HIPAA Compliance: Choosing Whether to Perform a Gap Analysis or a Risk Analysis

May 23, 2018
Compliance | By Rodney Farley, Director

The HIPAA Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity.” To ensure compliance, the Office for Civil Rights (OCR) urges providers to implement the security measures needed to safeguard electronic protected health information (ePHI) against a breach. Two analyses that are commonly confused when meeting this mandate are the gap analysis and the risk analysis.

Gap Analysis vs. Risk Analysis  

While it is good practice to conduct a gap analysis to discover potential threats, experts believe it is not enough. An April 2018 newsletter released by the OCR suggests that a gap analysis should never take the place of a risk analysis when complying with the HIPAA Security Rule. A gap analysis provides a high-level synopsis of the controls in place to protect ePHI and of the holes in a healthcare provider’s systems and procedures. A risk analysis, by contrast, is a thorough investigation of a company’s liabilities and exposure where ePHI is concerned.

Conducting a risk analysis is your company’s first line of defense in risk management. It places you ahead of the game in recognizing and enforcing privacy practices, enabling your facility to protect the confidentiality and integrity of ePHI. 

8 Key Components of a Risk Analysis

The HIPAA Security Rule does not require companies to follow explicit procedures for assessing their risk of a data breach. Documentation and processes vary based on the unique needs of the organization. There are, however, eight specific components providers should include in the risk analysis process.

Per the OCR, these components include:

1. Scope: The risk analysis should consider the potential risks to all of an entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, or the source or location of its ePHI.

2. Data Collection: When considering the potential risks to its ePHI, entities should identify all of the locations and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should consider not only workstations and servers but also applications, mobile devices, electronic media, communications equipment, and networks as well as physical locations.

3. Identify and Document Potential Threats and Vulnerabilities: Be sure to identify technical as well as non-technical vulnerabilities. Technical vulnerabilities can include holes, flaws, or weaknesses in information systems, or incorrectly implemented and/or configured information systems.

4. Assess Current Security Measures: Assess and document the effectiveness of current controls, for example the use of encryption and anti-malware solutions, or the implementation of patch management processes.

5. Determine the Likelihood and Potential Impact of Threat Occurrence: Determine and document the likelihood that a particular threat will trigger or exploit a particular vulnerability, as well as the impact if a vulnerability is triggered or exploited.

6. Determine the Level of Risk: Assess and assign risk levels for the threat and vulnerability combinations identified by the risk analysis. Determining risk levels informs entities where the greatest risk is, so entities can appropriately prioritize resources to reduce those risks.

7. Documentation: Although the Security Rule does not specify a form or format for risk analysis documentation, such documentation should contain sufficient detail to demonstrate that an entity’s risk analysis was conducted in an accurate and thorough manner. If a covered entity or business associate submits a risk analysis lacking sufficient detail in response to an OCR audit or enforcement activity, additional documentation may be required to demonstrate that the risk analysis was in fact conducted in an accurate and thorough manner.

8. Review and Update: Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly. Although the Security Rule does not prescribe a frequency for performing risk analyses, risk analysis and risk management processes work most effectively when integrated into an entity’s business processes to ensure that risks are identified and addressed in a timely manner.
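To make the components above concrete, here is an added example (not from the OCR or from LW Consulting) of a small risk register that walks through them: an inventory of systems holding ePHI, threat/vulnerability pairs, the controls currently in place, a likelihood-times-impact score, a risk level, and a record that can be kept as documentation. The sample inventory and the rule that each effective control lowers likelihood by one step are constructed assumptions for illustration, not an OCR-mandated formula.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    """One threat/vulnerability pair for one location where ePHI lives."""
    asset: str                 # system or location holding ePHI (component 2)
    threat: str                # component 3
    vulnerability: str         # component 3
    likelihood: int            # 1 = rare, 2 = possible, 3 = likely (component 5)
    impact: int                # 1 = minor, 2 = moderate, 3 = severe (component 5)
    controls: list = field(default_factory=list)  # current measures (component 4)

def residual_likelihood(f: Finding) -> int:
    # Assumption of this example: each documented effective control lowers
    # the likelihood by one step, never below 1.
    return max(1, f.likelihood - len(f.controls))

def risk_level(score: int) -> str:
    # Map the 1..9 score to the level used to prioritize remediation (component 6)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def analyze(findings: list) -> list:
    """Return documentation rows (component 7), highest risk first."""
    rows = []
    for f in findings:
        score = residual_likelihood(f) * f.impact
        rows.append({"asset": f.asset, "threat": f.threat,
                     "vulnerability": f.vulnerability, "controls": list(f.controls),
                     "residual_likelihood": residual_likelihood(f),
                     "impact": f.impact, "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory; names and ratings are illustrative only.
SAMPLE = [
    Finding("Billing file server", "ransomware", "unpatched OS", 3, 3,
            ["patch management", "anti-malware"]),
    Finding("Clinician laptops", "device theft", "unencrypted disk", 2, 3),
    Finding("Patient portal", "credential stuffing", "no MFA", 3, 2, ["account lockout"]),
    Finding("Offsite backup tapes", "loss in transit", "no chain-of-custody log", 1, 2),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(f'{r["level"]:6} {r["score"]}  {r["asset"]}: {r["threat"]} via {r["vulnerability"]}')
```

Re-running the register after each review (component 8) with updated controls and ratings shows whether the highest-ranked items have actually moved down the list.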

For more information, visit the U.S. Department of Health and Human Services.

Your Next Steps in Identifying Potential Risks

LW Consulting, Inc. conducts audits designed to mirror the OCR HIPAA Audit program. We can help you analyze processes, implement controls, and develop policies to protect against threats to your ePHI.

Our HIPAA compliance services include:

  • HIPAA Compliance Audits and Security Assessments
  • Workforce Risk Assessments
  • Business Associate Risk Assessment
  • Policies and Procedures Review
  • Medical Litigation Support
  • Healthcare IT Consulting Support

Minimize risk exposure. Work with our experienced consultants to help protect your business, avoid costly consequences and close the gaps in your compliance program.

Contact us today to discuss which of our HIPAA compliance services is right for you.