Health Insurance Portability and Accountability Act (“HIPAA”) Risk Management

HIPAA Risk Assessment & Implementation

Organizations meeting the definition of “covered entity” or “business associate” are subject to HIPAA requirements to protect the privacy and security of health information.  Covered entities include health plans, health care clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with a transaction for which the Department of Health and Human Services (“HHS”) has adopted a standard.  Business associates perform various functions involving the use or disclosure of protected health information (“PHI”) on behalf of or through services provided to a covered entity.  Managing PHI with integrity, discretion, and in a manner compliant with HIPAA continues to grow in difficulty and cost.  Advis can assist with HIPAA risk management assessments and staff training to ensure optimal compliance in this area.


EXPERIENCE IN HIPAA RISK MANAGEMENT & COMPLIANCE

Advis has years of experience in conducting HIPAA compliance reviews for covered entities and business associates. To ensure HIPAA compliance, we utilize the following project structure:

Documentation Collection
Client teams will provide Advis with HIPAA policies, procedures, and other relevant documents to perform an initial review.

HIPAA Risk Management Assessment
Advis will perform a desk audit and evaluate all written documentation related to protecting PHI.

Information and Fact-Finding Interviews
Along with reviewing applicable documentation, Advis will conduct informational and fact-finding interviews with the client to discuss its current policies and procedures to determine what additional practices may exist beyond what is formalized in writing.

Analysis & Preparation of Report
Following the completion of information collection and review, Advis will produce a comprehensive HIPAA risk analysis of the existing policies, procedures, and practices. This will establish a baseline of the current state and serve as preparation for the compliance review report. The report will include:

  • PHI Inventory: Identify source, location, custodian, type, safeguards, vulnerabilities, threats, and criticality.
  • HIPAA Threat Matrix: Identify categories, likelihood of occurrence, and method of managing risk.
  • HIPAA Risk Matrix: Utilize the PHI Inventory and Threat Matrix to evaluate overall risk (e.g., high, medium, or low).
  • HIPAA Scorecard: Provide the applicable regulatory standard and current compliance, as well as the level of remediation necessary.
  • Remediation: Based on the identified weaknesses, Advis will include recommended policies, procedures, and practices to address identified compliance gaps.

Mapping and Plotting a HIPAA Risk Management Policy

Covered entities and business associates using the Advis approach will become more familiar with HIPAA and its requirements, identify key parts of policies and procedures, and implement remedial measures, if necessary. The training provides the following:

  • Definition of Senior Management’s role
  • Definition of Privacy Officer’s role
  • Identification of personnel to be trained
  • Explanation of how to train by department and discipline
  • Discussion of training materials needed
  • Explanation of how to make the most of in-house resources