Gap Analysis Insufficient for HIPAA Rule
A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis. A Risk Analysis, by contrast, must consider all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits. Consequently, a gap analysis is not equivalent to a risk analysis and does not satisfy the rule as specified by 45 C.F.R. 164.308(a)(ii)(A). It is important to note that OCR expects a covered entity to document and implement all of the necessary requirements of the HIPAA Rule to obtain a Compliant rating.
Therefore, it is important to identify your covered entity's needs and determine whether you require a Gap Analysis or a Risk Analysis. Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.