OCR Says Gap Analysis Does Not Meet HIPAA Requirements

May 7, 2018 David Holtzman

The HHS Office for Civil Rights (OCR) has issued guidance answering the question that performing a gap analysis of an information system’s safeguards is not enough to meet the minimum requirements of the HIPAA Security Rule. While a gap analysis can be used to discover where problems exist in securing electronic protected health information (ePHI), it does not satisfy the risk analysis obligations under the Security Rule. Under the HIPAA rule, a covered entity or business associate must perform a risk analysis that encompasses the potential risks to all ePHI created, received, maintained or transmitted by any electronic medium, or, regardless of the source or location of the data.

A gap analysis typically provides a partial assessment of an entity’s enterprise and is often used to provide a high-level overview of what controls are in place to protect ePHI or to identify potential gaps where controls are not in place. Gap analyses may also be used to review an entity’s compliance with particular standards and implementation specifications of the Security Rule. OCR emphasizes that a gap analysis does not demonstrate an accurate and thorough assessment of the risks to all ePHI that an entity creates, receives, maintains, or transmits.

The HIPAA Security Rule requires covered entities like health care providers, hospitals, and health plans to protect against reasonably anticipated threats or hazards to the security or integrity of the e-PHI they create, maintain, or transmit. It also requires that they put appropriate safeguards in place to reduce the risk from those security threats. The requirements of the Security Rule also apply to business associates, defined as contractors and vendors of covered entities who create, transmit, or maintain e-PHI. The risk assessment is also a core requirement for eligible providers and hospitals seeking payment through the Meaningful Use EHR Incentive Program that was recently renamed the Promoting Interoperability Program.

The Security Rule allows covered entities and business associates flexibility in developing measures to meet the requirements of the standards and implementation specification including consideration of organization size and type, complexity of the technology and infrastructure, human element, infrastructure, and the cost of security measures. The starting point for determining what is appropriate and reasonable is by conducting a risk analysis of the systems and technologies that create, transmit, or store electronic protected health information e-PHI as part of a comprehensive process to safeguard the confidentiality, integrity, and availability of patient data.

CynergisTek’s Risk Assessment process specifically addresses regulatory requirements and helps organizations implement an ongoing risk management program. Our strategic process includes technical testing, a physical survey, a programmatic gap analysis and policy review, and formal risk analysis using the NIST SP 800-30 Rev. 1 standard. For more information, contact CynergisTek.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two-decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

Follow on Twitter More Content by David Holtzman
Previous Article
NY AG Schneiderman Quits: What's Next for Enforcement?
NY AG Schneiderman Quits: What's Next for Enforcement?

Next Article
Podcast: Finding Orangeworm
Podcast: Finding Orangeworm