
IT Audit

Article 09.30.2024 Autumn Hines

Updating HIPAA regulations is a gradual process, starting with feedback requests from the Department of Health and Human Services (HHS) to address outdated or burdensome aspects of the law. Following this, a Notice of Proposed Rulemaking (NPRM) is issued, inviting industry comments before a Final Rule is released. Significant changes proposed for 2024 include changes to the HIPAA Privacy Rule and new requirements for patient access to their Protected Health Information (PHI).

Notably, the timeframe for responding to access requests is shortened, and mandates around electronic health records are clarified. Although these updates aim to streamline processes, they pose implementation challenges for healthcare organizations, including necessary training and policy adjustments. Additionally, HHS plans to propose new cybersecurity regulations by the end of 2024 to bolster patient data protection amid rising cyber threats.

Recent and Proposed Changes

Proposed New HIPAA Privacy Rule Changes

  • Patients can inspect their PHI in person and take notes or photos.
  • Access to PHI must be provided within 15 days (reduced from 30).
  • Transfers of ePHI to third parties are limited to what’s in an EHR.
  • Individuals can request PHI transfers to personal health applications.
  • Individuals should receive ePHI at no cost in certain situations.
  • Covered entities must inform individuals of their rights regarding PHI summaries.
  • Estimated fee schedules for PHI access must be posted online.
  • Individualized fee estimates for PHI copies are required.
  • A pathway is created to direct the sharing of PHI among entities.
  • Providers must respond to records requests directed under the HIPAA Right of Access.
  • The requirement for written confirmation of privacy notice provision is removed.
  • PHI can be disclosed to prevent reasonably foreseeable threats to health or safety.
  • Certain uses of PHI can be made in good faith for the individual’s best interest.
  • A minimum necessary standard is established for care coordination disclosures.
  • The definition of healthcare operations now includes care coordination.
  • Armed Forces can use or disclose PHI to all uniformed services.
  • A definition for electronic health records is added.

Transaction Code Set Update: three new codes added to enable electronic transmission of healthcare attachment transactions

HHS Healthcare Sector Cybersecurity Strategy Report

  1. Establish voluntary cybersecurity goals for the healthcare sector
  2. Provide resources to incentivize and implement cybersecurity practices
  3. Implement an HHS-wide strategy to support greater enforcement and accountability
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

In 2019, OCR maintained robust enforcement efforts, concluding the year with 10 settlements and civil monetary penalties amounting to $12,274,000. Toward the end of the year, OCR launched a new initiative to ensure compliance with the HIPAA Right of Access, which mandates that individuals receive timely access to their medical records for a reasonable, cost-based fee.

Penalty Structure for HIPAA Violations in 2024

Tier   | Level of culpability                          | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap
-------|-----------------------------------------------|-------------------------------|-------------------------------|-------------------
Tier 1 | Lack of knowledge                             | $137                          | $34,464                       | $34,464
Tier 2 | Reasonable cause                              | $1,379                        | $68,928                       | $137,886
Tier 3 | Willful neglect                               | $13,785                       | $68,928                       | $344,638
Tier 4 | Willful neglect (not corrected within 30 days)| $68,928                       | $68,928                       | $2,067,813

Filed Under: Healthcare, IT Audit Tagged With: Cybersecurity, Healthcare, IT Audit, Technology

Article 09.17.2024 Autumn Hines

The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) has been out since 2022 but is not yet in effect and has no clear timetable. It has been clear, however, that Department of Defense (DOD) contractors were expected to prepare for the compliance requirements. CMMC 2.0 got a step closer to reality in August 2024, when the DOD published a proposed rule in the Federal Register that outlines the enforcement of its updated cybersecurity standards under CMMC 2.0. This proposal, which amends the Defense Federal Acquisition Regulation Supplement (DFARS), aims to integrate CMMC 2.0 requirements across all DOD vendor contracts involving the following forms of information.

The proposed rule does not appear to change anything we know about CMMC 2.0, but it clarifies some expectations and moves us closer to a finalized and effective date.

This new proposal introduces enhanced requirements for contracting officers. They will be responsible for ensuring bidders meet CMMC compliance and must notify contractors when CMMC standards apply to a contract.

CMMC 2.0 represents a significant overhaul of the original CMMC 1.0, launched in 2019, which faced criticism for its cost and restrictiveness. The updated model simplifies compliance by operating at three levels based on the type of information handled. Companies at Level 1 can conduct self-assessments, while some Level 2 entities can also self-assess, though others will need third-party certification from C3PAOs. Level 3 companies must obtain certification from the DOD.

The proposed rule stipulates that contractors must present a current CMMC certificate or self-assessment at the contract award stage. This requirement extends to subcontractors, who must comply with CMMC standards if they handle sensitive information.

