Privacy Consulting Services

Axiom has more than ten years of privacy support experience, including successfully implementing and managing the privacy program for the Defense Health Agency (DHA) (formerly the TRICARE Management Activity [TMA]) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Program of the Military Health System (MHS). Our work for the MHS, the nation’s largest integrated healthcare delivery system, includes providing privacy support services for the Department of Defense’s (DoD’s) TRICARE health plans. These health plans provide integrated, affordable, and high-quality health services to MHS beneficiaries. Currently, we are supporting the State of South Carolina Department of Administration’s Division of Information Security (“DIS”) and Enterprise Privacy Office (“EPO”) as a Lot 7 vendor on the Managed Security Services (MSS) contract, helping State agencies establish information security and privacy services and providing technology and service recommendations for use by State agencies.

We possess strong project management skills, extensive consulting experience and high degrees of expertise in information privacy, including the Privacy Act of 1974 (Privacy Act), HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act breach reporting requirements, the Affordable Care Act and privacy-related Office of Management and Budget guidance.

Our experience includes standing up new offices based on overarching federal laws, regulations and policies. Time and again, Axiom has been entrusted to facilitate the implementation of new privacy offices, help determine overarching regulatory requirements, implement privacy risk management strategies, create standard operating procedures (SOPs), develop and implement communication plans and materials, and develop training programs.

Axiom’s Privacy Consulting Support Services include:

  • Privacy Impact Assessment Services
    • Conduct privacy program reviews for compliance with best practices and privacy laws and regulations
    • Develop frameworks to support impact assessment requirements in conformance with applicable legal, regulatory, and policy requirements for privacy
    • Perform privacy impact assessments and create assessment reports detailing the findings and recommendations for remediation
  • Privacy Training Development and Delivery Services
    • Develop customized role-based privacy training and awareness materials (e.g., web-based training, PowerPoint presentations, videos) to support training requirements
    • Support the delivery of privacy training
  • Enterprise Privacy Communication Management Services
    • Identify stakeholders and end-user communities to receive privacy-related communications
    • Develop privacy-related communication plans and surveys
  • Risk Assessment Assistance Services Specifically Related to Privacy
    • Develop frameworks to support privacy risk assessment requirements in conformance with applicable legal, regulatory, and policy requirements for privacy
    • Perform privacy risk assessments and create assessment reports detailing the findings and recommendations for remediation
  • Data Inventory and Classification Services
    • Support the development of frameworks, tools and processes to perform data inventory and classification in accordance with the organization’s data classification schema
    • Complete data inventory and data classification in accordance with the organization’s data classification schema, and recommend safeguards appropriate to the data classification
    • Interpret discovery tool findings and provide recommendations, including impact on data inventory and data classification
  • Privacy Program Development and Compliance Consulting Services
    • Provide subject matter experts with relevant privacy program design, development and implementation experience in state and local government domains to support privacy program development initiatives
  • Privacy Incident Response Management Services
    • Provide subject matter expertise for incident management and the incident management process
    • Conduct investigations of incidents involving the suspected or actual loss of control, or unauthorized acquisition, access, use, or disclosure, of personally identifiable information
    • Provide guidance regarding evaluation and analysis of incidents to determine appropriate response to privacy incidents
    • Provide support to ensure all response actions are appropriately documented
    • Ensure all legal and regulatory requirements are met during investigation (e.g., State of SC law, U.S. law, Federal regulation, EU regulation, HIPAA)
    • Provide guidance regarding management and coordination of the communication strategy/plan, including drafting communications with appropriate messaging that meet legal requirements (including harm remediation strategy)
    • Support communications and inquiries with third parties, third-party counsel and regulatory bodies
    • Support development and implementation of appropriate remediation of incidents
    • Develop privacy incident mitigation plans
    • Develop and manage privacy incident crisis communications
    • Assist with individual notification process including, determining notification requirements based on applicable laws and regulations, identifying affected individuals, coordinating notification (e.g., mailings, call centers, and media announcements)
    • Maintain inventory of legal and other requirements (contract/policy)
    • Track management of incidents to ensure appropriate/timely handling
    • Obtain incident metrics
    • Develop and implement testing plans and exercises/drills
    • Assist with the execution of crisis management plans during a critical incident, including development of communications