When your organization completes a risk analysis, you’re on the path to HIPAA compliance but it’s just one step. Once you do a risk analysis, you then need to put plans in place to address these risks. In this post, we’ll explain the actions you need to take after a risk assessment, help you create plans to fill gaps and detail what to document. Ready? Let’s jump in.

What is risk mitigation?

First, let’s talk about what risk mitigation is. Risk mitigation is the process of actually taking action to protect your ePHI data and reduce the risk of potential compromises. Doing this requires you to put plans in place that your team can carry out.

Why should your organization focus on risk mitigation?

As soon as you have a risk analysis, you can shift your focus to risk management and risk mitigation. It’s important that you act with urgency on the vulnerabilities you discover. The truth is that knowing what your risks and vulnerabilities are isn’t enough to make your organization HIPAA compliant. You also have to show that you’re taking reasonable action to reduce these risks.

How to fill the gaps

Start by reviewing your risk analysis and the most concerning potential vulnerabilities that your organization faces. From there, you can start creating an action plan to close the gaps. At this point, you will already know what the potential hazards are. So, it’s time to determine what could happen if you don’t put measures in place and take steps towards getting a better handle on your data and risk factors.

Creating your risk management plan

All the information including potential risks and vulnerabilities you discover within your organization should be addressed in your risk management plan. This plan should also include all privacy, security and breach notification requirements that HIPAA has in place to make sure that you maintain compliance. This may sound complicated but stay with us. You can start creating a risk management plan and implementing risk mitigation in a few steps.

  1. Prioritize the security measures you need to put in place.
  2. Document how you’ll implement these security measures to avoid risks.
  3. Test these measures on a regular basis.

These three things, at their core, are what needs to be included in a risk management plan.

However, if you still aren’t sure what to include, here are some areas to consider that will apply to most organizations.

Data and devices

How will you handle the creation, transfer or deletion of ePHI on devices in your organization? This is an area that’s closely looked at in the event of a HIPAA audit, because data loss or theft is one of the most common reasons an organization may have trouble meeting HIPAA guidelines.

Understanding how your organization avoids risks relating to patient data and devices is key.

Incidents and breaches

How will your organization ensure that the right parties are notified in the event of a security incident or breach? Your team should know who to report to and how to report a security incident so that it can be handled as quickly as possible. In addition, you have to make sure that if you do have a breach that impacts a number of individuals, you have the systems in place to notify them quickly. If your organization does ever experience a breach that impacts more than 500 people, you’re required to notify those individuals within 60 days.

Uses and disclosures
What steps will you take to validate that your team is using and disclosing patient information appropriately? Remember, this is all about protecting patient data. Above all else, you need to be able to ensure that your organization is handling this data with care. Understanding what appropriate use is and putting plans in place to ensure that your organization works within those boundaries is a critical part of risk mitigation.

Beyond these important points, there are a few best practices you should consider when creating your risk mitigation plan. They may seem like small additions but in the event of a HIPAA audit, these are some of the things that can make your documentation truly complete.

Rules and Resolutions

While risk mitigation plans will vary from organization to organization, it's important to document that you understand the HIPAA rules. You should also show how your organization is addressing each rule.

Completion date

Including a completion date is critical in the event of an audit and for your own records. The HHS requires you to complete a risk analysis and risk management plan each year, so having these dates on file can keep your team accountable and also ensure your compliance.

Comments

Creating a comment section for each requirement and your organization's resolutions is great for internal use. This allows the individuals who create the plan to give context to other members of your team, helping them understand both the scope of the plan and what's required.

Putting it all together

Making it this far means that you've gathered a lot of data about your organization, risk factors, vulnerabilities, and the way that you plan to address any concerns. That said, it's just as important to make sure that you remember to put all of this information together in documentation that can be provided to the HHS in the event of an audit. If your plans are scattered all over the place or your documentation isn't clear, you could risk failing a HIPAA audit even when your team has put in the work to be HIPAA compliant. Don't let this happen to you. You've done the work, so take a few hours to put it all together and make the information accessible.

On-going risk management

Remember: much like with risk analysis, you should review your risk mitigation plans regularly.

Risk management can’t be put on the back burner or only looked at when someone on your team thinks about it. This should become an on-going practice in your organization and all documentation should be updated accordingly.

Wrapping up

Following these steps will put you on the path to having a greater understanding of what risks your organization may face and how to avoid them. Once you accomplish this, there's more work to be done but your organization will have taken leaps and bounds towards maintaining HIPAA compliance. Want to stay up to date on our HIPAA audit content series? You can check out all our content, including new parts of the series by visiting our blog.