HIPAA Compliance Beyond Spreadsheets

Learn the efficiencies HIPAA compliance unveils

Does your HIPAA compliance approach enable efficiencies and time savings across your compliance team? If not, it’s time to evaluate an “audit once, report many” approach to assessments and testing.

When we think about compliance it’s typically centered around frameworks, regulations, standards, and laws. It becomes a constant battle to keep everything up to date with the pace of change – not only from regulatory bodies but from the market itself. No one wakes up in the morning thinking today will be the same as yesterday, so this idea of constant change is one that keeps us up at night, but also sparks innovation. 

There are 17 expected changes coming to HIPAA regulations in 2021. For each one of those, you need to assess:

  1. How and where does this change impact my business?
  2. What is the level of impact?
  3. How do I implement policy and control changes to meet compliance?

In addition to compliance changes, penalties could shift, with increases expected for violations. Proactive compliance and mitigation efforts can help prevent fines from violations.

Historical approach to managing HIPAA compliance

In many situations, compliance and internal audit teams use spreadsheets to manage HIPAA, in addition to other compliance programs focused on HITRUST, NIST, ISO, and PCI. In our experience, this is more of a historical approach to documenting controls, assessing the effectiveness, and ultimately achieving compliance. This method allows the compliance team to ask a variety of questions, categorize those questions, and rate responses to each question. While on the surface, this approach seems effective, once you dive into the exercise, the pain points immediately arise. 

Most common pain points associated with HIPAA compliance spreadsheet management:

  • Inability to activate mitigation plans for failed safeguards
  • No due date or communication reminders provided for assessors
  • Workflow reviews and approvals bottleneck
  • Zero dynamic scoring logic

While spreadsheets provide numerical weights and formula calculations, spreadsheet users miss opportunities to visualize the scoring logic. From a reporting perspective, the assessor would want to roll the scoring from each question in a HIPAA security assessment into the related category. For example, the team would want to see how many Technical Safeguard questions were flagged in the review as ineffective. This is the data that provides focus, speed, and agility in mitigations.

The limitations of spreadsheets are not secret by any means. Connecting data points to the right team members responsible for managing a finding, and automating items such as email notifications, tasking, tracking, and resolving findings, are simply outside the scope of a spreadsheet's capabilities. The administrative burden of managing all the elements and communication challenges is real. On top of that comes the always difficult process of maintaining a single source of truth for documentation that is accessible to the responsible stakeholder, plus managing the version history of the document.

How teams scale HIPAA compliance

Using technology to manage HIPAA compliance provides three key benefits:

  1. Increased frequency of data collection
  2. Connected and related data points
  3. Immediate surfacing of findings

These benefits are key for compliance teams looking for real-time tracking and awareness in the following areas: 

  • Compliance status and mitigation progress
  • Identifying gaps of non-compliance
  • Communication alerts for upcoming assessments

The challenges faced when it comes to tracking, measuring, and reporting on HIPAA are applicable to the other efforts of compliance teams. One could replace a HIPAA tracking spreadsheet with just about any control framework or control library in use. Every regulation or framework may have a different relationship hierarchy, however, which means understanding the structure of your compliance data is important.

The end goal is to demonstrate compliance with each regulation applicable to your department, business unit, or company. The overarching regulation – whether it is HIPAA, HITRUST, ISO, or others – will likely have multiple citations, requirements, or standards (depending on your terminology), and each one of those standards will have a list of control procedures. It can become difficult to visualize those data relationships using spreadsheets, which is why businesses preparing for the future are utilizing technology.

See how connected compliance programs work in an automation and reporting platform by exploring Onspring’s Compliance Management Solution.

About the author

Beth Strobel GRC Subject Matter Expert at Onspring

Beth Strobel
Director at Onspring & Treasurer at Women in Security
15 years GRC experience