Mar 27, 2025

Public Webinar Available Now: HIPAA Security Rule Gets a Makeover – Let’s Break it Down
The Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information (NPRM) on Jan 6, 2025. This will be the first major update to the HIPAA Security Rule since the HIPAA Omnibus Rule in 2013.
These proposed changes bring about new requirements, including:
- Vulnerability scanning
- Penetration testing
- Patch management
- Network segmentation
- Data backup testing
- Multi-factor authentication
- Security incident planning and testing
- HIPAA compliance audits
- Business associate delegation
- Guidelines for ongoing maintenance
This webinar provides an overview of the proposed changes and expected timelines for regulated entities to meet compliance with the new rule. The proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector. While the Department is undertaking this rulemaking, the current Security Rule remains in effect.
For more information about the proposed rule for HIPAA Security, please follow the links below:
Fact Sheet: “HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information”
Notice of Proposed Rulemaking (NPRM) – “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information”
Contact the experts at Kentucky REC with all your HIPAA Privacy and Security questions. We’re here to help: 859-323-3090.
Jan 24, 2025
The Hospital Quality Reporting (HQR) System is now open and accepting calendar year 2024 Medicare Promoting Interoperability Program data submissions and attestations from eligible hospitals and critical access hospitals.
The data submission deadline for the CY 2024 requirements, including eCQM data, has been changed from February 28, 2025 to Friday, March 14, 2025.
As a reminder, hospitals are required to:
- Report data using the ONC Health Information Technology certification criteria to meet the certified electronic health record technology (CEHRT) requirement. Get your ID # from the Certified Health IT Product List (CHPL).
- Successfully submit four calendar quarters of data for six eCQMs:
- Three self-selected eCQMs from the CY 2024 Available eCQMs Table
- Three CMS-selected eCQMs: Safe Use of Opioids-Concurrent Prescribing, Cesarean Birth (PC-02), and Severe Obstetric Complications (PC-07)
- Submit web-based measure data for any continuous, self-selected 180-day EHR period within the calendar year.
Note: Failure to report at least a “1” for all required measures with a numerator or reporting a “No” for a Yes/No response measure will result in a total score of 0 points for the Medicare Promoting Interoperability Program.
- Earn a minimum total score of 60 points
- Complete the following requirements by attesting “Yes” to both
- Acting to Limit or Restrict the Compatibility or Interoperability of CEHRT
- ONC Direct Review
- Complete the following measures under the Protect Patient Health Information Objective by attesting “Yes” to both
- SAFER Guides
- Security Risk Analysis
- Submit data for the following measures under each objective below:
- Electronic Prescribing Objective
- e-Prescribing
- Query of Prescription Drug Monitoring Program (PDMP)
- Health Information Exchange Objective (Participants must select one of the three reporting options below)
- Report on both the Support Electronic Referral Loops by Sending Health Information measure and the Support Electronic Referral Loops by Receiving and Reconciling Health Information OR Report on the Health Information Exchange (HIE) Bi-Directional Exchange OR Report on the Enabling Exchange Under the Trusted Exchange Framework and Common Agreement (TEFCA)
- Provider to Patient Exchange Objective
- Provide Patients Electronic Access to Their Health Information
- Public Health and Clinical Data Exchange (A level of active engagement is required for each measure below)
- Syndromic Surveillance Reporting
- Immunization Registry Reporting
- Electronic Case Reporting
- Electronic Reportable Laboratory Result Reporting
- Antimicrobial Use and Resistance (AUR) Surveillance
- Voluntarily submit data for the following optional measures/requirements (Select One):
- Clinical Data Registry Reporting
- Public Health Registry Reporting
Contact YOUR experts at Kentucky REC with all your QPP, MIPS/MVP, and APM Track questions. We’re here to help: 859-323-3090.
Jan 14, 2025
HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information
On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI).
OCR administers and enforces the Security Rule, which establishes national standards for the protection of individuals’ ePHI by covered entities (health plans, health care clearinghouses, and most health care providers), and their business associates (together, regulated entities).
This proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.
These plans included the publication of voluntary cybersecurity best practices and a strategy for greater cybersecurity enforcement and accountability, which included updating the HIPAA Security Rule with new cybersecurity requirements.
The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:
- Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
- Require written documentation of all Security Rule policies, procedures, plans, and analyses.
- Update definitions and revise implementation specifications to reflect changes in technology and terminology.
- Add specific compliance time periods for many existing requirements.
- Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
- Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
o A review of the technology asset inventory and network map.
o Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
o Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
o An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
o Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
o Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
o Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
o Implement written procedures for testing and revising written security incident response plans.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- Require encryption of ePHI at rest and in transit, with limited exceptions.
- Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
o Deploying anti-malware protection.
o Removing extraneous software from relevant electronic information systems.
o Disabling network ports in accordance with the regulated entity’s risk analysis.
- Require the use of multi-factor authentication, with limited exceptions.
- Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Require network segmentation.
- Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
- Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
- Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
While the Department is undertaking this rulemaking, the current Security Rule remains in effect.
HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments through regulations.gov.
Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register. The Department will also be conducting a Tribal consultation meeting soon. Information and RSVP details are forthcoming.
The NPRM may be viewed or downloaded at: https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of
Contact the experts at Kentucky REC with all your HIPAA Privacy and Security questions. We’re here to help: 859-323-3090.
Nov 15, 2024
TEAM Model APM – Transforming Episode Accountability Model for Acute Care Hospitals
Available Now: Friday Nov 15, 2024
On November 15th, your trusted REC experts released a webinar focusing on CMS’s recently announced new MANDATORY payment arrangement: Transforming Episode Accountability Model (TEAM). This model is set to launch January 1st, 2026 for selected acute care hospitals in 188 core-based statistical areas (CBSAs).
Many Kentucky hospitals will be required to participate in this first phase, specifically hospitals located in:
Bowling Green
Corbin
Glasgow
Lexington-Fayette
Middlesboro
This model is a 5-year project beginning January 1, 2026, and ending December 31, 2030.
You will receive regulatory analysis of this new program and information on: episodes of care; timelines; financial up-side and down-side risk glidepaths; and other need-to-know elements set forth by CMS in this new model.
For further information:
CMS TEAM Model Hospital Registration (Primary Hospital Contact for FY26 Mandatory Participants).
For more information on the upcoming TEAM Model
To receive future CMS announcements, join the CMS Listserv.
REGISTER TODAY to be in-the-know on this very important topic impacting clinicians and Acute Care Hospitals across Kentucky and the nation.
For details and more information on TEAM from CMS, visit HERE.
Contact YOUR experts at Kentucky REC with all your QPP, MIPS/MVP, and APM Track questions. We’re here to help: 859-323-3090.