The HIPAA Gap Assessment evaluates your organisation's compliance maturity across 10 chapters covering all major provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Chapters

| # | Chapter | CFR References | Questions |
|---|---|---|---|
| 1 | Privacy Rule — Uses & Disclosures | 164.502-164.514 | 8 |
| 2 | Privacy Rule — Individual Rights | 164.520-164.528 | 7 |
| 3 | Privacy Rule — Administrative Requirements | 164.530 | 6 |
| 4 | Security Rule — Administrative Safeguards | 164.308 | 9 |
| 5 | Security Rule — Physical Safeguards | 164.310 | 5 |
| 6 | Security Rule — Technical Safeguards | 164.312 | 6 |
| 7 | Security Rule — Organisational Requirements | 164.314 | 4 |
| 8 | Security Rule — Policies, Procedures & Documentation | 164.316 | 4 |
| 9 | Breach Notification | 164.400-164.414 | 6 |
| 10 | HITECH Act & Enforcement | HITECH Sec. 13400-13411 | 5 |

Maturity Scoring

Each question uses a 0-4 maturity scale:
- 0 — Not Implemented: No measures in place
- 1 — Initial: Ad-hoc or informal measures
- 2 — Developing: Documented but inconsistently applied
- 3 — Defined: Formally documented and consistently applied
- 4 — Optimised: Continuously monitored and improved

Understanding Your Score

The gap assessment dashboard displays:
- Overall compliance score — Weighted average across all chapters, displayed as a percentage with a compliance ring
- Chapter-by-chapter breakdown — Individual scores per chapter, highlighting areas of strength and weakness
- Priority gaps — Questions scored 0 or 1 that represent the highest compliance risk
- Trend over time — If you run periodic assessments, track improvement over time

Cross-Framework Propagation

Certain HIPAA gap assessment questions are linked to equivalent controls in other frameworks (ISO 27001, NIST CSF, SOC 2, etc.). When you score a HIPAA question at 3 or above, equivalent controls in other enabled frameworks are automatically updated — and vice versa. This reduces duplicate assessment effort when managing multiple compliance frameworks.