[Transcript] Episode 508: Reassurance About the Proposed HIPAA Security Rule Change-Induced Panic
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 508: Reassurance About the Proposed HIPAA Security Rule Change-Induced Panic.
Speaker 1
Yes, there is a lot of panic, distress, anxiety, ambivalence, questions, I would say, like panic’s at the high end of the spectrum of the range of emotions. But I would say it’s been pretty prevalent,
Evan Dumas
Oh yeah.
Liath Dalton
As like, the dominant emotional response that most solo and group practice owners are having, regarding the proposed Security Rule changes, because they are very extensive.
Evan Dumas
Oh, yeah.
Liath Dalton
And do bring up some new pieces.
Evan Dumas
Mhm.
Liath Dalton
So we thought, let’s, let’s talk about what the kind of time frame would be, if it were to go into effect. What the new required provisions really mean and what their implications are, and try and allay some of the distress that is kind of proliferating right now.
Liath Dalton
So at the end of December 2024, there were extensive new Security Rule changes and updates proposed and published in the Federal Register, and a comment period opened. That comment period is closing on March 7, and it’s really just kind of in the last week or two that we’ve seen the increased distress about it as it’s gotten on more and more folks’ radar.
Evan Dumas
Yeah.
Liath Dalton
So first of all, a note about the time frame, because I think everyone’s thinking, oh my goodness, when is this going to go into effect? And the, because it does have new requirements, and some of which are really significant, how the heck am I going to manage that? So let’s break that down.
Evan Dumas
Yeah.
Liath Dalton
First, when a new rule is published as a final rule, it goes into effect 60 days after the final rule is published.
Evan Dumas
Mhm.
Liath Dalton
So there’s two months.
Liath Dalton
Then there is the mandatory compliance transition period, which is 180 days, unless specified that it’s longer. And there are a couple provisions in the proposed changes that they are recommending have a longer transition period. But the default, like the statutory minimum, is the 180 days on top of the 60 days.
Evan Dumas
Yep.
Evan Dumas
Yeah.
Liath Dalton
So it will be eight months from the time of being published.
Evan Dumas
Yeah.
Liath Dalton
Right? The comment period is just closing now, and I want to provide some context that’s really, really relevant. Because back in 2020, remember 2020? Although I’ve seen a few comments that have been like, it feels like 2025 is just 5 2020s, stacked in a raincoat, or in an overcoat.
Evan Dumas
That sounds about right, yeah. I love it, yeah.
Liath Dalton
Back in December of 2020, proposed changes to the HIPAA Privacy Rule were published. And that had an extended comment period that closed in May of 2021. Evan, have those changes gone into effect?
Evan Dumas
Nope, not yet. Not even a peep about them.
Liath Dalton
No. There is literally no indication of if and when those will actually go into effect.
Evan Dumas
Yeah.
Liath Dalton
Nothing. So we are basically five years on from that.
Evan Dumas
Yeah, we haven’t even adopted the old ones. So these new ones, they’re not even in the queue. Not even.
Liath Dalton
No, they are, they are not in the queue. And so I think we are realistically looking at, even if the changes do go into effect and become a requirement, that it likely will be a minimum of a year, if not multiple years.
Evan Dumas
Oh my gosh, yeah.
Liath Dalton
Before it actually goes into effect. And realistically, given how long the Privacy Rule changes took or have taken and yet not materialized, and the fact that the monetary impact of those proposed changes was significantly less than the monetary impact of these changes, I think it will be even longer. Also,
Evan Dumas
It’s huge, yeah.
Liath Dalton
the security, proposed Security Rule changes are a lot more expensive than the proposed Privacy Rule changes,
Evan Dumas
Yeah.
Liath Dalton
and have received a massive amount of comments. And with good, good reason, because there are a couple provisions in them that would, they are not clarified well, what they actually mean. Specifically, the one regarding penetration testing.
