Legislation

HIPAA Extreme Risk Protection Orders
Best Practices, HIPAA, Legislation

HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders

December 20, 2021 Comments Off on HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders

December 20, 2021 To combat HIPAA’s common misconception of acting as a barrier law, the Department of Health and Human Services (HHS) along with the Office for Civil Rights (OCR) has continued to emphasize that the law does not simply prohibit PHI disclosure altogether but rather permits the safe sharing of relevant information when necessary.  While we’ve recently seen information published in response to HIPAA’s role in a public health emergency and disclosure of vaccination status – just today the government issued guidance addressing another widely important concern. The latest announcement helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information (PHI) for the purpose of extreme risk protection orders (ERPO) and to prevent an individual in crisis from accessing firearms. This guidance follows suit with the U.S. Department of Justice’s model extreme risk protection order legislation and aims to support law enforcement, family members and others who intervene in an effort to prevent firearm injuries and deaths. The issued guidance speaks to HIPAA’s requirements in relation to ERPO laws, stating that the Privacy Rule does allow a health care provider to disclose PHI in support of an application for an ERPO against an individual in limited circumstances. HIPAA allows entities to share an individual’s PHI without authorization if they feel that the individual poses a danger to themselves or others, if the disclosure is required by law, or when the disclosure is in response to an order of a court or other lawful process. It details specific examples for each permission along with general considerations for meeting the Privacy Rule’s “minimum necessary” standard. This standard requires covered entities and business associates to make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the use or request. In response to the issued notice, recently appointed OCR Director, Lisa J. Pino states that, “HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis. Today’s guidance helps clarify legal requirements and to better support individuals in crisis.” This guidance is essential in not only improving the public’s safety but clarifying any confusion that could get in the way of doing that. “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.” HIPAA plays a key role in not only protecting the privacy and security of patients’ health information but permitting health care providers to intervene in a safe and appropriate matter if ever necessary. So when it comes to keeping your patients and your practice’s best interest at heart, understanding HIPAA law and following guidance such as the one released today, is vital.  

Proposed 2022 HHS Budget
HIPAA, Legislation

What the Proposed 2022 HHS Budget Says About the Future of HIPAA & Cybersecurity

July 15, 2021 Comments Off on What the Proposed 2022 HHS Budget Says About the Future of HIPAA & Cybersecurity

July 15, 2021 HIPAA compliance has seemed to be on the government’s radar more than ever before. In just the past year, we’ve seen record-breaking Office for Civil Rights (OCR) enforcement, proposed Privacy Rule updates and the implementation of the HIPAA Safe Harbor Law and the 21st Century Cures Act – two new sets of legislation centered around healthcare, technology, and patient rights. So with the spotlight set on protecting the privacy and security of health data during a time where reliance on technology is especially prevalent – it should come as no surprise that the government’s newly proposed budget features a heavy focus and increase in funding for this area specifically.  What’s in the proposed budget?  The Biden Administration recently released their proposed 2022 budget for the Department of Health and Human Services (HHS) in early June. The proposal calls for additional spending to better protect the healthcare industry from evolving cyber threats and support government efforts in enforcing compliance among covered entities. So exactly how much of a budget increase are they requesting and what does that tell us about the future of HIPAA compliance? While those dollar figures are already a good indicator of where we can expect the government to continue its focus – ensuring that patients’ health data is properly protected goes beyond those hefty price tags. Fiscal 2022 proposed budget also seeks to add 39 staff members to the OCR, bringing the employment total to 229, and acknowledges that the “OCR will engage in rulemaking to further strengthen individuals’ rights to access their own health information, improve information sharing for care coordination and case management and reduce administrative burdens.” So just as recent enforcement numbers have proven the governments’ awareness of noncompliance and influx of cyberthreats has shed light on a lack of proper security protections amongst healthcare providers – this proposed budget provides a ‘crystal-ball’ prediction of what we can expect to see moving forward. Adding in millions of dollars to the budget and expanding the task force in these relevant government agencies will produce even more resources available to ensure all covered entities are best protecting health data privacy and security. And although the new budget is not finalized as of yet, the upcoming changes to the Privacy Rule and commitment outlined within the proposal to improve upon government rulemaking is a clear sign that their emphasis on HIPAA and other health IT-related laws is not going away anytime soon.  What does this mean for you?  First off, meeting HIPAA and cybersecurity requirements is essential to protecting your practice and your patients from a data breach or HIPAA violation. While these are certainly things that should be prioritized regardless of the government’s spending plans, the proposal creates even more urgency in ensuring that you have these necessary safeguards in place. So as the government continues to hone in their focus on health data privacy and security, your practice should too – and having a complete compliance AND security program is the perfect place to start.

