HIPAA compliance

HIPAA Remediation Plan: How to Fix Compliance Gaps and Prove You Fixed Them

A risk assessment that ends with a list of findings and no follow-through is worse than no assessment at all, because now the gaps are documented and unaddressed. This guide explains what a HIPAA remediation plan is, where the requirement actually lives in the regulation, why the 30-day correction window can change your penalty tier, what a defensible plan contains, how to prioritize fixes by risk instead of convenience, the interim controls that protect you while long projects run, and the documentation that turns finished work into evidence.

July 15, 2026

What HIPAA remediation plan means in practice

The hardest moment in HIPAA compliance is not the risk assessment. It is the Monday after, when the assessment is done, the findings are sitting in a spreadsheet, and someone has to decide what happens next. A HIPAA remediation plan is the document that answers that question: a written, prioritized register of every identified compliance gap, who owns the fix, when it is due, what happens in the meantime, and how the organization will prove the gap was actually closed. The phrase remediation plan appears nowhere in the HIPAA regulations, which surprises people, but the activity is unambiguously required, and organizations that skip it end up in the worst possible position, holding a document that proves they knew about their gaps and a track record that proves they ignored them. This guide walks through where the remediation requirement actually lives in the regulation, why the speed of your correction can determine which civil penalty tier applies, what a defensible remediation plan contains, how to order the work, the interim safeguards that matter while long fixes are in flight, the findings that show up on almost every gap list, and the documentation habits that turn finished work into evidence an investigator will accept.

Start with the regulatory foundation, because it explains what the plan has to accomplish. The HIPAA Security Rule requires a risk analysis at 45 CFR 164.308(a)(1)(ii)(A), and immediately next to it, at 45 CFR 164.308(a)(1)(ii)(B), it requires risk management: implementing security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level. Read those two provisions together and the logic of the whole rule appears. The risk analysis finds the problems; risk management fixes them; and a remediation plan is simply risk management written down with names and dates attached. The standard both provisions serve is 45 CFR 164.306(a), which obligates covered entities and business associates to protect the confidentiality, integrity, and availability of electronic protected health information against reasonably anticipated threats. And the rule is explicit, at 45 CFR 164.306(b), that what counts as reasonable and appropriate depends on your size, complexity, and capabilities, your technical infrastructure, the cost of the measures, and the probability and criticality of the risks involved. That flexibility is a gift to small organizations, but it cuts both ways: a five-person billing company is not expected to remediate like a hospital system, but no organization gets to leave a known, critical, cheaply fixable risk open and call that reasonable.

Now the fact that gives remediation speed a dollar value. The civil penalty structure at 45 CFR 160.404 is built around culpability tiers, and the line between the two most expensive tiers is nothing more than whether you corrected the violation. A violation due to willful neglect that is corrected within 30 days sits in the third tier, where 2026 penalties run from $14,602 to $73,011 per violation. The same violation left uncorrected falls into the fourth tier, where the minimum jumps to $73,011 per violation and the annual cap reaches $2,190,294 for repeated violations of the same requirement. The regulation goes further in your favor when the conduct was not willful: under the affirmative defense at 45 CFR 160.410, a penalty may not be imposed at all for a violation not due to willful neglect if it is corrected within 30 days of the date you knew, or with reasonable diligence should have known, that the violation occurred. In plain terms, an organization that finds its own problems and fixes them quickly can eliminate or drastically shrink its penalty exposure, and an organization that documents a problem and sits on it converts an ordinary gap into evidence of neglect. The Privacy Rule adds a parallel duty at 45 CFR 164.530(f): when a use or disclosure violates the rules, you must mitigate the harmful effects to the extent practicable. Remediation is not compliance housekeeping. It is the single most direct lever you have over what a violation ultimately costs.

Where HIPAA remediation plan risk appears

So what does a defensible remediation plan actually contain? Working compliance officers converge on the same core fields, because each one answers a question an investigator will eventually ask. Every entry needs the finding itself, stated plainly and tied to the specific provision it falls under, so that encryption is missing on twelve laptops that store patient spreadsheets becomes a gap against the addressable encryption specification at 45 CFR 164.312(a)(2)(iv) rather than a vague note about device security. Every entry needs a risk rating that carries over from the risk analysis, reflecting how likely the threat is and how bad the impact would be. Every entry needs an owner, meaning one named person, not a department, because a fix assigned to IT belongs to no one. Every entry needs a target date that reflects the risk rating, the resources required, and a realistic view of the work. Entries for longer fixes need the interim measures that reduce exposure in the meantime. And every entry needs a verification step: what evidence will show the fix is real, and who signs off on closure. A remediation plan without owners and dates is a wish list, and a plan without verification steps is a stack of claims nobody can check.

