Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule

Client Alert
February 25, 2025

In January 2025, the U. S. Department of Health and Human Services (HHS) filed a Notice of Proposed Rulemaking (NPRM) to amend many portions of the current Health Insurance Portability & Accountability Act (HIPAA) Security Rule. Comments to the proposed rule are due by March 7, 2025.

The broad focus of these proposed changes is on enhancing covered entities’ and business associates’ cybersecurity practices. Because these rule changes were initiated under the Biden Administration, we are unsure whether the current Administration will maintain the rule changes as drafted. However, cybersecurity has historically been a bipartisan issue.

The NPRM proposes the following for HIPAA covered entities (CEs):

1. Requires CEs to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.

2. Requires CEs to annually train workforce members on the following topics:

a. The entity’s written policies and procedures with respect to electronic protected health information (ePHI);

b. Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and

c. The entity’s written policies and procedures for accessing relevant electronic information systems.

3. Requires a CE to terminate a workforce member's access to ePHI within one hour of their employment ending.

4. Requires CEs to perform vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

5. Requires CEs to conduct and document a Technology Asset Inventory and Network Map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory must include identification, the person accountable for, and the location of each technology asset.

6. Requires CEs to complete written risk analyses that include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to the CE’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability to the CE’s ePHI. Currently, the HIPAA Security Rule does not specify a frequency for risk assessments, but the NPRM requires risk assessments to be reviewed and updated annually or when regulatory changes necessitate a risk assessment.

7. Requires CEs to plan for contingencies and how they will respond to security incidents. CEs must:

a. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;

b. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;

c. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and     how  the entity will respond to suspected or known security incidents; and

d. Implement written procedures for testing and revising written security incident response plans.

The proposed rule also sets forth important proposed changes for business associates (BAs). The NPRM requires that BAs verify to CEs at least once every 12 months through a written analysis of the BA’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate that they have deployed technical safeguards required by the Security Rule to protect ePHI.

If you have questions about the January 2025 NPRM or HIPAA Security Rule, please contact BMD Member Daphne Kackloudis at dlkackloudis@bmdllc.com or BMD Attorney Jordan Burdick at jaburdick@bmdllc.com.

HIPAAHealthcareHealth LawDaphne KackloudisJordan Burdick
Client Alert

RNs and APRNs Take Note: Ohio Board of Nursing Mandates a New CE Reporting Period

April 29, 2026Ohio’s Board of Nursing has updated the continuing education reporting period for RNs and APRNs. Beginning March 26, 2026, CE credits must be completed between July 1 and June 30 of odd-numbered years, replacing the previous November to October timeframe.Client Alert

Ohio Med Spas: Peptide Do's and Do Not's

April 29, 2026Recent guidance from the Ohio Board of Pharmacy outlines key compliance requirements for med spas using peptides. While some peptide drugs are FDA approved, others are not or cannot be compounded. Med spa operators should ensure they source medications from licensed suppliers, avoid non-approved or “research use only” products, and follow all compounding and storage regulations to maintain compliance and avoid enforcement actions.Client Alert

Substance Use Disorder Providers: 42 CFR Part 2 Now Enforceable

April 15, 2026Updates to 42 CFR Part 2 are now enforceable, bringing significant changes to how substance use disorder (SUD) records are handled. The Final Rule aligns Part 2 more closely with HIPAA, introduces updated penalties, allows a single patient consent for treatment, payment, and operations, and adds new requirements for Notices of Privacy Practices. It also creates a formal definition of SUD counseling notes and imposes strict consent requirements for their use and disclosure. Providers should review and update policies to ensure compliance.Client Alert

AAA Introduces AI-Assisted Arbitrator for Certain Disputes

April 7, 2026The American Arbitration Association has introduced an AI-assisted arbitration platform designed to streamline certain document-based disputes. While a human arbitrator still makes the final decision, the technology can improve efficiency, reduce costs, and accelerate case resolution. Companies should weigh these benefits against considerations such as transparency, risk, and contractual requirements before adopting AI-assisted arbitration.Client Alert

Quiet Hours Texts and TCPA Claims: Consent Remains King as Courts Divide on Text Messages

March 31, 2026Businesses face increasing TCPA lawsuits over off-hours marketing texts, but recent court decisions highlight strong defenses. Clear consumer consent and updated terms and conditions can defeat many claims, while a growing number of courts are finding that text messages are not “telephone calls” under the statute. Proactive compliance measures, including clickwrap agreements and forum-selection clauses, are critical to reducing risk.
Older posts