Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule

Client Alert
February 25, 2025

In January 2025, the U. S. Department of Health and Human Services (HHS) filed a Notice of Proposed Rulemaking (NPRM) to amend many portions of the current Health Insurance Portability & Accountability Act (HIPAA) Security Rule. Comments to the proposed rule are due by March 7, 2025.

The broad focus of these proposed changes is on enhancing covered entities’ and business associates’ cybersecurity practices. Because these rule changes were initiated under the Biden Administration, we are unsure whether the current Administration will maintain the rule changes as drafted. However, cybersecurity has historically been a bipartisan issue.

The NPRM proposes the following for HIPAA covered entities (CEs):

1. Requires CEs to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.

2. Requires CEs to annually train workforce members on the following topics:

a. The entity’s written policies and procedures with respect to electronic protected health information (ePHI);

b. Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and

c. The entity’s written policies and procedures for accessing relevant electronic information systems.

3. Requires a CE to terminate a workforce member's access to ePHI within one hour of their employment ending.

4. Requires CEs to perform vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

5. Requires CEs to conduct and document a Technology Asset Inventory and Network Map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory must include identification, the person accountable for, and the location of each technology asset.

6. Requires CEs to complete written risk analyses that include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to the CE’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability to the CE’s ePHI. Currently, the HIPAA Security Rule does not specify a frequency for risk assessments, but the NPRM requires risk assessments to be reviewed and updated annually or when regulatory changes necessitate a risk assessment.

7. Requires CEs to plan for contingencies and how they will respond to security incidents. CEs must:

a. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;

b. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;

c. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and     how  the entity will respond to suspected or known security incidents; and

d. Implement written procedures for testing and revising written security incident response plans.

The proposed rule also sets forth important proposed changes for business associates (BAs). The NPRM requires that BAs verify to CEs at least once every 12 months through a written analysis of the BA’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate that they have deployed technical safeguards required by the Security Rule to protect ePHI.

If you have questions about the January 2025 NPRM or HIPAA Security Rule, please contact BMD Member Daphne Kackloudis at dlkackloudis@bmdllc.com or BMD Attorney Jordan Burdick at jaburdick@bmdllc.com.

HIPAAHealthcareHealth LawDaphne KackloudisJordan Burdick
Client Alert

Department of Education Proposes Redefinition of “Professional Degree,” Excluding Nursing and Limiting Graduate Loan Borrowing

February 20, 2026The U.S. Department of Education has issued a Notice of Proposed Rulemaking that would redefine “professional degree” programs under the One Big Beautiful Bill Act. The proposal excludes nursing from the recognized list and would impose new borrowing limits for graduate students while eliminating the Grad PLUS program. Public comments are due by March 2, 2026.Client Alert

First-of-Its-Kind Federal Ruling Finds Use of Consumer AI Tool May Destroy Attorney-Client Privilege

February 17, 2026On February 10, 2026, Judge Jed Rakoff of the U.S. District Court for the Southern District of New York issued a first-of-its-kind ruling finding that documents generated by a criminal defendant using a consumer AI platform were not protected by attorney-client privilege after being shared with counsel. The court treated the AI tool as a third party, concluding that entering sensitive information into a publicly available platform may waive confidentiality. The ruling also suggests that the work product doctrine may not apply where AI-generated materials are created independently by a client rather than at counsel’s direction. The decision signals that parties should exercise caution when using consumer AI tools in connection with legal matters.Client Alert

Your Golden Chance for H-1B Lottery Registration - March 2026

February 16, 2026USCIS H-1B registration opens March 4–19, 2026. U.S.-based employees on valid nonimmigrant status are exempt from the $100,000 fee for change of status petitions. The new weighted lottery favors higher-skilled and higher-paid employees, improving odds for advanced degree holders and Wage Level 3 or 4 workers.Client Alert

Invisible Algorithms: The Hidden Role of Artificial Intelligence in USCIS Immigration Processing

February 10, 2026The Department of Homeland Security has confirmed that artificial intelligence and machine learning tools are now integrated into numerous operational functions within U.S. Citizenship and Immigration Services (USCIS). These tools are described as mechanisms to improve efficiency, reduce backlogs, and assist officers in managing an unprecedented volume of applications. DHS emphasizes that human adjudicators retain decision-making authority and that AI systems do not independently grant or deny immigration benefits. Find out how AI affects the U.S. immigration process.Client Alert

OAAPN | Year In Review: 2026 Ohio Board of Nursing and Ohio Law Rules

February 9, 2026Find out key changes to Ohio law and the Ohio Board of Nursing rules that have directly impacted APRN practice over the past year, including Psychiatric Inpatient Documents, Intimate Examinations, Signature Authority, Duties Related to Fetal Death, Retail IV Therapy Clinics, Release from Permanent Restrictions, Disciplinary Action, Course on Drugs and Prescriptive Authority, Overdose Reversal Drugs, Office Based Opioid Treatment, Withdrawal Management for Substance Use Disorder, Safe Haven Program, and more.
Older posts