Privacy Rule Proposed Modifications
HIPAA, Legislation

Privacy Rule Proposed Modifications | Public Comments Released

July 8, 2021 Comments Off on Privacy Rule Proposed Modifications | Public Comments Released

July 8, 2021 Remember those Privacy Rule modifications that the Department of Health and Human Services (HHS) proposed late last year? Well, after adding a 45-day extension on the public comment period back in March, the responses submitted have finally been made available – giving us some additional insight on what we can expect to see when the updates are officially finalized.   For anyone looking for a light-read while they drink their morning coffee – diving into the official HHS document might not be for you. The proposal included a lengthy list of changes centered around increasing permissible disclosures of protected health information (PHI) and enhancing care coordination and case management. As the healthcare industry has evolved, so have the necessary requirements for protecting data privacy and security – and these modifications address several issues that have become the source of widespread non-compliance over recent years. One of the major areas of focus should come as no surprise considering the initiative that was declared in 2019 to enhance enforcement for patient right of access violations – and the 19 different settlements that have resulted from it so far. So in looking at how the Privacy Rule changes plan to improve this issue, some of the major proposed provisions include: In addition to addressing patients’ right of access, the proposed modifications also clarify certain definitions and phrasing that oftentimes leads to confusion and misunderstanding by providers and patients. Some of these updates include: While the examples provided are only a snapshot of the full list of proposed modifications, each update follows suit with the evolving environment in the healthcare industry and covers relevant concerns felt by both providers and patients. So much so, that the comment period extension was made due to such a “high degree of public interest” and amounted to a total of 1,391 comments submitted in response to the HHS’s proposal.  So what can we expect?  These proposed modifications take into consideration the public comments received on the OCR’s 2018 RFI that requested public input on how HIPAA rules could improve to better “support care coordination and case management and promote value-based care while preserving the privacy and security of PHI.” Each provision is a direct reflection of the key themes identified in the public opinion received back in 2018 and addresses issues like administrative burdens and the need for improving upon patient rights. So although we don’t have a time machine to jump ahead and see what exactly the final rule will entail, we can pretty confidently say that these concerns addressed in the HHS document will continue to be a focus in regulatory amendments and government enforcement. And the high volume of public interest clearly depicts the impact and value that enacting these changes will have on patients and providers. When will you need to comply  As far as knowing the what and when of the final ruling – we don’t quite have a definitive answer. But it’s important for all covered entities to be aware and prepared for the expectations of complying with the modified Privacy Rule provisions when they are made official. According to the HHS, “The effective date of a final rule would be 60 days after publication.” Additionally, entities will still have 180 days from that effective date to update or implement policies and procedures to achieve compliance with these new standards.  So when it comes to the timeframe for when the government will actually start enforcing the new compliance standards, you have 240 days of breathing room once the final rule is published. BUT based on the HHS’s acknowledgment that the impact of adhering to these new guidelines will involve “covered entities actions to re-train their employees on, and adopt policies and procedures to implement, the legal requirements of this proposed rule” we highly recommend taking an ‘early bird gets the worm’ approach for compliance. Having a complete HIPAA program in place along with a full understanding of the potential changes that could be coming your way is the best way to ensure that your patients’ data is best protected and your practice is best prepared for avoiding a HIPAA violation and fine.

