HIPAA Trends to Watch in 2025

Security

New Year, new HIPAA considerations. As of December 9, 2024, healthcare data breaches reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) had affected more than 168 million individuals, a record. The 10 largest breaches alone affected nearly 137 million individuals, and nine of the top 10 were attributed to hacking or an IT incident, several of them originating on a HIPAA business associate's network server (e.g., the MOVEit Transfer compromise).


Federal law enforcement agencies have spent several years warning that cybercriminals persistently and destructively target the healthcare sector. In November 2024, the HHS Office of Inspector General (OIG) added its own assessment with report A-18-21-08014, “The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information” (hereinafter “Report”). The Report examined OCR's Audit Program, which is distinct from the complaint-driven investigations that begin when a potential HIPAA violation is reported through OCR's portal, and pursued three objectives: to determine whether (1) OCR fulfilled its requirement under the HITECH Act to “perform periodic audits of entities to assess compliance with HIPAA Privacy, Security, and Breach Notification Rules; (2) OCR's HIPAA audit implementation and its audit protocol have been effective in assessing ePHI protections and reducing risks within the healthcare sector; and (3) OCR's oversight of its HIPAA audit program was effective at improving cybersecurity protections at entities” (p. 2). Those findings are the impetus for the call for HHS-OCR to refine and reinstate its Audit Program.


The end results? Here are three findings that stood out to me:


  • While OCR fulfilled the HITECH Act's requirement to perform periodic audits of HIPAA Rules' compliance by covered entities and business associates, it “did not include assessing the majority of the required protections for compliance with the HIPAA Rules” (p. 7).
  • OCR “did not implement a documented process that laid out the procedures to follow during and after its Phase 2 HIPAA audits to resolve any identified deficiencies” (p. 10).
  • Although OCR disputed many of OIG's recommendations, the Report signals that HHS-OCR HIPAA audits will resume in early 2025 and will be more detailed, with likely downstream consequences for covered entities and business associates found to be significantly non-compliant, because OIG is concerned “that OCR's HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements” (p. 12).


As the Report put it, “The American public has witnessed disruptive attacks on its healthcare sector that jeopardize sensitive personal information, delay medical treatment, and ultimately may lead to increased suffering and death” (p. 6). Perhaps not surprisingly, on December 27, 2024, HHS-OCR announced a Notice of Proposed Rulemaking (NPRM), issued under the Administrative Procedure Act (APA), to update the Security Rule's standards and strengthen cybersecurity requirements in response to the evolving threats facing the healthcare sector.


Compliance Considerations


In 2023, HHS released its Healthcare Sector Cybersecurity concept paper (hereinafter “Concept Paper”), which laid out a plan for advancing cybersecurity in the healthcare sector, including the publication of voluntary best practices. Additional resources followed in early 2024, and in October 2024 (after a five-year hiatus) HHS and the National Institute of Standards and Technology (NIST) hosted the “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference, which previewed the imminent proposed updates to the Security Rule.


Some of the key proposed items, as summarized on the HHS website and set out in regulatory prose in the Federal Register (90 Fed. Reg. 898 [Jan. 6, 2025]), include the following:


  • Eliminate the terms “required” and “addressable” and make all specifications required with express, limited exceptions in certain circumstances;
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology;
  • Add specific compliance time periods for many existing requirements;
  • Emphasize the annual risk analysis, including the development and revision of a technology map and asset inventory;
  • Strengthen disaster recovery and business continuity strategies and the related policies and procedures;
  • Require business associates to verify to covered entities at least once every 12 months (and business associate contractors to verify to business associates at least once every 12 months) that they have deployed the technical safeguards required by the Security Rule to protect ePHI, through a written analysis of the business associate's relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate; and
  • Require certain regulated entities to notify certain other regulated entities within 24 hours when a workforce member's access to ePHI or certain electronic information systems is changed or terminated.
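The 24-hour item above is a notification obligation between regulated entities, but it can only be met if the underlying access change is itself made and recorded promptly. As an added example (not code from the article, HHS or the NPRM), the Python script below shows one way a covered entity or business associate could test itself against that window: it reconciles HR separation records against access records for systems holding ePHI and flags every account whose access outlived 24 hours, distinguishing access that was revoked late from access that is still active. The record layouts, field names and sample data are constructed for illustration.

```python
"""Flag workforce access to ePHI systems that outlived the proposed
24-hour window after an HR-recorded separation.

Added example for this article; it is not code from HHS, the NPRM, or
any named product. The record layouts, field names and sample data
below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOW = timedelta(hours=24)  # window proposed in the NPRM, treated here as a hard deadline
UTC = timezone.utc


@dataclass(frozen=True)
class HRTermination:
    """Separation event exported from HR (constructed format)."""
    user: str
    terminated_at: datetime  # tz-aware; when HR recorded the separation


@dataclass(frozen=True)
class AccessRecord:
    """One user's access to one system that holds ePHI (constructed format)."""
    user: str
    system: str
    revoked_at: Optional[datetime]  # None means the access is still active


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    elapsed: timedelta   # separation -> revocation, or separation -> `now`
    still_active: bool


def check_terminations(terminations, access, now):
    """Return a Finding for every (user, system) pair whose access was not
    revoked within WINDOW of the HR separation time, worst offenders first.

    Still-active access is measured against `now`, so a separation less
    than WINDOW old with access still active is not yet a finding. Access
    revoked before HR recorded the separation (negative elapsed) never is.
    """
    by_user = {}
    for rec in access:
        by_user.setdefault(rec.user, []).append(rec)

    findings = []
    for term in terminations:
        for rec in by_user.get(term.user, []):
            end = rec.revoked_at if rec.revoked_at is not None else now
            elapsed = end - term.terminated_at
            if elapsed > WINDOW:
                findings.append(Finding(term.user, rec.system, elapsed,
                                        rec.revoked_at is None))
    findings.sort(key=lambda f: f.elapsed, reverse=True)
    return findings


def report(findings):
    """Render findings as one text line each."""
    lines = []
    for f in findings:
        hours = f.elapsed.total_seconds() / 3600
        state = "STILL ACTIVE" if f.still_active else "revoked late"
        lines.append(f"{f.user:<10} {f.system:<8} {hours:6.1f}h after separation  {state}")
    return lines


# Constructed sample data; NOW is the moment the check runs.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=UTC)
TERMINATIONS = [
    HRTermination("jdoe", datetime(2025, 1, 8, 9, 0, tzinfo=UTC)),
    HRTermination("asmith", datetime(2025, 1, 9, 17, 0, tzinfo=UTC)),
    HRTermination("bnguyen", datetime(2025, 1, 6, 8, 0, tzinfo=UTC)),
]
ACCESS = [
    AccessRecord("jdoe", "ehr", datetime(2025, 1, 8, 15, 0, tzinfo=UTC)),      # 6h: within window
    AccessRecord("jdoe", "billing", datetime(2025, 1, 9, 14, 0, tzinfo=UTC)),  # 29h: revoked late
    AccessRecord("asmith", "ehr", None),      # 19h and still active: not yet a finding
    AccessRecord("bnguyen", "vpn", None),     # 100h and still active: finding
    AccessRecord("ckim", "ehr", None),        # no separation on file: ignored
]

if __name__ == "__main__":
    for line in report(check_terminations(TERMINATIONS, ACCESS, NOW)):
        print(line)
```

Run against the sample data, the script flags bnguyen's still-active VPN access (100 hours) and jdoe's billing-system access revoked 29 hours after separation, while jdoe's timely EHR revocation and asmith's 19-hour-old separation pass. In practice the two inputs would come from the HR system and from each ePHI system's access logs or IAM export; the same timestamps would also evidence when the notification to the other regulated entity was due.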


Many of these requirements build on obligations that covered entities and business associates should have been meeting since the Security Rule's 2005 compliance date. For organizations that have complied from the outset, whether they existed in 2005 or were established later, the task will not be especially daunting. For those with significant gaps that were identified but never corrected, those that never had a proper audit performed by a subject matter expert, and those that have not kept their technical, administrative, and physical safeguards current, now is the time to invest in a comprehensive risk analysis and the remediation that follows from it. Given the volume of class action lawsuits, federal and state enforcement actions (administrative and litigated), and the evolving threat landscape, the potential financial, reputational, and legal harm, and most importantly in healthcare, the potential harm to patients, mean that cybersecurity and HIPAA compliance can no longer be ignored.


Conclusion


HIPAA enforcement, the likelihood of increased penalties, and lawsuits involving cybersecurity are only set to increase. In healthcare, it is vital to remember that “cybersecurity is patient safety.” Moreover, there are now more resources than ever to support compliance, so excuses are unlikely to be tolerated by federal and state agencies or by lawyers bringing cases for non-compliance or after a breach. In sum, how would you like your own sensitive information protected and handled?


Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate, and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston.


Rachel can be reached through her website: www.rvrose.com



Total articles published on BC Advantage 35