Prioritization is where good plans distinguish themselves from long ones, and the rule is simple to state and hard to obey: order the work by risk, not by ease. The gaps that combine high likelihood with high impact go first, and in practice that list is depressingly consistent: portable devices that hold unencrypted protected health information, user accounts that stay active after termination, no tested backups of critical systems, and administrative access spread far beyond the people who need it. These are the exact scenarios behind years of breach reports and enforcement actions, which is precisely why they belong at the top regardless of how disruptive the fix feels. Quick wins have their place, and closing several cheap, fast items early builds momentum and shows regulators and leadership that the program is alive. What you cannot do is let the easy items become the whole plan while the structural work waits. A twelve-month project to redesign access roles in your electronic health record system should not block the two-week task of enabling automatic logoff, but the reverse is also true: a year of finished small tasks does not excuse an untouched critical finding. The honest test is to read your plan top to bottom and ask whether the order reflects what would actually hurt patients and the organization most, or just what was most convenient to schedule.

Long fixes create a gap between finding a problem and solving it, and interim compensating controls are how you stay defensible inside that gap. Suppose the full-disk encryption rollout will take a quarter because devices are scattered across clinics and budgets arrive in phases. The remediation entry should say so, and it should also record what you did immediately: a policy prohibiting protected health information on portable devices until encryption lands, enforcement of that policy through the sanction framework at 45 CFR 164.308(a)(1)(ii)(C), tightened export permissions in the systems where the data lives, and a communication to staff explaining the temporary rule. The Security Rule's own structure supports this approach. For addressable implementation specifications, 45 CFR 164.306(d) requires you to assess whether the specification is reasonable and appropriate and, if you take another route, to document why and implement an equivalent alternative where reasonable. That documentation discipline is exactly the muscle interim controls require: write down what you are doing instead, why it reduces the risk, and when the permanent fix arrives. An investigator who finds a slow fix accompanied by documented interim measures sees an organization managing risk. An investigator who finds the same slow fix with nothing in between sees an organization that knew and did not act.

Evidence and controls to keep

It helps to know what will be on the list before you build it, because a handful of findings dominate nearly every gap assessment in healthcare. A missing or stale risk analysis leads the parade; it is the most commonly cited failure in enforcement history, and if yours is old or absent, refreshing it is remediation item number one because everything else flows from it. Workforce training gaps come next, and they deserve special attention for a practical reason: training is required under both the Privacy Rule at 45 CFR 164.530(b) and the Security Rule's awareness and training standard at 45 CFR 164.308(a)(5), it appears on every audit document request, and it is usually the fastest significant finding to close, since role-based training with verifiable certificates can be rolled out to an entire workforce in days. Missing business associate agreements follow, a gap against 45 CFR 164.308(b) that grows quietly every time someone signs up a new vendor without telling compliance. Then access rights that no longer match job roles, which offends both the Security Rule access controls at 45 CFR 164.312(a) and the Privacy Rule's minimum necessary access design at 45 CFR 164.514(d)(2). Then audit logs that exist but that nobody reviews, a standing violation of the information system activity review requirement at 45 CFR 164.308(a)(1)(ii)(D). And then contingency planning, the backup, disaster recovery, and emergency operations work required by 45 CFR 164.308(a)(7) that everyone defers until the ransomware event makes it urgent.

Documentation is what separates remediation that protects you from remediation that merely happened. The Security Rule's documentation standard at 45 CFR 164.316(b)(1) requires policies, procedures, and required actions, activities, and assessments to be maintained in written form, and 45 CFR 164.316(b)(2) attaches three duties that map directly onto your remediation plan: retain documentation for six years from creation or last effective date, make it available to the people who need to follow it, and review and update it as conditions change. Apply those duties to the plan itself. The register of findings, the owners and dates, the interim measures, the closure evidence, and each periodic status update belong in your compliance records for six years, because they are the narrative proof of your risk management program. This evidence points in two directions, and you should be honest with yourself about both. A well-kept remediation record is powerful defense material: it shows a program that finds problems and closes them, which is what reasonable diligence looks like. But the same record can convict you. A finding logged three years ago, rated critical, assigned to no one, and still open at the time of a breach is close to a textbook illustration of willful neglect, and it will be read that way. The answer is not to stop writing findings down. It is to run the plan you wrote.

