HIPAA Gap Analysis for Healthcare Organizations


A HIPAA gap analysis is a crucial step for healthcare organizations in ensuring compliance with the HIPAA Security Rule. Why? An understanding of HIPAA gap analysis will help understand this question: HIPAA gap analysis is defined by the US Department of Health and Human Services (HHS) as a means to evaluate or assess the extent to which there are lacunae in the implementation by the Covered Entities or their Business Associates, of the safeguards or privacy controls set out by the Security Rule. It can be understood as an assessment tool which helps healthcare settings that come under HIPAA, to determine where they stand vis-à-vis compliance with the HIPAA Security Rule. So, a HIPAA gap analysis is a tool by which a HIPAA-administered healthcare entity examines whether it is taking all the prescribed steps to HIPAA compliance, identify the gaps, if any, and close them. It is a means to putting the organization on the path to HIPAA compliance. Ideal to consist of a set of questions As such, HIPAA gap analysis could ideally consist of a few queries about what all the healthcare organization has been missing in implementing its HIPAA Security Rule requirements. Some of the parameters a healthcare organization that comes under HIPAA Security Rule can use as a guide to assess the extent of its HIPAA gap include:  The extent to which the encryption and virus protection and other aspects of IT safety, are meeting expectations  The extent to which patient safety and privacy are prone to compromise  The best practices that its employees are implementing to secure ePHI. Issues that a HIPAA gap analysis is expected to address Expectedly, a HIPAA gap analysis should cover all of the areas that make the healthcare organization vulnerable to data breaches of this ePHI. These are some of them:  Assessment of the susceptibility of the ePHI to breaches  Steps to take to reduce this risk  The policies and procedures that need to be put in place to do this  A review system that is ongoing and continuous  Delegating the roles and responsibilities to the officers in charge of HIPAA implementation  Putting the necessary security documentation protocols in place  Recommending and implementing data backup and recovery procedures. Ways of performing a HIPAA gap analysis A HIPAA gap analysis can be performed by either the healthcare organization or a third party hired for this task. Entrusting this task to third parties requires a great deal of guarantees and safeguards of both a technical and legal nature. They both have their merits and disadvantages, and it is eventually up to the organization to decide which method suits it best. HIPAA gap analysis and Risk Analysis There is a considerably strong relation between HIPAA gap analysis and Risk Analysis. HIPAA gap analysis is the means to risk analysis and is not the same as, or quite as strong or mandatory as the latter. A HIPAA gap analysis is at best desirable for an organization and is not a HIPAA requirement, whereas risk analysis is. A Risk Analysis is more comprehensive and covers far more areas than a HIPAA gap analysis. A HIPAA gap analysis is not a substitute for Risk Analysis. The fundamental standpoint by which to understand the difference between HIPAA gap analysis and Risk Analysis is that a HIPAA gap analysis only evaluates and suggests what needs to be done to meet HIPAA compliance requirements, while Risk Analysis is a means to implement all that is needed.

Date Posted: 22 Aug 2018