Risk Register

The risk register tracks identified risks to ePHI, scored by likelihood × impact (1–25), with a treatment decision for each.

Treatments

  • Mitigate — reduce the risk with controls.
  • Accept — acknowledge and tolerate it (document why).
  • Transfer — shift it (e.g. insurance, a vendor).
  • Avoid — stop the activity that creates it.

From risk to action

When you set a risk to Mitigate, you can have OnlyHIPAA generate a tracked remediation task automatically. Its priority is set from the risk score, and it links back to the risk so the work is visible from both sides. A risk can also be linked to the finding that surfaced it.

Treatment SLAs

Give a risk a due date and OnlyHIPAA tracks the treatment SLA. The register flags risks that are due soon (within a week) or overdue (showing how many days past due). Once an open or in-treatment risk passes its due date, the risk owner is escalated automatically (falling back to org admins) — at most once a week, so overdue work surfaces without becoming noise. Closing the risk or moving the due date stops the escalation.

Heatmap

The register opens with a likelihood × impact heatmap so you can see the distribution of risk at a glance and spot where the high-severity cluster sits.

© 2026 OnlyHIPAA, Inc. All rights reserved.