Risk Register and 30/60/90 Remediation Plan: A Practical Guide for Small Practices
6 min read · Updated April 25, 2026
Most small practices do a Security Risk Assessment once, file the PDF, and never look at it again. That is the gap OCR keeps finding. The risk register and the remediation plan are what turn a one-time assessment into the ongoing program the rule actually requires.
This guide walks through what belongs in the register, how to score without overthinking it, and how to structure a 30/60/90 plan that a 1 to 10 provider practice can realistically execute.
The Two Halves of the Security Rule You Cannot Skip
The Security Rule splits the work into two paired requirements that small practices often treat as one.
- Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI.
- Risk Management under 45 CFR 164.308(a)(1)(ii)(B) requires you to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
HHS OCR Risk Analysis Guidance lists nine elements, including "Determine the Level of Risk" and "Finalize Documentation." The risk register is the artifact that bridges the two halves. It is where the assessment outputs become tracked, owned, dated work items.
The pattern in OCR enforcement actions is consistent: practices completed an assessment, then never followed through. Risk Management failures are cited repeatedly. The fix is unglamorous and writable.
Why Documentation Is Not Optional
45 CFR 164.316(b)(1) requires documentation of any action, activity, or assessment required by the subpart. 45 CFR 164.316(b)(2) sets a six-year retention clock from the later of creation or last effective date. A risk register that lives only in someone's head, or in a spreadsheet that gets overwritten quarterly, does not meet that bar. Version it. Keep the prior versions.
What Belongs in the Risk Register
A small practice does not need an enterprise GRC platform. A locked spreadsheet or a structured document inside your compliance binder is enough, as long as it captures the fields below for every identified risk.
| ID | Risk | Asset | Likelihood | Impact | Score | Current Controls | Owner | Target Date | Status |
|---|---|---|---|---|---|---|---|---|---|
| R-001 | EHR access reviews not performed | ePHI in EHR | High | High | 9 | Initial provisioning only | Office Manager | 30 days | In progress |
| R-002 | Backup restoration never tested | ePHI in EHR backups | Medium | High | 6 | Nightly backup runs | IT Vendor | 60 days | Open |
| R-003 | Workforce training stale | Workforce | Medium | Medium | 4 | Onboarding only | Office Manager | 60 days | Open |
The full set of fields a small practice should track:
- ID (e.g., R-001) so you can reference rows in meeting notes
- Risk description in plain language
- Asset or data affected (e.g., ePHI in EHR, ePHI in email, ePHI in backups)
- Threat (ransomware, lost laptop, insider error, vendor outage)
- Vulnerability (no MFA, unencrypted device, missing BAA)
- Likelihood Low, Medium, or High
- Impact Low, Medium, or High
- Inherent risk score (Likelihood x Impact, on a 1 to 9 grid)
- Current controls already in place
- Residual risk after current controls
- Owner, a named person not a department
- Target date
- Status (Open, In progress, Done, Accepted)
- Evidence link to the artifact that proves it was done
Prioritization Without Paralysis
45 CFR 164.306(b) is the section small practices should reread before they start scoring. It says your security measures may be tailored to your size, complexity, and capabilities, your technical infrastructure, the costs of measures, and the probability and criticality of risks. That is the regulatory permission slip to be practical.
Use a 3x3 grid. Multiply Likelihood by Impact, score 1 to 9. Anything that lands at 6 or above goes in the 30 day bucket unless there is a real reason it cannot. Score 3 to 4 goes in 60. Score 1 to 2 goes in 90 or gets formally accepted with a written rationale.
The 30/60/90 Remediation Plan
The 30/60/90 framing is an operational convention, not a regulatory term. The rule cares about "reasonable and appropriate." A 30/60/90 cadence is just the bucket structure that tends to fit small practice attention spans and budget cycles.
30 Days: Quick Wins on the Highest Scores
- Enable MFA on email and remote access
- Confirm full-disk encryption on every laptop and workstation that touches ePHI
- Close any missing or expired Business Associate Agreements
- Get the sanctions policy in writing under 45 CFR 164.308(a)(1)(ii)(C)
- Document EHR access review cadence and run the first one
60 Days: Medium Lifts
- Workforce training refresh for everyone who handles ePHI
- Configure log retention so you can actually look back when something happens
- Media disposal and reuse procedure under 45 CFR 164.310(d)(2)
- Review and document workstation security under 45 CFR 164.310(b)
90 Days: Bigger Items
- Test the contingency plan, do not just write it (45 CFR 164.308(a)(7))
- Establish a formal information system activity review cadence under 45 CFR 164.308(a)(1)(ii)(D)
- Review physical safeguards end to end
- Schedule the next risk analysis
Addressable Is Not Optional
A common misread of 45 CFR 164.306(d) is that "addressable" means "skip if you want." It does not. For an addressable implementation specification, you must either implement it, implement an equivalent alternative, or document the reasoned decision not to implement it along with what you did instead. If a row in your register involves an addressable spec and your plan is to do something different, the rationale belongs in the register next to the row.