The 21st Century Cures Act
HIPAA, Legislation

Premiering Now | The 21st Century Cures Act

April 2, 2021 Comments Off on Premiering Now | The 21st Century Cures Act

April 2, 2021 Roll back the curtains and cue the drumroll because it’s the moment we’ve all been waiting for… the 21st Century Cures Act is finally making it’s big debut. The newest legislation directed by the  Office of the National Coordinator for Healthcare Technology (ONC) is officially effective on April 5, bringing several advancements to healthcare and technology that are sure to live up to the hype. So if you’re a healthcare provider and you use any sort of healthcare application, we hope you have your popcorn ready because this one’s for you!  So let’s take it from the top – what even is the 21st Century Cures Act? The HITECH Act and more recently the HIPAA Safe Harbor Law have already set the stage, providing legislative requirements that put technology and healthcare in the spotlight. But the Cures Act goes one step further as the sequel to these health IT related laws, outlining how practices and healthcare app developers can overcome the balancing act of giving patients easy access to their electronic protected health information (ePHI) while still maintaining data privacy and security.  Ultimately, patients play the starring role in the Cures Act requirements. Getting the red carpet treatment to access their health records in the ways that they want to receive it – whether that be an app, another EHR, or similar electronic system. Having this ‘patients-first’ focus is at the center of HHS’s work toward a value-based health care system and enables:  How does it impact me?  This star-studded set of legislation features a ton of improvements for healthcare and technology that you definitely don’t want to miss.  So now what?!  Wondering how this new law changes HIPAA requirements? Spoiler alert – it doesn’t. All of those HIPAA requirements surrounding data privacy and security, proper disclosure, and patient record access requests are still featured within the new legislation and should not be forgotten. Having a complete HIPAA compliance program in place is the groundwork for protecting patient data, and underscores what the Cures Act entails.  Now, if recent enforcement efforts haven’t given you enough of a preview, the government is a tough critic for noncompliance. So much so that in the latest round of HIPAA audit results, 94% of covered entities’ compliance efforts were rated as a total flop. So having a complete compliance program that meets all requirements (including the new ones we just covered) is key to keeping your practice out of the limelight of enforcement and avoiding an Oscar-worthy HIPAA fine.    

Period for Proposed HIPAA Privacy Rule Modifications
HIPAA, Legislation

Comment Period Extended for Proposed HIPAA Privacy Rule Modifications

March 11, 2021 Comments Off on Comment Period Extended for Proposed HIPAA Privacy Rule Modifications

March 11, 2021 HIPAA law is officially getting with the times thanks to the proposed Privacy Rule modifications that are giving the “prehistoric law” a new modernized look. While the planned updates were officially announced last December, the Department of Health and Human Services (HHS) has just added a 45-day extension on the comment period – giving the public some more time to weigh in on what they want they want the updated legislation to cover.  The original HIPAA Privacy Rule came on the scene in 2003 – you know, like when disposable cameras and listening to Shake Ya Tailfeather by Nelly on your iPod were cool? With as much as technology has changed the world around us, it only makes sense that the laws governing data protection follow suit. Especially since they haven’t changed since being created in the “stone-ages.”  The new proposed changes go hand-in-hand with the evolving needs of patients and providers to address the issues of patient right of access and “unnecessary regulatory burdens.” Each of these have proven to be trending areas of focus in recent OCR enforcement efforts with three out of the four settlements announced in 2021 resulting from right of access complaints. But improving patient rights and boosting care coordination isn’t only in the government’s best interests, “OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” Acting OCR Director Robinsue Frohboese stated in response to the recent announcement. “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.” Now, we know what you’re probably thinking – is there really a high degree of public interest over HIPAA???? While the idea might come as a bit of a surprise – the major spike in patient complaints, data breaches, and government enforcement seen over just the past year have given the law some new-found fame. And since everyone loves a good comeback story, this HIPAA revival has proven that staying up on the latest and greatest in regulation changes is worth keeping on your radar.    So, even though the new extension buys you some more time to comply with the proposed updates – it’s never too early to meet mandatory HIPAA requirements. Unfortunately, the reality is that most practices today would need to perform an excavation, chiseling through mountains of dust, to bring their HIPAA compliance program out of the dark ages. If your compliance program resembles something that hasn’t been touched since Tom ruled MySpace, getting up with the times is not an option and upgrading to an electronic HIPAA solution is the perfect place to start.   Want to put in your ‘two cents’ on the proposed Privacy Rule updates? Just visit the Federal Register to read the official rule proposal and submit your comments!   

