Every company with Protected Health Information (“PHI”) is expected to regularly engage in a risk analysis and other compliance activities related to HIPAA . Since 2009, over 60,000 breaches have been reported, and 800 have been identified to affect 500 or more individuals. Not surprisingly, over half of the reported incidents were caused by the loss or theft of a laptop or other mobile device. 46% of corporate laptops and 35% of smartphones contain sensitive data. 113 smartphones are lost every minute in the U.S.

1.
THE NEW HIPAA PRIVACY RULE
OVERVIEW
In 2013, the Department of Health and Human Services' Office for Civil Rights (“OCR”) said it
was taking the "compliance through enforcement" approach to encourage more covered
entities to comply with the full letter of the HIPAA law. OCR stated its goal to identify existing
privacy and security problems and take the necessary steps to ensure remediation, whether
through fines or other actions.
To begin, the OCR expects that every company with Protected Health Information (“PHI”) to
regularly engage in a risk analysis and other compliance activities related to HIPAA. Since 2009,
over 60,000 breaches have been reported, and 800 have been identified to affect 500 or more
individuals. Not surprisingly, over half of the reported incidents were caused by the loss or
theft of a laptop or other mobile device. 46% of corporate laptops and 35% of smartphones
contain sensitive data. 113 smartphones are lost every minute in the U.S.
FINES AND PENALTIES
There are new consequences for noncompliance. For years, HIPAA violations were considered
insignificant, but the 2009 Health Information Technology for Economic and Clinical
Health (“HITECH”) Act radically changed the financial impact of a PHI data breach and
broadened the sources that could induce an audit. Fines now range from $100 to $50,000 per
violation, depending on the preparedness and culpability of the covered entity. Furthermore,
state attorneys general may now bring civil actions on behalf of state residents to obtain
damages or seek enjoinment to avoid further violations.
It is each organization’s responsibility to clearly document their security policies and breach
response in addition to the requirement to perform annual risk assessments. OCR
investigations consider the culture of compliance and examine the organization’s overall
approach to security and privacy. Gartner research estimates that covered entities and
business associates now have a 20% chance of undergoing a HIPAA audit in the next five years.
BRINGING ON UHY
UHY can train your organization to identify, classify, and protect PHI. Companies with mature
compliance strategies can leverage UHY to execute their vision. UHY’s experienced
consultants can help you develop and implement appropriate incident response plans to
respond to the updated breach standards.

2.
NEW REQUIREMENTS
The OCR recognized the number of outside organizations touching PHI increased dramatically
in recent years and established the HIPAA Omnibus Rule to hold business associates to the
same privacy and security standards as providers. This rule impacts organizations primarily in
two ways.
RULE: First, the Omnibus Rule extends the authority of HHS to regulate business associates, as
well as any subcontractors they employ. This creates new responsibilities for the business
associates of HIPAA covered entities who handle PHI.
ACTION: Covered entities should review all of their business practices to ensure they have
correctly identified all of their business associates, and review the Business Associate
Agreements (“BAAs”) they have in place to ensure they properly require organizations to
comply with the HIPAA Privacy Rule and Security Rule. This rule requires organizations that
serve as business associates to conduct risk assessments to identify gaps in their compliance
and understand their legal responsibilities to both the covered entity and HHS. In effect, a
business associate is now subject to the same kinds of fines and penalties for HIPAA violations
as covered entities are.
RULE: Second, the Omnibus Rule requires breach notification whenever a covered entity or
business associate experiences an impermissible use or disclosure of PHI. Any event of
unauthorized disclosure, even internally, is presumed to be a breach and the burden is on the
entity to prove there is a low probability that PHI has been compromised. This lower standard
significantly increases the likelihood that notification is required than under the previous “risk
of harm” standard.
ACTION: Organizations subject to HIPAA need to reevaluate their incident response and
breach notification practices to ensure that they are in compliance with the Omnibus Rule. At
a minimum, this should include:
1. Review policies and procedures to verify the organization’s practice is consistent with
the new rule
2. Update policies and procedures that notify both HHS and affected individuals when a
breach occurs
3. Update the risk assessment process for the new breach standard
4. Address incident response plan
THE SOLUTION
While the changes may seem minor, the enhanced documentation requirements create new
burdens for providers. Eliminating the harm threshold forces each organization to investigate
and document every possible breach. The OCR enforced the Omnibus Rule since September
and organizations would be well‐advised to review and improve their policies and practices as
soon as possible.

3.
THE NEXT LEVEL OF SERVICE
UHYLLP020714
In July, 2000, six leading regional tax and
business advisory firms, with tenures dating
back to the early 1970s, merged to form a
national professional services entity known
as UHY Advisors, Inc. They came together in
the pursuit of a shared vision: to deliver the
service of a local/regional firm and the
services of a national firm to the dynamic
middle market.
UHY ADVISORS
Michael Witt
UHY Advisors MI, Inc.
27725 Stansbury Blvd, Suite 210
Farmington Hills, MI 48334
Phone:
(248) 355‐0280
Fax:
(248) 355‐0157
UHY Advisors, Inc. provides tax and business
consulting services through wholly owned
subsidiary entities that operate under the
name of “UHY Advisors.” UHY Advisors, Inc.
and its subsidiary entities are not licensed
CPA firms.
UHY LLP is a licensed independent CPA firm
that performs attest services in an
alternative practice structure with UHY
Advisors, Inc. and its subsidiary entities. UHY
Advisors, Inc. and UHY LLP are U.S.
members of Urbach Hacker Young
International Limited, a UK company, and
form part of the international UHY network
of legally independent accounting and
consulting firms.
“UHY” is the brand name for the UHY
international network. Any services
described herein are provided by UHY
Advisors and/or UHY LLP (as the case may
be) and not by UHY or any other member
firm of UHY. Neither UHY nor any member
of UHY has any liability for services provided
by other members.
© 2014 UHY Advisors.
www.uhy‐us.com