Updated March 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

The Ins and Outs of Risk Management

HIPAA Risk Assessment and Risk ManagementRisk Assessment and Risk Management

A Risk Assessment1 is a first step in protecting your organization, but it feeds into something as important – Risk Management. What is Risk Management? It’s the process of identifying, evaluating, and then mitigating the risks in your organization. Your Risk Management Plan feeds off of the results of your Risk Assessment.

Your Risk Assessment evaluates different criteria depending on the industry you are reviewing. Take the case of a bank, you’re not as concerned about Protected Health Information (PHI), but rather about loans and other financial products. Your Risk Assessment might include whether an applicant has the ability to repay the loan in a timely fashion. If you’re an employer group, an insurance agency, or a healthcare provider, your Risk Assessment is centered around PHI. You’re concerned with the possibility of health information being released to unqualified parties who can use the information for their personal gain.

First, the Risk Assessment

Creating your Risk Assessment is the first step of the Risk Management process; it lays the foundation for a detailed understanding of the risks to the confidentiality, integrity, and availability of ePHI and collects the information needed to establish the administrative, physical, and technical safeguards HIPAA requires be included in the Privacy and Security Policies and Procedures.

Yes, it’s a requirement, but it also works in your favor. The Risk Assessment provides the framework needed to complete your HIPAA compliance documents and it also identifies information for the key staff members and management to make risk prioritization and mitigation decisions.

How often you should perform a Risk Assessment depends on the size and complexity of the organization. Larger companies may need to administer one each year. You’ll also want to complete one when major changes occur to your organization.

Complete a Risk Assessment when you:

  • experience a security incident
  • have a change in ownership
  • turn over key management
  • plan to incorporate new technology

Check out our blog, “HIPAA Risk Assessment – Is this required?” and also our Risk Assessments Webinar for helpful information regarding Risk Assessments.

Developing The Risk Management Plan

You’ve completed a Risk Assessment – and now you’re ready to create the documents that will protect the information. Health and Human Services (HHS) provides questions your organization should consider for a Risk Management Plan:2

  • What security measures are already in place to protect PHI and ePHI? Is executive leadership and/or management involved in Risk Management and mitigation decisions? Figure out the key players and roles that will help safeguard the PHI.
  • Are security processes being communicated throughout the organization? See who in your organization knows about the security measures implemented and how you’ll get the information distributed amongst the staff.
  • Does the covered entity need to engage other resources to assist in Risk Management? You may decide that there are more practical solutions for your organization by delegating certain security measures to a third-party vendor (cloud file storage).

Although there are many different ways to address Risk Management, the following steps serve as a guideline to completing the Risk Management process:

  1. Identify the hazards
  2. Decide who could be harmed
  3. Establish control measures
  4. Record the findings of your assessment and inform those at risk of the controls
  5. Review the Risk Assessment on a regular basis

Implementing a Risk Management Plan

After you’ve documented your plan, it’s time to take action. Consider assigning an owner to each action item to avoid any item falling through the cracks.

For each major risk, you should take one of the following actions:

  • Avoid the risk – eliminate or protect from a threat. Such as moving a fax machine to a locked and secure location for only staff members with authorization.
  • Mitigate the risk – identify ways to reduce the probability of the risk. As an example, creating access levels in your organization.
  • Contingency – define actions to be taken in response to risks. Especially, defining HHS’ requirement to report if there is a breach violation.
  • Transfer the risk – shift the consequence of a risk to have a third party. For instance, using a cloud service provider and move data from local servers to the cloud or transitioning into shredding yourself to hiring a shredding vendor.

Ongoing Risk Management

Once your Risk Management Plan is documented, consider it to be a living document that you reference and change regularly. Use the following steps to monitor any risks and change the document and rules as necessary:

Step 1: Have the designated workforce members monitor and identify any new risks.

Step 2: Review previously documented risks (through the Risk Assessment) and determine if any risks have changed in nature.

  • For example, a desktop computer maintaining ePHI that had not been backed up routinely is now no longer used and the data has been saved to a local server or by cloud storage in accordance with your record retention policies. The risk then no longer exists. Document the reason the risk no longer exists noting the date the risk was eliminated.

Step 3: Review each existing risk and update the status of all incomplete mitigation actions. Note the date of the review and any change in the expected implementation date.

Step 4: Review results with your designated Security Officer.

Summary

Risk Assessment and Risk Management are the foundations of your organization HIPAA Security Rule compliance efforts. Risk Assessment and Risk Management are ongoing processes that will provide you, as a covered entity, business associate or business associate subcontractor, a detailed understanding of the risks to ePHI and the security measures needed to effectively manage those risks. Performing these processes appropriately will ensure the confidentiality, availability, and integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the HIPAA Privacy Rule.2

  1. Total HIPAA labels a Risk Assessment as collecting the initial information and Risk Analysis the process of evaluating a potential breach.
  2. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)