Case Studies

HIPAA Case Study I

My business partner required a GAP assessment for one of his clients. He is based in LA and required the assessment for a Chicago-based hospital. The GAP assessment was meant to determine the hospital’s compliance to HIPAA regulations.

Problems along the way:

The OCR conducts sample audits for the covered entities and business associates in the United States to determine their compliance to the set regulations. In case of non-compliance, these companies are required to pay heavy penalties.

The client, therefore, approached QE’s US-based business partner, who then proceeded to invite the Quality Edge CEO to participate in QE’s HIPAA audit. Herein, we worked with the CIO of the hospital as well as the Operational Unit Heads during the course of our assessment. This enabled us to obtain detailed and accurate results for the preparation of our report. With our timely GAP assessment, the client was more than prepared for the impending audit, which was to be conducted by the OCR.

Our Tasks Included:

1. My business partner prepared the required questionnaires for each of the hospital departments. These departments included HR, IT, Admin, Operational, and Training.

2. A security checklist was drawn up to assess the interviewees’ knowledge and understanding of current HIPAA regulations.

3. Each of the key people involved in the hospital, including the persons pivotal to the running of the establishment, along with the department heads, were interviewed individually as part of the audit. These interview sessions were thorough and lasted two days. They helped in the gathering of vital data for the assessment.

4. Moreover, my business partner also required the mapping of HIPAA regulations as per the guidelines set by ISO 27001.

5. The GAP analysis analysed the gap in security and privacy related matters. The report was jointly prepared in association with my business partner, and the latter then shared it with our client.

Our systematic and meticulous intervention thereby saved the hospital a considerable sum of money that would otherwise have been levied by the OCR due to its failure to meet the required HIPAA regulations.

HIPAA Case Study II

The second client was based in Mumbai, with a head office in the United States. They were developing healthcare applications for their US-based customer with whom they had also signed a Business Associate Agreement. Since their
customer was a covered entity, they required certification to become HIPAA compliant. A certification body who had previously certified them for ISO 9001 referred them to the Quality Edge Mumbai office.

This project was then jointly executed by QE in association with our US-based business partner.

Problems Along the Way:

Due to our client’s BAA signed with a US-based entity, they required the enforcement of HIPAA regulations. Furthermore, they even required a risk-assessment, as well as HIPAA Training and Services for their employees in order to ensure the implementation of these regulations.

Our Tasks Included:

1. Conducting an HIPAA GAP Analysis Assessment. This involved individual interview sessions of department heads as well as the key figures within the company. Department heads belonging to IT, HR, Admin, and Training were interviewed along with the CTO and COO of the enterprise. Each interview session was detailed and exhaustive. It helped in understanding the employees’ knowledge of HIPAA regulations, thereby generating the required data for the assessment.

2. A risk assessment was conducted as well to guarantee that our clients would have no future legal problems when dealing with their US-based customers.

3. Following this, a certification program was conducted for a team of 40 developers based in both, the United States and India. Through this, they each became a Certified HIPAA Administrator.

Here, QE was involved in identifying gaps in the client’s firm, and enabling them to become HIPAA compliant. This process involved suggesting best practices as per the guidelines set by HIPAA, and also providing technical expertise in various other areas. These included suggestions in implementation of Vulnerabilities Assessment, Penetration Testing, and improvements in Policies and Procedures.

The client made the required changes to their documentation and resent the same once the modifications were made in order to ensure that no further gaps were left behind. Thus, with our detailed and accurate assessment, our client was ensured of their adherence to HIPAA guidelines, thereby reducing any further complications in their business endeavours.

ISO 27001 Case Study

A private sector bank based in India approached QE for help in setting up the Information Security Framework as per the RBI guidelines. The IT arm of the bank was required to adhere to the parameters set within ISO 27001-2005.

They therefore required an end-to-end assessment with respect to ISO 27001:2005 requirements which included a GAP
analysis, Risk Assessment, Documented policies, processes, procedures, internal audit and management review .

The assessments were conducted solely by QE, Mumbai.

Problems Along the Way:

The top management within the bank needed to be convinced of the advantages of the ISO 27001-2005 certification. Due to the ever-changing guidelines, multiple assessments needed to be conducted in order to guarantee the proper functioning of the enterprise.

Our Tasks Included:

1. Conducting a GAP analysis in order to identify areas within the IT department of the bank which needed to be improved upon.

2. After the preparation of the GAP Analysis report, a presentation was created to identify the advantages of the ISO 27001-2005 certification.

3.This was then presented to the top management within the bank.

4. Convinced of its advantages, a risk assessment was conducted for the IT department as well. This involved various documented policies, procedures, and processes.

5. After having determined the scope of the ISO certification, it was finally implemented within the bank. This ensured continual betterment of the facilities provided, staff training, as well as the equipment used by the enterprise.

6. An internal audit was then conducted to ensure the proper execution of the documented processes as per ISO 27001 guidelines.

7. This was followed by the management review of the changes made and its consequent advantages for the bank staff as well as patrons.

8. Moreover, awareness training for the employees was also conducted in order to ensure that the bank provided the best customer service for its customers. This training also certified that the bank employees upheld the requirements set by the ISO certification as well as by the Information Security Framework mandated by the RBI.

Here, QE was able to suggest best practices and also identify risk-areas in need for immediate attention. This helped a well-established bank improve its business practices, which would consequently encourage more clients to approach the enterprise. With our timely certification as well as thorough assessments, the bank also possesses the credentials required to ensure its adherence to RBI guidelines.

The value addition of QUALITY EDGE resulted in the bank engaging QE for transition to ISO 27001:2013 standard. QE also conducts periodic DR audits by its team for the IT applications of the bank.

ISO 9001 Case Study

This client was based in Mumbai. His company employed a workforce of approx. 200 individuals, and approached Quality Edge for an ISO 9001 certification .This project was executed solely by QE, Mumbai with the help of its team.

Problems Along the Way: The company offered financial inclusion facilities. Since many of its vital systems needed to be systematic and process oriented, QE was entrusted to ensure setup of systems and processes for all its functions and departments. This included conducting a gap analysis, conduct ISO 9001 training, documentation of processes/procedures, internal audit and management review in order to warrant a continued adherence of the set guidelines.

Our Tasks Included:

1. Initiating an ISO 9001 certification program. This quality maintenance certification was imperative for better workforce practices as well as improved future business interactions. An ISO 9001 certification defines a certain standard of output due to its promise of good facilities, training, staff, services, and equipment. Therefore, with much-needed help from QE, the company was able to forge a more stable image within the  business world.

2. Conducting individual interviews of each department as well as key people within the enterprise was also essential. These interviews were extremely detailed and provided inputs for the GAP analysis report.

3. This was followed by the preparation of the GAP analysis report itself.Gaps within the company framework and daily functioning were identified by us and revealed to the client.These were then corrected to ensure the smooth functioning of the firm in the future.

4. Training of the staff was also undertaken by QE to guarantee the maintenance of the ISO 9001 guidelines in the daily working of the company. Here, QE was able to assure improved functioning of a company through documentation of processes and procedures.

5. An internal audit was conducted by QE to ensure that the organization adheres to laid down systems and procedures.By highlighting and improving on the gaps present within their system, workforce, and activities and with constant guidance from QE, the firm was able to meet the ISO 9001 certification standards..