CACI's Approach To HIPAA Compliance Impact/Risk Assess

The impacts/risks associated with the Health Insurance Portability and Accountability Act of 1996 cross many boundaries in healthcare. They range from clinical and business functions to information security practices, information technology, facilities and policies and procedures.

The CACI and Phoenix Health Systems Impact/Risk Assessment builds a high level roadmap for successful HIPAA planning and subsequent compliance activities. It is the economical first step in understanding the basic magnitude of HIPAA's enterprise-wide implications.

What type of organization can benefit from CACI's HIPAA compliance impact/risk assessment?

• Needs to get a pulse on general HIPAA compliance gaps and implications
• Wants a secure environment to protect the confidentiality of patient information
• Wants to avoid significant financial and criminal penalties for wrongful disclosure of patient information and to reduce its risks
• Believes that protecting patient information makes good business sense, even without HIPAA
• Is concerned with the proliferation of non-standard health care transactions, diagnosis and procedure codes and provider numbers
• Wants to protect previous investments and seek opportunities to increase productivity
• Needs a basis for decision making and directing its HIPAA readiness and compliance activities

The assessment consists of 12 areas (Click on a link to see sample questions for that area)

• It features the Information Security and Health Information Management components of HIPAA. They determine the general state of organizational and technical security to protect patient information and confidentiality.
• Other HIPAA components are examined to determine general regulatory compliance for Healthcare Identifiers and Standardization of Code Sets (diagnosis and procedure).
• Finally, a number of areas critical to achieving and maintaining HIPAA compliance are assessed
5. Awareness
6. Facilities and Infrastructure
7. Physician's Office
8. Financial Data
9. General Organizational Issues
10. Project Management
11. Risk Management
12. Vendor/Trading Partner Management

Major deficiencies and gaps are noted and recommendations developed for further action. Our report provides management with an opinion of what major areas the organization may need to focus resources on to comply with HIPAA regulations and reduce its current level of impact/risk.

A routine assessment will generally include, among other activities

• A high level review of current security practices, access controls and related policies and procedures to protect patient privacy
• A general analysis of current Internet and/or intranet security provisions.
• A general review of the use of electronic transactions, formats and the general compliance with X12 standards
• A review of the incidence of multiple provider number schemas and proliferation throughout enterprise
• An identification of major HIPAA compliance gaps and areas requiring further in-depth analysis

Also, at the conclusion of a routine assessment a customer will receive an on-site presentation of assessment findings which includes

• A high level summary of the organization's existing HIPAA compliance state
• The identification of major gaps and associated organizational impacts/risks
• The identification of opportunities for immediate improvements.
• A prioritized list of HIPAA related opportunities and challenges

Summary

CACI's HIPAA compliance impact/risk assessment offering is an adaptation of it's tried and proven software development project risk assessment methodology. It is a high level consulting service with predefined work plan and deliverables and may last from two to six weeks.

It was created in response to client requests for effective and economical consulting services that provide a high level assessment of a specific operational, business or technical functions or processes as they exist today. This service is an unparalleled value at an exceptional cost.