HIPAA Compliance

Risk Register and 30/60/90 Remediation Plan: A Practical Guide for Small Practices

6 min read · Updated April 25, 2026

Most small practices do a Security Risk Assessment once, file the PDF, and never look at it again. That is the gap OCR keeps finding. The risk register and the remediation plan are what turn a one-time assessment into the ongoing program the rule actually requires.

This guide walks through what belongs in the register, how to score without overthinking it, and how to structure a 30/60/90 plan that a 1 to 10 provider practice can realistically execute.

The Two Halves of the Security Rule You Cannot Skip

The Security Rule splits the work into two paired requirements that small practices often treat as one.

  • Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI.
  • Risk Management under 45 CFR 164.308(a)(1)(ii)(B) requires you to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

The HHS OCR Guidance on Risk Analysis Requirements lists nine elements, among them "Determine the Level of Risk" and "Finalize Documentation." The risk register is the artifact that bridges the two halves. It is where the assessment outputs become tracked, owned, dated work items.

The pattern in OCR enforcement actions is consistent: practices completed an assessment, then never followed through. Risk Management failures are cited repeatedly. The fix is unglamorous and writable.

Why Documentation Is Not Optional

45 CFR 164.316(b)(1) requires written documentation of any action, activity, or assessment required by the subpart. 45 CFR 164.316(b)(2)(i) sets a six-year retention clock from the later of creation or the date the document was last in effect, and 164.316(b)(2)(iii) requires that documentation be reviewed and updated periodically. A risk register that lives only in someone's head, or in a spreadsheet that gets overwritten quarterly, does not meet that bar. Version it. Keep the prior versions.

What Belongs in the Risk Register

A small practice does not need an enterprise GRC platform. A locked spreadsheet or a structured document inside your compliance binder is enough, as long as it captures the fields below for every identified risk.

| ID | Risk | Asset | Likelihood | Impact | Score | Current Controls | Owner | Target Date | Status |
| R-001 | EHR access reviews not performed | ePHI in EHR | High | High | 9 | Initial provisioning only | Office Manager | 30 days | In progress |
| R-002 | Backup restoration never tested | ePHI in EHR backups | Medium | High | 6 | Nightly backup runs | IT Vendor | 60 days | Open |
| R-003 | Workforce training stale | Workforce | Medium | Medium | 4 | Onboarding only | Office Manager | 60 days | Open |

The full set of fields a small practice should track:

  • ID (e.g., R-001) so you can reference rows in meeting notes
  • Risk description in plain language
  • Asset or data affected (e.g., ePHI in EHR, ePHI in email, ePHI in backups)
  • Threat (ransomware, lost laptop, insider error, vendor outage)
  • Vulnerability (no MFA, unencrypted device, missing BAA)
  • Likelihood: Low, Medium, or High
  • Impact: Low, Medium, or High
  • Inherent risk score: Likelihood x Impact with Low = 1, Medium = 2, High = 3, which gives a score from 1 to 9 on a 3x3 grid
  • Current controls already in place
  • Residual risk after current controls
  • Owner: a named person, not a department
  • Target date
  • Status: Open, In progress, Done, or Accepted
  • Evidence: a link to the artifact that proves the work was done

Prioritization Without Paralysis

45 CFR 164.306(b) is the section small practices should reread before they start scoring. It says your security measures may be tailored to your size, complexity, and capabilities, your technical infrastructure, the costs of measures, and the probability and criticality of risks. That is the regulatory permission slip to be practical.

Use a 3x3 grid with Low = 1, Medium = 2, High = 3. Multiply Likelihood by Impact; the only scores that grid can produce are 1, 2, 3, 4, 6 and 9. Anything that lands at 6 or above goes in the 30 day bucket unless there is a real reason it cannot, and that reason gets written next to the row. Score 3 to 4 goes in 60. Score 1 to 2 goes in 90 or gets formally accepted with a written rationale.
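As an added example, not D3rx code and not part of this guide beyond the scoring rule it describes, here is a small Python script that scores register rows on the 3x3 grid above, assigns the default 30/60/90 bucket, flags rows that are missing the documentation the register fields call for (an owner, an override reason for a row slower than its bucket, a rationale for Accepted rows, an evidence link for Done rows, a rationale for an addressable spec handled differently), groups the rows into the plan, and writes a dated, content-hashed snapshot so that an earlier version is never overwritten. The field names, the check list and the sample rows are constructed for illustration; the first three sample rows mirror the table earlier in this guide, while the override reason on R-002 and the fourth row are hypothetical.

```python
"""Risk register scorer, 30/60/90 bucketer and snapshot writer.

Added example for this guide; not D3rx code. Scoring follows the guide's
3x3 grid (Low=1, Medium=2, High=3, score = likelihood x impact) and its
bucket rule (>=6 -> 30 days, 3-4 -> 60 days, 1-2 -> 90 days or Accepted
with a written rationale). Field names, checks and sample data are constructed.
"""
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path

LEVEL = {"Low": 1, "Medium": 2, "High": 3}
STATUSES = {"Open", "In progress", "Done", "Accepted"}
BUCKETS = (30, 60, 90)


def score(likelihood, impact):
    """Inherent risk on the 1-9 grid. Only 1, 2, 3, 4, 6 and 9 are reachable."""
    return LEVEL[likelihood] * LEVEL[impact]


def bucket(risk_score):
    """Default remediation bucket, in days, for a score on the 3x3 grid."""
    if risk_score >= 6:
        return 30
    if risk_score >= 3:
        return 60
    return 90


def validate(row):
    """Return the documentation gaps in one register row (empty list = clean)."""
    problems = []
    s = score(row["likelihood"], row["impact"])
    if not row.get("owner"):
        problems.append("owner must be a named person")
    if row["status"] not in STATUSES:
        problems.append(f"unknown status {row['status']!r}")
    if row["target_days"] not in BUCKETS:
        problems.append("target_days must be 30, 60 or 90")
    # A row slower than its default bucket needs the "real reason" written down.
    elif row["target_days"] > bucket(s) and not row.get("override_reason"):
        problems.append(f"score {s} belongs in the {bucket(s)}-day bucket; no override reason")
    # Only scores 1-2 may be formally accepted, and only with a rationale.
    if row["status"] == "Accepted" and (s > 2 or not row.get("rationale")):
        problems.append("Accepted requires score 1-2 and a written rationale")
    # Done rows need the artifact that proves it (164.316(b)(1)).
    if row["status"] == "Done" and not row.get("evidence"):
        problems.append("Done requires an evidence link")
    # An addressable spec met by an alternative needs the rationale next to the row.
    if row.get("addressable_alternative") and not row.get("rationale"):
        problems.append("addressable alternative requires a documented rationale")
    return problems


def plan(rows):
    """Group row IDs into the 30/60/90 plan by their recorded target date."""
    out = {30: [], 60: [], 90: [], "Accepted": []}
    for row in rows:
        key = "Accepted" if row["status"] == "Accepted" else row["target_days"]
        out[key].append(row["id"])
    return out


def snapshot(rows, directory):
    """Write a dated, content-addressed copy of the register and return its path.

    Identical content maps to the same file name; different content gets a new
    file, so a prior version is never overwritten (164.316(b)(2)(i) retention).
    """
    body = json.dumps(rows, indent=2, sort_keys=True).encode()
    digest = hashlib.sha256(body).hexdigest()[:12]
    path = Path(directory) / f"risk-register-{date.today():%Y-%m-%d}-{digest}.json"
    if not path.exists():
        path.write_bytes(body)
    return path


# Constructed sample register. Rows R-001..R-003 mirror the guide's table;
# the override reason on R-002 and row R-004 are hypothetical.
SAMPLE = [
    {"id": "R-001", "risk": "EHR access reviews not performed", "asset": "ePHI in EHR",
     "likelihood": "High", "impact": "High", "controls": "Initial provisioning only",
     "owner": "Office Manager", "target_days": 30, "status": "In progress"},
    {"id": "R-002", "risk": "Backup restoration never tested", "asset": "ePHI in EHR backups",
     "likelihood": "Medium", "impact": "High", "controls": "Nightly backup runs",
     "owner": "IT Vendor", "target_days": 60, "status": "Open",
     "override_reason": "Hypothetical: vendor cannot schedule a restore test within 30 days"},
    {"id": "R-003", "risk": "Workforce training stale", "asset": "Workforce",
     "likelihood": "Medium", "impact": "Medium", "controls": "Onboarding only",
     "owner": "Office Manager", "target_days": 60, "status": "Open"},
    {"id": "R-004", "risk": "Front-desk screen lock set to 15 minutes (hypothetical)",
     "asset": "ePHI on front-desk workstation", "likelihood": "Low", "impact": "Low",
     "controls": "Desk faces staff-only area", "owner": "Front Desk Lead",
     "target_days": 90, "status": "Accepted"},   # accepted with no rationale: flagged
]


def run_demo():
    """Validate the sample, build the plan, and prove the snapshot is stable."""
    findings = {r["id"]: validate(r) for r in SAMPLE}
    with tempfile.TemporaryDirectory() as tmp:
        first = snapshot(SAMPLE, tmp)
        second = snapshot(SAMPLE, tmp)          # same content -> same file, no overwrite
        restored = json.loads(first.read_text())
    return findings, plan(SAMPLE), first.name == second.name and restored == SAMPLE


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2, default=str))
```

Run it as-is and R-004 is the only row flagged, because it was accepted without a rationale; drop the override reason from R-002 and it is flagged too, since a score of 6 belongs in the 30 day bucket. The snapshot file name carries the date and a hash of the content, which is a cheap way to keep every prior version without a GRC tool.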

The 30/60/90 Remediation Plan

The 30/60/90 framing is an operational convention, not a regulatory term. The rule cares about "reasonable and appropriate." A 30/60/90 cadence is just the bucket structure that tends to fit small practice attention spans and budget cycles.

30 Days: Quick Wins on the Highest Scores

  • Enable MFA on email and remote access
  • Confirm full-disk encryption on every laptop and workstation that touches ePHI
  • Close any missing or expired Business Associate Agreements
  • Get the sanctions policy in writing under 45 CFR 164.308(a)(1)(ii)(C)
  • Document EHR access review cadence and run the first one

60 Days: Medium Lifts

  • Workforce training refresh for everyone who handles ePHI
  • Configure log retention so you can actually look back when something happens
  • Media disposal and reuse procedure under 45 CFR 164.310(d)(2)
  • Review and document workstation use and workstation security under 45 CFR 164.310(b) and 164.310(c)

90 Days: Bigger Items

  • Test the contingency plan, do not just write it (45 CFR 164.308(a)(7))
  • Establish a formal information system activity review cadence under 45 CFR 164.308(a)(1)(ii)(D)
  • Review physical safeguards end to end
  • Schedule the next risk analysis

Addressable Is Not Optional

A common misread of 45 CFR 164.306(d) is that "addressable" means "skip if you want." It does not. For an addressable implementation specification you must assess whether it is reasonable and appropriate for your environment and, if it is, implement it. If it is not, you must document why, and implement an equivalent alternative measure where one would be reasonable and appropriate. Either way, the decision is written down. If a row in your register involves an addressable spec and your plan is to do something different, the rationale belongs in the register next to the row.

When to Reassess

45 CFR 164.308(a)(8) requires a periodic technical and nontechnical evaluation, including in response to environmental or operational changes that affect the security of ePHI. In practice, refresh the analysis and the register when any of these happen:

  • You switch EHRs or add a major vendor
  • You experience a ransomware incident, breach, or near miss
  • The practice grows, splits, merges, or moves
  • A material change in the threat environment (e.g., a new attack pattern hitting your specialty)
  • At minimum, on an annual cadence

Optional Federal Reference

NIST SP 800-66 Rev. 2, published February 2024, is a federal resource for implementing the Security Rule. It is not required, and it is written for a broader audience than a 4 provider clinic, but it is a useful structural reference if you want one.

A Note on the 2025 NPRM

HHS announced a Notice of Proposed Rulemaking on December 27, 2024, published in the Federal Register on January 6, 2025, that would tighten Security Rule cadence requirements and remove the addressable / required distinction. As of April 2026 it is proposed, not finalized. Build to the current rule, but be aware the bar is likely moving up rather than down.

Where D3rx Fits

D3rx organizes the register, the 30/60/90 plan, target dates, status tracking, and evidence links into the Compliance Binder. It does not make decisions about what is reasonable and appropriate for your practice. It assembles what you have decided into a structure your office manager can hand to counsel, an auditor, or a payer credentialing team without scrambling. If something is missing from the binder, that is the gap you go fix this week.

Disclaimer

This guide is informational. D3rx organizes documentation and produces point-in-time assessment materials based on the inputs you provide. This is not legal advice. D3rx does not certify your program, does not guarantee any OCR audit outcome, and does not replace counsel familiar with your jurisdiction and specialty. Consult qualified HIPAA counsel for decisions that carry regulatory weight.
