HIPAA Gap Analysis
There's too much at risk not to be 100% sure
As part of their preparations for compliance with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations need to compare their current information-handling and information-disclosure practices to the requirements of HIPAA's implementing regulations. Both the final privacy rule and the proposed (as of the date this was written) information security regulations speak to the need for performing a risk assessment - often referred to as a "gap analysis", although the scope of a gap analysis is probably narrower, as discussed below - to identify areas of non-compliance.
Beyond HIPAA requirements, there are a number of good business reasons for performing a risk assessment of the organization's computer-based and paper-based information systems. System weaknesses can subject the organization to liability for breaches of confidentiality and invasions of privacy.
Goals of a Risk Assessment (Gap Analysis):
“Gap Analysis - The examination of assets, their threats and vulnerabilities to identify and evaluate risks. This is the process of defining the entire shape and scope of your information security.”
"Risk assessment" is an evaluation of the potential risks associated with how the organization collects, uses, manages, and discloses health information. The term "gap analysis" refers to analyzing the organization's information-handling practices against the requirements of HIPAA and identifying the gaps between current practices and the practices HIPAA requires.