This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Security Management Process: Risk Management Assignment (Required)

Reference: 45 CFR 164.308(a)(1)
Last Updated: May 19, 2024


The purpose of the Risk Management Assignment Policy is:

  • To identify sources capable of conducting the risk analysis;
  • To ensure the risk analysis is conducted without any bias and that the information presented is objective and presents a realistic status of the organization.


Procedure: In accordance with current guidelines, it is our intention to conduct a risk analysis as follows:

  • A risk analysis shall be conducted once per year. In addition to the annual analysis:
    • Prior to substantial changes in the environment, a risk assessment or impact analysis must be conducted.
    • The occurrence of an event or incident warranting the reevaluation of risks requires an immediate risk assessment.
  • All risk analyses shall be coordinated with the HIPAA Security Officer;
  • In order to ensure objectivity, whenever possible, we shall subcontract this task to a subcontractor experienced in risk analysis;
    • If a subcontractor is not available to conduct a risk analysis in a timely fashion we may conduct the risk analysis using internal resources;
    • Internal resources for risk analysis may not be used more than two years in a row.
  • The Security Manager shall be responsible for the completion of the risk analysis in a timely fashion.
    • The Security Manager may recommend and coordinate the risk analysis with a reliable and experienced subcontractor.
  • Findings of the risk analysis shall be documented and given to the Security Manager within 30 days of concluding the assessment.
  • Within 90 days of receiving the results of the risk assessment, the Security Manager shall implement measures to remediate vulnerabilities and sufficiently reduce risk exposure.
  • Remediation activities shall include:
    • Submitting the risk remediation plan to the appropriate data security office, which shall forward a copy of the mitigation plan to the HIPAA Security Officer.
    • Providing written exemption or extension requests for any vulnerability that, due to business or technology constraints, cannot be remediated in the allotted time (5.1.4). All such requests must be approved by the appropriate data security office, the HIPAA Security Officer and Risk Management.
  • Data produced from the risk assessment shall be kept confidential.