Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

January 2025 Notice of Proposed Rulemaking Brings Notable Changes to HIPAA Security Rule

Client Alert
February 25, 2025

In January 2025, the U. S. Department of Health and Human Services (HHS) filed a Notice of Proposed Rulemaking (NPRM) to amend many portions of the current Health Insurance Portability & Accountability Act (HIPAA) Security Rule. Comments to the proposed rule are due by March 7, 2025.

The broad focus of these proposed changes is on enhancing covered entities’ and business associates’ cybersecurity practices. Because these rule changes were initiated under the Biden Administration, we are unsure whether the current Administration will maintain the rule changes as drafted. However, cybersecurity has historically been a bipartisan issue.

The NPRM proposes the following for HIPAA covered entities (CEs):

1. Requires CEs to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.

2. Requires CEs to annually train workforce members on the following topics:

a. The entity’s written policies and procedures with respect to electronic protected health information (ePHI);

b. Guarding against, detecting, and reporting suspected or known security incidents, including malicious software and social engineering; and

c. The entity’s written policies and procedures for accessing relevant electronic information systems.

3. Requires a CE to terminate a workforce member's access to ePHI within one hour of their employment ending.

4. Requires CEs to perform vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

5. Requires CEs to conduct and document a Technology Asset Inventory and Network Map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI. The inventory must include identification, the person accountable for, and the location of each technology asset.

6. Requires CEs to complete written risk analyses that include a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities to the CE’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability to the CE’s ePHI. Currently, the HIPAA Security Rule does not specify a frequency for risk assessments, but the NPRM requires risk assessments to be reviewed and updated annually or when regulatory changes necessitate a risk assessment.

7. Requires CEs to plan for contingencies and how they will respond to security incidents. CEs must:

a. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;

b. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;

c. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and     how  the entity will respond to suspected or known security incidents; and

d. Implement written procedures for testing and revising written security incident response plans.

The proposed rule also sets forth important proposed changes for business associates (BAs). The NPRM requires that BAs verify to CEs at least once every 12 months through a written analysis of the BA’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate that they have deployed technical safeguards required by the Security Rule to protect ePHI.

If you have questions about the January 2025 NPRM or HIPAA Security Rule, please contact BMD Member Daphne Kackloudis at dlkackloudis@bmdllc.com or BMD Attorney Jordan Burdick at jaburdick@bmdllc.com.

HIPAAHealthcareHealth LawDaphne KackloudisJordan Burdick
Client Alert

Ohio Appellate Court Rules in Favor of Gender-Affirming Care

March 19, 2025On March 18, 2025, the 10th District Court of Appeals in Franklin County ruled that Ohio’s House Bill (HB) 68, which restricts puberty blockers and hormone therapy for minors seeking gender-affirming care, violates the Health Care Freedom Amendment and is therefore unenforceable. The court found that the law unlawfully interferes with parental rights and medical decision-making. The case, Moe v. Yost, has been remanded, and Ohio Attorney General Dave Yost intends to appeal.Client Alert

HHS Revokes Public Comment Requirement on Certain Policy Changes

March 5, 2025The U.S. Department of Health and Human Services (HHS) has revoked the Richardson Waiver, eliminating the requirement for public notice and comment on certain policy changes. This decision allows HHS to implement new policies more quickly, potentially affecting healthcare funding rules like Medicaid work requirements. While it speeds up policymaking, it also reduces opportunities for stakeholder input, raising concerns over transparency and unintended consequences for healthcare providers, states, and patients.Client Alert

Don't Get Caught Dazed and Confused: Another Florida Court Weighs in on Employer Obligations to Accommodate Medical Marijuana Use

March 3, 2025A Florida trial court ruled in Giambrone v. Hillsborough County that employers may need to accommodate off-duty medical marijuana use under the Florida Civil Rights Act (FCRA). This contrasts with prior rulings and raises new compliance challenges for employers. With the case on appeal, now is the time to review workplace drug policies.Client Alert

Corporate Transparency Act to be Re-evaluated

February 28, 2025Recent federal rulings have impacted the enforceability of the Corporate Transparency Act (CTA), which took effect on January 1, 2024. While reporting requirements were briefly reinstated, FinCEN has now paused enforcement and is reevaluating the CTA. Businesses are no longer required to submit reports until further guidance is issued. For updates and legal counsel, contact BMD Member Blake Gerney.Client Alert

Ohio Recovery Housing Operators Beware: House Bill 58 Seeks to Make Major Changes

February 26, 2025Ohio House Bill 58 proposes significant changes to recovery housing oversight, granting ADAMH Boards authority to inspect and investigate recovery residences. The bill also introduces a Certificate of Need (CON) program, requiring state approval for major facility changes. OMHAS will assess applications based on cost, quality, accessibility, and financial feasibility. The bill also establishes a recovery housing residence fund to support inspections. For more information, contact BMD attorneys Daphne Kackloudis or Jordan Burdick.
Older posts