# HIPAA Assessment SOP
Sub-procedure of hipaa-gap-sop.md
## Overview
Detailed procedures for conducting HIPAA compliance gap assessments, including the assessment framework, interview protocols, technical testing methodology, and evidence collection requirements. This sub-procedure covers Phases 1-3 of the parent SOP assessment process.
## Scope
- Parent SOP: HIPAA Gap Assessment
- Pillar: Protect (Security & Compliance)
- Service Area: HIPAA Compliance Gap Assessment
## Prerequisites
- Parent SOP requirements met
- Kickoff meeting completed with executive sponsor
- Required documentation received (policies, network diagrams, BAAs)
- Interview schedule confirmed with stakeholders
- Technical access credentials obtained for assessment
- NDA and engagement letter signed
## Procedure
### Step 1: Document Inventory and Gap Analysis
Objective: Catalog existing policies and identify documentation gaps
| Activity | Duration | Owner |
|---|---|---|
| Collect all existing HIPAA policies and procedures | 0.5 day | Lead Assessor |
| Map policies to HIPAA Security Rule requirements (§164.308-312) | 1 day | Lead Assessor |
| Identify missing or incomplete documentation | 0.5 day | Lead Assessor |
| Review Privacy Rule NPP and individual rights procedures | 0.5 day | Privacy SME |
| Document preliminary gap observations | 0.5 day | Lead Assessor |
Documentation Mapping Matrix:
| HIPAA Requirement | Policy Status | Procedure Status | Evidence Available |
|---|---|---|---|
| Risk Analysis (§164.308(a)(1)) | ☐ Complete ☐ Partial ☐ Missing | ☐ Complete ☐ Partial ☐ Missing | ☐ Yes ☐ No |
| Security Management Process | ☐ Complete ☐ Partial ☐ Missing | ☐ Complete ☐ Partial ☐ Missing | ☐ Yes ☐ No |
| Workforce Security | ☐ Complete ☐ Partial ☐ Missing | ☐ Complete ☐ Partial ☐ Missing | ☐ Yes ☐ No |
| Information Access Management | ☐ Complete ☐ Partial ☐ Missing | ☐ Complete ☐ Partial ☐ Missing | ☐ Yes ☐ No |
| Security Awareness Training | ☐ Complete ☐ Partial ☐ Missing | ☐ Complete ☐ Partial ☐ Missing | ☐ Yes ☐ No |
### Step 2: Stakeholder Interviews
Objective: Understand operational reality and validate documented controls
Interview Protocol:
- Pre-Interview Preparation
  - Review relevant documentation before each interview
  - Prepare role-specific questions based on responsibilities
  - Identify evidence requests for follow-up
- Interview Execution
  - Use open-ended questions to understand actual practices
  - Document specific examples and evidence references
  - Note discrepancies between policy and practice
  - Identify quick wins and critical gaps
- Post-Interview Documentation
  - Complete interview notes within 24 hours
  - Log evidence requests and follow-up items
  - Update gap matrix with interview findings
Standard Interview Questions by Role:
| Role | Key Questions |
|---|---|
| Privacy/Security Officer | "Walk me through your last risk assessment process" |
| IT Leadership | "How do you manage access to systems containing ePHI?" |
| HR Leadership | "Describe your process for onboarding/offboarding employees with PHI access" |
| Clinical Operations | "How do you handle PHI in day-to-day workflows?" |
### Step 3: Technical Assessment
Objective: Validate technical safeguard implementation
Assessment Areas:
| Control Area | Testing Method | Tools Required |
|---|---|---|
| Access Controls | User access review, privilege audit | AD Query tools, Access reports |
| Encryption | Configuration validation, certificate review | OpenSSL, network scanners |
| Audit Logging | Log availability, retention verification | SIEM access, log analysis tools |
| Authentication | Password policy validation, MFA verification | Policy review, technical testing |
| Network Security | Segmentation verification, firewall rule review | Network scanners, firewall access |
Technical Testing Checklist:
- Unique user identification verified for all PHI systems
- Emergency access procedure tested and documented
- Automatic logoff configured appropriately
- Encryption at rest verified for ePHI storage
- Encryption in transit verified (TLS 1.2+ for ePHI transmission)
- Audit logs capturing required events
- Log retention meets 6-year HIPAA requirement
- Backup and recovery procedures tested
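The checklist above turned into an inventory evaluator, as an added example that is not part of this SOP: each ePHI system record is scored against the TLS 1.2+, encryption-at-rest, automatic logoff, unique-user-ID and 6-year retention items and the failed items come back as gap entries. The inventory fields, the 15-minute logoff threshold and the day-based retention count are assumptions; the sample inventory is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MIN_TLS = (1, 2)              # checklist: TLS 1.2+ for ePHI transmission
MIN_RETENTION_DAYS = 6 * 365  # checklist: 6-year retention (day count is an assumption)
MAX_AUTO_LOGOFF_MIN = 15      # assumed threshold for "configured appropriately"

@dataclass
class System:
    name: str
    tls_versions: list                  # every protocol version the service will negotiate
    encrypted_at_rest: bool
    auto_logoff_minutes: int | None     # None = no automatic logoff configured
    shared_accounts: list = field(default_factory=list)
    log_retention_days: int = 0

def parse_tls(version: str) -> tuple:
    """'TLSv1.2' -> (1, 2); SSLv2/SSLv3 map to (0, x) so they always fail the minimum."""
    proto, _, num = version.partition("v")
    major, _, minor = num.partition(".")
    return (int(major), int(minor or 0)) if proto == "TLS" else (0, int(major))

def assess(system: System) -> list:
    """Return (checklist item, detail) tuples for every failed technical check."""
    gaps = []
    # A service that also negotiates TLS 1.0/1.1 fails even if it offers TLS 1.2.
    weak = [v for v in system.tls_versions if parse_tls(v) < MIN_TLS]
    if weak:
        gaps.append(("Encryption in transit", f"negotiates {', '.join(weak)}"))
    if not system.encrypted_at_rest:
        gaps.append(("Encryption at rest", "ePHI store not encrypted"))
    if system.auto_logoff_minutes is None:
        gaps.append(("Automatic logoff", "not configured"))
    elif system.auto_logoff_minutes > MAX_AUTO_LOGOFF_MIN:
        gaps.append(("Automatic logoff", f"{system.auto_logoff_minutes} min exceeds {MAX_AUTO_LOGOFF_MIN}"))
    if system.shared_accounts:
        gaps.append(("Unique user identification", f"shared accounts: {', '.join(system.shared_accounts)}"))
    if system.log_retention_days < MIN_RETENTION_DAYS:
        gaps.append(("Log retention", f"{system.log_retention_days} days < {MIN_RETENTION_DAYS}"))
    return gaps

# Constructed sample inventory (not real systems).
INVENTORY = [
    System("ehr-app", ["TLSv1.2", "TLSv1.3"], True, 10, [], 2555),
    System("legacy-lab", ["TLSv1.0", "TLSv1.2"], False, None, ["labuser"], 365),
]

def gap_matrix(systems=INVENTORY) -> dict:
    """Map each system name to its list of gaps; an empty list means all checks passed."""
    return {s.name: assess(s) for s in systems}

if __name__ == "__main__":
    for name, gaps in gap_matrix().items():
        print(name, "PASS" if not gaps else "")
        for item, detail in gaps:
            print(f"  GAP  {item}: {detail}")
```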
### Step 4: Evidence Collection and Validation
Objective: Gather and organize evidence supporting control implementation
Evidence Categories:
| Category | Examples | Retention Location |
|---|---|---|
| Policies | Written policies, approval records | Document repository |
| Technical | Configuration screenshots, scan results | Secure evidence folder |
| Administrative | Training records, access reviews | HR/Compliance systems |
| Physical | Badge logs, visitor logs, facility photos | Physical security records |
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| Policy Gap Matrix | Excel/PDF | Lead Assessor |
| Interview Notes | Secure document | Assessment Team |
| Technical Assessment Findings | Structured report | Technical Lead |
| Evidence Inventory | Excel tracker | Lead Assessor |
| Preliminary Findings Summary | Brief document | Lead Assessor |
## Quality Gates
- All 54 Security Rule implementation specifications addressed
- Privacy Rule core requirements evaluated
- Breach Notification procedures assessed
- All scheduled interviews completed
- Technical testing covers all PHI systems
- Evidence collected for all "implemented" findings
- Gap ratings consistent with methodology
## Related Documents
- Parent SOP: HIPAA Gap Assessment
- HIPAA Remediation SOP
- Risk Assessment SOP
- Cross-Pillar SOPs
- Assessment Templates
Last Updated: February 2026
Parent SOP: hipaa-gap-sop.md