window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-72416617-1');

HIPAA Cyber Security Updates in 2022

HIPAA Cyber Security Updates in 2022

By: Dean Dorton | April 7, 2022

The last major update to HIPAA came back in 2013, but all signs point to another update coming this year, in addition to, the minor changes and guidance previously established in February. Following is what to expect in 2022 from a data security, availability, and sharing perspective.

Cybersecurity | Healthcare | Technology

OCR Cyber Security Guidance for 2022

While not rising to the level of regulation, the OCR has provided guidance on what they see as critical best practices to perform to protect electronic health records. These best practices are largely in response to the threat of ransomware. As part of reviewing risk management policies and procedures, some best practices to include:

  • Maintain offline encrypted backups and regularly test backups
  • Conduct regular vulnerability scans on internet facing devices
  • Regularly patch operating systems and software
  • Train users on phishing and other common IT attacks
Recommended OCR Randsomware Resources

Breach Notification Rule of HIPAA

Requirements for data breach notification involving less than 500 individuals were modified in 2021.

*Change from previous Breach Notification Rule

Breach Notification to OCR Portal

Possible Modifications to HIPAA Rules

Healthcare organizations are the driver for updating HIPAA rules due to their desire to decrease the administrative burden of the current rules as well as remove provisions that limit or discourage the coordination of care. Changes to the rules are due sometime this year. Some of the elements under consideration are:

  • Changing the time frame for responding to patient requests to obtain copies of health information
  • Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
  • Easing the restrictions on disclosures of PHI without authorization
  • Changes to HITECH Act requirements for the tracking disclosures of PHI for treatment, payment, and healthcare operations
  • Encouragement of information sharing for treatment and care coordination
  • Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
  • Expansion of healthcare clearinghouses access to PHI
Upcoming OCR Changes

HIPAA Violation Penalties May Change

While penalties don’t necessarily relate to data security, availability and sharing, the reality is a data breach is typically going to be significantly costlier than paper-based or process-based violations. It takes knowing the penalty of “losing” to justify the investments needed. Doing everything to avoid a data breach still can’t guarantee avoiding it. Unfortunately, it’s a contest between us and the bad guys, with a data breach being a lost battle.

Current HIPAA Violation Information

Contact Us

Kevin Cornwell, CPA, CISA, CITP
IT Audit Associate Director
kcornwell@ddaftech.com • 502.566.1011

Have a question? Click here to contact this representative.

Previous Next

Related Posts

Unlock your growth potential with practical and strategic business advice.

© 2023 Dean Dorton Allen Ford, PLLC • All Rights Reserved

The matters discussed on this website provide general information only. The information is neither tax nor legal advice. You should consult with a qualified professional advisor about your specific situation before undertaking any action.

We use cookies to improve your experience and optimize user-friendliness. Read our cookie policy for more information on the cookies we use and how to delete or block them. To continue browsing our site, please click ok. Ok
Go to Top