What goes in a HIPAA risk management plan

The risk analysis gets all the attention, but OCR requires the risk management plan too. Here is what it needs to contain, how it relates to the risk analysis, and what a defensible plan looks like.

By CoreFolio

Published May 11, 2026Verified May 14, 20265-minute read

Every Office for Civil Rights (OCR) settlement under the Risk Analysis Initiative cites a missing or inadequate risk analysis as the violation. The risk management plan is a separate requirement in the Security Rule — and OCR requires it in the corrective action plan of every settlement. Both have to be documented.

45 CFR § 164.308(a)(1)(ii)(A) covers the risk analysis — the assessment of what could go wrong. 45 CFR § 164.308(a)(1)(ii)(B) covers the risk management plan — the documented response to what you found.

Most articles about HIPAA compliance focus on the risk analysis and stop there. This one covers the second document.

What the rule requires

The Security Rule requires covered entities to "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

That is the standard: risks reduced to a "reasonable and appropriate" level. Not zero. Not eliminated. Reduced and managed. And documented.

The risk management plan is the documentation of how you plan to reduce each risk your analysis identified. It needs to exist, it needs to be current, and it needs to be tied to specific risks.

How the risk management plan relates to the risk analysis

Think of the two documents as paired. The risk analysis answers: "What are our risks?" The risk management plan answers: "What are we doing about them?"

You cannot have a defensible risk management plan without a current risk analysis. And a risk analysis with no corresponding plan leaves the second half of the requirement unsatisfied.

OCR's investigative data request letters ask for both simultaneously: "copies of the most recent risk analysis" and "policies and procedures for managing identified risks." Investigators expect to see the connection between them.

What a risk management plan needs to contain

The rule does not prescribe a format. Based on the U.S. Department of Health and Human Services (HHS) 2010 guidance, OCR settlement patterns, and National Institute of Standards and Technology (NIST) SP 800-30, a defensible plan should contain:

1. A reference to the risk analysis it addresses. Date the analysis was completed, who conducted it. This ties the plan to a specific, current assessment.

2. A list of identified risks, by priority. Not all risks are equal. Your plan should distinguish between immediate, high-likelihood gaps (weak passwords on your electronic health record (EHR), no MFA on remote access) and lower-priority long-term items (network segmentation upgrades, formal pen testing).

3. A specific action for each risk. Not "we will address this" but "we will enable multi-factor authentication (MFA) on the EHR portal by [date]" or "we will execute business associate agreements (BAAs) with all vendor relationships by [date]." Vague language in a risk management plan is a flag for investigators.

4. A responsible party for each action. Who is accountable? For a small practice, this is often the practice owner or office manager. It can be a vendor for technical controls they manage. The name (or role) should be there.

5. A timeline. When will each action be completed? A risk management plan with no dates is not a management plan — it is a list of intentions.

6. A date for review. The plan should be a living document reviewed at least annually alongside the risk analysis. Note when the next review is scheduled.

Sorting risks by urgency

Risk management plans are easier to act on when identified risks are grouped by how quickly and cheaply they can be addressed.

Some gaps close at no cost within days — enabling MFA on your EHR portal and email account, revoking access for departed staff, verifying that every workforce member with ePHI access has a current sanctions agreement on file, updating the Notice of Privacy Practices.

A second category requires vendor coordination rather than capital: executing or updating BAAs with your EHR vendor, billing company, cloud backup service, and telehealth platform; confirming that encryption is enabled by default; asking your IT provider about patch management. These take a phone call or email, not a budget line.

A third category genuinely requires capital planning — network segmentation, replacing outdated devices that cannot be patched, formal workforce training programs, penetration testing. These belong in the plan with realistic timelines, not next week's to-do list.

The rule cares that you have a plan and are making measurable progress against it. Separating risks into urgency bands prevents paralysis and lets you show OCR — and yourself — that the most actionable items are being addressed first.

What "reasonable and appropriate" means in enforcement

OCR does not expect a small five-provider practice to implement the same controls as a large academic medical center. The Security Rule explicitly accounts for the "size, complexity, and capabilities" of the covered entity (45 CFR § 164.306(b)(2)).

What "reasonable and appropriate" means in enforcement is: you identified your significant risks, you have a documented plan to address them, and you are making progress. A plan that identifies 10 gaps and has addressed 7 of them over 12 months is defensible. A practice with no plan, or with a plan that has not been touched in three years, is not.

Signing and dating the plan

Like the risk analysis, the risk management plan should be dated and signed (or attributed to a responsible party). The date tells investigators it is current. The signature tells them who is accountable.

If your risk management plan is a collaborative document, the practice owner's signature covers it. If an external consultant or IT vendor produced it, the plan should still be countersigned by someone inside the practice who reviewed and approved it — you cannot outsource accountability.

Keeping it current

When you complete your annual risk analysis, update the risk management plan to reflect:

Risks that have been addressed and closed
New risks identified in this year's analysis
Updated timelines for open items
Changes in responsible parties

The plan should be dated at each update. Investigators can tell the difference between a plan that has been maintained and one that was created once and filed.

Sources: 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(1)(ii)(B) (risk management plan); 45 CFR § 164.306(b)(2) (flexibility of approach); HHS OCR Guidance on Risk Analysis Requirements (2010); NIST SP 800-30 Rev. 1 (2012).

FAQ

Common questions

Is a HIPAA risk management plan required?

Yes. 45 CFR § 164.308(a)(1)(ii)(B) requires every covered entity to document and implement security measures sufficient to reduce identified risks to a reasonable and appropriate level. In Risk Analysis Initiative settlements, OCR cites the missing risk analysis as the violation (§ 164.308(a)(1)(ii)(A)); the risk management plan is required in every corrective action plan as the mandated remediation step.

What is the difference between a risk analysis and a risk management plan?

The risk analysis (§ 164.308(a)(1)(ii)(A)) asks what risks exist. The risk management plan (§ 164.308(a)(1)(ii)(B)) documents what you are doing about each identified risk. OCR requires both — a risk analysis with no corresponding plan leaves the second obligation unsatisfied.

What should a HIPAA risk management plan contain?

A defensible plan includes: a reference to the risk analysis it addresses, a prioritized list of identified risks, a specific action for each risk, a responsible party, a completion timeline, and a scheduled review date. Vague language like 'we will address this' is a flag for investigators.

How often should I update my HIPAA risk management plan?

Update the plan annually alongside your risk analysis. Each update should close completed items, add new risks from the current analysis, update timelines for open items, and note any changes in responsible parties. Date and sign each version.

Keep learning

How-to
How to do a HIPAA risk analysis yourself: a step-by-step guide for small practices
The Security Rule requires every covered entity to conduct an accurate, thorough risk analysis. Here is what that actually means, what it has to contain, and how to do it yourself — or prepare for a focused consultant review.
May 14, 20266-minute read
Enforcement
The OCR Risk Analysis Initiative, explained
When OCR investigates a small practice — after a breach report, a ransomware attack, a vendor incident, or a patient complaint — the first thing they ask for is the risk analysis. Here is what changed in late 2024, what the rule actually requires, and what a defensible answer looks like.
May 14, 202617-minute read
Enforcement
What OCR finds every time it investigates a small practice
More than 100 OCR resolution agreements follow the same pattern. Here are the six violations investigators find most often — and what each means for your practice.
May 7, 20265-minute read