Security

Risk Register

A living document that records identified risks, their likelihood and impact ratings, owners, and remediation status.

1 min read · Last reviewed May 23, 2026

At a glance

Category
Security
Primary sources
2
Workspace handoff
sra studio

Where this comes up

This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.

Full definition

What it is in practice

Although the HIPAA Security Rule does not name a "risk register," NIST SP 800-30 and SP 800-66 describe it as the operational artifact connecting the SRA to ongoing risk management. Each entry typically captures: asset, threat, vulnerability, likelihood, impact, control, owner, and review date.

How it shows up in your practice

Review the register quarterly. Close completed items with evidence and document the rationale for any accepted residual risk. The register is the artifact you hand an auditor.

Sources

Take it into the workspace

Maintain your risk register in SRA Studio

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.