Keeping pace with compliance
Compliance is marked by ever-increasing complexity and an abundance of information. Software solutions are helping to ease the burden by automating and documenting the processes that are required for compliance.
When the Employee Benefits Division for the state of Arkansas selected software from Compliance 360 as its compliance platform, the main goal was to use it for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The division is responsible for life and health insurance plans and for employees of the state and the public school systems, and maintains numerous health-related records. Deputy Executive Director George Platt was first tasked to ensure compliance with HIPAA, but he has since expanded his department’s use of Compliance 360 to cover other areas of information management.
HIPAA addresses privacy and security of medical records as well as protecting employees’ health coverage after they leave their jobs. "We use the built-in audit and assessment function for HIPAA compliance," says Platt, "which ensures that only those individuals who are authorized to see the data can access it." The HIPAA component automates the workflow for compliance and maintains all the associated documents in a central repository.
Compliance 360 is delivered through a software as a service (SaaS) model, with the software hosted off-site and accessed via a Web browser. Having a centralized system was important to the Employee Benefits Division because its constituents are scattered throughout nearly 150 state agencies and more than 300 school districts.
"We can pull up a policy at any time from any location," says Platt, "or present FAQs in response to questions raised by members." The centralized system ensures that a consistent message about privacy and operational issues is delivered throughout the organization.
Data related to the organization’s information management and compliance programs are drawn from many different systems and integrated into one interface. "Most of our users are unaware that they are dealing with a compliance system," notes Platt, "and we like the fact that they do not have to log into a separate system."
The organization’s knowledge repository now contains contractual and other administrative information, for example. When the time comes to notify procurement employees that a request for proposal (RFP) needs to be issued, they receive an e-mail. If an employee wants to search for a policy, he or she simply uses the search window and types in key words or a document number.
With its information and compliance functionality located off-site, the division has the assurance of business continuity. "If something happened to the building we are in," says Platt, "we have a roadmap to start up again, because our processes are documented, along with all the job descriptions for each function." The business information from which Compliance 360 draws its content is also backed up in a separate location.
In the future, Platt plans to make use of the risk management component of Compliance 360. "We need to make sure that the millions of dollars in our insurance plans are managed responsibly," he notes. "Risk management is a more proactive approach that extends beyond compliance where we can minimize the potential for financial or other loss."
The most important part of a compliance and risk management system, according to Platt, is putting the thought into it in advance. "Building the system is easy compared to figuring out the information and processes that you need," he says. "Once we did that—and it’s really an ongoing process—the Compliance 360 solution provided the technology to bring together the different pieces in a very effective way."
Compliance has changed dramatically over the past decade in terms of the number of people and the number of laws involved. "Today, compliance is part of everyone’s job," says Steve McGraw, CEO of Compliance 360. "We try to make it easy for the casual users to do their part." Compliance 360 provides links to more than 250,000 laws and regulations, and clients can select which parts of the content they will use to populate their directories. "The federal laws are relatively static," he continues, "but the state laws are fairly dynamic and need to be updated often."
Targeting potential problems
The software provides several features that foster continuous improvement in managing the compliance process. "People can report a problem anonymously through our software," McGraw says. "Then the organization can start identifying risks related to the complaint." The organization can then track the remediation process, fix the problem and note the date, then test the process.
"The software flags issues for further examination," he observes. "If high expenses are seen in overseas employees, it could be due to an intensified sales effort or to payment of bribes, which could be a Foreign Corruption Act violation." The software lets organizations target potential problems and resolve them quickly.
Axentis developed Axentis Enterprise, an on-demand product to provide a broad technology platform to address all areas of governance, risk management and compliance (GRC). Additionally, Axentis has solution suites tailored to cover specific domains of GRC, such as: Sarbanes-Oxley; information privacy; IT governance, ethics and integrity; and legal and regulatory. For each area, the software supports U.S. Sentencing Commission (USSC) guidelines for an effective