OCR Encourages Covered Entities to Perform a Gap Analysis: HIPAA & HITECH Act Blog by Jonathan P. Tomes

We at EMR Legal and Veterans Press have been encouraging our clients and customers to perform a gap analysis since shortly after HIPAA became law in 1996. Now, finally, the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) is encouraging covered entities to do one.

Our definition of gap analysis is to determine where you are HIPAA compliant, where you are not HIPAA compliant, and how you bridge the gap. HIPAA does not require a gap analysis, but it is a good management tool to find out what you need to do in order to become HIPAA compliant in an efficient, cost-effective manner. We also recommend that business associates perform a gap analysis for the same reasons and, as a practical matter, to help in contract negotiations with covered entities and upstream business associates.

Now, in its April 2018 cybersecurity newsletter, OCR details the benefits of performing a gap analysis in addition to the required risk analysis to identify all potential risks to the confidentiality, integrity, and availability of electronic protected health information (“EPHI”), as required under 45 C.F.R. § 164.308(a)(1)(ii)(A), and to update it periodically and as necessary because of changes to one’s practice model, patient mix, technology, new risks, physical location, and so forth.

According to the newsletter, the gap analysis, on the other hand, can give HIPAA covered entities and their business associates an overall view of their compliance efforts, can help them discover areas where they are not yet compliant with HIPAA rules, and can help them identify any gaps in the controls that they have already implemented. OCR offers an example of a simple gap analysis in the Cybersecurity Newsletter article at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-april-2018.pdf.

The gap analysis that we have developed is somewhat different. A sample from the security portion follows:

Gap Analysis Survey Kit

Security

  • Does the company have a formal security program?
  • Who, if anyone, in the company is responsible for security?
  • If the company has such an official, identify the person and detail his or her duties.
  • If the company has such an official, what are his or her qualifications?
  • Does the company have a security policy?
  • What, if any, physical security measures are in place to safeguard the data?
  • Are they sufficient?
  • What physical security measures, if any, exist to protect against environmental harm, such as temperature and humidity controls, surge protection, and so forth?
  • Are they sufficient?
  • What physical security measures, if any, exist to protect against unauthorized access, such as locks, barriers, security monitoring, and so forth?
  • Are they sufficient?
  • How is required maintenance of the computer system accomplished?
  • What, if any, documentation of required maintenance does the company keep?
  • How does the company back up data?
  • Does the company have a disaster plan?
  • Does the company have an emergency mode operation/disaster recovery plan?
  • What, if any, technical security measures are in place to safeguard the data?
  • What, if any, personnel security measures are in place to safeguard the data?
  • Do employees sign a confidentiality agreement?
  • What training has been provided within the past two years?
  • What initial training has been provided?
  • What periodic refresher training has been provided?
  • Has all training been documented?
  • Are the company’s personnel security measures sufficient?
  • Does the company test and revise its security measures?
  • Has the company performed a risk analysis of the risks to the information in the last five years?
  • When did the company last perform a risk analysis?
  • If so, review the documentation of the risk analysis.
  • If so, have changed conditions necessitated a new risk analysis?
  • If so, has the company completed such a risk analysis update?
  • Has the company experienced any breaches of security in the last five years?
  • If so, describe the breach(es) and any resulting harm.
  • If so, what remedial measures, if any, did the company take?
  • Has the company experienced any breaches of confidentiality in the last five years?
  • If so, describe any such breach and any resulting harm.
  • If so, what remedial measures, if any, did the company take?
  • Does the company have procedures for reporting and responding to security incidents and breaches?
  • Does the company use email?
  • If so, does the email contain patient identifiable health information?
  • What security measures are in place to protect email?
  • Are they sufficient?
  • Does the company have a formal email policy?
  • Does the company use the internet?
  • If so, does the company use the internet to transmit patient identifiable information?
  • If so, what security measures are in place to protect the information?
  • Are they sufficient?
  • Does the company have an internet use policy?

Regardless of the form used, and even if you did not perform a gap analysis as the first step in your compliance effort as we have recommended, a gap analysis is a good tool to check on your state of compliance and, if compliance is not sufficient, a good tool to identify deficiencies to remedy. After all, little difference exists between a gap analysis and an audit, and no matter what you call it, a gap analysis can go a long way toward satisfying the HIPAA evaluation standard in § 164.306 (8), which requires performance of a periodic technical and nontechnical evaluation, based initially upon the standards implemented under the Security Rule and, subsequently, in response to environmental or operational changes affecting the security of EPHI.

FYI, in case you are keeping track, this blog item is the fifth and final in the HIPAA potpourri series that Jon announced a few weeks ago in this blog. Stay tuned, same time, same station, next week, for Jon’s next regular blog. He will be discussing other forthcoming OCR guidance as it issues other changes in the near future, such as, for example, the following, among others:

  • Change to the Privacy Rule requiring health care providers to obtain an acknowledgment from patients of receipt of a Notice of Privacy Practices, rather than merely making a good faith effort to and documenting why they could not.
  • Change to the Privacy Rule implementing the HITECH Act requirement to account for disclosures of PHI.
  • Change to the Privacy Rule presuming that providers are acting in the individual’s best interests when they share information with the individual’s family members unless evidence exists that they did so in bad faith.

As always, thanks for reading Jon’s blog, including this one about OCR’s encouragement to perform a gap analysis, and remember to contact us if you need HIPAA compliance help. If you need help with your gap analysis, your required new/updated risk analysis, drafting/updating/implementing your policies based on your risk analysis, you can find the help you need in the book by Jonathan P. Tomes, The Complete HIPAA Policies and Procedures Guide, with its accompanying CD of sample policies that you can easily make your own, available at http://www.veteranspress.com/product/hipaa-policies-and-procedures. Jon is back at the helm now, and you can reach him at jon@veteranspress.com and Alice at iammccart@gmail.com. If you specifically want Jon’s help with your gap analysis, go to http://www.veteranspress.com/product/hipaa-gap-analysis. And if you then specifically want Jon’s help with your risk analysis, go to http://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. If you need a handy place to keep written documentation of all of your HIPAA compliance efforts, consider Your Happy HIPAA Book, available at http://www.veteranspress.com/product/your-happy-hipaa-book. 
