With the publication of the HITECH and Security rules, compliance with HIPAA is back in the spotlight. Effective January 1, 2014, new rules will apply. In our recent article in Family Practice Management, we dispel some myths and provide practical guidance to physicians. The importance of taking HIPAA compliance seriously can be seen in the first settlement of 2013 with the Office for Civil Rights. There, Idaho State University agreed to pay $400,000 and enter into a 2-year corrective action plan to settle alleged violations of HIPAA. In investigating the self-reported incident, the Office for Civil Rights found risk analyses and assessments that were "incomplete and inadequately identified potential risks or vulnerabilities," as well as a "failure to assess the likelihood of potential risks occurring." The principal problem was a firewall that had been disabled over a period of four years. There was no evidence that any records were accessed or that security was actually breached. The settlement makes it clear that risk assessment and gap analysis are essential to crafting a well-designed, customized plan for HIPAA compliance. This is no longer a matter of choice.