Does your HIPAA security need a check up? Check out our list of myths and risks to see how your security measures up.

HIPAA security audit risks and myths are revealed here with an easy-to-understand visual breakdown. Based in San Diego, Network Antics’ offers local and national risk assessment support and an on-going relationship with our specialized proactive multiple mandate software. Contact us today to arrange an HIPAA security audit assessment.


I have to outsource the security risk analysis. False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will requite expert knowledge that could be obtained through services of an experienced outside professional.
A checklist will suffice for the risk analysis requirements. False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
There is a specific risk analysis method that i must follow. False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
My security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
I only need to do a risk analysis once. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. Contact us today for your HIPAA security audit.
Before I attest for an EHR incentive program, I must fully mitigate all risks. False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
Each year, I’ll have to completely redo my security risk analysis. False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic system occur, review and update the prior analysis for changes in risk. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.


Extra resources:

On-site HIPAA Risk Assessment

HIPAA Audit Story


If you have any questions about HIPA security audits that we can help you with, reach out to us today!

Leave A Comment