OCR Says Gap Analysis Does Not Meet HIPAA Requirements


The HHS Office for Civil Rights (OCR) has issued guidance making clear that performing a gap analysis of an information system’s safeguards is not enough to meet the minimum requirements of the HIPAA Security Rule. While a gap analysis can be used to discover where problems exist in securing electronic protected health information (ePHI), it does not satisfy the risk analysis obligations under the Security Rule. Under the HIPAA rule, a covered entity or business associate must perform a risk analysis that encompasses the potential risks to all ePHI it creates, receives, maintains or transmits by any electronic medium, regardless of the source or location of the data.

A gap analysis typically provides a partial assessment of an entity’s enterprise and is often used to provide a high-level overview of what controls are in place to protect ePHI or to identify potential gaps where controls are not in place. Gap analyses may also be used to review an entity’s compliance with particular standards and implementation specifications of the Security Rule. OCR emphasizes that a gap analysis does not demonstrate an accurate and thorough assessment of the risks to all ePHI that an entity creates, receives, maintains, or transmits.

The HIPAA Security Rule requires covered entities such as health care providers, hospitals, and health plans to protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI they create, maintain, or transmit. It also requires that they put appropriate safeguards in place to reduce the risk from those security threats. The requirements of the Security Rule also apply to business associates, defined as contractors and vendors of covered entities who create, transmit, or maintain ePHI. The risk assessment is also a core requirement for eligible providers and hospitals seeking payment through the Meaningful Use EHR Incentive Program, which was recently renamed the Promoting Interoperability Program.

The Security Rule allows covered entities and business associates flexibility in developing measures to meet the requirements of its standards and implementation specifications, taking into account organization size and type, the complexity of the technology and infrastructure, the human element, and the cost of security measures. The starting point for determining what is appropriate and reasonable is a risk analysis of the systems and technologies that create, transmit, or store electronic protected health information (ePHI), carried out as part of a comprehensive process to safeguard the confidentiality, integrity, and availability of patient data.

CynergisTek’s Risk Assessment process specifically addresses regulatory requirements and helps organizations implement an ongoing risk management program. Our strategic process includes technical testing, a physical survey, a programmatic gap analysis and policy review, and formal risk analysis using the NIST SP 800-30 Rev. 1 standard. For more information, contact CynergisTek.

May 7th, 2018

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.