor is going through doing their thing, it’s unfortunately at that time that you end up figuring out, oh crap, Sally forgot to do this and Bob forgot to do that, whatever it may be. And the risk is that because we’re not staying on top of what we needed to do, the hospital is moving out of their compliance stance. So it’s critical for these organizations: you want to proactively track and manage the operational compliance items so you’re not falling behind and falling out of compliance.
It’s one of the material benefits of the TCT portal. I wish that more folks would use this to their advantage, but gosh, we launched in 2015, I think it was sometime in 2016, we launched the operational mode for any compliance standard, basically serving up to the folks that are on the engagement, hey, it’s time to do this. It’s time to do that. So all of those monthly, daily, weekly, quarterly tasks, we can go ahead and put them into an operational mode where the system’s prompting the team for, hey, it’s time to do these things, actually gathering up the evidence, et cetera. And what it does for the organization is it ends up reducing that risk of controls and control activity slipping through the cracks, not getting done and running into a problem once you get to the back end of the engagement when you’re sitting in front of your assessor.
It’s really the entire reason why I created that operational mode. I was tired of showing up to the annual assessment and having things that the assessor was expecting that weren’t done. Sure.
Now, you always say that it’s important to control your compliance data. As we’re thinking about this situation, tell us a little bit more.
Sure. Well, for a lot of organizations, the assessment firm that’s coming in to go in and do the annual assessment, they’ve got their process for how they do things. They’ve got their systems and where they want the data, evidence, or information loaded to, etc. And if you think about it from the one side, hey, it’s convenient to just, hey, the assessor says we need to use their system. It’s convenient. It’s sitting right there. We can just go load our stuff up to it. We don’t have to pay for anything, etc. Sounds like a great idea out of the gate.
But we need to remain cognizant of the disadvantages of that. For the assessor, sure, it’s great. They get to maximize their efficiency, da, da, da, da, da, all that fun stuff. But looking at it from the perspective of the organization that’s subject to compliance, it basically means that your master repository for your data and information is now over with your assessor. What happens if the person that you knew and loved over at your assessment firm retires, moves on, gets promoted, is no longer operationally involved, and now you’re dealing with somebody that isn’t as good as the person that used to run your engagement? What happens if the organization just decides they’re going to go to a different assessment firm? What happens if you have multiple compliance standards and multiple assessors? Oh my God, now I’ve got to go ahead and replicate and duplicate stuff off to multiple systems, et cetera. So at the end of the day, I am a huge proponent of the organization subject to compliance maintaining the control over their own compliance data and sharing that with their vendors. At the end of the day, the assessors are vendors to the compliant organization, and it shares that information with those vendors through its tool. That way, if something happens, if you need to switch assessors, no matter what, the organization subject to compliance is the one that is gaining the material benefit of the readiness for the assessment. Worst case scenario, you can figure out how to get the information off your system over to your assessor’s systems, type of a deal, but it does pose the possibility that the organization could include their assessor in the workflow within the TCT portal and just have everything flowing naturally so that their control evidence provisioners can provision that data. You can put it through a workflow step of internal QA and then flow it directly over to your assessor as well. So the assertion here is that we want to be able to reduce duplication.
So we talked about that secondary certification notion of PCI as an example. Well, evidence that I’ve gathered up for PCI, I could port over to my HIPAA track. Evidence that I’ve collected up for HIPAA, I could port over to my PCI track. So I can share information and data and whatnot, but the options are dramatically improved for the organization that maintains the control over their compliance data and uses it to their benefit.
How does the structure of a hospital system complicate their compliance?
Well, in the case of a compliance system, and I talked about this a little bit earlier on, you’ve got multiple locations. Doing any type of tracking for evidence that needs to be provisioned across multiple different units within the hospital system makes the tracking and managing, et cetera, unbelievably messy in a manual spreadsheet if that’s the internal tool of choice, especially the rigging of the sheet, the tracking and managing of it, the amount of time that literally is just set on fire manually updating this spreadsheet, just tracking who’s got what, where, what’s been submitted, was it good, did it get sent to the assessor, did it get rejected. All of that is just an absolute waste of time on these engagements. So tracking all of that is painful, and you’re going to be blowing hours weekly because for most of the organizations, when they are going in and doing this, they’ll have, depending on where they’re at in their compliance cycle, one, maybe more meetings internally a week on where are we at, who’s got what, what state are we in, et cetera.
And then you’ve got the separate meeting with your assessor, right? So let’s say I’m really getting to the crescendo of my annual assessment. I could have two meetings internally weekly, I could have a third with the assessor, and every time I’m going in, I’m making these manual updates, et cetera. So you want to go ahead and just reduce that. The other cool part is that with the automation of the TCT portal, you’ve got the ability to go in; let’s say I need to prove out DVR storage or even camera views across multiple buildings. Well, guess what? I can now track within the system building one, building two, building three, building four, building five, building six, all of which will be a separate, unique bucket that can move through the system and that will empirically track that, yes, I got all of the video evidence from all of the buildings except building three, type of thing. Hey, guess what? Now I’ve got the ability to track this, assign it to unique individuals, and whatnot. Maybe I’ve got somebody at each of these various locations that I want. I don’t know if mentally you’re kind of thinking, oh, well, this is just, yeah, it’s a big chunk of land, but there’s a lot of buildings. Well, that may not be the scenario. It may very well be that you have buildings that are spread across a city. You may have buildings that are spread across different cities. You could even have buildings that are spread across different states. It may not all be right there, local, et cetera, and you very well may need to have different people at different places that are provisioning evidence.
