Risk Analysis for HIPAA

Posted by BAS - 24 May, 2018


The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to apply reasonable security protections to electronic protected health information (ePHI). The HIPAA Security Rule directs covered entities to conduct a “risk analysis” to identify and implement safeguards that ensure the confidentiality, integrity and availability of ePHI.

A risk analysis is an assessment of the risks and vulnerabilities to ePHI. It is a comprehensive evaluation of the covered entity’s business to identify ePHI and the potential risks and vulnerabilities to the ePHI. The result of the risk analysis is used to modify the covered entity’s business approach and ePHI systems to reduce risks to an appropriate level.

A gap assessment is not specifically required by the HIPAA Security Rule, but it can be used to identify whether the standards and implementation specifications of the Security Rule have been met. A gap assessment provides a high-level overview of the controls in place to protect ePHI, without the detail of a risk analysis.

The Department of Health and Human Services released a publication comparing a risk analysis and a gap assessment and suggesting elements to include in both when evaluating HIPAA security compliance. The HIPAA Security Rule does not require a specific method for assessing the risks to ePHI, but it does set forth certain elements that should be incorporated into a risk analysis process. These items include:

  1. Consider potential risks to all ePHI, regardless of the medium.
  2. Data Collection. Identify all locations and information systems where ePHI is created, received, maintained or transmitted.
  3. Identify and Document Potential Threats and Vulnerabilities. Look at both technical and non-technical vulnerabilities, including flaws in information systems.
  4. Assess Current Security Measures. Document the effectiveness of current controls.
  5. Determine the Likelihood and Potential Impact of Threat Occurrence. Document the possibility of a particular threat triggering a vulnerability and the impact if the vulnerability is triggered.
  6. Determine the Level of Risk. Assign a level of risk to each vulnerability discovered during the analysis.
  7. The documentation of the analysis should contain enough detail to demonstrate that the risk analysis was conducted.
  8. Review and Update. The risk analysis should be an ongoing process.
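The elements above can be worked through as a small risk register. The following is an added example, not code from the post or from HHS: each finding records where the ePHI lives (step 2), the threat and vulnerability (step 3), the controls already in place and whether they are effective (step 4), a likelihood and impact rating (step 5), a derived risk level (step 6), and a register row that documents the result (step 7). The three-level scales, the rule that an effective control lowers likelihood by one level, and the risk thresholds are this example's assumptions, since the Security Rule prescribes none.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Three-level ordinal scales. The Security Rule prescribes no particular scale,
# so these values and the thresholds below are this example's assumptions.
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    system: str                 # step 2: where ePHI is created, received, maintained or transmitted
    medium: str                 # step 1: any medium, e.g. database, portable device, scanned documents
    threat: str                 # step 3: threat that could exploit the vulnerability
    vulnerability: str          # step 3: technical or non-technical weakness
    controls: List[str] = field(default_factory=list)  # step 4: controls currently in place
    controls_effective: bool = False                   # step 4: documented effectiveness
    likelihood: str = "medium"  # step 5: chance the threat triggers the vulnerability
    impact: str = "medium"      # step 5: harm to confidentiality, integrity or availability

def residual_likelihood(f: Finding) -> int:
    # Step 5: an effective existing control lowers likelihood by one level (assumed rule).
    score = SCALE[f.likelihood] - (1 if f.controls_effective else 0)
    return max(score, 1)

def risk_level(f: Finding) -> str:
    # Step 6: map likelihood x impact (1..9) onto a risk level.
    product = residual_likelihood(f) * SCALE[f.impact]
    return "high" if product >= 6 else "medium" if product >= 3 else "low"

def risk_register(findings: List[Finding]) -> List[Dict]:
    # Step 7: documentation detailed enough to show the analysis was done, highest risk first.
    rows = [{"system": f.system, "medium": f.medium, "threat": f.threat,
             "vulnerability": f.vulnerability, "controls": list(f.controls),
             "likelihood": residual_likelihood(f), "impact": SCALE[f.impact],
             "risk": risk_level(f)} for f in findings]
    return sorted(rows, key=lambda r: -(r["likelihood"] * r["impact"]))

# Constructed sample findings; not taken from the post.
SAMPLE = [
    Finding("billing-db", "database server", "credential theft", "no MFA on remote admin",
            ["VPN required for admin access"], True, "high", "high"),
    Finding("laptop-fleet", "portable device", "device loss", "disk not encrypted",
            [], False, "medium", "high"),
    Finding("scan-archive", "scanned documents", "unauthorized viewing", "shared folder open to all staff",
            ["quarterly access review"], True, "low", "medium"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(f'{row["risk"]:6} {row["system"]:12} {row["vulnerability"]}')
```

Because the register is rebuilt from the findings, rerunning it after controls or systems change gives the ongoing review that step 8 calls for.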

A gap analysis provides only a partial assessment of a covered entity’s operations and is used to determine what controls are in place and where potential gaps in controls may lie. A gap analysis can also be used to evaluate a particular standard of the Security Rule, but it is not a full risk analysis.

Click here for information about conducting a risk analysis. 

The HHS description of risk analysis vs. gap analysis may be accessed by clicking here.

Topics: MyEnroll360 Security
