Changes are Coming to HIPAA's Security Rule: What ABA Agencies Need to Know

Tags: cybersecurity, hipaa, security rule | Jan 15, 2025

This article is intended as information only. Please don't consider it legal advice. ABA Compliance Solutions doesn't provide legal services. While we strive to offer accurate and up-to-date information, we always suggest consulting with an attorney for advice tailored to your specific needs.

In an era where data breaches and cyber threats continue to be disturbingly common, the regulatory frameworks intended to help ensure the safety and privacy of sensitive patient information continue to evolve. As part of that evolution, the U.S. Department of Health and Human Services (HHS) has proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

For small- and mid-sized applied behavior analysis (ABA) agencies, understanding these proposed changes, planning for them, and complying with them is extremely important. ABA Compliance Solutions is here to help you navigate the updates, understand the key timelines, and implement necessary adjustments to remain compliant.

Overview of the Proposed Changes to HIPAA's Security Rule

The proposed changes to HIPAA's Security Rule are intended to enhance safeguards for electronic protected health information (ePHI), streamline compliance measures, and respond to evolving cybersecurity threats. Some of the areas of focus in the proposed rule include:

  1. Risk Analysis and Risk Management: The proposed changes include significantly increased specificity in how ABA agencies (and other regulated entities) should conduct and document risk analyses to identify and mitigate vulnerabilities related to ePHI.
  2. Incident Response and Reporting: If included in the final language of the updated security rule, ABA agencies that are covered entities under HIPAA will face new requirements for detecting, responding to, and reporting cybersecurity incidents, including ransomware attacks.
  3. Third-Party Risk Management: Beyond tightening requirements for healthcare providers, the proposed changes also include stronger accountability measures for business associates (BAs) and vendors, to ensure that third-party entities handling ePHI adhere to the same rigorous security standards. BAs are companies or individuals that work with your ABA agency and whose work involves the use, creation, or disclosure of protected health information.
  4. Multi-Factor Authentication (MFA): The proposed changes include a requirement that covered entities implement MFA for any system that contains ePHI.
  5. Minimum Necessary Access: The proposed language emphasizes the need for ABA agencies to limit access to ePHI based on the minimum necessary principle, which means giving people (staff, vendors, etc.) access only to the ePHI they actually need to get their jobs done, and no more.

These are only some of the proposed changes, and we’ll have to wait to see what’s included in the final rule when it comes out. For now, you should be aware of the direction things seem to be headed and pay attention to the timelines that will be in play, so that you can make sure your ABA company remains compliant with HIPAA’s security requirements.

Important Timelines for Finalizing and Implementing Changes

As with any regulatory update, the process of finalizing and rolling out the proposed changes to HIPAA's Security Rule involves multiple stages. Here are the key timelines to watch:

  • Publication of the Proposed Rule: The proposed changes were published in the Federal Register on January 6, 2025, which marks the start of the public comment period.
  • Public Comment Period: Stakeholders, including ABA agencies like yours, can submit feedback on the proposed changes. The public comment period typically lasts 60-90 days, so you’ll likely have until early March or early April if you’d like to submit comments.
  • Review and Finalization: Once the comment period closes, HHS will review the feedback and may revise the proposed language of the security rule based on the feedback they received. This process can take several months to a year.
  • Publication of the Final Rule: Once finalized, the new rule will be published in the Federal Register, and we’ll be given an effective date and compliance deadline. The effective date is when a new rule officially becomes part of the law and the compliance deadline is the date by which regulated entities have to fully implement the requirements of the rule.
  • Compliance Deadlines: After publication, entities will generally have 180 days to one year to implement the new requirements, depending on the complexity of the changes.

It is crucial for ABA agencies to stay informed throughout this timeline to ensure adequate preparation and compliance.

What ABA Agencies Can Do to Prepare

While the changes are still in the proposal stage, we here at ABA Compliance Solutions recommend that you take a proactive approach to preparing for them. Being proactive can save your agency time, resources, and potential penalties down the line. Here’s a list of concrete steps ABA agencies can take now to position themselves for compliance:

  • Conduct a Comprehensive Risk Analysis:
    • Review your current risk analysis process.
    • Identify gaps in how risks to ePHI are documented and mitigated.
    • Update your risk management plan to align with the proposed enhancements.
  • Assess and Strengthen Incident Response Plans:
    • Evaluate your current incident response protocols.
    • Establish clear procedures for detecting and responding to cyber threats.
    • Implement a system for timely reporting of incidents, including ransomware attacks.
  • Review Vendor Agreements:
    • Audit all business associate agreements (BAAs) to ensure compliance with current and proposed standards.
    • Require vendors to provide evidence of their cybersecurity practices.
  • Implement Multi-Factor Authentication (MFA):
    • Transition to MFA for all systems accessing ePHI.
    • Train staff on the use and importance of MFA to enhance security.
  • Limit ePHI Access:
    • Conduct an audit of user access to ePHI in your systems.
    • Implement role-based access controls to ensure that folks only have access to the minimal amount of ePHI they need to do their jobs.
  • Train Your Workforce:
    • Update your training programs to address the proposed changes and emphasize the importance of security.
    • Conduct regular cybersecurity awareness sessions with your staff.

By taking these steps now, ABA agencies can build a strong foundation for compliance and reduce the risk of last-minute scrambling once the changes are finalized. To make that process even easier, consider adopting recognized security practices, which will not only improve your ABA agency's security but also serve you well in preparing for whatever changes may come in HIPAA's revised Security Rule. We wrote an earlier blog post all about recognized security practices, so check that out if you'd like.

Final Thoughts

The proposed changes to HIPAA’s Security Rule mark a significant step forward in enhancing the protection of sensitive health information. For ABA agencies, these updates represent both a challenge and an opportunity to strengthen their cybersecurity and compliance practices.

By staying informed, acting proactively, and leveraging the support of trusted partners like ABA Compliance Solutions, your agency can navigate these changes confidently and continue to prioritize the privacy and security of the individuals you serve.