The best part is once you go in and get all this stuff set up, now I can have all of those locations operating simultaneously, gathering their evidence, putting it into the system, moving it up the workflow; internal QA is actively grabbing and processing through things, pushing those over to the assessor. And the best part is if you’ve got the assessor right into that tool, well, now I know instantaneously: did they reject something? Was there something wrong? And blah, blah, blah. I mean, the level of efficiency you get on these engagements is just ridiculous. And the best part is that once I get to the notion of I’ve gathered up all of my information for HIPAA or for PCI, now I can go ahead and use mappings from within the system to map the evidence from one location to another. Another possibility that exists within the TCT portal: in many cases, the hospital systems will have experienced this insanity and created their own, I’ll call it a document request list, a unique list of stuff they need to be able to support whatever the compliance engagements are. That’s one of the best parts about the TCT portal: they can literally take the list that they’re familiar with and go ahead and get that loaded into the compliance management system, use things that are in a format that they’re familiar with, and then map that off to HIPAA and off to PCI. So we have a ton of options and capabilities to help the poor folks in the hospital system space.
No doubt, no doubt. Now, I’m sure communication is a breeze on these engagements, right? Apologies if any of the sarcasm dripped on you there. Ha ha ha ha ha!
Yeah, no, it’s just kind of harkening back to what I was just going through with all of these layers of complication. In many cases, the core compliance team is mostly on one shift, right, day shift or whatever, but you’ve got people that you’re gathering information, evidence from, etc., that might be on second or third shift and whatnot. So it makes the communication even more challenging.
How the hell do I get everybody onto calls and hunt them down, etc.? They’re on different shifts, different buildings, different cities, different states, and whatnot. It’s astronomically challenging. Well, when you go in to leveraging compliance automation capability and pairing that with a really complicated scenario, now you can consolidate all of that communication into one spot. You can put out a centralized training program for everybody on how to do what they need to do and whatnot, and assign it to the right people. The best part is that the portal will wake up each morning and do the nagging work for you. It used to be that you’d have to go hunt down Bob or Sally: hey, I still need your stuff, you said you were going to get it done last week, etc. The cool part is that the system will automate the nag factor. So every morning it will send these guys an email: hey, you still got five items that are open. As long as they’re not ignoring their email, which does happen, the system is reminding them of things that need to be done, every time that there’s a status change. So let’s say they move it up for internal audit. The internal audit team can go in, review that item, reject it back down through the system, and you’ve got the capability to nudge people on your team, which will send them a unique email saying, hey, you’ve been nudged on this item, go in and take a look at it. But now I can take all of the things that I would normally have to do cat herding for, like calling these people to say, hey, I still need your stuff, or every morning sending everybody an email with, we still need your stuff, et cetera. You’ve eliminated that. All the back and forth communication around whose hands is it in, what status is it in, et cetera.
You’re now using the system to automate all of that. It’s awesome when that happens.
No doubt, what happens when a hospital system is using the wrong system for managing their compliance?
Well, we’ve hit on it in a number of different ways. There are a couple of different options. I think I beat the hell out of the notion of using spreadsheets, manual emails and doing everything manually. But even when you go in and you pick a system that’s, we’ll call it, one step better than the spreadsheet, there’s a lot of vendors that will approach HIPAA as a check-the-box function. If I put all the check boxes in the right spot and all the little lights turn green, poof, we’re compliant, type of a thing. And they’re trying to make it easy to get to the point where you can get the piece of paper that says you’re compliant. The difference in my mind’s eye is that that same tooling isn’t necessarily enforcing the fact that we are actually doing these controls, that we have evidence to back up the fact that we are doing those controls, that the evidence for those controls has gone through the internal QA process and has been blessed at line item, by location, by the assessor, et cetera. And the other problem with the easy-peasy HIPAA compliance tooling is that in many cases, it’s literally a HIPAA tool, right? That’s not your PCI tool. It’s not a tool for CMS, HICP, ISO 27001, et cetera. So sure, you get the benefit of the easy-peasy tool, but you don’t get all the other benefits that you would in terms of being able to run your engagement the way you want. The live dashboarding capabilities within the portal will give you the capability to see both your HIPAA engagement and your PCI and your CMS, et cetera.
So it really brings a lot to the table for the organization, but it’s definitely something I would challenge organizations to think through.
And I think that makes sense, Adam. Parting shots and thoughts for the folks this week.
Well, long story really, really, really, really short, if you haven’t got the memo by this point in the game, I would encourage hospital systems to take a fresh look at your structure, take a fresh look globally at the complications you have, at how many different standards and certifications you’re going up against, really look at the controls that you have in place against today’s technology, today’s capabilities and whatnot, and really look at building efficiencies into your overall program. I have yet to have conversations with an organization where we haven’t been able to find and gain efficiencies on engagements, and in many cases substantial gains in terms of efficiency and effectiveness. I know that hospital systems need to do a lot with a little, and so why don’t we maximize that capability for them to do just that. Not right there.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.