Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello, and welcome to Episode 618, HIPAA Security Rule Update: What We Know, What We Don’t, and What You Should Do Right Now.
Liath Dalton
Yes, today’s episode is a quick update on something we have been getting asked about constantly over the past few months. And we already did an update episode earlier in the year, but part of that update was, well, it’s on the Office of Civil Rights regulatory agenda for May, and so by the end of May, ostensibly we should know something.
Liath Dalton
Except when it isn’t and comes in as a surprise. But that’s why we are giving this update because we do have some news that is meaningful. So basically the questions we’ve been getting have been: What’s happening with the proposed HIPAA Security Rule update? Is it still coming? Has it been abandoned? What do I need to do?
Liath Dalton
And our honest answer at this point in time is we still do not know exactly what the Office of Civil Rights, who are the HIPAA regulators, are going to do, but we do have some meaningful info that helps us understand how they are thinking about it, thinking about the proposal specifically, and kind of most importantly, what practices should be focusing on while we wait for the final verdict. And the final verdict may well not be the final rule. We shall see.
Liath Dalton
So as the title belies, we’re going to talk about what we know, what we don’t, and part of what we do know, and how that informs the practical takeaways relates to some comments from Paula Stannard, who is the OCR director.
Evan Dumas
Hopefully, yeah.
Liath Dalton
Well, we know how bureaucracy and government agencies work, and it is always kind of at the pace of molasses.
Evan Dumas
Uh huh.
Evan Dumas
Mhm.
Evan Dumas
Mhm.
Liath Dalton
And even though it wasn’t a major announcement, it’s useful clarification. I would say kind of the framing is really that the lesson is more about the underlying security principles that the OCR continues to emphasize than about the proposed rule itself.
Liath Dalton
So before we get into that, though, let’s talk through what, how we got to this point.
Evan Dumas
Mhm.
Liath Dalton
Which the quick synopsis is that in January of 2025, specifically January 6, 2025, the notice of proposed rulemaking was released and then opened for public comment. There were over 4700 comments submitted in response to it, and there was sort of just this period of silence from the OCR after the comment period closed. Then in December, late December 2025, it got placed on the OCR spring regulatory agenda, with the timeline stating that May was when the Final Rule was going to be addressed, but we are now, at the time of recording, on June 17, and there has been absolutely nothing.
Evan Dumas
Nope.
Liath Dalton
Not a peep. And, as you can imagine, Evan and I have Google news alerts set for anything related to this. And there has been nothing there, nothing on the official websites, and so it is still just showing as being on the May regulatory agenda. But of course May is over, and they have not yet released the next regulatory cycle agenda. So there is nothing concrete, no specific timelines, and what we’re really looking at right now is what the indicators are based on what Stannard said, and then what the practical kind of takeaways are for what you should be doing or not doing. The not doing part is panicking or feeling like all of a sudden you’re going to be hit with an avalanche of
Evan Dumas
Oh no.
Liath Dalton
onerous requirements, because that is not the case. So basically I want to say that regulatory uncertainty does not mean security uncertainty.
Evan Dumas
No, not at all.
Liath Dalton
Like, before we get into Stannard’s comments, because I think that’s the, the most important takeaway from this whole conversation that Evan and I are having now. Because the regulatory future may be uncertain, but the threat landscape is not, right? While the regulators figure out what the regulation should be, cyber attacks haven’t paused, ransomware attacks haven’t paused, email compromise hasn’t stopped, and healthcare breaches most certainly have not paused. And the current HIPAA Security Rule remains fully in effect.
Liath Dalton
So, while we don’t know what the OCR will ultimately do with the proposed rule, we do know without a doubt that safeguarding client information remains an active responsibility and imperative today, not just under HIPAA, which, the existing HIPAA Security Rule very clearly mandates that, but also for ethics and operational and just general business needs too.
Liath Dalton
So I think where practices need to keep their attention is on safeguarding client information based on what is reasonable and appropriate in our current threat landscape.
Liath Dalton
So now on to what Stannard said. She recently made some comments during the 42nd National HIPAA Summit and was very careful not to predict what the OCR will ultimately do with the proposed rule. So these comments were announcing a decision or previewing a Final Rule, and she sort of tiptoed around not indicating whether the OCR will ultimately finalize, modify, delay, or withdraw altogether the proposal, right?
