HIPAA Security Rule Implementation

In January 2025, the US Department of Health and Human Services issued a Notice of Proposed Rulemaking (the “Notice”) concerning the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. HIPAA requires entities to implement policies and procedures to address unexpected outages of data systems and to respond to breaches in security. The Notice applies to natural disasters or other major mishaps that cause electronic systems to fail.

Covered entities need to implement a disaster recovery plan and a plan to get back online as quickly as possible. Under current rules, some specifications are “required,” while others are “addressable.” The Notice removes the distinction between “required” and “addressable” and makes all specifications “required,” with few exceptions. Under the current rule, when a standard is considered “addressable,” covered entities must have considered the issue but do not necessarily need a formal policy or procedure in place. Under the revised rule as set forth in the Notice, all such addressable specifications would become required.

The Notice requires “vulnerability management” standards, meaning a contingency plan to make sure exact backup copies are made of any electronic protected health information. Any compromised data must be restored within 72 hours of a data loss event. A business associate must notify covered entities within 24 hours of activating a contingency plan. There would also have to be a written security incident response requirement specifying how workforce members would report problems.

These are just a few of the changes in the updates. We will address others in future blogs.

Revolution Law Group is located in Greensboro, NC, and serves individuals and small businesses throughout the Triad and surrounding areas. To contact us, please visit Revolution.law or call 336-333-7907.

The information included here is for informational purposes only, is not exhaustive of all considerations when creating documents, is not intended to be legal advice, and should not be relied upon for that purpose. We strongly recommend you consult with an attorney and do not attempt to create your own documents.