HIPAA Gap Analysis and a HIPAA Risk Analysis

HIPAA Gap Analysis
Learn about the HIPAA Gap Analysis

What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis?  Many organizations use the two terms interchangeably, but they are not the same thing.  Don’t make the same mistake. We can help you understand the difference.

Office of Civil Rights Requirements

The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis.  It requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information (ePHI) the organization holds.  Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI.  This includes all ePHI that is created, received, maintained or transmitted, whatever the source or location of the ePHI.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis.  A Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization that reveals whether certain policies, controls or safeguards required by the HIPAA Rules are in place and implemented.  The HIPAA Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems, and it must cover all facilities, as they relate to privacy and to uses and disclosures of PHI.

Gap Analysis Insufficient for HIPAA Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement, because it does not demonstrate an accurate and thorough analysis.  A risk analysis must consider all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits.  Consequently, the gap analysis is not equivalent to the risk analysis, as it does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A).  It is important to note that OCR expects a covered entity to document and implement all of the necessary requirements of the HIPAA Rule to obtain a Compliant rating.

Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis.  Ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.

HIPAA Technical Safeguards Protect PHI

Why Technical Safeguards?

HIPAA technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. Technical safeguards are important due to constant technology advancements in the health care industry. They are key elements that help to maintain the safety of EPHI as the internet changes.  One of the greatest challenges that healthcare organizations face is protecting electronic protected health information (EPHI).  This includes protecting electronic health records from various internal and external risks. To best reduce risks to EPHI, covered entities must implement technical safeguards.

Comply with Technical Safeguards

The Security Rule requires a covered entity to comply with the HIPAA Technical Safeguard standards and certain implementation specifications.  A covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “Technical Safeguards”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”  

This rule is based on several fundamental concepts.  These concepts include:

  • Flexibility
  • Scalability
  • Technology neutrality

As written, the standards identify no specific types of technology that must be implemented.  It is entirely up to a covered entity to determine what security measures and specific technologies are reasonable and appropriate for implementation within the entity.

Solutions vary in nature depending on the organization.   The Security Rule requires that reasonable and appropriate measures must be implemented and that the General Requirements of the rule must be met. That is the most important requirement.

Implementing “The Security Rule”

In the Security Standards, under General Rules, the Flexibility of Approach provision gives the entity important guidance on the decisions a covered entity must consider when selecting security measures such as technology solutions.  Once an organization has completed the required risk analysis and risk management process, the entity will be able to make appropriate, informed decisions.

The Rule allows the use of security measures but there is no specific technology that is required.  The guidance given is that the entity should reasonably and appropriately implement the Standards and implementation specifications.  As a result of this the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.  

Technical Standards:

  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

Standard: Access Control

This first standard is meant to outline the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

It provides users with rights and/or privileges to access and perform functions using programs, files, information systems and applications.  Ideally it should provide access to the minimum necessary information required to perform a duty within the organization. This access should be granted based upon a set of access rules the covered entity implements as part of “Information Access Management,” outlined in the Administrative Safeguards section of the Rule.

The standard requires a covered entity to:

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Information Access Management.”

There are many different combinations of access control methods and technical controls that can be used to accomplish these objectives.  Whatever method is used it should be appropriate for the role and/or function of the workforce member.

There are four implementation specifications:

  • Unique User identification (Required)
  • Emergency Access Procedure (Required)
  • Automatic Logoff (Addressable)
  • Encryption and Decryption (Addressable)

Unique User Identification (Required)

According to this implementation specification, a covered entity is directed to do the following:

“Assign a unique name and/or number for identifying and tracking user identity.”

User identification is a process used to identify a specific user of an information system, typically by name and/or number.  This identifier allows an entity to track specific user activity when that user is logged into an information system.  It thereby enables an entity to hold users accountable for functions performed on information systems containing EPHI while logged into those systems.

The Rule does not specify any format for identifiers.  A covered entity must determine the best user identification strategy based on its workforce and its operations.

Emergency Access Procedure

Under this implementation specification the organization is asked to:

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”  

There must be well-documented procedures and instructions that allow an entity to access EPHI during emergency situations.  An entity must determine the types of situations that would require emergency access to information systems.  Examples to consider would be loss of power or hijacking of data.

Automatic Logoff

Under this implementation specification the organization is asked to:

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Automatic logoff from a system is a common approach to protecting against inadvertent access to workstations. It is an effective way to prevent unauthorized users from accessing EPHI on a workstation left unattended.

Encryption and Decryption

Under this implementation specification the covered entity is asked to consider:

“Implement a mechanism to encrypt and decrypt electronic protected health information.”  

This is an addressable implementation specification and should be put into effect when it is a reasonable and appropriate safeguard for a covered entity.  Encryption is a method of converting messages into encoded text using an algorithm.  With this technique there is a low probability that anyone other than the intended recipient, who holds the key, can read the information.  There are many ways to encrypt, and many technologies, to protect data from being inappropriately accessed.  It is up to the entity to decide whether this is necessary.

When the Security Rule was enacted, its drafters recognized the rapid advances in technology. Consequently, it would be very difficult to give guidelines that would have to change regularly. For this reason, they chose not to require specific safeguards.  It is up to the organization to do a careful risk assessment.  Based on this, it may create the appropriate mechanism to protect ePHI.  Presently the encryption of ePHI is an effective tool.  It is a good safeguard for the safe transmission of email and texts through the cloud.  In many cases this has become the standard for the transmission of sensitive data in healthcare and in the business world.

Standard:  Audit Controls

Audit controls are key in monitoring and reviewing activity in the system to protect its EPHI.

The standard requires a covered entity to:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Information systems must have some level of audit control with the ability to provide reports.  These controls are useful for auditing system activity in the face of a security violation.

The Security Rule does not identify specific data to be gathered by the audit controls.  It is up to the covered entity to consider this after a risk analysis and to determine the most reasonable and appropriate audit controls for its systems that contain EPHI.
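
As an added example (not code from the original page), the following Python script shows what “record and examine activity” can look like in practice.  It parses a small constructed audit log of EPHI accesses and runs three review checks that the Access Control and Audit Controls standards above motivate: events attributed to a shared account rather than a unique user identifier, events outside business hours, and users touching an unusually large number of distinct records.  The record format, field names, shared-account names and thresholds are assumptions made for this example; the Rule leaves those choices to the covered entity.

```python
"""Audit-control review over constructed EPHI access events.

Added example, not code from the original page. The JSON-lines record
format, field names (ts, user, action, record), SHARED_ACCOUNT_NAMES and
the thresholds below are assumptions for illustration only.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log: one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:02:11", "user": "jdoe", "action": "view", "record": "PT-1001"}
{"ts": "2024-03-04T08:05:40", "user": "jdoe", "action": "update", "record": "PT-1001"}
{"ts": "2024-03-04T08:07:02", "user": "nurse-station", "action": "view", "record": "PT-1002"}
{"ts": "2024-03-04T08:09:15", "user": "asmith", "action": "view", "record": "PT-1003"}
{"ts": "2024-03-04T08:09:31", "user": "asmith", "action": "view", "record": "PT-1004"}
{"ts": "2024-03-04T08:09:47", "user": "asmith", "action": "view", "record": "PT-1005"}
{"ts": "2024-03-04T08:10:02", "user": "asmith", "action": "view", "record": "PT-1006"}
{"ts": "2024-03-04T23:41:09", "user": "jdoe", "action": "export", "record": "PT-1007"}
"""

# Account names that do not identify a single person (assumed for this example).
SHARED_ACCOUNT_NAMES = {"nurse-station", "admin", "shared", ""}


def parse_audit_log(text):
    """Parse JSON-lines audit records into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def shared_account_events(events):
    """Events that cannot be tied to one person (Unique User Identification)."""
    return [e for e in events if e["user"] in SHARED_ACCOUNT_NAMES]


def after_hours_events(events, start_hour=7, end_hour=19):
    """Events outside the assumed business window [start_hour, end_hour)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def high_volume_users(events, max_records=3):
    """Users who touched more distinct records than max_records."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["record"])
    return sorted(u for u, recs in seen.items() if len(recs) > max_records)


def review(text):
    """Run all checks and return a summary a reviewer can act on."""
    events = parse_audit_log(text)
    return {
        "total_events": len(events),
        "shared_account_events": len(shared_account_events(events)),
        "after_hours_events": len(after_hours_events(events)),
        "high_volume_users": high_volume_users(events),
        "actions": dict(Counter(e["action"] for e in events)),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the constructed log the review flags the one `nurse-station` event, the one late-night export, and `asmith` as the only user above the distinct-record threshold.  The point is not the particular thresholds but that the log carries enough fields (who, what, which record, when) for such questions to be answered at all, which is what the audit controls standard asks the entity to decide.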

Standard: Integrity

Integrity is defined in the Security Rule, as “the property that data or information have not been altered or destroyed in an unauthorized manner.”

The standard requires a covered entity to:

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

The purpose of this standard is to establish and implement policies and procedures for protecting EPHI from being compromised, regardless of the source.  It will help prevent workforce members from making accidental or intentional changes that alter or destroy EPHI.  It may also help prevent alterations caused by electronic media errors or failures.

There is one addressable implementation specification.

Mechanism to Authenticate Electronic Protected Health Information

If it is reasonable and appropriate a covered entity must:

“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”

A covered entity must do a risk analysis and determine from this the various risks to the integrity of EPHI.  This will help define the security measures necessary to reduce the risks.

Standard:  Person or Entity Authentication

Authenticating the individual who has access to the system is very important in the establishment of technical safeguards.

This standard requires a covered entity to:

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”  

This standard requires a system of identification to verify that a person is who they claim to be before they get access to the system.  There are many ways of accomplishing this, such as passwords, PINs, smart cards, tokens, keys or biometrics.

The mechanism used will depend on the organization.  Most organizations rely on a password or PIN.  If the credentials entered match those held by the system, the user is then allowed access.

Standard: Transmission Security

It is important to guard all transmissions of electronic protected health information.

This standard requires a covered entity to:

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Once a covered entity has completed a risk analysis, it will review and understand the current methods used to transmit EPHI.  Consider whether it is sent by email, over the internet, across a network or by texting.  Once these methods are reviewed, the entity can determine the best way to protect EPHI.

There are two implementation specifications:

  • Integrity Controls
  • Encryption

Integrity Controls

If, based on a risk analysis, this implementation specification is reasonable and appropriate, the covered entity must:

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

Integrity in the context of this implementation specification focuses on making sure the EPHI is not improperly modified during transmission.  This may be accomplished by using network protocols that confirm the data that was sent is the data that was received.

Encryption

After a risk analysis if this implementation specification is a reasonable and appropriate safeguard the covered entity must:

“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

As mentioned earlier under the Access Control standard, encryption is a method of converting messages into an encoded or unreadable text that is later decrypted into comprehensible text.  This is an addressable implementation, similar to that under Encryption and Decryption.

Encryption works only if the sender and receiver are using the same or compatible technology.  The Security Rule allows covered entities the flexibility to determine when, with whom and what method of encryption to use. 
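
The integrity mechanism described under the Integrity standard and the Integrity Controls specification above can be implemented with a keyed message authentication code.  The following Python example, added here and not taken from the page, seals a constructed EPHI record with an HMAC-SHA256 tag on the sending side and verifies it on the receiving side, so that a record modified in transit, or one sealed under a different key, is detected.  The envelope layout, field names and the fixed demo keys are assumptions for this example; a real deployment distributes the key out of band and normally combines this check with encryption of the record itself.

```python
"""HMAC-SHA256 integrity check for an EPHI record in transit.

Added example, not code from the original page. The envelope layout, field
names, DEMO_KEY and OTHER_KEY are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed demo keys. In practice the key is shared out of band between
# sender and receiver and is never embedded in code.
DEMO_KEY = bytes.fromhex("0f" * 32)
OTHER_KEY = bytes.fromhex("a5" * 32)  # a key the receiver does not share


def canonical_bytes(record):
    """Serialize deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key):
    """Sender side: attach an HMAC-SHA256 tag over the canonical record."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope, key):
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Return (intact_ok, tamper_detected, wrong_key_detected)."""
    record = {"patient_id": "PT-1001", "drug": "warfarin", "dose_mg": 5}  # constructed
    envelope = seal(record, DEMO_KEY)
    intact_ok = verify(envelope, DEMO_KEY)
    # Modified in transit: the dose is changed but the tag is left as sent.
    tampered = {"record": dict(record, dose_mg=50), "tag": envelope["tag"]}
    tamper_detected = not verify(tampered, DEMO_KEY)
    # Sealed under a key the receiver does not hold.
    wrong_key_detected = not verify(seal(record, OTHER_KEY), DEMO_KEY)
    return intact_ok, tamper_detected, wrong_key_detected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two design points carry the weight here: the record is serialized canonically (sorted keys, no whitespace) so that sender and receiver hash the same bytes even if their JSON libraries differ, and the comparison uses `hmac.compare_digest` rather than `==` so that verification time does not leak how many tag bytes matched.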

In Conclusion

HIPAA technical safeguards are important due to technology advancements as they help to protect EPHI in today’s environment.  It is crucial for all covered entities and business associates who deal with electronic PHI to review their use of Technical Safeguards to be fully in compliance.  

We are available to discuss Technical Safeguards with your organization.


HIPAA and Social Media can be Problematical

Benefits of Social Media

Social media offers many benefits for health care organizations because it allows interaction with patients and others and offers education and services.  As a result, it is an essential communication and marketing tool and part of strategic marketing plans.  Organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be problematical.

Authorization to use PHI

It is possible to violate HIPAA Rules and patient privacy while using social media, if not managed correctly.  Due to this it is important for health care organizations to disclose protected health information carefully.   An organization must do so only with patient authorization for interviews, photographs and marketing communications.

Media Posts May Risk Privacy

Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI.  The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed.  There must also be a low risk that the remaining information could be used to identify the patient. Facial images and other identifiers such as tattoos must also be removed.

Preventing HIPAA Privacy Risk

Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment.  Many organizations deal with the issue through development of a social media use policy.   They also monitor social media activity.  If not addressed, HIPAA and Social Media can be problematical.

Using Cybersecurity to Protect PHI

Risk From Many Sources

HIPAA Technical Safeguards protect PHI and are a major part of any HIPAA Security program. Using cybersecurity to protect EPHI is a key feature of HIPAA.  Technical safeguards are key protections that help to maintain the safety of EPHI as the internet changes.  One of the greatest challenges that healthcare organizations face is protecting electronic protected health information (EPHI).  This includes protecting electronic health records from various internal and external risks. To best reduce risks to EPHI, covered entities must implement technical safeguards.

An organization may face multiple challenges as it attempts to protect EPHI.  These issues must all be considered, as they may originate from inside or outside the organization.  It is important for any organization to perform a full risk analysis to protect itself from such a variety of threats.  We present several examples of cyberthreats in healthcare you must be ready to address.  This will help you as you develop your Security Program.

Cyberthreats From Outside Sources

In today’s environment bad actors will continually find new potential targets.  We must be prepared to handle the security threats of tomorrow.

Cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.  There are many risks, and these come in various forms.  Among these are malware erasing your entire system, a cyber-attacker breaching your system and altering files, a cyber-hijacker using your computer to attack others, or an attacker stealing or freezing your data in return for money. There is no guarantee that even with the best precautions you will prevent this, but there are steps you can take to minimize the chances.

Using cybersecurity to protect PHI is a key feature of HIPAA.  Electronic protected health information, or EPHI, is at increased risk from many sources:

  • Foreign hackers looking for data to sell, usually on the dark web
  • Ransomware attacks that lock up data until a ransom payment is received
  • Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software
  • Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source, usually instructing a transfer of funds
  • The Internet of Things (IoT), whose interconnected devices can serve as a means for viruses or malware to enter our systems

What You Can Do

In order to safeguard EPHI against threats:

  • First, know how to spot phishing emails.
  • Learn how to use strong passwords, two factor authentication and encryption.
  • Finally, have policies, procedures and safeguards in place to protect EPHI, and know who to report an incident to in your organization.

Prepare for Cyberattacks

In the case of a cyberattack or similar emergency an entity must:

  • Execute its response and mitigation procedures and contingency plans.
  • Report the crime to other law enforcement agencies.
  • Report all cyber threat indicators to federal and information-sharing and analysis organizations.
  • Finally, it must report the breach to the Office for Civil Rights (OCR) as soon as possible, but not later than 60 days after the discovery of a breach affecting 500 or more individuals.

The OCR considers all mitigation efforts taken by the entity during any breach investigation.  For instance, such efforts include voluntary sharing of breach-related information with the appropriate agencies.  Remember in the event of a cyberattack it is critical to comply with breach reporting requirements.

Texting Protected Health Information

When we talk about texting there are two different types of texting we must consider.  Each of these works differently and serves very different needs.  The first type is what we usually perform using our phone and carrier and is also known as Short Message Service (SMS). This is the default app on our phone that many people use to send and receive texts every day. It is not secure. The second type is app based and is used by healthcare providers (mostly doctors and nurses) to communicate with one another on patient-related care. It can also be used by providers to communicate with patients, and it is secure.

To be compliant, secure texting needs to meet certain technical standards for HIPAA compliance:

  • Encryption of message data in transit and at rest
  • Reporting/auditability of message content
  • Passcode enforcement
  • Authentication
  • Permissions management capabilities

If safeguards like these are in place, PHI can be sent with a minimum of risk. 

Because SMS is an unencrypted channel, one might presume an entity cannot send PHI over it. This is actually not true, because encryption is not mandated by the Security Rule. Healthcare organizations must determine whether encryption is a reasonable and appropriate safeguard for protecting PHI. If the covered entity does not deem encryption reasonable and appropriate, it is possible to use alternative safeguards.

Recent Clarification from OCR

At the recent HIMSS health IT conference in Las Vegas on March 6, Roger Severino, director of the OCR, said that healthcare providers may share PHI with patients through standard (SMS) text messages.

Providers must do the following:

  • Warn their patients that texting is not secure
  • Gain the patients’ authorization
  • Document the patients’ consent

Presently these represent comments and have yet to enter into policy.   The OCR has long-promised guidance on this topic and it is reasonable to assume a ruling on the topic is imminent.

Patient Orders

In December 2017, the Joint Commission issued a clarification explicitly stating the use of Secure Texting for patient orders is prohibited.  Providers should opt for the use of Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE.  When using this system, orders are immediately downloaded into the provider’s electronic health records (EHR). Moreover, this method is preferred as the order would be dated, timed, authenticated and promptly placed in the medical record.

Finally, using cybersecurity to protect PHI remains the cornerstone to protecting all ePHI which all organizations should address in today’s healthcare climate.

Incomplete Efforts at Encryption

The OCR ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in penalties for HIPAA violations after half-hearted and incomplete efforts at encryption.

Judgement Against MD Anderson

“A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. Moreover this is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.”

Encryption Policies Ignored

The Office of Civil Rights (OCR) ordered the University of Texas MD Anderson Cancer Center (MD Anderson) to pay $4,348,000. These were civil money penalties for HIPAA violations because it did not follow its own encryption policies or the HIPAA Rules.

MD Anderson lost an unencrypted laptop and two flash drives during 2012 and 2013. The devices contained the electronic personal health information of over 33,500 individuals. Consequently, this lack of technical safeguards greatly influenced the decision of OCR.

OCR Serious About Lack of Technical Safeguards

Despite creating policies for encryption, the center failed to follow them or to pursue their implementation promptly after the 2012 and 2013 breaches. As a result, after the investigation it was clear to the court that the organization had failed to follow the HIPAA Rule.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino.  The $4.3 million is the fourth largest amount ever awarded to the OCR.

Most importantly, know that having security policies is not sufficient. An organization must observe and follow these policies to protect patients and the entity. Consequently, all organizations must routinely review their plan, train their employees on HIPAA and monitor that everyone follows the plan.

The Notice of Proposed Determination by OCR