Gap Analysis in Healthcare: Methodology
To demonstrate how a gap analysis in healthcare is to be performed, consider one specific HIPAA regulation. This regulation, found at 45 CFR 164.310(c), is a Security Rule physical safeguards standard. The language for the regulation is as follows: “(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”
To conduct a gap analysis in healthcare, an organization takes the requirement of a standard (here, the requirement is to implement physical safeguards, to ensure access is restricted to authorized personnel), and turns it into a “yes” or “no” question. The question reframes the requirement into an “are you doing this?” inquiry. The question for the workstation security requirement, therefore, is: “Have you implemented physical safeguards for all workstations that access ePHI, to restrict access to authorized users?”
If the answer to the question is “yes,” there is no gap – the organization is doing what the law requires. If the organization’s answer is “no,” there is a gap between what the organization is doing, and what it should be doing.
An organization then repeats this process with respect to other regulations.
Gap Analysis in Healthcare: Issues
Not every “question” contained in a gap analysis in healthcare has a simple “yes” or “no” answer. An organization must first determine whether certain facts exist before the question can be answered. For the workstation security question, for example, before “Have you implemented physical safeguards…?” can be answered, the organization must first determine:
◈ How many workstations it has; and
◈ Which of these access ePHI.
Once these facts are determined, the question can be answered. If the number of workstations is known, and the number of workstations that access ePHI is known, the organization has enough factual background to answer the question. If the organization does not know which workstations access ePHI, the organization cannot answer “yes” or “no” to the gap analysis question, since it lacks sufficient information. In such a case, an organization should indicate that the answer is “N/A,” with “N/A” standing for “not currently known.” To complete the gap analysis for this question, the organization must inventory its workstations and what each of them accesses.
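The three-way answer described above (“yes,” “no,” or “N/A” when the facts are not yet known) can be expressed as a small inventory-driven check. The following is an added example, not code from the original article; the workstation records and asset identifiers are constructed sample data, and the field names (`accesses_ephi`, `physical_safeguard`) are assumptions chosen for illustration.

```python
"""
Added example (not from the original article): a tri-state gap-analysis
check for the HIPAA workstation security standard, 45 CFR 164.310(c).

Each Workstation record is a hypothetical inventory entry:
  - asset_id:           constructed sample identifier
  - accesses_ephi:      True, False, or None (None = not yet determined)
  - physical_safeguard: whether a physical safeguard was recorded for it

The answer follows the article's rules:
  "N/A" - not currently known: some workstation's ePHI access is undetermined,
          so the organization lacks the facts to answer yes or no
  "NO"  - a gap: at least one ePHI workstation lacks a physical safeguard
  "YES" - no gap: every ePHI workstation has a physical safeguard
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Workstation:
    asset_id: str
    accesses_ephi: Optional[bool]   # None means the inventory has not settled this yet
    physical_safeguard: bool


@dataclass
class GapResult:
    answer: str                                   # "YES", "NO", or "N/A"
    unknown: List[str] = field(default_factory=list)  # assets still to be inventoried
    gaps: List[str] = field(default_factory=list)     # ePHI assets lacking a safeguard


def workstation_security_gap(inventory: List[Workstation]) -> GapResult:
    """Answer the gap-analysis question for 164.310(c) from an inventory."""
    # Step 1: do we even know which workstations access ePHI?
    unknown = [w.asset_id for w in inventory if w.accesses_ephi is None]
    if unknown:
        # Insufficient facts: record "N/A" and list what still needs inventorying.
        return GapResult("N/A", unknown=unknown)

    # Step 2: facts are complete; check every ePHI workstation for a safeguard.
    gaps = [w.asset_id for w in inventory
            if w.accesses_ephi and not w.physical_safeguard]
    return GapResult("NO" if gaps else "YES", gaps=gaps)


# Constructed sample inventory: WS-003 has not yet been assessed for ePHI access.
SAMPLE_INVENTORY = [
    Workstation("WS-001", accesses_ephi=True,  physical_safeguard=True),
    Workstation("WS-002", accesses_ephi=False, physical_safeguard=False),
    Workstation("WS-003", accesses_ephi=None,  physical_safeguard=False),
]


if __name__ == "__main__":
    result = workstation_security_gap(SAMPLE_INVENTORY)
    print(f"Answer: {result.answer}")
    if result.unknown:
        print("Still to inventory:", ", ".join(result.unknown))
    if result.gaps:
        print("Workstations with a gap:", ", ".join(result.gaps))
```

Run as written, the sample inventory yields “N/A” because WS-003's ePHI access is undetermined; once that fact is recorded the same function returns “NO” (if WS-003 accesses ePHI without a safeguard) or “YES,” mirroring the article's sequence of establishing the facts before answering the question.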
Organizations may contract with business associates to perform a gap analysis. Business associates with expertise in IT, for example, can be used to assist a covered entity with components of the HIPAA Security Rule gap analysis. Covered entities can also assign different workforce members to address specific items in the gap analysis, depending on their knowledge of a given gap analysis topic.
Gap Analysis in Healthcare: Not Just for HIPAA
Gap analysis in healthcare can be used to remedy compliance deficiencies with respect to any number of regulations, including state law medical privacy requirements, state data breach laws, and other federal laws regulating healthcare providers.