What is the Breach Notification Rule?
Best Practices, HIPAA, Legislation

What is the Breach Notification Rule?

February 12, 2021 Comments Off on What is the Breach Notification Rule?

February 12, 2021 Don’t shoot the messenger, but HIPAA breaches continue to skyrocket over the last few years – making your practice increasingly likely to experience a breach related to cyberthreats, human error, or other means. While we wish we had better news, we CAN at least help make sure that if a breach were to occur you’ve got the low down on one of the less common, but very relevant, aspects of HIPAA – the Breach Notification Rule. Any type of breach of patient data (verbal, technical or paper-based) counts as a breach of information. The OCR has some specific requirements for you to follow in the event of a breach – namely, what types of notifications are required and who needs to be alerted if the worst should occur. So while we’re not wishing a breach on anyone, let’s walk through the key aspects of what to do next – just in case – when it comes to responding to a breach.  Step One: Assessing a Breach First, whether your breach is suspected or pretty much a done deal, you need to assess the breach and determine the who, what, when, where and how of the incident. This is essential to finding out whose data is affected as well as what the likely ramifications are of the breach, and will inform how you handle breach notifications. Step Two: Notifying the Right Parties Once you’ve finished assessing a breach, you’ve only explored the tip of the iceberg. You know you have a major issue on your hands – so now what? Your first step is to get the right people – affected patients – informed as well as notify the Department of Health and Human Services (HHS) in all cases where a malicious or unknown breach has occurred. You may also have some state-specific parties that need to be notified as well, though this varies by your specific practice location. Step Three: Providing the RIGHT Information There are quite a few specifics that must be included in your apology letter, and just to make things even more complicated, states have different requirements here as well. A few of the basic elements include a brief description of what happened, the suspected or confirmed dates of the incident, and a description of the type(s) of protected health information (PHI) involved, any steps individuals should take to protect themselves from any potential harm, and a description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals, and to protect against any further breaches. You’ll likely also need to include contact information for affected parties to reach out to for additional questions. Step Four: Providing TIMELY Information We’re sure it’s no surprise that your practice doesn’t have carte blanche control over when you provide breach notifications. The OCR actually lays out some pretty specific timelines here, including that:  Either way, reports should always be done through the HHS breach portal, and we highly recommend submitting those breaches as soon as possible to proactively correct and mitigate any threats (and any resulting HIPAA fines you might be up for as well). Additional Steps While data breaches are usually out of anyone’s control, the way your practice actually handles the incident is the important part – and will help you avoid a resulting HIPAA fine. This is probably the never several steps in our book – not only handling the breach notification rule requirements but also mitigating the threat(s) and preventing future violations. There are likely other specific requirements you need to meet as well (by state again…seriously, don’t shoot the messenger!) and having a complete HIPAA program, including breach notification policies and procedures, will help you get the right information for your specific scenario and check all requirements off your list.

2020 HIPAA Breaches Reporting Deadline
Best Practices, HIPAA, Legislation

2020 HIPAA Breaches Reporting Deadline is March 1st

February 5, 2021 Comments Off on 2020 HIPAA Breaches Reporting Deadline is March 1st

