Upcoming New 2025 HIPAA Changes and Beyond!
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP, CCNA, Net +
• The Health Insurance Portability Act of 1996 (HIPAA)
• Enacted by the United States Congress and signed by President
Clinton in 1996.
Bi-partisan bill also known as the Kennedy-Kassebaum Act named
after two of its major sponsors:
• Senator Ted Kennedy (D) Massachusetts
• Senator Nancy Kassebaum (R) Kansas
HIPAA Titles
• Title I – Health Care Access, Portability, and Renewability
• Title II – Preventing Healthcare Fraud and Abuse,
ADMINISTRATIVE SIMPLIFICATION, Medical Liability Reform.
• Title III – Tax Related Health Provisions
• Title IV – Application and Enforcement of Group Health Plan
Requirements
• Title V – Revenue Offsets
“Privacy” and “Security”
are not even in the name
“HIPAA” but they present
our biggest challenge
September 23rd, 2013
Couple of Points
• The HIPAA Omnibus Rule went into effect
• Increased penalties
• Equalizes the burden between business associates and covered
entities
• Enforces what was already on the books for covered entities
• Greatly enforces and increases federal auditing
• More funding for 2025?
• More audits for 2025?
• Every year since Omnibus, fines have increased
• Individual Remedy
Business Associate (Definition)
• 2024 will show increased enforcement on BA’s
• Business Associates (BA’s) are individuals or
entities who create, receive, maintain, or
store private health information on behalf of a
covered entity.
• Example: Answering Services, Medical
Transcription, IT groups, Billing companies,
shredding services are clearly under the
auspices of “Business Associate”
Risks of Telemedicine (Telecommuting)
Telecommuting Policy Should be in Place
DO NOT COPY OR STORE PROTECTED HEALTH
INFORMATION ON HOME COMPUTERS OR
LAPTOPS
Telecommuting
• Telecommuting does not replace the need for child or
dependent care.
• All staff members should be expected to make arrangements
for children or dependents that require care to ensure that
they do not interfere with your performance expectations
and/or be privy to any confidential patient interactions.
• Acceptable arrangements include an off-site day care or
another primary caregiver in your home.
• No one other than the employee should be allowed to use the
practice owned computer or personally owned computers (if
used to access, transmit, or store PHI)
HIPAA PRIVACY RULE
CHANGES
1. Changes to Right of Access
2. Changes relating to Care Coordination and
Information Sharing
3. Necessity to update the Notice of Privacy
Practices
What is Causing the Unprecedented Increase?
• 133 million individuals affected in 2023
• The healthcare industry has become a prime target for
cybercriminals due to the vast amount of sensitive patient data
it holds and the criticality of its operations
• In 2023, the healthcare industry reported data breaches costing
an average of $10.93 million per breach — almost double that of
the financial industry, which came in second with an average
cost of $5.9 million
Healthcare is a Major Target
• Prime target for cybercriminals due to the vast amount of sensitive patient
data it holds and the criticality of its operations.
• Systems such as electronic health records (EHRs), telemedicine, email used
for patient interaction, and other software-as-a-service (SaaS) technologies bring
numerous benefits but also expand entry points for cybercriminals.
• Protecting these digital assets is essential to maintaining the confidentiality,
integrity and availability of patient information.
Train Staff on Email Hacking Tricks
What Can We Do?
Good Technology (DO NOT GO CHEAP HERE)
Business level firewalls
Business level operating systems
Professional IT consultants (or internal IT staff)
What is Ransomware?
• Type of malware that prevents or limits users from
accessing their system, either by locking the system's
screen or by locking the users' files unless a ransom
is paid.
• More modern ransomware families, collectively
categorized as crypto-ransomware, encrypt certain
file types on infected systems and force users to pay
the ransom through certain online payment methods
to get a decryption key
What is Information Blocking?
Information blocking is a practice by a health IT
developer of certified health IT, health
information network, health information
exchange, or health care provider that, except as
required by law or specified by the Secretary of
the HHS as a reasonable and necessary activity,
is likely to interfere with access, exchange, or
use of electronic health information (EHI).
Personal Device Use Increasing
DO NOT
• Allow PHI to be written to the mobile
device
• Permit integration with insecure file
sharing or hosting services
• Set it and forget it (always include BYOD
in risk assessments)
DO
• Require business grade security suites
• Require business grade operating
systems
• Require hardware encryption
Mitigating Steps for Theft
• HARDWARE ENCRYPTION
• Remote Tracking – GPS tracking ability; this is now
standard on iPhones using the “Find My iPhone”
function
• Remote Disabling – secondary layer of protection, but
will not protect if the SIM card was stolen first
• Remote Memory Wipe – must be installed prior via
app or function (last resort)
2024 Mobile Devices
• HHS issued guidance addressing the extent to which PHI is protected on
mobile devices. Although the HIPAA Privacy Rule and Security Rule
(protecting PHI when maintained or transmitted electronically) provide
protections for the use and disclosure of PHI held or maintained by
covered entities and their business associates, they do not address PHI
accessed through or stored on personal devices owned by individual
patients.
• Example: although PHI maintained on electronic devices owned by a
covered entity would be protected from disclosure by HIPAA, once a
patient downloads that information to a personal device, HIPAA would no
longer protect it.
2025 Mobile Devices
• The guidance does provide tips to help individuals protect their own PHI,
such as:
• Avoiding downloads of unnecessary or random apps to personal devices;
and
• Avoiding (or turning off) permissions for apps to access an individual's
location data. (This reduces information about a person's activities that
can be used by the app or sold to third parties, such as the name and
address of health care providers a person visits.)
TEXTING Positives in Healthcare
• Texting CAN provide great advantages in
health care
– Appointment Reminders (2024 - MUST OPT IN FOR
MENTAL HEALTH AND SUBSTANCE ABUSE)
– Fast
– Easy
– Loud background noise problems are mitigated
– Bad signal issues mitigated
– Device neutral
TEXTING Negatives in Healthcare
• Reside on device and not deleted
• Very easily accessed
• Not typically centrally monitored by IT
• Can be compromised in transmission relatively easily
• HIPAA Privacy Rule requires disclosure of PHI to the
patient (e.g., when a text message is used to make a
judgement in patient care)
• CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED
THE END
Q&A
www.hipaa-consulting.com