HCBA Lawyer Magazine No. 35, Issue 4 | Page 43

Proposed Rulemaking to Significantly Revise HIPAA Security Rule
Health Care Law Section
Continued from page 40
such as “electronic information system,” “technical controls,” and, most notably, “multi-factor authentication,” which could become a requirement to ensure that the appropriate user is accessing ePHI;
2. Under the existing Security Rule, the regulated entity has flexibility to determine whether a safeguard in place is reasonable and appropriate. The proposed rule could change this concept to ensure that the necessary standards are met, although some flexibility could remain for regulated entities to account for their specific needs;
3. Backup systems could be required to be able to restore copies of ePHI that are no more than 48 hours older than the ePHI maintained in the electronic information systems;
4. Encryption practices could be revised, as under the proposed rule all transfers of ePHI would require encryption, with limited exceptions;
5. Regulated entities could be required to:
• develop an inventory of technology assets and a network map to determine how ePHI is used within their systems. There could be a requirement to document and audit such efforts at a minimum of every 12 months;
• document any activity that could present a risk to ePHI, which may require monitoring the use and transmittal of ePHI; and
• conduct vulnerability scans at least once every six months and penetration testing of an electronic information system at least once every 12 months.
Although business associates are responsible for complying with the Security Rule, the proposed rule places additional requirements on covered entities that engage business associates. Regulated entities may have to include the business associate’s involvement in their network mapping and technology asset inventory, except where the business associate solely controls the ePHI. Regulated entities could have to verify that the business associate has implemented the technical safeguards required by federal regulation by obtaining written verification, on an annual basis, from a qualified individual acting on behalf of the business associate. Additionally, new and existing business associate agreements may need to require notification of the activation of a business associate’s contingency plan no later than 24 hours after activation.
Day-to-day healthcare operations could be affected by the proposed rule, which may require revising existing policies, training employees, conducting compliance audits to confirm that the six-month and yearly evaluations have been completed, and evaluating current and future business associate relationships. If implemented, regulated entities would have 180 days to reach compliance, with a longer transition period for the business associate requirements. For more information on the proposed rule, the comment period, and upcoming deadlines, please visit federalregister.gov.
Author : Rebecca Siviglia – Moffitt Cancer Center
Mar-Apr 2025 | HCBA Lawyer | 41