The document summarizes key points from a presentation on anticipated changes to HIPAA privacy and security regulations for 2024 and beyond. It discusses proposed 2023 rule changes enhancing protections for reproductive health information. These changes are being extended into 2024 through ongoing rulemaking. The presentation covers differences between privacy and security, employee training requirements, best practices for cybersecurity and incident response, and conclusions on avoiding liability when new regulations take effect.
HIPAA Changes 2024 Conference
1. HIPAA Changes for 2024 and Beyond
Conference Panel
Wednesday, December 6, 2023
by
Mark R. Brengelman, JD, MA
Attorney at Law
Frankfort, Kentucky
2. About Mark R. Brengelman
• Holds Bachelor's and Master's Degrees in Philosophy from Emory University, Atlanta, Georgia
• Earned a Juris Doctorate from the University of Kentucky College of Law, Lexington, Kentucky
• Served out a successful twenty-year career with state government in Kentucky, including…. now in private practice since 2012
• Was a former Assistant Attorney General assigned to multiple state licensure boards in health care and other professions – General Counsel and Prosecuting Attorney
• Has presented Continuing Education for over 50 national and state organizations and private companies, including the Kentucky Office of the Attorney General, the Kentucky Bar Association, the National Attorneys General Training and Research Institute, the Federation of Associations of Regulatory Boards, and eight of its member associations in psychology, physical therapy, dentistry, nursing, veterinary medicine, emergency medical services, state licensed contractors, and athletic trainers
• Has represented all three branches of state government, and now represents a local municipality in governmental ethics and a state licensure board
Represents:
• licensees before state boards and in other professional matters
• two state licensure boards
• parents and kids in confidential child abuse and neglect cases, termination of parental rights, and adoption proceedings
I help health care practitioners, kids/parents, and government agencies
navigate the law and ethics and make the rules understandable as applied to
them.
3. Based upon the content of this program, you will be able to effectively identify:
• Introduction to the federal regulatory process – notice and comment rulemaking
• Overview of proposed HIPAA Privacy Rule changes for 2023
• Why these 2023 changes are extended into 2024
• HIPAA security and privacy – what’s the difference anymore?
• Training your employees – what’s really required?
• Cybersecurity – why it’s more important now
• Self-audits, remediation, and implementation of improvements
• Best practices for responding to a security incident
• Lessons learned from the most recent cyberattack investigation
• Cybersecurity sanctions policies to support HIPAA compliance
• Conclusion: avoiding risk and liability with best practices to anticipate HIPAA changes for 2024 that are not yet in effect
HIPAA changes for 2024 and beyond
3
4. Disclaimer! Goals of the content of this program – what this does and does not cover:
• Does provide a broad overview of anticipated proposed HIPAA changes for 2024 in the federal notice and comment rulemaking system
• Does not cover everything about anticipated proposed HIPAA changes for 2024 – the current proposed rule changes in 2023 consisted of 48 pages in the Federal Register!
• Does educate the person attending to ask the right questions in their own profession/health care entity about changes in compliance with federal law under HIPAA to look for in 2024
• Additional disclaimer – I do not work in the area of federal administrative rulemaking (state rulemaking, yes), and I do not work daily in the area of HIPAA compliance; I work in professional licensure and regulation of health care professionals – all aspects touch in some part on HIPAA as to confidentiality
5. Introduction to HIPAA changes for 2024 and beyond – we start with 2023 rule changes:
• Why start in 2023?
• The Department of Health and Human Services published proposed amendments to HIPAA to further safeguard the privacy of reproductive health care information on April 17, 2023
• This was the biggest change in the proposed rules in…..how long?
• Comments were due sixty days later, by June 16, 2023; nearly 26,000 comments were filed, some publicly released and searchable (more to come? all to come?) – preliminary conclusions from the comments
• This is somewhat old data
• Why were these proposed rule changes significant?
• Incorporated guidance documents into the law
• Responded to the U.S. Supreme Court’s Dobbs v. Jackson Women's Health Organization decision on abortion, recognizing state-by-state differences – even more so now in 2023/2024
• Example: Ohio constitutional amendment
• The proposed amended HIPAA rule prohibits the use and disclosure of this information for certain criminal, civil, and administrative investigations and proceedings where reproductive health care is legal in the state in which it was provided or under federal law
• This HIPAA update would preempt contrary state law in these narrow situations – for 2023, there are also proposed corresponding changes, such as to the requirements for notices of privacy practices and requiring attestations for certain requests for information potentially related to reproductive health care
6. Existing guidance and why that is not enough:
• After the Supreme Court officially published the Dobbs v. Jackson Women's Health Organization decision on June 24, 2022, the federal Department of Health and Human Services published two guidance documents related to the privacy of reproductive health care information
• What is a guidance document? Does it have the force of law? Yes and no….
