[Transcript] Episode 508: Reassurance About the Proposed HIPAA Security Rule Change-Induced Panic

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 508: Reassurance About the Proposed HIPAA Security Rule Change-Induced Panic.

 

Speaker 1 

Yes, there is a lot of panic, distress, anxiety, ambivalence, questions, I would say, like panic’s at the high end of the spectrum of the range of emotions. But I would say it’s been pretty prevalent,

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

As like, the dominant emotional response that most solo and group practice owners are having, regarding the proposed Security Rule changes, because they are very extensive.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

And do bring up some new pieces.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So we thought, let’s, let’s talk about what the kind of time frame would be, if it were to go into effect. What the new required provisions really mean and what their implications are, and try and allay some of the distress that is kind of proliferating right now.

 

Liath Dalton 

So at the end of December 2024, there were extensive new Security Rule changes and updates proposed and published in the Federal Register, and a comment period opened. That comment period is closing on March 7, and it’s really just kind of in the last week or two that we’ve seen the increased distress about it as it’s gotten on more and more folks’ radar.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So first of all, a note about the time frame, because I think everyone’s thinking, oh my goodness, when is this going to go into effect? And the, because it does have new requirements, and some of which are really significant, how the heck am I going to manage that? So let’s break that down.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

First, when a new rule is published as a final rule, it goes into effect 60 days after the final rule is published.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So there’s two months.

 

Liath Dalton 

Then there is the mandatory compliance transition period, which is 180 days, unless specified that it’s longer. And there are a couple provisions in the proposed changes that they are recommending have a longer transition period. But the default, like the statutory minimum, is the 180 days on top of the 60 days.

 

Evan Dumas 

Yep.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So it will be eight months from the time of being published.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Right? The comment period is just closing now, and I want to provide some context that’s really, really relevant. Because back in 2020, remember 2020? Although I’ve seen a few comments that have been like, it feels like 2025 is just 5 2020s, stacked in a raincoat, or in an overcoat.

 

Evan Dumas 

That sounds about right, yeah. I love it, yeah.

 

Liath Dalton 

Back in December of 2020, proposed changes to the HIPAA Privacy Rule were published. And that had an extended comment period that closed in May of 2021. Evan, have those changes gone into effect?

 

Evan Dumas 

Nope, not yet. Not even a peep about them.

 

Liath Dalton 

No. There is literally no indication of if and when those will actually go into effect.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Nothing. So we are basically five years on from that.

 

Evan Dumas 

Yeah, we haven’t even adopted the old ones. So these new ones, they’re not even in the queue. Not even.

 

Liath Dalton 

No, they are, they are not in the queue. And so I think we are realistically looking at, even if the changes do go into effect and become a requirement, that it likely will be a minimum of a year, if not multiple years.

 

Evan Dumas 

Oh my gosh, yeah.

 

Liath Dalton 

Before it actually goes into effect. And realistically, given how long the Privacy Rule changes took or have taken and yet not materialized, and the fact that the monetary impact of those proposed changes was significantly less than the monetary impact of these changes, I think it will be even longer. Also,

 

Evan Dumas 

It’s huge, yeah.

 

Liath Dalton 

the security, proposed Security Rule changes are a lot more expensive than the proposed Privacy Rule changes,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

and have received a massive amount of comments. And with good, good reason, because there are a couple provisions in them that would, they are not clarified well, what they actually mean. Specifically, the one regarding penetration testing.

 

Evan Dumas 

Yeah, no, it’s all fuzzy.

 

Liath Dalton 

And so that really needs to be specified. And there’s a big push, including an organized one from the APA, that there be an exclusion for solo and small practitioners, with regards to that specific provision. So there are still things that have to be clarified and negotiated, and it’s worth noting that a significant factor in all of this is our current context regarding regulation.

 

Evan Dumas 

Compliance, yeah, yeah, or lack thereof, yeah.

 

Liath Dalton 

Wait, what, I mean, Evan, what would you say our take is on the current administration, the new administration, relatively new administration’s, approach to regulation is?

 

Evan Dumas 

Yeah, I’d say if you thought no one cared before, you are going to be amazed by how people care less now.

 

Liath Dalton 

Right, right. So they’re a huge question mark, and one that you know in terms of betting odds is that this is not going to come to pass, maybe at all.

 

Evan Dumas 

Yeah, yeah, maybe at all.

 

Liath Dalton 

Because of the current administration’s approach to deregulation as a priority.

 

Evan Dumas 

Yep.

 

Liath Dalton 

Right? So that’s the context, is there may be zero desire from the current administration to move this forward in any way. If it does get moved forward, it is going to be a very lengthy process, and that process will also include additional specifications and modifications based on all of the comments and pushback regarding the most problematic or most challenging provisions, right? Most impactful.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that’s the kind of reassurance that we want to provide around what the timeline would look like, if it were to come to pass, and then say whether that is, I mean, going to be the case, is pretty doubtful right now,

 

Evan Dumas 

Very much so.

