Advis has accumulated years of experience in conducting HIPAA compliance reviews for both covered entity providers and business associates. To assess HIPAA compliance thoroughly, we use the following project structure:
Phases of Advis’s HIPAA Compliance Audit Process
Documentation Collection
To review and assess the current compliance of a client’s companies with applicable HIPAA regulations, the client provides Advis with the available pertinent documentation related to the privacy and security of information.
HIPAA Risk Management Assessment
We perform a desk audit and evaluate all written documentation related to protecting sensitive information.
Information and Fact-Finding Interviews
Along with reviewing the client’s applicable documentation, Advis conducts informational and fact-finding interviews with the client to discuss the current pertinent policies and practices within its companies and to determine what additional practices may exist beyond what is formalized in writing.
Following the completion of the information collection and review, Advis produces a comprehensive HIPAA risk analysis of the existing policies and current practices within the client’s companies and prepares the compliance review report. The report includes:
- PHI Inventory
  - Identifies the source, location, custodian, type, safeguards, vulnerabilities, threats, and criticality of each PHI holding
- HIPAA Threat Matrix
  - Identifies threat categories, likelihood of occurrence, and the method of managing each risk
- HIPAA Risk Matrix
  - Uses the PHI Inventory and Threat Matrix to evaluate overall risk, rated as:
    - High Risk
    - Medium Risk
    - Low Risk
- HIPAA Scorecard
  - Provides the applicable regulatory standard, current compliance status, and the level of remediation necessary
Based on the weaknesses identified within the client’s companies, we include recommended policies and procedures to address the gaps between the client’s practices and regulatory requirements. Using the HIPAA compliance review report we provide, clients can improve their policies and procedures in concert with their internal practices and the appropriate stakeholders.
The training program is designed to teach health systems what to look for in their current practices so that they can determine what course of action to take to comply with HIPAA rules and regulations. The training provides the following:
- Definition of Senior Management’s role
- Definition of Privacy Officer’s role
- Identification of personnel to be trained
- Explanation of how to train by department & discipline
- Discussion of training materials needed
- Explanation of how to make the most of in-house resources
HIPAA Policy Resources:
- HHS.gov HIPAA Training Resources
- American Medical Association HIPAA Resources