Risk Analysis vs Gap Analysis – Knowing the Difference is Important

Posted: June 26, 2018

As a Certified HITRUST Assessor and career healthcare compliance and security specialist, I was very pleased to see OCR’s April Cybersecurity newsletter highlighting the differentiation between a HIPAA RISK Analysis and a HIPAA GAP Analysis. The confusion, or lack of true understanding, around the difference between these two examinations is something I have been seeing in the marketplace for quite some time. Not understanding the differences can be detrimental, and I believe confusion and misinformation plague organizations working hard to do the right thing.

A Gap Analysis Does Not Satisfy HIPAA Risk Analysis Requirement

In my role at CompliancePoint, I have been leading a team providing assessments for healthcare entities that include both a HIPAA Gap Analysis and a Risk Analysis simultaneously for years. All too often, we see HIPAA Gap Analyses being performed by assessor organizations who either do not fully understand, or are not able to adequately communicate to the client, that a gap analysis does not satisfy the risk analysis requirement. An organization is not fully compliant with the HIPAA Security Rule risk analysis requirement after undergoing a gap analysis assessment. According to HHS and OCR guidelines, an organization MUST specifically conduct a risk analysis to be deemed in HIPAA compliance.

Understanding the Difference

Ongoing debates within Healthcare Information Security and Compliance continue around why a healthcare entity would need to conduct both a Risk Analysis and a Gap Analysis. At a high level, I believe the best way to define the differentiation is:

  1. A HIPAA Gap Analysis measures the client’s information security posture against HIPAA (HHS Audit Protocol) to determine whether the client has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health information.
  2. A Risk Analysis is a requirement within the HHS Audit Protocol, specifically under the HIPAA Security Rule Administrative Safeguards.

The Risk Analysis is a required control within a Gap Analysis for HIPAA, as defined within the HHS Audit Protocol. When OCR conducts an investigation, it uses the HHS Audit Protocol to conduct that investigation. Without conducting a thorough and comprehensive risk analysis, an entity will not identify the applicable threats and vulnerabilities that allow it to take the corrective actions necessary to mitigate risk. Doing a thorough risk analysis provides insight into the entity’s current security posture. The next step after the risk analysis (per the HHS Audit Protocol) is risk management. Risk cannot be managed without having done a thorough risk analysis.

Link to HHS Audit Protocol:


We understand risk management and compliance can be challenging. Please feel free to reach out to connect@compliancepoint.com for more information on HIPAA compliance as well as other regulatory, privacy, security or compliance matters. Or visit us here.

Martha Raber

Author: Martha Raber

Martha Raber is a HIPAA Security Consultant for CompliancePoint’s Information Security Practice. Her knowledge spans across multiple industries and entities including healthcare, telecommunications, and travel technology (airlines and SaaS). Martha’s passion lies with knowing she can help Organizations meet compliance and mitigate risk through Gap and Risk Assessments and by providing recommendations for meeting regulatory requirements and internal organizational objectives. Martha has earned the HITRUST CSF Practitioner, CISSP, and CompTIA Security+ certifications. She has also earned a Master’s of Science in Information Systems and a certification in Business Management from Stratford Career Institute.
