HIPAA TIP: Risk Analysis Versus Gap Analysis

It should be no surprise to Covered Entities and Business Associates that a Risk Analysis is a requirement under the HIPAA Security Rule, § 164.308(a)(1)(ii)(A): conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the Confidentiality, Integrity and Availability (CIA) of electronic Protected Health Information (ePHI) held by the organization. As the Office for Civil Rights (OCR) states, a Risk Analysis is a comprehensive account of where ePHI is located in the organization and of the risks and vulnerabilities to that data.

A Gap Analysis is an optional evaluation that allows a Covered Entity or Business Associate to understand how well the controls it has put in place to satisfy the implementation specifications and required safeguards of the HIPAA Security Rule are actually meeting those standards.

Risk Analysis – HIPAA Security Rule requirement.

Gap Analysis – NOT a requirement but assists the organization in identifying areas of improvement or potential risks that may affect operations within the environment.

Once the Risk Analysis is completed and all implementation specifications have been reviewed, an organization needs to begin mitigating the high and medium risks. During this process, focus on what was identified as a risk.

Although the Gap Analysis is not a requirement under HIPAA, it should focus on the controls put in place to address the findings of the Risk Analysis. Think of the Risk Analysis as the “Current State” and the Gap Analysis as the “Desired State”.

HHS OCR Risk Analyses vs. Gap Analyses

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.