What We Do for Our Clients


We apply deep experience with expanding, ever-changing regulatory environments to help clients strengthen their compliance programs and minimize risks of compliance failures. Here are some of the things we do to help enable and manage effective compliance programs for our clients while helping them avoid both "technology envy" and "technophobia":

Documentation for It All

If we haven’t made our point by now, we’ll say it again: Documentation is by far the most important element in a strong compliance program.

We help our clients create documentation that can improve and maintain their understanding of their business operations beyond just compliance. This same documentation can help anyone with a role to play for or in your business follow your playbook and minimize miscommunication about your expectations, so your business runs more smoothly.

Some Examples
Aside from the most commonly produced policies and procedures documents, we often help our clients create governance documents (such as a compliance program charter and overall program policy), compliance auditing and monitoring documents (including checklists and data gathering templates and logs), job descriptions (for compliance, privacy, and security roles and compliance language to include in other descriptions), vendor and service provider documents (including proposal language around privacy and security or other compliance requirements), customer-facing documentation (such as privacy notices, authorization and opt-in forms, etc.), and internal training materials.
RESERVE FOR EVENTUAL SUBPAGE OR ADDING IN ADDITIONAL CONTENT HERE LATER


What We Mean
If we haven’t made our point by now, we’ll say it again: Documentation is by far the most important element in a strong compliance program.

But we don’t mean legalistic compliance documentation taken from some template and that has little connection to your actual operations. You have business to do. You have to comply with unchosen requirements imposed by others while you do business. So why not make your documentation help you accomplish both?

Where your general operations procedures are concerned, it may be legitimate to claim that you have a procedure and that everyone knows how to follow it and that it's just not written down. That can be perfectly valid for things that don’t have lots of regulatory specifics driving them. But that won't satisfy explicit regulations that say, literally, that you have to have written policies and procedures as a part of staying in compliance with those regulations.

We help our clients create documentation that can improve and maintain their understanding of their business operations beyond just compliance. This same documentation can help anyone with a role to play for or in your business follow YOUR playbook and minimize miscommunication about your expectations, so your business runs more smoothly.

Some Examples
Aside from the most commonly produced policies and procedures documents, we often help our clients create governance documents (such as a compliance program charter and overall program policy), compliance auditing and monitoring documents (including checklists and data gathering templates and logs), job descriptions (for compliance, privacy, and security roles and compliance language to include in other descriptions), vendor and service provider documents (including

Comprehensive Compliance Tools

We can help with documentation, and are happy to stop there. But we will likely advise you to go beyond the documentation, whether you use our services to do so or not.

Figuring out policies and procedures often causes stress all by itself, and very often even large, "sophisticated" organizations never evolve much beyond that. But for your own protection, you need to have a way to know that your procedures actually fulfill your policies, and you have to be able to know when your procedures are being followed and to correct errors when they are not, as well as to account for changes in your business and their impact on it all.

We can help you think creatively about ways to know that things are functioning like they're supposed to. And we can work out tools to help you do the monitoring, whether you want to use basic checklists and logs created in Excel or you want something much easier to manage on the back end and are willing to put in a bit more work with us initially to get things set up.

With Excel, people often get overwhelmed with the process and this usually has to do with trying to use poorly crafted Word procedures templates in conjunction with overly complicated Excel spreadsheet templates. And it gets worse when the two types of documents don't "mesh". We can help avoid that trap; however, the Excel/Word approach does require manual file and data management to organize everything. If the manual approach is not to your liking, we can show you rather quickly how cost-effective and helpful a SharePoint solution can be. And the side benefit from demystifying SharePoint for you for your compliance program needs is often that you start seeing ways SharePoint could help you in your business in general.

Staffing and Mentorship

Most regulatory frameworks have at least some element of requiring a formal naming of a compliance administrator or officer (such as the HIPAA requirement for a covered entity to appoint an official responsible for privacy and for security, though such officials can be one person and can be someone with additional responsibilities at the covered entity).

Though documentation is the foundation for a compliance program, you have to have someone maintain that foundation and manage the whole “structure” of the compliance program. Ideally, you’d have the right compliance manager in place before we begin to help you with your documentation. But even if you don't have your compliance role fully defined, we advise our clients to at least give some pointed, advance thought to who will be responsible for their program after Cover Compliance is gone. We can help with that process, too.

We can help clients with writing position descriptions and identifying the right people to do this work with them or for them (both from within existing people and when they need to hire someone). We can then train those people to perform in their roles. We provide mentorship for those key compliance staff and for business owners and leaders and can do that for period of time and can be available to give on-call assistance when specific needs arise.

Compliance Training

The type of training and mentorship described above is what we’d call compliance management training. “Regular” compliance training includes regulation-specific training and training that is designed to explain your compliance program—why it exists, what your policies are, and what happens when things out of the ordinary occur. Think of HIPAA privacy and security training required for HIPAA covered entities, or anti-money laundering compliance training required for certain financial institutions.

