Respond to Risks. Protect Your Information.

Risk response is part of an ongoing process of managing risks identified during risk analysis and a key step in the overall NIST Risk Management Process.

Responding to risks in a methodical manner, with adequate identification of owners, alternatives considered, documented decisions, and implementation planning, is required under the HIPAA Security Rule.

Meaningful Use attestation also requires that providers implement security updates as necessary and correct identified security deficiencies as part of their risk management process.

Clearwater Risk Response WorkShop™

Clearwater’s experts utilize Clearwater’s proprietary WorkShop™ process that not only delivers results, but educates teams to become self-sufficient.

  • Leverages risk analysis data populated in Clearwater IRM|Analysis™ software
  • Based on careful study of the explicit HHS/OCR Guidance and NIST SP800-39 – Managing Information Security Risk


Clearwater’s HIPAA Risk Analysis WorkShop™ has earned the exclusive endorsement of the American Hospital Association.

Key Risk Response WorkShop™ Features

  • Methodology strictly based on NIST Security Framework
  • Leverages the full power of the IRM|Analysis™ software
  • Introduces your team to a workflow for completing a NIST-based risk response process
  • Results in the documentation of a course of action to reduce risks you elect to mitigate based on effectiveness and feasibility
  • Drives the process and provides historical documentation of alternatives considered, investment options, decisions made, tasks assigned, and responsible parties
  • Enables project management of implementation tasks through completion
  • Fixed-price, so there are no cost surprises
  • At your option, complete the work under direction of outside counsel
  • Periodic Project Status Reports; Receive Risk Response Planning Executive Summary Report

Key Risk Response WorkShop™ Benefits

  • Be Clear: demystify a complex process by using a by-the-book approach and obtain management approval of a risk response process and procedure
  • Be Confident: utilize a proven approach and methodology used by 100s of organizations
  • Be Thorough: for all risks exceeding your risk threshold, evaluate alternatives, associated costs and effectiveness
  • Be an Informed Decision Maker: readily identify security investments providing the highest ROI by reducing highly-ranked and/or multiple risks
  • Be On-Record: document alternatives considered and decisions made to provide evidence of good faith effort
  • Be Diligent: collaborate, create, document and execute on a detailed implementation plan for alternatives elected
  • Become Self-Sufficient: your team will learn a repeatable, sustainable process to manage your information security risks
“We chose Clearwater because they are a front runner in healthcare privacy, security and information risk management consulting and assisting with this area. And, they also have developed specialized software to help organizations comply with HIPAA and meet the Meaningful Use criteria and qualify for incentives. They may be listed as a consulting group, but they will also train and adjust to whatever is needed based upon your in-house expertise. The other top vendors were mainly consultants that come in and perform the work, give recommendations in a report and leave. Clearwater offered the same type of consulting but also offered the software tool and trained us on a methodology and process.”
Wayne Richmond, Data Security Officer, Princeton Community Hospital

Why is Risk Response Important?

The HIPAA Security Rule not only requires the completion of a periodic risk analysis, it also requires that action be taken to address risks (45 CFR §164.308(a)(1)(ii)(B)):

Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Increasing reliance on electronic information, interoperability and data sharing makes effective risk response critical in the face of a rapidly expanding threat landscape for sensitive information.

Responding to risks can also help to protect your revenue and reputation. Greater enforcement by Federal and State agencies means organizations are facing significantly greater civil monetary penalties.
