An analysis that identifies an organization’s current state and the steps required to reach compliance. Includes an internal evaluation, renewed at least annually; new components are evaluated as they are introduced, then added to the ongoing evaluations. Both covered entities and business associates must comply: for instance, a third party that provides a cloud-based EMR application to one or more covered entities.