Closure deserves its own discipline, because a fix is not finished when someone says it is finished. Every remediation entry should end with verification: a retest or inspection that confirms the control actually works, evidence captured at the moment of closure, and a named person accepting the item as done. The evidence varies by finding, and collecting it takes minutes when the work is fresh: configuration exports showing encryption enabled, a user access report matching the role matrix, training completion records with certificate identifiers for every workforce member, the countersigned business associate agreement in the vendor file, a log review calendar with the first three reviews actually performed. Verified closures then feed the loop the Security Rule expects you to run continuously. The evaluation standard at 45 CFR 164.308(a)(8) requires periodic technical and nontechnical evaluation in response to environmental and operational changes, and 45 CFR 164.306(e) requires security measures to be reviewed and modified as needed to keep protection reasonable and appropriate. Remediation, in other words, is not a project with an end date. It is the repeating middle of a cycle: assess, plan, fix, verify, document, and reassess, with each pass through the loop producing a shorter and less alarming findings list than the one before.

How to apply the guidance

There is one more reason to run this process well on your own schedule, and it is the difference between remediation you design and remediation that is designed for you. When the Office for Civil Rights investigates a breach or complaint and finds significant noncompliance, settlements routinely arrive with a corrective action plan attached: a multi-year, OCR-supervised remediation program in which the regulator approves your risk analysis, approves your revised policies, approves your training materials, and receives regular implementation reports, with the settlement payment riding alongside. Everything in an imposed corrective action plan is work you could have done voluntarily, sooner, cheaper, and without a federal monitor reading your status reports. Breach events also compress your timeline: the breach notification rules force a documented risk assessment of the incident under 45 CFR 164.402, notifications on fixed deadlines, and immediate mitigation, all while the underlying gap that caused the incident screams for a fix. An organization with a living remediation plan absorbs that pressure, because the machinery for assigning, tracking, and verifying fixes already exists. An organization without one improvises its remediation program during the worst month in its history, in front of a regulator, and the improvisation shows.

Five mistakes account for most remediation failures, and every one of them is avoidable. The first is the ownerless plan, where findings are assigned to departments, committees, or nobody, and each quarterly review discovers that everyone assumed someone else was handling it. The second is closure without evidence: items marked done on someone's verbal assurance, which collapse the first time an auditor asks to see proof and the proof does not exist. The third is sequencing by convenience, where the plan fills up with completed easy items while the critical finding that requires budget and executive attention rolls forward quarter after quarter, aging into liability. The fourth is treating remediation as a one-time cleanup tied to a single assessment, when the regulation plainly frames it as a continuous obligation; the organization that remediates once and stops will meet the same findings again in three years, plus interest. The fifth is the documented-and-ignored gap, the most dangerous of all: writing a finding into the record and then letting it sit changes your legal posture, because you can no longer claim you did not know. If leadership is unwilling to fund a fix, the plan should record the interim controls and the risk acceptance decision explicitly, with a date and a signature, rather than letting silence stand in for a decision no one made.

Next steps for HIPAA remediation plan

Here is how to get from no plan to a working plan in a week of honest effort. Start with the findings source: if you have a current risk analysis, pull its findings into a single register; if you do not, that absence is itself your first finding, and a structured self-assessment against the Security Rule safeguards will generate your initial gap list in an afternoon. Draft the register with the fields that matter: finding, citation, risk rating, owner, due date, interim measures, verification step, status. Take it to leadership and get owners and dates accepted out loud, because a plan nobody agreed to is a plan nobody follows. Close the workforce training gap first if you have one, for the reasons above: it is required by two separate rules, it is on every document request list, it is the fastest meaningful finding to fix, and a workforce that actually understands the rules stops creating new findings while you work on the old ones. Then set the cadence: a monthly or quarterly standing review where owners report status, closed items get their evidence filed, stalled items get escalated, and the plan's review date gets updated, which keeps you square with the documentation duties and keeps the register honest.

If you are building or rebuilding your remediation program, the supporting pieces are close at hand. Our free HIPAA risk assessment tool walks through the Security Rule safeguards question by question and produces a scored gap list you can drop straight into a remediation register, which solves the blank-page problem in about twenty minutes. Our penalty calculator shows what the culpability tiers and the 30-day correction window mean in dollars, which is a remarkably effective slide when you need leadership to fund a fix. And when the training finding comes up, as it almost always does, role-based team training with assessment-backed, verifiable certificates lets you close the most commonly cited gap on the list in days, with completion records that drop cleanly into your closure evidence file. Fix what you find, write down what you fixed, and keep the proof. That is the entire discipline, and organizations that practice it stop fearing the Monday after the risk assessment.


Recommended resources

Keep exploring the topic.

Use the related training, compliance, and documentation pages when you need the next practical step after this guide.