# HIPAA Gap Assessment SOP
Standard Operating Procedure for HIPAA compliance gap assessments
- Service Pillar: Protect
- Service Category: Compliance Gap Assessment
- Target Duration: 2-3 weeks
- Related Pricing: See Pricing & Positioning
## Service Overview
### Purpose
Conduct comprehensive HIPAA compliance gap assessments for covered entities and business associates, identifying deficiencies against the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
### Target Personas
| Persona | Primary Pain Point | Value Case |
|---|---|---|
| Healthcare Admin | HIPAA compliance burden, audit fear | Pass audits first try, reduce risk |
| Service Business Owner | Compliance anxiety, technology overwhelm | Plain-language guidance |
### Business Justification
| Metric | Value | Source |
|---|---|---|
| Average healthcare breach cost | $10.93 million | IBM Cost of a Data Breach 2024 |
| HIPAA violation penalty range | $100-$50,000 per violation (statutory tier minimums; HHS adjusts the per-violation amounts and the annual cap per provision for inflation each year) | HHS HIPAA Enforcement |
| Average OCR settlement | $1.5 million | HHS OCR Enforcement Data |
| Healthcare industry breach frequency | Highest cost for 14 consecutive years | IBM 2024 |
| SMB ransomware involvement | 88% of incidents | Verizon DBIR 2025 |
### Pricing Reference
| Tier | Scope | Price Range | Duration |
|---|---|---|---|
| Small Practice | <50 employees, single location | $8,000-$12,000 | 2 weeks |
| Medium Practice | 50-200 employees, 2-5 locations | $15,000-$25,000 | 2-3 weeks |
| Large Practice | 200+ employees, multiple locations | $25,000-$40,000 | 3-4 weeks |
See Pricing & Positioning for complete pricing structure.
## Pre-Engagement
### Qualification Checklist
- Organization is covered entity or business associate
- Executive sponsor identified
- Budget approved (reference pricing tier above)
- Timeline confirmed
- Key stakeholders identified
- Document access confirmed
### Required Information Gathering
| Category | Documents Needed |
|---|---|
| Organizational | Org chart, employee count, locations |
| Technology | Network diagram, asset inventory, application list |
| Policies | Existing policies, procedures, training records |
| Vendor | Business Associate Agreements, vendor list |
| Previous | Prior audits, assessments, remediation plans |
### Kickoff Meeting Agenda
- Introductions and roles (15 min)
- HIPAA overview and SBK approach (20 min)
- Scope confirmation (15 min)
- Document request review (15 min)
- Interview schedule (15 min)
- Timeline and milestones (10 min)
- Questions and next steps (10 min)
## Assessment Framework
### HIPAA Security Rule Requirements
Assess against all 18 Security Rule standards and their 36 implementation specifications (54 standards and specifications combined) across the three safeguard categories below. For each addressable specification, record whether it was implemented, met by a documented equivalent alternative, or justified in writing as not reasonable and appropriate; addressable never means optional. Also verify the §164.316 policies, procedures and documentation requirements, including six-year retention of policies and of the records the Rule requires.
#### Administrative Safeguards (§164.308)
| Standard | Specifications | Assessment Method |
|---|---|---|
| Security Management Process | Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review | Document review, interviews, evidence collection |
| Assigned Security Responsibility | Designate Security Official | Org chart review, job description |
| Workforce Security | Authorization and/or Supervision, Workforce Clearance Procedure, Termination Procedures | HR process review, joiner/leaver records, access logs |
| Information Access Management | Isolating Clearinghouse Functions, Access Authorization, Access Establishment and Modification | Policy review, access controls audit |
| Security Awareness and Training | Security Reminders, Protection from Malware, Log-in Monitoring, Password Management | Training records, awareness evidence |
| Security Incident Procedures | Response and Reporting | IR plan review, incident logs |
| Contingency Plan | Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operation Plan, Testing and Revision Procedures, Applications and Data Criticality Analysis | BCP/DR documentation, test records |
| Evaluation | Periodic Evaluation | Prior assessment records |
| Business Associate Contracts | Written Contracts | BAA inventory, contract review |
#### Physical Safeguards (§164.310)
| Standard | Specifications | Assessment Method |
|---|---|---|
| Facility Access Controls | Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, Maintenance Records | Site inspection, policy review |
| Workstation Use | Policies and Procedures | Policy review, observation |
| Workstation Security | Physical Safeguards | Site inspection, controls review |
| Device and Media Controls | Disposal, Media Re-use, Accountability, Data Backup and Storage | Process review, evidence |
#### Technical Safeguards (§164.312)
| Standard | Specifications | Assessment Method |
|---|---|---|
| Access Control | Unique User ID, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption | Technical testing, configuration review |
| Audit Controls | Audit Mechanisms | Log review, SIEM configuration |
| Integrity | Mechanism to Authenticate ePHI | Technical controls review |
| Person or Entity Authentication | Authentication Procedures | Authentication system review |
| Transmission Security | Integrity Controls, Encryption | Technical testing, network analysis |
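Audit Controls (§164.312(b)) and the Information System Activity Review specification (§164.308(a)(1)(ii)(D)) are not satisfied by confirming that logging is switched on; the assessor should show that someone actually reviews the records and that the review would catch misuse. The script below is an added example for this SOP, not client code or an EHR vendor feature. It assumes an EHR access-log CSV export with the columns shown, uses constructed sample events, and the thresholds and role lists are assessor assumptions to be tuned per client. It flags three patterns a reviewer looks for: a shared login that defeats unique user identification, after-hours access by a non-clinical role, and one user opening an unusually large number of distinct patient records in a day.

```python
"""Information system activity review over an EHR access-log export.

Added example for this SOP, not client code or an EHR vendor feature.
Assumes a CSV export with the columns below; column names, role lists
and thresholds are assessor assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export (one day of events, no real PHI).
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2026-02-03T08:05:00,jsmith,Nurse,P1001,VIEW
2026-02-03T08:07:00,jsmith,Nurse,P1002,VIEW
2026-02-03T09:15:00,frontdesk,Registration,P1003,VIEW
2026-02-03T12:40:00,drlee,Physician,P1004,VIEW
2026-02-03T13:00:00,mjones,Billing,P1005,VIEW
2026-02-03T13:01:00,mjones,Billing,P1006,VIEW
2026-02-03T13:02:00,mjones,Billing,P1007,VIEW
2026-02-03T13:03:00,mjones,Billing,P1008,VIEW
2026-02-03T13:04:00,mjones,Billing,P1009,VIEW
2026-02-03T13:05:00,mjones,Billing,P1010,VIEW
2026-02-03T22:10:00,drlee,Physician,P1012,VIEW
2026-02-03T23:30:00,mjones,Billing,P1011,VIEW
"""

# Review thresholds (assumptions; tune per client and role).
DISTINCT_PATIENTS_PER_DAY = 5               # more than this in one day is flagged
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # [start, end)
AFTER_HOURS_EXEMPT_ROLES = {"Physician", "Nurse"}        # clinical roles cover nights
SHARED_ACCOUNT_NAMES = {"frontdesk", "admin", "shared"}  # not unique user IDs


def parse_log(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_activity(rows):
    """Return (check, user, detail) tuples for the reviewer to follow up."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for r in rows:
        ts, user = r["timestamp"], r["user"]
        patients_per_user_day[(user, ts.date())].add(r["patient_id"])
        # §164.312(a)(2)(i) unique user identification: a shared login
        # means the log cannot attribute this access to a person.
        if user.lower() in SHARED_ACCOUNT_NAMES:
            findings.append(("shared_account", user,
                             f"{ts.isoformat()} {r['action']} {r['patient_id']}"))
        # After-hours access by a role with no clinical reason for it.
        in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
        if not in_hours and r["role"] not in AFTER_HOURS_EXEMPT_ROLES:
            findings.append(("after_hours", user,
                             f"{ts.isoformat()} role={r['role']} {r['patient_id']}"))
    # Volume: many distinct charts in one day suggests snooping or a bulk pull.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > DISTINCT_PATIENTS_PER_DAY:
            findings.append(("high_volume", user,
                             f"{day.isoformat()}: {len(patients)} distinct patients"))
    return findings


def count_by_check(findings):
    """Tally findings per check; a zero count is evidence the control held."""
    counts = defaultdict(int)
    for check, _, _ in findings:
        counts[check] += 1
    return dict(counts)


if __name__ == "__main__":
    for check, user, detail in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{check:16} {user:10} {detail}")
```

On the sample data the script reports the shared `frontdesk` login, one after-hours billing access, and a billing user who opened seven charts in a day; the night-time physician access is deliberately not flagged, which is the kind of role-aware exception the client's own review procedure should document. The output becomes evidence for the finding either way: hits show what the control missed, and an empty result shows the control is working for the period sampled.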
### Privacy Rule Assessment (§164.500-534)
| Area | Key Elements |
|---|---|
| Notice of Privacy Practices | Publication, content, updates |
| Individual Rights | Access, amendment, accounting of disclosures |
| Uses and Disclosures | Minimum necessary, authorizations, permitted uses |
| Administrative Requirements | Privacy Officer, training, complaints |
### Breach Notification Rule (§164.400-414)
| Area | Key Elements |
|---|---|
| Breach Definition | An impermissible use or disclosure is presumed to be a breach unless a documented 4-factor risk assessment shows a low probability that the PHI was compromised; correct application of the encryption safe harbor |
| Notification Procedures | Individuals without unreasonable delay and no later than 60 days after discovery; HHS within 60 days for breaches affecting 500 or more individuals, smaller breaches logged and reported annually within 60 days after the end of the calendar year; prominent media notice for breaches affecting more than 500 residents of a state or jurisdiction; business associate notification to the covered entity as defined in the BAA |
| Documentation | Breach log, risk assessments, copies of notifications, and the evidence supporting any "no breach" determination |
## Assessment Process
### Phase 1: Document Review (Days 1-5)
Objective: Review existing policies, procedures, and documentation
| Activity | Deliverable | Duration |
|---|---|---|
| Policy inventory | Policy mapping matrix | 1 day |
| Policy gap analysis | Gap identification | 2 days |
| Technical documentation review | Asset and architecture understanding | 1 day |
| Prior assessment review | Historical context | 0.5 day |
| Document findings | Preliminary observations | 0.5 day |
### Phase 2: Interviews (Days 6-10)
Objective: Understand operational reality through stakeholder interviews
| Stakeholder | Topics | Duration |
|---|---|---|
| Privacy Officer / Security Officer | Overall program, governance, incidents | 90 min |
| IT Leadership | Technical controls, infrastructure, incidents | 90 min |
| HR Leadership | Workforce security, training, terminations | 60 min |
| Clinical/Operations Leadership | Workflow, PHI handling, practical challenges | 60 min |
| Front Desk / Intake Staff | Day-to-day PHI handling | 45 min |
| IT Staff | Technical implementation, monitoring | 60 min |
Interview Guidelines:
- Use open-ended questions
- Request evidence for claims
- Note policy vs. practice gaps
- Identify quick wins and critical gaps
- Maintain confidentiality
### Phase 3: Technical Assessment (Days 8-12)
Objective: Validate technical controls and configurations
| Assessment Area | Testing Approach | Tools |
|---|---|---|
| Access Controls | User access review, privilege audit | AD analysis, access reports |
| Encryption | Data at rest, in transit verification | Network scans, config review |
| Audit Logging | Log availability, retention, monitoring | SIEM review, log analysis |
| Authentication | Password policy, MFA implementation | Policy review, technical testing |
| Workstation Security | Endpoint configuration, patching | Configuration audit |
| Network Security | Segmentation, firewall rules | Network analysis |
| Backup and Recovery | Backup verification, recovery testing | Backup reports, test records |
### Phase 4: Analysis and Reporting (Days 11-15)
Objective: Synthesize findings into actionable report
| Activity | Deliverable | Duration |
|---|---|---|
| Finding consolidation | Master findings list | 1 day |
| Risk rating | Prioritized findings | 1 day |
| Remediation planning | Recommendations | 1 day |
| Report drafting | Draft report | 1.5 days |
| Internal QA review | Quality-assured report | 0.5 day |
## Risk Rating Methodology
### Finding Severity Levels
| Level | Definition | Remediation Timeline |
|---|---|---|
| Critical | Immediate risk to PHI, likely OCR finding, active vulnerability | 30 days |
| High | Significant gap, probable OCR finding, weak control | 60 days |
| Medium | Moderate gap, possible OCR finding, improvement opportunity | 90 days |
| Low | Minor gap, best practice recommendation | 180 days |
| Informational | Observation, no direct compliance impact | As resources allow |
### Risk Calculation
Risk Score = Likelihood × Impact (range 1-25)
Likelihood (1-5):
- 1 = Remote (unlikely to occur)
- 2 = Unlikely (could occur occasionally)
- 3 = Possible (may occur)
- 4 = Likely (will probably occur)
- 5 = Almost Certain (expected to occur)
Impact (1-5):
- 1 = Negligible (minimal ePHI exposure)
- 2 = Minor (limited ePHI, no harm expected)
- 3 = Moderate (significant ePHI, potential harm)
- 4 = Major (substantial ePHI, likely harm)
- 5 = Catastrophic (extensive ePHI, severe harm)
## Deliverables
### Gap Assessment Report
Structure:
- Executive Summary (2-3 pages)
  - Scope and approach
  - Key findings summary
  - Overall compliance posture
  - Priority recommendations
  - Investment estimate
- Methodology (1-2 pages)
  - Assessment framework
  - Testing approach
  - Limitations
- Detailed Findings (varies)
  - Finding ID and title
  - HIPAA requirement reference
  - Current state
  - Risk rating
  - Evidence
  - Recommendation
  - Estimated effort
- Remediation Roadmap (2-3 pages)
  - Prioritized action plan
  - Timeline by phase
  - Resource requirements
  - Quick wins identified
- Appendices
  - Documents reviewed
  - Interviews conducted
  - Technical testing results
### Remediation Roadmap
| Phase | Timeline | Focus | Typical Items |
|---|---|---|---|
| Immediate | 0-30 days | Critical findings | Active vulnerabilities, missing policies |
| Short-term | 30-90 days | High findings | Major gaps, control weaknesses |
| Medium-term | 90-180 days | Medium findings | Program improvements |
| Long-term | 180+ days | Low/Info | Best practices, optimization |
## Quality Assurance
### Internal Review Checklist
- All HIPAA standards addressed
- Findings have evidence
- Risk ratings are consistent
- Recommendations are actionable
- Report uses client-appropriate language
- Executive summary is compelling
- Remediation roadmap is realistic
- Pricing references are accurate
### Client Review Process
- Draft report delivery (allow 3-5 business days for review)
- Client feedback collection
- Clarification meeting if needed
- Final report delivery
- Client sign-off
## Post-Delivery
### Handoff to Remediation
If the client engages for remediation:
- Transition meeting with delivery team
- Remediation project plan development
- Regular progress tracking
- Re-assessment at remediation completion
### Follow-Up Cadence
| Touchpoint | Timing | Purpose |
|---|---|---|
| 30-day check-in | 30 days post-delivery | Progress on critical items |
| 90-day review | 90 days post-delivery | Remediation status |
| Annual re-assessment | 12 months | Full re-assessment offering |
## Related Services
| Service | Connection | SOP Reference |
|---|---|---|
| vCISO | Ongoing compliance management | vcto-vciso-engagement-sop.md |
| Risk Assessment | Complements HIPAA with full risk analysis | risk-assessment-sop.md |
| Security Awareness | Training program development | security-training-sop.md |
| Incident Response | IR planning and testing | incident-response-sop.md |
| Penetration Testing | Technical vulnerability validation | pentest-sop.md |
## Evidence Base
### Why This Approach Works
| Principle | Evidence | Source |
|---|---|---|
| Risk-based approach | OCR enforcement focuses on risk analysis failures | HHS OCR Guidance |
| Administrative focus | 70%+ of HIPAA findings are administrative | HHS Enforcement Statistics |
| Documentation emphasis | Lack of documentation is most common finding | HIPAA Journal Analysis |
| Practical remediation | Reasonable and appropriate standard | 45 CFR 164.306 |
### SBK Success Metrics
| Metric | Target | Measurement |
|---|---|---|
| First-time audit pass rate | 100% | Client OCR/external audit outcomes |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |
| On-time delivery | 95% | Project tracking |
| Remediation engagement rate | 60%+ | Sales tracking |
## Regulatory References
- HIPAA Security Rule
- HIPAA Privacy Rule
- HIPAA Breach Notification Rule
- OCR Audit Protocol
- NIST SP 800-66 Rev. 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide
Last Updated: February 2026
Version: 1.0