South Florida Hospital News
Tuesday December 10, 2019


December 2018 - Volume 15 - Issue 6



Maximizing Technology in Compliance

A compliance department’s relationship with technology can be a bit, well, complicated. Every compliance department faces headaches caused by technology implemented or used inappropriately, and trusting technology to help resolve those problems can feel a bit naïve. Yet, listening to some sales pitches could make a person think that one magical purchase can resolve every issue.

Given this tension, the best approach seems to be one that considers what compliance actually does, finds what works for those activities, and doesn’t forget the risks that new technology can create.
The Proper Role for Technology
“We cannot solve our problems with the same level of thinking that created them.” - Albert Einstein
On a regular basis, I receive calls from very concerned clients who fear that they are not complying with particular laws. These folks have dug deeply, researched, and found more than a few requirements of HIPAA, the Gramm-Leach-Bliley Act (GLBA), the anti-kickback statutes or some other regulation that they are not meeting. Within a few minutes, however, I can provide the “magic” solution – complete compliance at no cost. How? They were not subject to the law in the first place. They got so lost in the details that they forgot to ask the basic question.
This may be a tendency that we can all see in ourselves – when first facing a problem, we recognize the bigger issues and plan to address them, but once we start digging into the details, we forget the context. It is like spending hours learning how to use a new smartphone only to realize it can’t make a call.
Looking at an example specific to compliance, Governance, Risk Management and Compliance (GRC) software can be a powerful tool for compliance officers to integrate and manage risk and compliance activities across IT operations. By tracking an entity’s policies, controls and activities, GRC helps the entity meet, and demonstrate that it is meeting, regulatory requirements.
Of course, GRC has limits:
• It is only as good as the risks, controls and activities that someone has identified and entered into it;
• It can give a false sense of security if it is not used regularly and well; and
• It does not replace policies, training and the other human elements of a compliance program.
These limitations create risks that seem obvious at first, but can be forgotten as soon as we take the bow off the software and get lost in the details of how the thing works.
Before implementing any technology, a company should keep in mind the limits of the technology and build in structures to ensure that humans are checking it, doing the tasks technology cannot address and occasionally taking a step back to rethink whether the entire process makes sense. For example, acquiring logging software to track use of an IT system can increase risk if no human actually reviews the logs generated: the logs detect nothing on their own, and an unreviewed record of an incident can later show that the organization had the information and failed to act on it. (HIPAA’s Security Rule, for one, expressly requires procedures to regularly review records of information system activity, such as audit logs.)
Some Potential Solutions
The flip side of getting lost in new toys is to overlook the potential for relatively simple technology to solve complex issues. For example, I have had more than one vendor client decide to stop providing services to health care organizations. Why? Too many regulatory issues that are too expensive to address – particularly involving HIPAA. Full compliance with HIPAA requires not just privacy policies, but also a full IT risk assessment, a risk management process and an IT security program. A small company providing simple services that involve health information (e.g., a mailing service sending out patient letters) is required to meet most of the same requirements as a larger organization, no matter how “scalable” the security rules may be. The cost of a full risk assessment from a consultant, plus hiring a lawyer to create policies and procedures to address risks and comply with HIPAA, not to mention the training of workforce members, can run from tens of thousands to hundreds of thousands of dollars.
In response, my firm developed a tool we offer to clients that combines an IT assessment platform (to review a client’s security as well as HIPAA compliance) with behind-the-scenes document management in order to reduce the cost and the time required to comply with HIPAA. Our clients have found that the new tool consolidates several steps (risk assessment, policy and document generation and risk management), simplifies the process and significantly reduces costs. This solution is not dependent on cutting-edge technology, but uses current technologies in novel and elegant ways to meet particular needs.
Making IT All Fit
Compliance departments can face overwhelming challenges from technology: either it is creating risks or it is offering a bewildering array of options. Each new tool provides a temptation to overreact, get lost in the details or crawl under the nearest blanket and hope it goes away. In the end, however, by remembering the big issues, keeping humans in charge and applying a bit of creativity, a savvy compliance department can find and utilize the right tools for the enterprise.

Roy Wyman is a partner of Nelson Mullins Riley & Scarborough LLP in Nashville and is a member of the healthcare regulatory and transactional team. He can be reached at or (615) 664-5362.
