HIPAA Gap Analysis
There's too much at risk not to be 100% sure
As part of their preparations for compliance with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations need to compare their current information-handling and information-disclosure practices to the requirements of HIPAA's implementing regulations. Both the final privacy rule and the proposed (as of the date this was written) information security regulations speak to the need for performing a risk assessment to identify areas of noncompliance and specific targets for change. This assessment is often referred to as a "gap analysis", although the scope of a gap analysis is probably narrower, as discussed below.
Beyond HIPAA requirements, there are a number of good business reasons for performing a risk assessment of the organization's computer-based and paper-based information systems. System weaknesses can subject the organization to liability for breaches of confidentiality and invasions of privacy. Inappropriate uses or disclosures of information can result in negative publicity, which can drive patients to choose other healthcare providers out of concern for their privacy. System flaws and "holes" can result in corruption or loss of vital data, or in inappropriate alteration or manipulation of data.
On a variety of levels, it simply makes good sense to conduct a risk assessment of the healthcare organization's information systems and to use the results in developing strategies for HIPAA compliance.
Goals of a Risk Assessment (Gap Analysis):
“Gap Analysis - The examination of assets, their threats and vulnerabilities to identify and evaluate risks. This is the process of defining the entire shape and scope of your information security.”
We know that we need to assess the risks associated with our health information systems. Before committing to any particular approach, the healthcare organization needs to identify its own goals and expected outcomes, or "deliverables," for the risk assessment.
We use the term "risk assessment" to describe an evaluation of the potential risks associated with how the organization collects, uses, manages, and discloses health information. The term "gap analysis" refers to analyzing the organization's information-handling practices against the requirements of HIPAA and identifying gaps between current practices and required practices under HIPAA.