
Risk analysis vs gap analysis: which does your practice need?

The difference between a HIPAA risk analysis and a gap analysis, which one the Security Rule actually requires, and when you need both.

By CoreFolio

Practices researching HIPAA compliance often encounter two terms: risk analysis and gap analysis. Vendors use them interchangeably. Some consultants offer "gap analysis" when the regulation requires "risk analysis." Others suggest both are necessary without explaining why.

The confusion is understandable but costly. 45 CFR § 164.308(a)(1)(ii)(A) requires a risk analysis. It does not require a gap analysis. The proposed 2026 Security Rule would change some implementation specifications from "addressable" to "required," making gap analysis more relevant for verifying compliance against the new standard. But even then, the two documents serve different purposes.

This article explains the distinction, which you need now, and when you might need both.

What each analysis does

Risk analysis

Purpose: Identify what could go wrong with your electronic protected health information (ePHI) and assess how likely and how severe each scenario is.

Required by: 45 CFR § 164.308(a)(1)(ii)(A) — mandatory since 2005.

Core question: What threats exist to our ePHI, and what is the risk level of each?

Methodology: National Institute of Standards and Technology (NIST) SP 800-30 framework. Identify threats, identify vulnerabilities, assess likelihood, assess impact, determine risk level.

Output: Risk register with prioritized risks and risk ratings.

Example finding: "Ransomware via phishing is a high-likelihood, high-impact risk to our unpatched workstations."

Gap analysis

Purpose: Compare your current state against a defined standard and identify where you fall short.

Required by: Not explicitly required by current HIPAA (except implicitly for "addressable" implementation specifications).

Core question: Do we meet the specific requirements of [standard]?

Methodology: Control-based assessment against a checklist or framework.

Output: List of gaps with severity ratings, often mapped to specific controls.

Example finding: "We do not have multi-factor authentication on remote access, which the 2026 proposed rule would require."

The regulatory context

Current Security Rule (2005, amended 2013)

The current rule at 45 CFR § 164.308(a)(1)(ii)(A) requires:

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information..."

This is a risk analysis. The rule does not say "conduct a gap analysis."

Many implementation specifications in the current rule are "addressable," meaning you can implement them as written, implement an equivalent alternative, or document why implementation is not reasonable and appropriate for your environment. A risk analysis helps determine what is reasonable and appropriate.

Proposed 2026 Security Rule

The Notice of Proposed Rulemaking (90 Fed. Reg. 898, January 6, 2025) would:

  • Change many "addressable" specifications to "required"
  • Add specific technical controls (MFA, encryption, network segmentation)
  • Make annual risk analysis explicit

Under the proposed rule, a gap analysis becomes more valuable because:

  • The required controls are more specific
  • There is less flexibility for equivalent alternatives
  • Practices need to verify they meet the new baseline

When you need risk analysis

Always. The current rule requires it. The Office for Civil Rights (OCR) enforces it. The Risk Analysis Initiative specifically targets practices without current, accurate, thorough risk analyses.

You need a risk analysis when:

  • You have never conducted one (new practices)
  • Your prior analysis is more than 12 months old
  • Your practice has changed (new EHR, new location, new vendors, staff changes)
  • You are preparing for an audit or responding to an investigation
  • OCR has opened an inquiry

The risk analysis is foundational. It identifies what you need to protect and what threatens it. Without it, you cannot make reasonable security decisions.

When you need gap analysis

Strategically, not universally. A gap analysis is useful when:

Preparing for the 2026 rule. If the proposed rule is finalized, practices will need to verify they meet the new required controls. A gap analysis against the 2026 standard identifies what must change.

Evaluating specific frameworks. Some practices voluntarily adopt frameworks like NIST Cybersecurity Framework (CSF) or HITRUST. Gap analysis shows where they stand relative to those standards.

Responding to specific findings. If an audit identifies a control failure, a gap analysis can verify whether other controls in the same category are implemented.

Due diligence for business associates. Some covered entities require business associates to demonstrate compliance against specific control sets.

Not needed: For day-to-day HIPAA compliance under the current rule. The risk analysis satisfies the regulatory requirement.

Why they cannot be the same document

Some practices ask: "Can we do one analysis that covers both?" The answer is no, for methodological reasons.

Different inputs:

  • Risk analysis: Threat intelligence, vulnerability assessment, likelihood estimation
  • Gap analysis: Control framework, requirements checklist, standard specification

Different processes:

  • Risk analysis: Threat-based, asks "what could go wrong?"
  • Gap analysis: Control-based, asks "do we meet requirement X?"

Different outputs:

  • Risk analysis: Risk register with prioritized risks (threat × impact)
  • Gap analysis: Gap list with control compliance status (present/absent)

Different purposes:

  • Risk analysis: Inform security decisions and risk management
  • Gap analysis: Verify compliance against a standard

A combined document trying to do both typically does neither well. It becomes unwieldy, and the dual methodology confuses reviewers.

The workflow: risk analysis first, gap analysis if needed

For most practices, the appropriate sequence is:

Step 1: Conduct risk analysis

  • Identify threats and vulnerabilities
  • Assess likelihood and impact
  • Determine risk levels
  • Produce Risk Management Plan

Step 2: Review risk analysis findings

  • Do identified risks cluster around specific control gaps?
  • Are there patterns in the findings?

Step 3: Conduct gap analysis if warranted

  • If preparing for 2026 rule: gap analysis against proposed controls
  • If pursuing voluntary certification: gap analysis against chosen framework
  • If addressing audit findings: targeted gap analysis in specific area

The risk analysis informs security priorities. The gap analysis, when used, verifies compliance against external standards.
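As an added illustration of the three-step workflow (constructed example code, not CoreFolio's tooling or output), the block below rates constructed threat scenarios on a 3x3 likelihood-by-impact matrix in the NIST SP 800-30 style, runs a present/absent gap check against a constructed checklist standing in for the proposed 2026 controls, and then asks Step 2's question: which high-rated risks sit on absent controls. The scenarios, control IDs and numeric cut-offs are assumptions.

```python
# Added example (not CoreFolio's code): the three-step workflow above on constructed data.
# Step 1: NIST SP 800-30 style qualitative risk analysis -> risk register.
# Step 2: check whether high risks cluster around absent controls.
# Step 3: control-based gap analysis of the same practice -> present/absent list.
from collections import Counter

LEVELS = {"low": 1, "moderate": 2, "high": 3}

def risk_level(likelihood, impact):
    """3x3 likelihood x impact matrix; the numeric cut-offs are this example's assumption."""
    score = LEVELS[likelihood] * LEVELS[impact]   # 1..9
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"

# Constructed scenarios for a small practice; each names the control meant to reduce it.
THREAT_SCENARIOS = [
    {"threat": "ransomware via phishing", "vulnerability": "patching lags 90 days",
     "likelihood": "high", "impact": "high", "control": "patch-management"},
    {"threat": "credential theft", "vulnerability": "remote access without MFA",
     "likelihood": "high", "impact": "high", "control": "mfa-remote-access"},
    {"threat": "lost laptop", "vulnerability": "unencrypted disk",
     "likelihood": "moderate", "impact": "high", "control": "encryption-at-rest"},
    {"threat": "insider snooping", "vulnerability": "shared EHR logins",
     "likelihood": "moderate", "impact": "moderate", "control": "unique-user-ids"},
]
# Constructed checklist standing in for the proposed 2026 controls the article names
# (MFA, encryption, segmentation); the IDs are this example's own, not the rule's text.
REQUIRED_CONTROLS = ["mfa-remote-access", "encryption-at-rest", "network-segmentation",
                     "patch-management", "unique-user-ids"]
# Present on paper per policy review; ransomware still rates high despite patch-management.
IMPLEMENTED = {"patch-management", "unique-user-ids"}

def risk_register(scenarios):
    """Step 1: rate every scenario; output is a register ordered highest risk first."""
    rated = [dict(s, risk=risk_level(s["likelihood"], s["impact"])) for s in scenarios]
    return sorted(rated, key=lambda r: -LEVELS[r["risk"]])

def gap_analysis(required, implemented):
    """Step 3: control-based check; output is present/absent per required control."""
    return {c: "present" if c in implemented else "absent" for c in required}

def high_risks_on_absent_controls(register, gaps):
    """Step 2: where the two outputs meet: high-rated risks whose control is absent."""
    return dict(Counter(r["control"] for r in register
                        if r["risk"] == "high" and gaps.get(r["control"]) == "absent"))

def run_workflow():
    register = risk_register(THREAT_SCENARIOS)
    gaps = gap_analysis(REQUIRED_CONTROLS, IMPLEMENTED)
    return register, gaps, high_risks_on_absent_controls(register, gaps)
```

Note that a control reported "present" by the gap check can still carry a high-rated risk in the register, which is exactly why the two outputs are not interchangeable.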

What CoreFolio produces

CoreFolio HIPAA free assessment: Produces a structured risk analysis following NIST 800-30 methodology. Identifies threats, assesses likelihood and impact, and generates a risk register. This satisfies the 45 CFR § 164.308(a)(1)(ii)(A) requirement.

CoreFolio HIPAA Digital Binder: Adds the 2026 Readiness Gap Report, which is a gap analysis against the proposed 2026 Security Rule controls. This helps practices prepare for the anticipated changes while maintaining current compliance.

Why both matter: The risk analysis protects you now and satisfies current OCR enforcement. The gap analysis prepares you for the likely future state of the regulation.

Practical guidance

If you have no analysis: Start with the risk analysis. It is required now, and OCR is actively enforcing it.

If you have a current risk analysis: Review it for accuracy and completeness. Consider whether a gap analysis against the 2026 proposed rule would help you prepare for upcoming changes.

If OCR has opened an investigation: Ensure your risk analysis is accurate, thorough, current, and accompanied by a Risk Management Plan. A gap analysis is secondary to enforcement needs.

If you are a business associate: Your covered entities likely require a risk analysis. Some may request gap analysis against specific control sets. Know which your contracts require.

The risk analysis is the foundation of HIPAA Security Rule compliance. The gap analysis is a valuable additional tool for specific purposes. Do not confuse them, and do not let a vendor sell you a gap analysis when you need the risk analysis that OCR actually enforces.