Biotechnology and Gene Therapy Company Required HIPAA and Privacy Program Evaluation

Background & Challenges

A biotechnology and gene therapy company operating in the United States, Europe, and Canada, with $220 million in revenue and 1,100 employees, hired BDO for a HIPAA and Privacy Program Evaluation. While the client had a mature IT operation, its privacy program was in its initial stages. The organization processed significant amounts of Protected Health Information (PHI) in its systems, so its privacy risk exposure was substantial. The organization needed a consistent, repeatable methodology for identifying privacy risks, prioritizing findings, and remediating issues.


BDO developed and operationalized a Privacy by Design and Default / Data Protection by Design and Default program, coordinating with IT and Security, to manage risk and compliance. The process included the intake and completion of impact assessments, identification of risks, and mitigation according to the organization's risk tolerance thresholds.

Client Impact

This collaborative approach reduced time and confusion among system owners and staff, ultimately creating much needed buy-in across the business to address privacy compliance objectives.