The HIPAA gap analysis begins with a review of the items required by the HIPAA Rules, as identified in the individual Privacy, Security and HITECH Rules. Data reviewed in a HIPAA Gap Analysis includes the policies the covered entity or business associates must implement that ensure individuals’ rights over their PHI. Examples include the right to access PHI, to request an amendment to PHI or an accounting of disclosures, to request a restriction, and to make a privacy complaint, among others. Also under review are the policies and procedures used to safeguard PHI in all formats, whether verbal, paper or electronic. These include administrative requirements such as policies, business associate agreements, named privacy and security officials, training on the policies that affect employees’ job duties, a complaint process, and breach reporting. Collecting this information will later help to prepare for a Security Risk Analysis.