Employers
HHS Signals Continued Focus on Health Plan Privacy and Cybersecurity
Privacy and security are enforcement priorities for government regulators following HHS's restructuring of its Office for Civil Rights.
HR Compliance
Proposed Updates to the HIPAA Security Rule
Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced proposed changes to the HIPAA Security Rule, marking the first update since 2013.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced proposed changes to the HIPAA Security Rule, marking the first update since 2013. These modifications, published as part of a Notice of Proposed Rulemaking (NPRM), aim to enhance cybersecurity measures across the healthcare industry. The proposed updates provide stronger data protection but will require HIPAA-regulated entities to implement new administrative processes.
Key Proposed Changes
The NPRM introduces several updates to the HIPAA Security Rule, including:
- Technology Asset Management: Entities would be required to maintain an inventory of all technology assets and create a network map of electronic information systems.
- Annual Verification by Business Associates: Covered entities must obtain annual written confirmation from business associates that HIPAA safeguards are in place, with business associates expected to do the same for their subcontractors.
- Strengthened Risk Management: The proposal elevates risk management from a technical safeguard to a mandatory standard, requiring written plans to address identified risks.
- Mandatory Encryption: Encryption of all electronic protected health information (ePHI) at rest and in transit would become a required standard.
- Policy Updates: New and revised policies would address workforce access to ePHI and mandate enhanced security awareness training.
Challenges and Opportunities
Compliance with the proposed updates may cost HIPAA-regulated entities approximately $9 billion in the first year, with recurring costs of $6 billion annually in subsequent years. While these changes could reduce data breaches by 7-16%, balancing these benefits with the increased compliance burden will be difficult for many organizations, especially those already grappling with resource constraints.
Public Comment Period
Stakeholders are encouraged to review the NPRM and submit feedback during the 60-day public comment period, which began upon its publication in the Federal Register. Comments can be submitted through regulations.gov.
Benefit Allocation Systems (BAS) provides online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.
MyEnroll360 integrates with major insurance carriers for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and others), and with leading payroll platforms for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and others).
This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.
Topics
HR Compliance
Hiring Young Workers This Summer
Hiring workers under age 18 requires additional compliance responsibilities under the Fair Labor Standards Act's child labor provisions.
HR Compliance
What Federal Eligibility Verification Rules Can Teach Private Employers
A new OPM rule on federal health plan eligibility verification offers practical lessons for private employers managing dependent audits and qualifying life event documentation.