When to Reassess
45 CFR 164.308(a)(8) requires periodic Evaluation. In practice, refresh the analysis and the register when any of these happen:
- You switch EHRs or add a major vendor
- You experience a ransomware incident, breach, or near miss
- The practice grows, splits, merges, or moves
- A material change in the threat environment (e.g., a new attack pattern hitting your specialty)
- At minimum, on an annual cadence
Optional Federal Reference
NIST SP 800-66 Rev. 2, published February 2024, is a federal resource for implementing the Security Rule. It is not required, and it is written for a broader audience than a 4 provider clinic, but it is a useful structural reference if you want one.
A Note on the 2025 NPRM
HHS published a Notice of Proposed Rulemaking in late December 2024 / early January 2025 that would tighten Security Rule cadence requirements and remove the addressable / required distinction. As of April 2026 it is proposed, not finalized. Build to the current rule, but be aware the bar is likely moving up rather than down.
Where D3rx Fits
The D3rx Security Risk Analysis organizes the register, the 30/60/90 plan, target dates, status tracking, and evidence links into an audit-ready binder. It does not make decisions about what is reasonable and appropriate for your practice. It assembles what you have decided into a structure your office manager can hand to counsel, an auditor, or a payer credentialing team without scrambling. If something is missing from the binder, that is the gap you go fix this week.
Disclaimer
This guide is informational. D3rx organizes documentation and produces point-in-time assessment materials based on the inputs you provide. This is not legal advice. D3rx does not certify your program, does not guarantee any OCR audit outcome, and does not replace counsel familiar with your jurisdiction and specialty. Consult qualified HIPAA counsel for decisions that carry regulatory weight.
Have a billing question?
Ask D3 →Frequently asked
Is a 30/60/90 plan actually required by HIPAA?
No. The 30/60/90 structure is an operational convention, not a regulatory term. The regulatory anchor is 45 CFR 164.308(a)(1)(ii)(B), which requires you to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR cares that you have a documented plan with owners and target dates, and that you work the plan. The 30/60/90 cadence is a useful way to force prioritization in a 1 to 10 provider practice.
How granular should risk scoring be?
For a small practice, a simple Low, Medium, High scale on both likelihood and impact, multiplied into an inherent risk score, is enough. 45 CFR 164.306(b) explicitly allows you to scale your approach to your size, complexity, capabilities, and cost. A 5x5 matrix or quantitative dollar-loss modeling is overkill if you have one office and one EHR. What matters is that scoring is consistent across rows so prioritization is defensible.
What if I cannot afford to fix a risk in 90 days?
Document it. Capture the risk in the register, note the compensating controls you have, record the rationale for the longer timeline, and set a realistic target date. For addressable specifications under 45 CFR 164.306(d), if you decide an alternative is more reasonable and appropriate, write down what you implemented instead and why. The failure mode OCR pursues is silence, not honest constraint.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
No external citations found — this guide synthesizes from multiple sources.
Sources verified as of April 25, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
- BillingHIPAA Security Risk Assessment Checklist for Small PracticesA practical, action-oriented Security Risk Assessment checklist for 1-10 provider practices. Covers the nine OCR elements, asset inventory, addressable specs, and how to document evidence.
- BillingHIPAA Training Log Requirements for Small PracticesWhat HIPAA actually requires for workforce training, what your training log should contain, and how long to keep it. Built for small practices and office managers.
- ComplianceAmbulatory Surgery Center Compliance: CMS + State + Infection Control42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- ComplianceAnti-Kickback Statute: What Medical Practices Actually Need to Know (42 USC § 1320a-7b(b))The federal Anti-Kickback Statute is intent-based, criminal-grade, and the most common fraud-and-abuse theory in OIG enforcement. Here is what AKS actually prohibits, how the safe harbors function, and where practices get caught.