What is compliance? What are compliance risks? What is a compliance framework and how does it relate to compliance risks? This post aims to explain these topics by using a law that Americans are familiar with.
Basically, compliance is complying with a set of rules, which can be from a law, regulation, or company policy. A compliance risk is the risk of being non-compliant with the rules. A compliance framework is the set of actions taken to reduce the risk of non-compliance, the mechanisms to detect potential non-compliance and the approach to respond to non-compliance to prevent future issues.
To think about compliance risk and frameworks, let’s consider the requirement in the United States for protection and confidential handling of protected health information (one aspect of HIPAA); HIPAA is a law that most Americans may be familiar with.
For this example, let’s consider healthcare providers that will handle protected health information. What should a healthcare provider do to make sure it is compliant with this HIPAA mandate? It should evaluate the compliance risks, and then develop a set of actions to reduce the risk of non-compliance. Consider these three different types of healthcare providers: a large medical group that provides mental health services with four locations and numerous administrative and medical staff; a medical office of a single podiatrist; and a medical office with four doctors that perform plastic surgery. Even before going deeper into considering their specific risks, it’s probably clear that the overall risk profile differs in these three examples; therefore, it makes sense for each healthcare provider to define the appropriate compliance framework tailored to the risks specific to their situation.
A key word in the preceding sentence is appropriate. What is an appropriate compliance framework? To determine that, evaluate and assess the activities or situations that provide a risk of non-compliance for likelihood and impact. Then design an appropriate framework to prevent, detect, and respond to potential and real occurrences of non-compliance, focusing on the highest risk activities or situations.
At a high level, non-compliant access to protected health information could arise in three ways: verbally, through written documents, and electronically. Let's look at each of these high-level risks, identify the activities or situations that could lead to it, and then consider actions that could be taken to reduce the chance of those activities or situations occurring.
Verbal discussions

Activity/situational risk questions:
- Are other patients able to hear conversations pertaining to others' protected health information?
- Are only staff who need to know the information privy to hearing it?

Possible mitigating actions:
- Designing the office layout to reduce the ability to overhear conversations
- Providing training and awareness, including periodic reminders
- Implementing new procedures or modifying existing ones
- Modeling of appropriate behavior by managers and senior staff
Written documents

Activity/situational risk questions:
- Are medical records stored on desks or tabletops where they are accessible or visible to individuals (staff and patients) walking by?
- Are medical records under lock and key during off hours, with controlled access?
- How many staff have access to medical records: many or few?

Possible mitigating actions:
- Ensuring records are secured when not in use
- Designing the office layout to reduce access to in-use documents
- Defining proper destruction techniques
- Providing training and awareness, including periodic reminders
- Implementing new procedures or modifying existing ones
- Modeling of appropriate behavior by managers and senior staff
Electronic records

Activity/situational risk questions:
- Is there an online medical portal that stores patient data? If so, is it available to both patients and healthcare providers?
- Is there a third party involved? For example, does a third party provide the software, or oversee or provide administrative support for the portal's technology?

Possible mitigating actions:
- Restricting access to those staff who need it
- Ensuring access controls are maintained as staff and roles change
- Preventing sharing of access (e.g. each user gets a unique login and password)
- Automatically logging users out of systems after a period of inactivity
- Ensuring IT and information security/cybersecurity technical specifics are considered
- Performing due diligence on any involved third parties
- Providing training and awareness, including periodic reminders
- Implementing new procedures or modifying existing ones
- Modeling of appropriate behavior by managers and senior staff
The next step is to decide which mitigating actions to implement. It is impractical to control for every single risk, so focus on the highest risks first. To determine where to focus, consider both impact and likelihood. In addition to the activities and situations discussed above, consider: Are there many patients or relatively few? Could the medical information be desirable to outside individuals for a specific, nefarious purpose (e.g. if the healthcare provider is a cosmetic surgery office in Beverly Hills with high-profile clients)? Is the information particularly sensitive (e.g. compare the sensitivity of the protected health information held in a podiatry office with that in a medical facility that treats patients with substance abuse and offers mental health counselling)? Weighing these factors against how much risk the organization is willing to accept determines which mitigating actions should be taken. Early focus should be on the highest-risk activities; over time, less critical risks can be addressed.
Now that the most important risks have been identified and mitigating actions have been agreed upon, consider how to detect any issues or control gaps. For example, when modifying or creating procedures, design them so that any non-compliance could be detected, and make them auditable. Set up periodic reviews for topics such as access controls.
In addition to actions to prevent and detect non-compliance, all good compliance frameworks must have mechanisms to report potential issues (and staff must be comfortable doing so) and to respond to issues so that problems are fixed, not just for the current issue but also to prevent future problems. The entire framework should be reviewed periodically, both on a set timeline and when there are changes to the regulations or the business.
Hopefully this example, which demonstrates what compliance, compliance risks and compliance frameworks are, makes these concepts clearer to anyone new to the topic.