Privacy and Regulatory Compliance: HIPAA Compliance Review for a Nonprofit



Challenge

The client, a regional affiliate of a global nonprofit organization focused on providing job training and placement assistance, collected protected health information (PHI) as part of its business processes and needed to assess its compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It needed to identify critical gaps that might impact its ability to achieve and maintain HIPAA compliance.

Experis Solution

Experis used a tailored version of our proven program compliance assessment methodology, which includes four phases (discovery, gap analysis, remediation and reporting), to assess a subset of the organization’s programs that were covered by a specific Business Associate Agreement (BAA) and involved the collection, processing, and storage of protected health information.

Experis reviewed the policies, processes, and safeguards deployed for each program against requirements defined in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act to identify compliance gaps. We also reviewed the organization and identified the specific roles and personnel with responsibilities affected by HIPAA and HITECH requirements and those likely to have direct interaction with protected health information to help scope the recommended actions.

Experis analyzed the information and identified potential issues and opportunities for improvement in the client’s environment. We developed a report that summarized the current compliance state, identified the primary gaps, and recommended actions to address each issue. The report also included the estimated impact and risk level associated with each recommendation so the client could prioritize improvements.

Results

Experis’s knowledge of the requirements, experience with validating privacy and security compliance, and familiarity with leading practices in privacy and security controls helped the client develop a deeper understanding of its compliance requirements and added significantly to the delivered value of the work.