Does your health IT software vendor have a dedicated team that manages risk? A team that integrates the privacy, compliance, quality, and information-security organisations into a single functional unit?

For most vendors, the answer is no, because the people who would comprise such a team are often distributed among other teams. 

For example, the chief compliance officer (CCO) and chief privacy officer (CPO) roles often fall under the purview of the legal department; the chief information security officer (CISO) tends to report to the chief information officer (CIO); and the chief medical officer (CMO) often reports into the product department, or has their own separate reporting structure.

Consider that: the CCO and CPO; the CISO; and the CMO—who, by most accounts, shouldwork closely together—usually don’t work closely together due to the competing priorities of their respective departments.

And what about a vendor’s quality-control initiatives, like process improvement, risk monitoring, audits, certifications, and more? Which team handles those?

Since there’s no industry best practice yet, the answer to that question tends to be all over the place, varying from vendor to vendor. Is it operations? Finance? Business transformation? Human resources?

By not having a single, dedicated team managing risk, a vendor creates a dysfunctional organisation that ends up extending the timelines for satisfying new regulations and customer requirements, while making themselves liable to ignore critical clinical safety, privacy, security, efficiency, and operational deficiencies.

So, how might your health IT software vendor go about addressing these issues, if they were so inclined?

There are a few things they would need to recognise first:

  1. The roles responsible for assuring privacy, clinical risk, compliance, and security have a lot of crossover functionality, as many privacy issues can also be clinical-risk issues, information-security issues can also be compliance issues, and so on. Placing the roles that address those issues in a single organisation—rather than holed up separately in various silos—can instantly create a lot of valuable synergy that reduces risk, improves efficiency, and increases client satisfaction. 
  2. A real opportunity is created when the same team responsible for security, risk, and assurance—who are already charged with implementing a large number of controls required by the various industry regulations such as HIPAA, HITRUST, and ISO—is also responsible for quality. Adding a chief quality officer (CQO) to the team creates a holistic view of processes, process monitoring, and process improvement that’s generally difficult for a CCO, CPO, CISO, or CMO—who are typically preoccupied with tactical concerns—to comprehend, maintain, and improve on their own. 
  3. Once your vendor has recognised these issues, they should begin looking at all the other risks that could potentially affect not just you as a client with patients to protect, but them as a vendor with a reputation to protect. This is where your vendor will recognise the competing priorities within departments that lead to dysfunction in protecting your organisation’s most valuable asset: the patient’s medical data.

By assembling all of these roles into a single team, your health IT software vendor can provide a tiered approach to protection that effectively surrounds your health IT data; applies a tactical security, data-loss prevention, and file-integrity focus to it; and wraps enterprise risk management, clinical safety, and compliance around the health IT data, too.

At this point, your vendor should refer to the seven elements of an effective compliance program; implement comprehensive programs for incident and crisis management and clinical safety; and then wrap an assurance piece around those programs.

This assurance piece accounts for all the industry regulations and requirements—everything from best practices to government regulations around the globe, like GDPR in EMEA, HITRUST, HITECH, and the new 21st Century Cures Act—and utilises this newly assembled team of information security, clinical safety, compliance, and quality experts to take action, ensuring conformity to regulations and driving process improvement throughout the organisation.

Once your health IT software vendor has a single team that’s organised in this way—filled with subject matter experts from various domains working closely together, communicating consistently, and understanding your entire risk structure—your vendor will be able to contribute more to your risk-compliance initiatives than ever before.

With an autonomous team that manages its own reporting line outside of the operations, services, and product departments, your vendor will be set to succeed without the conventional corporate structures that brought about these questions—questions about who handles what—in the first place. Your vendor will have established a true system of checks and balances, where the security, compliance, clinical safety, and quality risks are addressed by a single department that doesn’t have to worry about whether their priorities align with the priorities of other departments.

The benefits of this approach will be incalculable. Not only will it be possible for your vendor to address any issues relating to security, risk, and assurance in a prompt and complete manner, but a strong “book of knowledge” will be established within the new team, one informed by not only your vendor’s experience with your case but with all of its client’s cases, which will give your vendor the ability to resolve your challenges quickly and allow you to continue maintaining a strong focus on the business of making patients well.