Effectively gathering and making use of compliance related data

What kind of story is your data saying about your organization? Ask yourself the following questions: How are you currently measuring and reporting on complaint data? Do you have the ability to demonstrate trends by month, quarter, response time, or complaint category? What is your monthly failure rating for collector calls? How are you effectively measuring the effects of improvements made to your overall Compliance Management System?

If at this point you’ve done the planning, completed the risk assessment, drafted and implemented your policies and procedures, it’s time to begin the monitoring phase of your CMS cycle of continuous improvement. Compliance data analytics is a powerful way to perform this monitoring as well as allow you to visualize and communicate with others inside the organization the status of our overall compliance posture.

So in the chaos of our hectic lives, where do we start? How do you know that your controls established within policies and procedures are being followed? And, what exactly does Compliance Analytics look like?

Start by mapping the regulatory requirements to your operational objectives. After you’ve identified the requirements that apply to you, map them to your processes. Apply a risk level to each process and begin to gather the measurable data. Investigate the use of tools you may have (spreadsheets or database applications) or tools you may be able to purchase and begin the analysis. Develop dashboard style reports that provide a visual demonstration for easily identifying trends.

What data should you begin capturing? Well, as it relates to third party debt collection activities, complaints, call monitoring, and training results are all categories involving processes that maintain heightened risk factors, therefore are typically a good place to start.

Complaint tracking and resolution is a requirement of the CFPB. Chief Compliance Officers are responsible for ensuring that complaints are addressed in a timely manner as well as communicated to the board and senior management on a periodic basis. Complaint review and analysis is the most effective way of identifying weaknesses in your CMS. Consider ways in which you can utilize the data you are already collecting to develop reports demonstrating trends in the data.

Call analytics is another telling data element. By utilizing the results of call monitoring, you will be able to determine if FDCPA and UDAAP policies and procedures are effective and followed. It will help you identify areas in need of improvements as well as discover additional training needs. Over time, you will be able to see the visual representation and measure the effects of changes and improvements.

Employee training results can also be useful if training programs and tests are constructed in such a way that allows you to determine results by topic. Measuring on a regular basis can help paint the picture of your overall compliance posture and the knowledge level of your employees. A strong employee training system is based on score rather than pass/fail. By analyzing your employee training results, you can identify weaknesses and opportunities for retraining. Taking it to the next level, you can focus in on where the employees are struggling and if the appropriate employees were tested.
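The three data categories above (complaints, call monitoring, training results) can be turned into the monthly trend figures the text asks for with very little tooling. The following script is an added example, not code from the original article or from KirkpatrickPrice; every record in it is constructed sample data, and the category names, the 30-day escalation window and the 75-point retraining threshold are assumptions chosen for illustration.

```python
# Added example (not from the original article): small compliance analytics
# helpers that compute complaint trends by month and category, mean response
# time, the monthly call-monitoring failure rate, and training scores by
# topic. All records below are constructed sample data.
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed complaint log: (received, resolved or None if still open, category)
COMPLAINTS = [
    (date(2014, 1, 6),  date(2014, 1, 10), "call_frequency"),
    (date(2014, 1, 14), date(2014, 1, 24), "disputed_debt"),
    (date(2014, 2, 3),  date(2014, 2, 5),  "call_frequency"),
    (date(2014, 2, 20), None,              "disclosure"),   # still open
    (date(2014, 3, 2),  date(2014, 3, 3),  "disputed_debt"),
]

# Constructed call-monitoring results: (call_date, passed_review)
CALL_REVIEWS = [
    (date(2014, 1, 8), True), (date(2014, 1, 9), False),
    (date(2014, 1, 22), True), (date(2014, 1, 30), True),
    (date(2014, 2, 4), False), (date(2014, 2, 11), False), (date(2014, 2, 25), True),
    (date(2014, 3, 5), True), (date(2014, 3, 6), True),
]

# Constructed training scores: (employee, topic, score out of 100)
TRAINING = [
    ("alice", "FDCPA", 92), ("alice", "UDAAP", 71),
    ("bob",   "FDCPA", 85), ("bob",   "UDAAP", 64),
    ("carol", "FDCPA", 78), ("carol", "UDAAP", 90),
]

# Reporting date used for open complaints (assumed for the example)
AS_OF = date(2014, 3, 31)


def month_key(d):
    """Bucket a date into a 'YYYY-MM' string for monthly trend reports."""
    return f"{d.year}-{d.month:02d}"


def complaints_by_month_and_category(complaints):
    """Count complaints received per month, broken down by category."""
    counts = defaultdict(lambda: defaultdict(int))
    for received, _resolved, category in complaints:
        counts[month_key(received)][category] += 1
    return {m: dict(c) for m, c in counts.items()}


def average_response_days(complaints, as_of):
    """Mean days from receipt to resolution; open items count up to as_of."""
    days = []
    for received, resolved, _category in complaints:
        end = resolved if resolved is not None else as_of
        days.append((end - received).days)
    return mean(days)


def open_complaints_older_than(complaints, as_of, max_days):
    """Unresolved complaints older than max_days: the items to escalate."""
    return [c for c in complaints
            if c[1] is None and (as_of - c[0]).days > max_days]


def call_failure_rate_by_month(reviews):
    """Share of monitored calls that failed review, per month (0.0 to 1.0)."""
    total = defaultdict(int)
    failed = defaultdict(int)
    for call_date, passed in reviews:
        m = month_key(call_date)
        total[m] += 1
        if not passed:
            failed[m] += 1
    return {m: round(failed[m] / total[m], 3) for m in total}


def training_mean_by_topic(results, threshold=75):
    """Mean score per topic plus the employees below the retraining threshold."""
    scores = defaultdict(list)
    below = defaultdict(list)
    for employee, topic, score in results:
        scores[topic].append(score)
        if score < threshold:
            below[topic].append(employee)
    return {t: {"mean": round(mean(s), 1), "retrain": sorted(below[t])}
            for t, s in scores.items()}


if __name__ == "__main__":
    print("complaints by month:", complaints_by_month_and_category(COMPLAINTS))
    print("avg response days:", average_response_days(COMPLAINTS, AS_OF))
    print("overdue:", open_complaints_older_than(COMPLAINTS, AS_OF, 30))
    print("call failure rate:", call_failure_rate_by_month(CALL_REVIEWS))
    print("training by topic:", training_mean_by_topic(TRAINING))
```

Each function returns plain dictionaries or lists, so the same results can be written to a spreadsheet or fed to a dashboard; the open-complaint check is the one a Chief Compliance Officer would want surfaced first, since it is the timeliness failure the text says must be reported to the board.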


As information security challenges keep mounting, the major compliance frameworks have been updated over the last 12 months or are currently being updated. In today’s climate, incidents and breaches are occurring more frequently and at a much larger scale. With this in mind, many entities have recognized these threats and are beginning to closely analyze the gaps in the current frameworks (HIPAA, ISO 27001:2013, FISMA/NIST 800-53, PCI DSS v3.0). Our number one business goal is to protect critical assets, so it’s important to understand all of these changes and the impact they have on your organization. The most notable updates have been to the HIPAA, ISO 27001, FISMA, and PCI DSS frameworks.

Why should these updates be important to you? Let’s face it – it’s the new reality. Almost every industry is having the “compliance discussion”. Security threats aren’t just for big companies anymore, and the fines and loss of business can be an unfortunate impact of not being compliant.

HIPAA

Let’s begin with the healthcare industry. The HIPAA law strives to address the protection of patient information. We want to keep information private. That is what we are most after. The Security Rule enables privacy by establishing the approach for protecting information so that privacy can be obtained. Last September, the Omnibus Rule became effective to strengthen the Business Associate requirement. All covered entities are now required to ensure that their Business Associates are HIPAA compliant, and these BAs can now be held directly responsible by the Department of Health and Human Services for their compliance. Where do you begin in assessing your vendors? Conduct a risk assessment of all vendors, determine which are the most at risk, and monitor accordingly.

ISO 27001

ISO 27001 can be considered the grandfather of all information security frameworks. Most new publications reference ISO 27001 as a starting point, as this framework is internationally recognized and applicable. The ISO 27001:2013 update provides specific requirements for establishing, implementing, maintaining, and continually improving an information security management system. Your information security management process must be a system that is continually operating and improving based on changing risks. The core change is not revolution, but rather evolution. The standard has been reorganized and better harmonized with other management system standards, and the focus on risk assessment is a key change. Requirements for management commitment and preventive action have also been revised, with a greater emphasis on setting objectives, monitoring performance, and metrics.

FISMA

The FISMA Act is a set of guidelines for selecting and specifying security controls for information systems that process, store, or transmit Federal information. The Act points to the Special Publications that NIST issues as important updates that should be consulted. NIST 800-53 is specifically referenced as the guide for how to select controls and what you need to implement for your systems. NIST 800-53 relies on risk assessment as the key element for determining which controls apply, to what degree they should be applied, and which areas specifically should be considered. Learn more about the FISMA audit process.

PCI DSS

The payment card industry is probably what we’ve been hearing the most about. With all of the current breaches targeting retailers and service providers, the council has sought to address the causes of these breaches and strengthen the industry. The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS v3.0 is an update to the security standard and is available for implementation this year. Compliance with v2.0 remains an option only through January 2015. There were three major updates to the PCI DSS. There is a new Penetration Testing requirement that states an implemented penetration testing plan should be in place to verify that controls are operational and effective. Service Provider responsibilities have also been updated. Since security is a shared responsibility, service providers are now required to provide written acknowledgement for each DSS requirement for which they are responsible. The last major change in PCI DSS v3.0 concerns password requirements and enhanced awareness to ensure password security. Learn more about PCI DSS compliance audits.

It’s important to ask yourself, which of these frameworks apply to me? Which apply to my vendors? Performing a Risk Assessment can help you determine what is important to you and your organization, allowing you to assess from there. Security is no longer passive. Technology is evolving quickly, along with techniques used by hackers. As the compliance frameworks continue to update, it’s important to understand that security must now be active and always evolving.

Are you wondering whether you need to conduct an internal audit? Are you wondering why you need an internal audit? Are you looking for information on where to begin the internal audit process? In this webinar, speakers Jessie Skibbe, Chief Compliance Officer of KirkpatrickPrice, and Dawn Vogel, the Director of Internal Audit for Great Lakes Higher Education Corporation, give an overview of why you need an internal audit, where to start, how to maintain auditor independence, what to audit and how often, and how to develop an audit report, along with other useful resources for internal audit staff.

Why Do I Need an Internal Audit?

According to the CFPB Supervision and Examination Manual v.2, “In assigning a consumer compliance rating, all relevant factors must be evaluated and weighed. In general, these factors include the nature and extent of present compliance with federal consumer financial law, the commitment of management to compliance and its ability and willingness to take the necessary steps to assure compliance, and the adequacy of systems, including internal procedures, controls, and audit activities designed to ensure compliance on a routine and consistent basis.”

What are the Essential Steps to an Internal Audit?

In this webinar, you’ll learn about the following four steps to an internal audit:

  • Establish a framework utilizing a risk-based approach
  • Establish controls and work steps
  • Develop an audit schedule
  • Distribute the audit report

If you are unsure of the steps that your organization needs to take in constructing an internal audit framework, KirkpatrickPrice offers a variety of audits including the CFPB readiness audit, which reviews the overall design of your organization’s policies, procedures, and documents. It also reviews operational effectiveness by testing controls to ensure compliance with CFPB examination procedures. By working together to ensure that your organization’s compliance management system adheres to CFPB regulations, KirkpatrickPrice will help prepare you for future audit reports and assist you in creating a stronger culture of compliance for your organization.

To learn more about what you can expect working as a Chief Compliance Officer or ways that KirkpatrickPrice can assist you in constructing an internal audit framework, watch the full webinar. For more information, contact us today.

Phase 2 of HIPAA Audit Program Expected in 2015

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has always enforced HIPAA compliance. Recently, they have announced plans to proceed with Phase 2 of the HIPAA audit program, a more proactive approach to overseeing HIPAA compliance.

Supervision is coming. The OCR is determined to begin performing periodic audits to ensure that Covered Entities and Business Associates are complying with the HIPAA Privacy, Security, and Breach Notification Standards. The purpose of this new oversight approach is to monitor that efforts are being made to provide regulatory protections and individual rights, identify best practices as well as common risks and vulnerabilities, and to encourage consistent awareness of compliance obligations.

This new phase of audits is expected to begin in 2015, and any Covered Entity and its Business Associates are subject to audit. Covered Entities include health plans of all types, health care clearinghouses, and individual and organizational providers. Business Associates are selected through their Covered Entities and include Health Information Organizations, E-prescribing Gateways, Personal Health Record Vendors, and entities providing Data Transmission Services for PHI that require routine access to such PHI.

A pool of 550-800 Covered Entities will be selected to complete a pre-audit survey. Following the review of the results, approximately 350 Covered Entities will be audited as well as their Business Associates. In other words, if you’re a Business Associate working for a high profile entity, you will get a visit from the OCR.

With these audits beginning in a few months, it’s important to begin prioritizing accordingly. These comprehensive onsite audits will focus on specific findings from Phase 1 of the audit program. The OCR has announced specific plans to focus on the following:

• Security Risk Analysis and Management
• Breach Content and Effectiveness of Notifications/Reporting to CE
• Privacy Notices and Access to Records
• Proper Safeguards and Adequate Training of Policies and Procedures
• Device and Media Controls, Transmission Security
• Encryption/Decryption and Physical Access Controls

Use this time to find gaps in your Policies & Procedures and start remediating from there. Do you have someone overseeing your compliance efforts? It’s important to make sure your organization is establishing and implementing physical, administrative, and technical safeguards to protect PHI. If compliance and security are to be part of your organization’s culture, it must begin with the tone from the top. Every individual in your organization needs to understand what HIPAA compliance is and the “dos and don’ts” of everyday operations through comprehensive training. Your compliance program needs to be organized and deliberate to properly demonstrate compliance with the HIPAA Rules. Complete a Risk Assessment to determine which remediations to your Policies & Procedures need to be prioritized.

Has your organization implemented the new Omnibus Rule? Your program should reflect your privacy and security practices. Do you know who your vendors are? Make sure the companies you’re partnering with can be trusted. So what if you have all necessary controls in place to protect PHI if the companies you’re working with aren’t doing the same?

The time to start planning is now. This enhanced scrutiny of your privacy and security controls is inevitable. Engage a third party auditor. Conduct an internal Mock Audit. Don’t be surprised by a visit from the OCR.

For more information about HIPAA Compliance or help with preparing for Phase 2, contact us today.

Vendors and Risk Assessments

Are you looking to find out more about how to ensure that your organization is meeting vendor compliance management requirements? This webinar provides an overview of ways that you can ensure that your organization is performing an effective risk assessment.

In this webinar, Joseph Kirkpatrick introduces and gives an overview of external guidance documents that may be useful for your organization in establishing or refining your risk management policies and procedures:

Additionally, Brett Soldevila, COO for Security Credit Services, LLC, addresses various other ways that organizations can evaluate and address risk within their company and their vendors. He discusses how trends in the concept of risk management can be traced back to the implementation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Sarbanes-Oxley Act of 2002 (SOX). He also covers various ways to analyze risk throughout your company and vendors. Brett recommends performing the following to analyze risk within your company and your vendors:

  • Enterprise-wide risk assessment
  • Data security risk assessment
  • Third party vendor risk assessment

Tony Bailey, Director of Business and Strategic Development at Cornerstone Support, also gives an overview of the importance of third-party validation in regard to vendor selection.

To learn more about vendor compliance management and how your organization can conduct effective risk assessments, contact us today.