

HIPAA Gap Assessment – Pre Audit


The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to address the security and privacy of health care data. In addition, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and signed into law on February 17, 2009. The HITECH Act amended HIPAA with significant changes to data breach notification, enforcement, and penalties.

SecureState’s HIPAA Gap Assessment will review your systems and processes to identify areas of non-compliance.


  • Compliance with HIPAA/HITECH
  • Identification of non-compliant areas and an understanding of what actions are needed to comply with the HIPAA Security and Privacy Rules
  • Proper third-party, objective demonstration of HIPAA/HITECH compliance
  • Avoidance of damages, often totaling millions of dollars, that could result from an ePHI/PHI compromise
  • Reduction of the cost, confusion, and complexity of HIPAA/HITECH compliance


SecureState’s Audit & Compliance consultants are experts in understanding both the technical and the business aspects of your organization. Our experienced team members have worked with many organizations in the commercial, government, and health and human services sectors, including providers and service organizations. Through these relationships, SecureState has gained extensive knowledge and experience with National Institute of Standards and Technology (NIST) security control frameworks, such as NIST SP 800-66, that are commonly used in government agencies and can be adopted by commercial organizations. In addition, SecureState has a number of CIPP professionals as well as a former HIPAA Compliance Officer for a Fortune 500 financial institution on staff to assist with both the Security and Privacy Rules outlined within HIPAA.

Did You Know?

  • Data breaches cost the healthcare industry $6 billion per year
  • Data breaches cost healthcare organizations an average of $1 million per year
  • Lack of staff and preparation (policies and processes) are blamed for most data breaches
  • A HIPAA Gap Assessment should be performed annually

Our Approach and Methodology

SecureState’s approach to a HIPAA Gap Assessment – Pre Audit maps out critical information processes and determines whether regulatory controls have an impact on the business. The goals are to:

  • Evaluate the effectiveness of your HIPAA compliance program
  • Validate HIPAA controls
  • Justify the cost of remediation
  • Keep you up to date on any new HIPAA requirements, threats, and liabilities

The stages of our HIPAA Gap Assessment, with brief descriptions, are as follows:

Pre-Onsite Visit:

  • Introduce engagement participants and define roles
  • Review engagement activities
  • Review any applicable documentation

Process Mapping:

  • Document the in-scope HIPAA business process and supporting technologies
  • Perform data flow analysis and map HIPAA processes to technical infrastructure

Requirements Analysis:

  • Document the existing controls used to protect ePHI/PHI
  • Identify gaps against the NIST SP 800-66 framework for the HIPAA Security Rule
  • Identify gaps against the GAPP framework for the HIPAA Privacy Rule


  • Conduct on-site interviews and information gathering to assess HIPAA compliance status
  • Outline strategic recommendations to mitigate identified control gaps
  • Upload remediation activities to the “MyState Portal”

What Makes Us Different

  • Provides comprehensive on-demand security expertise during the engagement and throughout the year
  • Supports clients’ HIPAA programs with our proprietary “MyState Portal” and a team of qualified HIPAA specialists
  • Maintains close relationships with our clients because we care about the outcome of the assessment
  • Has a former HIPAA Compliance Officer/Chief Privacy Officer for a Fortune 500 company on staff
  • Recognizes the Unified Compliance Framework (UCF) and the HITRUST Common Security Framework (CSF) for cross-compliance mapping