Q&A: Documentation in the HIPAA risk management plan

Q. Are we required to explain why a vulnerability was not addressed or was deemed low priority in the risk management plan? If so, are there any examples of acceptable ways to document this per OCR?

A. Yes, to a limited degree. It’s not necessary to justify all acceptable risks. If the risk analysis is conducted in accordance with a standardized model such as that outlined in the National Institute of Standards and Technology (NIST) Publication 800-30, the risk analysis report includes documentation supporting why a risk is deemed low or compensating controls have been implemented to address the vulnerability.

You do need to document that you’ve accepted the risks. This could be included as a management response in the summary of your risk analysis report. There is no established standard when it comes to documenting risk acceptance other than the fact that OCR points to NIST in some of its guidance and in the Breach Notification Rule. Your best bet would be to check out NIST 800-30 if you’re searching for a standard that OCR will view favorably.

Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.