HIPAA Gap Analysis

SKILL.md

# HIPAA Gap Analysis

Assess your organization's HIPAA compliance posture across all five rule areas — Administrative Safeguards, Physical Safeguards, Technical Safeguards, Privacy Rule, and Breach Notification Rule. Covers all 32 control areas required for covered entities and business associates. Produces a gap report with compliance score, identified deficiencies, and a prioritized remediation roadmap.

---

## Usage

```json
{
  "tool": "hipaa_gap_analysis",
  "input": {
    "organization_name": "Sunrise Health Clinic",
    "organization_type": "Covered Entity",
    "entity_size": "Small",
    "services_provided": ["Primary Care", "Telehealth", "Lab Services"],
    "phi_volume": "Medium",
    "phi_types": ["Medical Records", "Billing Information", "Lab Results"],
    "workforce_size": 45,
    "locations_count": 3,
    "cloud_services": true,
    "third_party_vendors": true,
    "mobile_devices": true,
    "security_officer_assigned": true,
    "workforce_training": false,
    "access_management": true,
    "contingency_plan": false,
    "incident_response": false,
    "risk_assessment_conducted": true,
    "business_associate_agreements": true,
    "facility_access_controls": true,
    "workstation_use_controls": false,
    "device_media_controls": false,
    "access_control_systems": true,
    "audit_controls": false,
    "integrity_controls": false,
    "transmission_security": true,
    "privacy_officer_assigned": true,
    "notice_of_privacy_practices": true,
    "patient_rights_procedures": true,
    "minimum_necessary_procedures": false,
    "complaints_process": true,
    "breach_notification_procedures": false,
    "breach_risk_assessment": false
  }
}
```

---

## Parameters

All fields are **required**.

### Organization Profile

| Field | Type | Description |
|-------|------|-------------|
| `organization_name` | string | Name of the organization being assessed |
| `organization_type` | string | e.g., `Covered Entity`, `Business Associate`, `Hybrid Entity` |
| `entity_size` | string | `Small`, `Medium`, `Large` |
| `services_provided` | array of strings | List of healthcare services offered |
| `phi_volume` | string | Volume of PHI handled: `Low`, `Medium`, `High` |
| `phi_types` | array of strings | Types of PHI: e.g., `Medical Records`, `Billing Information`, `Lab Results`, `Mental Health Records` |
| `workforce_size` | integer | Total number of employees/contractors |
| `locations_count` | integer | Number of physical locations |
| `cloud_services` | boolean | Whether cloud services are used to store/process PHI |
| `third_party_vendors` | boolean | Whether third-party vendors have access to PHI |
| `mobile_devices` | boolean | Whether mobile devices are used to access PHI |

### Administrative Safeguards

| Field | Type | Description |
|-------|------|-------------|
| `security_officer_assigned` | boolean | Designated Security Officer in place |
| `workforce_training` | boolean | Regular HIPAA workforce training conducted |
| `access_management` | boolean | Formal access management procedures exist |
| `contingency_plan` | boolean | Data backup and disaster recovery plan exists |
| `incident_response` | boolean | Security incident response procedures in place |
| `risk_assessment_conducted` | boolean | Formal risk assessment has been conducted |
| `business_associate_agreements` | boolean | BAAs executed with all relevant vendors |

### Physical Safeguards

| Field | Type | Description |
|-------|------|-------------|
| `facility_access_controls` | boolean | Physical access controls for facilities with PHI |
| `workstation_use_controls` | boolean | Workstation use and security policies in place |
| `device_media_controls` | boolean | Controls for hardware/media containing PHI |

### Technical Safeguards

| Field | Type | Description |
|-------|------|-------------|
| `access_control_systems` | boolean | Technical access controls (unique user IDs, auto-logoff, etc.) |
| `audit_controls` | boolean | Audit logs for PHI access and activity |
| `integrity_controls` | boolean | Controls to ensure PHI is not improperly altered or destroyed |
| `transmission_security` | boolean | Encryption/security for PHI in transit |

