Read the OCR HIPAA audit protocol. This will give you an understanding of what to expect if the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) were to audit your organization. If you’re conducting your HIPAA gap analysis as a proactive initiative, it’s nice to know your analysis approach will mirror OCR’s, should you get audited. This will help prevent surprises and potentially costly fines for noncompliance. You should finish your HIPAA gap analysis with a high level of confidence that you have assessed using a sound approach.
2. Determine the Scope
Before starting your gap analysis you need to determine the scope. Are you going to attempt to cover the entire organization? One office? One department? One healthcare system? If possible, start with a smaller initial scope before trying to tackle the entire organization. This will allow you to familiarize yourself with the process, develop confidence, and adjust your approach as necessary. You’ll have a better idea of the resource and time requirements from you and others and you’ll be better informed to plan the rest of the gap analysis activities.
Next, identify your key stakeholders. Document their roles and responsibilities, and what you anticipate needing from them.
4. Develop a Plan
Now that you have an idea of the scope and who the stakeholders are, you should develop a plan. The first HIPAA gap analysis is not a small undertaking, especially if you’re unfamiliar with the process. Depending on the size of your organization and the complexity of your business practices and technology, you may have your hands full before you even begin. Your plan should have enough detail to be meaningful, actionable, and facilitate your success. How are you going to gather information? How are you going to organize and store it? What will you document and where? Who will you share it with? Do you have milestones? Specific deliverables? Having something documented before you attempt the next step will help.
5. Managerial Commitment
You will need time and resources from other teams and departments to complete your gap analysis. Having managerial commitment from the highest level possible will help ensure timeliness and responsiveness. If you’re dealing with many different sites, offices, or locations, identify a logical sponsor for your project and get their commitment. If you don’t have support from leadership, you’re going to have a hard time with this activity. Everyone has their “day jobs,” and without top-down commitment, it will be difficult to keep your asks a priority. Make sure leadership understands this is a legal requirement – you’re not doing it just for fun.
6. Request Documentation and Schedule Interviews
You can develop your initial document request list by reviewing the HIPAA Security and Privacy rules and developing a list of requirements that require documentation. This will include a seemingly endless list of policies and procedures. In addition to reviewing documentation, you’re going to need to interview a significant number of staff to gather information. Attempt to identify who would be qualified to speak to the implementation of the safeguards you’re assessing. Depending on the scope of your assessment, you may need several interviews with different staff to cover the same safeguard (or logical group of safeguards). Try to schedule staff with related or similar responsibilities in the same interview, but keep the number of people in an interview reasonable – more than six people is cumbersome and inefficient. You’ll end up needing to schedule more time with them, and now that you’ve burned one meeting, getting time on their calendars to cover the same topic will be much harder the second time around.
7. Review Documentation
Once you’ve received responses, you’ll need to review the documentation to identify whether all the requested policies and procedures were provided. Whenever possible, perform this review prior to the interview. This will increase your effectiveness by allowing you to ask more pointed and informed questions. Document the title of each document you review, your notes and observations, and any gaps you've identified. If you have specific questions, write them down now. You don’t want to be rereading documents in front of staff during an interview. Keep this information organized so you can easily refer to it during the related staff interviews.
Conduct staff interviews to confirm whether the policies and procedures remain accurate and are still being enforced. Document the interview notes in whatever format you’ve chosen for your assessment report or deliverable (e.g., Microsoft Word, Microsoft Excel, etc.). Determining who to interview is always a challenge. If this is the first HIPAA gap analysis for your organization, you’re likely to end up interviewing the wrong people at some point. Get whatever relevant information you can, ask if they know who you should talk to, and then release them from the interview. Make sure you document the right staff for your next analysis.
9. Assurance Testing
In addition to gathering information via interview, you should perform some assurance testing to get comfortable with the design and effectiveness of critical safeguards. This is often required to show due diligence for your HIPAA gap analysis activity. Examples include detailed tests like reviewing the output of system access reviews, reviewing IPS rule settings, reviewing response activities from triggered security alerts, observing staff execute job duties according to documented procedure, and documenting observations and results.
HIPAA isn’t prescriptive with regard to documentation of your HIPAA gap analysis. Various GRC or compliance tools exist to help with this, in addition to homegrown applications or spreadsheet-based processes. You need to determine what's right for your organization based on what's available and most useful. Keep in mind, you’ll need to continuously update your gap analysis. This is not a one-time process, so at minimum, leverage an ongoing management or tracking tool, as well as a point-in-time report of the output of this specific activity (based on your defined scope). The report should include your documented approach, any assumptions or constraints, and the results. This will serve as your point-in-time record, as your ongoing management and tracking tool should be updated on a regular basis.
Throughout the process, keep detailed evidence of your activities. This is important to show due diligence and to inform your next steps. Once you’ve completed your initial gap analysis (full or narrowed scope), what are you going to do with the results?
Who do you need to communicate results to?
If you identified gaps, how will they be treated and tracked?
Think about how you can improve your approach: What tools might you benefit from?
What communications can you make templates for?
How can you streamline information gathering and reporting?
How are you going to communicate your results, and to whom?
What do you want to assess next?
Consult Legal Counsel
Finally, don't hesitate to engage your organization's legal counsel. This blog post is not legal advice. Consulting with legal counsel on your unique gap analysis approach and results is always recommended.