Privacy Ref’s provides HIPAA Assessments as well as HIPAA Program Reviews. Our assessments and reviews take a top-down approach to analyzing an organization’s program and practices to complying with HIPAA’s Privacy and Security rules. The focus is on actual day-to-day activities of individuals and how they handle Protected Health Information, PHI, as well as the applications and business activities used to process data. This allows us to focus on a rapid, minimally invasive interview and observation process that can take place over a few business days.
Privacy Ref representatives will meet remotely with organizational leaders and other members of your organization to discuss areas of concern as well as the process for the interviews.
Privacy Ref then will begin the analysis process by reviewing documents and other artifacts related to the protection of PHI. This includes items such as policies, notices, codes of conduct, relevant procedures, and charters.
Privacy Ref will then interview key individuals from various areas of the company, supplementing this information by asking them about their daily routines and how they handle the protection of PHI. We identify benefits and potential risks posed by the activities and perspectives of these individuals. To prepare participants for these sessions, Privacy Ref will create a video discussing the project and our processes for distribution. An on-site visit is also an alternative.
After each interview, Privacy Ref will prepare notes in a bulleted format for review by the meeting participants. This gives the participants a chance to ensure we heard everything correctly and correct any possible misstatements.
After gathering information, including a walkthrough of the office space, and being shown any systems used for the transfer of personal information which may also be done via video conferencing technology, the Privacy Ref representatives will analyze their findings.
We will then prepare and deliver a review report. The report will include:
- a high-level personal information data inventory,
- a review of PHI governance,
- an analysis of PHI processing,
- a high-level statement on applicable legal compliance, and
- identification of risks facing your organization due to this processing.
Assessments differ from reviews in that they include a closer look at operation using multiple consultant from our team, the utilization of Privacy Ref Frameworks in our analysis and additional reporting details.
Privacy Ref has prepared two frameworks for the analysis of HIPAA compliance. The first framework has decomposed the requirements proscribed in the HIPAA Privacy, Security, and Administrative Rules to identify how your organization meets these requirements. The second provides a deeper analysis of the HIPAA Security Rule based upon Table 12 of NIST SP 800-66.