Upcoming New 2025 HIPAA Changes and Beyond

This 90-minute webinar on "Upcoming New 2025 HIPAA Changes and Beyond!" addresses how practice/business managers (or compliance officers) need to get their HIPAA house in order now that HIPAA HITECH is fully enforced with bipartisan support and the government is no longer using kid gloves. It also addresses major changes under the Omnibus Rule, the Biden administration, new congressional mandates, and any other applicable updates for 2025 and beyond, along with changes relating to COVID-19. More importantly, the presenter will show you how to limit those risks by taking proactive steps and utilizing best practices.

Date added: 23 October 2024
Slides: 25
Provided by: confpanel5


Transcript and Presenter's Notes

1
Upcoming New 2025 HIPAA Changes and Beyond!
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP,
CCNA, Net
2
  • The Health Insurance Portability and
    Accountability Act of 1996 (HIPAA)
  • Enacted by the United States Congress and signed
    by President Clinton in 1996.
  • Bi-partisan bill also known as the
    Kennedy-Kassebaum Act named after two of its
    major sponsors
  • Senator Ted Kennedy (D) Massachusetts
  • Senator Nancy Kassebaum (R) Kansas

3
HIPAA Titles
  • Title I Health Care Access, Portability, and
    Renewability
  • Title II Preventing Healthcare Fraud and Abuse,
    ADMINISTRATIVE SIMPLIFICATION, Medical Liability
    Reform
  • Title III Tax Related Health Provisions
  • Title IV Application and Enforcement of Group
    Health Plan Requirements
  • Title V Revenue Offsets

4
Privacy and Security are not even in the name
HIPAA, but they present our biggest challenge

5
September 23rd, 2013 Couple of Points
  • The HIPAA Omnibus Rule went into effect
  • Increased penalties
  • Equalizes the burden between business associates
    and covered entities
  • Enforces what was already on the books for
    covered entities
  • Greatly enforces and increases federal auditing
  • More funding for 2025?
  • More audits for 2025?
  • Every year since Omnibus, fines have increased
  • Individual Remedy

6
Business Associate (Definition)
  • 2024 will show increased enforcement on BAs
  • Business Associates (BAs) are individuals or
    entities who create, receive, maintain, or store
    protected health information on behalf of a
    covered entity.
  • Example: answering services, medical
    transcription, IT groups, billing companies, and
    shredding services are clearly under the
    auspices of Business Associate

7
Risks of Telemedicine (Telecommuting)
Telecommuting Policy Should be in Place
DO NOT COPY OR STORE PROTECTED HEALTH INFORMATION
ON HOME COMPUTERS OR LAPTOPS

8
Telecommuting
  • Telecommuting does not replace the need for child
    or dependent care.
  • All staff members should be expected to make
    arrangements for children or dependents that
    require care, so that the dependents do not
    interfere with performance expectations and are
    not privy to any confidential patient interactions.
  • Acceptable arrangements include an off-site day
    care or another primary caregiver in your home.
  • No one other than the employee should be allowed
    to use the practice owned computer or personally
    owned computers (if used to access, transmit, or
    store PHI)

9
HIPAA PRIVACY RULE CHANGES
  1. Changes to Right of Access
  2. Changes relating to Care Coordination and
    Information Sharing
  3. Necessity to update the Notice of Privacy
    Practices

10
What is Causing the Unprecedented Increase?
  • 133 million individuals affected in 2023
  • The healthcare industry has become a prime target
    for cybercriminals due to the vast amount of
    sensitive patient data it holds and the
    criticality of its operations
  • In 2023, the healthcare industry reported data
    breaches costing an average of $10.93 million per
    breach, almost double that of the financial
    industry, which came in second with an average
    cost of $5.9 million

11
Healthcare is a Major Target
  • Prime target for cybercriminals due to the vast
    amount of sensitive patient data it holds and
    the criticality of its operations.
  • Systems such as electronic health records (EHRs),
    telemedicine, email used for patient
    interaction, and other software-as-a-service
    technologies bring numerous benefits but also
    expand entry points for cybercriminals.
  • Protecting these digital assets is essential to
    maintaining the confidentiality, integrity and
    availability of patient information.

12
Train Staff on Email Hacking Tricks

13
What Can We Do?
  • Good Technology (DO NOT GO CHEAP HERE)
  • Business level firewalls
  • Business level operating systems
  • Professional IT consultants (or internal IT
    staff)

14
What is Ransomware?
  • Type of malware that prevents or limits users
    from accessing their system, either by locking
    the system's screen or by locking the users'
    files unless a ransom is paid.
  • More modern ransomware families, collectively
    categorized as crypto-ransomware, encrypt certain
    file types on infected systems and force users
    to pay the ransom through certain online payment
    methods to get a decryption key

15
What is Information Blocking?
Information blocking is a practice by a health IT
developer of certified health IT, health
information network, health information exchange,
or health care provider that, except as required
by law or specified by the Secretary of HHS
as a reasonable and necessary activity, is likely
to interfere with access, exchange, or use of
electronic health information (EHI).

16
Personal Device Use Increasing

17
DO NOT
  • Allow PHI to be written to the mobile device
  • Permit integration with insecure file sharing or
    hosting services
  • Set it and forget it (always include BYOD in risk
    assessments)

18
DO
  • Require business grade security suites
  • Require business grade operating systems
  • Require hardware encryption

19
Mitigating Steps for Theft
  • HARDWARE ENCRYPTION
  • Remote Tracking: GPS tracking ability; this is
    now standard on iPhones via the Find My iPhone
    function
  • Remote Disabling: a secondary layer of protection,
    but it will not protect if the SIM card was
    stolen first
  • Remote Memory Wipe: must be installed beforehand
    via an app or built-in function (last resort)

20
2024 Mobile Devices
  • HHS issued guidance addressing the extent to
    which PHI is protected on mobile devices.
    Although the HIPAA Privacy Rule and Security Rule
    (protecting PHI when maintained or transmitted
    electronically) provide protections for the use
    and disclosure of PHI held or maintained by
    covered entities and their business associates,
    they do not address PHI accessed through or
    stored on personal devices owned by individual
    patients.
  • Example: although PHI maintained on electronic
    devices owned by a covered entity would be
    protected from disclosure by HIPAA, once a
    patient downloads that information to a personal
    device, HIPAA would no longer protect it.

21
2025 Mobile Devices
  • The guidance does provide tips to help
    individuals protect their own PHI, such as:
  • Avoiding downloads of unnecessary or random apps
    to personal devices
  • Avoiding (or turning off) permissions for apps to
    access an individual's location data. (This
    reduces information about a person's activities
    that can be used by the app or sold to third
    parties, such as the name and address of health
    care providers a person visits.)

22
TEXTING Positives in Healthcare
  • Texting CAN provide great advantages in health
    care
  • Appointment Reminders (2024 - MUST OPT IN FOR
    MENTAL HEALTH AND SUBSTANCE ABUSE)
  • Fast
  • Easy
  • Loud background noise problems are mitigated
  • Bad signal issues mitigated
  • Device neutral

23
TEXTING Negatives in Healthcare
  • Texts reside on the device and are not deleted
  • Very easily accessed
  • Not typically centrally monitored by IT
  • Can be compromised in transmission relatively
    easily
  • HIPAA Privacy Rule requires disclosure of PHI to
    the patient (e.g. when a text message is used to
    make a judgement in patient care)
  • CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED

24
THE END
  • Q & A
  • www.hipaa-consulting.com
