OCR Newsletter on Gap Analysis Offers Reminders on Risk Plans

HIPAA covered entities and business associates know they must perform a risk analysis of the electronic protected health information they maintain, to comply with the security rule.

Specifically, the requirement is for “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].”

Even though it is a basic requirement, conducting the analysis—and creating the risk management plan needed to address the identified risks—is still something organizations struggle with. That was confirmed by the audit findings the Office for Civil Rights (OCR) recently released (RPP 5/18, p. 1).

But say for the sake of argument that the risk analysis and management plans are done. One way to determine whether they’ve actually resulted in compliance with the safeguards required by the security rule, according to OCR, is to conduct a gap analysis.

“A gap analysis, while not required by the HIPAA Rules, is a useful tool to identify whether certain standards and implementation specifications of the Security Rule have been met,” OCR says in a recent edition of its monthly “cyber awareness” newsletter.

Here’s the difference between the two, says OCR:

◆ “A risk analysis is a comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.
