Medic Management Blog | Thought Leadership

2025 Proposed HIPAA Security Rule Changes

Written by Joe Compton | Jan 7, 2025 10:04:17 PM

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule. These changes, proposed December 27, 2024, aim to strengthen cybersecurity protections for electronic protected health information (ePHI) in response to the ever-increasing threats to the healthcare sector.

At MMG, we understand the complexities and challenges that healthcare organizations and large physician groups face in meeting these new compliance requirements. Our comprehensive cybersecurity assessment and consulting services are designed to help you navigate these changes seamlessly and ensure your organization remains compliant.

Key Compliance Requirements Addressed by MMG:

1. Implementation Specifications: The NPRM removes the distinction between "required" and "addressable" implementation specifications; we help ensure that all specifications are met, with specific, limited exceptions.

2. Documentation: Our team helps you maintain written documentation of all Security Rule policies, procedures, plans, and analyses.

3. Technology Asset Inventory and Network Mapping: We develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout your electronic information systems.

4. Risk Analysis: Our experts conduct a detailed risk analysis, including a review of the technology asset inventory, identification of threats and vulnerabilities, and assessment of risk levels.

5. Access Management: We ensure timely notification of changes or termination of workforce members' access to ePHI or electronic information systems.

6. Contingency Planning and Incident Response: MMG establishes written procedures for restoring lost electronic information systems and data, prioritizing restoration, and responding to security incidents.

7. Compliance Audits: We conduct annual compliance audits to ensure adherence to Security Rule requirements.

8. Technical Safeguards: Our services include reviewing anti-malware protection, open network ports, and multi-factor authentication configurations.

9. Encryption and Technical Controls: We ensure encryption of ePHI at rest and in transit, and establish technical controls for consistent configuration of electronic information systems.

10. Vulnerability Scanning and Penetration Testing: MMG can provide vulnerability scanning every six months and penetration testing annually to identify and mitigate potential security risks.

By partnering with MMG, you can confidently address the new HIPAA Security Rule requirements and enhance your organization's cybersecurity posture. Our team of experts is dedicated to providing tailored solutions that meet your specific needs and ensure compliance with the latest regulations.

To learn more about how MMG can help your organization, please contact Joe Compton, Managing Director, Advisory Services and COO, to set up a conversation.

Joe Compton is Managing Director, Advisory Services at Medic Management Group. He has more than 30 years of professional experience in areas including IT infrastructure development, IT management, IT risk management and mitigation, and strategic planning and support. Medic Management Group is a national provider of advisory and consulting competencies, transaction support services, and back-office administrative support to independent and system-owned physician practice groups.