• Guidance documents are suggestions to individuals regarding how to comply with the law – while helpful, the Department of Health and Human Services could only provide increased HIPAA protections through notice-and-comment rulemaking – it had to change the black and white law (you can’t be found guilty of not following guidance)
• Guidance documents – a “pet peeve” of mine in the law for state agencies
• Example: “use a secure digital platform” – the guidance document says that 16-bit, double-ended encryption is “secure” (the figures here are illustrative, not an actual standard)
• But only “the law” can mandate 16-bit, double-ended encryption as being required under the law
• Still, the guidance document can give a safe-harbor provision basically saying “if you use 16-bit, double-ended encryption, then you won’t get in trouble with us”; after all, it may be the case that 8-bit, double encryption is sufficient
• The first guidance document identified how HIPAA currently applies to the privacy of reproductive health care information, emphasizing that it permits but does not require disclosures of this information – state law may apply here either for or against release – HIPAA allows for state law to apply (e.g., mandatory reporting of child abuse/neglect)
7. Existing guidance and why that is not enough:
• The second guidance document clarified that HIPAA does not apply to health information on consumer devices or stored with most consumer apps, which is already the existing HIPAA law – we should know this
• Why is this important? Lots of information on these apps – not private! Subject to subpoena without any HIPAA privacy protections at all
• In conclusion for our introduction, these proposed changes for 2023, extending into 2024, will involve next steps for covered entities and business associates alike
• This is still on-going! There is no time limit to publish the final rule – covered entities will have 180 days to comply fully with any changes (hint: employee training is important!)
• See webinar dated October 3, 2023: “HIPAA and Proposed Changes for 2023”
8. HIPAA security and privacy – what’s the difference?
• Security and privacy concepts are merging – a result of the evolution of Electronic Health Records and direct patient access on secured health care applications (apps) on your smartphone
• Privacy and security were two distinct concepts – now, the two rules seem to be alike in many ways
• Patients more clearly have a right in 2024 to have direct access to their own medical records
• In the absence of direct access, covered entities have to respond to individual and specific requests, verify the identity of the person requesting the medical record, and correctly handle medical records data with third parties
• Note: this has always been true with Business Associates, and smartphone apps raise this liability
9. Training your employees – what’s really required?
• Initial training vs. training as needed – is annual training the solution to the latter?
• Needs to address cyber-awareness and especially phishing
• Focus on phishing: even law firms are vulnerable; Example: pulling the plug (literally)
• Example: spoofing an e-mail from a valid sender (who’s been hacked) with general instructions
• Example: spoofing an e-mail from a valid sender (who’s been hacked) with specific instructions, like a bank transfer notice
• Health care is the most vulnerable to cyber hackers; two-factor authentication is the easiest, most efficient way to protect sensitive information
• Employee and worker education is critical – must include all employees and volunteers
• Differentiate between workers who have direct access to medical records/PHI vs. others
• Why is this important? Facility liability for all workers!
• Cyberattacks are growing and are more sophisticated – even my own PCP office!
• Minimal standards: identify signs of attack or phishing; correctly report the incident; and take steps to safeguard against threats
