With few exceptions in today's highly regulated business world, compliance with privacy protection mandates and...
IT obligations are inextricably intertwined: Whether it's in healthcare, finance, government, law enforcement or any other field, an organization's separate departments share certain compliance obligations. But despite their common goals, the day-to-day compliance functions and the identification and ranking of IT priorities have been historically isolated from each other. There are signs, however, that businesses and industries are starting to see the benefits of the convergence of IT and compliance procedures.
It's important to clarify that because there are so many business processes included in compliance that differ between industries, when I say "compliance" I mean the obligation for an organization to meet the legal or industry regulatory standards for proper data use, disclosure and protection. Some examples of these regulatory requirements are contained within the Health Information Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley-Act (GLBA), and Payment Card Industry Data Security Standard (PCI-DSS). I will focus here on the healthcare industry and HIPAA, but with the exceptions of the finance field -- where the convergence happened in large part some time ago -- my observations about the continued convergence of IT and compliance procedures apply to other industries as well.
Within the healthcare field, the following staff members and departments should all be involved in compliance efforts: company executives, assigned compliance professionals, health information managers (HIMs), risk managers, IT, facilities, human resources and legal. These personnel often operate in high-walled silos and if they get together at all, they often go for long periods without ever discussing the mutual requirements they must meet.
When I've asked IT pros about HIPAA Security Rule compliance within their organization, they've typically responded with, "That is the compliance officer's realm" or "Risk handles compliance." If you ask executives about the IT functions required under the Security Rule, you will very often get, "The IT folks assure us they follow industry security best practices." Or "I have no idea what they do; it is all Greek to me."
IT personnel -- and executives -- often have too much trust that someone else is taking care of compliance. They're also often all too willing to remain ignorant of any IT-specific issue that might be even slightly outside their domain.
The IT and business benefits of compliance
It's just as dangerous if a company looks at compliance as simply a set of check boxes needed to satisfy legal or industry regulation requirements. These folks will often do just that: Check the box and move on. Others see compliance as an undue set of rules promulgated by bureaucrats and resist complying at all. They see the rules as impractical and unnecessary or outside of their normal budgets and priorities so they'll ignore them altogether. Then there are those who see regulations as a necessary evil to break the habit of inaction by those who always have other priorities.
It's important to remember that regulatory requirements can be a driving force toward taking prudent actions to improve adherence to overall information governance. "The first mistake is focusing on the goal of compliance rather than the bigger picture," said Sharon Lewis CEO/executive director at the California Health Information Association (CHIA). "Compliance with the regulations doesn't equal security or proper information governance. We must align health information management, information technology, risk and compliance to meet the broad set of obligations we have today."
Lewis' big-picture view is one that seems to be growing within the healthcare community, and one that naturally should lead to better cooperation across departments. The inherent desire for improved patient outcomes, as well as to avoid the very public data breaches, ransomware, fines and corrective actions that have occurred in the past couple of years, have woken up the industry. Healthcare executives and practitioners have finally begun to see that the highest-value asset they possess, beyond their patients, is the data they create and maintain. The ability to leverage and protect the data both reside within the realm of IT data access, functionality and management.
The privacy and security conundrum
While auditors have been inquiring about the security and availability of information systems for a long time, their lack of IT knowledge depth often places them at the mercy of the IT department's willingness to share and be forthright. Sometimes, it's left to privacy and security officers (many times the same individual) to corral the various parties and to try to stitch together a united front. This is all done in the face of competing initiatives and confusing messages from the executives at the top. I very often hear executives saying, "I want compliance and security, but they cannot change the way we work." Basically, this translates to "I really don't want compliance and security. I just want to be seen talking about it." This attitude seems to be changing, however, as executives are losing their jobs after security or compliance breaches result in massive fines, lawsuits and loss of customer confidence for the company.
"There is no question that there is a convergence happening," he said. "Over time people have begun to get that a compliance program is a positive for proper information lifecycle management and doesn't stymie growth. Rather, it promotes and increases growth."
"One of our goals at CHIA is to be recognized as healthcare experts where we translate data into health intelligence," Lewis said. "When you look at the lifecycle of information, it is really so much bigger than simple compliance -- it's a challenge to align Medicare, coding, administration, HIPAA and other regulatory obligations."
There is evidence that leadership is starting to see the writing on the wall. There have been enough news stories on consumer privacy issues in recent months to cause the healthcare industry to reflect, and it is beginning to look to groups like CHIA and HCCA for help to implement the changes.
"At HCCA we have put together a track for IT for next year's conferences to recognize and advance the convergence of IT and compliance," Lewis said. "We always work to be out in front, but we are seeking the early adopters who are the crossovers with both IT and compliance to help us educate the masses."
So it does appear that the convergence of IT and compliance procedures is happening. The question is will healthcare organizations strive to make sure patient outcomes and privacy are of equal priority?
In some situations, IT personnel are coming to the table kicking and screaming, but others are embracing the role. Lewis said while IT will play a key role in the successful convergence, she cautioned against the potential for worsening siloes.
"While I truly support the need for leadership and encourage the initiative, we need to all work together to prevent any one group from controlling the process and limiting the immense possibilities we could all share," Lewis said.
More on IT and compliance strategy:
IT struggles with BYOD, consumerization compliance
IT compliance clashes with DevOps' automation ideals
IT systems compliance broadened by Regulation SCI