HIPAA Privacy and Security Program Assessment

Averaging more than 15 years of experience in the healthcare industry, our consultants have worked in a variety of management positions within commercial and government payer organizations, so we understand your challenges first-hand—including competitive pressures, organizational obstacles, and limited resources.

Case Overview:

A residential services and support organization with more than 300 locations and a mission to provide exceptional community-based services that promote independent living and quality of life for individuals with special needs called upon the Change Healthcare Consulting team for a HIPAA Privacy and Security Assessment. In addition, the client wanted to map the HIPAA Security controls to the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4, controls. The client had an impending audit and wanted to ensure compliance across the board, adopting NIST as their cyber security framework. The client wanted the Change Healthcare team to assess and remediate their Privacy and Security program including, but not limited to, creating a set of Privacy and Security Policies and Procedures and conducting a high-level risk assessment. The Consulting team had a 4-month timeline to assess the client’s current state and remediate the program.


The organization faced multiple challenges in their endeavor to maintain HIPAA Privacy and Security compliance. One critical challenge was the client’s small size combined with heavy regulatory requirements. Despite being a smaller organization, they faced the same policy and procedure requirements as a large company, yet with fewer resources. Another key challenge for the client was that, as a lean organization, they did not have subject matter experts readily available to address their cyber security and privacy regulatory requirements. These gaps made it difficult to properly scope the engagement, as the client was not entirely sure what they needed.



The primary goal for the Consulting team was to develop a scope and advise on that plan to ensure the client would pass the audit, but more importantly to reduce their security risk to a level acceptable to the organization. To that end, the Consulting team conducted an initial assessment to identify deficiencies in the client’s security program related to the HIPAA Privacy and Security Rules. To remediate, the Consulting team developed a security training program that educated staff on current rules and regulations and on the organization’s risks, so that they would be better prepared for future assessments. In addition, 32 privacy and 36 security policies and procedures were developed and delivered to the client.


The Consulting team closed out the project by leaving the client in a successful position, enabling them to pass audit and regulation checks in the future. The team carefully organized and structured the policies and procedures for easy review and ensured all staff were refreshed on the new protocols so they could maintain them moving forward.
