Is information security gap analysis important for HIPAA compliance?

Security gap analysis is a strong, reliable technique for enterprises looking to assure HIPAA compliance. Expert Mike Chapple explains how to perform the analysis.

Mike Chapple, University of Notre Dame

Some sources say healthcare organizations should perform "gap analysis" to find weak spots in HIPAA compliance....

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please log in.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Is this a good idea? How should we go about performing compliance gap analysis?

It is absolutely a good idea. Security gap analysis is a time-tested compliance technique that is well-suited for organizations subject to HIPAA, PCI DSS and other security and privacy regulations. A gap analysis or assessment basically consists of measuring the performance of IT assets to see if they are meeting the expected performance metrics. A security or compliance gap analysis, therefore, would measure the current compliance efforts of an organization against the stated requirements of a regulatory body or standards group.

Organizations conducting an information security gap analysis should first decide who will perform the assessment. If the assessment is for internal use, it may be appropriate to have internal staff conduct the assessment, if they are qualified to evaluate regulatory compliance. On the other hand, if the assessment will be shared with external stakeholders, the organization may wish to leverage the independence of a third-party audit firm.

The meat of the information security gap analysis is a requirement-by-requirement assessment of the organization's compliance with the HIPAA rules. The assessor should document how the organization complies with each part of the regulation and then identify any gaps that require remediation before the organization is fully compliant. This gap assessment then provides the organization's leadership with a roadmap to full compliance.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out what privacy regulations enterprises should follow

Learn how companies should handle SaaS compliance

Discover who should perform HIPAA and HITECH compliance assessments

This was last published in March 2016

Datadog Log Management is now HIPAA-compliant

HIPAA compliance not guaranteed with ePHI security

Compliance Manager tool aims to ease security audit process

Can organizations use a SOC 2 report to help with HIPAA compliance?

Next Steps

Dig Deeper on Security audit, compliance and standards

Datadog Log Management is now HIPAA-compliant

HIPAA compliance not guaranteed with ePHI security

Compliance Manager tool aims to ease security audit process

Can organizations use a SOC 2 report to help with HIPAA compliance?

Related Q&A from Mike Chapple

Stateful vs. stateless firewalls: Understanding the differences

Wired vs. wireless network security: Best practices

The difference between AES and DES encryption