10 Steps to a Quality Privacy Program: Part One
By Deidre Rodriguez, CIPP/US
In the May edition of The Privacy Advisor, I wrote an article on the “Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level.”
This is the first of a series of articles that will drill down on each recommended step in an effort to help those just getting started on or revamping existing policies. For the full list of all 10 steps, read more here.
Step 1: Creating Roadmaps of Regulatory and/or Contractual Requirements
In order to have a sound compliance or privacy program, one first must know the rules. Creating a map of these requirements will help ensure that organizations are aware of the rules that apply to them and will create a method for showing them how they should comply with each provision.
A roadmap or crosswalk of the organization’s requirements can be as simple or complex as the organization desires. For some, a simple spreadsheet with tabs for each applicable law, audit protocol, contractual requirement or any other applicable provision that requires compliance can be developed. Include the applicable citation, language from regulation, audit protocol or specific contract language. For example, a privacy office within a healthcare company may want to create a map with a tab specifically for HIPAA and the corresponding Office of Civil Rights (OCR) Audit Protocol. The organization would go through a thorough process of identifying a tab for each other federal privacy law, then creating similar tabs with applicable state privacy laws on down to any contractual provisions to which that office is responsible for adhering. Larger organizations may choose to develop a more sophisticated map or choose to utilize their existing vendor governance, risk or compliance tools or other technological solutions.
Once the requirements have been identified and included in the map, the next step is to document how the organization complies with each of those provisions. On the roadmap or crosswalk, the organization will want to identify each policy, procedure, communication, training and monitoring activity related to each provision identified to show how they comply. Again, let’s take the example of healthcare organizations’ compliance with HIPAA and their compliance obligation to provide a Notice of Privacy Practices. The map would link to or include a copy of their notice policy, related procedures, their new hire and annual training course content that discusses the notice requirements, the repository/evidence of such compliance; i.e., where would OCR find copies of signed notices or file of to whom the notice was sent, and any related monitoring processes/activities that are used to monitor this process. It is important to identify and collect current versions showing compliance as well as historical evidence/documentation showing compliance over time.
The creation of such a tool gives the organization a baseline to audit and monitor against, helps avoid scrambling to collect documentation when responding to complaints and audit requests and enhances the organization’s ability to identify risk and program maturity progression. This practice can be easily adopted and customized for all organizational models, regardless of size, complexity, industry and scale of business.
Look for Step 2 in creating a quality privacy program, “Performing a Risk Assessment,” in the September edition of The Privacy Advisor.
Deidre Rodriguez, CIPP/US, has actively been working in privacy compliance for 10 years including policy development, incident response, advisory support and strategic planning. Currently, Deidre is the director of the Corporate Privacy Office and Regulatory Oversight for WellPoint, Inc.