This article first appeared in HCPro Briefings on HIPAA, September 1, 2015 and is reproduced with permission.
by Chris Apgar, CISSP
There are a number of tools on the market to assist covered entities (CE) and business associates (BA) in addressing their compliance needs. Solutions range from large governance, risk, and compliance programs to tools that assist in the development of a compliance program. When it comes to ongoing compliance management, Ostendio's My Virtual Compliance Manager™ (MyVCM™) offers a solution that is more than just a tool for an occasional look at the compliance stance of an organization.
A number of significant enhancements have been made since Ostendio first launched MyVCM a year and a half ago. The tool is more robust and can be used as a compliance management tool as well as a repository for compliance-related documentation, such as training material, executed BA agreements (BAA), and risk analysis reports.
One of the keys to demonstrating compliance is the ability to produce supporting documentation. Centralizing documentation also helps with contract management, tracking of workforce training, policy versioning, and so forth.
MyVCM supports assignment of compliance-related activities, such as policy reviews and updates, periodically conducting a risk analysis, and assessing the compliance of BAs. Users who are assigned tasks can update documentation related to a given task and record its completion. Reports can be generated for management to track task completion and follow up with users who have not finished tasks in a timely manner.
If a user is terminated or assigned to a different role, MyVCM prevents deleting the user until all tasks assigned to that user have been reassigned. This supports continued compliance activity that could otherwise be disrupted by an overlooked task reassignment.
Organizations must track certification and licensing renewal. MyVCM supports tracking certification and licensing, as well as associated training. For example, if a course is needed for continuing education to maintain a certification, the course can be loaded into MyVCM and attendance can be tracked. Also, if the training is external to the organization, such as training through a certifying body, a link to the training can be loaded into MyVCM and attendance tracked.
To keep senior management apprised of the compliance stance of the organization, MyVCM can be used to produce compliance reports that clearly and concisely document the overall compliance of the organization. Reporting can be accomplished at a high level or in detail, including reporting related to vendor management, tardiness of individuals or departments in addressing compliance tasks, and so forth.
MyVCM also has a number of dashboards that provide a quick look at compliance status and outstanding tasks. The dashboard and report interfaces are user-friendly, supporting fast and accurate access to needed information.
Audit logs are generated to assist in monitoring who is accessing the tool, activities performed in MyVCM, and who has completed required training. It's relatively easy to generate a host of audit reports that help track compliance activities and assess appropriate system access.
One of the features that differentiates MyVCM from much of the competition is the strong vendor management functionality. In addition to centrally storing BAAs, MyVCM can be used to generate compliance questionnaires to distribute to the BAs. This helps document due diligence and serves as a barometer - how compliant are your BAs anyway?
Organizations that use MyVCM can set vendors up to provide direct input into the tool, allowing them to complete compliance audit questionnaires. This standardizes the vendor assessment process and serves as a way to track vendor compliance.
Ostendio has set up a trusted network for MyVCM users. This provides a confidential method for users to share compliance-related information. It also helps encourage vendors to complete their compliance questionnaires because other CEs or upstream BAs can access the completed questionnaires. That means vendors only need to complete the compliance questionnaire once for multiple customers. As the user base grows, this feature will increase in value. The more BAs and CEs who use this tool, the more readily vendor compliance information will be accessible.
MyVCM supports uploading a file containing a number of new users rather than entering each user into the tool manually. When a new customer with a large number of users signs on to MyVCM, new user setup is streamlined. Each user is assigned unique credentials, and MyVCM can support single sign-on through Microsoft, Google, Yahoo, and LinkedIn. This results in fewer passwords to remember, and hopefully lessens the perceived need to write those passwords down in a place where they can be discovered.
MyVCM pricing is targeted toward small to large CEs and BAs. Pricing is based on the number of user licenses needed, or "per user per month." In the end, the cost is outweighed by the compliance and security assurance provided and the simplification of ongoing compliance program maintenance. Ostendio also offers nonprofits with 10 or fewer users free use of MyVCM.
Ostendio's MyVCM won't make you HIPAA compliant (and Ostendio doesn't claim it will); however, it will help you build a sound compliance program and perform ongoing maintenance of compliance-related documentation. More information can be found at www.ostendio.com.
Editor's note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.