The first step in the risk management process should be to develop and implement a risk management plan. The purpose of a risk management plan is to provide structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures. For the risk management plan to be successful, key members of the covered entity’s workforce, including senior management and other key decision makers, must be involved. The outputs of the risk analysis process will provide these key workforce members with the information needed to make risk prioritization and mitigation decisions. The risk prioritization and mitigation decisions will be determined by answering questions such as:
- Should certain risks be addressed immediately or in the future?
- Which security measures should be implemented?
Many of the answers to these questions will be determined using data gathered during the risk analysis. The entity has already identified, through that process, what vulnerabilities exist, when and how vulnerability can be exploited by a threat, and what the impact of the risk could be to the organization. This data will allow the covered entity to make informed decisions on how to reduce risks to reasonable and appropriate levels. An important component of the risk management plan is the plan for implementation of the selected security measures.
The implementation component of the plan should address:
- Risks (threat and vulnerability combinations) being addressed;
- Security measures selected to reduce the risks;
- Implementation project priorities, such as: required resources; assigned responsibilities; start and completion dates; and maintenance requirements.
The implementation component of the risk management plan may vary based on the circumstances of the covered entity. Compliance with the Security Rule requires financial resources, management commitment, and the workforce involvement. Cost is one of the factors a covered entity must consider when determining security measures to implement. However, cost alone is not a valid reason for choosing not to implement security measures that are reasonable and appropriate. The output of this step is a risk management plan that contains prioritized risks to the covered entity, options for mitigation of those risks, and a plan for implementation. The plan will guide the covered entity’s actual implementation of security measures to reduce risks to EPHI to reasonable and appropriate levels.