Similar but Different: Gap Assessment vs Risk Assessment

If you’ve heard the terms gap assessment and risk assessment used interchangeably before in privacy or security conversations, you are not alone. At Intraprise Health, we have found that there are quite a few misconceptions about these two approaches and how to differentiate between them. In this post, we’ll define the key characteristics of a gap assessment and risk assessment and debunk a few myths along the way.

As the better known of the two, a HIPAA security risk assessment is a comprehensive assessment of all risks to ePHI (Electronic Protected Health Information), as required by HIPAA for healthcare providers and their business associates. By calculating risk based on threat, vulnerability, likelihood and impact, providers can gauge their compliance with HIPAA’s required administrative, physical and technical safeguards. A risk assessment examines how ePHI is created, received, maintained and stored within an organization. Every bona fide HIPAA risk assessment produces a remediation plan, which creates a road map for “fixing” any security vulnerabilities the risk assessment found. For additional information and guidance on HIPAA risk analyses, visit the U.S. Department of Health & Human Services Office for Civil Rights (OCR) website.

A gap assessment (also commonly called a HIPAA Compliance Program Review or Audit) is a method of comparing the actual performance of an organization’s information systems or software applications against an expected standard, in order to determine whether any vulnerabilities exist in its network security settings. This high-level review of an organization’s controls can be completed against various control sets and frameworks, depending on the target objectives of the gap assessment. Essentially, a gap assessment compares the safeguards an organization has in place with the reality of how well those safeguards are working.
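To make the two approaches concrete, here is a small added illustration (not code from this post or from Intraprise Health’s software) that scores a risk register from threat, vulnerability, likelihood and impact, orders the findings into a remediation plan, and then runs a separate gap check that records whether each safeguard is in place and whether it is actually working. The three-level scales, the score thresholds, the dataclass names and the sample ePHI assets and safeguards are all assumptions constructed for the example.

```python
"""Toy risk register and gap check (added illustration, not Intraprise Health's software)."""
from dataclasses import dataclass

# Assumed qualitative scale; real assessments often use NIST SP 800-30 style scales.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    """One finding: a threat exploiting a vulnerability on an asset that holds ePHI."""
    asset: str          # where ePHI is created, received, maintained or stored
    threat: str
    vulnerability: str
    likelihood: str     # "low" | "medium" | "high"
    impact: str         # "low" | "medium" | "high"

    @property
    def score(self) -> int:
        # Risk = likelihood x impact on the ordinal scale (assumed model).
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def rating(self) -> str:
        # Assumed thresholds on the 1..9 product.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def remediation_plan(items):
    """Remediation road map: findings ordered by descending risk, asset name breaks ties."""
    ordered = sorted(items, key=lambda i: (-i.score, i.asset))
    return [(i.asset, i.threat, i.vulnerability, i.score, i.rating) for i in ordered]


@dataclass
class ControlCheck:
    """Gap-assessment line item: is the safeguard in place, and is it working?"""
    safeguard: str
    category: str       # administrative | physical | technical
    documented: bool    # the policy or control exists on paper
    effective: bool     # evidence shows it operates as intended


def gap_assessment(checks):
    """Return (safeguard, gap description) for every safeguard that is missing or ineffective."""
    gaps = []
    for c in checks:
        if not c.documented:
            gaps.append((c.safeguard, "missing"))
        elif not c.effective:
            gaps.append((c.safeguard, "in place but not working as intended"))
    return gaps


# Constructed sample data for the example.
SAMPLE_RISKS = [
    RiskItem("EHR database", "ransomware", "unpatched server", "high", "high"),
    RiskItem("Laptop fleet", "device theft", "disk not encrypted", "medium", "high"),
    RiskItem("Fax server", "misdirected fax", "no confirmation step", "medium", "low"),
    RiskItem("Backup tapes", "loss in transit", "no chain of custody", "low", "high"),
]

SAMPLE_CHECKS = [
    ControlCheck("Unique user identification", "technical", True, True),
    ControlCheck("Audit controls", "technical", True, False),
    ControlCheck("Facility access controls", "physical", False, False),
    ControlCheck("Security awareness training", "administrative", True, True),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_RISKS):
        print("RISK", row)
    for row in gap_assessment(SAMPLE_CHECKS):
        print("GAP ", row)
```

The two functions deliberately answer different questions: `remediation_plan` ranks exposure of ePHI so the highest-risk finding is fixed first, whereas `gap_assessment` only reports where a control is absent or not working and says nothing about how likely or damaging its failure would be. That difference is why the gap list on its own cannot stand in for the risk assessment.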

While a gap assessment is without question an effective tool for locating vulnerabilities, OCR clearly states that a gap assessment is never a substitute for a bona fide risk assessment as required by the HIPAA Security Rule. Think of a gap assessment as an introduction to, not a replacement for, a risk assessment. When deciding whether your workplace should focus on a risk assessment or a gap assessment, our recommendation is always to comply with HIPAA first and tackle your HIPAA risk assessment. Then, once your risk assessment has been completed and remediation has begun, the software presents the gap assessment in the final report (below). Bottom line: never put your organization at risk by failing to comply with HIPAA or to complete a risk assessment.

At Intraprise Health, we offer industry-leading, automated HIPAA risk assessment software and professional services to help your organization “check the box” on this mandatory requirement and be audit-ready. Click here to learn more and speak with a member of the team about our new software feature, Automated Templates, which measures compliance controls at the corporate level and then has them validated and updated by field office staff.