HIPAA Security Rule gap analysis

Web Site: http://m3ipinc.com

HIPAA is arguably the most challenging compliance issue facing healthcare organizations today. The Security Rule provisions of HIPAA are now at the forefront of healthcare legislation in the United States, and every covered healthcare organization will be held accountable for compliance. These measures, although costly and time consuming, will ultimately result in cost savings and increased efficiencies across the entire healthcare industry.

Things to know about the HIPAA Security Rule:

What? The rule applies to ePHI (electronic protected health information), which is individually identifiable health information in electronic form.

Who? Covered Entities (CEs) must comply with the rule's requirements. CEs include:

Health Plans
    Medicare Parts A, B and supplements
    Veterans Health Care providers
    Long-term health care

Health Care Providers

Health Care Clearinghouses
    Billing Services
    Community Health Information Systems
    Community Health Management Systems

How? CEs must maintain reasonable and appropriate administrative, physical and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.

Why? The basic premise of the Security Rule is to protect the confidentiality, integrity and availability of ePHI when it is stored, maintained or transmitted.

When? The final Security Rule is effective as of April 21st, 2003. Most CEs must comply by April 21st, 2005. Small health plans (those with yearly receipts of $5 million or less) have until April 21st, 2006.

What is a Gap Analysis?

A gap analysis provides an assessment of your current state against current best practices and methodologies. It should focus on the three current HIPAA safeguard standards:

Administrative safeguards
Physical safeguards
Technical safeguards
The gap analysis should be based primarily on information gathered by your own organization: extensive information gathering and current-state assessments of your controls and operational procedures, performed by your internal IT staff. This method provides:

Better Use of Resources
Greater Understanding of the I/T Infrastructure
Substantial Cost Savings

What does the Gap Analysis provide?

The primary focus of the gap analysis is to evaluate the information collected during the information gathering process against the requirements of the HIPAA Security Rule. Once the process is complete, you will have established the benchmark for the mandated risk analysis. The risk analysis is the basis for your decisions about what should be done to mitigate the risk of an incident, how to implement those decisions and which activities need to be documented. It also provides the groundwork for your ongoing efforts to protect ePHI (electronic protected health information). The gap analysis should be broken down into four phases:

Information Gathering Checklist
Questionnaire & Policy and Procedures Review
Summary of Gap Results
Matrix Summary
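The matrix summary phase can be scripted once the questionnaire answers are in hand. The script below is an added example written for this page; it is not part of the newsletter or of m3ip's own method. The safeguard standards it lists are an illustrative subset of the Security Rule's administrative, physical and technical safeguards (a real analysis enumerates every standard and implementation specification in the rule), and the questionnaire answers are constructed sample data. The point it makes that the four-phase outline does not: "addressable" is not "optional". An addressable specification counts as met only if it is implemented or an alternative measure is documented with a rationale, and a required specification is never met by an alternative.

```python
"""Gap matrix summary for a HIPAA Security Rule gap analysis (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Spec:
    safeguard: str   # "Administrative", "Physical" or "Technical"
    standard: str    # the Security Rule standard
    spec: str        # implementation specification (or the standard itself)
    required: bool   # True = required, False = addressable


# Illustrative subset of Security Rule standards (assumption: a real gap
# analysis enumerates every standard and implementation specification in
# 45 CFR 164.308, 164.310 and 164.312). A standard with no separate
# implementation specification is listed under its own name and is required.
SPECS = [
    Spec("Administrative", "Security Management Process", "Risk Analysis", True),
    Spec("Administrative", "Security Management Process", "Information System Activity Review", True),
    Spec("Administrative", "Security Awareness and Training", "Password Management", False),
    Spec("Administrative", "Security Incident Procedures", "Response and Reporting", True),
    Spec("Administrative", "Contingency Plan", "Disaster Recovery Plan", True),
    Spec("Administrative", "Contingency Plan", "Testing and Revision Procedures", False),
    Spec("Administrative", "Evaluation", "Evaluation", True),
    Spec("Physical", "Workstation Security", "Workstation Security", True),
    Spec("Technical", "Access Control", "Unique User Identification", True),
    Spec("Technical", "Access Control", "Automatic Logoff", False),
    Spec("Technical", "Access Control", "Encryption and Decryption", False),
    Spec("Technical", "Audit Controls", "Audit Controls", True),
    Spec("Technical", "Person or Entity Authentication", "Person or Entity Authentication", True),
    Spec("Technical", "Transmission Security", "Encryption", False),
]


def key(spec):
    """Questionnaire key for one specification."""
    return f"{spec.standard}: {spec.spec}"


# Constructed questionnaire answers: (status, documented rationale). status is
# "yes", "partial", "no" or "alternative"; a specification missing from the
# dict is treated as unanswered (here: Transmission Security: Encryption).
ANSWERS = {
    "Security Management Process: Risk Analysis": ("no", ""),
    "Security Management Process: Information System Activity Review": ("partial", ""),
    "Security Awareness and Training: Password Management": ("no", ""),
    "Security Incident Procedures: Response and Reporting": ("partial", ""),
    "Contingency Plan: Disaster Recovery Plan": ("yes", ""),
    "Contingency Plan: Testing and Revision Procedures": ("alternative", "tabletop DR walkthrough every six months"),
    "Evaluation: Evaluation": ("no", ""),
    "Workstation Security: Workstation Security": ("yes", ""),
    "Access Control: Unique User Identification": ("yes", ""),
    "Access Control: Automatic Logoff": ("alternative", ""),
    "Access Control: Encryption and Decryption": ("alternative", "ePHI at rest lives only on encrypted SAN volumes"),
    "Audit Controls: Audit Controls": ("partial", ""),
    "Person or Entity Authentication: Person or Entity Authentication": ("alternative", "shared ward logins"),
}


@dataclass(frozen=True)
class Gap:
    spec: Spec
    reason: str


def assess(spec, answer):
    """Return a Gap for one specification, or None if it is satisfied."""
    # Addressable is not optional: it is met by implementing the specification
    # or by documenting why that is not reasonable and what alternative is in
    # place. A required specification has no alternative route.
    status, rationale = answer if answer is not None else ("unanswered", "")
    if status == "yes":
        return None
    if status == "alternative":
        if spec.required:
            return Gap(spec, "required specification cannot be met by an alternative measure")
        if not rationale.strip():
            return Gap(spec, "alternative measure claimed but no rationale documented")
        return None
    return Gap(spec, f"status '{status}'")


def evaluate(answers, specs=SPECS):
    """All gaps, required specifications first (the order of the action plan)."""
    gaps = [g for s in specs if (g := assess(s, answers.get(key(s)))) is not None]
    return sorted(gaps, key=lambda g: not g.spec.required)  # stable: keeps rule order


def matrix_summary(gaps, specs=SPECS):
    """Matrix summary: per safeguard category, how many specs are met or in gap."""
    rows = {}
    for s in specs:
        rows.setdefault(s.safeguard, {"specs": 0, "met": 0, "required_gaps": 0, "addressable_gaps": 0})
        rows[s.safeguard]["specs"] += 1
    for g in gaps:
        rows[g.spec.safeguard]["required_gaps" if g.spec.required else "addressable_gaps"] += 1
    for row in rows.values():
        row["met"] = row["specs"] - row["required_gaps"] - row["addressable_gaps"]
    return rows


if __name__ == "__main__":
    found = evaluate(ANSWERS)
    for g in found:
        print(f"[{'REQUIRED' if g.spec.required else 'addressable':11}] {g.spec.safeguard}: {key(g.spec)} -> {g.reason}")
    for safeguard, row in matrix_summary(found).items():
        print(safeguard, row)
```

Run as a script it prints the gap list, required items first, followed by one matrix row per safeguard category. Two of the sample answers are the cases a reviewer should be looking for: "Automatic Logoff" claims an alternative with no documented rationale, and "Person or Entity Authentication" tries to satisfy a required specification with an alternative; both land in the gap list rather than being counted as met.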

Some HIPAA security questions you should know the answers to:

Do you have security policy and procedure documentation?

Have you performed a detailed security audit with an action plan within the last 6 months?

Have you provided for staff security awareness training?

Are there controls in place over what information employees can access?

Is there a disaster recovery plan in place?

Are you using diligent authentication methods (i.e. strong passwords, tokens, etc.)?

If you have a security policy in place, how often is it reviewed? Every quarter? Every year?

Are there plans to do periodic testing and assessments of your infrastructure?

Do you have an Incident Response Team? If not, who should be on it?

A gap analysis should be used like a preliminary physical examination. It gives you direction and lets you establish the complexity of the problems. It thus provides the roadmap so that the ongoing treatment, such as in-depth risk analysis, vulnerability assessment and penetration testing, is effective in curing the ailment rather than merely soothing the symptoms.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.

Until next month.....


Michael Desrosiers
m3ip, Inc.
