Health care compliance is a dynamic and growing burden. Managing and proving compliance with complex, changing and even conflicting regulatory requirements is difficult. And it must be incorporated at the individual employee level – at the point where the work is done. Health care carries a high and unique burden for both regulatory and legally driven compliance due to the dangerous nature of its work.
HIPAA (Health Insurance Portability and Accountability Act of 1996), ICD-10 and more recently HITECH (Health Information Technology for Economic and Clinical Health Act of 2009) are part of health care’s rising burden. The HITECH Act was not intended to derail health care IT plans, add complexity or increase IT costs in health care. The Health Information Trust Alliance (HITRUST) gives health care IT organizations a Common Security Framework (CSF) with a prescriptive approach that provides controls and supporting requirements, clearly defining how organizations meet the objectives of the framework. While HITRUST compliance provides the health care industry an opportunity to receive monetary awards from the government, it is still more compliance.
Ensuring that the rules are followed by everyone is hard. Policies define a compliance state, and processes are meant to provide a way of working that supports being in compliance. For IT, change management is the primary process that ensures effective compliance. A committee such as a CAB (Change Advisory Board) reviews proposed changes to IT for safety, accuracy, completeness and compliance. Internal governance may perform periodic reviews of the documented policies, assess how they are applied in daily operations and make suggestions for improvement. Audit validates the relative success of compliance activities. Audit activity, like compliance, has a policy set and defined processes that provide a consistent approach and yield reliable determinations.
But policy and process alone are not sufficient today. Manually tracking changes and release plans in today’s complex environments is inefficient and inaccurate. Adapting processes to changing compliance needs is time consuming, and getting the organization to adopt the changes in their day-to-day work is difficult.
There is a better way. Leveraging technology applications such as ticketing, change and configuration management systems and workflow automation can significantly increase IT’s ability to ensure compliance with policies by automating the way the work is delivered – with compliance essentially already “baked” in as the work flows step by step. Changing compliance is a lot easier too. When compliance requirements change, policy and processes are updated as needed, and those changes are then put into the technology and workflow – thereby changing the work before it is delivered and essentially “automating” adoption of the changed compliance.
Audit reporting can also be automated by building the standard reporting functionality into the technology and updating it in the same way as compliance reporting needs change. Running a series of change reports using the information in the corporate CMDB will produce the required data because the compliance policies defined what information was to be recorded. It is the internal controls that make this possible. For example, policies generally require that each proposed change has the affected CI(s) associated with it. Once approved, a change is made and the CIs are automatically updated and verified/reconciled to ensure the correct information has been captured. Since a full audit trail has been created, compliance can easily be proven as a by-product of automated change and configuration processes.
What can health care IT do to meet compliance, speed service and reduce costs?
An enterprise automation solution with policy definition, end-to-end processes and effective technology can deliver on all these needs.
Related information: the benefits of IT transformation in enterprise healthcare – a case study (no registration required).
About the Authors
Michael has more than 12 years of international consulting experience in various IT industries, including airline, banking, oil and gas, telecom and health care. Michael started as a software engineer before joining the HP Consulting and Integration ITSM team for several years and then moved to PricewaterhouseCoopers as a manager.
Michael is a PMP, with ITIL Foundation and two ITIL intermediate certifications (OSA and PPO); he passed the Certification in the Governance of the Enterprise IT (CGEIT). He earned his bachelor's degree in Computer Science from the American University in Cairo.
CEO and Co-Founder of Evergreen Systems, Don has more than 20 years of experience in leading, building, managing and operating technology companies. He has led market development and shaped the technical direction of business units focused on internal and external support center solutions, network management systems, complex networks and workflow/document management solutions.
Before co-founding Evergreen, Don was Executive Vice President and the third employee of Global Management Systems, Inc. (GMSI), recognized by Inc. Magazine as in the top 100 on their list of the 500 fastest growing, privately held firms in the U.S. Don is a graduate of the College of William and Mary.