A gap analysis can be used to discover where problems exist in securing electronic protected health information (ePHI), but it is not a substitute for the comprehensive risk analysis required by the HIPAA Security Rule, the Office for Civil Rights (OCR) noted in its April Cyber Security Newsletter.
The HIPAA Security Rule requires covered entities and business associates to conduct a risk analysis: an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The findings of the risk analysis drive the changes made to the systems that handle ePHI in order to reduce those risks to a reasonable and appropriate level.
While the HIPAA Security Rule does not prescribe a specific method for conducting a risk analysis, OCR's guidance identifies certain elements that any risk analysis should include.
In terms of scope, you should consider the potential risks to all your ePHI, regardless of the electronic medium in which it is created, received, maintained, or transmitted, or the source or location of the ePHI.
Regarding data collection, you should identify all the locations and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should examine not only workstations and servers, but also applications, mobile devices, electronic media, communications equipment, and networks.
On threats and vulnerabilities, you should identify nontechnical as well as technical vulnerabilities. Technical vulnerabilities include security holes, flaws, or weaknesses in information systems, as well as systems that are incorrectly implemented or configured. Nontechnical vulnerabilities include ineffective or nonexistent policies, procedures, standards, or guidelines.
To assess your current security measures, you should document the controls already in place and how effective they are; for example, the use of encryption and antimalware products, or the implementation of a patch management process.
To determine the likelihood and potential impact of threat occurrences, you should document the likelihood that a threat will trigger or exploit a vulnerability as well as the impact if a vulnerability is triggered or exploited.
You should then assess and assign a risk level to each threat and vulnerability combination identified by the analysis. Knowing the risk levels tells you where the greatest risk lies, so you can prioritize resources to reduce it.
Your documentation should contain enough detail to demonstrate that the risk analysis was conducted in an accurate and thorough manner. If the risk analysis you submit in response to an OCR audit or enforcement activity lacks that detail, you may be required to produce additional documentation showing that the analysis was in fact accurate and thorough.
You should review and update your risk analysis regularly. Although the Security Rule does not prescribe a frequency, risk analysis and risk management work best when they are integrated into your business processes, so that new risks (a new system, a new vendor, a change in how ePHI is stored or transmitted) are identified and addressed in a timely manner.
Short of a comprehensive risk analysis, you can conduct a gap analysis, which identifies where security controls protecting ePHI are not in place and/or where you are not in compliance with HIPAA.
“A gap analysis is typically a narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis,” according to OCR.
Here is OCR’s example of a gap analysis:
As the chart shows, a gap analysis can determine where you may be falling short of specific HIPAA requirements.
OCR stressed that a gap analysis usually does not satisfy the Security Rule's risk analysis requirement, because it checks whether particular controls exist rather than providing an accurate and thorough assessment of the risks to all ePHI.
Resources for conducting a comprehensive risk analysis are available on OCR's website. OCR's HIPAA audit protocol, also published on its website, provides additional guidance for covered entities and business associates.