Performing a Privacy Rule Gap Analysis and Risk Analysis
7.1 Introduction
Considering the potential costs and effort associated with Health Insurance Portability and Accountability Act (HIPAA) compliance, it is a mistake to install a HIPAA solution without first understanding your current organizational HIPAA compliance situation. Your organization may already have in place policies, procedures, systems, and technology that adequately address at least some of the HIPAA requirements.
To determine where HIPAA compliance requirements must be addressed, or your HIPAA gaps, you must perform a HIPAA Privacy Rule gap analysis and risk analysis. Using the results of these analyses, along with any existing business and financial plans, your organization will be ready to develop a HIPAA compliance plan, including a listing of compliance priorities. Use the following checklist to help you perform your own Privacy Rule gap analysis and identify privacy risks.
7.2 Gap Analysis and Risk Analysis
1. Is someone within your organization responsible for addressing privacy issues and compliance? This should be someone who has been assigned privacy official responsibilities, often designated as the privacy officer. This may also be an existing role that has been given the privacy officer responsibilities, but continues to maintain his or her current title. The privacy officer, or equivalent, should be someone who knows not only your business well but also is very familiar with the health care industry, is experienced with security and privacy activities, and is knowledgeable in the HIPAA regulations. Typically, this person has filled one or more of the following roles:
   - Information security officer
   - Chief privacy officer
   - Director of information technology
   - Director of medical records
   - Director of patient accounting
   - Director of patient registration/admitting
   - Compliance officer
2. Do you have an inventory of all your organizational policies, procedures, training, and technical controls? Besides collecting all these documents from within your organization, also collect HIPAA plans from your business associates (BAs), including vendors, clearinghouses, payers, cloud providers, and so on. Obtain copies of all forms related to release of protected health information (PHI) or authorizations to release or disclose PHI to third parties. Document and inventory everything you collect.
3. Have you reviewed all your documents and identified the directives and practices that apply to PHI? Determine and document the following:
   - What rules, if any, exist for protecting health information? Identify all current non-IT-specific policies and procedures related to information access, disclosure, and
   - What are the procedures for allowing access to PHI and medical records?
   - What are the procedures for responding to complaints?
   - How is your Notice of Privacy Practices (NPP), if it applies to your organization, worded?
   - What PHI-related security and privacy training do you provide and require?
   - What types of ongoing security and privacy awareness communications do you provide?

Get The Practical Guide to HIPAA Privacy and Security Compliance, 2nd Edition now with O’Reilly online learning.