🔍 Phase 0 • 2-4 weeks

Phase 0: HIPAA Readiness Assessment

Before diving into implementation, you need to understand where the organization stands today. This phase establishes the baseline: What systems contain ePHI? Who has access? What policies exist? What are the biggest gaps? Think of this as the diagnostic phase — just like a doctor examines a patient before prescribing treatment, you must assess the organization before prescribing compliance actions.

🎯 Objectives

  • Identify all systems, applications, and databases that create, receive, store, or transmit ePHI
  • Determine whether the organization is a Covered Entity, Business Associate, or both
  • Catalog all existing privacy and security policies, procedures, and documentation
  • Identify key stakeholders and establish the compliance project team
  • Create a preliminary scope and timeline for the full HIPAA compliance program
  • Understand the organization's current compliance posture and biggest risk areas

Organizational Classification and Scope Definition

Determine the organization's exact HIPAA classification. Is it a Covered Entity (a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction such as claims or eligibility checks)? A Business Associate? Both? This determines which HIPAA rules apply and the scope of your compliance program. Interview executives and review the organization's charter, services, and contracts to make this determination. Also identify all subsidiaries, departments, and locations that handle PHI; if only part of the organization performs covered functions, note whether a hybrid entity designation is appropriate.

🎓 Beginner's Note

If you are unsure whether the organization qualifies as a Covered Entity or Business Associate, start with this question: 'Does this organization handle any information about a person's health, healthcare services, or healthcare payment that could identify who that person is?' If yes, then ask on whose behalf it handles that information. A provider, health plan, or clearinghouse handling it for its own patients or members is a Covered Entity; a company handling it on behalf of one of those is a Business Associate. Identifiable health information handled outside those roles, such as an employer's own personnel records, is generally not PHI under HIPAA, even if other privacy laws apply to it.

💡 Consultant Tips

  • Many organizations are surprised to learn they are Business Associates: any company that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity qualifies, and since the 2013 Omnibus Rule so does any subcontractor that does the same on behalf of a Business Associate
  • A healthcare system that also sponsors a self-insured employee health plan may be a Covered Entity twice over, once as a provider and once as a group health plan, with separate compliance obligations for each; it may additionally be a Business Associate if it performs services such as billing for other Covered Entities
  • Document your classification determination and the reasoning behind it — OCR may ask for this
  • If the organization is a Business Associate, obtain copies of all BAAs they have signed with Covered Entities to understand their contractual obligations

ePHI Data Flow Mapping

Create a comprehensive map of how ePHI flows through the organization. Document every system that creates, receives, stores, processes, or transmits ePHI. Include internal systems (EHR, billing, lab systems, email), external connections (insurance companies, pharmacies, labs, clearinghouses), and the people and processes that move data between systems. This is the foundation of your risk analysis.

🎓 Beginner's Note

Start by asking: 'If I were a patient record, where would I travel from the moment I am created to the moment I am archived or destroyed?' Follow the data through every system, every handoff, every backup copy. You will almost certainly discover ePHI in places no one expected — personal email inboxes, shared network drives, old backup tapes in a closet.

💡 Consultant Tips

  • Interview IT staff, clinical staff, billing staff, and administrative staff — each group interacts with different ePHI systems
  • Do not forget about shadow IT: spreadsheets on desktops, personal email forwarding, USB drives, paper records that get scanned
  • Map data flows visually using a flowchart or data flow diagram — this makes it much easier to identify gaps
  • Include both structured data (databases, EHR) and unstructured data (scanned documents, faxes, clinical notes, voicemails)
  • Document the physical locations where ePHI is stored, including cloud environments and backup locations
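The 'where would a patient record travel' exercise is interview-driven, but the unexpected copies it warns about (shared drives, desktops, exported spreadsheets) can also be found by scanning. The script below is an added example, not part of the original page or of any particular product: it walks a directory tree for text-like files and reports heuristic PHI indicators (SSN, MRN, DOB and member-ID labels), redacting the matched values so the assessment report itself does not become a new ePHI store. The indicator patterns, the file extensions it reads and the sample files it builds are constructed assumptions for the demonstration.

```python
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Heuristic indicators of PHI in unstructured text (assumed patterns for this example).
# They are indicators, not proof: an SSN in a payroll export is PII in an employment
# record, which HIPAA excludes from PHI, so every hit still needs a human to classify it.
INDICATORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "member_id": re.compile(
        r"\b(?:member|subscriber|policy)\s*(?:id|#|no\.?)[:\s]*[A-Z0-9]{6,12}\b", re.IGNORECASE
    ),
}

# Only plain-text formats are read here; office documents, PDFs and scanned faxes need
# text extraction (and OCR) before the same patterns can be applied to them.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".eml", ".md", ".json"}


@dataclass(frozen=True)
class Finding:
    path: str       # relative to the scanned root
    indicator: str  # key from INDICATORS
    count: int      # number of matches in the file
    sample: str     # first match, redacted: enough to verify the hit, not enough to reuse it


def redact(value: str) -> str:
    """Mask everything but the last two characters so the report does not carry PHI."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def scan_text(text: str) -> dict[str, list[str]]:
    """Return every indicator that fires on the text, with the raw matches."""
    return {name: rx.findall(text) for name, rx in INDICATORS.items() if rx.search(text)}


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory (for example a mounted shared drive) and collect redacted findings."""
    findings: list[Finding] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:  # unreadable file: permissions, broken symlink, etc.
            continue
        for name, hits in scan_text(text).items():
            findings.append(Finding(path.relative_to(root).as_posix(), name, len(hits), redact(hits[0])))
    return findings


# Constructed sample tree standing in for a shared drive; nothing here is real data.
SAMPLE_FILES = {
    "Finance/payroll_2023.csv": "employee,ssn,salary\nJ. Doe,123-45-6789,52000\n",
    "Shared/referrals/fax_2024-03.txt": "Patient: J. Doe  DOB: 04/12/1961  MRN: 00481516\nReferred for MRI, lumbar spine.\n",
    "Users/rsmith/Desktop/claims_followup.txt": "Member ID: ABC123456789 denied, resubmit with modifier 25.\n",
    "IT/server_build.md": "# Build notes\nInstall agent, reboot, join domain.\n",
}


def build_sample_tree(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> list[Finding]:
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path:45} {f.indicator:10} x{f.count:<3} e.g. {f.sample}")
```

Point `scan_tree()` at a mounted share instead of the sample tree to use it for real. The payroll hit in the output is deliberate: it shows why the scanner's output is an input to the interviews, not a substitute for them, since the same number is PHI in a referral fax and an excluded employment record in an HR export.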

Existing Policy and Documentation Review

Collect and review all existing policies, procedures, and documentation related to privacy, security, and compliance. This includes IT security policies, acceptable use policies, incident response plans, business continuity plans, vendor management procedures, employee handbooks (for privacy provisions), and any existing BAAs. Determine what exists, what is current, what is outdated, and what is missing entirely.

🎓 Beginner's Note

Do not be surprised if the organization has very few documented policies. Many healthcare organizations, especially smaller practices, operate on informal processes and tribal knowledge. That is exactly why they need your help. Document what you find (or do not find) — every gap is an item on your implementation roadmap.

💡 Consultant Tips

  • Create a document inventory spreadsheet tracking: document name, version, last updated date, owner, HIPAA requirement it addresses, and gap assessment status
  • Many organizations have policies that exist on paper but are not actually followed in practice — note these gaps
  • Look for policies that conflict with each other or with HIPAA requirements
  • Check if the organization has ever had a HIPAA audit, OCR investigation, or breach — those records are invaluable for understanding the current state

Stakeholder Identification and Team Formation

Identify all key stakeholders who will be involved in the HIPAA compliance program. Form the core compliance team. At minimum, you need an executive sponsor, a Privacy Officer (or candidate), a Security Officer (or candidate), IT leadership, clinical leadership, HR, legal counsel, and compliance staff. Define roles, responsibilities, and meeting cadences.

🎓 Beginner's Note

HIPAA requires a Covered Entity to designate a Privacy Officer (the Privacy Rule's 'privacy official') and requires both Covered Entities and Business Associates to designate a Security Officer (the Security Rule's 'security official'). In small practices, these can be the same person. In hospitals and health systems, they should be separate roles. These are not just 'nice to have' titles: OCR will specifically ask who holds these roles during any investigation.

💡 Consultant Tips

  • The executive sponsor must have real authority — ideally the CEO, COO, or CMO. Without executive support, compliance programs stall
  • The Privacy Officer and Security Officer designations are required by HIPAA and must be documented; if no one currently holds these roles, identify candidates immediately
  • Include at least one frontline clinical staff member on the team — they understand the daily workflow impacts of compliance requirements
  • If the organization does not have in-house legal counsel with HIPAA expertise, recommend engaging outside healthcare counsel

Business Associate Inventory

Create a complete inventory of all third parties that have access to PHI. This includes IT vendors, cloud service providers, billing companies, collection agencies, consultants, attorneys, accountants, shredding companies, transcription services, answering services, and any other entity that performs a function involving PHI. For each, determine if a current BAA is in place.

🎓 Beginner's Note

This activity almost always reveals surprises. Common missed Business Associates include: the answering service that takes after-hours patient calls, the IT support company that has remote access to systems, the copier/printer leasing company (copiers have internal hard drives that store copies of everything scanned or printed), and the cloud backup service.

💡 Consultant Tips

  • Review accounts payable records to identify all vendors; any vendor that creates, receives, maintains, or transmits PHI on the organization's behalf needs a BAA (the main exception is a true conduit, such as a courier or an ISP that merely transmits data and does not store or access it)
  • Do not forget about cloud services: if the organization uses Google Workspace, Microsoft 365, Dropbox, or any other cloud platform for PHI, a BAA is required. The major providers offer one, but it typically has to be explicitly accepted or signed by the customer and covers only specified services and plan tiers, so confirm that the services actually holding PHI fall within the BAA's scope
  • Check that BAAs are current, properly executed by both parties, and contain all provisions required by 45 CFR 164.504(e) as updated by the 2013 Omnibus Rule (for example, the Business Associate's duty to report breaches of unsecured PHI to the Covered Entity and to flow the same requirements down to its subcontractors)
  • Create a BA tracking spreadsheet: vendor name, service, PHI accessed, BAA status, BAA date, review date
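The ePHI data flow map from the earlier section and the Business Associate inventory above are usually kept as separate spreadsheets, which is exactly where gaps hide: a vendor that appears on the diagram but has no BAA row, or a BAA with a vendor nobody can place on the diagram. The script below is an added example, not part of the original page, that keeps both in one small model, renders the map as Graphviz DOT for the visual deliverable, and cross-checks the two. The systems, flows, vendor names and dates are constructed for the demonstration, and rendering the output with the `dot` command assumes Graphviz is installed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    owner: str        # internal department, or the third party that runs it
    external: bool    # True if operated by a third party (a potential Business Associate)
    location: str     # where the ePHI physically sits: site, cloud region, vendor-hosted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str         # which ePHI moves, e.g. "837 claims", "lab results", "full backups"
    transport: str    # how it moves; a transport containing "cleartext" is flagged below


@dataclass(frozen=True)
class BAA:
    vendor: str       # must match System.owner for the vendor's systems
    executed: bool    # fully signed by both parties
    signed: str       # ISO date of the executed copy, or "" if none


# Constructed sample inventory for a small practice. All names are hypothetical.
SYSTEMS = [
    System("EHR", "Clinical Informatics", False, "On-prem data centre, Building A"),
    System("Billing", "Revenue Cycle", False, "On-prem data centre, Building A"),
    System("ClaimsHub", "ClaimsHub Inc.", True, "Vendor-hosted"),
    System("RegionalLab", "Regional Laboratories LLC", True, "Vendor-hosted"),
    System("CloudVault", "CloudVault Backup", True, "Cloud, us-east"),
]

FLOWS = [
    Flow("EHR", "Billing", "encounter charges", "TLS 1.2, internal API"),
    Flow("Billing", "ClaimsHub", "837 claims / 835 remittances", "SFTP"),
    Flow("RegionalLab", "EHR", "lab results (HL7 v2)", "MLLP over site-to-site VPN"),
    Flow("EHR", "CloudVault", "nightly full backups", "TLS 1.2, vendor agent"),
    Flow("Billing", "FileShare", "aging reports with patient names", "cleartext SMB"),
]

BAAS = [
    BAA("ClaimsHub Inc.", True, "2022-09-14"),
    BAA("CloudVault Backup", False, ""),   # draft sent to the vendor, never countersigned
    BAA("ShredCo", True, "2021-02-01"),     # paper shredding vendor; no ePHI flow expected
]


def to_dot(systems: list[System], flows: list[Flow]) -> str:
    """Render the map as Graphviz DOT: boxes are third parties, dashed edges are cleartext."""
    lines = ["digraph ephi_flows {", "  rankdir=LR;"]
    for s in systems:
        shape = "box" if s.external else "ellipse"
        lines.append(f'  "{s.name}" [shape={shape}, label="{s.name}\\n{s.owner}\\n{s.location}"];')
    for f in flows:
        style = "dashed" if "cleartext" in f.transport.lower() else "solid"
        lines.append(f'  "{f.src}" -> "{f.dst}" [label="{f.data}\\n{f.transport}", style={style}];')
    lines.append("}")
    return "\n".join(lines)


def reconcile(systems: list[System], flows: list[Flow], baas: list[BAA]) -> list[str]:
    """Cross-check the flow map, the system inventory and the BAA inventory; return gap lines."""
    by_name = {s.name: s for s in systems}
    baa_by_vendor = {b.vendor: b for b in baas}
    gaps: list[str] = []

    # 1. Every endpoint on the flow map must be a catalogued system.
    for f in flows:
        for endpoint in (f.src, f.dst):
            if endpoint not in by_name:
                gaps.append(f"INVENTORY: '{endpoint}' appears in a flow ({f.data}) but is not a catalogued system")

    # 2. Every external system that touches ePHI needs an executed BAA with its operator.
    touched = {name for f in flows for name in (f.src, f.dst)}
    for s in systems:
        if not s.external or s.name not in touched:
            continue
        baa = baa_by_vendor.get(s.owner)
        if baa is None:
            gaps.append(f"BAA MISSING: {s.owner} ({s.name}) receives ePHI and has no BAA on file")
        elif not baa.executed:
            gaps.append(f"BAA UNSIGNED: {s.owner} ({s.name}) has a BAA on file that was never executed")

    # 3. A BAA with no mapped ePHI flow is not automatically stale (paper-only vendors), but verify it.
    mapped_vendors = {s.owner for s in systems if s.external}
    for b in baas:
        if b.vendor not in mapped_vendors:
            gaps.append(f"VERIFY: BAA with {b.vendor} but no ePHI flow mapped; confirm paper-only or update the map")

    # 4. Cleartext transports feed the transmission-security part of the risk analysis.
    for f in flows:
        if "cleartext" in f.transport.lower():
            gaps.append(f"TRANSPORT: {f.src} -> {f.dst} ({f.data}) uses {f.transport}")
    return gaps


if __name__ == "__main__":
    print(to_dot(SYSTEMS, FLOWS))          # save as flows.dot; render with: dot -Tpng flows.dot -o flows.png
    for gap in reconcile(SYSTEMS, FLOWS, BAAS):
        print("#", gap)
```

On the sample data the reconciliation surfaces five items: an uncatalogued file share carrying patient names, a lab vendor with no BAA, a backup vendor whose BAA was never countersigned, a shredding vendor to verify, and a cleartext transport. Each maps directly onto a row in the Preliminary Gap Assessment Summary deliverable.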

📦 Phase Deliverables

HIPAA Classification Determination Document (Covered Entity, Business Associate, or both)
ePHI Data Flow Map (visual diagram showing all systems, connections, and data movement)
Existing Policy and Documentation Inventory (with gap assessment)
Stakeholder Map and Compliance Team Charter
Business Associate Inventory (with BAA status for each)
Preliminary Gap Assessment Summary (high-level findings and risk areas)
Compliance Program Scope and Timeline Recommendation