Evan Dumas
Yeah, no, it’s all fuzzy.
Liath Dalton
And so that really needs to be specified. And there’s a big push, including an organized one from the APA, that there be an exclusion for solo and small practitioners, with regards to that specific provision. So there are still things that have to be clarified and negotiated, and it’s worth noting that a significant factor in all of this is our current context regarding regulation.
Evan Dumas
Compliance, yeah, yeah, or lack thereof, yeah.
Liath Dalton
Wait, what, I mean, Evan, what would you say our take is on the current administration, the new administration, relatively new administration’s, approach to regulation is?
Evan Dumas
Yeah, I’d say if you thought no one cared before, you are going to be amazed by how people care less now.
Liath Dalton
Right, right. So they’re a huge question mark, and one that you know in terms of betting odds is that this is not going to come to pass, maybe at all.
Evan Dumas
Yeah, yeah, maybe at all.
Liath Dalton
Because of the current administration’s approach to deregulation as a priority.
Evan Dumas
Yep.
Liath Dalton
Right? So that’s the context, is there may be zero desire from the current administration to move this forward in any way. If it does get moved forward, it is going to be a very lengthy process, and that process will also include additional specifications and modifications based on all of the comments and pushback regarding the most problematic or most challenging provisions, right? Most impactful.
Evan Dumas
Yeah.
Liath Dalton
So that’s the kind of reassurance that we want to provide around what the timeline would look like, if it were to come to pass, and then say whether that is, I mean, going to be the case, is pretty doubtful right now,
Evan Dumas
Very much so.
Liath Dalton
So there is time. There’s a lot of time. There is time to breathe and not feel distress around this and what, how it’s going to impact your practice.
Evan Dumas
Yeah, because you may have felt distressed when you saw, oh no, the comment period is closing, your voices won’t be heard. So many other people and large companies have had their voices heard, who have much more powerful lobbying power than us individuals do.
Evan Dumas
And this is a really slow, slow process. So slow that, you know, we’ve probably already forgotten that the proposed Privacy Rule changes haven’t gone into effect. So yeah, no, no rush on any of this.
Liath Dalton
Exactly. Though, I will say, after poring over the entire proposed changes and the explanations of each of them, that I have some additional reassurance.
Evan Dumas
Mm, good.
Liath Dalton
And a perspective, which is that the vast majority of them are, there is a very compelling case and need for them to go into effect, really.
Evan Dumas
Mhm, yes.
Liath Dalton
From, because we are in a context where the risk landscape has really evolved, the security threats and their realization and the breaches that have occurred have been costly. And not only costly, but impacted delivery of care and quality of care. And in medical contexts, some of these breaches, or security incidents, have actually resulted in deaths.
Liath Dalton
So.
Evan Dumas
Oh, yeah.
Liath Dalton
There is a is a reason that we need to shore up the security of healthcare information and ePHI. Because the consequences of not doing so are really significant, and we are seeing that play out, you know, on an ongoing basis, kind of at the moment. So there’s, there is rationale behind making changes.
Liath Dalton
And the HIPAA Omnibus rule came out in 2013, so 12 years ago. And the practice landscape, the, what tech looks like, or the interoperability and interdependence of different healthcare systems and services, has changed dramatically in that time period. And while the existing standards provide a framework for managing the present and evolving risks, there has been a lot of misunderstanding and misapplication of those standards that has weakened the security measures that are in place and the protections that should be in place for PHI. So part of the goal of the proposed changes is really providing specificity where the lack of specificity has translated to lack of compliance.
Evan Dumas
Yeah, and if people don’t know what to do, they can’t do it!
Liath Dalton
Right. And they are very explicit as well about preserving the flexibility and scalability of the requirements. So it’s both an effort to improve the specificity but maintain the commitment and the realization of the need for scalability and a degree of flexibility as well. Because what it looks like for a solo practitioner to comply and to safeguard Protected Health Information is very different than a multi state hospital organization, and there’s the whole spectrum in between.
