Administrative Safeguard Analysis
The gap analysis begins with a review of items required by the HIPAA Rules as identified in the individual Privacy, Security and HITECH Rules. Data reviewed in a HIPAA Gap Analysis includes the policies the covered entity or business associates must implement to ensure individuals' rights over their PHI, such as the right to access PHI, to request an amendment to PHI or an accounting of disclosures, to request a restriction, to make a privacy complaint, and others. Also under review are the policies and procedures used to safeguard PHI in all formats, whether verbal, paper or electronic. These include administrative requirements such as policies, business associate agreements, named privacy and security officials, training on the policies that affect employees' job duties, a complaint process, and breach reporting.
Physical Safeguard Analysis
In addition, a gap analysis includes a review of physical safeguards, which protect information systems and related equipment and facilities from hazards and intrusions. The analysis examines physical safeguards that protect paper PHI maintained in the regular course of business and also verbal PHI used and disclosed within the organization. A thorough analysis of the physical safeguards requires an onsite review.
Technical Safeguard Analysis
Finally, the gap analysis reviews technical safeguards that protect ePHI by applying mechanisms to protect the confidentiality, integrity and availability of the data. These safeguards control access to PHI and assure the information is true and accurate. They ensure PHI is available for those authorized to use the information to perform their job functions.
How It Can Help You
Above all, the focus is to identify deficiencies and risk areas that exist between the policies and/or protections currently in place in the existing compliance program and the HIPAA Rules requirements. The analysis reviews the gaps identified and highlights the remediation necessary to cure the deficiencies, reduce risk, and bring the program into compliance. This gives the entity the opportunity to determine how best to approach the steps needed to bring itself into compliance.
Most importantly, the gap analysis will give covered entities and business associates an overall snapshot of their compliance efforts. Secondly, it will help them discover areas where they are non-compliant with the HIPAA Rules or that put them at risk. Additionally, it will give the organization a roadmap to compliance. Finally, it will give the privacy officer the information needed to move forward with any necessary revisions to the program.