March 2001

HIPAA Gap Analysis Set to Begin

Catholic Health Initiatives is taking the next step toward system-wide compliance with all aspects of the administrative simplification portion of the Health Insurance Portability and Accountability Act (HIPAA) by providing market-based organizations with the tools needed to identify gaps in their HIPAA compliance and ways to fill those gaps. Three market-based organizations will serve as test sites for Catholic Health Initiatives’ approach to gap analysis, with all remaining market-based organizations scheduled to begin the process in April. "The gap analysis, or business impact analysis, is a standardized, self-administered assessment that market-based organizations will use to identify any gaps in their HIPAA compliance and to identify alternatives for remediation," said Tracy L. Thomas, director of the national HIPAA program for Catholic Health Initiatives. "The analysis should take most market-based organizations about four to six weeks to complete, though larger organizations may take a bit longer." Repository to track information Market-based staff members responsible for the gap analysis will enter information gathered through the assessment into a Web-enabled database, called the Compliance Knowledge Repository, that will track compliance status, gaps, possible solutions and remediation efforts. The database will also track business associate, vendor and software application information related to HIPAA compliance issues. "The database will also link to a repository of documents that market-based HIPAA leaders can use to identify solutions they can adapt to fit the needs of their organizations," said Thomas. "Over time, the repository will also contain standards and guidelines developed by our national HIPAA work groups as well as sample policies and procedures, templates and work plans." HIPAA leaders, HIPAA program teams and senior management at market-based organizations have been learning more about HIPAA regulations through several education sessions provided via teleconference by the HIPAA program management office. To date, these sessions have focused on security standards, standards for electronic data interchange, budget planning and privacy standards. "The teleconferences are extremely beneficial because we don’t have to research the specifics of the various HIPAA rule sets ourselves," said Karl Brockmeier, director of the information technology project office for Centura Health, Denver, Colo. "The national program office has done the research for us, and because of that Centura is getting a quick start on HIPAA preparations." Thomas is encouraged by the high level of participation in the teleconferences. "We have had more than 100 participants for each session," she said. "The feedback we’ve received from market-based HIPAA leaders, and our conversations with other health care systems of similar size, show that Catholic Health Initiatives is on track for HIPAA preparation, although our progress during the next few months will be critical." Resources on Web site Copies of PowerPoint presentations from the HIPAA Education Series, as well as other information helpful to HIPAA leaders, are available on the Catholic Health Initiatives HIPAA Central Web site at In addition, training on Catholic Health Initiatives’ approach to the business impact analysis and tool sets will be delivered to HIPAA leaders and program teams through advanced HIPAA education and training conferences, to be held in three locations around the country starting in late April. For more information, contact Tracy L. Thomas at 610/358-4528 or