
Upload: michael-witt

Post on 21-Aug-2015


THE NEW HIPAA PRIVACY RULE 

OVERVIEW 

In 2013, the Department of Health and Human Services' Office for Civil Rights ("OCR") said it was taking a "compliance through enforcement" approach to encourage more covered entities to comply with the full letter of the HIPAA law. OCR stated its goal to identify existing privacy and security problems and take the necessary steps to ensure remediation, whether through fines or other actions.

To begin, OCR expects every company that holds Protected Health Information ("PHI") to regularly perform a risk analysis and the other compliance activities HIPAA requires. Since 2009, over 60,000 breaches have been reported, and 800 of them have been identified as affecting 500 or more individuals. Not surprisingly, over half of the reported incidents were caused by the loss or theft of a laptop or other mobile device. 46% of corporate laptops and 35% of smartphones contain sensitive data, and 113 smartphones are lost every minute in the U.S.

FINES AND PENALTIES 

There are new consequences for noncompliance. For years, HIPAA violations were considered insignificant, but the 2009 Health Information Technology for Economic and Clinical Health ("HITECH") Act radically changed the financial impact of a PHI data breach and broadened the sources that can trigger an audit. Fines now range from $100 to $50,000 per violation, depending on the preparedness and culpability of the covered entity. Furthermore, state attorneys general may now bring civil actions on behalf of state residents to obtain damages or to seek an injunction against further violations.

It is each organization's responsibility to clearly document its security policies and breach response, in addition to the requirement to perform annual risk assessments. OCR investigations consider the culture of compliance and examine the organization's overall approach to security and privacy. Gartner research estimates that covered entities and business associates now have a 20% chance of undergoing a HIPAA audit in the next five years.

BRINGING ON UHY 

UHY can train your organization to identify, classify, and protect PHI. Companies with mature compliance strategies can leverage UHY to execute their vision. UHY's experienced consultants can help you develop and implement appropriate incident response plans to respond to the updated breach standards.


NEW REQUIREMENTS 

OCR recognized that the number of outside organizations touching PHI has increased dramatically in recent years and issued the HIPAA Omnibus Rule to hold business associates to the same privacy and security standards as providers. The rule affects organizations in two main ways.

RULE: First, the Omnibus Rule extends the authority of HHS to regulate business associates, as well as any subcontractors they employ. This creates new responsibilities for the business associates of HIPAA covered entities who handle PHI.

ACTION: Covered entities should review all of their business practices to ensure they have correctly identified all of their business associates, and review the Business Associate Agreements ("BAAs") they have in place to ensure they properly require those organizations to comply with the HIPAA Privacy Rule and Security Rule. The rule requires organizations that serve as business associates to conduct risk assessments to identify gaps in their compliance and to understand their legal responsibilities to both the covered entity and HHS. In effect, a business associate is now subject to the same kinds of fines and penalties for HIPAA violations as a covered entity.

RULE: Second, the Omnibus Rule requires breach notification whenever a covered entity or business associate experiences an impermissible use or disclosure of PHI. Any unauthorized disclosure, even an internal one, is presumed to be a breach, and the burden is on the entity to demonstrate that there is a low probability that the PHI has been compromised. This lower standard makes notification significantly more likely to be required than under the previous "risk of harm" standard.

ACTION: Organizations subject to HIPAA need to reevaluate their incident response and breach notification practices to ensure that they comply with the Omnibus Rule. At a minimum, this should include:

1. Review policies and procedures to verify that the organization's practice is consistent with the new rule

2. Update the policies and procedures for notifying both HHS and affected individuals when a breach occurs

3. Update the risk assessment process for the new breach standard

4. Address the incident response plan

THE SOLUTION 

While the changes may seem minor, the enhanced documentation requirements create new burdens for providers. Eliminating the harm threshold forces each organization to investigate and document every possible breach. OCR has enforced the Omnibus Rule since September 2013, and organizations would be well advised to review and improve their policies and practices as soon as possible.

 www.uhy‐us.com 

THE NEXT LEVEL OF SERVICE

In July 2000, six leading regional tax and business advisory firms, with tenures dating back to the early 1970s, merged to form a national professional services entity known as UHY Advisors, Inc. They came together in the pursuit of a shared vision: to deliver the service of a local/regional firm and the services of a national firm to the dynamic middle market.

UHY ADVISORS

Michael Witt
UHY Advisors MI, Inc.
27725 Stansbury Blvd, Suite 210
Farmington Hills, MI 48334
Phone: (248) 355-0280
Fax: (248) 355-0157

UHY Advisors, Inc. provides tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors.” UHY Advisors, Inc. and its subsidiary entities are not licensed CPA firms. 

UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc. and its subsidiary entities. UHY Advisors, Inc. and UHY LLP are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. 

“UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY Advisors and/or UHY LLP (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members. 

© 2014 UHY Advisors. 

UHYLLP020714