
Alert!!! New HIPAA Requirements for 2025!!!
On January 6, 2025, the Department of Health and Human Services published in the Federal Register a proposed rule, "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information," containing new HIPAA requirements. The proposal is open for public comment until March 7, 2025. Once a final rule is published and takes effect, regulated entities, including dental offices, would have 180 days to comply. That is only six months, so the time to start preparing is now.
Interpreting the New Requirements
The document is 398 pages and I am trying to sort out the requirements. One major change: the distinction between "addressable" and "required" implementation specifications would be removed, so specifications previously listed as "addressable" would all become "required." Evidently, according to HHS, some regulated entities (including dental offices) treated an "addressable" implementation specification as optional. That interpretation is incorrect, and it weakens the cybersecurity posture of regulated entities. Under the current rule, "addressable" has never meant optional: an entity must either implement the specification or document why doing so is not reasonable and appropriate and implement an equivalent alternative measure.
The Cost of Non-Compliance
Cost is not a reason to dismiss these upcoming changes. According to HHS, breaches and unauthorized access carry significant costs of their own: financial, reputational, and more.
How Will the Changes Affect You?
Training
Training must be provided on the updates. We are already updating our materials and will offer a recorded version as well as live presentations to bring your office up to date.
HIPAA Policies
Policies must be revised to reflect the changes. For example, dental offices would be required to review their patch management process at least once every 12 months and modify it as reasonable and appropriate. The proposal also sets deadlines for applying patches: within 15 calendar days for critical-risk vulnerabilities and within 30 calendar days for high-risk vulnerabilities.
There are also more stringent requirements for monitoring and incident response policies and procedures, including a requirement to restore critical electronic information systems and data within 72 hours of a loss.
HIPAA Risk Analysis
The Risk Analysis must be written and specific, and it must be supported by a current inventory of technology assets and a network map, both reviewed and updated at least once every 12 months. Vulnerability scanning must be performed at least every 6 months and penetration testing at least every 12 months.
Business Associate Agreements
Business associate agreements must be revised to include a provision that a business associate that activates its contingency plan must notify you within 24 hours. Additionally, you must obtain from each business associate, at least once every 12 months, a written analysis of its technical safeguards and a written certification that those safeguards are in place. Delegating functions to a business associate, such as your IT vendor, does not transfer your responsibility: you remain responsible for compliance with the Security Rule.
Summary
Should you be concerned? Yes. Should you take action? Yes. If you are not on our Annual Audit Ready program, consider reactivating your service so we can bring your practice up to date. Stay informed about these new HIPAA requirements.
By Olivia Wann
