
Navigating Upcoming Changes to HIPAA in 2024

As we move through 2024, significant updates to HIPAA regulations are set to affect healthcare providers, business associates, and other covered entities. The 2023 Notice of Proposed Rulemaking on the HIPAA Privacy Rule is nearing finalization, adding privacy protections for reproductive health care, and the confidentiality rules for substance use disorder patient records under 42 CFR Part 2 are being modified to align more closely with HIPAA. Together these changes aim to improve care coordination among providers, introduce new rights for patients, and bring Part 2 records under breach notification requirements and civil enforcement authority comparable to those that already apply to HIPAA-covered data.
Cybersecurity remains a top priority, with the Office for Civil Rights (OCR) emphasizing compliance with the HIPAA Security Rule. Hacking and ransomware attacks are a particular focus, and OCR is increasing its regional presence to provide more resources, including videos, guidance, newsletters, webinars, and technical assistance. The National Institute of Standards and Technology (NIST) has also revised its publication on implementing the HIPAA Security Rule (NIST SP 800-66 Revision 2), which describes how to assess and manage risks to electronic protected health information (ePHI) and maps the Security Rule's standards to NIST's security controls and frameworks.
Increased Risk of Audits in 2024
The OCR HIPAA audit program is set to resume in 2024, with a significant increase in audits expected. This round will focus on compliance with the HIPAA Security Rule, targeting both covered entities and business associates. Audited organizations are asked to produce documentation on a short deadline, so the heightened scrutiny means that healthcare organizations must be more vigilant in reviewing their policies, procedures, and compliance efforts, and must keep current, dated evidence that their controls are actually in place (risk analyses, risk management plans, training records, system activity reviews) rather than policies alone. Preparing for these audits before a request arrives is crucial.
At NonaSec, we specialize in helping healthcare organizations navigate these changes and enhance their cybersecurity posture. Our services include:
- Comprehensive risk analyses
- Security assessments
- Compliance reviews
- Implementation of cybersecurity measures
Best Practices and Resources for HIPAA Compliance
Recent enforcement actions highlight the importance of adhering to HIPAA rules. For instance, a large medical center agreed to a $4.75 million settlement after failing to safeguard ePHI, a gap that allowed unauthorized access to and sale of patient information. Similarly, two other healthcare firms [1] [2] were fined for inadequate risk analysis and insufficient monitoring of their health information systems. A common thread in these cases is that the required controls existed on paper but were not carried out: the risk analysis was not enterprise-wide, or system activity logs were collected but never reviewed. Best practices for HIPAA compliance include a regular, documented risk analysis covering every system that creates, receives, maintains, or transmits ePHI; ensuring Business Associate Agreements (BAAs) are in place and up to date before PHI is shared; properly disposing of PHI; integrating risk management into business processes; reviewing information system activity (audit logs and access reports) on a defined schedule; learning from past incidents; and providing regular training for workforce members.
In line with the HPH Cybersecurity Performance Goals, NonaSec offers tailored solutions to help your organization implement these best practices. These goals, released by HHS in January 2024 and divided into essential and enhanced tiers, aim to help healthcare organizations enhance their cybersecurity posture, improve their response to cyber incidents, and minimize residual risk.
NonaSec’s expertise in cybersecurity and compliance ensures that your organization can stay ahead of regulatory changes and avoid costly penalties. Contact us for a free consultation to learn how we can support your compliance efforts and protect your patient information.