If your team handles protected health information, you have probably heard the term "HIPAA gap analysis" - but what does it mean, and why does it matter? At its core, a HIPAA gap analysis is a structured review. It compares your current operations, policies, and technical controls against what HIPAA actually requires. The result is a clear picture of where you stand today and where the shortfalls are.
For healthcare teams, covered entities, and business associates, HIPAA compliance is not a one-time event. Regulations evolve, technology changes, staff turns over, and new business relationships bring new risk. A gap analysis gives you a concrete, documented baseline. With it, you can prioritize the work that actually reduces your exposure rather than guessing where to start.
This guide covers what a HIPAA gap analysis is, how it differs from a security risk assessment, when you need one, what it covers, and how to run one step by step. Whether you are starting compliance from scratch or reviewing your program after an incident, this process gives you a workable framework.
What Is a HIPAA Gap Analysis?
A HIPAA gap analysis is a systematic evaluation. It compares your team's current policies, procedures, technical safeguards, and operational practices against the rules of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The output is a documented list of gaps - areas where your setup is missing, incomplete, outdated, or inconsistent with what the regulation requires.
The word "gap" is intentional. It describes the distance between two points: where the regulation says you need to be, and where your team actually is. Some gaps are straightforward - a required policy does not exist. Others are more nuanced. A policy exists on paper but is not being followed in practice, or a technical control is in place but is not configured correctly or documented.
This is different from a compliance checklist. A checklist asks "do you have X?" A gap analysis asks "do you have X, is it complete, is it accurate, is it being used as written, and does it actually meet the intent of the requirement?" The distinction matters. Superficial compliance - having policies that exist but are not put into practice - is one of the most common findings in OCR investigations following a breach.
Gap Analysis vs. Security Risk Assessment
These two activities are often confused. Some teams mistakenly believe completing one satisfies the other. They serve related but distinct purposes.
A HIPAA gap analysis evaluates compliance completeness. It asks: across all applicable HIPAA rules, what has been set up and what has not? The output is a compliance inventory - a mapping of rules to your current state, with gaps flagged for fixes.
A security risk assessment (SRA) evaluates threat and vulnerability exposure. It asks: what threats exist to the confidentiality, integrity, and availability of your ePHI? What is the likelihood those threats will materialize? What is the potential impact? The SRA is a specific HIPAA Security Rule requirement under 45 CFR 164.308(a)(1)(ii)(A). Its output is a risk register that drives your risk management program.
Both are required. The gap analysis tells you what you have not built yet. The SRA tells you what threats are most dangerous to the infrastructure you have. Teams that skip the gap analysis and go straight to an SRA often end up with a thorough threat analysis built on a compliance foundation that has fundamental holes in it. Teams that complete only a gap analysis may have all the required docs in place without understanding which vulnerabilities represent genuine exposure.
For more on the security risk assessment specifically, see our HIPAA security risk assessment service.
When Do You Need a HIPAA Gap Analysis?
There are several situations where a gap analysis is either required or strongly advisable.
Starting Compliance From Scratch
New practices, newly formed business associates, and teams that have never formally addressed HIPAA should begin with a gap analysis. It sets a baseline and tells you what needs to be built before you can operate in a defensible compliance posture.
After a Data Breach or Security Incident
A breach reveals that something failed. A post-incident gap analysis identifies whether the failure was isolated or a sign of broader compliance problems. Regulators expect teams that have experienced a breach to show they investigated root causes and addressed systemic issues. A documented gap analysis is evidence of that process.
Regulatory Changes
HIPAA is not static. The 2026 HIPAA Security Rule updates - the first significant overhaul since 2013 - introduce new rules around encryption, multi-factor authentication, network segmentation, and incident response. Teams that have not reviewed their Security Rule compliance since the proposed rulemaking need to run a gap analysis against the updated standards to understand what changes are required.
