Chapter 6: Gap Analysis


6.1 INTRODUCTION

In healthcare, the patient history and physical examination are crucial to establishing the correct diagnosis and the proper course of treatment. The approach to HIPAA security compliance is essentially the same. A review of your current environment and operating procedures is needed to help you 'diagnose' your gaps and 'treat' or remediate the problem. An information audit can be considered the history. During this activity, you will document where your organization is today. It is critical that the information you seek relate directly to the issues that involve security. You need to be as broad as possible. Too much information is better than too little. Knowing what you should be looking for, and being willing to be surprised by what you may find, will put you well on the way to developing a complete description of your organization's security posture. The physical exam is essentially your interview and questionnaire process, giving you the real-time view of your organization from the very important perspectives of its people, its policies, and its procedures.

For the purposes of this discussion, we are treating a gap analysis as distinct from a risk analysis. The primary focus of a gap analysis is to evaluate the information gathered during the data-gathering process against the requirements of the HIPAA security regulation. Once that process is complete, you will have established the groundwork for the mandated risk analysis. The risk analysis is the actual basis for your decision-making process: what should be done to mitigate the risk of an incident, how to implement those decisions, and what activities need to be documented. It will also lay the groundwork for your ongoing efforts.

Gap analysis should feed directly into remediation, so the information and data gathered during this process should be organized and presented logically, in a format that will translate easily into your organization's project planning and budgeting processes. During the gap analysis, you can take the opportunity to promote your organization's understanding of HIPAA security, reaffirm its impact, and lay the groundwork for the needed education and training of your workforce. Although your organization may elect to devote additional resources to capturing some of the details called for in the risk analysis, you should not treat the gap analysis as your final risk analysis. The gap analysis is like a preliminary physical exam. It gives you direction and allows you to establish the complexity of the problems. It thus provides the 'map' for the ongoing treatment plan, so that activities such as in-depth risk analysis, vulnerability assessment, and penetration testing are effective in helping to cure the ailment rather than merely soothing the symptoms.

This section outlines an approach to conducting the gap analysis. It is broken down, as much as possible, into checklists and component parts. The intent is to establish a set of tools that can be used by organizations of varying size, covering all aspects of security while minimizing complexity and detail. The approach is intended to be scalable. If something doesn't apply to you, check it as such and move on. Many organizations will want to focus on their policies and procedures, especially if their technical platforms are simple. Remember, the security rule applies to electronic protected health information (ePHI), but, together with the privacy rule, it forms a complete framework that covers all forms of protected health information, on both paper and electronic media. You will need to review the privacy requirements you have implemented and adjust or enhance them with the findings from your HIPAA Security gap analysis.

We have organized this section into two major parts:

  • Project Methodology: Planning is essential to a successful HIPAA gap analysis. We briefly present what you should consider in scoping the project. We discuss the various steps you should take to gather the information and background data. Included are a set of activities and templates that a) document the history and current state of your organization, b) review a cornerstone of your security program, your policies and procedures, and c) provide an approach to reviewing your security-specific elements with your workforce, especially the IM and IT departments.

  • Analysis and Reporting: What to look for and how to present it effectively is the second key to a successful gap analysis. Knowing in advance how to organize the data you gather will allow the most effective transformation of that data into useful information. More importantly, proper organization will force a cohesive statement of your gaps so that you can develop an implementation plan and a resource budget, including manpower and dollars, to comply with the requirements of the regulation by the required date of April 20, 2005 (April 20, 2006 for a small health plan). The processes you implement now, however, form a foundation for information security management within your organization, a set of activities that will become increasingly critical to your operation with the growing use of medical system automation.

This section is organized from the viewpoint of a self-analysis. Self-assessment can work well for your organization, provided you are honest with yourself. Consider setting up an independent team with an appropriate mix of talents. If, however, you do outsource to a consultant who specializes in this area, you should still review this section and use it as a basis for assessing the study results for which you have contracted. You should also firmly establish the scope and boundaries of the HIPAA gap analysis with the consultant. Otherwise, you may easily find yourself paying for additional services you neither need nor want.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
