HIPAA Trends to Watch in 2025

Security


New Year, new HIPAA considerations. As of December 9, 2024, more than 168 million individuals had been affected by healthcare data breaches reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a record-breaking number. The 10 largest breaches alone affected nearly 137 million individuals. Moreover, nine of the top 10 were carried out through either hacking or an IT incident, with several originating on a HIPAA business associate's network server (e.g., MOVEit Transfer).


While federal law enforcement agencies have, over the past several years, highlighted both cybercriminals' propensity to attack the healthcare sector and the pernicious effects of those attacks, in November 2024 the HHS Office of Inspector General (OIG) released report A-18-21-08014, “The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information” (hereinafter “Report”). The Report, and its call for HHS-OCR to refine and reinstitute its Audit Program (which is distinct from the investigation that follows a complaint of a potential HIPAA violation submitted through the OCR portal), had three objectives: to determine whether (1) OCR fulfilled its requirement under the HITECH Act to “perform periodic audits of entities to assess compliance with HIPAA Privacy, Security, and Breach Notification Rules; (2) OCR's HIPAA audit implementation and its audit protocol have been effective in assessing ePHI protections and reducing risks within the healthcare sector; and (3) OCR's oversight of its HIPAA audit program was effective at improving cybersecurity protections at entities” (p. 2).


The end results? Here are three that stood out to me:


  • While OCR fulfilled the HITECH Act's requirement to perform periodic audits of HIPAA Rules' compliance by covered entities and business associates, it “did not include assessing the majority of the required protections for compliance with the HIPAA Rules” (p. 7).
  • OCR “did not implement a documented process that laid out the procedures to follow during and after its Phase 2 HIPAA audits to resolve any identified deficiencies” (p. 10).
  • Although OCR disputed many of OIG's recommendations, the Report signals that HHS-OCR's HIPAA audits will not only resume in early 2025 but will be more detailed, and that significant non-compliance by covered entities and business associates is likely to carry additional downstream consequences, because OIG is concerned “that OCR's HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements” (p. 12).


As the Report highlighted, “The American public has witnessed disruptive attacks on its healthcare sector that jeopardize sensitive personal information, delay medical treatment, and ultimately may lead to increased suffering and death” (p. 6). Subsequently, and perhaps not surprisingly, on December 27, 2024, HHS-OCR announced a Notice of Proposed Rulemaking (NPRM), as required by the Administrative Procedure Act (APA), to update the Security Rule's standards and strengthen its cybersecurity requirements so that they address the ever-evolving threats to the healthcare sector.


Compliance Considerations


In 2023, HHS released its Healthcare Sector Cybersecurity concept paper (hereinafter “Concept Paper”), which laid out a strategy for advancing cybersecurity in the healthcare sector, including the publication of voluntary best practices. Additional resources were released in early 2024, and in October 2024 (after a five-year hiatus), HHS and the National Institute of Standards and Technology (NIST) hosted the “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference, which highlighted the imminent proposed updates to the Security Rule.


Some of the key proposed items, as summarized on the HHS website and set out in regulatory prose in the Federal Register (90 Fed. Reg. 898 [Jan. 6, 2025]), include the following:


  • Eliminate the terms “required” and “addressable” and make all specifications required with express, limited exceptions in certain circumstances;
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology;
  • Add specific compliance time periods for many existing requirements;
  • Emphasize the annual risk analysis, including the development and revision of a technology map and asset inventory;
  • Strengthen disaster recovery and business continuity strategies and the related policies and procedures;
  • Require business associates to verify at least once every 12 months for covered entities (and business associate subcontractors to verify at least once every 12 months for business associates) that they have deployed the technical safeguards required by the Security Rule to protect ePHI, through a written analysis of the business associate's relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate; and
  • Require regulated entities to notify certain other regulated entities within 24 hours when a workforce member's access to ePHI or certain electronic information systems is changed or terminated.


Many of these requirements build on what already exists and on what both covered entities and business associates should have been complying with since 2005. For those who have been complying from the outset, whether the business has existed since 2005 or was established later, the task will not be quite as daunting. For those who have identified significant gaps and never corrected them, those who never had a proper audit performed by a subject matter expert, and those who have not kept up with technical, administrative, and physical safeguards, now is the time to invest in a comprehensive risk analysis and the related remediation. Given the number of class action lawsuits, the volume of federal and state enforcement actions (whether administrative or litigated), the evolving threat landscape, and the potential for financial, reputational, legal, and, most importantly in healthcare, patient harm, cybersecurity and HIPAA compliance can no longer be ignored.


Conclusion


HIPAA enforcement, the likelihood of increased penalties, and lawsuits involving cybersecurity are all set to increase. In healthcare, it is vital to remember that “cybersecurity is patient safety.” Moreover, there are now more resources than ever to support compliance. It is safe to say that excuses will not be tolerated by federal and state government agencies or by lawyers bringing cases for non-compliance or in the aftermath of a breach. In sum, how would you like your sensitive information protected and handled?


Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate, and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston.


Rachel can be reached through her website: www.rvrose.com