Annual Compliance Review Cycle
Even without external triggers, most compliance programs include an annual gap analysis as part of the routine review cycle. Operations change, vendors change, staff changes. What was compliant two years ago may have drifted. Annual reviews catch that drift before it becomes an enforcement problem.
Before an OCR Audit
The Office for Civil Rights runs compliance reviews both proactively and in response to complaints and breaches. Teams that receive an audit notification have limited time to respond. Having a current gap analysis on file shows that your compliance program is active and documented. That matters in how investigations are resolved.
After Major Operational Changes
Implementing a new EHR system, moving to cloud infrastructure, acquiring another practice, or onboarding a new category of business associates - all of these are moments where existing safeguards and policies may no longer match how you actually operate. A targeted gap analysis after these changes confirms that your compliance program kept pace.
What Does a Gap Analysis Cover?
A full HIPAA gap analysis covers all three major rules, along with the administrative infrastructure that supports them.
Privacy Rule
The Privacy Rule governs how PHI can be used and disclosed. A gap analysis against the Privacy Rule examines whether your Notice of Privacy Practices is current and properly distributed. It checks whether patient rights processes are documented and functional. It reviews whether minimum necessary standards are applied consistently, and whether authorization forms are used correctly. It also reviews whether your workforce training addresses Privacy Rule needs.
Security Rule
The Security Rule applies to electronic protected health information (ePHI). It is organized into three categories of safeguards. Administrative safeguards include your security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, contingency planning, and business associate management. Physical safeguards cover facility access controls, workstation use policies, and device and media controls. Technical safeguards address access controls, audit controls, integrity controls, and transmission security. A gap analysis maps your current controls against each of these required and addressable specifications.
Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to have documented procedures for identifying potential breaches. It also requires running the four-factor risk assessment to determine whether notification is required, and executing notifications to affected individuals, HHS, and in some cases the media. A gap analysis reviews whether these procedures exist, whether staff know how to use them, and whether the procedures have been tested.
Administrative Rules
Beyond the three rules, HIPAA has administrative infrastructure needs. Policies and procedures must be documented and maintained. Workforce training must be conducted and documented. A Privacy Officer and Security Officer must be designated. Business associate agreements must be in place with all applicable vendors and partners. These are often where gaps are found - the policies exist but have not been updated in years, training records are incomplete, or BAA inventories are outdated.
For a detailed look at how these rules apply to your team, our HIPAA consulting services cover both gap analysis and ongoing compliance program management.
How to Perform a HIPAA Gap Analysis: Step by Step
The following process applies whether you are running a gap analysis internally or engaging an outside consultant to lead it.
Step 1: Define Scope and Objectives
Determine which rules and which parts of your team are in scope. For most covered entities, the full scope includes all three HIPAA rules and all departments that handle PHI or ePHI. Business associates may have a narrower scope depending on the services they provide. Define what you are trying to learn from the analysis and who will receive the results.
Step 2: Inventory Current Policies, Procedures, and Controls
Collect all existing compliance docs: privacy and security policies, workforce training records, risk assessment reports, BAA inventories, incident response plans, system inventories, access control docs, and audit logs. This inventory becomes your "current state" baseline.
Step 3: Map Rules to HIPAA Standards
Work through each applicable HIPAA standard and specification - required and addressable - and map it to your docs inventory. For each requirement, the question is: do we have something that addresses this, and if so, where is it?
Step 4: Identify Gaps
For each requirement, determine the gap status: fully met, partially met, or not met. Partially met gaps are as important to document as fully unmet ones. A policy that exists but is incomplete, outdated, or not followed in practice creates nearly the same exposure as no policy at all.
Step 5: Assess Severity and Risk of Each Gap
Not all gaps carry equal weight. A missing BAA with a high-volume cloud vendor that processes ePHI is a higher-risk gap than an outdated physical security policy for a storage room that no longer contains PHI. Score each gap based on its potential impact and the likelihood of it contributing to a reportable incident or enforcement action.
