

Why a Gap Analysis in Healthcare is Far from Straightforward

In the context of regulatory compliance, a gap analysis in healthcare is an assessment of the required level of regulatory compliance compared to the existing level of regulatory compliance. A gap analysis has the objective of identifying what measures need to be implemented in order to achieve the required level of regulatory compliance. However, a gap analysis in healthcare is far from straightforward.

Organizations in the healthcare sector have to comply with multiple federal, state, and industry regulations. They may also be required to comply with voluntary standards to maintain a professional accreditation. Some regulations complement each other. Other regulations conflict with each other. In some cases, regulations can apply to some areas of an organization’s operations – but not others.

For example, the Colorado Privacy Act does not apply to “Protected Health Information that is collected, stored, and processed by a covered entity or its business associates”, but it does apply to any other information collected, stored, or maintained by a covered entity or business associate that is not maintained in the same designated record set as Protected Health Information.

Further Challenges with Identifying Compliance Requirements

As a result, the first stage of a gap analysis in healthcare is to identify which regulations apply to which of an organization’s operations. It can also be beneficial to identify occasions when compliance with one regulatory standard (e.g., OSHA §1910.39) will enable compliance with other regulatory standards (in this example, CMS’ Emergency Preparedness Rule §485.625(d)(1)).

However, it is also important to be aware that some regulatory standards are “conditional” on an organization’s ability to comply with them. Examples of “conditional compliance” exist in most federal, state, and industry regulations, but the most obvious example is in the General Rules of the HIPAA Security Standards (45 CFR §164.306) which conditions the implementation of security measures on:

  (i) The size, complexity, and capabilities of the covered entity or business associate.
  (ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.
  (iii) The costs of security measures.
  (iv) The probability and criticality of potential risks to electronic protected health information.

Items (iii) and (iv) in this standard imply that if it is too expensive to implement a security measure, or there is minimal risk to ePHI if a security measure is not implemented, these measures do not have to be implemented – irrespective of whether they are “required” or “addressable” implementations. But what happens if a measure is not necessary under HIPAA, but required by a conflicting regulation?

How to Resolve the Complexity of a Gap Analysis in Healthcare

The way to resolve the complexity of a gap analysis in healthcare is to take advantage of automated compliance software that not only includes checklists for applicable regulations, but also recommendations for compliance best practices. These solutions can often be customized to account for circumstances in which regulations complement or conflict with each other, when they apply to some operations but not others, or when “substitute” standards have to be implemented to replace “conditional” standards that do not apply.

Using software of this nature gives organizations a holistic view of the required level of regulatory compliance so it is possible to compare the required level against the existing level in order to conduct an accurate gap analysis in healthcare. Organizations finding it difficult to measure their existing level of regulatory compliance against the required level are advised to speak to compliance software vendors and organize a trial of the software in their own environments.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
