Similar but Different: Gap Assessment vs Risk Analysis

If you’ve heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how to differentiate between them. So much so that we addressed the topic on a recent webinar with our trusted partners and advisers, Crowe Horwath. Click here for a link to the recorded version. In this post, we’ll define the key characteristics of a gap assessment and risk analysis and debunk a few myths along the way.

High-level overview slide from our webinar with Crowe Horwath 

As the more well known of the two, a HIPAA security risk analysis is a comprehensive assessment of all risks to ePHI (Electronic Protected Health Information) as required by HIPAA for healthcare providers and their business associates. By calculating risk based on threat, vulnerability, likelihood and impact, providers can gauge their compliance with HIPAA’s required administrative, physician and technical safeguards. A risk analysis assesses how ePHI is created, received, maintained and stored within an organization. Every bona fide HIPAA risk analysis will produce a remediation plan which creates a road map for “fixing” any security vulnerabilities as found by the risk analysis. For additional information and guidance on HIPAA risk analyses, visit The U.S. Department of Health & Human Services Office for Civil Rights (OCR) website.

Risk Analysis Pro

A gap assessment (also commonly called a HIPAA Compliance Program Review or Audit) is a method of assessing the differences in performance between an organization’s information systems or software applications to determine if there are any existing vulnerabilities in their network security settings. This high-level review of an organization’s controls can be completed using various controls and frameworks based on the target objectives of the gap assessment. Essentially a gap assessment compares what safeguards an organization has in place vs the reality of how well those safeguards are working.

Question within the HIPAA One software regarding Gap Assessment and the HIPAA OCR Audit Protocol

HIPAA Gap Assessment IN HIPAA One

While a gap assessment is without question an effective tool at locating vulnerabilities, OCR clearly states that that a gap assessment is never a substitute for a bona fide risk analysis as required by the HIPAA Security Rule. Think of a gap assessment as an introduction, not a replacement to a risk analysis. When facing the decision of whether your workplace should focus on a risk analysis or gap assessment, our recommendation is always to comply with HIPAA first and tackle your HIPAA risk analysis. Then, once your risk analysis has been completed and remediation has begun, HIPAA One presents the gap assessment in the final report (below). Bottom line, never put your organization at risk by not complying with HIPAA or completing a risk analysis.

At HIPAA One, we offer industry-leading, automated HIPAA risk analysis software and professional services to help your organization “check the box” on this mandatory requirement and be audit-ready. Click here to learn more and speak with a member of the team to hear about new software feature, Automated Templates which measure compliance controls at a corporate level then validating and updated by the field office staff.

GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft. On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation aka GDPR. The new GDPR … [Continue reading]

GDPR and the Impact on U.S. Healthcare Providers

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand … [Continue reading]

Cloud Security in Healthcare

Guest Blog by Yiannis Koukouras, TwelveSec in collaboration with HIPAA One In our culture, something or someone is always trending. Whether it be bell-bottom jeans in the '70's, playing Nintendo in the '80's or watching stock market go up and down … [Continue reading]

Missed your SRA in 2017? Here’s How to Avoid a MIPS Penalty

First, do your HIPAA Security Risk Analysis immediately to reduce chances of a breach while maintaining compliance with all Federal reimbursement programs. With just mere days left before the March 31st MIPS submission deadline, if you have not … [Continue reading]

Consequences for HIPAA Violations

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations … [Continue reading]

We’ve Helped Many Access the LADMF! Need Assistance?

Last May, we wrote a “How To” blog on the Social Security Limited Access Death Master File (LADMF) aka DMF and the response has been overwhelming! The HIPAA One team is delighted by how many of you have come forward and asked us to assist your … [Continue reading]

Newly Released Whitepaper Co-Authored with Microsoft

The concept of the “Internet of Things” (IoT) is becoming an increasingly growing topic of conversation as  more and more companies are interconnecting everyday objects around us to the internet, such as: medical devices, appliances, voices and … [Continue reading]

2017 Deadlines for EHR Incentive Programs

Does your workplace accept any payments from EHR incentive programs like MACRA or Meaningful Use? If so, the fourth quarter is probably a busy time preparing and finalizing documents for submission. At HIPAA One, we understand the amount of extra … [Continue reading]

Not All Risk Analysis Tools Created Equal

One of our favorite phrases at HIPAA One is “free like a puppy.” Our President, Steven Marco uses it regularly on webinars to convey the sentiment that nothing is ever truly free and there is always some kind of hidden string attached. This sentiment … [Continue reading]