Compliance Software Guide
IT compliance software, regulatory compliance software, HR compliance software, audit compliance software: compliance software solutions seem to exist for every problem, every regulation, and every law governing known human affairs. What is compliance software, and what should a business consider when deciding to purchase one?
What Should a Business Consider Before Purchasing Compliance Software?
Fortunately, buyers seeking software that can assist them with some kind of compliance can narrow down the possible options by asking a series of questions. These questions are:
- What law or regulation must be complied with?
- Must the entity comply with the entirety of that law or regulation, or only with part of it?
- What is necessary to achieve compliance with the law or regulation?
What Compliance Software Should be Considered for Purchase?
Take HIPAA as an example. Healthcare providers, health plans, and healthcare clearinghouses must comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a law – that is, it began as a bill that was passed by Congress and signed by the President. The HIPAA law designated a federal agency to implement regulations regarding the privacy and security of individually identifiable health information. That agency, the Department of Health and Human Services (HHS), implemented the following four regulations:
- The HIPAA Privacy Rule
- The HIPAA Security Rule
- The HIPAA Breach Notification Rule
- The HIPAA Omnibus Rule
Collectively, these four regulations comprise the requirements with which healthcare providers, health plans, and healthcare clearinghouses (all of which are examples of what HIPAA defines as “covered entities”) must comply. A related category of organizations known as business associates – defined as persons or entities (other than members of a covered entity’s workforce) that perform functions or activities on behalf of, or provide certain services to, a covered entity – must also comply with the regulations, if and to the extent that these organizations’ services or activities involve access to protected health information (PHI).
Generally, covered entities and business associates must each comply with all four of the above regulations. How business associates must comply with the Privacy Rule deserves a word: if a business associate contracts to provide services to a covered entity with regard to fulfilling individual rights or other obligations of the covered entity under the Privacy Rule, then the business associate must fulfill those obligations in accordance with the Privacy Rule’s requirements. In other words, a business associate must comply with the Privacy Rule to the extent it contracts to perform covered entity functions for which Privacy Rule compliance is needed.
Compliance with each of the four regulations involves meeting specified standards imposed by each regulation:
- The HIPAA Privacy Rule sets national standards which must be adopted by healthcare providers, health plans, and healthcare clearinghouses that conduct healthcare transactions electronically. The Privacy Rule’s standards help to ensure that the privacy of patients’ protected health information is protected, in whatever form (electronic, paper, or oral) that information is held.
- The HIPAA Security Rule sets standards which ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule requires administrative, physical, and technical safeguards to be implemented to keep ePHI secure at all times and protected against unauthorized access.
- The HIPAA Breach Notification Rule sets standards for notifying affected individuals, HHS, and (for larger breaches) the media when unsecured PHI has been accessed by or disclosed to unauthorized individuals or has otherwise been exposed.
- The HIPAA Omnibus Rule (2013) implemented the HITECH Act’s changes to the other three rules, including making business associates directly liable for compliance with the Security Rule and with applicable provisions of the Privacy Rule.
What Is Compliancy Group’s Compliance Software: The Guard™?
Compliancy Group’s Software as a Service compliance tracking tool, The Guard™, allows covered entities and business associates to cover the entirety of each regulation for which the law mandates compliance. The Guard™ addresses the full spectrum of the standards needed to comply with each regulation. The Guard™ compliance software simplifies the process of becoming HIPAA compliant, so you can confidently focus on your business.
Clients using The Guard™ compliance software go through the process of HIPAA compliance guided by Compliancy Group’s Compliance Coaches™. Compliancy Group is the only organization that offers guided support throughout the entire HIPAA compliance implementation process. Compliance Coaches™ facilitate implementation through 5 to 8 sessions, each lasting 30 minutes. Coaches are also available to answer any questions that may come up between sessions.
These sessions walk clients through:
- Six required self-audits: HHS requires covered entities and business associates to perform a risk analysis and to evaluate their safeguards periodically. The Guard™ structures this work as six annual self-audits for covered entities (CEs) and five for business associates (BAs). The required audits are as follows:
  - Security risk assessment
  - Security standards audit
  - Asset & device audit
  - Physical site audit
  - HITECH Subtitle D audit
  - Privacy assessment (not required for business associates)
- Gap identification & remediation plans: Completing the self-audits allows gaps in physical, technical, and administrative safeguards to be identified. The Guard™ then creates remediation plans to address the identified gaps. A remediation plan is a written plan that specifies how each gap will be closed, by whom, and by when.
- Developing customized policies and procedures: Proper maintenance, receipt, and transmission of PHI requires an organization to develop and implement written policies and procedures. These policies and procedures must be periodically updated to account for any changes to business practices. In addition, the policies and procedures must be specific to an organization’s particular operating environment. Clients, working with their Compliance Coaches™, develop policies and procedures that address the HIPAA requirements.
- Employee training & attestation: Employees must be trained on an organization’s policies and procedures and on the applicable HIPAA requirements; HIPAA requires training of new workforce members and retraining after material policy changes, and annual refresher training is the widely adopted practice. HHS requires employee training to be documented. The Guard™ provides for tracking of individual employee training, enabling organizations to monitor each employee’s progress. The Guard™ enables employees to legally attest that they have read and understood the HIPAA requirements and the organization’s policies and procedures.
- Business associate management: Before choosing a business associate, healthcare organizations must vet their vendors. The Guard™ gives healthcare organizations the ability to send their vendors self-audits that will identify the business associate’s gaps. BAs must agree to close those gaps with remediation plans in order to be HIPAA compliant. Additionally, business associate agreements (BAAs), templates for which are provided by The Guard™, must be signed between covered entities and business associates. These agreements must be signed by both parties before any PHI is shared between the entities. A BAA limits the liability of both parties if a breach should occur, by stating that each party agrees to be HIPAA compliant and to be legally responsible for its own compliance obligations. A BAA also specifies who is responsible for reporting a breach, and how quickly the business associate must notify the covered entity, should one occur. Without a signed BAA and adequate vendor vetting, both parties could be held accountable in the event of a HIPAA violation.
- Incident response: As part of the HIPAA regulations, healthcare organizations must report breaches of unsecured PHI. Not every security incident is a reportable breach: the Security Rule requires documented procedures for identifying and responding to security incidents, and the Breach Notification Rule requires a documented risk assessment to determine whether an incident involving PHI must be reported. Employees must have a way to report suspected breaches, and HIPAA prohibits retaliation against workforce members who do so; The Guard™ permits employees to report anonymously. In addition, in the event of a HIPAA audit, organizations must be able to provide documentation that they satisfied their HIPAA legal obligations. The Guard™ documents everything that is necessary to demonstrate an organization’s “good faith effort” towards HIPAA compliance.