### Privacy Rule

| Field | Type | Description |
|-------|------|-------------|
| `privacy_officer_assigned` | boolean | Designated Privacy Officer in place |
| `notice_of_privacy_practices` | boolean | NPP distributed and acknowledged |
| `patient_rights_procedures` | boolean | Procedures for patient access, amendment, and accounting |
| `minimum_necessary_procedures` | boolean | Minimum necessary standard applied to PHI use/disclosure |
| `complaints_process` | boolean | Process for receiving and handling privacy complaints |

### Breach Notification Rule

| Field | Type | Description |
|-------|------|-------------|
| `breach_notification_procedures` | boolean | Breach notification procedures documented |
| `breach_risk_assessment` | boolean | Process for conducting breach risk assessment in place |

---

## What You Get

- **Overall HIPAA compliance score** — percentage and maturity rating
- **Rule-by-rule gap breakdown** — Administrative, Physical, Technical, Privacy, Breach Notification
- **Control deficiency list** — exactly which of the 32 controls are gaps
- **Risk-prioritized remediation plan** — Immediate (0–30 days), Short-term (30–90 days), Long-term (90+ days)
- **Regulatory exposure summary** — potential penalty tiers based on identified gaps (Tier 1–4)
- **Audit readiness rating** — how prepared the organization is for an OCR audit

---

## Example Output

```json
{
  "organization": "Sunrise Health Clinic",
  "overall_score": 62,
  "compliance_rating": "Partial Compliance",
  "audit_readiness": "Moderate Risk",
  "rule_scores": {
    "administrative_safeguards": { "score": 71, "gaps": 2 },
    "physical_safeguards": { "score": 33, "gaps": 2 },
    "technical_safeguards": { "score": 50, "gaps": 2 },
    "privacy_rule": { "score": 80, "gaps": 1 },
    "breach_notification": { "score": 0, "gaps": 2 }
  },
  "critical_gaps": [
    "No breach notification procedures — OCR Tier 3/4 penalty exposure",
    "No breach risk assessment process — required for all incidents",
    "Workstation use controls absent — PHI exposure risk at endpoints",
    "No audit controls — inability to detect or prove unauthorized access"
  ],
  "immediate_actions": [
    "Document and implement breach notification procedures (7 days)",
    "Deploy workstation lock/encryption policy (14 days)",
    "Enable audit logging on all systems accessing PHI (7 days)"
  ],
  "penalty_exposure": "Tier 3 — Willful Neglect (up to $50,000 per violation)"
}
```

---

## API Reference

**Base URL:** `https://portal.toolweb.in/apis/compliance/hipaa-gap-analysis`

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/hipaa-analysis` | POST | Run full HIPAA gap assessment |

**Authentication:** Pass your API key as `X-API-Key` header or `mcp_api_key` argument via MCP.

---

## Pricing

| Plan | Daily Limit | Monthly Limit | Price |
|------|-------------|---------------|-------|
| Free | 5 / day | 50 / month | $0 |
| Developer | 20 / day | 500 / month | $39 |
| Professional | 200 / day | 5,000 / month | $99 |
| Enterprise | 100,000 / day | 1,000,000 / month | $299 |

---

## About

**ToolWeb.in** — 200+ security APIs, CISSP & CISM certified, built for enterprise compliance practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube

- 🌐 [toolweb.in](https://toolweb.in)
- 🔌 [portal.toolweb.in](https://portal.toolweb.in)
- 🤖 [hub.toolweb.in](https://hub.toolweb.in) (MCP Server)
- 🦞 [toolweb.in/openclaw/](https://toolweb.in/openclaw/)
- ⚡ [rapidapi.com/user/mkrishna477](https://rapidapi.com/user/mkrishna477)
- 📺 [youtube.com/@toolweb-009](https://youtube.com/@toolweb-009)