It’s sometimes hard to believe that the acronym GRC (Governance, Risk, Compliance) has been around for less than 20 years. Developed as a response to the financial shenanigans discovered when the dot-com bubble burst, GRC has evolved into an integrated collection of capabilities that enable an organization to achieve objectives reliably, address uncertainty, and act with integrity.
Today GRC has expanded far beyond the original core concepts and must be a consideration for any organization seeking to grow its business. HIPAA and GRC go hand in hand for companies operating in the healthcare sector.
HIPAA & GRC – A Brief History
GRC was coined in 2003 by what was then called the “Open Compliance and Ethics Group” (OCEG), a non-profit think tank with the stated goal of “…achieving a world where every organization and every person strives to achieve objectives, address uncertainty and act with integrity.”
OCEG defined this approach to business as “Principled Performance®,” and GRC was designed to be the means to achieve it. By leveraging the common governance, performance, risk management, compliance, and audit capabilities, organizations can achieve business objectives while managing uncertainty and acting with integrity.
HIPAA & GRC – The Compliance Crossroad
The compliance component of GRC refers to how an organization responds to the boundaries that limit its actions. These boundaries fall into two general categories:
- Voluntary – These are the self-imposed boundaries chosen by the organization internally, such as defined standards of service, contractual agreements, or statements of values. Think of them as actions taken that define the organization’s character, what they strive to be, or how they act when no one is watching.
- Mandatory – These are the boundaries imposed upon an organization externally through laws and regulations. HIPAA compliance is a prime example of a mandatory boundary faced by an organization in the healthcare area.
There are consequences to violating either type of boundary. Acting in a manner inconsistent with voluntary boundaries can hurt an organization’s culture and reputation. The damage caused can be compared to termites attacking a home – unseen but ultimately costly.
Violating mandatory boundaries like HIPAA rules and regulations can lead to severe penalties such as fines, increased regulatory oversight, and even criminal charges. When such violations occur, they are often widely publicized and sometimes result in the failure of the business.
Using the “Principled Performance” management strategy, operational decisions are made that treat voluntary and mandatory boundaries as “no go” zones because they represent promises made.
HIPAA & GRC – Risk is Not a Game
One definition of risk management is “the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.” Using that definition, risk management works hand in hand with compliance.
One of HIPAA’s primary concerns is restricting the access of a patient’s protected health information (PHI) to the patient and those authorized to possess the information.
HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule define the standards of compliance that must be achieved to protect PHI. But even if an organization is fully compliant with policies, access controls, and training, today’s digital world has created new risk vectors.
Cybercrimes such as phishing, malware, and ransomware continue to increase at nearly exponential rates. Companies today must consider the risk of their computer network being compromised or crippled and the effect that would have on their business. They must also consider the possible fallout if it turns out they failed to take the steps HIPAA requires to prevent or limit that exposure.