What Taylor Swift and HIPAA Compliance Have in Common

January 26, 2024

What does Taylor Swift have to do with HIPAA? Turns out, not a whole lot. But in one line in particular from her famous "ME!" song, Taylor sings "But one of these things is not like the others." It's a famous phrase that might date back to one of Sesame Street's trademark segments in which the adult actor presented four items, three of which matched, and one that was different. The words of the song asked the children viewing the show to figure out which one "doesn't belong". At the end of the song, the actor presented the correct answer.

Whether it's Taylor Swift or Sesame Street, this notion of "what doesn't belong" can be applied to HIPAA terms. Chances are you've heard things like "security risk analysis," "risk assessment," "gap assessment," and "compliance assessment." While these may all sound similar, there are actually two distinct processes here with unique purposes -- technically called the "HIPAA Security Risk Analysis" and the "HIPAA Security Non-Technical Evaluation." Let's delve into the details of each, shedding light on their roles in relation to meeting HIPAA compliance as a healthcare provider, health plan, or vendor.

Defining HIPAA Security Risk Analysis:

The HIPAA security risk analysis is a crucial process mandated by HIPAA for healthcare providers, health plans, and their vendors who have intentional or incidental access to electronic protected health information (ePHI). It requires a comprehensive approach, evaluating all risks associated with ePHI. As per the HIPAA Security Rule 45 CFR § 164.308(a)(1)(ii)(A), this analysis considers factors such as threats, vulnerabilities, likelihood, and impact.

This analysis scrutinizes how ePHI is created, received, maintained and/or transmitted within an organization. A true HIPAA security risk analysis doesn't just identify risks; it also provides a remediation plan. This plan, as mandated by the HIPAA Security Rule 45 CFR § 164.308(a)(1)(ii)(B), acts as a roadmap, guiding organizations in addressing and rectifying any security risks uncovered during the risk analysis. For more information and guidance on HIPAA risk analyses, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) website is a valuable resource.

Deciphering HIPAA Non-Technical Evaluation aka "HIPAA Gap Analysis":

On the other hand, a HIPAA Non-Technical Evaluation, sometimes incorrectly called a “HIPAA Risk Assessment” and correctly referred to as a gap or compliance assessment, focuses on how an organization is aligned with the adoption of the HIPAA Security Rule.

The HIPAA Security Rule consists of a set of standards and implementation specifications designed to ensure the confidentiality, integrity, and availability of ePHI. There are a total of 18 standards within the Security Rule, organized into three categories: administrative safeguards, physical safeguards, and technical safeguards. 

Each standard includes various implementation specifications that provide detailed requirements for alignment. Here's a breakdown of the standards within each category:

Administrative Safeguards (9 standards):

  • Security Management Process
  • Security Personnel
  • Information Access Management
  • Workforce Training and Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts and Other Arrangements

Physical Safeguards (4 standards):

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical Safeguards (5 standards):

  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

HIPAA Gap Assessment: Not a Substitute for a HIPAA Security Risk Analysis:

It's crucial to recognize that while a compliance/gap assessment is effective in locating possible holes in a security program, it is not a substitute for what is required within a HIPAA security risk analysis, as mandated by the HIPAA Security Rule. According to the HIPAA Security Rule 45 CFR § 164.308(a)(1)(ii)(A), a gap assessment is truly an introduction to the broader landscape of risk analysis. In fact, one of the implementation specifications of the Security Management Process standard is to conduct an enterprise-wide security risk analysis.

When deciding whether to prioritize a risk analysis or a compliance/gap assessment, starting with a comprehensive HIPAA risk analysis ensures that the organization is adhering to regulatory requirements. Once the risk analysis is completed and remediation efforts are underway, a gap assessment can then provide insight into the effectiveness of existing administrative, physical and technical safeguards.

In conclusion, OCR – the enforcement arm of HIPAA – requires a lot of organizations, and the requirements around completing an enterprise-wide HIPAA security risk analysis as well as a HIPAA security compliance/gap assessment are not to be taken lightly. Both bodies of work require subject matter experts and often require technology to perform these tasks appropriately. Ultimately, the intricacies of HIPAA demand a comprehensive approach, and both risk analysis and gap analysis play integral roles in fortifying the security of ePHI within healthcare organizations.
