As CFO and COO of our privacy and security compliance consulting firm, every year I’m on the receiving end of email promotions and pop-up ads for tax preparation software. DIY, guaranteed, “We’ll take the hit for the audit if it happens” software. I have to admit, if privacy and security compliance software were as comprehensive, interactive and penalty-proof, we’d do a lot of thumb twiddling. Thankfully (for us) the apps aren’t there yet.
What makes tax preparation software so workable is that it’s highly interactive and intuitive. You’re told if you made a mistake, or if a deduction is in the wrong place, even whether you should itemize or take the standard deduction. You’re guided by the hand start-to-finish, with triggers and excellent logic branches throughout.
On the compliance software side, there remains a challenge. That said, Chris and I are very much in favor of automation both to support your compliance program activities, and to provide transparency between you and your business partners. We work with several vendors whose digital apps are solid, supportive and easy to use, from privacy and security task management to documentation management.
The caveat is this: Technology cannot be your compliance program. For example:
- You can document that you’re on-task, but you also need to be able to demonstrate that you’ve completed the actions that you checked off.
- You can establish a password protocol, but how do you know it’s a good password protocol?
- You can assure an auditor that you know who has access to what, but where is the audit trail to back it up and assure appropriate access?
- And most importantly – you can firmly believe that you’ve completed a security risk analysis for meaningful use – but your online risk assessment is not the HIPAA Security Risk Analysis the auditors want to see.
If you still aren’t convinced, answer this question honestly: “Are you ready for Round 2 HIPAA Audits?” Because until privacy and security technology can make the leap to intuitive hand-holding through the myriad compliance requirements, the best path to compliance remains a combination of supportive automation and old-fashioned, subjective, ongoing people work. Who knows, maybe the ideal technology will arrive just in time for my retirement. A consultant can dream.
Julia Huddleston, CIPP/CIPM, is CFO / COO of Apgar & Associates and a Certified Information Privacy Manager as well as a Certified Information Privacy Professional. She works with clients on compliance assessments, security risk analysis, and policy and procedure review and implementation. Apgar & Associates can help you with questions and concerns about your privacy and security compliance program at 877-376-1981.