Let's talk about something that used to live entirely in your IT department's world but now sits squarely in your accreditation prep folder: information systems risk management.
If you're pursuing URAC accreditation, you've probably come across RM3 – Information Systems and thought, "Great, another standard about technology." But here's the thing: RM3 isn't really about servers and software. It's about how you manage, monitor, and mitigate risks tied to the systems that run your entire operation.
And URAC? They want proof you're doing it—not just once during a pre-review scramble, but consistently, with documentation that spans your entire review period.
What Is RM3, Really?
RM3 is part of URAC's Risk Management focus area and gets reviewed during both desktop and validation reviews for all accreditation programs. While the exact wording of RM3 may vary slightly depending on your accreditation program, the expectations remain consistent.
At its core, RM3 expects organizations to:
- Identify risks related to information systems
- Document those risks and how you're managing them
- Actively manage systems to protect data integrity, availability, and security
These requirements align with URAC's broader goals: quality, safety, reliability, and compliance across healthcare operations.
For all URAC accreditations, you'll need to address:
- Data integrity (Is your data accurate and traceable?)
- Storage, maintenance, and destruction (How long do you keep information before destroying it—and how do you destroy it?)
- Ongoing risk assessment (What could go wrong, and what are you doing about it?)
This isn't a one-and-done exercise. URAC expects information systems risk management to be integrated into your broader risk management framework—complete with policies, procedures, and ongoing oversight.
RM3-1: Information Systems Management
The first part of RM3 focuses on how you manage your systems—both operational and clinical.
URAC expects a formal, documented process that covers:
- How systems are maintained and secured
- How data is handled, stored, backed up, and protected
- Who's accountable for system oversight (clear roles and responsibilities)
- Evidence that systems function as intended to support operations and quality goals
What You'll Need to Show
From a documentation standpoint, be ready to produce:
- Written information such as system governance policies
- Organizational charts or role definitions establishing accountability
- Evidence of ongoing monitoring, maintenance, and updates
The goal? Prove that your information systems aren't just in place—they're actively managed, reliable, and secure.
RM3-2: Systems Risk Assessment
Here's where RM3 shifts from management to risk assessment.
URAC requires organizations to conduct regular risk assessments of their information systems.
These assessments should identify:
- Security vulnerabilities (access control, authentication, encryption gaps)
- Operational risks (system failures, downtime, data loss)
- Data integrity threats (accuracy issues, traceability gaps)
- Availability risks (what happens if critical systems go down?)
But identifying risks isn't enough. URAC expects you to take action.
Strong RM3 compliance includes:
- Evaluating the likelihood and impact of identified risks
- Developing documented risk mitigation plans with preventive controls and corrective actions
- Establishing a routine reassessment cycle (quarterly, annually, or another frequency appropriate for your organization, and stipulated in your policies & procedures)
- Tracking corrective actions and documenting outcomes
This demonstrates that risk management is ongoing and measurable, not just theoretical paperwork you pull together before a review.
What Evidence Will URAC Actually Review?
To demonstrate RM3 compliance, organizations typically provide:
- Policies and procedures for system and data management, including destruction chain of custody
- Security and access control standards
- Logs showing identified risks, mitigation efforts, and corrective actions
- Destruction logs, with evidence of procedures that meet requirements
- Acknowledgement documentation showing staff have read, understand, and will comply with related policies & procedures
If you can't produce these documents—or if they're outdated, incomplete, or inconsistent—you've got an RM3 gap.
Why RM3 Actually Matters
Look, we get it—RM3 can feel like one more compliance hoop to jump through.
But here's why it's worth taking seriously:
- Protects sensitive consumer and organizational data (and keeps you out of breach headlines)
- Ensures system availability for critical clinical and administrative functions
- Reduces operational disruptions and security incidents
- Demonstrates proactive, continuous risk management (not reactive firefighting)
Ultimately, RM3 supports URAC's commitment to continuous quality improvement—helping organizations operate safely, securely, and reliably in a technology-driven healthcare environment.
Need Help Getting RM3 Right?
At MHR, we help organizations build URAC compliance that holds up under scrutiny—policies that match operations, risk assessments that drive real action, and documentation that proves you've been managing risk continuously in your ongoing operations.
Whether you're tackling RM3 for the first time or tightening up your existing approach, we're here to help.
- Contact us at [email protected] to discuss your URAC preparation strategy.
- Get our tool, the RM 3 Information System Risk Management Toolkit: https://www.managedhealthcareresources.com/urac-rm3-toolkit
Learn more at managedhealthcareresources.com and follow us on LinkedIn for updates.
This blog reflects insights from MHR's URAC consulting practice. Our team includes former URAC surveyors who understand what is required. For questions about RM3 or other URAC Risk Management standards, contact us at [email protected].