May 9, 2018

When it comes to complying with the requirements of the Healthcare Information Portability and Accountability Act (HIPAA) regarding electronic protected health information (ePHI), don’t confuse a gap analysis with a risk analysis, the Office of Civil Rights reminds healthcare providers in a recent bulletin.

A gap analysis can help providers identify areas of vulnerability related to ePHI privacy and security, but it is not a substitute for the more comprehensive risk analysis and corrective action plan required under HIPAA.

The HIPAA Security Rule requires covered entities—and their business associates—to “conduct a thorough and accurate assessment of the risks and vulnerabilities to ePHI” as a first step toward identifying and implementing the appropriate safeguards in their practices and institutions.  Some organizations might think they have done all the necessary work to know where improvements are needed in order to protect their ePHI, when, in fact, what they have accomplished is only a gap analysis.  This work is only the beginning of the more detailed and in-depth examination required to complete a risk assessment and fully meet the rule’s provisions, the bulletin notes.

While useful, a gap analysis provides only a “high level overview of the controls in place that protect ePHI without engaging in the comprehensive evaluation required by a risk analysis,” according to the bulletin.  A gap analysis offers a narrowed review of the enterprise to determine whether certain safeguards required by the Security Rule are in place.  A risk analysis identifies specific vulnerabilities and risks across the enterprise for the purpose of following through with implementation of modifications and corrections to bring those risks to an appropriate and reasonable level.

Although the Security Rule does not require a specific methodology or format for the risk assessment, it does require that the risk assessment incorporate certain elements.  Following is a list of some of these key elements:

• The risk assessment should be wide in scope, including all of an entity’s ePHI regardless of electronic medium or where it is created, received, maintained or transmitted.
• Entities should consider all locations and information systems for ePHI in the risk assessment, including workstations and servers, applications, mobile devices, communications and equipment.
• Although the Security Rule does not dictate the frequency of risk assessments, they should be considered an ongoing process and be reviewed and updated regularly.
• Documentation of the risk assessment should demonstrate that it was conducted in a comprehensive and thorough manner.
• Organizations should assess and assign risk levels to the vulnerabilities identified so resources and corrective actions can be prioritized to address the most significant problems first.
• The risk assessment should identify technical as well as non-technical vulnerabilities, including incorrectly implemented information systems.

Additional components of a HIPAA risk assessment, a sample gap analysis and links to additional resources can be found here.