 

Liath Dalton 

So there is time. There’s a lot of time. There is time to breathe and not feel distress around this and what, how it’s going to impact your practice.

 

Evan Dumas 

Yeah, because you may have felt distressed when you saw, oh no, the comment period is closing, your voices won’t be heard. So many other people and large companies have had their voices heard, who have much more powerful lobbying power than us individuals do.

 

Evan Dumas 

And this is a really slow, slow process. So slow that, you know, we’ve probably already forgotten that the proposed Privacy Rule changes haven’t gone into effect. So yeah no, no rush on any of this.

 

Liath Dalton 

Exactly. Though, I will say, after poring over the entire proposed changes and the explanations of each of them, that I have some additional reassurance.

 

Evan Dumas 

Mm, good.

 

Liath Dalton 

And a perspective, which is that the vast majority of them are, there is a very compelling case and need for them to go into effect, really.

 

Evan Dumas 

Mhm, yes.

 

Liath Dalton 

From, because we are in a context where the risk landscape has really evolved, the security threats and their realization and the breaches that have occurred have been costly. And not only costly, but impacted delivery of care and quality of care. And in medical contexts, some of these breaches, or security incidents, have actually resulted in deaths.

 

Liath Dalton 

So.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

There is a is a reason that we need to shore up the security of healthcare information and ePHI. Because the consequences of not doing so are really significant, and we are seeing that play out, you know, on an ongoing basis, kind of at the moment. So there’s, there is rationale behind making changes.

 

Liath Dalton 

And the HIPAA Omnibus rule came out in 2013, so 12 years ago. And the practice landscape, the, what tech looks like, or the interoperability and interdependence of different healthcare systems and services, has changed dramatically in that time period. And while the existing standards provide a framework for managing the present and evolving risks, there has been a lot of misunderstanding and misapplication of those standards that has weakened the security measures that are in place and the protections that should be in place for PHI. So part of the goal of the proposed changes is really providing specificity where the lack of specificity has translated to lack of compliance.

 

Evan Dumas 

Yeah, it’s and if people don’t know what to do, they can’t do it!

 

Liath Dalton 

Right. And they are very explicit as well about preserving the flexibility and scalability of the requirements. So it’s both an effort to improve the specificity but maintain the commitment and the realization of the need for scalability and a degree of flexibility as well. Because what it looks like for a solo practitioner to comply and to safeguard Protected Health Information is very different than a multi state hospital organization, and there’s the whole spectrum in between.

 

Liath Dalton 

So the rationale for providing more specificity and clarifying some of the pieces that have really been misunderstood and misapplied makes a lot of sense. And because PCT has had such an emphasis on the in practice compliance, like really implementing the chain, the necessary safeguards, and applying what the standards are to our current tech and security risk and practice context, and because PCT has followed the NIST framework, the National Institute for Technology Standards, or Standards of Technology, the vast majority of the new designated as requirements in the proposed rule are things that are already addressed, and you are already doing when you’re following the PCT Way program.

 

Evan Dumas 

Yeah, yeah. We’ve seen this coming, and we’ve given advice to follow these things, so you’d be set ahead of time. It’s also just good advice.

 

Liath Dalton 

Right. And kind of considered a minimum of security best practices in our current landscape, according to all the different Information Systems security experts and frameworks. So it’s not, if you are already doing things the PCT Way, and these changes were to go in effect, the changes required would be minimal. PCT would author some updated policies, policy inserts to address a couple of the new requirements, and would modify a couple existing policies to include and specifically address the additional specificity.

 

Liath Dalton 

Like, for instance, one of the pieces that they did provide specificity on, in the proposed changes is annual training and annual risk analysis. Now, our existing P and P say that’s the frequency it should be done, because that’s best practice, but it doesn’t list it as an explicit requirement. So that would be a tweak that we made.

 

Liath Dalton 

The big pieces that there are concerns around are the penetration testing requirement, and that’s really the one that generated the most concern. Because as the changes that are proposed read currently, there would be a requirement for all regulated entities to perform penetration testing on an annual basis, to do compliance audits and vulnerability scans every six months.

 

Liath Dalton 

Now, those are big, scary terms when you don’t know what that would actually look like. And because the typical PCT practice client, and honestly, the just mental health practices in general, currently, is very cloud reliant,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

all of your PHI is intended to be contained in HIPAA compliance-compatible, cloud based systems. That means you have a lot less endpoints, and the primary responsibility for pen testing is on your EHR. It’s on Google Workspace.

 

Liath Dalton 

And what pen testing would look like for you as a cloud reliant practice would be more like endpoint management. So device security, making sure that the device security measures you have in place are actually in place and not outdated, and maybe some network security testing, a little social engineering testing. But not big, crazy things, because you’re not running your own servers

 

Evan Dumas 

No, hopefully not.

