HIPAA Risk Management Policy

HIPAA Risk Assessment & Implementation

HIPAA requires all health care plans, clearinghouses and providers to implement new procedures in handling electronic medical records. Managing the records with integrity and discretion has become more difficult as well as expensive. Advis has developed a program to create a HIPAA risk management policy and assist in the training of members of health care facilities in HIPAA privacy implementation.

HIPAA requires all health care plans, clearinghouses, providers, and business associates to implement procedures for handling Protected Health Information (PHI). All covered entities and business associates must comply with the HIPAA requirements to protect the privacy and security of health information. HIPAA also grants individuals certain rights with respect to their health information.

Managing the health information with integrity and discretion is growing in both difficulty and cost, but with Advis’s assistance effective security and compliance can be achieved.

Advis has accumulated years of experience in conducting HIPAA compliance reviews for both providers and business associates. In order to fully ensure HIPAA compliance, we utilize the following project structure:

Phases of Advis’s HIPAA Compliance Audit Process

Documentation Collection
In order to review and assess the current compliance of a client’s companies with applicable HIPAA regulations, the client provides Advis with the available pertinent documentation related to the privacy and security of information.

HIPAA Risk Management Assessment
We perform a desk audit and evaluate all written documentation related to protecting sensitive information.

Information and Fact-Finding Interviews
Along with reviewing the client’s applicable documentation, Advis conducts informational and fact-finding interviews with the client to discuss the current pertinent policies and practices within its companies and to determine what additional practices may exist beyond what is formalized in writing.

Following the completion of the information collection and review, Advis will produce a comprehensive HIPAA risk analysis of the existing policies and current practices within the client’s companies and prepare for the compliance review report. The report will include:

  • PHI Inventory
    • Identify source, location, custodian, type, safeguards, vulnerabilities, threats, and criticality
  • HIPAA Threat Matrix
    • Identify categories, likelihood of occurrence, and method of managing risk
  • HIPAA Risk Matrix
    • Utilize PHI Inventory and Threat Matrix to evaluate overall risk
      • High Risk
      • Medium Risk
      • Low Risk
  • HIPAA Scorecard
    • Provides applicable regulatory standard and current compliance as well as level of remediation necessary


Based on the weaknesses identified within the client’s companies, we include recommended policies and procedures to address the gaps between the client’s practices and regulatory requirements. Using the HIPAA compliance review report we provide, clients can improve their policies and procedures in concert with their internal practices and the appropriate stakeholders.

The program is designed to teach health systems what to look for in current practices so that they may determine what course of action to take in order to comply with HIPAA rules and regulations. The training provides the following:

  • Definition of Senior Management’s role
  • Definition of Privacy Officer’s role
  • Identification of personnel to be trained
  • Explanation of how to train by department & discipline
  • Discussion of training materials needed
  • Explanation of how to make the most of in-house resources

HIPAA Policy Resources:

HHS.gov HIPAA Training Resources

American Medical Association HIPAA Resources