How can a business rules solution enable compliance with Sarbanes-Oxley, HIPAA or similar?

A formalized, auditable collection of rules for collecting and acting upon information is central to the requirements of regulatory mandates such as Sarbanes-Oxley and HIPAA. Companies must ensure and enforce compliance by every employee, for every transaction, and in every automated system. With traditional programming techniques, the logic governing how a program should behave is hard-coded into each individual system. So if a corporate policy needs to be changed (because of a new law or increased reporting requirements), each program must be examined, recoded, tested, and redeployed to production.

A business rules product such as Blaze Advisor allows the logic that controls such requirements to be stored in a single location, where it can be reviewed, updated, audited, and accessed by multiple computer programs. Since the logic is not duplicated in multiple programming systems, it is consistent and up to date for use throughout the company.

In a real-world scenario, this could mean that proper privacy warnings are posted and audit logs are generated for any health services applicant giving information over:

• An interactive website

• A touchtone phone response system

• A telephone conversation with a call center agent

• A computerized application form processed in batch

Because business rules can fire based on immediate changes in known data values (whether calculated or input), they can add controls to the process of data collection as well. Information that is not needed for a particular case can be bypassed, secure in the knowledge that all applicable use scenarios have been considered by the rule engine. This saves time and money for the healthcare provider. Rules can also find cases where one piece of information produces the need for other, related pieces of information as specified by regulatory considerations. The rules make sure that everything that is needed is collected up front, reducing multiple contacts, turnaround time, and the potential for unauditable transactions for compliance purposes.
