The latest Office for Civil Rights (OCR) cybersecurity newsletter focused on the differences between a risk analysis and a gap analysis.
The OCR started the newsletter by reminding covered entities and business associates that they must do everything in their power to protect health information. The OCR also reminded covered entities and business associates that one of the requirements for HIPAA compliance is the risk analysis. “Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of ePHI,” the OCR said.
The OCR went on to provide a comparison of the risk analysis and the gap analysis. Essentially, a risk analysis is more comprehensive. A gap analysis assesses whether specific controls and safeguards are implemented. A risk analysis will typically go a step further and evaluate whether the risks and vulnerabilities to ePHI have been addressed by the current safeguards and controls, and it will also identify areas where the organization should modify practices or security measures that are already in place, if necessary.
The OCR also stated that the Security Rule does not require a certain methodology, such as NIST or HITRUST, to assess the risks to ePHI. Additionally, the OCR does not expect the risk analysis to have a specific format, but there should be enough detail to demonstrate that an organization’s risk analysis was thorough.
With that said, the OCR does expect certain requirements to be fulfilled by the risk analysis. Those requirements include ensuring that all risks to ePHI are considered and that all locations where ePHI is stored, transmitted, and received are encompassed. Additionally, technical and non-technical vulnerabilities should be documented, and current security measures should be assessed to determine whether they are the best safeguards the organization can implement.
Finally, the OCR reminds health care organizations that the risk analysis should be reviewed and updated regularly to ensure that the ever-emerging threats and vulnerabilities are addressed.
Join HIPAAgps today to start your risk analysis.