Home / Blog / Top 4 Compliance Matters for Government Case Management Software

Top 4 Compliance Matters for Government Case Management Software

11 March, 2022

Katie Wolf

Katie Wolf

To find the right technology for your office, pay attention to these 4 areas.

In 2021, the US Government took on the problem of government technology. In an Executive Order, President Biden vowed to “improve customer services through technology . . . with simple, seamless, and secure services that meet people where they are.” 1

This promise comes not a moment too soon. Citizens and government employees have long been demanding better technology solutions. We want our experience to be intuitive, secure, and efficient. No more slow loading speeds, bugs, or broken links. No more confusing run-around.

Clunky legacy systems still hamper many government offices. They require tremendous time and resources to maintain and are difficult to update to meet new compliance standards.

But new technology can modernize your operation. It can respond swiftly and with agility to new expectations and regulations, cut down on IT spending, and attract new talent to your office.

When it comes to finding the right case management for government, pay special attention to ensuring compliance in these 4 areas:

1. Security

Government agencies and offices at all levels are the targets of cybercriminals. They have already cost the government billions—and the future holds an increasing rate of attack and ever more sophisticated techniques. Cybercrime costs globally have been growing by 15% each year, and are expected to hit $10.5 trillion annually by 2025. 2

Look for technology that will be an ally when it comes to protecting your information. Other companies can have more resources to devote to security—global players like AWS can have a security budget of billions, and regularly undergo extensive security audits. Going through a vendor can be far more cost-effective than trying to design secure IT in-house.

When analyzing different options, ask vendors:

  • Do you have third party audits showing your compliance to CJIS requirements? CJIS standards help protect government agencies from cyber threats while allowing them to share necessary criminal justice information.
  • Do you have a SOC 2 Type 2 audit report? This report is given after extensive audits by an outside auditor who is certified by the American Institute of CPAs (AICPA), the organization that governs IT and security auditing standards.
  • Do you meet the security standards set out by CJIS (Criminal Justice Information Services) Security Policy 5.9?
  • Do you have a third-party review of their data encryption? Is it in compliance with FIPS 140-2? FIPS — the Federal Information Processing Standards — was created by the National Institute for Standards and Technology (NIST).
  • Do you comply with the security requirements set out by HIPAA and HITECH, to protect personal health information?
  • Do you have a dedicated team of professionals, ensuring an agile and rapid response to evolving cybersecurity threats?

2. Privacy

In addition to its Security Rule, HIPAA includes a Privacy Rule that prohibits the disclosure of protected information. Ask vendors for a report about their compliance with HIPAA rules and whether they’ve been audited and assessed by third-party experts.

Also consider the requirements of Subtitle D of the HITECH Act. This sets out new breach notification requirements and accounting rules for disclosures of patient health information. When a data breach affects 500 or more people, you must notify those affected, Health and Human Services, and the news media. Enter into a Business Associate's Agreement (BAA) or Sub-BAA with service providers, to ensure they’re compliant with the latest HITECH Act updates.

Perhaps most importantly, ask whether the company has a Data Privacy or Data Protection Officer (DPO). Many regulations and standards require companies to name a qualified expert to this position, to ensure a continued, agile response to new threats.

There are additional privacy concerns for those operating in California (CCPA) or Europe (GDPR). Even those outside these jurisdictions might want or need to adopt some of the requirements they set out. For instance, Data Protection Agreements (DPAs), required by the GDPR, are popular safeguards to help delineate how service providers will use and process your data. Standard Contractual Clauses are a set of terms and conditions that protect personal data that leaves the European Economic Area. You might require your service providers to show a Privacy Policy with updated language around cookies, consent, right-to-be-forgotten actions, and other considerations required by the GDPR.

3. Disaster Recovery (DR) and Business Continuity Plans (BCP)

Every day, another news story reminds us that we live in uncertain times. But the work you do is crucial: use technology to strengthen your office, to ensure your valuable work can continue, no matter what comes your way. Based on the nature of your work, you may face additional requirements to maintain access to your information and continue your service to the public.

A fire or flood can destroy paper files and in-office servers. A ransomware attack can keep you from accessing every file stored on your computer. The cloud is a powerful tool to protect your information and keep your work moving forward. Whatever happens to your physical office, you can continue working remotely if you have an internet connection.

Ask technology vendors about their own Disaster Recovery and Business Continuity Plans. Make sure they have redundant data backup and high availability (HA) systems. An HA computing environment includes redundant switching, routing, and power for the supporting infrastructure systems so that if one system fails, another can take over.

In addition, it is crucial to ensure that HA systems are also backed up to different cloud regions in other parts of the United States or the world, depending on where the service is located. For example, the DR plan should include considerations for backing up data on the West Coast of the United States if the production platform operates on the East Coast.

4. Records management

Many offices are bound by regulations requiring you to document your activities, archive your files securely, ensure accessibility to other agencies or the public, and dispose of records at a particular time.

Task and legal document management technology can be crucial in complying with these rules. Make sure that the technology you use keeps secure records of your work (who does what, when), provides a secure means of sharing with others who should have access, and allows you to permanently delete data you should no longer have.

In a recent report to the President, the US CIO noted that subscribing to efficient, secure, cloud-based services “will enable the Government to stop building systems that are expensive to maintain and modernize.” 3

Faced with the growing cost of maintaining and upgrading legacy IT, managing server farms, and developing security practices, many government agencies have determined that now is the time to transition to agile and cost-effective case management software.

____________________

1 Martorana, Clare and Mina Hsiang. “Using Technology to Improve Customer Experience and Service Delivery for the American People.” The White House. The United States Government, December 13, 2021. https://www.whitehouse.gov/omb/briefing-room/2021/12/13/using-technology-to-improve-customer-experience-and-service-delivery-for-the-american-people/.

2 Morgan, Steve. “Cybercrime to Cost the World $10.5 Trillion Annually by 2025.” Cybercrime Magazine. November 13, 2020. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/.

3 US CIO. “Report to the President on Federal IT Modernization.” 2017. https://www.cio.gov/assets/resources/Report-to-the-President-on-IT-Modernization-Final.pdf