 

Liath Dalton 

or proprietary systems and plugging into APIs. And you’re probably hearing these terms and going, what’s that? Don’t worry about it.

 

Evan Dumas 

Don’t worry about it.

 

Liath Dalton 

You don’t want that.

 

Evan Dumas 

No.

 

Liath Dalton 

So the, all that to say that the basis for the proposed changes really does make sense, but you are already doing them, the majority of them, if you are following the PCT Way and have done a PCT Risk Analysis and Risk Mitigation Planning, or are utilizing our policies and procedures and have followed the project plan or the program for implementing them.

 

Liath Dalton 

All the changes to in specifying the requirement for encryption, for data at rest and in transit is being managed. The requirements around device security are implemented so you have that really solid foundation. And the additional pieces that would be new would be not something that would actually impact you or be a requirement for a very long time from where we are now, and it’s likely that the specifications would be or that the way the final rule would turn out would have a lot more specificity and clarity and take into account all of the input that they have had about, first of all, a need for that, and then also really ensuring that it does have the scalability.

 

Liath Dalton 

I mean, I saw even in the cost, that, in the comments that someone who works at a pen testing company specified that without more clarity, if you were just doing a broad pen testing of every component for a mid sized practice, that you’re looking at up to 60 hours, and so saying that the cost that they’ve estimated for things is off.

 

Evan Dumas 

Oh.

 

Liath Dalton 

So they’re, they’re not just getting comments from clinicians, yeah, and practitioners who are feeling concerned, but also from industry professionals. So it, it as it, as it is currently written, is not going to go into effect at any point.

 

Evan Dumas 

Nope, not at all.

 

Liath Dalton 

So focus on other things. Try, try to ground in the present. If you haven’t engaged the formal compliance process yet, to be in compliance with the existing Security Rule standards, now is a good time to do it. Because, as I say, the reasons for making this update are really, they are compelling.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But it’s also going to be much easier to, at some point, potentially, but maybe never in the future, have to comply with the proposed new requirements if you’ve got a really solid foundation in place.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And wanting to return how we frame all of this to centering safeguarding client info and safeguarding client info as being a cornerstone element of client care, that outcome is worthwhile, right? And should be the highest motivating factor. Not that it’s just required by regulations and by your licensing board, but because it is something that really does impact client care.

 

Liath Dalton 

So I want to hopefully pull us back from being so focused on these potential changes that will be far off in the future, to centering client care and safeguarding client info as being the motivating factor for addressing security and risk management practices within your practice.

 

Liath Dalton 

And Evan from an emotional perspective, when you are doing risk analyses with folks, that I know, that’s something that you really emphasize right? And that someone might start a risk analysis from that more fear based or rule oriented framework, but then at the end, kind of be able to see it through a different lens.

 

Evan Dumas 

Oh, yeah, definitely. People come with such fears of fines and fees for HIPAA malfeasance. But then we talk about the realities of it. And we talk about, oh, by doing a risk analysis, you’re already doing a great job by looking at this stuff. Because so many people, you know, put your head in the sand. Which you know, everyone has their own level of capacity to deal with this, and I want you to take care of yourself and your clients first, of course. But really thinking about like, oh, I can create a safety net and sleep better? Great. That sounds nice. Let’s do that

 

Liath Dalton 

Exactly. So then, one, one thing, one last little note, because it did warm my heart, and should, should warm folks who are doing the PCT Way program, was that one section, or actually throughout a majority of the proposed rule change sections, there was a real emphasis on this new term of deployment. Because they’ve seen that the sort of biggest and most impactful gap between the existing regulations and actual compliance is that folks are doing the more performative aspects, but aren’t actually implementing their policies and procedures in practice, or deploying the security measures that their policies and procedures say or what they do.

 

Liath Dalton 

So the orientation to in practice application is what we need to be prioritizing, and the regulators themselves are also cognizant of that. So if you’re, even if you haven’t done the formal compliance process yet, but you are really making intentional decisions about establishing a strong security circle and keeping PHI within that security circle, you are on your way to managing this effectively.

 

Liath Dalton 

So. Alright, folks, we hope that was helpful and indeed reassuring and has hopefully freed up some capacity to tend to the other needs in your practice and in your own life. Take good care, and we’ll chat to you next week.

 

Evan Dumas 

Yeah. Bye, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.

Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we’re hoping to lower the level of distress around the proposed HIPAA Security Rule changes for therapy practice owners. 

We discuss:

  • What some of the proposed changes to the Security Rule are, including penetration testing
  • The timeframe for these changes if they are implemented, and the likelihood they actually will be implemented
  • The rationale behind the proposed changes, and why they’re necessary in our current threat landscape
  • How following the PCT Way can minimize the changes you need to make as HIPAA regulations evolve
  • Centering client care and safeguarding client info as a motivating factor, rather than fear

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • PCT’s HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

Group Practices

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.

Solo Practitioners

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.

