
It’s a complicated world out there, and the never-ending changes in technology and regulation keep everyone on their toes and/or fearful of what they missed. When it comes to compliance, whether you’re implementing EHR technology, e-signature technology or really any new system or process, there’s a laundry list of regulations to follow. You have HIPAA, the HITECH Act, the Meaningful Use Rule, PCI DSS, and the list goes on. I call it the alphabet soup of compliance. As often happens, regulatory compliance may be siloed by each of those acronyms, leaving more of an opportunity to miss something or to duplicate efforts, which creates confusion for staff and customers.

I was recently on a call with a client to review a security risk analysis report I wrote for them and was asked whether the risk analysis covered only HIPAA or also addressed things like safety risks to employees. I told my client that the risk analysis was broader than just HIPAA. The report addressed not so much regulatory risk as what you really need to worry about: what’s out there that can harm your organization and your customers. If the risk analysis only covered HIPAA risk, there really should be yet another risk analysis to address non-HIPAA compliance risks, which would amount to a waste of resources and the possibility that something will slip through the cracks. This is a good example of what can occur when compliance efforts become siloed.

Few organizations out there are subject to only one set of regulations. A good place to start when evaluating a compliance program is to develop a spreadsheet of all of the regulations that an organization needs to comply with, what is different between the regulations as far as requirements go, and what is the same. As an example, if an organization for contractual reasons needs to comply with HIPAA and survive ISO 27001 certification, it’s a good idea to start with the similarities and differences between HIPAA and ISO. (See Appendix A for an example.)

As you can see, many HIPAA and ISO requirements are the same. ISO certification is more prescriptive than HIPAA compliance requirements, but at a glance you can see that work you’ve already done, such as drafting policies and procedures, will help you comply with other regulatory and contractual requirements. This is a simplified version of comparing different compliance requirements, but it can be expanded to encompass all of the regulations you need to comply with.

As an example, I had a conversation with one of the developers who worked on the Kaiser patient portal. The developer told me the Kaiser team created a spreadsheet listing all of the state laws Kaiser needed to comply with across the country and picked the most stringent requirement for each area, such as rules around where minors’ privacy rights started and stopped. That simplified the project and helped Kaiser comply with multiple state regulatory requirements rather than developing a solution state by state.

Sometimes that approach is not practical or even logical, but it’s a good place to start. A HIPAA hybrid entity is an example of when making sure the whole organization complies with HIPAA is not necessarily a good idea. If an organization provides patient care and decides to develop a new EHR that will be used by other covered entities, it’s wise to make sure the whole organization complies with the HIPAA Security Rule. It doesn’t necessarily make sense to require the whole organization to comply with the HIPAA Privacy Rule. The business associate side of the house doesn’t need to worry about things like making a Notice of Privacy Practices available to its EHR customers. This is a situation where a spreadsheet would help focus the whole organization on the information security compliance requirements while addressing the HIPAA Privacy Rule requirements only for the part of the organization that is a covered entity. If you don’t need to comply with the rule, why go through the compliance effort?

Healthcare compliance is an ongoing and ever-changing process. If you can make it easier, why not do it! Siloing compliance results in more work, more chance of missing a requirement and more confusion.


Chris Apgar is the CEO and President of Apgar & Associates, a HIPAA privacy, information security, HITECH and regulatory compliance consulting firm. He is a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law and electronic health information exchange. He’s a frequent instructor and panelist for leading national industry groups such as AISHealth, HCPro, HIMSS, Healthcare IT News, and HCCA.


To learn about using HIPAA and 21 CFR Part 11 compliant Independent E-Signatures™, download this free fact sheet.

The E-Signature for Healthcare Fact Sheet
