HIPAA Business Process Review

The first step to HIPAA compliance is understanding where PHI resides in your environment.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA addresses the security and privacy of health care data. In addition, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and signed into law on February 17, 2009. The HITECH Act amended HIPAA with significant changes to data breach notification, enforcement, and penalties. SecureState’s HIPAA Business Process Review will audit your business and data flows, identifying all areas that fall under HIPAA purview.


A HIPAA Business Process Review will provide an objective, third-party review of your organization's business processes and how they may be impacted by HIPAA/HITECH. The assessment will document data flows and identify next steps in establishing a program to protect Protected Health Information (PHI). Understanding where and how your company uses PHI will help your organization avoid damages, often totaling millions of dollars, which could result from a breach.


SecureState has extensive knowledge and experience with the Department of Health and Human Services (HHS) HIPAA audit protocol and National Institute of Standards and Technology (NIST) security control frameworks, which are commonly used in government agencies and can be adopted by commercial organizations. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, is aligned with the HHS audit protocol and provides a framework against which HIPAA compliance can be successfully assessed. SecureState has been privileged to read formal audit reports. The insight gained from these reports allows SecureState to provide specific guidance to your organization on how best to implement security and align with CMS and OCR expectations.

Approach and Methodology

SecureState begins the HIPAA Business Process Review by documenting the in-scope HIPAA business process and its supporting technologies. We then perform a data flow analysis and map the HIPAA processes to the technical infrastructure. This exercise results in a well-defined scope that can identify potential areas of concern and can be used as the basis for next steps, which may include such activities as a HIPAA Gap Assessment or annual Risk Assessment. 
