Completing your Risk Assessment is only the first step in the journey to secure Protected Health Information (“PHI”). A risk assessment simply identifies the items that pose risk to PHI and need remediation. The bulk of the work in a risk management program is what follows the risk assessment, the risk management plan. A risk management plan is a general term for the prioritization and tracking of the remediation items a risk assessment identified.
The output of a risk assessment is a detailed list of work that needs to be completed; however, it is unreasonable to expect that all of that work can be completed at one time. Some remediation items (e.g. deploying new technology) may require months of work or a financial investment. These items need to be planned out in a way that is reasonable for the organization, which is the objective of the risk management plan.
After a risk assessment, all of the remediation items should be reviewed and assigned a:
Start date; and
Anticipated completion date.
Essentially, every item that needs remediation will have a planned date by which it will be completed.
It is acceptable for that date to be some time down the road, provided the delay is justified when weighed against the unmitigated risk in the meantime.
In addition to outlining all of the remediation steps, the risk management plan is your way to show progress on the identified remediation tasks. This is a critical step for demonstrating to auditors, regulators, and partners that you are mitigating the risks identified.
This brings our series of articles on risk assessments to a close. Keep in mind that a risk assessment is an important tool for HIPAA compliance and for maintaining the privacy of PHI. However, it is only the first step in the process. Arguably the more critical component is the remediation work, which is outlined and tracked in the risk management plan.