Enterprise MVP Jumpstart


This Engagement helps customers jumpstart the solution required to comply with the three most insidious and disruptive requirements under §164.524 of the Proposed Privacy Rule of 2021, referred to herein as the right to access and inspect. This product is only offered as part of our Subscription.


  • Provides a vehicle to drive organizational change
  • Compresses the time to make strategic decisions
  • Trains key stakeholders regarding disruptive enterprise changes
  • Provides an in-depth summary of the Rule’s modifications to improve stakeholders’ understanding
  • Trains the trainer so that additional stakeholders can be trained (e.g., POC staff)
  • Reviews three Enterprise MVPs™ in depth, including critical processes and legal decisions
  • Reviews Mini-MVPs™ demonstrating the value to POC staff, including requisite policies, training, patient encounter methodology, and how liability can be avoided
  • Introduces the senior management team, in-house counsel (“SMT”), and other key stakeholders to process definitions (e.g., Swimlane diagrams) and supporting documentation
  • Discusses and demonstrates why MVPs™ drive all implementation requirements
  • Discusses and demonstrates other expansive rights contained in §164.524 of the Rule
  • Provides “Tweaks” to MVPs™ to better align with the customer’s operational environment
  • Defines the methodology for achieving deliverables in an elapsed time of approximately 3 weeks


  1. The Patient has the right to request an inspection of their PHI at the time of an appointment at the POC “to view, take notes, take photographs, and use other personal resources to capture their information.” This right is the most disruptive for several reasons: (a) POC staff must be prepared to allow the request; (b) the patient has not previously specified the PHI scope; (c) there is no time to gather the PHI requested; and (d) POC staff, if not trained properly, may create liability instead of mitigating it. The request must be honored because the Rule requires it, and it is constrained only by the “readily available” standard (e.g., EHR, Portal, PCs, Laptops, etc.). The 2013 Omnibus Rule made clear that a designated record set is more than the EHR and may include electronic documents such as those found in Word, Excel, PDFs, etc. Our Mini-MVP™, derived from its Enterprise MVP™, establishes all POC staff requirements, including policies, training, time allocation, the definition of “readily available,” and legal considerations that POC must be aware of.
  2. The Patient has the right to request to inspect with Notice, “arranging a convenient time and place” (e.g., medical records facility) with the provider, which also allows the patient “to view, take notes, take photographs, and use other personal resources to capture their information.” This right is inferred from the NPRM’s guidance. The “readily available” standard does not apply. It implies that, when “arranging a convenient time and place,” a provider can inquire regarding the patient’s PHI scope. This right to inspect likewise does not specify the time a patient must be allotted. Our Enterprise MVP™ for this right provides the patient with additional time to inspect PHI because a medical records facility is less disruptive to a provider’s operations (example from NPRM). Again, our Mini-MVP™ contains all requirements for this right. The time decision, together with the legal analysis and rationale to support it, using the Rule’s balancing act standard, is likewise contained within its corresponding Mini-MVP™.
  3. Access to PHI (without inspection) is analogous to the old Privacy Rule’s right to access, except that the timeframe has been cut from 30 to 15 days, with one 15-day extension. The clock on the fifteen days starts ticking as soon as the provider receives the patient’s request.

The rights above were selected from others required by the new Rule because they are the three most likely to lead to OCR audits, CMPs, and other liability yet unforeseen (e.g., class action lawsuits).


  1. Meet with the senior management team (“SMT”) to (a) confirm deliverables; (b) confirm methodology; (c) confirm the need for a dedicated customer project manager; (d) identify a maximum of 8 additional customer stakeholders that would participate; (e) set expectations of SMT during kickoff training, during the interviews, and in the facilitated session; (f) confirm SMT’s understanding of “Us Plus Three”; and (g) confirm 3LP’s rationale for accepting or rejecting “Tweaks.”
  2. Conducted virtually using GoToMeeting, a more robust Zoom application.
  3. Conduct a two-hour training session.
  4. Conduct and record one-hour interviews with key stakeholders asking for modifications that meet 3LP’s threshold for Tweaks.
  5. Make the modifications to MVPs™ that satisfy 3LP’s threshold (e.g., modifications to the Swimlanes and supporting documentation); performed by PM with 3LP review.
  6. Two-hour facilitated session after interviews to gain consensus on “Us Plus Three” MVPs™.