Liath Dalton
So the rationale for providing more specificity and clarifying some of the pieces that have really been misunderstood and misapplied makes a lot of sense. And because PCT has had such an emphasis on the in practice compliance, like really implementing the chain, the necessary safeguards, and applying what the standards are to our current tech and security risk and practice context, and because PCT has followed the NIST framework, the National Institute for Technology Standards, or Standards of Technology, the vast majority of the new designated as requirements in the proposed rule are things that are already addressed, and you are already doing when you’re following the PCT Way program.
Evan Dumas
Yeah, yeah. We’ve seen this coming, and we’ve given advice to follow these things, so you’d be set ahead of time. It’s also just good advice.
Liath Dalton
Right. And kind of considered a minimum of security best practices in our current landscape, according to all the different Information Systems security experts and frameworks. So it’s not, if you are already doing things the PCT Way, and these changes were to go in effect, the changes required would be minimal. PCT would author some updated policies, policy inserts to address a couple of the new requirements, and would modify a couple existing policies to include and specifically address the additional specificity.
Liath Dalton
Like, for instance, one of the pieces that they did provide specificity on, in the proposed changes is annual training and annual risk analysis. Now, our existing P and P say that’s the frequency it should be done, because that’s best practice, but it doesn’t list it as an explicit requirement. So that would be a tweak that we made.
Liath Dalton
The big pieces that there are concerns around are the penetration testing requirement, and that’s really the one that generated the most concern. Because as the changes that are proposed read currently, there would be a requirement for all regulated entities to perform penetration testing on an annual basis, to do compliance audits and vulnerability scans every six months.
Liath Dalton
Now, those are big, scary terms when you don’t know what that would actually look like. And because the typical PCT practice client, and honestly, the just mental health practices in general, currently, is very cloud reliant,
Evan Dumas
Yeah.
Liath Dalton
All of your PHI is intended to be contained in HIPAA compliance-compatible, cloud based systems. That means you have a lot less endpoints, and the primary responsibility for pen testing is on your EHR. It’s on Google Workspace.
Liath Dalton
And what pen testing would look like for you as a cloud reliant practice would be more like end point management. So device security, making sure that the device security measures you have in place are actually in place and not outdated, and maybe some network security testing, a little social engineering testing. But not big, crazy things, because you’re not running your own servers
Evan Dumas
No, hopefully not.
Liath Dalton
or proprietary systems and plugging into APIs. And you’re probably hearing these terms and going, what’s that? Don’t worry about it.
Evan Dumas
Don’t worry about it.
Liath Dalton
You don’t want that.
Evan Dumas
No.
Liath Dalton
So the, all that to say that the basis for the proposed changes really does make sense, but you are already doing them, the majority of them, if you are following the PCT Way and have done a PCT Risk Analysis and Risk Mitigation Planning, or are utilizing our policies and procedures and have followed the project plan or the program for implementing them.
Liath Dalton
All the changes in specifying the requirement for encryption, for data at rest and in transit, are being managed. The requirements around device security are implemented so you have that really solid foundation. And the additional pieces that would be new would be not something that would actually impact you or be a requirement for a very long time from where we are now, and it’s likely that the specifications would be or that the way the final rule would turn out would have a lot more specificity and clarity and take into account all of the input that they have had about, first of all, a need for that, and then also really ensuring that it does have the scalability.
Liath Dalton
I mean, I saw even in the cost, that, in the comments that someone who works at a pen testing company specified that without more clarity, if you were just doing a broad pen testing of every component for a mid sized practice, that you’re looking at up to 60 hours, and so saying that the cost that they’ve estimated for things is off.
Evan Dumas
Oh.
Liath Dalton
So they’re, they’re not just getting comments from clinicians, yeah, and practitioners who are feeling concerned, but also from industry professionals. So it, it as it, as it is currently written, is not going to go into effect at any point.