February 5, 2021 2020 was certainly not the year anyone planned, and despite your best intentions, the transition to remote operations and reliance on new technologies may have led your practice to experience a (hopefully minor) HIPAA breach last year. If you had a major breach (500+ patients affected) you’re a little late to the reporting party (breaches affecting over 500 patients should be reported within 60 days, or sooner depending on your state). If fewer patients were affected and you only had a minor breach on your hands, mark your calendars for the upcoming small breach reporting deadline on March 1st.  What types of incidents are HIPAA breaches, and how do I know if I have to report it? Any instance in which protected health information (PHI) was exposed in violation of the HIPAA Privacy Rule or HIPAA Security Rule counts as a breach of HIPAA. This could be as small as sending an email containing PHI to the wrong person, or as big as a hacking incident affecting hundreds of patient records. While we wish there was a ringing alarm to signal a breach has occured, many breaches aren’t as easy to detect. If you just aren’t sure, first assess the scenario to help make that determination – particularly what the risk is that the PHI possibly exposed would be used for ‘malicious intent’. We’re big believers in the “better safe than sorry” mentality, and recommend reporting any incident that could be a breach to meet all the necessary reporting requirements.    What qualifies as a ‘small’ HIPAA breach? HIPAA classifies minor breaches as incidents impacting 500 individuals or less. Even if the breach only involved a single patient, it still counts as a breach and should be reported no later than 60 days after the end of the calendar year (aka, March 1st). The ONLY case in which a breach of this kind might not need to be reported is if you can determine with absolute certainty that the data exposed won’t be misused or has been permanently deleted. (P.S., if your breach fell into that 500+ patients bucket, while you’re a little behind we still recommend submitting a late report, instead of no report at all, to reduce the penalties you might face.) What if my business associate experienced the breach, do I have to report it?  While the Office for Civil Rights (OCR) does encourage business associates to report breaches themselves, the responsibility of getting the report in correctly and on time ultimately falls on the practice. If one of your third-party vendors experienced a breach in 2020, it’s best to check with them to ensure that the breach was reported or report the breach yourself to make sure you’re covered (again – better safe than sorry!). Even if you have a Business Associate Agreement (BAA) in place with the vendor and an incident is completely out of your hands, failing to report the breach by the deadline can still result in HIPAA fines.      Reporting HIPAA breaches of any kind is extremely important to avoiding further fines and penalties. If you do have to make a report – you’re not alone. Only 44% of healthcare organizations actually meet cybersecurity standards, meaning a LOT of organizations wind up with data breaches even if they have solid HIPAA programs in place. There is some good news however with the new HIPAA Safe Harbor Law. You could qualify for reduced HIPAA fines if and only if you can prove that your practice has had the necessary technical safeguards and HIPAA requirements in place for 12 months before the breach. So, the short version? Make sure you report ANY possible or confirmed small breaches that occurred in 2020 by March 1st to avoid further penalties. If you DON’T have a HIPAA program in place but still have a breach to report we highly recommend getting a program in place ASAP to help reduce possible fines or other penalties.  

The HITECH Act
HIPAA, Legislation

What is the HITECH Act and How Does it Relate to HIPAA?

January 28, 2021 Comments Off on What is the HITECH Act and How Does it Relate to HIPAA?

January 28, 2021 Trying to understand all of the complicated rules and regulations your practice needs to follow can sometimes feel like keeping up with the Joneses – but HIPAA isn’t the only compliance rulebook your practice needs to follow, and other laws (both new and old) impact your practice operations and your HIPAA compliance program – enter the HITECH Act.  Whether it’s your first time visiting our news page (welcome!) or you’re a regular reader (welcome back!) you might’ve seen last week’s article covering the new HIPAA Safe Harbor bill that offers practices reduced HIPAA fines IF they have reasonable security safeguards already in place before a breach. The bill amends the HITECH Act to incorporate this change, but if you aren’t even sure what the HITECH Act really is, let’s take a step back and cover what the Act means for you and where these new changes come into play.  The What The ‘Health Information Technology for Economic and Clinical Health’ Act, or HITECH Act (much easier to say), was signed into law way back in 2009 to essentially promote the implementation of health information technology, specifically the use of electronic health records (EHRs), by healthcare providers. Transitioning from paper to electronic records was (and still is) time-consuming and costly, and the HITECH act provided incentives for making the switch – while also ensuring that healthcare organizations along with their business associates remained in line with HIPAA law as they upgraded their systems.  The Why So you might be thinking – well doesn’t HIPAA law already promote the secure usage of EHR’s? You’re right (high five!) but the HITECH Act goes one step further and expands the enforcement and strength of HIPAA regulations related to technical requirements within the HIPAA Privacy and Security Rules. Thanks to the HITECH Act, violation tiers were introduced, increasing financial penalties for HIPAA violations and ultimately giving the Office for Civil Rights (OCR) more money in the bank to go after non-compliant covered entities.  The HITECH act was also designed to answer questions around how to offer the same HIPAA protections to electronic protected health information (ePHI), not just physical PHI, as practices went digital. This included: Where the HIPAA Safe Harbor Bill Fits In Fast forward to 2021, and all the same needs the HITECH act was introduced to fill still apply. However, the newly signed HIPAA Safe Harbor Bill helps to reinforce the value of these security measures with the new incentives offered and opportunity for reduced fines – and it’s one of the few pieces of new legislation you should actually feel GOOD about! So whether it’s HIPAA, HITECH, or the brand new Safe Harbor Bill – understanding and complying with each and every one of their requirements is essential to protecting your patients.  Still not quite sure about what’s required? Don’t sweat it! Schedule a free consult with one of our HIPAA experts today to ensure you’re up to speed.

