Covered entities need to conduct risk assessments that cover the requirements of HIPAA, HITECH and Meaningful use, and create a process for steady and consistent mitigation of known gaps and vulnerabilities based on risk. Reducing risk of vulnerabilities of unauthorized access to your ePHI can be done via safeguards and controls, plus audits and monitoring. When reducing risk is outside of a covered entities control, audits and monitoring are required in order to demonstrate due diligence. Know where your ePHI is stored, where it is at risk, and take steps now to reduce or eliminate the risk. Encrypt vulnerable locations. Encrypt sensitive data. By doing so, you will be protecting your organization by reducing risk of breach of ePHI. Finally, don't forget what is sometimes considered to be the hardest part--documenting your compliance activities in order to demonstrate evidence of due diligence in and avoid major $$$$ penalties for negligence under the HITECH Act of 2009.