HIPAA Security Risk Management Plan Template

Disclaimer: PrivaPlan HIPAA Security Risk Management Plan Template


The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users
should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to
their particular situations, and in connection with other compliance-related concerns.

<To customize this template document, replace all of the text that is presented in angle brackets
(i.e. “<” and “>”) with text that is appropriate to your organization and circumstances. After
completing the customization of this document, the document should be reviewed by an attorney
who is familiar with health privacy laws and regulations in the state(s) in which the organization
maintains its facilities, and who is in a position to provide legal counsel to your organization. >

© 2014 by PrivaPlan® Associates, Inc. All Rights Reserved. 1


<Insert Name> HIPAA Security Risk Management Plan

Version: <insert version> [Use to track versions]

Owners:

<Insert names and job titles>

[Typically this should be owned by the Security Official as well as other individuals involved in
HIPAA compliance and/or the actual risk remediation like IT and the Privacy Official.]

Background

This HIPAA Security Risk Management Plan represents the <Insert Name> ongoing risk
management program based upon:

• The most current HIPAA Security Risk Analysis
• Prior HIPAA Security Risk Analyses
• Any corrective action plans required by governmental bodies

Plan Execution

Each risk management item is supported by a separate project plan documenting how the risk will be
managed or mitigated. The specific owners and resources for execution are listed on that secondary
plan.

Plan Accountability and Revisions


[Sample language to consider using; your circumstances may be different]

The plan accountability and revisions are managed as follows:

• Monthly review by the team owners of the risk management plan status
• Identification of any areas of deficiency in meeting the plan, resulting in a status report to
the CEO
• Updating the plan with revised timelines is subject to the approval of the CEO
• The plan may also be updated and revised based upon:
  o New HIPAA or other security incidents
  o Regulatory changes
  o Increased threat levels due to internal or external factors
  o Vendor and resource support issues


Plan:

Columns: <Insert Year> HIPAA SRA Risk or Gap | Best Practice and Mitigation Plan | Risk Mitigation Completion Date

SECURITY RISK HIGH

Risk or Gap: <Insert your specific SRA High Risk/Gap here (there may be more than one)>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a "to be completed by" date>

[EXAMPLE:
Risk or Gap: Legacy backup tapes are not encrypted.
Best Practice and Mitigation Plan: Backup tapes are stored in the IT closet. A full inventory should be
completed, identifying those tapes that are not encrypted, and each unencrypted tape should then be
either encrypted, copied to an encrypted storage device, or securely destroyed. While the practice has
improved its physical security controls, those controls are not impermeable, so the unencrypted backups
remain a risk of a security incident and a Breach if stolen.
Risk Mitigation Completion Date: Inventory completed by 2-15-2014; encryption/disposal plan by
5-30-2014; completion by 7-30-2014.]


Columns: <Insert Year> SRA Risk or Gap | Best Practice and Mitigation Plan | Risk Mitigation Completion Date

SECURITY RISK MEDIUM

Risk or Gap: <Insert your specific SRA Medium Risk/Gaps here (there may be several)>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a "to be completed by" date>

[EXAMPLE 1:
Risk or Gap: Facility Security plan and controls can be improved, including:
• Visitor access and authentication, through improved front desk training and monitoring
• Access monitoring and management of perimeter doors as well as high-risk interior areas such as
the data center
Best Practice and Mitigation Plan:
• Increase visitor access controls through more vigilant visitor sign-in and authentication
(including issuing a unique badge).
• Increase physical security controls by the use of video surveillance.
• Implement smartcard/swipe card access controls integrated with photo ID badges, and eventually
proximity controls for network access.
• Implement additional biometric controls on the data center.
• Implement photo ID badges for vendors who have ongoing access requirements; this can also
include a Code of Conduct requirement for key vendors.
Risk Mitigation Completion Date: In remediation: visitor access, swipe card, biometric data center
and video surveillance controls are being implemented in March 2014; updated training by
4-30-2014; full deployment of photo ID cards to staff by 5-1-2014; deployment of enhanced vendor
authentication and badge controls by 5-15-2014.]

Risk or Gap: <Insert your specific SRA Medium Risk/Gaps here>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a "to be completed by" date>

[EXAMPLE 2:
Risk or Gap: Mobile device safeguards and management settings can be updated.
Best Practice and Mitigation Plan: Implement third-party mobile security software and ensure that
encryption of cached mail and text messages is enabled.
Risk Mitigation Completion Date: By 4-30-2014.]

Risk or Gap: <Insert your specific SRA Medium Risk/Gaps here>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a "to be completed by" date>

[EXAMPLE 3:
Risk or Gap: Replace all Windows XP workstations.
Best Practice and Mitigation Plan: Replace the Windows XP operating system with Windows 7 or 8. As
of April 8, 2014, Microsoft will no longer provide support or security updates for Windows XP,
leaving any remaining systems exposed to unpatched vulnerabilities.
Risk Mitigation Completion Date: 4-8-2014.]


Columns: <Insert Year> HIPAA SRA Risk or Gap | Best Practice and Mitigation Plan | Risk Mitigation Completion Date

LOW SECURITY RISK

Risk or Gap: <Insert your specific SRA Low Risk/Gaps here (there may be several)>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a "to be completed by" date>

[EXAMPLE 1:
Risk or Gap: The process for identifying new sources of ePHI and updating the ePHI inventory is not
documented.
Best Practice and Mitigation Plan: We recommend creating a detailed PHI use/disclosure inventory;
this can also be used as a training tool. For ongoing maintenance, we suggest a process such as
making each department manager responsible for identifying any new technology acquisitions or
implementations. When identified, these should be communicated to the Security Official. The
Security Official will establish a similar process within the IT department. The Security Official
can then use the combined information to update the ePHI inventory and assess the risk of the new
technology relative to the safeguards in place. Appropriate risk management will be implemented.
Risk Mitigation Completion Date: Partially remediated with the risk analysis; completion
9-30-2014.]

Risk or Gap: <Insert your specific SRA Low Risk/Gaps here>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a "to be completed by" date>

[EXAMPLE 2:
Risk or Gap: Printers, multifunction printers and other devices require security procedures to limit
possible malware intrusion.
Best Practice and Mitigation Plan: Any device that joins the domain requires specific procedures to
limit the potential for malware to be introduced. A threat vector even for printers or multifunction
printers that have only RAM memory is the insertion of malware to capture fax transmissions or other
ePHI. Since most of these devices are not powered down on a routine basis, such malware can remain
resident in memory. Printer administrator default passwords should be changed.
Risk Mitigation Completion Date: The practice is conducting a "printer evaluation and
decommissioning" program to reduce the number of printers and multifunction devices in use by
5-30-2014; strengthen credentials and access controls on the remaining devices by 10-31-2014.]
