ISpectra Technologies
Risk & Readiness Guide · Updated Jun 2026 · 9 min read

How to Conduct a HIPAA Gap Analysis

A HIPAA gap analysis measures the distance between where your program is today and where HIPAA requires it to be. This guide explains how to conduct one and act on the results.


Where a risk assessment evaluates threats to your data, a gap analysis evaluates your program against the regulation’s requirements. Together they give a complete picture, but the gap analysis is what produces your concrete to-do list.

What a gap analysis is

A HIPAA gap analysis is a structured comparison of your current policies, safeguards, and practices against the requirements of the Privacy, Security, and Breach Notification Rules. The output is a list of “gaps” — requirements you do not yet fully meet.

It answers a practical question: if an auditor reviewed us today, where would we fall short? Knowing that in advance lets you fix problems on your own terms rather than under the pressure of an audit or breach.

Gap analysis vs risk assessment

These two exercises are complementary but distinct. A risk assessment analyzes the threats and vulnerabilities to your ePHI and their likelihood and impact. A gap analysis compares your program to the regulatory requirements. One is about real-world risk; the other is about regulatory coverage.

A mature program does both: the risk assessment to understand exposure, the gap analysis to confirm requirements are met. Note that the Security Rule requires the risk analysis itself (45 CFR 164.308(a)(1)(ii)(A)); a gap analysis does not satisfy that requirement, and OCR has made the point in enforcement. Relying on only one leaves part of the picture unexamined, and a missing risk analysis is itself one of the gaps the analysis should surface.

Step 1: Gather the requirements

Start by assembling the requirements you will measure against: the Privacy, Security, and Breach Notification Rule obligations relevant to your role as a covered entity or business associate. Many organizations use a requirements checklist or framework to ensure they cover every obligation systematically rather than from memory.

A complete requirements list is essential, because any requirement you forget to assess is a gap you will not detect.


Step 2: Document your current state

For each requirement, document what you actually do today. Gather your policies, examine your safeguards, review your training and access records, and check your business associate agreements (BAAs). Be honest, because the value of the analysis depends on an accurate picture of reality, not an aspirational one.

This step often reveals that practices differ from policies, or that controls assumed to exist are incomplete, which are important findings in themselves.

Step 3: Compare and identify gaps

Place your current state next to each requirement and identify where they diverge. A gap might be a missing policy, an unimplemented safeguard, untrained staff, an absent BAA, or documentation that does not exist. Record each gap clearly.

Being specific about each gap — what is missing and which requirement it relates to — makes the findings actionable rather than vague.

Step 4: Assess the severity of each gap

Not all gaps are equal. A missing risk analysis, or ePHI sitting unencrypted on laptops and portable media, is far more serious than a minor documentation lag: the risk analysis is a required Security Rule specification, and a lost or stolen device holding unencrypted ePHI is presumptively a reportable breach, whereas data encrypted in line with HHS guidance falls under the breach notification safe harbor. Rate each gap by the risk it creates and the effort needed to close it, so you can prioritize sensibly.

This severity rating turns a flat list of findings into a prioritized agenda, ensuring the most dangerous gaps get attention first.

Step 5: Build a remediation plan

Translate the gaps into a remediation plan: for each, define the action needed, assign an owner, and set a deadline. Sequence the work so high-severity gaps are closed first. This plan is the primary deliverable of the gap analysis.

A well-structured remediation plan transforms the analysis from a diagnosis into a course of treatment, with clear accountability for getting the organization to compliance.

Common gaps organizations find

Certain gaps appear repeatedly: a missing or outdated risk analysis, generic policies that do not match practice, vendors without signed BAAs, unencrypted devices, undocumented training, and the absence of a breach-response plan. These recurring gaps map to the areas regulators scrutinize most.

Because they are so common, they also make a useful starting point: checking specifically for these high-frequency gaps catches the issues most likely to cause problems.

Who should conduct the gap analysis

A gap analysis can be performed internally by knowledgeable staff, typically led by the Privacy or Security Officer, or with outside specialists who bring objectivity and experience. An external perspective can surface gaps that internal teams have grown accustomed to overlooking.