Evan Dumas
Mhm.
Liath Dalton
So she said that they are still, and the comments were in at the end of March, but and you might be saying, well, it’s June now. Why are we talking about comments made in March when it’s June? Well, because we haven’t had anything else since, and it really is the most telling thing that we have gotten, and because there are some meaningful takeaways from it, it merits discussion.
Evan Dumas
Mhm.
Liath Dalton
So she said they are still working their way through the thousands of comments submitted.
Evan Dumas
Mhm.
Liath Dalton
We should also say that there is a coalition of over 100 hospitals and healthcare organizations that submitted a signed letter and petition to have the NPRM withdrawn altogether,
Evan Dumas
True, yeah.
Liath Dalton
because of the burden of cost, right?
Evan Dumas
Yeah.
Liath Dalton
So these are just some of the observations that she, she offered that really give us some insight into how they’re thinking about the underlying issues that the proposal is intended to address, and I think that these observations she made are more useful than trying to speculate about what the Final Rule may or may not look like if it comes to pass. And they, these comments that she made really highlight the concerns of the OCR and where they’re putting their focus that we’ve been sort of naming and aware of for quite some time, right, Evan?
Evan Dumas
Mhm, oh yeah.
Liath Dalton
Yeah, so the sort of signal one from what Stannard said was that the cost of doing nothing is high. Which I actually want to go back to our prior episodes about this, because I think we, we said the same thing, essentially.
Evan Dumas
Mhm.
Liath Dalton
Right? That yes, this is costly, but the cost of not addressing these things is even higher. So, she said that, you know, the cost of inadequate security is massive, that while they are aware of concerns about compliance costs and implementation burdens, that the costs organizations face when security incidents occur are even greater, and specifically named ransomware payment, system remediation, credit monitoring, reputational damage, civil liability exposure, etc. So this kind of tells us something important, right, that they aren’t viewing the conversation solely through the lens of regulatory burden.
Evan Dumas
No, not at all.
Liath Dalton
Which they shouldn’t be.
Evan Dumas
No.
Liath Dalton
That’s actually kind of, kind of reassuring, given how much emphasis the current administration does have on deregulation.
Evan Dumas
Yeah, they’re not doing this to be cruel, they’re doing this to point out that the cost of the lock is cheaper than the cost of what you have in the safe.
Liath Dalton
Exactly, that’s a perfect analogy, and I think is really useful framing for us to apply. It’s kind of how we approach HIPAA in general, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
It’s, it’s, it’s not an arbitrary burden. It is scaffolding.
Evan Dumas
Yeah. It’s a safety net, like if you discover that you’re walking a tight rope and you look down and there’s no safety net, you don’t just say, well, I’m going to keep looking up, I don’t, I want to ignore that. You think, oh, how can I make this more safe? Let’s, let’s, let’s do some things. Let’s take care of it. Ignorance is never the solution.
Liath Dalton
No, and that’s always been the point of the Security Rule. It has never been about compliance for compliance’s sake, it’s been about the central mandate, which is protecting the confidentiality, integrity, and availability of Protected Health Information, which is in everyone’s interest. So the fact that the OCR continues to be focused on cybersecurity risk and the real world consequences of inadequate safeguards is appropriate and reassuring.
Liath Dalton
The next part that she spoke to was the fact that the proposal shifts things from being addressable to required when we’re talking about safeguards that HIPAA covered entities need to implement. And this is really, in practical terms, the most important signal for healthcare providers, because Stannard specifically discussed concerns that many organizations have treated addressable implementation specifications as though they were optional.
Evan Dumas
Mhm.
Liath Dalton
And this is a major and common misunderstanding that we encounter when we’re talking about HIPAA security compliance, because addressable doesn’t mean implement if you feel like it. Addressable means assess whether the safeguard is reasonable and appropriate in your environment. If it is, implement it.
Evan Dumas
Yeah.
Liath Dalton
If it isn’t, then implement an equivalent alternative safeguard, or document why one is not reasonable and appropriate. The expectation has always been that thoughtful analysis and documented decision making is necessary, not to simply just ignore the safeguard if it’s something that’s listed as addressable.
