Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule

Client Alert
February 25, 2025

In January 2025, the U. S. Department of Health and Human Services (HHS) filed a Notice of Proposed Rulemaking (NPRM) to amend many portions of the current Health Insurance Portability & Accountability Act (HIPAA) Security Rule. Comments to the proposed rule are due by March 7, 2025.

The broad focus of these proposed changes is on enhancing covered entities’ and business associates’ cybersecurity practices. Because these rule changes were initiated under the Biden Administration, we are unsure whether the current Administration will maintain the rule changes as drafted. However, cybersecurity has historically been a bipartisan issue.

The NPRM proposes the following for HIPAA covered entities (CEs):

1. Requires CEs to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.

2. Requires CEs to annually train workforce members on the following topics:

a. The entity’s written policies and procedures with respect to electronic protected health information (ePHI);

b. Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and

c. The entity’s written policies and procedures for accessing relevant electronic information systems.

3. Requires a CE to terminate a workforce member's access to ePHI within one hour of their employment ending.

4. Requires CEs to perform vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

5. Requires CEs to conduct and document a Technology Asset Inventory and Network Map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory must include identification, the person accountable for, and the location of each technology asset.

6. Requires CEs to complete written risk analyses that include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to the CE’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability to the CE’s ePHI. Currently, the HIPAA Security Rule does not specify a frequency for risk assessments, but the NPRM requires risk assessments to be reviewed and updated annually or when regulatory changes necessitate a risk assessment.

7. Requires CEs to plan for contingencies and how they will respond to security incidents. CEs must:

a. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;

b. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;

c. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and     how  the entity will respond to suspected or known security incidents; and

d. Implement written procedures for testing and revising written security incident response plans.

The proposed rule also sets forth important proposed changes for business associates (BAs). The NPRM requires that BAs verify to CEs at least once every 12 months through a written analysis of the BA’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate that they have deployed technical safeguards required by the Security Rule to protect ePHI.

If you have questions about the January 2025 NPRM or HIPAA Security Rule, please contact BMD Member Daphne Kackloudis at dlkackloudis@bmdllc.com or BMD Attorney Jordan Burdick at jaburdick@bmdllc.com.

HIPAAHealthcareHealth LawDaphne KackloudisJordan Burdick
Client Alert

Corporate Transparency Act Overhauled: U.S. Entities No Longer Required to Report

March 24, 2025The Department of Treasury has issued an interim final rule significantly altering the Corporate Transparency Act (CTA). As of March 21, 2025, all U.S.-created entities and their beneficial owners are exempt from reporting requirements. Only non-U.S. entities registered to do business in the U.S. must still report, but they are not required to disclose U.S. citizen owners. Business owners should stay informed on these changes and consult legal counsel for compliance guidance.Client Alert

ODM to Implement Medicaid Work Requirements: What Providers and Medicaid Expansion Recipients Need to Know

March 21, 2025The Ohio Department of Medicaid (ODM) has submitted a waiver to impose work requirements for Medicaid expansion recipients. If approved, the new eligibility criteria will take effect on January 1, 2026. A federal public comment period is open until April 7, 2025.Client Alert

Ohio Appellate Court Rules in Favor of Gender-Affirming Care

March 19, 2025On March 18, 2025, the 10th District Court of Appeals in Franklin County ruled that Ohio’s House Bill (HB) 68, which restricts puberty blockers and hormone therapy for minors seeking gender-affirming care, violates the Health Care Freedom Amendment and is therefore unenforceable. The court found that the law unlawfully interferes with parental rights and medical decision-making. The case, Moe v. Yost, has been remanded, and Ohio Attorney General Dave Yost intends to appeal.Client Alert

HHS Revokes Public Comment Requirement on Certain Policy Changes

March 5, 2025The U.S. Department of Health and Human Services (HHS) has revoked the Richardson Waiver, eliminating the requirement for public notice and comment on certain policy changes. This decision allows HHS to implement new policies more quickly, potentially affecting healthcare funding rules like Medicaid work requirements. While it speeds up policymaking, it also reduces opportunities for stakeholder input, raising concerns over transparency and unintended consequences for healthcare providers, states, and patients.Client Alert

Don't Get Caught Dazed and Confused: Another Florida Court Weighs in on Employer Obligations to Accommodate Medical Marijuana Use

March 3, 2025A Florida trial court ruled in Giambrone v. Hillsborough County that employers may need to accommodate off-duty medical marijuana use under the Florida Civil Rights Act (FCRA). This contrasts with prior rulings and raises new compliance challenges for employers. With the case on appeal, now is the time to review workplace drug policies.
Older posts