Whoever conducts it, the analysis must be honest and thorough. A gap analysis that overlooks uncomfortable findings provides false reassurance.

Documenting the analysis

Document the gap analysis itself — the requirements assessed, the current-state findings, the gaps identified, their severity, and the remediation plan. This documentation demonstrates diligence and provides a baseline to measure progress against as gaps are closed.

It also feeds directly into audit readiness, since it shows that the organization actively identifies and addresses its own shortcomings.

Turning findings into progress

The gap analysis only delivers value if its findings are acted upon. Track remediation to completion, update the analysis as gaps close, and revisit it periodically to catch new gaps that emerge as the organization changes. A gap analysis filed away and ignored is wasted effort.

Used as a living tool, it becomes a recurring checkpoint that keeps the program aligned with requirements over time.

When to run a gap analysis

A gap analysis is valuable at several moments: when first building a compliance program, before an anticipated audit or customer review, after significant changes to systems or operations, and periodically as part of ongoing maintenance. Each occasion reveals where current practice has fallen behind requirements.

Running one regularly ensures the organization never drifts too far from compliance without noticing.

Why a gap analysis is worth it

A gap analysis converts the abstract worry of “are we compliant?” into a concrete, prioritized list of what to fix. It lets an organization find and close its weaknesses deliberately, rather than discovering them through an audit finding or a breach.

For the modest effort it takes, a gap analysis delivers outsized value — clarity about where you stand and a clear path to where you need to be.

Using frameworks to structure the analysis

Many organizations structure their gap analysis around an established framework or a detailed requirements checklist, which ensures every obligation is assessed systematically rather than from memory. Frameworks bring consistency and completeness to the exercise.

They also make the results easier to communicate, since findings are tied to recognized categories of requirements that leadership and auditors understand.

Involving the right people

An accurate gap analysis draws on people across the organization — IT for technical safeguards, HR for training and onboarding, operations for workflows, and leadership for governance. No single person sees the whole picture, so input from each area produces a more complete and honest assessment.

Engaging these stakeholders also builds shared ownership of the remediation that follows, making the fixes more likely to stick.

Re-running the analysis over time

A gap analysis captures a moment, but organizations change. Re-running it periodically — and after major changes like new systems or vendors — catches new gaps that have opened since the last assessment. Comparing successive analyses also shows progress as previously identified gaps are closed.

This recurring rhythm keeps the program aligned with requirements rather than drifting until an audit or incident reveals how far it has fallen behind.

From gap analysis to confidence

Completing a gap analysis and closing the gaps it reveals produces something valuable: confidence. Instead of wondering whether the organization would withstand scrutiny, leaders can point to a documented assessment and a record of remediation that demonstrate a deliberate, defensible program.

That confidence is well-founded, because it rests on having honestly measured the organization against the requirements and acted on what the measurement revealed.

How to Conduct a HIPAA Gap Analysis — FAQs

What is a HIPAA gap analysis?
It is a structured comparison of your current policies, safeguards, and practices against HIPAA's requirements, producing a list of gaps — requirements you do not yet fully meet — and a plan to close them.

How does a gap analysis differ from a risk assessment?
A gap analysis compares your program to HIPAA's requirements; a risk assessment evaluates threats and vulnerabilities to your ePHI and their likelihood and impact. Both are valuable and complementary.

What are the steps in a gap analysis?
Gather the requirements, document your current state for each, identify where they diverge, rate the severity of each gap, and build a prioritized remediation plan with owners and deadlines.

What are the most common gaps?
A missing or outdated risk analysis, generic policies, vendors without BAAs, unencrypted devices, undocumented training, and the absence of a breach-response plan are among the most common.

When should you run a gap analysis?
When building a program, before an audit or customer review, after significant changes, and periodically as part of ongoing maintenance to catch new gaps as they emerge.

Who should conduct the gap analysis?
It can be done internally, usually led by the Privacy or Security Officer, or with outside specialists who bring objectivity. Either way, it must be honest and thorough to be useful.