Evan Dumas
Mhm.
Liath Dalton
So I think that’s just a really vital takeaway. And encryption was the primary example that she used for this, and definitely a deliberate example to use. Because when the HIPAA Security Rule was first written over 20 years ago, 23 years ago, encryption was not nearly as accessible, affordable, or widely deployed as it is today, right? Technology has changed, threats have changed, and so expectations have changed. Because what is now reasonable and appropriate in the context of the mitigating measures we have available and situated in the context of what our current threat landscape and impact of those threats being realized is, is completely different.
Liath Dalton
So that’s why it’s always a process, not a one and done, and is responsive to what we’re operating within. So in talking about encryption, she was saying that many organizations should already be concluding that encryption is reasonable and appropriate based on today’s realities, and that’s really a different argument than you should do this because a future rule might require it.
Evan Dumas
Yeah, totally. Yeah, yeah.
Liath Dalton
Right? The argument instead is you should evaluate it honestly based on today’s threat landscape. That’s a big distinction, and that brings us back to the current HIPAA Security Rule’s reasonable and appropriate standard that already exists.
Evan Dumas
Mhm.
Liath Dalton
So then the other thing that she, that Stannard highlighted was how central the risk analysis standard is.
Evan Dumas
Mhm, yeah.
Liath Dalton
And that it continues to be the most common compliance finding, not just not doing risk analyses, though that still is pretty pervasive, but incomplete analyses, outdated analyses, and analyses that don’t actually meaningfully drive security decisions. Evan, do you think this should sound familiar to our longtime listeners?
Evan Dumas
Oh, yeah, we’ve been beating the drum of risk analyses for a long time. And I, you know, still meet tons of folks who are like, I didn’t even know this was a thing. And they’re like, yeah, they haven’t done a great job of advertising.
Liath Dalton
That’s super true. And also, risk analysis isn’t a form, it’s not a checklist, it’s not a one-time event, it is a process
Evan Dumas
Mhm.
Liath Dalton
that allows you to determine what safeguards are reasonable and appropriate for your specific practice. It’s how you identify your risks, how you prioritize mitigation efforts, and then it’s how you make defensible decisions.
Liath Dalton
So, really, our takeaway is that, and takeaway being focused on Stannard’s comments, I, and I keep wanting to chuckle every time I talk about Stannard, because we’re also talking about Stannard in the context of standards.
Liath Dalton
Anyway, funny in my own head, but Stannard’s comments weren’t so much about the NPRM itself, they’re really about the rationale behind it, right?
Evan Dumas
Mhm.
Liath Dalton
And the concerns that she highlighted, specifically encryption, risk analysis and organizations treating addressable safeguards as optional when that isn’t actually reasonable and appropriate, and the high cost of inadequate security are all issues that exist, whether or not this proposed rule is finalized. And so that’s why our recommendation remains consistent. Don’t build your compliance strategy around trying to predict what the OCR may do at some point in time in the future, build it around your risk analysis, build it around reasonable and appropriate safeguards, build it around the ultimate goal and need that this whole process serves, which is protecting client information, and if you’re doing that and doing that well, you’re in a strong position whether or not the proposed Final Rule is actually finalized, if it’s modified, if it’s delayed, or if it’s withdrawn.
Evan Dumas
Oh, I get it.
Evan Dumas
So, what should practices do right now? Easy peasy. One, take a fresh look at your risk analysis. If you haven’t done one in a while, do one. And just, it’s always good to see where your EPHI lives, what your risks are, and what your plans are for fixing it. Then also make sure you have multi-factor authentication and encryption turned on. Are they in place? If not, why have you chosen not to? Hopefully you’ve chosen not to. If not, if it’s just a button you’ve got to click. And does your rationale hold? Because, like, sometimes people in a mitigation plan will accept risks, but it’s always good to look at that and revisit it and go, hmm, maybe it’s time to remedy that and not accept it anymore.
