Where We Help Our Clients
One of the overriding themes to our work is helping clients both in defining the formal elements of their baseline compliance program (i.e., the specific required things that they must do to comply with the set of regulations that apply to their business) and in using their compliance work to benefit their business operations overall.
As a smaller organization, with limited people and resources, since you're doing all that "have to comply" work anyway, why not make sure your overall operations benefit? At heart, it's the same approach: Start with what it is that you have to/want to accomplish, create a policy statement that will drive toward that accomplishment, and find the required elements of procedures necessary to accomplish it and ways to track how it's being done.
Very often, the compliance program itself will improve operations quality; however, you can experience similar benefits in operations areas that may not have a driver beyond your own entrepreneurial vision and mission for your business. And there's nothing wrong with making sure that everyone in your organization understands and delivers on that, too.
Here are some of the types of environments and organizations we help:
General Privacy and Data Protection
The U.S. may lack a true, formal right to privacy (that's a whole other conversation); however, we have plenty of "sectoral" laws that create complicated privacy requirements for many types of entities, and most of those laws do not provide exceptions for business size beyond some vague understanding that smaller entities aren't expected to devote specific levels of investment to their privacy and data protection programs.
Since first working on privacy and security issues in 2002, this has become a primary focus of our expertise, especially in terms of proactive approaches to minimizing data collection and management risks and simplifying compliance programs as a result of taking proactive measures.
In addition to the major financial and healthcare privacy regulations at the U.S. federal level, we understand the European Union's GDPR (General Data Protection Regulation) and its precursors, Canada's PIPEDA (Personal Information Protection and Electronic Documents Act), and cross-border data transfer issues that involve U.S.-based data processors and data controllers; FERPA, COPPA, and the "pseudo-regulatory" PCI-DSS. And we monitor U.S. state regulations in data breach response, marketing privacy, and the developing area of state healthcare privacy rules that are more restrictive than key aspects of HIPAA.
We also are quite comfortable managing the sometimes strange interplay between different regulatory authorities and their sometimes competing priorities across industries, especially where they may intersect on privacy issues (such as payment processing in healthcare, or federal vs. state requirements).
What We Mean
If we haven't made our point by now, we'll say it again: Documentation is by far the most important element in a strong compliance program. But we don't mean legalistic compliance documentation taken from some template that has little connection to your actual operations. You have business to do. You have to comply with unchosen requirements imposed by others while you do business. So why not make your documentation help you accomplish both?
Where your general operations procedures are concerned, it may be legitimate to claim that you have a procedure, that everyone knows how to follow it, and that it's just not written down. That can be perfectly valid for things that don't have lots of regulatory specifics driving them. But it won't satisfy explicit regulations that say, literally, that you must have written policies and procedures as a part of staying in compliance with those regulations.
We help our clients create documentation that can improve and maintain their understanding of their business operations beyond just compliance. This same documentation can help anyone with a role to play for or in your business follow YOUR playbook and minimize miscommunication about your expectations, so your business runs more smoothly.
Some Examples
Aside from the most commonly produced policies and procedures documents, we often help our clients create governance documents (such as a compliance program charter and overall program policy), compliance auditing and monitoring documents (including checklists and data gathering templates and logs), job descriptions (for compliance, privacy, and security roles and compliance language to include in other descriptions), vendor and service provider documents (including
Healthcare
When people say "HIPAA compliance" they most often mean anything related to privacy and security in the healthcare context. That is of course the main concern; however, there is nearly always more to healthcare practice compliance than that.
Though many of the more proactive privacy program activities we undertake aren't normally seen by healthcare clients as HIPAA requirements, we try to make sure that our clients understand how proactive privacy work can be a direct part of fulfilling some of the more troublesome HIPAA requirements for covered entities. For example, proactive privacy projects (such as privacy impact assessments) can often help give a structure to the oft-misunderstood HIPAA "risk assessment" or "risk analysis" that all covered entities are supposed to be doing already, though many still don't know how to start.
Another consideration is that HIPAA provides a "floor" for healthcare data protections, but states are free to create more restrictive rules for data of their state residents, and more and more states, including our own home states of Missouri and Kansas, are doing just that—now that state attorneys general have had a few years to get comfortable with their role in helping HHS enforce HIPAA within their own states' borders, coupled with a decade or more of enforcing their own state data breach rules. And to varying degrees, state attorneys general are becoming more aggressive about seeking to force HIPAA financial penalties for violations within their states. In the healthcare context, Cover Compliance can also help decode the impact of more general data regulations on our clients' HIPAA-regulated operations.
