Compliance gap tracking

HIPAA's risk management standard requires covered entities not just to identify risks, but to implement security measures to reduce those risks to a reasonable and appropriate level. Structured gap tracking is the operational mechanism for doing this, it documents what was found, who is responsible for addressing it, and whether the corrective action has been completed. In a review or investigation, this documentation supports the practice's ability to demonstrate that identified gaps were not ignored.

Gaps emerge from SRAs, policy reviews, internal audits, and sometimes from incident investigations. Each gap should be recorded as a distinct item with enough detail to be actionable, what the gap is, where it was identified, and what safeguard category it falls under. Categorization helps with prioritization and reporting: gaps in high-risk areas require different urgency than gaps in lower-risk administrative processes.

• Log each gap as a separate line item in a tracking register or log
• Record the gap description, the source (SRA, policy review, audit), and the date identified
• Categorize by safeguard type: administrative, physical, or technical
• Note the regulatory citation or policy area the gap relates to
• Avoid combining multiple related gaps into a single item, each gap should be trackable independently

Gaps without owners do not get resolved. Every gap in the tracking register should have a designated owner, a specific person responsible for completing the corrective action, not a department or a vague role. Priority assignment should be based on the risk level of the gap: gaps that create significant exposure to unauthorized ePHI access or breach scenarios should be prioritized over gaps that are lower-risk administrative oversights.

• Assign a named owner to every gap, not just a department
• Set a target completion date for each gap based on its priority level
• Use a consistent priority framework (e.g., High/Medium/Low) applied consistently across all gaps
• Prioritize gaps that affect ePHI access controls, breach notification, or incident response
• Review priority assignments with appropriate compliance advisors where the risk level is unclear

A gap tracking register is only valuable if it is kept current. Status updates, when a gap moves from identified to in-progress to resolved, should be recorded in the register as they occur, not in a batch at the end of a review cycle. Each status change should include the date and any relevant notes about what was done. Gaps that are resolved should be closed with documentation of the corrective action taken, not simply removed from the list.

Gaps that are not progressing should be escalated rather than left in a perpetual in-progress status. If an owner cannot complete a corrective action within the assigned timeline, practice leadership should be involved to determine whether the timeline needs adjustment, additional resources are required, or a different approach is needed.

Gap tracking data becomes most valuable when it is reviewed regularly as part of a compliance management routine. A monthly or quarterly status report that summarizes the number of open gaps, the number closed since last review, and any items past their target date gives practice leadership visibility into compliance progress without requiring deep review of the full register each time.

• Generate a gap status summary at least monthly for leadership review
• Track the total open gaps, gaps past target date, and gaps closed in the current period
• Flag any gaps past target date for discussion and timeline reassessment
• Archive the full gap register periodically to create a historical compliance record
• Use gap trend data to inform the scope and focus of the next SRA or policy review