Performing a Privacy Rule Gap Analysis and Risk Analysis
Considering the potential costs and effort associated with Health Insurance Portability and Accountability Act (HIPAA) compliance, it is a mistake to install a HIPAA solution without first understanding your current organizational HIPAA compliance situation. Your organization may already have in place policies, procedures, systems, and technology that adequately address at least some of the

To determine where HIPAA compliance requirements must be addressed, or your HIPAA gaps, you must perform a HIPAA Privacy Rule gap analysis and risk analysis. Using the results of these analyses, along with any existing business and financial plans, your organization will be ready to develop a HIPAA compliance plan, including a listing of compliance priorities. Use the following checklist to help you perform your own Privacy Rule gap analysis and identify privacy risks.
THE PRACTICAL GUIDE TO HIPAA PRIVACY

7.2 Gap Analysis and Risk Analysis

1. Is someone within your organization responsible for addressing privacy issues and compliance? This should be someone who has been assigned privacy official responsibilities, often designated as the privacy officer. This may also be an existing role that has been given the privacy officer responsibilities, but continues to maintain his or her current title. The privacy officer, or equivalent, should be someone who not only knows your business well but also is very familiar with the health care industry, is experienced with security and privacy activities, and is knowledgeable in the HIPAA regulations. Typically, this person has filled one or more of the following:
• Information security officer
• Chief privacy officer
• Director of information technology
• Director of medical records
• Director of patient accounting
• Director of patient registration/admitting
• Compliance officer
2. Do you have an inventory of all your organizational policies, procedures, training, and technical controls? Besides collecting all these documents from within your organization, also collect HIPAA plans from your business associates (BAs), including vendors, clearinghouses, payers, cloud providers, and so on. Obtain copies of all forms related to release of protected health information (PHI) or authorizations to release or disclose PHI to third parties. Document and inventory everything you collect.
3. Have you reviewed all your documents and identified the directives and practices that apply to PHI? Determine and document:
• What rules, if any, exist for protecting health information?
• Identify all current non-IT-specific policies and procedures related to information access, disclosure, and
• What are the procedures for allowing access to PHI and
• What are the procedures for responding to complaints?
• How is your Notice of Privacy Practices (NPP), if it applies to your organization, worded?
• What PHI-related security and privacy training do you provide and require?
• What types of ongoing security and privacy awareness communications do you provide?