 |
|
|
Tactical Execution of Privacy Assessment
Tactical methodology with major milestones and The Valla Group
and Client activities are detailed below. Activities are completely customizable
based on extent of engagement and Client needs/requirements.
1. Baseline understanding of organizational awareness/readiness
via Customized HIPAA Privacy Questionnaire
| The
Valla Group |
Client |
| · Create questionnaire
for layman usage |
· Identify target
audience |
| · Disseminate questionnaire |
· Assist in customization of questionnaire
to accommodate the HMNMH culture and process |
| · Answer follow-up
questions from target audience |
· Support and communicate
the importance of the completeness and accuracy of questionnaire responses |
| · Assimilate responses |
· Analyze validity of responses |
| · Follow-up on incomplete
responses |
|
| · Quantitative baseline analysis by
department and responses |
|
| · Draw baseline
conclusions and provide general recommendations |
|
2. Conduct one-on-one HIPAA Privacy interview advisory
sessions
| The
Valla Group |
Client |
| · Congregate like-discipline
clusters |
· Determine key
contacts for all departments |
| · Schedule interview times with all
discipline clusters |
· Assist in scheduling interview times
with key contacts |
| · Create interview
questions that specifically address baseline conclusions and nature
of department |
· Providing guidance
and feedback regarding context and content of interview information |
| · Provide educational materials to
introduce the concept of privacy and protected health information |
|
| · Recording and
systematically categorizing the information received as a result of
interviews |
|
| · Continual observation of general
practices during interview discussion sessions |
|
 Back
to Top
3. Inventory Protected Health Information (PHI) Automated
and Paper Systems
| The
Valla Group |
Client |
| · Provide educational
data sheet defining what a PHI storage system is |
· Encourage full
disclosure of all previously created systems documentation (e.g. systems
Y2K documents, systems inventory, etc.) |
| · Solicit voluntary revelation of
PHI computer systems and paper systems |
· Oversight committee, executive management
reinforce the importance of full disclosure of information during
process |
| · Work with IS to
identify network and commonly used systems |
· Maintain awareness
and analysis mode regarding systems and HIPAA and continue to communicate
discovered information to HIPAA team |
| · Leverage IS data systems inventories
documentation |
|
| · Conduct sessions
with discipline clusters to identify discrete and uncommon systems
(one-offs) and paper systems (e.g. logs, note cards, etc.) |
|
| · Create stratified PHI inventory
in criticality/ business essential order |
|
| · Emphasize systems
that are more vulnerable regarding privacy |
|
4. Existing Privacy Policies and Procedures Inventory
and Determination Review
| The
Valla Group |
Client |
| · Provide guidelines
for determining which existing Policies and Procedures may need additional
HIPAA language |
· Coordinate Policies
and Procedures review team |
| · Collect and correlate all global
health system Policies, Procedures, Consents, and Authorizations |
· Recruit internal expertise to participate
in Policies and Procedures strategic review session |
| · Collect and correlate
all department-specific/created Policies, Procedures, Consents, and
Authorizations |
· Ensure all Policies,
Procedures, Consents and Authorizations have been collected |
| · Conduct review of all employee access
areas (e.g. intranet, internal systems, etc.) Policies, Procedures,
Consents, and Authorizations |
· Provide space and supplies for Policies
and Procedures strategic review sessions |
| · Create HIPAA comparative
tool to illustrate results of analysis |
|
| · Conduct Policies and Procedures
strategic review sessions |
|
| · Assimilate results
into quantitative document to determine current state |
|
| · Identify gaps or missing Policies,
Procedures, Consents, and Authorizations |
|
Back
to Top
5. External Business Relationships Inventory and PHI Applicability
Determination
| The
Valla Group |
Client |
| · Educate health
system staff on the definition of external business relationships,
including: business associate, trading partner, chain of trust |
· Reinforcing importance
of activity and encourage full and timely disclosure from stakeholders |
| · Obtain vendor/external business
relationship entities from internal systems and aggregate common relationships
across functions/clusters |
· Leverage immediate education opportunities |
| · Leverage Materials
Management and Accounts Payable Systems to identify bulk of external
business relationships |
· Follow up with
missing demographic information |
| · Leverage any internal existing contract
management systems |
· Assist with data entry |
| · Solicit client
to identify external business relationships |
|
| · Enter identified business relationships
into proprietary Valla Group software tool for analysis |
|
6. Privacy Assessment and Gap Analysis Formal Documentation
& Presentation
| The
Valla Group |
Client |
| · Identify Privacy
Assessment central themes |
· Preview final
presentation with key stakeholders who validate findings and provide
feedback |
| · Produce formal documentation with
visual, qualitative, and quantitative data |
· Coordinate final presentation to
oversight entity |
Back
to Top
|
|
|
