Health Information Compliance Alert
Know the Facts on Gap Analysis Vs. Risk Analysis
PDF
Question: We keep hearing that a gap analysis of how we implement our HIPAA compliance plan is a whole lot easier and quicker than performing an annual risk analysis. Is that true and should we switch to that type of risk management process? Michigan Subscriber Answer: A gap analysis has some benefits, but overall, your organization is better off sticking with the more thorough and involved risk analysis for HIPAA planning. Here’s why: “A gap analysis is typically a narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule have been implemented,” notes the HHS Office for Civil Rights (OCR) in its Cybersecurity Newsletter. “A gap analysis provides a high-level overview of how an entity’s safeguards are implemented and show what is incomplete or missing (i.e., spotting ‘gaps’), but it generally does not provide a comprehensive, enterprise-wide view of the security processes of covered entities and business associates.” A gap analysis is a partial investigation of your HIPAA compliance practices and usually focuses specific problem areas such as IT systems, workforce sanctions for noncompliance, or logging protocols. On the other hand, a risk analysis offers a more in-depth look at an organization’s practices in their entirety — and OCR also allows CEs and BAs to choose their own methodology for implementation and documentation. “There are certain practical elements” that entities should incorporate into their Security Rule risk analysis compliance, OCR says. Here’s a short runsheet of what you should be doing as part of your risk analysis, according to the Cybersecurity Newsletter:
Health Information Compliance Alert
- HIPAA:
Bolster HIPAA Understanding With These Fundamentals
Tip: Train staff on regulations to boost compliance efforts. You may discuss HIPAA with your [...] - Compliance:
Feds Continue to Target PHE-Related Telehealth Services in 2022
Tip: Prepare for possible OIG scrutiny now. As providers struggled to contend with the pandemic, [...] - MPFS 2022 Focuses on Telehealth Evolution
In the calendar year (CY) 2022 Medicare Physician Fee Schedule (MPFS), the Centers for Medicare [...] - Utilize Opportunities to Review Telehealth Practices
Tip: Examine compliance policies and make adjustments as needed. Whether your organization has been using [...] - Reader Questions:
Understand These HIPAA Conduit Exception Rule Specifics
Question: With all the concerns over cybersecurity issues over the last couple of years, we [...] - Reader Questions:
Know the Facts on Gap Analysis Vs. Risk Analysis
Question: We keep hearing that a gap analysis of how we implement our HIPAA compliance [...] - Industry News:
Don’t Forget to Report 2021 Small Breaches to OCR By March 1
If your practice experienced a small breach last year, the clock is winding down on [...] - Industry Notes:
ONC Wants Input on Prior Authorization for HIT
The feds aim to help healthcare providers cut down on their administrative duties and give [...] - Industry Notes:
Stay on Top of Promoting Interoperability Program 2021 Attestation Due Dates
Hospitals and critical access hospitals (CAHs) that haven’t registered for the Promoting Interoperability (PI) Programs [...] - Industry Notes:
PHE Gets Its 8th Renewal
You can heave a sigh of relief — the feds are extending the COVID-19 Public [...]