Service Overview
Many businesses face security and privacy compliance requirements. Understanding the path to compliance can be difficult, and a lack of clarity can lead to controls that are too expensive or overbearing, or, at the opposite end of the spectrum, simply not adequate or reasonable. The resulting gaps may cause anything from minor inconvenience to significant damage, and they may result in severe financial penalties, loss of public trust, and damage to corporate reputation.
This HIPAA Privacy Assessment provides a comprehensive evaluation of the Client's compliance and a plan for effectively mitigating any gaps identified.
Objectives
The objectives of this initiative are as follows:
- Assess the need for and timing of compliance with the HIPAA Privacy Rule (§164.502 to §164.530), and identify the gaps that stand in the way of it.
- Review policies, processes, and procedures for regulatory compliance.
- Evaluate the organization's ability to operationalize regulatory requirements.
- Develop a preliminary set of findings, with actionable, reasonable recommendations to address any gaps identified.
Methodology
This HIPAA Privacy Assessment consists of the following phases:
- PLANNING
  - Identify key resources required for the project and the anticipated level of effort
  - Develop a project plan and calendar, including agreement from the organization on project tasks and timeline
  - Conduct a formal project kickoff meeting to gain an understanding of the current organizational structure that supports decision-making around privacy-related matters
- INFORMATION GATHERING
  - Identify key areas for improvement relative to the HIPAA Privacy Rule
  - Meet with the Client to gain an understanding of current controls and procedures throughout the organization's systems subject to the HIPAA Privacy Rule, and understand:
    - How the organization operates, where data is collected, and why
    - The current privacy governance structure within the organization
    - What policies, procedures, processes, and frameworks exist within the organization for storage, collection, protection, transfer, backup, and deletion of protected data
    - When, and under what circumstances, HIPAA data is disclosed
    - The documentation of the relevant processes and controls
  - Conduct interviews with key data and process owners to understand the organization's current data privacy controls and procedures
- ANALYSIS AND REPORTING
  - Establish a baseline against the HIPAA Privacy Rule
  - Analyze the information gathered via documentation reviews and interviews to validate that the organization's policies and procedures address the requirements of the HIPAA Privacy Rule
  - Identify and prioritize gaps and optimization opportunities in processes, policies, procedures, and documentation
  - Develop a written report outlining our observations, opportunities for improvement, and summaries of findings
  - Develop recommendations for remediation of any gaps or non-compliance
- PRESENTATION
  - Present the findings to the Client
Deliverables
DeepSeas will produce the following deliverables:
- KICKOFF MEETING - DeepSeas will host a kickoff meeting to conduct introductions and familiarize the Client with the initiative. This meeting will be no longer than sixty (60) minutes and it is intended to review the objectives, methodology, scope, and deliverables in the Statement of Work.
- SUMMARY FINDINGS - DeepSeas will deliver a report summarizing the findings, with mitigation recommendations related to the initiative.
Client Responsibilities
The Client is responsible for completing the following tasks, in accordance with the agreed-upon timelines established as part of the project plan.
- The Client will assign a point of contact (POC) responsible for Client coordination and logistics.
- The Client is responsible for scheduling and coordinating internal Client resources for all project work.
- The Client is responsible for the approval and implementation of draft documents within their organization.