We can do both. Where your regulation-specific compliance training needs are concerned, we prefer to work in a train-the-trainer role. We can deliver your actual training, customized for your business and your risks, but we recommend doing that with your compliance person on board to help. This approach becomes an extension of our mentoring your compliance staff, to enable someone in your organization to manage this work on an ongoing basis and we are happy to come in periodically to help or as a guest speaker. And once again, we can come up with some creative options for ongoing awareness training that cost less than you might expect and that address your specific compliance program and business operations.

For the rest of your compliance management training needs, we can help provide specific training presentations and materials in such subjects as general "Compliance 101" (basic compliance concepts, not specific regulatory components), the compliance and governance lifecycle, and compliance auditing and monitoring.

And stay tuned as we are actively working now on being able to serve up some of this kind of information on our site and through some other means such as Udemy or YouTube. The first offerings are likely to be in compliance management training with some key regulation-specific training content to follow later.

Vendor and Business Associate Compliance

You might notice that we use the terms “vendor”, “service provider”, and “business associate” almost interchangeably. In the context of healthcare, the term “business associate” has taken on a more formal meaning; however, that should not confuse anyone exploring this area of compliance and oversight of third parties. If you are in healthcare or are a business that works with healthcare providers, health insurers, and others that handle protected health information of individuals, just know that you need to pay special attention to this area of compliance and to understand HIPAA as well as any other state or federal regulations that might govern your business. Cover Compliance can help non-healthcare entities get a handle on what HIPAA might mean for their business.

Even if you are not in healthcare, vendor compliance is still likely to be an issue you need to address, in at least one of two ways.

Service Providers to Regulated Businesses
If your business exists as a service provider to other businesses, you can expect growing attention to your business being held to specific compliance demands by the businesses that contract with you. This type of vendor compliance is driven by your customers’ compliance program requirements, but it means you should do yourself the favor of putting some formality around how you approach responses to your customers and how you manage the underlying demands. A thorough, proactive approach related to the types of products and services you offer, can help you maintain satisfaction from existing business customers and give you an advantage over service providers with whom you compete.

Consumer-Facing Businesses that Use Commercial Service Providers
If you are a consumer-facing business and you rely on key vendors and business associates to serve your consumer customers, you probably have some degree of formal vendor supervision that YOU are obligated to give to your vendors. And even if you don’t have specific regulatory requirements that you must apply to your vendors, your own compliance risk and business confidence are best served by making it clear to service providers with whom you contract what your specific service level expectations are.

So here we are talking about two things—helping our clients oversee vendors and service providers in ways that directly relate to our clients’ businesses, and helping service provider businesses (most often, those serving HIPAA-regulated covered entities) create and run their OWN compliance programs.

We can help you with both of these vendor compliance areas. This is another area where we can serve as translator to help you make sure you understand what others are telling you, in language that demystifies regulatory expectations and decodes technical jargon.

On-Call Assistance

We can offer a variety of ways to provide ongoing support to clients. We work to make ourselves available to existing clients when unexpected issues arise. But for clients who anticipate the need for quick support at different times, retainer scenarios are possible. These would be most common following fulfillment of key engagements, such as retaining us for follow-up questions after a client goes live with a major process change or documentation revision or after delivering annual training.

The most common on-call assistance we set up, though, usually follows when we help a client with finding and training compliance staff, in that period after initial orientation to their role but before the client is comfortable with the staff taking solo action on higher-risk issues.

Data Breach Response

We’ve worked on data breach response since when states just started following California’s lead to create their own data breach incident laws. And it is precisely that long history of experience that plays into our special note here on our perspective on incident response.

To say it plainly: We understand the need for this work; but we actively discourage people from using our services in this area unless they are already a client, and one with whom we have some history in terms of understanding their business and their compliance program. We will absolutely help existing clients with data-related incidents where necessary. But that is part of our preference for working in a proactive way to avoid common risks that our clients face.

Whether you are a Cover Compliance client already or not, If you do not already have a formal incident response policy and procedure and are not sure how to execute an incident response plan, we may still be able to help if you have had an incident that you believe might rise to the level of an actual data breach under state or federal regulations. But in order to protect your investigation and response, we encourage you to seek advice from your legal counsel first and work under their direction.

For additional details on how we might help with a data breach, especially when working closely with your legal counsel, please see our Legal Counsel Efficiency page in the About Us section of this site.

Resources Page


NEW Site Content!!
In addition to our diagram for the Cover Compliance approach to implementing new compliance programs, we've added materials we shared in a recent class Glenn taught on writing good compliance policies & procedures.

Where We Can Help


Get the rest of the story about the industries and entities where we create compliance programs here.

Resources

These resources are available on request while our site evolves. Click the resource name to launch our contact form and tell us what resources you're interested in or let us know by phone. Direct download of resources here will be available soon.
Call us for more information.
816.226.6759
816.2Comply
What We Do
Regulatory compliance advisory services for smaller and not-for-profit entities that lack resources to purchase and manage complex enterprise systems and staff.
Stacks Image p4_n32
Cover Compliance
WHERE WE ARE
Overland Park, KS in the Kansas City area

  • 1.816.226.6759