So you think you’re ready to start your first HIPAA gap analysis but aren’t sure where to start? Well, if you’ve never tackled one before, there are 10 key steps to prepare and execute a streamlined assessment.
1. Familiarize yourself
There is a lot of documentation and legalese around HIPAA. To cut through this, I recommend reviewing the following before beginning your HIPAA gap analysis.
- Understand the definition of PHI. PHI is the primary focus of this activity. There’s a definition provided in the HIPAA privacy rule here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf?language=es
- Read the summary of the HIPAA Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- Read the summary of the HIPAA Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
- Read the HHS page about the Breach Notification Rule: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- Read the OCR HIPAA audit protocol. This will give you an understanding of what to expect if OCR were to audit your organization. If you’re conducting your HIPAA gap analysis as a proactive initiative, it’s nice to know your analysis approach will be like OCR, should you get audited. This will help prevent surprises and potentially costly fines for being noncompliant. You should finish your HIPAA gap analysis with a high level of confidence that you have assess using a sound approach like that of OCR.
2. Determine the scope
Before starting your gap analysis you need to determine the scope. Are you going to attempt to cover the entire organization? One office? One department? One healthcare system? If you can, I recommend starting with a smaller initial scope before trying to tackle the entire organization. This will allow you to familiarize yourself with the process, develop some confidence, and adjust your approach as necessary. You’ll have a better idea of the resource and time requirements from you and others and you’ll be better informed to plan the rest of the gap analysis activities.
Next identify the key stakeholders you will need to interact with. Document their roles and responsibilities, and what you anticipate you’ll need from them.
4. Develop a plan
Now that you have an idea of the scope and who the stakeholders are, you should develop a plan. The first HIPAA gap analysis is not a small undertaking, especially if you’re unfamiliar with the process; depending on the size of your organization and complexity of your business practices and technology, you may have your hands full before you even begin. Your plan should have enough detail to be meaningful, actionable, and facilitate your success. How are you going to gather information? How are you going to organize and store it? What will you document and where? Who will you share it with? Do you have milestones? Specific deliverables? Having something documented before you attempt to the next step will help.
5. Managerial commitment
You will need time and resources from other teams and departments to complete your gap analysis. Having managerial commitment from the highest level possible will help ensure timeliness and responsiveness. If you’re dealing with many different sites, offices, or locations, identify a logical sponsor for your project and get their commitment. If you don’t have support from leadership, you’re going to have a hard time with this activity. Everyone has their “day jobs” and without commitment from the top down it will be difficult to keep your asks a priority. Make sure they understand this is a legal requirement- you’re not doing it just for fun.
6. Request documentation and schedule interviews
You can develop your initial document request list by reviewing the HIPAA Security and Privacy rules and developing a list requirements that require documentation. This will include a seemingly endless list of policies and procedures. In addition to reviewing documentation, you’re going to need to interview a significant number of staff members to gather information. Attempt to identify who would logically be qualified to speak to the implementation of the safeguards you’re assessing. Depending on the scope of your assessment, this may mean you need several interviews with different staff to cover the same safeguard (or logical group of safeguards). Try to schedule staff with related or similar responsibilities in the same interview but keep the number of people in an interview reasonable. An interview with more than 6 people is often cumbersome and inefficient. You’ll end up needing more time and half of the people may have not spoken by the time your meeting is over. You’ll need to schedule more time with them, and now that you’ve burned one meeting getting time on their calendar to cover the same topic will be much harder the second time around.
7. Review documentation
Once you’ve received responses, you’ll need to review all the documentation to identify whether all the requested policies and procedures were provided. Whenever possible I recommend performing this review prior to the interview. This will increase your effectiveness by allowing you to ask more pointed and informed questions. Document the title of each document you review, your notes and observations, and any gaps that you identified. If you have specific questions, write them down now. You don’t want to be re-reading documents in front of staff during an interview. Keep this information organized so you can easily refer to it during the related staff interviews.
Conduct staff interviews to confirm whether the policies and procedures remain accurate and are still being enforced. Document the interview notes in whatever format you’ve chosen for your assessment report or deliverable (word, excel, or otherwise). Determining who to interview is always a challenge. If this is the first HIPAA gap analysis for your organization, you are likely to encounter an interview with the wrong people. Get whatever relevant information you can from, ask them if they know who you should talk to, and then release them from the interview. Make sure you document the right staff for your next analysis.
9. Assurance testing
In addition to gathering information via interview, you should perform some assurance testing to get comfort over the design and effectiveness of critical safeguards. This is often required to show due diligence for your HIPAA gap analysis activity. Examples could include detailed tests like reviewing the output of system access reviews, reviewing IPS rule settings, reviewing response activities from triggered security alerts, and observing staff execute job duties according to documented procedure, and documenting observations and results.
HIPAA isn’t prescriptive of how you document your HIPAA gap analysis. Various GRC or compliance tools exist that can help with this, in addition to home-grown applications or spreadsheet-based processes. You need to determine what is right for your organization based on what is available and most useful. Keep in mind, you’ll need to continuously update your gap analysis – this is not a one-time process, so at minimum I’d recommend having an ongoing management or tracking tool, as well as a point-in-time report of the output of this specific activity (based on your defined scope). The report should include your documented approach, any assumptions or constraints, and the results. This will serve as your point-in-time record, as your ongoing management and tracking tool should be updated on a regular basis.
Throughout the process, keep detailed evidence of your activities. This is important to show due diligence and inform your next steps. Once you’ve completed your initial gap analysis (full or narrowed scope), what are you going to do with the results?
- Who do you need to communicate them to?
- If you identified gaps, how will they be treated and tracked?
- Think about how you can improve your approach: what tools might you benefit from?
- What communications can you make templates for?
- How can you streamline information gathering and reporting?
- How are you going to communicate your results, and to whom?
- What do you want to assess next?
Consult Legal Counsel
Finally, do not hesitate to engage your organizations legal counsel. I am not your lawyer, and this blog post is not legal advice. Consulting with legal counsel up front on your unique gap analysis approach and results is always recommended.
Remember a HIPAA Gap Analysis does not constitute a HIPAA Risk Analysis. They are unique requirements and activities. To better understand the differences, I previously wrote this helpful blog post: https://nuharborsecurity.com/hipaa-risk-analysis-vs-gap-assessment/
NuHarbor Security can guide your through this process, assist with your gap analysis, and help you take the right steps toward compliance. Feel free to reach out for more information.