By: Mark Brisson, Information Assurance Analyst
I often speak with healthcare organizations and have found that many are unsure of the difference between a HIPAA risk analysis and a HIPAA gap analysis as they relate to the Security Rule. I’ve discovered that this is due to confusion caused by legislation, frameworks, and industry sources interchangeably (and often incorrectly) using terms like “risk assessment”, “risk analysis”, and “security assessment”. This can lead to unknown compliance violations and risk exposure. Although HIPAA risk analysis and gap analysis activities are both required by HIPAA, they are unique and involve distinct processes and deliverables.
As confusing as this can be for people in the security industry, it’s even worse for those who aren’t! Throughout my career, I have found that by outlining the differences as clearly and concisely as possible, I am able to get both new team members and clients up to speed quickly. I have shared some of the key points that continue to work for me below in order to clarify the value and importance of performing both a HIPAA risk analysis and gap analysis.
HIPAA Risk Analysis
The risk analysis process is a required HIPAA implementation specification. It can be found within the Security Management Process standard, located at § 164.308(a)(1)(ii)(A). The purpose of this requirement is to help you identify, document, and analyze threats and related vulnerabilities that may be exploited and impact the confidentiality, integrity, or availability of electronic protected health information (ePHI).
Steps and requirements
To perform a risk analysis, your team must analyze scenarios and risk factors using a documented, repeatable procedure and produce a justifiable risk rating. As mandated by HIPAA, this process must be required by organizational policy and guided by thorough written procedural documents. Output of risk analysis activities must be maintained per HIPAA safeguards. The HIPAA audit protocol states that risk analysis documents should include, at a minimum:
- Purpose and scope of the risk analysis
- Workforce member roles and responsibilities
- Management involvement in risk analysis
- Frequency for reviewing and updating the risk analysis
- A defined scope that identifies all systems that create, receive, maintain, or transmit ePHI
- Details of identified threats and vulnerabilities
- Assessment of current security measures
- Impact and likelihood analysis
- Risk ratings
This process should cover analysis of all ePHI that is stored, processed, transmitted, or received by your organization. Your HIPAA risk analysis activities should be conducted on an ongoing basis in response to changes in threat landscapes, business missions and activities, technologies in use, and other changes that may affect the current approach or results.
The risk analysis requirement is accompanied by a separate required implementation specification, titled Risk Management. This is located at § 164.308(a)(1)(ii)(B) and requires your organization to manage and reduce the security risks you identify during analysis, and to meet the general requirements of the HIPAA Security Rule. The intent of this implementation specification is to promote and require ongoing management and treatment activities such that your organization adequately and appropriately addresses risk.
The HIPAA text on the risk analysis requirement is intentionally non-prescriptive, allowing for organizations to develop and customize a process that is sufficient, feasible, and effective for their organization. Unfortunately, this can also be problematic, as some struggle with how to start, develop, and implement a process and determine if it is sufficient.
HIPAA Gap Analysis
Conducting a HIPAA gap analysis allows an organization to assess their current posture and implementation status of all HIPAA Security, Privacy, and Breach rule standards and implementation specifications. A key difference (from risk analysis) is that this activity isn’t a singular prescribed requirement in HIPAA.
Gap analysis is often the first step organizations take when assessing their compliance. This type of review is generally a higher-level process, with limited assurance testing, and is aimed at identifying major safeguard gaps. This does not include identification of threats or vulnerabilities, just whether safeguard standards and implementation specifications have been implemented or not. The output of your risk analysis should inform control selection, design, implementation, and maintenance. This information should be considered when conducting your future gap analysis activities.
- A risk analysis and gap analysis are both necessary compliance activities, but they are different.
- A risk analysis will inform you regarding relevant security and compliance risks as well as what safeguards may need to be implemented and how they should be designed.
- A gap analysis will assess if you’ve successfully implemented HIPAA standards and implementation
- The risk analysis and gap analysis processes should inform each other in process and in results.
- Assurance testing of controls is required by the risk analysis.
- Risk analysis methods can be tailored based on organizational, business, technology, and other factors.
- Assurance testing to measure control effectiveness is required and is often overlooked during HIPAA risk analysis.
Want more information? Feel free to reach out. Additionally, I’ve included some helpful links:
- NuHarbor Security HIPAA Compliance Services:
- OCR Security Rule series whitepaper #6 - Basics of Risk Analysis and Risk Management: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf?language=es
- OCR Audit Protocol for guidance:
Would you like some help? NuHarbor Security can guide you through this process, assist with your risk analysis or gap analysis, and help you take the right steps toward compliance.