
POA&M — Plan of Action & Milestones

Turn every gap into a tracked remediation item — with an owner, a target date, and a status. This is your HIPAA risk-management record, the “what are you doing about it?” half of the SRA.

1. What a POA&M is

A Plan of Action & Milestones (POA&M) is the running list of everything you’ve found that isn’t fully in place, plus what you’re going to do about it. HIPAA requires not just that you find risks (the risk analysis) but that you actively manage them — implementing reasonable measures to reduce risk to an appropriate level. The POA&M is the document that proves you are doing that.

2. Ward’s two POA&Ms

Ward gives you remediation tracking at two levels, because OCR looks at both:

POA&M        | Where                                                    | Tracks
Per-question | POA&M tab (and inside each gap on the Assessment tab)    | Each individual safeguard gap — the granular, control-by-control to-do list.
Per-mandate  | 2026 Readiness tab                                       | Each of the ten 2026 mandates as a single, higher-level remediation item.

They are stored separately, so closing one doesn’t silently change the other. Both feed your exports and the audit binder.

3. The per-question POA&M (the POA&M tab)

The POA&M tab lists every open gap (every question answered Partially or No) as a card. At the top, a summary strip counts: total items, Open, In progress, Completed, and Overdue.

For each item you can set:

  1. Remediation action — what you’ll do (“Enable BitLocker on all laptops”).
  2. Owner — who is responsible.
  3. Target date — when it’s due.
  4. Status — Open, In progress, Completed, or Risk accepted.

These are the same fields you can fill on the Assessment tab’s gap box — they’re the same underlying record, so editing in either place keeps them in sync. Items with the “2026 mandatory” flag are marked so you can prioritize them.

Tip: the per-question POA&M only shows gaps. If an item disappears, it’s because you changed its answer to “Yes — in place” or “N/A” on the Assessment tab — i.e. you fixed it. That’s the intended behavior.

4. The four statuses

Status        | Use it when…
Open          | You’ve identified the gap but haven’t started fixing it. (Default.)
In progress   | Remediation is underway.
Completed     | The remediation work is done. (Remember to also change the question’s answer to “Yes” so the gap actually closes.)
Risk accepted | Leadership has formally decided to accept this risk rather than remediate it. Document the rationale in the notes — accepted risk must still be a documented, reasonable decision.

5. Overdue flags

If an item has a target date in the past and its status is not Completed or Risk accepted, Ward marks it Overdue (an amber badge on the card and a count in the summary strip). Overdue items are exactly what an auditor — and your own leadership — will want to see addressed first.

Overdue is computed entirely in your browser by comparing the target date to today’s date. Nothing is sent anywhere, and there are no email reminders for the per-question POA&M (the Cadence tab has its own due-date reminders for recurring obligations).

6. How items are prioritized

The POA&M tab sorts items so the most important rise to the top: 2026-mandatory gaps first, then by risk score (the higher the likelihood × impact, the higher it ranks). This means the very first card is usually a high-risk, 2026-required gap — the thing to fix today.
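The overdue rule from section 5 and the priority order from section 6 are simple enough to show in code. The block below is an added illustration, not Ward’s own source; it assumes each item carries a target date as an ISO “YYYY-MM-DD” string, one of the four status values, a 2026-mandatory flag, and likelihood and impact scores, and the field names (targetDate, status, mandatory2026, likelihood, impact) are hypothetical. Like the real feature it runs entirely client-side and sends nothing anywhere.

```javascript
// Added example (not Ward's own code): per-question POA&M overdue flag,
// summary-strip counts, and the priority sort.
// Assumptions (hypothetical field names): `targetDate` is an ISO "YYYY-MM-DD"
// string, `status` is one of the four article statuses, `mandatory2026` is a
// boolean, and `likelihood`/`impact` are small integer scores.

const CLOSED_STATUSES = new Set(["Completed", "Risk accepted"]);

// Overdue: target date is in the past and the item is not closed.
// Both dates are ISO day strings, so string comparison is a date comparison
// and avoids time-zone surprises. `todayIso` is passed in to keep this testable.
function isOverdue(item, todayIso) {
  if (!item.targetDate || CLOSED_STATUSES.has(item.status)) return false;
  return item.targetDate < todayIso;
}

// Risk score = likelihood × impact, as the article describes.
function riskScore(item) {
  return item.likelihood * item.impact;
}

// Priority order: 2026-mandatory gaps first, then descending risk score.
// Array.prototype.sort is stable, so ties keep their input order.
function prioritize(items) {
  return [...items].sort((a, b) => {
    if (a.mandatory2026 !== b.mandatory2026) return a.mandatory2026 ? -1 : 1;
    return riskScore(b) - riskScore(a);
  });
}

// Summary strip: total, per-status counts, and the overdue count.
function summarize(items, todayIso) {
  const s = { total: items.length, open: 0, inProgress: 0, completed: 0, riskAccepted: 0, overdue: 0 };
  for (const item of items) {
    if (item.status === "Open") s.open++;
    else if (item.status === "In progress") s.inProgress++;
    else if (item.status === "Completed") s.completed++;
    else if (item.status === "Risk accepted") s.riskAccepted++;
    if (isOverdue(item, todayIso)) s.overdue++;
  }
  return s;
}

// Constructed sample gaps (not real assessment data).
const SAMPLE_ITEMS = [
  { id: "q1", action: "Enable BitLocker on all laptops", status: "In progress", targetDate: "2025-01-15", mandatory2026: false, likelihood: 4, impact: 5 },
  { id: "q2", action: "Deploy MFA for EHR access",       status: "Open",        targetDate: "2025-03-01", mandatory2026: true,  likelihood: 3, impact: 5 },
  { id: "q3", action: "Document asset inventory",        status: "Completed",   targetDate: "2024-12-01", mandatory2026: true,  likelihood: 2, impact: 3 },
  { id: "q4", action: "Annual workforce training",       status: "Risk accepted", targetDate: "2024-11-01", mandatory2026: false, likelihood: 2, impact: 2 },
  { id: "q5", action: "Review vendor BAAs",              status: "Open",        targetDate: "2025-06-30", mandatory2026: false, likelihood: 5, impact: 5 },
];

// Stand-alone run with a fixed "today" so the output is reproducible.
if (typeof require !== "undefined" && require.main === module) {
  const today = "2025-02-01";
  console.log(summarize(SAMPLE_ITEMS, today));
  console.log(prioritize(SAMPLE_ITEMS).map((i) => `${i.id}${i.mandatory2026 ? " [2026]" : ""} risk=${riskScore(i)}`));
}
```

With the constructed sample and today fixed at 2025-02-01, only q1 is overdue: q3 and q4 have past target dates but are closed, so they are excluded, exactly as the article’s rule says. The sort puts the two 2026-mandatory items first (q2 before q3 by risk score) and then the rest by score, so the first card is the highest-risk mandatory gap.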

7. The per-mandate POA&M (2026 Readiness tab)

On the 2026 Readiness tab, each of the ten mandates is itself a tracked POA&M item. Under every mandate card you can set:

The tab shows a summary: how many mandates are “not yet ready” and how many are “in active remediation.” If a mandate has a past target date and isn’t Ready, it gets an “Overdue — target [date]” badge. A mandate marked Completed or Risk accepted is treated as closed in the open-vs-tracked count even if its underlying readiness is still Partial — useful when you’ve made a documented decision but the linked questions aren’t all flipped yet.

Per-question vs. per-mandate: use the per-question POA&M for the detailed engineering to-do list, and the per-mandate POA&M for the executive, “are we on track for 2026?” roll-up. Many practices assign the mandate to a manager and the underlying questions to the people doing the work.

8. Exporting the POA&M

You can export the per-question POA&M as:

The per-mandate POA&M is included in the 2026 gap report (Markdown) export from the 2026 Readiness tab, which lists each mandate with its rule status, severity, readiness, owner, target, and remediation status. Both POA&Ms are bundled into the one-click audit binder ZIP (documents 04-poam.md and 05-2026-gap-report.md).