COVID-19 Public Health Emergency Extended
HIPAA, Legislation

Public Health Emergency Extended Again: What it Means For Your Practice

January 22, 2021 Comments Off on Public Health Emergency Extended Again: What it Means For Your Practice

January 22, 2021 I don’t think anyone will be surprised to hear the latest Department of Health and Human Services (HHS) announcement that waivers related to the Public Health Emergency (PHE) – affecting telehealth, COVID-19 information sharing, and more – are (you guessed it) extended! Originally expiring January 21, 2021, waivers were instead extended again until April 20, 2021. While we all hope COVID-19 is behind us sooner rather than later, we won’t be surprised if waivers are extended again in April (after all, we’ve rung the false alarm 4 times now in saying that the PHE is expiring). Even if the light at the end of the COVID-19 tunnel takes a little bit longer, waivers will still expire, and the sooner your practice is prepared for that day – the better. When it does happen, the PHE expiring won’t mean that life will snap back to the way it was pre-pandemic (as much as we all wish that it could). What it does mean is that normal HIPAA regulations will regain effect – and that your practice needs to have the necessary compliance requirements ready to go if they aren’t already. So let’s recap what changed over the course of 2020 and what’s expected of your practice to remain in compliance when normal HIPAA enforcement kicks back into gear: PHI Disclosures Business Associates  Telehealth  2020 was a historic year for more reasons than just the National Public Health Emergency, and HIPAA enforcement saw record-breaking highs over the past 12 months. We can only expect these efforts to continue in 2021 especially once HIPAA waivers officially expire. If HIPAA is on your list to tackle in 2021 – and it should be, with recent legislation reducing fines for breaches if compliant – determining where you stand now and addressing any areas you’ve relaxed compliance in is a great first step!

HIPAA Safe Harbor Law
HIPAA, Legislation

What is the New HIPAA Safe Harbor Law?

January 14, 2021 Comments Off on What is the New HIPAA Safe Harbor Law?

January 14, 2021 There’s a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice’s HIPAA program, but there’s at least one change we think you should be pretty thrilled about. We’re usually pretty happy about HIPAA (we know, we’re weird, but we’ve accepted it) – but what should make your practice just as happy? Well, after an unprecedented year of cyber threats and HIPAA enforcement, recently ratified changes to the HITECH Act include some really good news – reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place. What Changed HR 7898, or the HIPAA Safe Harbor Bill, was officially signed on January 5th, 2021, and amends the HITECH act to require the Department of Health and Human Services (HHS) to take into account if practices have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements.  Translation: if you have the right HIPAA Security Rule basics down, and appropriate technical safeguards to mitigate your identified threats, you’ll be able to stress less when a breach occurs – and see a lot fewer $$$ from the HHS. See why it’s not just us that should be happy about this one?  What Else to Know So smaller fines is a major plus – but what’s the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives:    The next question – what does “recognized cybersecurity practices” mean?  What to do NOW To put it frankly, if you don’t have the required security standards in place already – it’s time to get a move on. Implementing these recognized security practice’s could mean the difference between a hefty fine or enforcement effort in the case that your practice ever falls victim to a data breach or other HIPAA violation – which is often out of your control.  What’s really important about this law change is that having some cyber security measures in place does not cut it – if you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, documentation, and more) you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – and to get the benefits of reduced fines, you’ll need both.