The Summer of Compliance

I was recently asked at a conference, "What is your most significant concern right now?" I answered, "As a clinician and informatics leader, I worry about delivering care in the healthcare reform world of global capitation - we need to increase the value (quality/cost) of the services we provide. However, as a CIO, it's the mounting regulatory and compliance pressures that keep me up at night. They will require a level of resources and focus that will reshape my plans for the next year or more."

The compliance work we're kicking off this summer includes:

* An enhanced encryption program to ensure all personal laptops/tablets that access hospital systems are encrypted.
* An enhanced mobile/BYOD program that ensures all personal smartphones that access hospital systems are password protected, have timeouts, and are encrypted as technology permits.
* An enhanced learning management infrastructure so that every person in the BIDMC ecosystem can be held accountable for completing training requirements, including security and compliance topics. Creating this infrastructure requires a new level of identity management that captures roles and characteristics for employees, volunteers, board members, and contract workers.
* Enhanced conflict of interest reporting, including the management tools needed to follow up on any disclosed conflicts.
* A comprehensive audit of our security program and policies - where are we "standard practice" and where are we "best practice"? What gaps do we need to close?

Earlier this week I submitted my capital requests for FY13, and over one third of my budget is for security and compliance related projects.

I've dubbed June 21 - September 21, 2012 the "Summer of Compliance". My hope is that we'll enter the fall with reduced risks and a technology foundation that not only meets our regulatory needs but also further ensures we respect the privacy preferences of our patients.