You may think you are secure and in compliance but there’s a chance you may be wrong. Read our information compiled directly from’s site on common misconceptions regarding HIPAA Security Risk Assessment & analysis and some of the common mistakes that “covered entities” make.

Small companies do not need to complete a security risk analysis.

False. No matter what size your “covered entity” is, a security risk analysis is a requirement of the HIPAA Security Rule. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis; this includes any “business associates”.

Installing and using a certified EHR fulfills the security risk analysis MU requirement.

Again – False. You must still perform a full security risk analysis, even if you use a certified EHR. The HIPAA Security requirements address all ePHI you maintain, not just what is in your certified EHR.

My EHR vendor takes care of everything regarding my privacy and security.

False again. Your EHR vendor will provide information, assistance, and training on the privacy and security aspects of their specific product ONLY. However, “they are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.”

I have to outsource the security risk analysis.

False. It may be possible for small “covered entities” to do their own risk analysis using readily available tools. However, an accurate and thorough risk analysis that will not fail a compliance review may require expert knowledge that the “covered entity” does not have. In this case, it’s best to get professional help from someone with experience in HIPAA Security compliance.

We can just use a risk analysis checklist to be compliant.

False. A checklist will help you through the process of your risk analysis, but it will not perform a technical security risk analysis of the controls you have in place to verify that they meet current HIPAA security requirements.

I must follow a specific risk analysis method.

False. You can use a specific risk analysis method as your baseline; however, you should tailor it to meet your exact security needs. There are many different risk analysis methods based on different variables, and each has different outcomes.

I only need to review my EHR for my security risk analysis.

False. You must review ALL systems that store, transmit, capture or modify your ePHI; the analysis is not limited to just your EHR system. This includes tablets, phones, printers, fax machines, portable medical devices, workstations and all servers.

I already did a risk analysis, so I’m compliant.

False. The HIPAA Security Rule indicates that you must continually and periodically review your risk analysis to make sure it’s current. If anything changes, you must update your risk analysis to include new systems, vendors and other devices that may come in contact with ePHI.

I must fully mitigate all risks before I attest my EHR.

False. You can never mitigate all risks. You must identify and correct deficiencies to the best of your ability during the risk management process.

I have to do a full security risk analysis each year.

False. Typically you will need to perform one full security risk analysis. You should then determine a reasonable period for reviewing it (monthly, quarterly, annually, based on your own needs) and make the necessary modifications to your security risk analysis when risks change. “Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.”

Information from: