February 3, 2025

We’ve already seen that 2025 will be a year of major healthcare compliance changes, with the OCR releasing the long-awaited updates to the Security Rule proposal. Just as the HIPAA rules are being updated, OSHA will likely update key legislation for healthcare workers. Healthcare workers experience the highest rates of workplace injuries, with an average of 3.6 injuries for every 100 employees. Healthcare environments can present many hazards, so it is essential that your staff knows how to prevent and mitigate dangerous situations. While some OSHA initiatives have not been finalized, OSHA has already started the year with legislation that impacts healthcare workers.

Increased Penalty Costs

As in previous years, OSHA has once again raised its penalty amounts. The penalty for serious and other-than-serious violations has increased from $16,131 to $16,550 per violation due to inflation. The maximum penalty for repeated and willful violations has also increased from $161,323 to $165,514 per violation. This highlights that OSHA is committed to setting an example through monetary penalties. It’s safe to say that this adjustment will continue to be an annual increase.

Consolidating COVID-19 Regulations

It’s an understatement to say that COVID-19 devastated and transformed healthcare. Nearly five years after it was classified as a pandemic, the proposed healthcare OSHA COVID-19 regulations were officially scrapped in early January. Over the past years, COVID-19 regulations have changed repeatedly: the Emergency Temporary Standards required distinctive protocols to follow and then expired, and a proposed rule for COVID-19 mitigation in healthcare settings waited for years to be passed. Now, OSHA’s COVID-19 legislation for healthcare will be rolled into a broader infectious disease rule, which is expected to be finalized in 2025.
This comprehensive rule is expected to require a COVID-19 recordkeeping log, but little else that focuses specifically on COVID-19.

Federal Workplace Violence Legislation

Healthcare workers are five times more likely to be attacked at work than workers in any other industry. We’ve seen state-level legislation announced requiring specific logs, training, heightened penalties, and more to mitigate workplace violence in healthcare, but federal legislation is still being drafted. Currently, workplace violence falls under OSHA’s General Duty Clause, which requires organizations to maintain “a place of employment which are free from recognized hazards.” This federal legislation is expected to be announced in 2025. It will likely mirror what state legislation requires, so please review your state’s legislation regarding workplace violence prevention in your practice.

What’s Next?

As new legislation is announced, it’s vital for your practice to maintain an organized OSHA program. New laws, especially those focused on workplace violence prevention, will require additional training, logs, and more. Turning to smart software can allow your practice to simplify and streamline compliance. Cloud-based software automatically updates with the latest legislation, providing your practice with a clear path to compliance. To learn more about how your practice can achieve OSHA compliance, meet with our experts today.
The HIPAA Security Rule is Changing: Is Your Practice Ready?
January 23, 2025

The HIPAA Security Rule went into effect in 2003, and it’s an understatement to say that technology has changed quite a bit since then. The Office for Civil Rights has released proposed updates for the HIPAA Security Rule. After a historic year of breaches, this legislation comprehensively strengthens the current Rule. This is the first update of the legislation in a decade. Many of the new requirements simply reinforce existing recommendations within the Security Rule, turning best practices into mandates. This legislation is the result of the significant rise in cyber attacks and the OCR’s repeated findings of noncompliance when investigating Covered Entities and Business Associates. Although the proposed rule has not yet been finalized, legislation will likely be enacted within the next year, given bipartisan support for protecting patient data.

What is the HIPAA Security Rule?

The Security Rule, a critical component of HIPAA, centers on stringent guidelines for managing electronic Protected Health Information (ePHI). These guidelines encompass a wide range of safeguards, including physical, administrative, and technical ones, all designed to ensure the protection of sensitive patient data. One of the most significant components of the Security Rule is completing a Security Risk Analysis (SRA). The SRA sets a benchmark for your practice and assesses what your practice currently does to protect patient data. This analysis covers safeguards ranging from physical measures, like door alarms, to technical precautions, like properly encrypting files. The OCR expects this analysis to be performed yearly, and the proposal continues to emphasize it. In this new proposal, the OCR strictly defines the SRA as a yearly requirement with more guidelines on specific questions. The OCR has introduced eight implementation specifications for risk analysis.
This also includes a thorough analysis of potential natural disasters and of the consequences if a Business Associate were breached. In fact, the government has introduced a Risk Analysis Initiative, fining practices and businesses that do not complete this analysis. While this assessment is a major component of the rule, once vulnerabilities are identified, it’s up to your practice to implement the safeguards that protect your patients.

What’s Changing?

This proposed rule mandates that Covered Entities and their Business Associates implement certain proactive measures that were previously only strongly recommended, such as multi-factor authentication. As technology has greatly advanced since the introduction of this rule, there are also more requirements focused on system management, including required anti-malware protection, disabling unused network ports, and a network map showing which devices are connected to which networks in an organization. Network segmentation is another advancement of the rule, requiring practices to use different networks based on access to specific information. New policies and procedures will also be required if this proposal goes into effect. For instance, contingency plans will be required, showing what a practice or business plans to do within 72 hours if it is breached. Additionally, practices need to have a transition plan for when staff leave, and they need to notify other regulated entities when a staff member’s access to ePHI is changed or terminated. Business Associates (BAs) will also face stricter requirements when working with Covered Entities. If breached, BAs must notify their Covered Entities within 24 hours. BAs will also now have to have their compliance program certified by a Subject Matter Expert in cybersecurity on a yearly basis, ensuring that the business is taking the right steps to protect patient data.

What Can I Do?

While this rule is still within its comment period until early March, it could be enacted this year. Being aware of upcoming HIPAA legislation and preparing your practice is vital. Working with a smart compliance solution can take the pressure off, with compliance experts updating their systems to ensure their users will be compliant with new laws. Looking to understand HIPAA compliance for your practice before new laws take effect? Schedule a consultation with one of our experts today.
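The technical safeguards listed under “What’s Changing?” above (MFA on ePHI systems, anti-malware, closing unused network ports, a network map, segmentation, and the 24-hour Business Associate notice) are the kind of controls a practice can check against its own device inventory before an SRA. The script below is an added example written for this page; it is not the OCR’s tooling, not the vendor’s software, and the inventory records, field names, and the mapping of each check onto the proposal’s wording are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Constructed inventory record (not real data): one device on the practice network.
@dataclass
class Device:
    name: str
    segment: str            # which network the device sits on (feeds the "network map")
    handles_ephi: bool      # does the device store or access ePHI?
    mfa_enabled: bool
    anti_malware: bool
    listening_ports: set = field(default_factory=set)   # ports actually open
    required_ports: set = field(default_factory=set)    # ports the device needs


def check_device(dev: Device) -> list:
    """Per-device gaps against the proposal's named technical safeguards (assumed mapping)."""
    findings = []
    if dev.handles_ephi and not dev.mfa_enabled:
        findings.append("missing MFA on ePHI system")
    if not dev.anti_malware:
        findings.append("no anti-malware protection")
    unused = dev.listening_ports - dev.required_ports
    if unused:
        ports = ", ".join(str(p) for p in sorted(unused))
        findings.append("unused network ports open: " + ports)
    return findings


def network_map(devices: list) -> dict:
    """Segment -> sorted device names: the inventory view the proposal calls a network map."""
    by_segment = {}
    for d in devices:
        by_segment.setdefault(d.segment, []).append(d.name)
    return {seg: sorted(names) for seg, names in by_segment.items()}


def mixed_segments(devices: list) -> list:
    """Segments that mix ePHI and non-ePHI systems, i.e. where segmentation is incomplete."""
    flags = {}
    for d in devices:
        flags.setdefault(d.segment, set()).add(d.handles_ephi)
    return sorted(seg for seg, seen in flags.items() if seen == {True, False})


def assess(devices: list) -> dict:
    """Full gap report: per-device findings, segmentation gaps and the network map."""
    return {
        "devices": {d.name: check_device(d) for d in devices},
        "mixed_segments": mixed_segments(devices),
        "network_map": network_map(devices),
    }


def ba_notice_due(detected_at_iso: str) -> str:
    """Latest time a Business Associate must notify its Covered Entity (24-hour window)."""
    detected = datetime.fromisoformat(detected_at_iso)
    return (detected + timedelta(hours=24)).isoformat()


# Constructed sample inventory for a small practice (hypothetical names and values).
SAMPLE = [
    Device("ehr-server", "clinical", True, True, True, {443, 22}, {443, 22}),
    Device("front-desk-pc", "clinical", True, False, True, {3389, 445}, set()),
    Device("label-printer", "clinical", False, False, False, {9100}, {9100}),
    Device("billing-laptop", "office", True, True, True, {22, 5900}, {22}),
]

if __name__ == "__main__":
    report = assess(SAMPLE)
    for name, findings in report["devices"].items():
        print(name, "->", findings or "no findings")
    print("segments mixing ePHI and non-ePHI systems:", report["mixed_segments"])
    print("network map:", report["network_map"])
    print("BA notice due by:", ba_notice_due("2025-01-23T09:00:00+00:00"))
```

Run it as a script to see the report for the constructed inventory; in practice the `SAMPLE` list would be replaced by an export from the practice’s asset inventory. The checks are deliberately conservative (a device is only flagged for missing MFA when it handles ePHI, but any device without anti-malware is flagged), so the output is a starting list for the SRA rather than a verdict on compliance.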