06 Jun
Documentation is the Cornerstone to Compliance Management
See if this story, relayed to us by one of our MSP customers, sounds familiar.
I could hear the fear in her voice.
One of our clients, subject to the HIPAA rules, called to say she had just received a letter saying that her company was being randomly audited by the Office for Civil Rights (OCR) — the federal agency that enforces HIPAA — and she only had days to respond.
When we started with the client several months earlier, we discovered they weren’t compliant. However, they assured me that they had corrected the issues. We didn’t want to send old reports, so we ran another set of scans to have proof they had addressed the issues.
But they hadn’t.
Our new scans showed that many of the same problems existed. It turned out that her IT guy did not know how to apply security controls across a network.
Time was running out. They finally fixed the problems, and we ran a third set of scans, which were clean. We gave them a fresh set of reports to provide the OCR as evidence of compliance, just before the deadline. A few months later, I received the following message from our client:
Great news! Attached is the letter we received from the OCR saying they are closing our case without further action. Thank you so much for your assistance with the response. I can’t tell you how much we appreciate your input that greatly influenced this outcome.
If your clients are in a regulated industry, they are always subject to audit. If they have an incident or someone files a complaint, they will be investigated. If they suffer a breach, they will almost certainly be sued or fined.
Most regulators are lawyers. They require written reports. Documentation will be demanded or subpoenaed. Sometimes, they want reports from a year ago or more. HIPAA requires that documentation be retained for six years.
Documentation takes time to produce. It needs to be reviewed to validate security and compliance, and to identify new risks. Sometimes documentation seems pointless because it just records a lot of information that may never be used. But it is critical because you can’t take chances in a regulated environment. Hoping you won’t be audited, investigated, or sued is not a business strategy that will result in good outcomes if your luck runs out, like it did for our MSP’s client.
Adding Compliance-as-a-Service can change your MSP business and allow you to charge more because compliance documentation is becoming an important deliverable.
You may need to educate your prospects and clients about the need to be ready to provide written reports showing they have implemented the procedures required to comply with their policies. Make it clear to your clients that your managed services keep them secure, but that they need to pay extra for the documentation they must have available if an audit, investigation, or lawsuit presents itself.
To learn more about how you can help your clients manage the entire compliance process, request a demo of Compliance Manager GRC today.