Clarifying misconceptions about healthcare RMPs.

Tod Ferran, CISSP, QSA
By: Tod Ferran
This article was also featured in BC Advantage: “Lessons Learned About HIPAA Risk Management Plans"

Many healthcare entities haven’t yet separated the difference between the HIPAA Security Rule and HIPAA Privacy Rule. Because of this confusion, they leave many security regulations unfulfilled. Most practices I’ve communicated with are trained, strict adherers to the Privacy Rule, but don’t understand that the Security Rule is a completely different ball game. (SEE ALSO: Understanding HIPAA Privacy and Security Rules.)
I’d like to clarify a misperceived section of HIPAA security: The RMP.
The Risk Management Plan (RMP) is the compliance step that works through issues discovered in the risk analysis and provides a documented instance proving your active acknowledgement (and correction) of PHI risks and HIPAA requirements.

There are three vastly different approaches to RMP that vary in cost, time, and work required. To my knowledge, every covered entity engaged with HIPAA is using at least one of these methods.

1) Audit approach

This approach is the quickest way to become HIPAA compliant…if you have the time and money to devote. A HIPAA auditor visits your location, verifies what safeguards have been implemented, completes a risk analysis, and essentially fills out a risk management plan for you. This process usually takes one to three months. Of all three approaches, this is the quickest to compliance but it will cost you. Depending on your organization and the PHI it handles, an annual HIPAA audit starts around $40,000.

2) Net approach

I gave this method its name because a security expert tries to ‘catch’ all important HIPAA requirements in one RMP. Security experts work with you remotely to prioritize threats found in your risk analysis. If you find a good HIPAA vendor, they guide you through the creation and implementation of a RMP.
While the audit approach is the quickest way to become compliant, the net approach gives you the biggest bang for your buck. Cost varies, but I typically see about $2,000 annually. Depending on the time you are willing to invest, this method can take from three months up to two years.

3) DIY approach

DIY is usually attempted by finding a RMP template via a Google search, then figuring it out yourself. Here’s the problem with DIY. Even if a healthcare professional came up with an acceptable plan, they likely wouldn’t be able to understand all the technical jargon, prioritize it by level of importance, or even complete it. Please don’t be offended by this statement! In the same way I don’t expect to know anything about correctly conducting a medical exam or diagnosing a tumor, you aren’t expected to understand the technical jargon that goes along with HIPAA compliance.

In my experience, the net approach is the most cost effective and practical for small to mid-sized entities.

What should be included in a RMP?

Although the risk analysis outcome should directly feed into a RMP, plans should also include all HIPAA Security, Privacy, and Breach Notification requirements. For example: identification and documentation of job roles is a HIPAA requirement, but doesn't necessarily come from a risk analysis. As a general rule, including all risks and HIPAA requirements, your plan will likely have 100-200 to do’s.

SEE ALSO: Your Security Strategy Should Be Risk Based

Although specific items included in a RMP vary, here are a few industry best practices to include.
  • Each HIPAA rule and its takeaway: This one is pretty obvious, but you should line item each HIPAA rule (all 157 of them) and the corresponding resolutions.
  • Risk level: Each vulnerability discovered should be assigned a risk level. You can get some of this information from the risk analysis, but may have to estimate the rest based on current breach and hacker activity.
  • Date completed: Including a date completed is great for both HHS documentation and your own records.
  • Completed by: This is great for practices where two or more people (such as a doctor and office manager) are completing an RMP together.
  • Notes section: It’s helpful to include a comments section next to each requirement, just in case you want to jot a reminder for next year.
Risk Management Plan Template
Sample Risk Management Plan from SecurityMetrics

What are the most recent RMP trends?

Covered entities are either working on compliance, or they’re not. Those who are working on compliance are either succeeding or failing.

There are a few core reasons covered entities struggle with risk management plans…
  • People aren’t starting because they are afraid to try. Many falsely believe they’re 100% on their own to figure everything out. They take one look at the hundreds of requirements and give up before they’ve even started.
  • Many people who try literally have no idea what they’re doing. I recently spoke to an office manager who thought maintaining a secure firewall at all times meant she needed to lock the office door when she went home. Security professionals may chuckle at that statement, but I realize you weren’t trained to think like a paranoid security geek. Realizing you need help is a great step towards compliance.
  • People get privacy requirements, but need help with security. Both parts, the Security Rule and the Privacy Rule have been around for 10 years, however due to their technical nature and the fact that the government did not actively impose penalties for non-compliance, the Security Rule has been largely ignored. Because of this, many don’t understand that the HIPAA Security Rule requires a completely different set of security precautions and safeguards.

How much time should you devote to an RMP?

Technically, you could spend 80 hours a week on HIPAA compliance. A ‘realistic’ timetable is different for every situation. I’ve found that prioritization is a great way to maintain sanity and reduce the greatest risk items first. If you only have one hour per week to spend on HIPAA, get those high-risk items done first. Don’t waste time on HIPAA requirements that probably won’t prevent PHI loss, damage, or theft. Not at the beginning, anyway.

Perhaps a few scenarios will help you decide how much time per week is right for your practice.
  • One very busy office administrator manages HIPAA compliance for a two-doctor practice. Along with her compliance tasks, she schedules patient visits, takes calls, manages front desk operations, negotiates with insurance companies, and deals with angry customers. (Sound familiar?) Because she is stretched thin, she can only squeeze compliance in for 20 minutes a week. If she implements the net approach, she can get a security professional to walk her through her plan for those 20 minutes a week, and likely complete many HIPAA requirements during the course of a year.
Watch the webinar: A 21-Day HIPAA Compliance Plan
  • In another situation, a dedicated compliance officer manages a compliance team at a hospital. Her entire job is devoted to getting her hospital HIPAA compliant. Under the direction of a HIPAA auditor, working 40 hours per week on HIPAA, and delegating specific requirements to her team, she can probably complete the implementation of her RMP within a few months.

To the people who question if they are the right employee to take charge of HIPAA compliance, my response is always, it doesn’t matter, just start! If you simply start on HIPAA security compliance, you’re doing better than 50% of your peers. Decide which approach you want to implement. Determine how much time you can devote to compliance per week. Then either call an auditor, start researching RMP online, or contact a vendor who can walk you through compliance.


Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.