Proper documentation of your risk assessment is critical for compliance. The Office for Civil Rights (OCR) evaluates the quality and completeness of your assessment documentation during audits and breach investigations. This guide explains what documents to create, how to organize them, and how long to retain them.
Why Documentation Matters
Documentation serves multiple important purposes:
- Compliance proof: Demonstrates to OCR that you conducted a required assessment
- Methodology evidence: Shows how you identified risks and calculated risk ratings
- Accuracy verification: Allows OCR to evaluate whether the assessment was thorough and accurate
- Risk management tracking: Documents what actions you're taking to address identified risks
- Trend analysis: Enables year-over-year comparison of risk posture
- Legal protection: Demonstrates good faith compliance effort if challenged
Core Assessment Documents to Maintain
1. Risk Assessment Report
What: Main assessment document summarizing findings and risk ratings
Contents should include:
- Executive summary for leadership
- Assessment scope and methodology
- System inventory and data flows
- Threat and vulnerability findings
- Risk calculations and scoring methodology
- Prioritized risk register with ratings
- Recommendations and remediation strategies
- Assessment period/dates and approval signatures
2. Supporting Documentation
- System inventory: Detailed list of all systems, applications, locations, and data flows
- Vulnerability assessment results: Vulnerability scans, penetration testing reports, configuration reviews
- Threat identification documentation: Process used to identify threats; threats considered and evaluated
- Risk calculations: Risk scoring methodology and calculations for each identified risk
- Control documentation: Current security controls and their effectiveness ratings
- Interview notes: Documentation of interviews with key stakeholders
- Evidence files: Supporting documentation (screenshots, logs, policy copies, etc.)
3. Remediation Documentation
- Remediation plans: For each identified risk, documented action plan with owner and timeline
- Status tracking: Monthly or quarterly updates on remediation progress
- Completion evidence: Documentation that remediation activities were completed
- Effectiveness validation: Evidence that remediation actually closed or reduced the risk
- Interim measures: For risks not yet fully remediated, documentation of interim protective controls
4. Approval and Sign-Off
- Compliance officer signature: Dated approval by responsible compliance officer
- IT leadership approval: Sign-off by IT director or security officer
- Executive/Board approval: Evidence of senior leadership awareness and approval
- Dated versions: All versions of assessment documents with dates and change logs
Documentation Organization and Storage
Recommended File Structure
| Category | Document Types | Retention Period |
| --- | --- | --- |
| Current Assessment | Main report, summary, findings | Current year + 5 years |
| Supporting Materials | Scans, interviews, evidence | Assessment year + 4 years minimum |
| Prior Assessments | Previous years' full assessments | 6 years minimum |
| Remediation Tracking | Status reports, completion evidence | 6 years minimum |
| Approvals | Signed assessments, board minutes | 6+ years |
Storage Best Practices
- Secure storage: Risk assessment documents contain sensitive information; store securely with access controls
- Centralized location: Keep all assessment materials in one organized location for easy retrieval
- Backup copies: Maintain backup of all assessment documentation
- Version control: Clearly mark all versions with dates and document changes
- Organized by year: Structure by assessment year for easy historical retrieval
- Confidentiality: Limit access to assessment documents to appropriate staff
What OCR Expects to See
During Breach Investigations
If OCR investigates a breach, it will request:
- Most recent risk assessment (usually within 18 months)
- Assessment from the prior year (to check whether the assessment was updated annually)
- Documentation of the methodology used
- System inventory covering the systems involved in the breach
- Evidence that the vulnerability exploited in the breach was addressed in the assessment
- Remediation plans and status for vulnerabilities related to the breach
A common OCR finding: The organization's risk assessment failed to identify the vulnerability that led to the breach, demonstrating the assessment was inadequate.
During Compliance Audits
During audits, OCR reviews:
- Completeness of assessment (did it cover all systems and locations?)
- Accuracy of findings (are identified risks actually present?)
- Quality of risk analysis (are risk calculations reasonable?)
- Evidence of risk management (are identified risks being addressed?)
- Frequency of assessment (is it updated at least annually?)
- Documentation quality (is work product professional and complete?)
Documentation Retention Timeline
- Current Assessment Year: Maintain in an easily accessible location; under active management
- Prior Year Assessment: Keep available for comparison and trend analysis
- 2-5 Years Ago Assessments: Maintain for historical reference and audit purposes
- Minimum 6-Year Retention: HIPAA requires documentation retention for a minimum of 6 years
- Beyond 6 Years: Consider maintaining for 7-8 years to provide extra audit protection
Executive Summary for Leadership
Beyond the detailed assessment report, create a concise executive summary for board/leadership:
Executive Summary Should Include:
- Brief description of assessment scope and period
- Summary of findings by risk level (number of Critical, High, Medium, Low findings)
- Key vulnerabilities of concern to organization
- Progress on prior year remediation items
- Budget and resources needed for remediation
- Overall risk trend (improving, stable, deteriorating)
- Recommendations for board awareness and approval
Streamline Assessment Documentation
Maintaining comprehensive assessment documentation manually is error-prone and time-consuming. Medcurity's platform automatically generates professional documentation, maintains version control, and organizes all supporting materials for audit readiness.
Data Destruction and Records Management
When to Dispose of Assessments
- Minimum retention: 6 years per HIPAA requirements
- Longer retention recommended: 7-8 years provides extra protection
- Ongoing litigation: If OCR investigation or litigation is ongoing, maintain indefinitely
- Secure destruction: When it's time to dispose, use secure methods (shredding, secure deletion)
Frequently Asked Questions
Q: Do we need to keep every single document from the assessment?
Not every preliminary note, but you should maintain: the final assessment report, supporting vulnerability scans and evidence, risk calculations, remediation plans, and completion evidence. At a minimum, keep enough supporting work papers to show how you reached your methodology and conclusions.
Q: Can we store assessment documents in the cloud?
Yes, if the cloud provider is HIPAA-compliant and you have a business associate agreement in place. Many organizations use secure cloud storage for document management. Ensure encryption in transit and at rest.
Q: What if our assessment documentation is disorganized?
Better late than never to organize. Create a file structure now with current and prior assessments. If OCR requests documents and you can produce them (even if not perfectly organized), that's better than saying you have nothing. But organize as soon as possible.
Q: Do board minutes discussing risk assessment need to be kept?
Yes, they're supporting documentation showing governance awareness. If board approved risk assessment or received briefing on findings, maintain those meeting minutes with risk assessment documentation. They demonstrate accountability and oversight.