A HIPAA gap analysis, according to the U.S. Department of Health and Human Services (HHS) is “typically a narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule have been implemented.”
For medical groups, hospitals, compliance officers, and other organizations reliant on HIPAA privacy and security regulations, a gap analysis is an important tool to help gauge where your organization stands in relation to safeguards and healthcare compliance requirements. A gap analysis points out safety gaps by asking and answering several important questions, including:
- Are IT safety measures, such as virus protection and encryption, performing to expectation?
- Are there gaps in patient privacy and safety?
- Are employees following best practices to keep electronic protected health information (ePHI) safe?
Who should conduct a HIPAA Gap Analysis?
It might seem practical to rely on your staff – provided that they have experience in compliance evaluations on multiple occasions, but experience must include a detailed understanding of regulations and the ability to produce accurate reports. These reports, after all, will be used to close security gaps.
Relying on a reputable, third-party firm to run your risk analysis is a good course of action. A reputable consulting firm means the difference between some experience and expert level experience. With a gap analysis, you want experts who have done this many times as well as experts who will notice hard-to-detect breaches that are easy to miss.
Preparing for a HIPAA Gap Analysis
After you have assigned a third-party auditor or assembled a team, it’s time to prepare and assemble materials within your organization, including:
- Policies and procedures for compliance, especially in relation to how patient information is stored and disclosed.
- Copies of HIPAA and state law regulations kept handy for reference during the gap analysis.
- Existing insurance policies for coverage of breaches in HIPAA privacy compliance.
- Manuals, repair logs and inventory of IT systems and devices to learn how your current measures are protecting patient data.
- Employee training and policy manuals to make sure employees are receiving the best and latest information for HIPAA compliance.
Key issues addressed in a HIPAA Gap Analysis report
Understand that the report should cover security issues discovered through the gap analysis.
- Vulnerability assessment results.
- Security recommendations to reduce risk.
- Outline of worker sanctions for policy and procedure going forward, including emergency procedures.
- Clear procedures for ongoing system reviews.
- Identification of key officer responsible for supervision of ePHI access.
- Demonstrate how ePHI is separate from other operations.
- How security incidents are/were documented and emergency response protocols in place.
- Information on data backup procedures and recovery.
It’s important to note that data sharing is not limited to a single department when running a gap analysis.
The final report will give you the necessary tools to manage or improve risks, such as (1) putting security measures in place to diminish risks and close gaps, (2) implementing immediate policies or taking fast disciplinary action against employees who are not in line with security regulations, and (3) incorporating review procedures to regularly evaluate information system activity.
Why perform a HIPAA Gap Analysis?
Healthcare organizations that are subject to HIPAA regulations must routinely analyze and assess risks. Every healthcare provider who participates in the Medicare and Medicaid payment systems is required to have a functioning Corporate Compliance Program. Taking steps to measure and evaluate compliance processes should be an ongoing process. By assessing specific security gaps and taking corrective measures regularly, compliance becomes part of your infrastructure and operations. It is also a strong reminder for employees that all compliance regulations are taken seriously and each staff member is part of assuring sustainability.