If we haven’t made our point by now, we’ll say it again: Documentation is by far the most important element in a strong compliance program.

We help our clients create documentation that can improve and maintain their understanding of their business operations beyond just compliance. This same documentation can help anyone with a role to play for or in your business follow your playbook and minimize miscommunication about your expectations, so your business runs more smoothly.

Some Examples

Aside from the most commonly produced policies and procedures documents, we often help our clients create governance documents (such as a compliance program charter and overall program policy), compliance auditing and monitoring documents (including checklists and data gathering templates and logs), job descriptions (for compliance, privacy, and security roles and compliance language to include in other descriptions), vendor and service provider documents (including proposal language around privacy and security or other compliance requirements), customer-facing documentation (such as privacy notices, authorization and opt-in forms, etc.), and internal training materials.

We can help with documentation, and are happy to stop there. But we will likely advise you to go beyond the documentation, whether you use our services to do so or not.

Figuring out policies and procedures often causes stress all by itself, and very often even large, "sophisticated" organizations never evolve much beyond that. But for your own protection, you need to have a way to know that your procedures actually fulfill your policies, and you have to be able to know when your procedures are being followed and to correct errors when they are not, as well as to account for changes in your business and their impact on it all.

We can help you think creatively about ways to know that things are functioning like they're supposed to. And we can work out tools to help you do the monitoring, whether you want to use basic checklists and logs created in Excel or you want something much easier to manage on the back end and are willing to put in a bit more work with us initially to get things set up.

With Excel, people often get overwhelmed with the process and this usually has to do with trying to use poorly crafted Word procedures templates in conjunction with overly complicated Excel spreadsheet templates. And it gets worse when the two types of documents don't "mesh". We can help avoid that trap; however, the Excel/Word approach does require manual file and data management to organize everything. If the manual approach is not to your liking, we can show you rather quickly how cost-effective and helpful a SharePoint solution can be. And the side benefit from demystifying SharePoint for you for your compliance program needs is often that you start seeing ways SharePoint could help you in your business in general.

Most regulatory frameworks have at least some element of requiring a formal naming of a compliance administrator or officer (such as the HIPAA requirement for a covered entity to appoint an official responsible for privacy and for security, though such officials can be one person and can be someone with additional responsibilities at the covered entity).

Though documentation is the foundation for a compliance program, you have to have someone maintain that foundation and manage the whole “structure” of the compliance program. Ideally, you’d have the right compliance manager in place before we begin to help you with your documentation. But even if you don't have your compliance role fully defined, we advise our clients to at least give some pointed, advance thought to who will be responsible for their program after Cover Compliance is gone. We can help with that process, too.

We can help clients with writing position descriptions and identifying the right people to do this work with them or for them (both from within existing people and when they need to hire someone). We can then train those people to perform in their roles. We provide mentorship for those key compliance staff and for business owners and leaders and can do that for period of time and can be available to give on-call assistance when specific needs arise.

The type of training and mentorship described above is what we’d call compliance management training. “Regular” compliance training includes regulation-specific training and training that is designed to explain your compliance program—why it exists, what your policies are, and what happens when things out of the ordinary occur. Think of HIPAA privacy and security training required for HIPAA covered entities, or anti-money laundering compliance training required for certain financial institutions.

We can do both. Where your regulation-specific compliance training needs are concerned, we prefer to work in a train-the-trainer role. We can deliver your actual training, customized for your business and your risks, but we recommend doing that with your compliance person on board to help. This approach becomes an extension of our mentoring your compliance staff, to enable someone in your organization to manage this work on an ongoing basis and we are happy to come in periodically to help or as a guest speaker. And once again, we can come up with some creative options for ongoing awareness training that cost less than you might expect and that address your specific compliance program and business operations.

For the rest of your compliance management training needs, we can help provide specific training presentations and materials in such subjects as general "Compliance 101" (basic compliance concepts, not specific regulatory components), the compliance and governance lifecycle, and compliance auditing and monitoring.

And stay tuned as we are actively working now on being able to serve up some of this kind of information on our site and through some other means such as Udemy or YouTube. The first offerings are likely to be in compliance management training with some key regulation-specific training content to follow later.

You might notice that we use the terms “vendor”, “service provider”, and “business associate” almost interchangeably. In the context of healthcare, the term “business associate” has taken on a more formal meaning; however, that should not confuse anyone exploring this area of compliance and oversight of third parties. If you are in healthcare or are a business that works with healthcare providers, health insurers, and others that handle protected health information of individuals, just know that you need to pay special attention to this area of compliance and to understand HIPAA as well as any other state or federal regulations that might govern your business. Cover Compliance can help non-healthcare entities get a handle on what HIPAA might mean for their business.

Even if you are not in healthcare, vendor compliance is still likely to be an issue you need to address, in at least one of two ways.

Service Providers to Regulated Businesses

If your business exists as a service provider to other businesses, you can expect growing attention to your business being held to specific compliance demands by the businesses that contract with you. This type of vendor compliance is driven by your customers’ compliance program requirements, but it means you should do yourself the favor of putting some formality around how you approach responses to your customers and how you manage the underlying demands. A thorough, proactive approach related to the types of products and services you offer, can help you maintain satisfaction from existing business customers and give you an advantage over service providers with whom you compete.

Consumer-Facing Businesses that Use Commercial Service Providers

If you are a consumer-facing business and you rely on key vendors and business associates to serve your consumer customers, you probably have some degree of formal vendor supervision that YOU are obligated to give to your vendors. And even if you don’t have specific regulatory requirements that you must apply to your vendors, your own compliance risk and business confidence are best served by making it clear to service providers with whom you contract what your specific service level expectations are.

So here we are talking about two things—helping our clients oversee vendors and service providers in ways that directly relate to our clients’ businesses, and helping service provider businesses (most often, those serving HIPAA-regulated covered entities) create and run their OWN compliance programs.

We can help you with both of these vendor compliance areas. This is another area where we can serve as translator to help you make sure you understand what others are telling you, in language that demystifies regulatory expectations and decodes technical jargon.

We can offer a variety of ways to provide ongoing support to clients. We work to make ourselves available to existing clients when unexpected issues arise. But for clients who anticipate the need for quick support at different times, retainer scenarios are possible. These would be most common following fulfillment of key engagements, such as retaining us for follow-up questions after a client goes live with a major process change or documentation revision or after delivering annual training.

The most common on-call assistance we set up, though, usually follows when we help a client with finding and training compliance staff, in that period after initial orientation to their role but before the client is comfortable with the staff taking solo action on higher-risk issues.

We’ve worked on data breach response since when states just started following California’s lead to create their own data breach incident laws. And it is precisely that long history of experience that plays into our special note here on our perspective on incident response.

To say it plainly: We understand the need for this work; but we actively discourage people from using our services in this area unless they are already a client, and one with whom we have some history in terms of understanding their business and their compliance program. We will absolutely help existing clients with data-related incidents where necessary. But that is part of our preference for working in a proactive way to avoid common risks that our clients face.

Whether you are a Cover Compliance client already or not, If you do not already have a formal incident response policy and procedure and are not sure how to execute an incident response plan, we may still be able to help if you have had an incident that you believe might rise to the level of an actual data breach under state or federal regulations. But in order to protect your investigation and response, we encourage you to seek advice from your legal counsel first and work under their direction.

For additional details on how we might help with a data breach, especially when working closely with your legal counsel, please see our Legal Counsel Efficiency page in the About Us section of this site.

Where We Can Help

Get the rest of the story about the industries and entities where we create compliance programs here.