Why Healthcare Organizations Need Third Party Support for Regulatory Interpretations
By Scott Whyte, Advisor & Former Chief Strategy Officer
Part One: Understanding Regulatory Frameworks
Like many of you, I have been a healthcare leader, in my case as a CIO and later as a VP at one of the nation’s largest provider organizations. Seldom a day went by when I didn’t have some concern about how to improve our security and compliance. If you’ve ever tweaked your back, it’s like that – you appear to be going about your other business, but it’s always on your mind, and it’s usually a bit painful.
My key compliance concern working for a large provider system was HIPAA and the enormous reputational risk associated with a security incident or straying from compliance. HIPAA (the Health Insurance Portability and Accountability Act) came into force in 1996, written years before we had the healthcare cloud, machine learning, and artificial intelligence, not to mention the data sprawl resulting from the digitization of healthcare. HIPAA requires expert interpretation and can often be confusing or vague in light of today’s technology. Plus, healthcare organizations are expected to adapt to changing guidelines as they’re added over time. Since HIPAA was enacted, we’ve seen the Privacy Rule in 2002, the Security Rule in 2003, the Breach Notification Rule in 2007, and the HITECH Act in 2009. Most recently, the Final Rule has further strengthened the privacy and security protections for PHI. You can browse that 138-page Final Rule, formally known as Title 45 CFR 164, in the Federal Register.
I suspect most of us can’t make it through the language in this documentation, and would struggle (at best) to explain what it means to our colleagues in our strategic leadership meetings.
But not understanding the intent of the regulations doesn’t exempt you from the consequences of violating HIPAA, any more than telling the police officer who pulled you over that you didn’t know you were doing 65 mph in a 45-mph zone gets you out of the ticket. And if you are fighting the urge to invoke the ostrich and hide your head in the sand, think again: HIPAA’s highest penalties are for willful neglect.
For many of us in healthcare, HIPAA is just one iceberg in our sea of regulations. Working across international borders or with citizens of countries outside the US means complying with the General Data Protection Regulation (GDPR). There are 99 Articles in GDPR, and if you fall short on any one of them, the fine can be as much as $20 million or 4% of your global annual revenue. As a provider executive, I can tell you we were never – even at our brightest moments – sitting on $20 million we didn’t already have prioritized for other imperatives, including patient care.
Part Two: The Advantage of Partnering with a Healthcare Exclusive Cloud Expert
ClearDATA can help solve your regulatory framework challenges
The good news is you don’t have to be an expert; you just have to know one. At ClearDATA, we employ industry experts in HIPAA, GDPR, NIST, ISO, GxP and other regulatory frameworks who specialize in translating the guidelines into meaningful advice for our customers. We’ve worked with hundreds of healthcare organizations, both large and small, to help maintain an environment where their PHI is protected and they are meeting the requirements of HIPAA and other regulatory frameworks.
When we founded ClearDATA, we committed to one and only one focus: healthcare. Because we are healthcare-exclusive, we have been able to gain both broad and deep expertise in understanding healthcare’s regulatory landscape. Think of us as the Sherpa to your Mt. Everest of compliance.
We’ve done this long enough and well enough that we know the way safely up the mountain, and back down…every day. We are the established expert on the healthcare cloud and can provide you the tools you need to be able to fit square pegs like machine learning, artificial intelligence and big data into HIPAA’s round holes, whether on AWS, Google, or Microsoft.
What this means for you:
- We can translate the regulatory language of HIPAA, GDPR and others and map it to checks in the Compliance Dashboard, so you can see your compliance posture in a user-friendly interface rather than comb through pages and pages of regulations and wonder whether you are taking what HIPAA calls “reasonable” measures to protect patients. I’ll show you a view of that in just a moment.
- We have built a base of customers and partners who agree with the regulation mapping we offer and are using the same standards in their businesses. Showing an auditor that you are using the same guidelines as hundreds of other respected healthcare organizations, under the umbrella of ClearDATA’s HITRUST certification, can go a long way in easing doubts.
- We can provide you with DevOps automation that stays in front of ever-changing features on the public cloud. Some clouds release hundreds of new features in a quarter. Our team is working full time to understand what those are and create automated safeguards that help protect your compliance posture as you innovate on the cloud.
A healthcare platform and solutions to keep you safe as you innovate in the cloud
The ClearDATA Healthcare Security and Compliance Platform™ is built on a foundation of HITRUST and includes services and software that meet you where you are on your cloud journey. Our healthcare compliance software, ClearDATA Comply™, brings this expertise to bear on the issue of privacy, security and compliance by providing two key products: Automated Safeguards and the Compliance Dashboard.
ClearDATA Comply Automated Safeguards are IP we developed to ensure our customers and their developers can work natively with public cloud services (AWS, Google, or Microsoft) while we provide technical controls configured to help keep them in compliance with healthcare’s complex regulatory frameworks. Think of them as automated guardrails: if your organization does something that causes you to drift out of compliance, the automation alerts, notifies, and remediates the issue.
The Compliance Dashboard available through ClearDATA Comply is an intuitive interface that gives internal stakeholders (including CISOs, InfoSec teams, and Compliance and Risk teams) as well as external stakeholders (including auditors and legal teams) the ability to view their compliance posture across their assets in the public cloud at any time. It provides a near-real-time view as well as a historical record, and it is expertly mapped to specific compliance frameworks, allowing the customer to select one framework or several, including HIPAA, GDPR and GxP. ClearDATA Comply is also available for Kubernetes across multiple clouds. Here’s a preview of the Compliance Dashboard.
To learn more, request a demo and our team can walk you through all of the features that you’ll be able to access to monitor your compliance posture 24/7. Here’s a preview of how you can access and use the Compliance Dashboard inside your organization.
The ClearDATA Compliance Dashboard gives insight into your data inventory while also showing the extent to which measures are in place to protect it. This is mapped to multiple compliance disciplines and provides you with a clear, concise, actionable and auditable view of your environment. You can view this status at a more granular level by moving from your full environment to a selected group of assets, or even to an individual asset.
Depending on the market you sell into or the customers you serve, your framework will vary. You select the regulatory framework and instantly see your compliance status. In the Compliance Dashboard you can toggle between frameworks, e.g., HIPAA, GDPR, NIST, to compare how your posture varies from one to the next.
The Compliance Dashboard can simplify the process of demonstrating your culture of compliance based upon IT requirements including virus scans, intrusion detection, logging, backup and encryption, which are just some of the many checks visible in the Compliance Dashboard.
This is just a sampling of the ways the Compliance Dashboard can simplify your work and demonstrate your compliance. Our customers tell us this expert interpretation of regulations brings enormous value and allows them to monitor compliance and focus on innovation.
Contact us today to learn how you can protect your organization and gain peace of mind.