
The Why of Compliance

We often get the question, "How far do we have to go to stay in compliance?" While the question is well-meaning, there’s a basic misunderstanding at its root. Compliance isn't really the end goal—it's just a measurement framework. Privacy protection, trust, and security are the goals. Especially when it comes to things like patient privacy. 

Leaning in 

Roman Emperor Marcus Aurelius is credited with the phrase "The obstacle is the way. What stands in the way, becomes the way." And so it goes for compliance in healthcare. Rather than create multiple sets of rules for compliance regimes and confuse everyone, the smart approach creates the best, single set of rules that meets and exceeds standards set for us by the industries we work in. Healthcare, finance, and insert your privacy concerns here. 

Healthcare is known to have some of the strictest standards, in large part driven by the Health Insurance Portability and Accountability Act (HIPAA) that became law in the United States in 1996. Each year, the HIPAA standard tightens the guidelines for protecting privacy and establishing trust between each custodial relationship that an individual's healthcare data might have.  

Working with the understanding that this standard is designed to provide the best protective actions possible under the law for our clients' patients and customers allows our business stakeholders and our technical teams to align on the system controls, policies, and procedures that make the HIPAA standard actionable. Each year, recertification processes allow us to check in and generate a report card on how we are doing and where we need to improve. Spoiler alert: there are always improvement opportunities. It's a constant learning process, and one that makes DCG ONE a better, sharper business.

Alphabet soup 

All of these acronyms and frameworks, whether they be SOC 2 Type II, NIST 800-53, HITRUST i1, or HIPAA, are different lenses on the same set of circumstances (we call them "controls"), and they are interested in the same basic questions:

  • Are you doing the things you need to be doing to run a secure business and protect your customers' data?  
  • Can you prove it?  

While this often means quite a bit of work for our security team, it's work that is worth doing. Without knowing what questions to ask, without someone continuing to evolve the compliance frameworks to fit with current business needs, and without continually being able to "prove it," there would be a lot of fumbling in the dark trying to figure out what works and what doesn't. And that potentially leaves patients' privacy exposed.

Whatever your industry, compliance frameworks provide the space to establish what the business needs are and the most secure ways to support those needs. But the focus always needs to be on the goals themselves, whether that's security, privacy, trust, or all of the above. Without that, it's just theater.

Have a compliance question? We would love to hear from you! Drop us a line at [email protected].