Step 6: Prioritize Fixes Based on Risk Level
Organize gaps into priority tiers. High-risk gaps - those most likely to contribute to a breach or regulatory violation - require immediate attention. Medium-risk gaps should be addressed in the near term. Lower-risk gaps can be scheduled into your standard compliance maintenance cycle.
Step 7: Create a Fix Plan With Timelines and Owners
A gap analysis that produces a list of problems without a plan to fix them has limited value. For each identified gap, the fix plan should specify what needs to be done, who is responsible, and by what date. The plan becomes the working document that drives your compliance program forward.
What to Do With Gap Analysis Results
Once the gap analysis is complete, the work of fixing gaps begins. The findings document is useful only if it drives action.
Build a fix roadmap organized by priority tier. High-risk gaps should be addressed right away - typically within 30 days for critical items like missing BAAs, absent security incident procedures, or no workforce training program. Medium-risk gaps generally have a 60-to-90-day target. Lower-risk items can be incorporated into the next compliance review cycle, typically six months out.
Assign ownership clearly. Every gap should have a named individual responsible for the fix, not just a department. Ambiguous ownership means items stall. Track progress in a format that is accessible to your compliance officer and can be presented to leadership or regulators as evidence of active compliance management.
Document the entire process. The gap analysis itself, the findings, the fix plan, and the evidence of completed fixes are all records that show your compliance program is functioning as a genuine program. In an OCR investigation, that documentation is the difference between a finding of good-faith effort and one of willful neglect.
If you need help translating gap analysis findings into a working fix program, our HIPAA gap analysis service includes both the analysis and a structured fix roadmap.
Common Gap Analysis Findings
While every team is different, certain gaps appear often enough that they are worth calling out. If your team has not recently reviewed these areas, they are good starting points.
- Outdated or missing policies. Many teams created HIPAA policies when they first became subject to the rules and have not updated them since. Policies that do not reflect current technology, workflows, or regulatory rules create a documented gap between what you say you do and what you actually do.
- Incomplete or absent risk assessments. The Security Rule requires a risk analysis as a predicate to the entire security management process. Teams that lack a documented, current risk assessment are missing one of HIPAA's most fundamental rules. It is among the most common findings in OCR enforcement actions.
- Insufficient workforce training records. Training may happen, but if it is not documented - who was trained, on what, when - it effectively did not happen from a compliance standpoint. Undocumented training is a gap even when the training itself was adequate.
- Missing or expired business associate agreements. BAA inventories drift over time. Vendors are added, contracts lapse, and the BAA never gets signed or renewed. An audit of your active vendors against your BAA files often turns up gaps.
- Absence of audit logging or log review. The Security Rule requires audit controls - mechanisms to record and examine activity in systems that contain ePHI. Teams that have no logging, or have logs that are never reviewed, have a gap in both the technical control and the process around it.
- No tested incident response plan. A written incident response plan that has never been tested is a different thing from one that has been walked through and refined. Gap analyses often find plans that exist on paper but have no testing record and whose owners may not be fully familiar with the procedures.
Conclusion
A HIPAA gap analysis is one of the most practical tools available to healthcare teams for managing compliance risk. It does not require a crisis to be valuable. In fact, its greatest value is as a proactive tool that keeps your compliance program current with your actual operations, not just your docs. The teams that manage HIPAA risk well are the ones that know where their gaps are before regulators or adversaries find them first.
The gap analysis is also not a destination. It is a recurring process. Teams that treat it as a one-time project often find themselves several years later with docs that no longer reflect how they operate, policies that have not kept pace with technology, and a compliance program that exists more in form than in substance. Running gap analyses on a regular cycle - and acting on the results - is what separates a functioning compliance program from a paper one.
If your team is due for a gap analysis or is working through findings from a previous one, our HIPAA gap analysis service provides a structured, documented assessment with a prioritized fix roadmap your team can act on immediately.