The risk register tracks identified risks to ePHI, scored by likelihood × impact (1–25), with a treatment decision for each.
When you set a risk to Mitigate, you can have OnlyHIPAA generate a tracked remediation task automatically. Its priority is set from the risk score, and it links back to the risk so the work is visible from both sides. A risk can also be linked to the finding that surfaced it.
Give a risk a due date and OnlyHIPAA tracks the treatment SLA. The register flags risks that are due soon (within a week) or overdue (with how many days past). Once an open or in-treatment risk passes its due date, it is escalated to the risk owner automatically (falling back to org admins), at most once a week, so overdue work surfaces without becoming noise. Closing the risk or moving the due date stops the escalation.
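The due-date rules above, modelled as an added Python example; this is not OnlyHIPAA's code. The status strings, the 1-5 likelihood and impact scales, the inclusive 7-day window, flagging only active risks, and falling back to admins when no owner is set are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DUE_SOON_DAYS = 7                        # "within a week" (assumed inclusive)
ESCALATION_INTERVAL = timedelta(days=7)  # "at most once a week"
ACTIVE = {"open", "in_treatment"}        # assumed status names


@dataclass
class Risk:
    likelihood: int                      # assumed 1-5 scale
    impact: int                          # assumed 1-5 scale
    status: str
    due: Optional[date] = None
    owner: Optional[str] = None
    last_escalated: Optional[date] = None

    @property
    def score(self) -> int:
        # likelihood x impact, giving the 1-25 range the register uses
        return self.likelihood * self.impact


def sla_flag(risk: Risk, today: date) -> Optional[str]:
    """Register flag for a risk: 'due soon', 'overdue by Nd', or None."""
    if risk.due is None or risk.status not in ACTIVE:
        return None
    days_left = (risk.due - today).days
    if days_left < 0:
        return f"overdue by {-days_left}d"
    return "due soon" if days_left <= DUE_SOON_DAYS else None


def escalate(risk: Risk, today: date, org_admins: List[str]) -> List[str]:
    """Return who to notify today (empty list if nobody) and record it."""
    # Closed risks and risks whose due date has not passed never escalate,
    # so closing the risk or moving the date forward stops the notifications.
    if risk.due is None or risk.status not in ACTIVE or today <= risk.due:
        return []
    # Throttle: skip if the last escalation was under a week ago.
    if risk.last_escalated and today - risk.last_escalated < ESCALATION_INTERVAL:
        return []
    risk.last_escalated = today
    # Assumed fallback condition: no owner assigned means org admins get it.
    return [risk.owner] if risk.owner else list(org_admins)
```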
The register opens with a likelihood × impact heatmap so you can see the distribution of risk at a glance and spot where the high-severity cluster sits.