When it comes to data security and protection of personal information, hospital systems have it good — and they have it bad.
Hospitals and medical centers have it good, because they were on the forefront of compliance when data security first became a thing. HIPAA was one of the first security and compliance standards to gain widespread adoption. Hospitals know and understand the importance of data security, and it isn’t a tough sell to get cooperation from staff outside of the compliance program.
But hospitals also have it bad, because the hospital system is incredibly complex. Complying with HIPAA is no simple engagement that can be easily managed. Chaos reigns over hospital compliance engagements.
If you’re going to have a successful compliance program at your hospital, you’ll need to address the compliance complexities that are making life miserable for you and your team. Let’s take a look at a few of those challenges.
Hospitals’ Complex Compliance
Hospital systems and medical centers have a litany of complicating factors that rank compliance management alongside one of Dante’s circles of hell:
- Multiple compliance standards to meet
- Multiple medical campuses
- Siloed systems and departments within hospitals
- Evidence provisioners dispersed across shifts around the clock
- Manual or outdated compliance management systems
- Data systems that don’t play well together
The list goes on.
Because hospitals have so many complexities, compliance management has become a massively chaotic reality that is never fully controlled. Compliance managers do their best to tamp down the beast and keep it contained, but the cost is high.
Costly Compliance
In most cases, managing compliance in a hospital environment is a far more costly affair than hospital administrators realize. This is why we recommend that leadership at compliant organizations dig in and understand the pain points within their own teams that otherwise go unnoticed by leadership. For example:
- Manual processes create inefficiencies that ratchet up operational costs.
- Simply pulling the status of “where are we” is a multiple-hour extravaganza.
- Those inefficiencies pile up to demand weeks (or months) of overtime.
- The stress of overtime and a chaotic work environment leads to increased PTO and medical costs.
- Staff turnover increases, creating a greater workload on staff and adding hiring costs.
- New compliance personnel need to be trained, and onboarding is an inefficient, bumpy process that slows down the entire team.
These costs increase exponentially with every additional compliance standard that your hospital goes up against. You may have started with HIPAA alone, but now you have multiple standards your organization must comply with. Depending on your medical facility, there’s also HITECH, CMS, HICP, and others. You may even need to go up against PCI DSS or ISO 27001.
You may have long ago decided that this is simply the way compliance engagements are. Successful compliance management means gritting your teeth and pushing through the annual compliance cycle with all of your strength, hoping each time that you successfully stumble across that finish line with enough buffer to catch your breath before beginning all over again.
TCT was founded on the belief that compliance management shouldn’t have to suck. So we built a system that makes security and compliance engagements up to 65% more efficient. Better yet, our greatest impact is on environments like hospitals and medical centers, which have to navigate incredibly complex compliance engagements.
HIPAA Controls In Need Of Overhaul
HIPAA was created to be directional in nature, so that it could be leveraged to govern a wide range of medical organizations and contexts. A directional approach puts you in the driver’s seat to determine for yourself exactly how you’ll fulfill the requirement. Every organization is different, so each hospital fulfills HIPAA requirements differently.
However, many organizations adopted HIPAA controls ages ago, and those controls likely need to be dusted off and updated for today’s technologies and attack vectors. If it’s been years since your medical organization has reviewed your HIPAA controls, you may actually be at an increased risk, because your directional approach has become outdated.
On a regular basis, be sure to conduct a fresh review of the controls you use to fulfill HIPAA requirements. Better yet, put your controls up against a strong and prescriptive compliance framework like the PCI DSS to validate the appropriateness and effectiveness of your controls.
Operational Compliance Overwhelm
In the healthcare industry, everyone becomes used to certain cornerstones, such as HIPAA training and retraining. Rarely do you see a focus on operational compliance. Operational compliance refers to the sets of activities that need to be completed every day, every week, monthly, quarterly, semi-annually, and annually. These activities must be completed on schedule in order to appropriately maintain your compliant status.
When you have multiple compliance standards to meet, it can be damn near impossible to keep track of all the activities that various personnel are assigned to.
- Who’s supposed to be fulfilling what?
- What items are overdue?
- Were these items completed correctly with appropriate evidence?
Add to that the layers of multiple departments, clinics, and medical campuses under your purview, and it doesn’t take much for requirements to slip through the cracks unnoticed — until your annual audit comes around and your Assessor asks for reports that were never completed or are only partially in place.
Just like that, your hospital could be out of compliance.
It’s critical to proactively track and manage those operational compliance items so that you don’t fall behind and fall out of compliance.
This is where the beauty of TCT Portal comes into play. With TCT Portal, you can define your own controls, map them to all of your compliance standards, and automate them in Operational Mode so that your compliance program becomes a streamlined, automated process that practically runs itself.
You’ll never be in danger of controls slipping through the cracks or personnel saying they didn’t know they had an assignment to do. And you’ll easily be able to see anything that’s behind schedule in the real-time status dashboard.
Who Controls Your Data?
Many Assessment Firms provide their own proprietary compliance tools for you to use. On the one hand, it’s convenient to leverage a third-party tool, because you don’t have to pay for it or go through a purchasing process yourself. However, you should be aware of the inherent disadvantages.
