Good Faith Effort
Definition
A good faith effort is a documented, sincere, and reasonable attempt to meet a compliance obligation, protect sensitive information, respond to a requirement, or correct a deficiency, even when perfect execution is not immediately possible. Under HIPAA, the concept is often relevant when an organization must show that it acted responsibly, followed a reasonable process, and did not ignore known duties or risks. A good faith effort does not automatically excuse noncompliance, but it can help demonstrate intent, diligence, accountability, and timely action. In practice, this means identifying the requirement, assigning ownership, taking proportionate steps, preserving evidence, communicating with affected parties where appropriate, and tracking remediation through completion. The strength of a good faith effort depends on facts: what the organization knew, how quickly it acted, whether decisions were reasonable, and whether records support the actions taken. Similar concepts appear in other privacy, security, and governance frameworks as reasonable effort, due care, due diligence, or demonstrable accountability.
Real-World Examples
Timely Risk Remediation
A digital health startup discovers that access reviews were delayed, assigns an owner, performs the overdue review, documents exceptions, and tracks corrective actions.
Breach Response Documentation
A small healthcare provider investigates a potential data exposure, preserves investigation notes, documents decisions, notifies required stakeholders, and strengthens controls afterward.
Policy Rollout During Growth
A health technology SMB updates security policies, trains new employees, captures acknowledgements, and records follow-up for staff who missed the first deadline.
Enterprise Audit Preparation
A large organization identifies incomplete vendor evidence, requests missing documentation, records outreach attempts, applies interim safeguards, and tracks final closure.
A good faith effort is a sincere, reasonable, and documented attempt to meet a compliance obligation. In HIPAA contexts, it helps show that an organization understood its responsibilities, acted responsibly, and worked to address risks or gaps rather than ignoring them.
In information security and GRC, good faith effort means applying reasonable care to identify requirements, assign responsibility, implement safeguards, document decisions, and correct deficiencies. It focuses on evidence-backed diligence, not just verbal claims that the organization intended to comply.
Organizations prove good faith effort with dated records, assigned owners, risk assessments, meeting notes, remediation tickets, policy approvals, training logs, access reviews, vendor communications, and evidence of follow-through. The documentation should show what was known, what was done, when it happened, and why decisions were reasonable.
Useful documentation includes written procedures, risk analysis records, corrective action plans, control evidence, investigation notes, exception approvals, workforce training records, vendor follow-ups, and management review notes. Strong evidence links each action to a specific compliance concern or security risk.
A good faith effort is not the same as full compliance. It may show responsible conduct and meaningful progress, but an organization can still have gaps, findings, or obligations to remediate if required safeguards or processes were incomplete.
Regulators and auditors may consider good faith efforts because they help distinguish responsible, documented action from neglect or willful disregard. Evidence of diligence can provide context for how an organization managed constraints, responded to issues, and reduced risk over time.
Examples include conducting a risk assessment after discovering a gap, implementing interim access controls, documenting breach investigation steps, updating security policies, retraining employees, following up with vendors, and tracking remediation tasks until completion.
Organizations should track good faith efforts in a structured system of record that captures the issue, owner, due date, actions taken, evidence collected, approvals, residual risk, and final closure. Consistent tracking makes the effort easier to verify during audits or investigations.
A good faith effort may help provide context and may be considered when evaluating an organization's conduct, but it does not guarantee reduced penalties or eliminate findings. Outcomes depend on the facts, the severity of the issue, the harm involved, and the quality of remediation.
Reasonable efforts usually focus on whether actions were proportionate and appropriate under the circumstances. Good faith efforts also emphasize sincere intent, honest conduct, timely action, and documentation showing that the organization tried to meet its obligations responsibly.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-07 | WatchDog GRC Team | Initial publication |