Other notable provisions of the proposal:

  • Contractors must maintain their CMMC level throughout the life of their contracts and affirm compliance annually or upon changes to their information systems.
  • Contractors are required to submit unique DOD identifiers for each system processing, storing, or transmitting covered information.
  • CMMC requirements must flow down to subcontracts and other contractual instruments, extending compliance obligations broadly within the supply chain.
  • Contractors must promptly notify contracting officers of any changes to their cyber systems or lapses in information security, with a 72-hour reporting window for significant changes.

The rule outlines a three-year phase-in period, during which CMMC requirements will initially apply to a subset of DOD contracts. Following this period, CMMC compliance will be mandatory for all relevant contracts. The public comment period for the proposed rule will close on October 15, 2024. If approved, the phased implementation could commence in 2025.

Filed Under: Cybersecurity, IT Audit Tagged With: Cybersecurity, Technology

Article 02.16.2022 Dean Dorton

The dust is still settling on the new CMMC release, officially called CMMC 2.0, and like any new CMMC-related announcement, it raises questions for all of us. Below are answers to some of the easiest, and fortunately the most important, questions from a practical perspective.

Before jumping into the questions, here is a comparison chart between CMMC 1.0 and 2.0.

CMMC 1.0                                          | CMMC 2.0
Cyber Hygiene Level    | Certification Method Required | Cyber Hygiene Level   | Certification Method Required
-----------------------|-------------------------------|-----------------------|------------------------------
Level 5 – Advanced     | C3PAO Certification           | Level 3 – Expert      | DoD Certification
Level 4 – Proactive    | C3PAO Certification           | Level 3 – Expert      | DoD Certification
Level 3 – Good         | C3PAO Certification           | Level 2 – Advanced    | C3PAO Certification
Level 2 – Intermediate | C3PAO Certification           | Level 1 – Foundational| Self-Assessment
Level 1 – Basic        | C3PAO Certification           | Level 1 – Foundational| Self-Assessment

(C3PAO = CMMC Third Party Assessor Organization. In CMMC 1.0 every level required C3PAO certification; CMMC 2.0 collapses the five levels into three, with the rows above showing which 1.0 level maps to which 2.0 level.)

Being proactive seemed like the right thing to do, did I waste time and money due to the regulations changing?

No, as long as you haven’t actually been certified as compliant. If you were confident of your CMMC 1.0 level, then you know your CMMC 2.0 level. The requirements haven’t changed, just the level number. There are discussions on whether additional requirements will be added to levels, but it does not appear they will be reduced.

All the preparation prior to being certified is the same for CMMC 1.0 and CMMC 2.0. Any gap or readiness assessments, information gathering, and remediation are the same for both CMMC versions. The real difference is one may qualify for performing a self-assessment and not need a C3PAO to certify.

How do I know if a self-assessment will meet our organization’s CMMC requirements?

Like CMMC 1.0, the RFPs and contracts will dictate the requirements. Level 1 organizations can perform self-assessments. Level 2 organizations that are not touching information critical to national security will be able to perform self-assessments. For those Level 2 organizations touching information critical to national security, a C3PAO certification will be required.

Has CMMC 2.0 changed the timeline for compliance?

The timeline with CMMC 1.0 was never definitive. The CMMC 2.0 announcement in November 2021 provided a 9 to 24-month timeline to complete the rulemaking process. RFPs and contracts will have CMMC level requirements on them once the rulemaking process is finalized. There is an indication the DoD wants to create incentives for contractors to be ready sooner rather than later.

What does this mean going forward?

The good news is that many organizations expecting to pay for a C3PAO certification will not be required to do so. Even if there is no time or no resources to perform a self-assessment in-house, using a third party to assist with a self-assessment will be less expensive than going through the C3PAO certification process. There is less liability and risk involved with a self-assessment, which allows third parties to assist with the readiness assessment, remediation, and ongoing assessment support. It is now even easier to get help if your organization falls into the self-assessment requirement.

Explore other IT Audit and Compliance Services we offer.

Contact your Dean Dorton advisor or other professional advisor for more information.
If you don’t have an advisor, but would like to speak with us, send an email to:
insights@deandortonstg.wpenginepowered.com

Filed Under: Cybersecurity, IT Audit, Services, Technology Tagged With: CMMC, CMMC 2.0, CMMC 2.0 Release, CMMC Update, Cybersecurity Maturity Model Certification


The matters discussed on this website provide general information only. The information is neither tax nor legal advice. You should consult with a qualified professional advisor about your specific situation before undertaking any action.

© 2026 Dean Dorton Allen Ford, PLLC. All Rights Reserved