HIPAA Privacy and Security Program Assessment
A residential services and support organization with more than 300 locations, whose mission is to provide exceptional community-based services that promote independent living and quality of life for individuals with special needs, called upon the Change Healthcare Consulting team for a HIPAA Privacy and Security Assessment. In addition, the client wanted to map the HIPAA Security controls to the National Institute of Standards and Technology (NIST) 800-53 controls, version 4. The client had an impending audit and wanted to ensure compliance across the board, adopting NIST as its cyber security framework. The client wanted the Change Healthcare team to assess and remediate its Privacy and Security program, including, but not limited to, creating a set of Privacy and Security Policies and Procedures and conducting a high-level risk assessment. The Consulting team had a 4-month timeline to assess the client’s current state and remediate the program.
The organization faced multiple challenges in its endeavor to maintain HIPAA Privacy and Security compliance. One critical challenge was the combination of the client’s small size and heavy regulatory requirements. Despite being a smaller organization, it faced the same policy and procedure requirements as a large company, yet with fewer resources. Another key challenge was that, as a lean organization, the client did not have subject matter experts readily available to address its cyber security and privacy regulatory requirements. These gaps made it difficult to properly scope the engagement, as the client was not entirely sure what it needed.