HIPAA Blog

HIPAA Gap Analysis and a HIPAA Risk Analysis


What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis?  Many organizations use the two terms interchangeably, but they are not the same thing.  Don't make the same mistake. We can help you understand the difference.

Office for Civil Rights Requirements

The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis.  It requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information (ePHI) held by the organization.  Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity's ePHI.  This includes all ePHI that is created, received, maintained or transmitted, regardless of the source or location of the ePHI.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis.  A Gap Analysis is usually a limited evaluation of a covered entity's or business associate's organization that reveals whether the policies, controls and safeguards required by HIPAA are in place and implemented.  The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems. It must cover all facilities and everything that relates to privacy and to uses and disclosures of PHI.

Gap Analysis Insufficient for HIPAA Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis. A Security Risk Analysis must consider all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits.  Consequently, a Gap Analysis is not equivalent to a Risk Analysis and does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A).  It is important to note that OCR expects a covered entity to document and implement all of the necessary requirements of the HIPAA Rule to obtain a Compliant rating.

Therefore, it is important to identify your covered entity's needs and determine whether you require a Gap Analysis or a Risk Analysis.  Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.

Sharing Mental Health Information

Allowing Providers to Share

In certain circumstances HIPAA allows mental health providers to share mental health information based on their professional judgment.   This includes situations where sharing is in the best interests of the patient, or where it would prevent or lessen a risk of harm.

If a patient poses a risk of harm to themselves or others, or exhibits behavior that may threaten their health or safety, providers need to be able to use professional judgment to identify the potential or likely risk and determine who can help lessen it.

Ways to Share Mental Health Information

There are several ways the provider may address the situation.

If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient's personal representative (if applicable).   They can also share with family or friends involved in the patient's care if it is determined to be in the patient's best interest.

When a provider believes that a patient presents a serious and imminent threat to the health or safety of themselves or another person, the provider may contact anyone reasonably able to lessen the risk of harm.

OCR Won't Second Guess

The Office for Civil Rights (OCR) states it won't second-guess a mental health provider's judgment when a patient is a threat to himself or others. HIPAA allows mental health providers to share information in these situations.

For more detail see the OCR guidance on this vital topic.  Remember to check state law for any restrictions on sharing.  It is the responsibility of all providers of mental health treatment to know the rules before managing this information.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.