With all the rules and regulations surrounding the compliance alphabet soup in play today, it will take more than one person to bring your company in line. We’ve laid out the multiple roles needed to up your compliance game, especially when it comes to Health Insurance Portability and Accountability Act (HIPAA), PCI compliance, HITECH Act and General Data Protection Regulation (GDPR). These are rule sets that apply to everyone and are national standards.
Take HIPAA for example. HIPAA ensures the confidentiality of anything involving a client’s health records. If you think about it from the client’s perspective, it’s a pretty scary thought that your medical records could be exposed for all to see. That’s why the Department of Health and Human Services has worked so hard to regulate and protect client privacy.
Your first line of defense against compliance failures is the technology in use and the team you have to maintain it. Consult with your IT team to discuss:
- Email Encryption: How are emails and files that go in and out of your office protected from falling into nefarious hands and revealing identifying private information?
- Data Encryption: How do you collect and retain credit card information? Are there any gaps where that information could be stored?
- Firewall: Are you protecting your company data and communications using a screen door that is easily opened by hackers, or are you using a multi-level security system preventing intrusions?
- Backups: How often, when and where is your precious company information backed up? Can you test your backups to prove that they are effective? Is your current backup plan compliant with regard to customer data, which must be encrypted at rest under HIPAA?
- Data Availability and Storage: Who has access to your data? Only certain individuals in your company should be able to access all data, such as financial records or payment information. How are you restricting access on your network or within line-of-business applications to ensure safety?
- Physical Access: Who can physically access computer systems and servers, and walk out the door with them? Do you train your staff to lock their screens every time they leave their desks? Are you using privacy filters on appropriate screens to avoid wandering eyes?
Internal Compliance Officer
While this may not need to be a full-time role within your organization, you should have a compliance champion on staff. Your Managed Service Provider (MSP) can absolutely set you up for success, but they are not around to police your staff every hour of the workday.
The Compliance Officer is responsible for ensuring that your staff follows important compliance policies, maintains vigilance surrounding compliance, keeps documentation up to date, and works with authorities if necessary. Specifically, they:
- Watch for employees falling into bad habits, like leaving computers unlocked or sending credit card data willy-nilly throughout the organization.
- Conduct/coordinate online or in-person training to keep compliance top of mind. We recommend quarterly training, at least, in addition to proper education as soon as a new employee comes on board.
- Maintain all the documentation required for compliance, like backup plans and communication standards.
- Liaise with federal and state regulators, as necessary, to prevent or mitigate an issue (with the support of your IT team and legal team).
You can have the best technology and the most intense compliance officer, and still completely fail at compliance if your employees are not on board. At the end of the day, it comes down to successful employee implementation and clear communication. In order to get employee buy-in, here is what we recommend:
- Gather everyone together: When you first make tweaks to your company’s security protocols to ensure compliance, explain why to your team. If they suddenly all need to remember 16-character passwords, replace those passwords every 90 days and have 5-minute time-outs on their systems, they’d appreciate understanding that it’s not because you’re paranoid. You can use your IT team to conduct this meeting.
- Send regular reminders: It’s simple to fall into what’s “easier” rather than compliant. Consider sending a weekly or monthly compliance tip to all of your staff to keep it top of mind.
- Conduct ongoing trainings: These trainings should be mandatory, involve your IT team, and vary enough to stay interesting. Quarterly should be sufficient unless some regulation change calls for additional meetings.
- Multi-departmental planning: Different teams have different uses for data. For example, what makes the salesperson tick may make it impossible for accounting to operate within compliance. When it comes to collecting information that must be compliant, every department must be involved in process development to create smooth operation within rules and regulations.
Compliance is not a one-person game. It requires engagement from the whole company and the IT team to really be successful. If you’d like to learn more about how a Managed Service Provider (MSP) can ensure you’re compliant at all times, contact The TNS Group today.