Evan Dumas
Look at your security circle. The circle is something we talk a lot about, about what holds, accesses, contains, manages, transmits PHI. What’s in your circle of control? The systems, the vendors, the business associates that you use, and to sort of take stock of who has access. Anyone from the workforce to third-party, like service workers, to your systems you use. And just sort of know, know your circle. And finally document. So if, when you’re doing all of this, you’re going to come to some new decisions about what to do, what not to do, and demonstrate, you know, what you’re thinking. Write down your decisions and show your work. Like demonstrate your risk management. Because, you know, the classic saying of documentation or it wasn’t done. It’s good to document all of these things.
Liath Dalton
And if you’re sitting there thinking, okay, this all makes sense, but where do I actually start? We’ve got a resource that can help with exactly that. We’ve included a link to our free mini risk analysis tool in the show notes. It helps you identify the primary components of your practice’s security circle and evaluate your current safeguards through the same reasonable and appropriate lens we’ve been talking about throughout this episode.
Liath Dalton
It’s not a substitute for a full security risk analysis, but it is a great way to get a snapshot of your current security practices and identify areas that may need additional attention. Basically, in just a few minutes, it can help you understand what you’re already doing well, which we love, where there may be gaps, and what you may want to focus on next.
Liath Dalton
And for practices looking for a more comprehensive roadmap, that’s exactly why The PCT Way system exists. That’s why The PCT Way system and process is designed the way that it is, in terms of the content, the support, and both the initial implementation and then the ongoing maintenance of it. To make sure that you, first of all, construct a strong security circle and then maintain a perimeter with integrity. We don’t want the perimeter getting porous or lacking definition, right?
Liath Dalton
So, of course, these are things that we are here to support you in and have material resources for. So, check out the show notes, because we both offer a consultant performed risk analysis and risk mitigation planning service, and then have a lot of tools and supports to help with the actual mitigation, from device and workspace security, to system configuration, workforce training, and direct support and consultation for all the emergent questions that arise in the process of running a modern practice.
Liath Dalton
So this isn’t something you have to navigate alone. And, as you know, as we said before, when talking about the proposed Security Rule changes, The PCT Way system and all of our formal compliance materials already address basically 99.9% of what was in the proposed rule. And the reason for that being is because it really is sound and logical, based on both the current threat landscape and the technology that we have available.
Liath Dalton
So the kind of takeaway from all of this, is yeah, we don’t know what the OCR will ultimately do, but we do know what the OCR continues to care about, which is risk analysis, reasonable and appropriate safeguards, and meaningful protection of client information. So the proposed rule might change the roadmap a little bit, but it doesn’t change the destination, and we already have a good roadmap to reach that destination if we follow it. So, come, come use our roadmap.
Evan Dumas
Yeah, exactly.
Liath Dalton
Thanks for listening. We hope you found this helpful, and hopefully part of the helpfulness is that it is reassuring that the rule has, the changes have not been made, there aren’t new requirements that you are suddenly beholden to, and they aren’t going to just crop up overnight. So all that you need to do now to safeguard your practice is safeguard client information in ways that are reasonable and appropriate. And that is something that is manageable.
Liath Dalton
All right, folks, we’ll talk to you next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share what we know about the proposed HIPAA Security Rule and steps to take to safeguard your practice in the meantime until we know more.
We discuss:
- The current status of the proposed HIPAA Security Rule
- How regulatory uncertainty does not equal security uncertainty
- Takeaways from OCR Director Paula Stannard’s comments at the National HIPAA Summit that give insight into the rationale behind the proposed rule
- Risk analysis, encryption, reasonable and appropriate safeguards, and meaningful protection of client information
- Our recommendation for building your compliance strategy
- Four steps practice owners should take right now to safeguard your practice
- PCT resources that can help you take those steps
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- PCT’s Free Mini-Risk Assessment Tool
- Wondering whether your practice’s safeguards are reasonable and appropriate for today’s threat landscape? Our free Mini Risk Analysis Tool provides a quick, practical way to evaluate your security circle, identify potential gaps, and determine where to focus your attention next. While not a substitute for a full HIPAA Security Risk Analysis, it’s an excellent place to begin.
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners
- Comprehensive HIPAA Security Policies & Procedures
- Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
- Device & Workspace Security Suites
- Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
- Includes the Risk Analysis & Risk Mitigation Planning service + tool
- HIPAA Security & Privacy Ethics training
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more