Aside from the actual protected health information that HIPAA governs, healthcare entities also may deal with personal financial information that is subject to additional rules (such as payment processing information that is subject to banking regulations and financial services rules such as PCI or the NACHA rules governing bank account transactions). We can help healthcare entities understand the additional non-healthcare rules and how to manage them in their overall compliance program without creating conflicts with their HIPAA rules.
Financial Services
Beyond general privacy and data protection at financial services firms, we can help with other general compliance pain points in other aspects of financial services.
We have experience working with federal regulations (both pre-CFPB and as managed by the CFPB now), and state-level equivalents, and have helped small businesses with their credit and lending compliance nationwide.
Throughout our financial services work, we have also helped with initiatives related to the expansion of "anti-privacy" (as we call them) programs that came in reaction to the September 11 terrorist bombings in 2001. We can help smaller banks, lenders, money services businesses, and alternative financial services firms build strong, ethical compliance programs while also meeting their "know your customer" (KYC) obligations and other anti-money-laundering/countering financing of terrorism (AML/CFT) program requirements.
And of course, we can help financial services clients figure out where they fit into the HIPAA compliance world as a business associate to healthcare entities.
Startups
Startups, especially ones that may have data-intensive operations, are getting more and more compliance program scrutiny from regulators and investors. We can help such startups, whether they are in the proof-of-concept stage or have already begun operating.
And don't think that the general tendency of regulations not being able to keep up with technology gives a cutting-edge startup a pass. In fact, the more cutting edge your technology, the more likely it is that any perceived compliance failure (especially in terms of how you handle personal information) gets attention using tried-and-true concepts such as the Federal Trade Commission's "unfair, deceptive, or abusive acts or practices" ("UDAAPs") to scrutinize what you do and say.
We advise that you at least take a look on your own at what we have to say elsewhere on our site about our work with clients so you can start forming your own opinion of whether you might have some risks to address, especially if your concept is consumer data-intensive. Or if it's in healthcare or financial services. Or you plan to market and sell in multiple states. Or to minors—or seniors. Or you're going to be storing data "in the cloud". And the list can go on and on.
But whatever the list of particular compliance risks, taking an advance look at your potential compliance landscape can help you save in the long run by helping you decide on additional work you might do when it's less intrusive, rather than having to redo or undo things later. And taking this kind of proactive approach on compliance issues can even be a strategic advantage when you're seeking funding. Should someone ask how you've evaluated risks, you can point toward your proactive compliance management approach and be able to converse about what risks you've found and how you're already addressing them.
We can work with both the data intensive startups themselves and with the venture capital funds and investors who are doing their own due diligence on data protection, privacy, and general compliance operations ahead of investing or as a part of the investors getting involved in the operations of the startups in which they are already invested.
Privacy-by-Design (PbD) & Privacy Impact Assessments (PIAs) for Data Intensive Startups
The last thing gung-ho startups want to hear is "Whoa! Shouldn't you do a PIA for your Whatchamacallapp app?" In relatively short order, Cover Compliance can help you figure out whether your product or concept might benefit from a more detailed, advance compliance impact assessment (whether in terms of privacy or other business risks).
Nonprofits
This is a new area for us and one we are hoping takes on growing importance for Cover Compliance.
Throughout our site, you'll find reference to different sources of authority that create compliance obligations. Beyond regulations and industry practices, contracts between two entities normally create their own compliance requirements that are even more specific than the regulations that might drive creation of the contract relationship.
Functioning in a similar way as contracts do for commercial entities, grants drive most of the compliance obligations in place at any given time at not-for-profit agencies. Cover Compliance can help nonprofits create compliance procedures and compliance monitoring tools to help document and prove compliance with the terms of grants the nonprofit has already won. And we can help nonprofits gain advantage in selection for new grants by allowing them to define a clear compliance plan and communicate it to funders.
We offer significant discounts from our normal commercial rates for nonprofits who hire us to help with their compliance and documentation needs.
Resources Page
All New Content Coming for the All New Site!
For starters, we updated our diagram for the Cover Compliance approach to implementing new compliance programs, decking it out in our new logo and color palette. That's all that's available now, but more is coming very soon.
Next in the queue is our translation of the new Brazil LGPD regulatory agenda and a couple Cover Compliance quick reference guides.
What We Do
Get the rest of the story about the types of compliance tools and services we provide clients here.
Resources
These resources are available on request while our site evolves. Click the resource name to launch our contact form and tell us which resources you're interested in, or let us know by phone. Direct download of resources here will be available soon.
Call us for more information.
816.226.6759
816.2Comply
Cover Compliance LLC