Assessment of HIPAA Processes and Procedures to Protect PHI

Industry: Managed Care/PBM
Problem: PHSI’s client was evaluating its HIPAA compliance throughout the organization as it relates to privacy and security. However, the client understood the need to reinforce with employees what PHI can and cannot leave the organization and to review the operational and technical safeguards in place when PHI leaves the organization.
PHSI Solution: Conduct a focused assessment to identify and document the following:

• Business reason for sending PHI
• Type of file/report/document
• Frequency (scheduled and/or ad hoc)
• Systems generating PHI
• Location of PHI on the client’s systems
• Method for distribution (email, SFTP, etc.)
• Process to validate PHI is delivered to the intended recipient
Results: PHSI prepared a twenty-question interview to review the client’s internal processes and procedures to help PHSI and the client identify potential HIPAA-related issues. PHSI conducted interviews to gain the perspectives of the client’s staff, focusing on different roles and various areas of responsibility. The staff members were part of the teams that were identified as potentially sharing or distributing PHI to outside parties. The selected interviewees used different systems within the client’s organization and had different business needs for sharing data containing PHI with their business partners. PHSI compiled all the interviewees’ responses and provided the feedback to the organization’s Privacy Officer. The survey results were used to reinforce HIPAA compliance and improve processes and procedures to protect PHI.