One of the biggest challenges small to mid-size healthcare organizations face in creating the role of Security Compliance Officer is recognizing what the position really involves. In many instances, I’ve seen the job assigned to whichever member of management appears to have spare time. Frequently, the duties land on the poor HR Director, whose role is sometimes viewed as non-revenue-generating overhead and who therefore “probably” has time to pick up another overhead task or two. Alternatively, the job gets dumped on the Office Manager of a medical practice, who is already overwhelmed with staffing, client relations, billing and general administration, and the last thing they want is more work.
Compliance and security should never be treated as a part-time job or an add-on to another position. It’s too important, and the consequences of doing the job poorly become very expensive once a breach occurs. Healthcare is one of the few fields with direct reporting obligations to the federal government for security and privacy, and the penalties for failing to meet those obligations can be severe.
In early 2018, Fresenius Medical Care North America (FMCNA) paid a $3.5 million settlement to the HHS Office for Civil Rights (OCR). OCR’s investigation found that FMCNA had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI, and that it had impermissibly disclosed patients’ ePHI by providing access for a purpose not permitted by the HIPAA Privacy Rule.
Defining Responsibilities:
When creating the role of Compliance Officer in your healthcare practice, it’s essential to start by defining both the responsibilities and the authority of the position. That second part, the authority, is the most under-appreciated. A position that is in effect “a toothless tiger” is a formula for failure for your organization. The officer has to be given both the responsibility and the power to get the job done right.
The primary duty of any compliance officer is to ensure your company complies with all applicable industry, state and federal regulations, with particular emphasis on HIPAA. Compliance officers must know how to interpret these regulations and how they apply to your business operations. This is NOT a responsibility anyone should be expected to learn on the job. Compliance Officers are also responsible for reviewing the current and prospective risks a practice faces of exposing organizational and patient information. Identified risks must be documented and passed along to senior executives so that internal controls can be established to minimize exposure. Security and Compliance Officers must also research, develop, implement, test and review the organization’s information security controls to protect information and prevent unauthorized access.
Their job should include creating and managing an ongoing, organization-wide Security Awareness program. They are responsible for developing and maintaining all of the compliance documentation and Risk Assessments needed to meet HIPAA requirements. They must work with vendors, outside consultants and other business partners to improve information security within the organization and at every place your data passes through or resides.
They also must create and maintain an event reporting and management system to report, record, investigate and resolve suspected data breaches, and to notify HHS/OCR (and the affected individuals) when a breach of unsecured PHI is confirmed, as the HIPAA Breach Notification Rule requires. It’s their job to ensure that the access control, disaster recovery, business continuity, incident response and risk management needs of your organization are met. The urge to “figure it out if it happens” is a recipe for disaster because, by then, it is already too late: your disaster has already happened. The point of the job is to keep it from happening in the first place. When an exposure does occur, their job is to lead the incident response team to contain and investigate it, and then to adjust organizational practices to prevent a recurrence.
Creating a Workable Security and Compliance Budget
Management has to recognize the need to fund security and compliance efforts and provide a budget sufficient to pay for the security management process. Expect to budget for skills training for your Compliance Officer and their staff. They’ll need a management system to track your policies, procedures, documentation and training records. Expect that a good Compliance Manager will also require funds for ongoing security awareness training for your staff, since the large majority of security breaches begin with a human error such as a clicked phishing link or a misdirected email. They will also need security monitoring tools to watch over your confidential data.
Taking Advantage of 3rd Party Security Resources
Your management must recognize that no matter how proficient your Compliance Manager becomes, they’ll always need help in areas outside their skill set. Most often this means the technical risk assessment of your IT infrastructure. A non-technical Compliance Manager won’t have the depth of experience to accurately evaluate the technical findings of a comprehensive IT Risk Assessment. This is better left to experienced professionals who can dig into the technical details of your network defenses.
Even if your in-house Compliance Manager has some IT experience, it’s best to have a third party conduct your Risk Assessments. Letting your IT people evaluate their own work is a terrible idea: if they made a mistake building your security controls, they are likely to miss the same mistake when reviewing their handiwork. Smaller organizations might consider subcontracting some or all of the technical and administrative work to third parties that specialize in HIPAA security practices, with a reporting relationship to a member of upper management.
These arrangements are typically called Virtual CIO or Virtual Security Officer services. Management retains the title and the responsibility, but the contractor does the compliance and security heavy lifting for your organization. This can be a very cost-effective alternative to hiring another expensive member of management. The key is finding an experienced, security-centric IT consultant who knows your field. Ask for references and samples of their previous work.
A word of caution about cloud-based services: don’t assume that because you’ve off-loaded your patient management system to a cloud provider, you’re off the hook and compliance is now their responsibility. You are the covered entity, and the responsibility for the security of your patient data is and always will be yours. If they screw up and expose your data, you’re still on the hook. The same is true if you use an outsourced IT team. In both cases they are Business Associates under HIPAA: you must have a signed Business Associate Agreement with each of them, and they carry their own HIPAA obligations, but your Compliance Manager still has to hold them to standards of performance to protect your data because, if there is a breach, it’s going to be your name on the line!
About the Author:
Jeff Hoffman is President of ACT Network Solutions, a Managed Security Services company near Chicago specializing in HIPAA Risk Management and author of the book “Intruders at the Gate: A Guide For Protecting Your Network From Hackers.” You can send any questions or comments to jhoffman@actnetworksolutions.com.