In addition to the disclosure myths above, check out these common HIPAA myths that many practices still believe to be true.

Myth: Your healthcare organization is too small to be hacked.

Reality: Even small healthcare companies get hacked. In fact, some hackers prefer smaller organizations because they understand that they can be easier targets. And if a hacking incident leads to a HIPAA breach, the size of your organization won’t protect you from a government audit and potential sanctions. The HHS Office for Civil Rights (OCR) will investigate organizations of any size when they suffer a data breach.

Caveat: OCR does take into consideration your organization’s size, as well as your budget and whether you have limited resources. As long as you’ve documented why you’ve made the choices you have, OCR will take this into consideration, but in all cases you need to make sure you are meeting the HIPAA standards.

Myth: Performing the Security Risk Analysis is optional for small providers.

Reality: All providers, no matter how big or small, that handle protected health information (PHI) must perform a risk analysis. There is no specific risk analysis format that you must follow, but you must address all three areas: administrative, physical, and technical.

Myth: Hacking presents a much higher risk of a data breach than physical security problems.

Reality: Data can be stolen in many ways, not just over a compromised network. Hospitals and other large clinical settings are targets of opportunity for thieves looking for personal information. Because these facilities are built for public access, protecting the data inside is not their primary objective.

Best bet: Prioritize strengthening physical security controls as well as network security, including preventing unauthorized physical access to secure areas and preventing outright physical theft.
Myth: Installing and using an electronic health record (EHR)-compliant system fulfills the security compliance requirements.

Reality: Using an EHR system that’s HIPAA-compliant doesn’t necessarily take care of all your security issues, ACS said. And your risk analysis should address all aspects of your system, not just the information contained in your EHR software.

Myth: You’ve never had a breach before, so you don’t need to worry so much.

Reality: If you haven’t had a breach, you may be thinking your controls are working. That could be the case, but it might not be. Why take the risk? The fact that you haven’t had a breach simply means that you’ve dodged that proverbial bullet until now. Consider yourself lucky, but don’t fail to review and adjust security protocols to adequately protect healthcare data.