10. Cybersecurity best practices – why is it more important now?
• New changes and updated standards are now grounds for government enforcement
• Data protection – designed to prevent data breaches and data theft
• Why health care data is so valuable
• Must conduct a Security Risk Assessment
• See webinar “How to Conduct a HIPAA Risk Assessment and the Surprising Danger of Not Doing One,” June 15, 2023
• Spoiler alert: the surprising danger of not doing one was that the government held it against you in a HIPAA investigation – as a practical matter, a risk assessment may have caught the problem first
11. Best practices for responding to a security incident:
• Health and Human Services lists all breaches reported to HHS within the last 24 months that are under some kind of investigation
• Note: investigations either exonerate or implicate – “innocent until proven guilty”
• Monitor this list to gauge the current state of cyberattacks and data breaches
• Prevention: review all Information Technology and computer assets and compile a list
• Example: new technology – a cast made of the foot using a computer tablet and high-resolution camera
• Analyze once detected: watch for attack and breach indicators; if a possible breach is detected, then review all IT devices and re-secure them
• Example: your main Personal Computer is hacked; the compromise spreads to a smartphone when someone uses their smartphone to check business e-mail … because the main computers are down
• Contain, eradicate, and recover
• Stop the attack (IT containment plan)
• Eradicate the breach (removing malware, resetting passwords, completing all necessary software updates)
• Restore your systems using the most recent back-up if necessary, and resume business as usual
• Post-incident review: very little time is spent on this; review the incident and use it for future instruction; improve your response plan – update your current procedures
12. Lessons learned from the most recent cyberattack investigation:
• Barely 30 days ago, HHS settled a ransomware cyberattack investigation involving a Business Associate
• The entity was “Doctor’s Management Services,” a Massachusetts medical management company that provided medical billing and payor credentialing services
• Large breach report affecting the electronic medical records of 206K persons – $100K settlement
• Ransomware – a type of malware (malicious, unauthorized software) that denies access to the user’s own data (usually by encrypting it with a key held by the attacker) until a ransom is paid
• First ever ransomware settlement agreement that HHS has reached (October was cybersecurity awareness month)
• Investigation showed:
• Evidence of potential failures to determine risks/vulnerabilities
• Insufficient monitoring of health information systems’ activity to protect against cyberattack
• Lack of policies and procedures in place to implement the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic Protected Health Information
• Outcome: $100K fine; government monitoring for three years; implementation of a corrective action plan including a Risk Analysis to identify problems, a Risk Management Plan to fix them, updated written policies and procedures, and workforce training on HIPAA policies and procedures
13. Cybersecurity sanctions policies to support HIPAA compliance:
• From HHS directly – part of its Threat Brief detailing types of social engineering that hackers use to gain control of and access to healthcare information systems and data
• Recommended protective measures: “hold every department accountable” – sanction policies
• Apply to your own Human Resources and employees/workers/volunteers
• Prediction: lack of a sanctions policy will be used against you in a future investigation involving a breach that is traceable to a single person or persons
• The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”
• The Security Rule requires covered entities and business associates to “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”
• Elements include the functions of a sanctions policy, the content of what a sanctions policy would look like, and the execution of sanctioning consistently within an organization
• This is beyond the scope of today’s presentation – could be another entire webinar
• Applicability to a single health care practitioner as a covered entity?
14. Conclusion: Summary and tips for avoiding liability and risk with coming HIPAA changes for 2024:
For individual health care practitioners:
• As to state law: read and understand your profession’s practice act and know what the current practice standards are and the current rules on confidentiality in general under state law – usually the standards are very broad in professional licensure, but more detailed in the mental health professions
• Use a nationally recognized and “HIPAA compliant” software and medical records system – it may allow you to flag and to separate PHI related to reproductive health care
• Train all your staff and re-train them when HIPAA changes
• Note: what I do drills down only to a single health care practitioner as a covered entity
15. Conclusion: Summary and tips for avoiding liability and risk with coming HIPAA changes:
For health care facilities:
• Know your HIPAA confidentiality obligations and the coming changes, or hire someone who does – your facility is liable
• Have regular training on HIPAA rules for everyone (employees/volunteers) – annual training is recommended for anyone who has access to PHI, especially for facilities that provide reproductive health care
• Document your facility’s Risk Assessments accurately to include these changes – that is your best defense in a federal HIPAA investigation and will mitigate damages if there is a security breach or improper disclosure of PHI on reproductive health care
• Large entities will have their own IT and HIPAA compliance offices, so just do that!
16. Did we get to cover all the following?
• Introduction to the federal regulatory process – notice and comment rulemaking
• Overview of proposed HIPAA Privacy Rule changes for 2023
• Why these 2023 changes are extended into 2024
• HIPAA security and privacy – what’s the difference anymore?
• Training your employees – what’s really required?
• Cybersecurity – why it’s more important now
• Self-audits, remediation, and implementation of improvements
• Best practices for responding to a security incident
• Lessons learned from the most recent cyberattack investigation
• Cybersecurity sanctions policies to support HIPAA compliance
• Conclusion: avoiding risk and liability with best practices to anticipate HIPAA changes for 2024 that are not yet in effect