From your Assessor’s perspective, a proprietary auditing system makes a lot of sense for them. The firm wants to maximize consistency across all their engagements, because it helps increase efficiency and makes them more competitive. If you’re looking at it from their perspective of efficiency, it’s a perfectly reasonable scenario. But not if you’re the client.
Who Controls Your Compliance Data? (It’s Not You)
For you, it means you’re giving up control of your data. You should have complete control over your information. If you’re using an Assessor’s system, the information is in their hands. You have access to it, but you don’t have control over it. What if you switch firms? What happens to that information?
You may be able to get an ugly, unusable export from your Assessor, but what good will that do? Do you really want to be inefficiently maintaining your own home-grown internal storage solution as a redundant copy of the ultimate point of truth for your compliance engagement (i.e., the compliance management system of record)?
If you have multiple Assessors for multiple compliance standards, that means you have multiple tools to work with — which multiplies the redundant work you have to do for each Assessor.
You need to make your compliance world better every way you can, and that includes leveraging your own compliance management system. You need to own the system that you use for compliance management, then share that information with your Assessors.
When you own your own system, your compliance program becomes more efficient. You’re able to do things in a streamlined way, because you can make the compliance tool fit your organization — not the other way around. You can give all of your Assessors access to your own compliance management system, but now it’s under your control. You’ve eliminated duplicate work, your system follows your own workflow, and you have complete control of your information.
Remember, your Assessors are third party vendors. They work for you. You have the right to control your information, and you have the right to decide what system that information will be on.
Tracking Data from Multiple Sites
When you have a hospital system with multiple locations, tracking the evidence from each location can be unimaginably messy. In a manual spreadsheet, the jury-rigging becomes monstrously difficult to manage, and it’s easy to add evidence under the wrong location. Tracking each piece of evidence is painfully onerous. It can take hours just to know what’s missing from which location and who is responsible for it.
TCT Portal eliminates the hours of manual tracking and stress by giving you the ability to split your controls and organize information down to the requirement, location and assigned control owner level. Let’s say you need to confirm DVR storage for video of your entrances, and you need to be able to do that across ten different hospitals or medical campuses. In TCT Portal, you can split that control by location and assign it to the right person at each location. So under one requirement, you have ten buckets — one for each location.
You can collect all of that evidence simultaneously and have it flow through the compliance system. Your internal compliance team can easily review that information as it comes in and provide additional recommendations or requests back to the correct evidence submitter, as needed.
The process is streamlined, clear, and without the sh*tstorm that usually reigns in complex compliance programs.
Better yet, you can automatically map the evidence from your request list to any standards or certifications you’re using. With this single consolidated list, when you submit evidence on that track, it is automatically populated to all of your target standards — HIPAA, HITECH, CMS, you name it. All of your stuff is consolidated into one location, and is then populated within TCT Portal everywhere it needs to be, no matter how many standards or certifications you need to meet.
Communication Challenges
One of the challenges for healthcare is to manage all of the people and personnel on an engagement. Hospitals don’t close at 5:00pm. In that setting, it becomes even more challenging to organize and communicate with teams that are working different shifts from each other. How do you effectively follow up with personnel, or nudge them about items they’re assigned to?
When you use automated compliance management technology, the system itself can do that for you. TCT Portal sends automated reminders to team members who have upcoming or outstanding items to be completed. This allows a compliance manager to focus on more important tasks than nagging personnel who may or may not even be working the same shift.
Stop doing all the exhausting cat herding you’ve been wasting time on and let the system do it for you.
Using the Wrong System for Your Needs
Because HIPAA has been around so long, there’s a plethora of software options for implementing and managing your HIPAA compliance program. Many of these programs were developed in the early days of HIPAA, but they haven’t kept up with technological advances and they are now cumbersome and inadequate — but those systems remain embedded within the hospital’s compliance program.
In other cases, hospitals still use the good ol’ spreadsheet method to attempt to manage their data and compliance activities.
Many vendors approach HIPAA as if all you have to do is check the boxes, pull a couple of levers, and POOF you’re compliant. They set out to design a system that makes HIPAA compliance easy and templated, yet leveraging these systems actually increases risk for the organization and provides a false sense of security. The tooling is designed to make life easier, but easier doesn’t always mean done right. You may not be applying the appropriate level of strength to your control set.
In addition, these simplistic HIPAA tools aren’t equipped to manage additional compliance standards. If you have to comply with CMS, HICP, PCI DSS or ISO 27001, those tools won’t get you very far.
For these organizations, it gets complicated, because you need to be able to proactively manage all of the various requirements you’re going up against.
With TCT Portal, you have the ability to define your own controls to meet the requirements of HIPAA and other standards. And that means that you can run your compliance engagements the way you want — not the way a third-party vendor thinks you should.
TCT Portal also gives you a live dashboard that shows the current status, across all of your target certifications and standards, in real time. You can see with just a glance what items are completed, what items are outstanding, who is assigned to what tasks, and more. Because the status is live, you know exactly what’s going on right now. Instead of spending hours just gathering information and sorting through it, you can have a complete picture of the entire engagement, immediately.
Compliance Management Doesn’t Have to Suck
Compliance management in the hospital environment may be incredibly complex, but it doesn’t have to be incredibly painful. Follow these best practices and you’ll gain compliance sanity that reduces stress, operational costs, and inefficiencies.
TCT Portal was designed to provide the greatest results under complex compliance scenarios. Schedule a personalized demo today!