The Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment was engaged to lead HIPAA Security Rule risk assessments for several U.S. entities owned by a German-based medical device company.

Recent changes in the business operations of these companies raised potential HIPAA implications and created the need for an initial risk assessment. The team's initial work focused on the technical, administrative and physical safeguards required under HIPAA's Security Rule. Strengthening those safeguards and analyzing each company's security and data privacy practices led to a broader engagement to design and implement a complete privacy program across each of the U.S. companies. FTI's work eventually grew to include privacy solutions for entities in India and for the client's German headquarters.

Our Role:

FTI conducted detailed on-site reviews of the client's administrative, technical and physical privacy and security controls. Policies were reviewed to inform an in-depth report of potential risks and of the changes needed to align with regulatory standards. These assessments gave the client and FTI's team important insight into the key areas the new privacy program would need to address.

Early in the project, FTI's team also worked closely with outside counsel to establish consistent definitions of what data would and would not be considered PHI and which business operations were potentially in scope for CCPA. As part of this foundational work, FTI developed a framework based on NIST standards to help the client understand the key elements that would need to be part of the privacy program. For example, a data map was developed to serve as the source of truth for all instances and uses of data generated across the organization's 178 unique systems and 12 entities in the U.S., Canada and Mexico.

Working with the CISO, FTI led a privacy assessment of one company's software development lifecycle, which quantified its maturity level and provided specific recommendations for further incorporating Privacy by Design into its processes.

The privacy program roll-out also included designing and implementing a NIST-based privacy framework to serve as the foundation for the client's privacy program going forward. This spanned setting up a records-of-processing system and supplementing it with information gathered during the data mapping effort; developing a privacy impact assessment (PIA) process for vendors, marketing, software development and other activities, so that risk is assessed against a consistent set of criteria on an ongoing basis; updating privacy policies and notices; creating an incident handling playbook; and defining roles and workflows for handling data subject access requests. Additionally, FTI built on the client's existing data protection training program to provide training modules specific to CCPA and other data privacy requirements. The team also led refreshes of the HIPAA assessments and provided HIPAA advisory services to help design new business processes. The team continues to provide ongoing services to manage the new privacy program.