
HIPAA Security Rule gap analysis

© June 2004 Michael Desrosiers
Web Site: https://m3ipinc.com

HIPAA is arguably the most challenging issue facing healthcare organizations today. The Security Rule provisions of HIPAA are now at the forefront of healthcare legislation in the United States, and all healthcare providers will be held accountable for compliance. These measures, although cost intrusive and time consuming, will ultimately result in cost savings and increased efficiencies across the entire healthcare industry.

Things to know about the HIPAA Security Rule:

What? The rule applies to ePHI (electronic protected health information), which is individually identifiable health information in electronic form.

Who? Covered Entities (CEs) must comply with the rule's requirements. CEs include:

Health Plans
    Medicare Parts A, B and supplements
    Veterans Health Care providers
    Long-term health care

Health Care Providers

Health Care Clearinghouses
    Billing Services
    Community Health Information Systems
    Community Health Management Systems

How? CEs must maintain reasonable and appropriate administrative, physical and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.

Why? The basic premise of the Security Rule is to protect the confidentiality, integrity and availability of ePHI when it is stored, maintained or transmitted.

When? The final Security Rule will be effective as of April 21st, 2003. Most CEs must comply by April 21st, 2005. Small health plans (those with yearly receipts of $5 million or less) will have until April 21st, 2006.

What is a Gap Analysis?

A gap analysis provides an analysis based on current best practices and methodologies. It should focus on the following current HIPAA safeguard standards:


The gap analysis should be based primarily on information gathered by your organization, and will involve extensive information gathering and current-state assessments of your controls and operational procedures by your own internal IT staff. This method will provide:

Better Use of Resources
Greater Understanding of the I/T Infrastructure
Substantial Cost Savings

What does the Gap Analysis provide?

The primary focus of the gap analysis is to evaluate the information collected during the information gathering process against the requirements of the HIPAA Security Rule. Once the process is complete, you will have established the benchmark for the mandated risk analysis. The risk assessment is the basis for your decision-making process as to what should be done to mitigate the risk of an incident, how to implement those decisions, and what activities need to be documented. It will also provide the groundwork for your on-going efforts to protect ePHI (electronic protected health information). It should be broken down into four phases:

Information Gathering Checklist
Questionnaire & Policy and Procedures Review
Summary of Gap Results
Matrix Summary

Some HIPAA security questions you should know the answers to:

Do you have security policy and procedure documentation?

Have you performed a detailed security audit with an action plan within the last 6 months?

Have you provided for staff security awareness training?

Are there controls in place governing what information employees can access?

Is there a disaster recovery plan in place?

Are you using diligent authentication methods? (i.e. strong passwords, tokens, etc.)

If you have a security policy in place, how often is it reviewed? Every quarter? Every year?

Are there plans to do periodic testing and assessments of your infrastructure?

Do you have an Incident Response Team? If not, who should be on it?

A gap analysis should be used like a preliminary physical examination. It gives you direction and allows you to establish the complexity of the problems. Thus it provides the roadmap for the on-going treatment plans, so that activities such as in-depth risk analysis, vulnerability assessment and penetration testing are effective in helping to cure the ailment rather than merely soothing the symptoms.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.

Until next month.....


Michael Desrosiers
m3ip, Inc.