Evan Dumas
Nope, not at all.
Liath Dalton
So focus on other things. Try, try to ground in the present. If you haven’t engaged the formal compliance process yet, to be in compliance with the existing Security Rule standards, now is a good time to do it. Because, as I say, the reasons for making this update are really, they are compelling.
Evan Dumas
Yeah.
Liath Dalton
But it’s also going to be much easier to, at some point, potentially, but maybe never in the future, have to comply with the proposed new requirements if you’ve got a really solid foundation in place.
Evan Dumas
Yeah.
Liath Dalton
And wanting to return how we frame all of this to centering safeguarding client info and safeguarding client info as being a cornerstone element of client care, that outcome is worthwhile, right? And should be the highest motivating factor. Not that it’s just required by regulations and by your licensing board, but because it is something that really does impact client care.
Liath Dalton
So I want to hopefully pull us back from being so focused on these potential changes that will be far off in the future, to centering client care and safeguarding client info as being the motivating factor for addressing security and risk management practices within your practice.
Liath Dalton
And Evan, from an emotional perspective, when you are doing risk analyses with folks, that I know, that’s something that you really emphasize, right? And that someone might start a risk analysis from that more fear based or rule oriented framework, but then at the end, kind of be able to see it through a different lens.
Evan Dumas
Oh, yeah, definitely. People come with such fears of fines and fees for HIPAA malfeasance. But then we talk about the realities of it. And we talk about, oh, by doing a risk analysis, you’re already doing a great job by looking at this stuff. Because so many people, you know, put your head in the sand. Which you know, everyone has their own level of capacity to deal with this, and I want you to take care of yourself and your clients first, of course. But really thinking about like, oh, I can create a safety net and sleep better? Great. That sounds nice. Let’s do that.
Liath Dalton
Exactly. So then, one, one thing, one last little note, because it did warm my heart, and should, should warm folks who are doing the PCT Way program, was that one section, or actually throughout a majority of the proposed rule change sections, there was a real emphasis on this new term of deployment. Because they’ve seen that the sort of biggest and most impactful gap between the existing regulations and actual compliance is that folks are doing the more performative aspects, but aren’t actually implementing their policies and procedures in practice, or deploying the security measures that their policies and procedures say or what they do.
Liath Dalton
So the orientation to in practice application is what we need to be prioritizing, and the regulators themselves are also cognizant of that. So if you’re, even if you haven’t done the formal compliance process yet, but you are really making intentional decisions about establishing a strong security circle and keeping PHI within that security circle, you are on your way to managing this effectively.
Liath Dalton
So. Alright, folks, we hope that was helpful and indeed reassuring and has hopefully freed up some capacity to tend to the other needs in your practice and in your own life. Take good care, and we’ll chat to you next week.
Evan Dumas
Yeah. Bye, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.


Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we’re hoping to lower the level of distress around the proposed HIPAA Security Rule changes for therapy practice owners.
We discuss:
- What some of the proposed changes to the Security Rule are, including penetration testing
- The timeframe for these changes if they are implemented, and the likelihood they actually will be implemented
- The rationale behind the proposed changes, and why they’re necessary in our current threat landscape
- How following the PCT Way can minimize the changes you need to make as HIPAA regulations evolve
- Centering client care and safeguarding client info as a motivating factor, rather than fear

Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information
Resources:
- JD Supra article summarizing proposed HIPAA Security Rule Changes and context: New Year, New HIPAA Security Rule: OCR Adds to Health Care Entities’ New Year’s Resolutions
- HHS Fact Sheet on proposed changes: HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information
- Full text of the Notice of Proposed Rulemaking (NPRM) in the Federal Register: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information
- Comments on the NPRM (Note: you can also search the public comments by keyword; the ability to make comments closed on 3/7/25)
PCT Resources:
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners
- PCT’s HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more