By Carlos Leyva
Published: February 2, 2014
Using an Agile Methodology for HIPAA Compliance
Most technology projects fail because of people and process challenges that have very little to do with the underlying technologies and almost everything to do with social and organizational complexity, the kind that lies at the heart of wicked problems. A HIPAA Compliance implementation involves so much more than technology that calling it a technology project is itself a misnomer. It is more aptly described as a change project, and to manage a change project as “WICKED” as HIPAA Compliance, I suggest we borrow a page from our friends in the software thought leadership space and take an Agile approach to compliance.
For our purposes, “Agile Compliance” can be defined as follows[1]:
Agile Compliance is a group of methods based on an iterative and incremental approach, where compliance solutions evolve through collaboration between cross-functional teams. It promotes adaptive planning, evolutionary development and implementation, and a time-boxed iterative approach, which encourages rapid and flexible response to changing regulations. It is a conceptual framework that promotes foreseen interactions throughout the implementation cycle and acknowledges that, due to a changing technical and regulatory environment, the implementation cycle never ends. Agile Compliance is how an Organization will go about changing its compliance DNA.[2]
There are simply no cookbooks, no maps, no videos, no books, no webinars, no conferences, no software and certainly no checklists capable of providing a step-by-step approach to solving all of the Organizational problems that surround HIPAA Compliance. That is why an Agile Compliance methodology is required. Each solution will be different from the next because each Organization is different. That said, once your Organization commits to an iterative, agile approach to solving the HIPAA Compliance problem over time, the HIPAA Survival Guide Subscription Plan will help you get started and guide you along the way.
We understand that an industry whose very foundation rests on the scientific method will have a difficult time accepting that heuristics are the best we can do. In fact, for many within healthcare it is clearly anathema to suggest that exhaustively studying the problem will not only produce poor results but will lead right off the cliff to certain failure. The “form a committee to form a committee to study the problem” approach will likely lead to death by a thousand cuts. We have seen this movie before and it does not have a happy ending. As daunting as HIPAA Compliance is, the most important thing you can do is GET STARTED.
In short, to solve a wicked problem you must fail fast in order to succeed. Why? Because problems this complex can’t even be defined, let alone solved, without a better understanding of where your Organization is today compared to where it needs to be tomorrow. To solve a wicked problem you must act more and study less. That is the point of the story about Lee Iacocca taking a chainsaw to a Mustang in order to make a Mustang “convertible.”[3] Get busy doing! Break some ground!
Here’s a little math for the “scientific types” among you. The following equation, from Ludwig Boltzmann (an Austrian physicist, 1844–1906), is engraved on his gravestone in Vienna. Although amazingly simple, it lays the theoretical foundation for the rest of this discussion:
- S = k log W
- “S” stands for entropy.
- “k” is a universal constant known as Boltzmann’s constant.
- “W” is the number of distinct ways in which the parts of a system can be arranged (the number of microstates consistent with the system’s overall state).
When confronting any complex problem, the number of possible ways that the “solution space” could be arranged approaches infinity (i.e. it is a really BIG NUMBER). Because “W” is so large, the solution space, from your perspective, is in a state of maximum entropy. Order is imposed, and entropy is reduced, by reducing the number of Decisions In Progress (“DIP”). Each intelligent, methodical and relentless decision imposes a constraint; as constraints are imposed, the number of possible arrangements is reduced, order increases, and entropy decreases. One of the primary objectives of the HIPAA Survival Guide Subscription Plan is to help your Organization significantly reduce the DIP by getting your Organization going, and keeping it going, throughout your HIPAA Compliance implementation.[4]
Notice that we didn’t say by making the “right” decisions. Even making wrong (but educated) decisions sooner rather than later is a better alternative to “methodically studying the problem,” because it gives your Organization the opportunity to actually understand the problem faster than it otherwise would. In short, as Tom Peters would say: “fail forward fast” in order to succeed.
Agile methodologies work by attacking chaos. Using Agile methodologies as part of your HIPAA Compliance strategy will allow you to quickly discover the true nature of the problem you are attempting to solve, while producing meaningful deliverables as you go.
Big Problems require Small solutions. It’s not that the end game solution will turn out to be small, but rather that the ultimate solution can only be achieved through a series of smaller solutions.
The butterfly effect is the well-known phenomenon in chaos theory in which small changes to initial conditions produce dramatically different downstream outcomes. For our purposes this means that the methods you use to attack the problem space will likely be the deciding factor between HIPAA Compliance success and failure. It’s all beta, all the time. We intend to reinforce the use of an agile methodology throughout the HIPAA Survival Guide Subscription Plan. For now, jump in and get started.
[1] Agile Compliance is a term we coined, borrowing heavily from the concept of Agile Software Development.
[2] Agile methodologies grew out of the recognition by software thought leaders that the traditional “waterfall” linear methodology for developing software was completely broken. Analogously, we believe that the traditional GRC (governance, risk and compliance) model of compliance is broken.
[3] Apparently this is pure urban legend, but it does serve to make the point, which is: get started.
[4] Your Security Rule (SR) implementation will be a continuous process over time, not a project with a beginning, middle, and end. Your Organization must learn to accept new “features” and continuous updates as the “new normal” in regulatory compliance.