Is a Security Risk Analysis the Same as a GAP Analysis?

Is a Security Risk Analysis the same as a Gap Analysis?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) addressed this question as part of their "April 2018 OCR Cyber Security Newsletter: Risk Analyses vs. Gap Analyses - What is the Difference?"

Security Risk Analyses (SRAs)

Under the HIPAA Privacy, Security and Breach Notification Rules, covered entities and their business associates are required to safeguard electronic protected health information (ePHI) through reasonable and appropriate security measures.

A Security Risk Analysis is a requirement under the HIPAA Security Rule, which directs covered entities and business associates to conduct a thorough and accurate assessment of the risks and vulnerabilities to ePHI. This is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of ePHI.

According to OCR, there are certain elements common to a risk analysis that should be incorporated into an entity's risk analysis process. These elements include:

  • The scope of the analysis should address all of an entity's ePHI, regardless of the medium in which it is created, received, maintained, or transmitted, or the source or location of its ePHI.
  • Identify the locations and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should consider not only workstations and servers, but also applications, mobile devices, electronic media, communications equipment, and networks, as well as physical locations.
  • Identify technical as well as non-technical vulnerabilities.
  • Assess current security measures such as encryption and anti-malware solutions.
  • Determine the level of risk for threat and vulnerability combinations identified by the risk analysis.
  • Documentation should demonstrate that a covered entity's or business associate's risk analysis was conducted in an accurate and thorough manner.
  • Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly.

Gap Analyses

While not required by the HIPAA Rules, a Gap Analysis is a useful tool to identify whether certain standards and implementation specifications of the Security Rule have been met. A gap analysis is typically a narrowed examination of a covered entity or business associate's enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.

OCR provided the following example of what to consider in a Gap Analysis:

How does HCP help our clients with Risk Analyses and Gap Analyses?

Healthcare Compliance Pros offers a couple of options for conducting a risk analysis. Many of you already have our self-guided online Security Risk Analysis (SRA). However, our other options include a comprehensive review and custom action plan provided by one of our HIPAA professionals. By default, we perform a gap analysis for all of our clients. This includes the setup process of the compliance programs, customization of policies and procedures, the dashboard that is viewable at the account level, reporting, and other compliance management tools we offer to all of our clients.

If you would like more information about all of our SRA options, or if you have any compliance questions, please feel free to comment below or send us an email at or reach us by phone toll-free at 855-427-0427.