January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule

Client Alert

In January 2025, the U.S. Department of Health and Human Services (HHS) filed a Notice of Proposed Rulemaking (NPRM) to amend many portions of the current Health Insurance Portability & Accountability Act (HIPAA) Security Rule. Comments on the proposed rule are due by March 7, 2025.

The broad focus of these proposed changes is on enhancing covered entities’ and business associates’ cybersecurity practices. Because these rule changes were initiated under the Biden Administration, we are unsure whether the current Administration will maintain the rule changes as drafted. However, cybersecurity has historically been a bipartisan issue.

The NPRM proposes the following for HIPAA covered entities (CEs):

1. Requires CEs to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.

2. Requires CEs to annually train workforce members on the following topics:

a. The entity’s written policies and procedures with respect to electronic protected health information (ePHI);

b. Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and

c. The entity’s written policies and procedures for accessing relevant electronic information systems.

3. Requires a CE to terminate a workforce member's access to ePHI within one hour of their employment ending.

4. Requires CEs to perform vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

5. Requires CEs to conduct and document a Technology Asset Inventory and Network Map of their electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory must include the identification of, the person accountable for, and the location of each technology asset.

6. Requires CEs to complete written risk analyses that include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to the CE’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability to the CE’s ePHI. Currently, the HIPAA Security Rule does not specify a frequency for risk assessments, but the NPRM requires risk assessments to be reviewed and updated annually or when regulatory changes necessitate a risk assessment.

7. Requires CEs to plan for contingencies and how they will respond to security incidents. CEs must:

a. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;

b. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;

c. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the entity will respond to suspected or known security incidents; and

d. Implement written procedures for testing and revising written security incident response plans.

The proposed rule also sets forth important proposed changes for business associates (BAs). The NPRM requires that BAs verify to CEs, at least once every 12 months, that they have deployed the technical safeguards required by the Security Rule to protect ePHI. The verification must be made through a written analysis of the BA’s relevant electronic information systems by a subject matter expert, together with a written certification that the analysis has been performed and is accurate.

If you have questions about the January 2025 NPRM or HIPAA Security Rule, please contact BMD Member Daphne Kackloudis at dlkackloudis@bmdllc.com or BMD Attorney Jordan Burdick at jaburdick@bmdllc.com.


Ohio Recovery Housing Operators Beware: House Bill 58 Seeks to Make Major Changes

Ohio House Bill 58 proposes significant changes to recovery housing oversight, granting ADAMH Boards authority to inspect and investigate recovery residences. The bill also introduces a Certificate of Need (CON) program, requiring state approval for major facility changes. OMHAS will assess applications based on cost, quality, accessibility, and financial feasibility. The bill also establishes a recovery housing residence fund to support inspections. For more information, contact BMD attorneys Daphne Kackloudis or Jordan Burdick.

Corporate Transparency Act Effective Again

The federal judiciary has issued multiple rulings on the enforceability of the Corporate Transparency Act (CTA), which took effect on January 1, 2024. Previously, enforcement was halted nationwide due to litigation in Smith v. U.S. Department of the Treasury. However, on February 18th, the court lifted the stay, reinstating the CTA’s reporting requirements. Non-exempt entities now have until March 21, 2025, to comply. Businesses should act promptly to avoid civil penalties of $591 per day and potential criminal liability.

Status Update: Physician Noncompete Agreements in Ohio

Noncompete agreements remain enforceable in Ohio if they meet specific legal requirements. While the AMA and FTC have challenged these restrictions, courts continue to uphold reasonable noncompete provisions for physicians. Recent cases, like MetroHealth System v. Khandelwal, highlight how courts may modify overly restrictive agreements to balance employer interests with patient care. With ongoing legal challenges to the FTC’s proposed ban, Ohio physicians should consult a healthcare attorney before signing or challenging a noncompete agreement.

Immigration Orders and Their Economic Impact on Small Business: Insights from Attorney and Former Immigration Judge Rob Ratliff

President Trump's recent executive orders, targeting immigration policies, could significantly impact small businesses in Ohio, particularly those owned by undocumented immigrants. With stricter visa vetting, halted refugee admissions, and potential deportations, these businesses face uncertainty, workforce disruption, and closures. Ohio's immigrant-owned businesses, especially in food services and transportation, contribute billions to the state economy, and any disruption could result in economic ripple effects.

Corporate Transparency Act Ruling from the U.S. Supreme Court

The U.S. Supreme Court recently ruled on the enforceability of the Corporate Transparency Act (CTA), lifting an injunction previously imposed by the Fifth Circuit. However, a separate nationwide injunction remains in effect, meaning businesses are still not required to comply with the CTA’s reporting requirements. FinCEN continues to accept voluntary reporting while enforcement remains paused.