Upcoming New 2025 HIPAA Changes and Beyond


• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Enacted by the United States Congress and signed by President Clinton in 1996.

Bipartisan bill, also known as the Kennedy-Kassebaum Act, named after two of its major sponsors:

• Senator Ted Kennedy (D) Massachusetts

• Senator Nancy Kassebaum (R) Kansas

HIPAA Titles

• Title I – Health Care Access, Portability, and Renewability

• Title II – Preventing Healthcare Fraud and Abuse, ADMINISTRATIVE SIMPLIFICATION, Medical Liability Reform.

• Title III – Tax Related Health Provisions

• Title IV – Application and Enforcement of Group Health Plan Requirements

• Title V – Revenue Offsets

“Privacy” and “Security” are not even in the name “HIPAA”, but they present our biggest challenge.

September 23rd, 2013

Couple of Points

• The HIPAA Omnibus Rule went into effect

• Increased penalties

• Equalizes the burden between business associates and covered entities

• Enforces what was already on the books for covered entities

• Greatly enforces and increases federal auditing

• More funding for 2025?

• More audits for 2025?

• Every year since Omnibus, fines have increased

• Individual Remedy

Business Associate (Definition)

• 2024 will show increased enforcement on BAs

• Business Associates (BAs) are individuals or entities who create, receive, maintain, or store protected health information (PHI) on behalf of a covered entity.

• Example: answering services, medical transcription, IT groups, billing companies, and shredding services are clearly under the auspices of “Business Associate”

Risks of Telemedicine (Telecommuting)

A telecommuting policy should be in place covering work on home computers or laptops.

Telecommuting

• Telecommuting does not replace the need for child or dependent care.

• All staff members should be expected to make arrangements for children or dependents that require care, to ensure that they do not interfere with performance expectations and are not privy to any confidential patient interactions.

• Acceptable arrangements include an off-site day care or another primary caregiver in your home.

• No one other than the employee should be allowed to use the practice-owned computer or personally owned computers (if used to access, transmit, or store PHI)

HIPAA PRIVACY RULE

What is Causing the Unprecedented Increase?

• 133 million individuals affected in 2023

• The healthcare industry has become a prime target for cybercriminals due to the vast amount of sensitive patient data it holds and the criticality of its operations

• In 2023, the healthcare industry reported data breaches costing an average of $10.93 million per breach — almost double that of the financial industry, which came in second with an average cost of $5.9 million

Healthcare is a Major Target

• Prime target for cybercriminals due to the vast amount of sensitive patient data it holds and the criticality of its operations.

• Systems such as electronic health records (EHRs), telemedicine, email used for patient interaction, and other software-as-a-service technologies bring numerous benefits but also expand entry points for cybercriminals.

• Protecting these digital assets is essential to maintaining the confidentiality, integrity, and availability of patient information.

Train Staff on Email Hacking Tricks

What Can We Do?

Good Technology (DO NOT GO CHEAP HERE)

• Business-level firewalls

• Business-level operating systems

• Professional IT consultants (or internal IT staff)

What is Ransomware?

• A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid.

• More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

What is Information Blocking?

Information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of the HHS as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

Personal Device Use Increasing

DO NOT

• Allow PHI to be written to the mobile device

• Permit integration with insecure file sharing or hosting services

• Set it and forget it (always include BYOD in risk assessments)

DO

• Require business grade security suites

• Require business grade operating systems

• Require hardware encryption

Mitigating Steps for Theft

• HARDWARE ENCRYPTION

• Remote Tracking – GPS tracking ability; this is now standard on iPhones using the “Find My iPhone” function

• Remote Disabling – secondary layer of protection, but will not protect if the SIM card was stolen first

• Remote Memory Wipe – must be installed beforehand via an app or built-in function (last resort)

2024 Mobile Devices

• HHS issued guidance addressing the extent to which PHI is protected on mobile devices. Although the HIPAA Privacy Rule and Security Rule (protecting PHI when maintained or transmitted electronically) provide protections for the use and disclosure of PHI held or maintained by covered entities and their business associates, they do not address PHI accessed through or stored on personal devices owned by individual patients.

• Example: although PHI maintained on electronic devices owned by a covered entity would be protected from disclosure by HIPAA, once a patient downloads that information to a personal device, HIPAA would no longer protect it.

2025 Mobile Devices

• The guidance does provide tips to help individuals protect their own PHI, such as:

• Avoiding downloads of unnecessary or random apps to personal devices; and

• Avoiding (or turning off) permissions for apps to access an individual's location data. (This reduces information about a person's activities that can be used by the app or sold to third parties, such as the name and address of health care providers a person visits.)

TEXTING Positives in Healthcare

• Texting CAN provide great advantages in health care

– Appointment Reminders (2024 - MUST OPT IN FOR MENTAL HEALTH AND SUBSTANCE ABUSE)

– Fast

– Easy

– Loud background noise problems are mitigated

– Bad signal issues mitigated

– Device neutral

TEXTING Negatives in Healthcare

• Messages reside on the device and are not deleted

• Very easily accessed

• Not typically centrally monitored by IT

• Can be compromised in transmission relatively easily

• The HIPAA Privacy Rule requires disclosure of PHI to the patient (e.g. when a text message is used to make a judgement in patient care)

• CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED

THE END Q&A
