
A financial institution’s core banking system, or core processing system, is essential software that provides the backbone for day-to-day operations and transaction processing. Accounting for the costs of these systems can be tricky because of the complexities often involved in these contracts.  

The contracts tend to be long-term, as it would be infeasible (and undesirable) for financial institutions to have to re-negotiate and possibly switch core providers on a frequent basis. In addition, the contracts often include varying fees and provisions listed throughout the contract. The accounting team is often provided this lengthy contract and then left with the task of deciphering what is meaningful from an accounting standpoint.  

There are two key pieces of accounting guidance to consider when analyzing core contracts: 

1) Accounting Standards Codification (ASC) 705 – Cost of Sales and Services 

2) ASC 350-40 – Intangibles – Goodwill and Other – Internal-Use Software 

Core contracts may provide incentives or credits that can be applied against the fees charged by the core provider. According to ASC 705-20-25-1, “consideration from a vendor also includes credit or other items (for example, a coupon or voucher) that the entity can apply against amounts owed to the vendor (or to other parties that sell the goods or services to the vendor). The entity shall account for consideration from a vendor as a reduction of the purchase price of the goods or services acquired from the vendor…” 

As an example, let’s say your financial institution receives a one-time credit as part of signing a new core contract of $100,000 and the contract is to provide services to your institution over five years. This credit can be applied to future invoices received from the core provider. The contract has a monthly maintenance fee of $20,000 (likely among other charges). This credit would thus reduce the monthly maintenance expense of $20,000 to $18,333 (reduced by $100,000 divided by 60 months). This is a simple example, but hopefully, it will provide insight into the mechanics of the accounting for credits and incentives. In reality, these contracts tend to be much more complex, with variable fees and possibly even credits or incentives that can only be applied against certain fees. These credits/bonuses may not be recognized fully up front as a gain, revenue, or reduction of expense.  

There are often many fees listed in a core contract and these fees tend to be for various services related to the contract. Each fee should be considered on its own and assessed against the criteria listed in ASC 350-40-25, which establishes three project stages for internal-use software: 

1. Preliminary Project Stage. This stage may include: 

a. Conceptual formulation of alternatives 

b. Evaluation 

c. Determination 

d. Final selection 

All costs associated with the preliminary project phase shall be expensed as incurred. 

2. Application Development Stage. This stage may include: 

a. Design 

b. Coding 

c. Installation 

d. Testing 

Whether costs in this stage are expensed or capitalized depends on the type of cost: 

  1. Costs incurred to develop internal-use software shall be capitalized. 
  2. Costs to develop or obtain software that allows for access to or conversion of old data by new systems shall be capitalized. 
  3. Training costs shall be expensed as incurred. 
  4. Data conversion or clean-up costs shall be expensed as incurred. 

3. Post-Implementation-Operation Stage. This stage may include: 

a. Training 

b. Application maintenance 

All costs associated with the post-implementation-operation stage shall be expensed as incurred. 

Costs incurred for upgrades and enhancements to internal-use software shall be expensed or capitalized in accordance with the guidance provided above. Costs incurred for maintenance shall be expensed as incurred.  

As an example in applying the above project stages, let’s say your institution has hired your core provider to develop an application programming interface (API – essentially a “bridge” between two software programs, allowing them to “talk” to one another) so a new automated account reconciliation software can interface directly with your core. The core provider is charging you directly for the design of this API. These costs would be capitalized. Once designed, the core provider also provides your institution training on the API (for a fee) – these training fees would be expensed. Any internal training expenses, such as ongoing training, would be expensed as incurred. Furthermore, if your core provider charges a maintenance fee for ongoing maintenance of the API, these fees would also be expensed as incurred. 

Given that these core contracts, and the fees associated with them, can be quite voluminous, it is best practice to establish a list of the services and associated fees listed in the contract. An accounting determination can then be made in accordance with ASC 705 and 350-40 and listed next to each service/fee. Such a list can also be helpful in tracking the various credits and incentives that are being provided and how much of these credits and incentives remain to be utilized by your financial institution. 

It should be noted that the Financial Accounting Standards Board (FASB) has an ongoing project related to the accounting for and disclosure of software costs. More details and a current status update on the project can be found on the FASB’s website. A proposed Accounting Standards Update (ASU) was issued in October 2024. The proposed ASU would eliminate the project stages detailed above. Instead, costs would start to be capitalized when both of the following occur: 

  1. Management has authorized and committed to funding the software project. 
  2. It is probable that the project will be completed and the software will be used to perform the function intended (referred to as the “probable-to-complete recognition threshold”). 

Again, this is just a proposed ASU at this time and until a final ASU is issued, financial institutions should continue to follow the project stage guidance detailed above in assessing the accounting treatment for the fees in their core contracts. As always, your BerryDunn team is here to help should you have any questions! 

Article
Accounting for core banking software: ASC 705 and 350-40 explained

FINRA is launching a broad review of its regulatory requirements to modernize rules, reduce unnecessary burdens, and support innovation in financial services. This initiative aims to enhance investor protection and market integrity by adapting regulations to evolving market conditions and technological advancements.

The review will begin with two key areas:

  • Capital formation: Examining how regulations impact capital acquisition brokers, “limited purpose” broker-dealer models, research analysts, and capital-raising processes
  • The modern workplace: Addressing regulations related to branch offices and remote work, registered representative credentialing and education, customer communication methods, and recordkeeping practices, particularly with respect to communications.

FINRA invites member firms, investors, and stakeholders to provide feedback on other areas that may require modernization, including economic costs, technological changes, and regulatory overlaps. The comment period is open until May 12, 2025, and submissions can be made online, via email, or by mail. The Regulatory Notice lists specific questions to consider when responding.

This effort aligns with FINRA’s commitment to continuous improvement through industry engagement, ensuring that regulations remain effective, efficient, and relevant to the evolving financial landscape.

Focused on providing industry expertise and advisory relationships that extend past audit and tax seasons, BerryDunn's Financial Services team can help you enhance, grow, and adapt your operations to surpass your future goals. Learn more about our team and services. 

Article
Help FINRA redefine regulations—Your voice matters!

Last month, in honor of Women's History Month, we had the opportunity to speak with two women making waves in the parks and recreation industry—BerryDunn’s Becky Dunlap and Lakita Frazier. Both have built meaningful careers driven by a passion for community impact and the outdoors, forging paths that inspire others in the field. 

Finding their calling in parks and recreation 

Lakita Frazier didn’t set out to work in parks and recreation—it found her. A summer job as a part-time recreation leader sparked an unexpected love for the field, leading her to make it her life’s work. “I quickly realized how much I loved engaging with the community and creating meaningful experiences for people,” she recalls. Over the years, she gained valuable experience in local government, eventually transitioning to consulting. Though she misses the day-to-day interaction of working within a team, she now helps parks and recreation professionals navigate challenges and build stronger programs. 

Becky Dunlap, on the other hand, discovered her passion in college when a professor encouraged her to consider parks and recreation as a career. “That conversation changed everything for me,” she says. Her journey took her through various leadership roles in local government before moving into consulting, where she enjoys the ability to innovate and drive change without bureaucratic obstacles slowing the process. 

Overcoming challenges as women in the field 

Lakita’s journey hasn’t always been easy. She recalls battling imposter syndrome early in her career as a young department head. “There were days when I questioned whether I truly belonged in a leadership position,” she admits. “But I leaned on my mentors, and they reminded me that I earned my seat at the table.” Today, she focuses on connecting with parks and recreation professionals, elevating the importance of their work and advocating for more opportunities for women in the field. 

For Becky, balancing ambition and personal commitments has been one of her biggest challenges. As a working mother, she has learned to manage her bandwidth—sometimes pulling back to ensure she can fully dedicate herself to the commitments she takes on. Despite these obstacles, she thrives on problem-solving and making tangible improvements in the field. “If I can help create better systems or funding models that make parks and recreation more effective, then I know I’m making a difference,” she says. 

Looking ahead: Challenges and optimism for the future 

Both women recognize the hurdles parks and recreation agencies face today, from funding shortages to the lingering effects of the pandemic. Lakita emphasizes the importance of resilience, believing the industry will continue to push forward despite challenges. “Our field is full of problem-solvers,” she says. “We’ve overcome budget cuts, crises, and uncertainty before, and we’ll do it again.” 

Becky shares this optimism, noting that the future will depend on strong leadership and innovative solutions. She encourages young women entering the field to believe in themselves and not be discouraged by setbacks. “Mistakes are part of the process,” she advises. “And how you respond to them is ultimately more important than the mistake itself.” 

What's next for these leaders? 

Lakita plans to continue supporting parks and recreation professionals through her work at BerryDunn, while also expanding efforts with Women in Parks and Recreation to create more opportunities for women in the field. Becky, meanwhile, is focusing on developing innovative technology solutions to help departments run more efficiently and improve service delivery. 

Their experiences highlight the impact of women's leadership in parks and recreation. Despite obstacles, they have helped shape the path for future generations, demonstrating how passion, resilience, and dedication contribute to meaningful progress. 

BerryDunn's Parks, Recreation, and Libraries team works with clients across the country to improve operations, drive innovation, identify improvements to services based on community need, and elevate your brand and image―all from the perspective of our team’s combined 100 years of hands-on experience. Learn more about our team and services. 

Article
Trailblazers in parks and recreation: Celebrating women leaders

The construction industry presents some unique accounting and financial reporting requirements when it comes to construction work-in-progress (WIP) schedules. To keep a solid pulse on contract financial status and results, it is important that these schedules are accurate and up to date. Here are five of the more common mistakes we encounter when working with clients:

1. Inaccurate inputs for the WIP schedule

Achieving 100% accuracy can be challenging as the WIP schedule depends on four main inputs. The four inputs include:

  • Projected total cost
  • Contract value
  • Job-to-date cost
  • Job-to-date billings

A miscalculation in any of these can cause inaccuracies in your work-in-progress reporting of revenues and contract assets and liabilities.

2. Estimated under/overbilling costs that don’t match contract scope or reflect actual costs

Has the project scope changed without including the corresponding change order? This can result in overstated contract revenues and underbillings. Are total estimated costs greater than they should be? This can result in overstated overbillings and understated contract revenues which, if it happens consistently, can materially skew reported revenues and gross margin.

3. Change orders and billings that are improperly included or excluded

The main determination if a change order should be included in WIP schedule calculations is if it is a continuation of an existing contract and is signed and legally enforceable or at least has a mutually agreed-upon scope and is awaiting price agreement. If so, the projections should be updated to include the change order. This can get complicated, though, so be sure to check with your accountant if there is a question.

4. Not reconciling the WIP schedule to the financial statements

It is important to understand the WIP schedule and how it ties into financial reporting. The general ledger or internal financial statements should be reconciled with supporting external sources as well as internal calculations or spreadsheets, including the WIP schedule. This includes reconciling contract assets, contract liabilities, and related income statement accounts.

5. Not including all contracts on the WIP schedule–including open and closed jobs

The WIP schedule should include all contract amounts, no matter how big or how small, or whether they are open or closed. Open vs. closed jobs should be noted as such on the schedule. It is a best practice to include job numbers for each contract; this way jobs can be tracked month over month, or year over year, and a gain/loss fade analysis can be performed.
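The five mistakes above all come back to the same small set of numbers. As an added example (not code from the BerryDunn article), the following Python builds a minimal WIP schedule from the four inputs named in mistake 1, includes only signed or scope-agreed change orders (mistake 3), keeps open and closed jobs on the schedule with job numbers (mistake 5), and reconciles the schedule totals to general-ledger balances (mistake 4). Percent complete is computed with the cost-to-cost method, which is an assumption of this example rather than something the article prescribes; the job figures, change-order status labels, and GL balances are constructed sample data.

```python
"""Added example (not from the BerryDunn article): a minimal construction WIP
schedule built from the four inputs named above, with change-order inclusion
(mistake 3) and a reconciliation of schedule totals to the general ledger
(mistake 4). Percent complete uses the cost-to-cost method, which is an
assumption here; job data and GL balances are constructed sample figures."""
from dataclasses import dataclass, field

# Change orders that are signed, or have agreed scope and await only price, are
# included in projections; anything else is left out (mistake 3; labels assumed).
INCLUDABLE_CO_STATUSES = {"signed", "scope_agreed"}


@dataclass
class ChangeOrder:
    revenue: float   # change to contract value
    cost: float      # change to projected total cost
    status: str      # "signed", "scope_agreed" or "pending"


@dataclass
class Job:
    job_number: str
    contract_value: float         # input: contract value
    projected_total_cost: float   # input: projected total cost
    jtd_cost: float               # input: job-to-date cost
    jtd_billings: float           # input: job-to-date billings
    closed: bool = False
    change_orders: list = field(default_factory=list)


def adjusted_contract(job):
    """Contract value and projected cost after adding includable change orders only."""
    value, cost = job.contract_value, job.projected_total_cost
    for co in job.change_orders:
        if co.status in INCLUDABLE_CO_STATUSES:
            value += co.revenue
            cost += co.cost
    return value, cost


def wip_line(job):
    """Compute one schedule line; open and closed jobs are both kept (mistake 5)."""
    value, total_cost = adjusted_contract(job)
    if total_cost <= 0:
        raise ValueError(f"{job.job_number}: projected total cost must be positive")
    pct = min(job.jtd_cost / total_cost, 1.0)          # cost-to-cost percent complete
    earned = round(value * pct, 2)                      # revenue earned to date
    under_over = round(earned - job.jtd_billings, 2)    # + underbilled, - overbilled
    return {
        "job": job.job_number,
        "status": "closed" if job.closed else "open",
        "pct_complete": round(pct, 4),
        "earned_revenue": earned,
        "projected_gross_profit": round(value - total_cost, 2),
        "underbilled": max(under_over, 0.0),   # contract asset
        "overbilled": max(-under_over, 0.0),   # contract liability
    }


def build_schedule(jobs):
    """Return the schedule lines and the totals that must tie to the GL."""
    lines = [wip_line(j) for j in jobs]
    totals = {
        "contract_assets": round(sum(l["underbilled"] for l in lines), 2),
        "contract_liabilities": round(sum(l["overbilled"] for l in lines), 2),
        "earned_revenue": round(sum(l["earned_revenue"] for l in lines), 2),
    }
    return lines, totals


def reconcile(totals, gl_balances, tolerance=0.01):
    """Return {account: schedule minus GL} for every account that does not tie out."""
    diffs = {}
    for account, amount in totals.items():
        diff = round(amount - gl_balances.get(account, 0.0), 2)
        if abs(diff) > tolerance:
            diffs[account] = diff
    return diffs


# Constructed sample data: three jobs and the GL balances they should tie to.
SAMPLE_JOBS = [
    Job("24-001", 1_000_000, 800_000, 400_000, 450_000, change_orders=[
        ChangeOrder(200_000, 200_000, "signed"),   # included in projections
        ChangeOrder(50_000, 40_000, "pending"),    # excluded: no agreed scope yet
    ]),
    Job("24-002", 500_000, 450_000, 450_000, 520_000, closed=True),
    Job("24-003", 200_000, 180_000, 90_000, 100_000),
]
SAMPLE_GL = {"contract_assets": 30_000.0, "contract_liabilities": 15_000.0,
             "earned_revenue": 1_080_000.0}

if __name__ == "__main__":
    lines, totals = build_schedule(SAMPLE_JOBS)
    for line in lines:
        print(line)
    print("totals:", totals)
    print("GL differences:", reconcile(totals, SAMPLE_GL))
```

With the sample data, job 24-001 is underbilled by $30,000 once its signed change order is included, closed job 24-002 carries a $20,000 overbilling that still belongs on the schedule, and the reconciliation reports a $5,000 difference on contract liabilities that the month-end close would need to explain.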

BerryDunn’s Construction team partners with clients to provide meaningful insights on best practices in building capacity, stabilizing cash flow in growth, reducing tax liabilities, capturing reimbursable local taxes, and navigating state nexus. Learn more about our team and services. 

Article
Construction WIP accounting: Five common mistakes

The FDIC's Quarterly Banking Profile for Q4 2024 reports positive performance for the 4,046 community banks evaluated. Here are the key highlights: 

Note: Graphs are for all FDIC-insured institutions unless the graph indicates it is only for FDIC-insured community banks. 

Financial Performance 

  • Net Income Growth: Full-year net income decreased by $624.4 million (2.4%) year-over-year to $25.9 billion, driven by higher noninterest expense, higher provision expense, and realized losses on the sale of securities of $566 million. Quarterly net income decreased $440.7 million (6.5%) from the prior quarter to $6.4 billion, driven by the same inputs as yearly net income. However, compared to fourth quarter 2023, net income increased $535.3 million, or 9.2%, driven primarily by higher net interest income and noninterest income.
  • Net Interest Margin (NIM): Full-year NIM decreased by 6 basis points to 3.33% due to higher asset yields outpacing the cost of funds. However, NIM quarter-over-quarter increased 9 basis points from the previous quarter and 9 basis points over the 2023 quarter four to 3.44%.
  • Revenue Growth: Net operating revenue increased $1.9 billion (7.3%) year-over-year, with gains in both net interest and noninterest income. Operating revenue rose by $960.3 million (3.6%) over the previous quarter, following similar drivers of growth. 

Costs and Efficiency 

  • Noninterest Expense: Up by $1.1 billion and $931.1 million (5.4%) year-over-year and quarter-over-quarter, respectively, to $18.1 billion. This was largely due to increased salaries and employee benefits expense.
  • Efficiency: The efficiency ratio (noninterest expense as a share of net operating revenue) rose 26 basis points from a quarter earlier to 65.06%, reflecting the increases in noninterest expense.

Loan and Deposit Trends 

  • Broad-Based Loan Growth: Total loans and leases grew by $24.4 billion (1.3%) quarter-over-quarter, with a notable increase in commercial real estate (CRE). Total loans and leases increased 5.1% from the prior year, with notable increases in CRE and residential real estate.
  • Deposit Increases: Domestic deposits rose by $37 billion (1.6%) in the fourth quarter, with growth in both insured and uninsured deposits.

Asset Quality 

  • Stable Metrics: Nonperforming loan levels remained low, despite a slight rise in past-due loans to 1.2%, an increase of 7 basis points from third quarter 2024. Net charge-offs were marginally higher but within manageable levels (0.22%, up 6 and 4 basis points from a quarter and year ago, respectively). This ratio remained 0.07% higher than the pre-pandemic average of 0.15%. The reserve coverage ratio decreased 6.17% from third quarter 2024 and 48.8% from a year earlier to 179.7%.
  • Unrealized Securities Losses: Despite an increase of unrealized losses of $11.6 billion (29.6%) from the previous quarter, unrealized losses on securities declined $961.6 million (1.9%) from the prior year.

Capital and Structural Stability 

  • Capital Ratios: Decreased slightly across the board, with the average Community Bank Leverage Ratio (CBLR) dropping to 12.22%, down 3 basis points from the previous quarter. Of the 4,046 community banks, 1,629 have elected the CBLR framework. 
  • No Bank Failures: For the fourth quarter, there were no community bank failures, reflecting continued sector stability. However, total community banks declined by 36 from the previous quarter, primarily due to M&A activity. 

Conclusion and Outlook 

Another year has closed, and community banks remain resilient. 2024 saw a dip in earnings as banks navigated increases in costs and depressed NIMs. The good news is that the NIM graph above shows the potential trend towards a rebound in 2025. The regulatory landscape continues to be closely watched by the banking community. Substantial changes throughout the federal government continue to create uncertainty. The impact these changes will have on the banking industry remains yet to be known. Many see opportunity in the changes. Community banks are pillars of their communities and trusted advisors to those they serve. In these times of uncertainty, it is critical for banks to leverage and strengthen those relationships with their customers, much as they did during the pandemic. 

Technology will likely remain at the forefront of conversations in 2025 as the banking industry continues to monitor advances in artificial intelligence and how these advances can make an immediate impact on bank operations. There is a lot of hype surrounding technology, especially artificial intelligence, and banks will need to be deliberate in building these tools into their strategic plans and fully vetting any tools before implementing them, as there are often significant costs associated with these tools. However, using a “wait and see” approach is likely not sufficient, as customers will increasingly expect these tools to be part of their experience. 

There may also be anxiety amongst employees, as there are varying headlines and stories regarding the impact technology (again, especially artificial intelligence) will have on the workforce. It will be crucial for leadership teams to monitor this sentiment throughout their organization and provide clear messaging to employees. 

2024 was also year two of the current expected credit loss (CECL) standard for many institutions. As institutions gained comfort surrounding the new CECL standard and saw the impact of changing inputs and assumptions, the importance of a robust governance and oversight framework over the CECL calculation continued to be emphasized. 2025 will likely continue to be a year of refinement as historical trends and peer data continue to be built under CECL. As always, your BerryDunn team is here to help! 

Article
FDIC Issues its Fourth Quarter 2024 Quarterly Banking Profile

On March 28, 2025, the FDIC issued a Financial Institution Letter (FIL), which rescinds its prior notification requirement for financial institutions engaging in crypto-related activities, as established in FIL-16-2022. Under the new guidance, FDIC-supervised institutions may engage in permissible crypto-related activities without prior FDIC approval, provided they manage associated risks effectively. These risks include market, liquidity, operational, cybersecurity, consumer protection, and anti-money laundering concerns. The FDIC will continue working with other agencies and issue further guidance to clarify banks' involvement in digital asset markets. Read the full content of the letter, FIL-7-2025.

Just a reminder that, for those institutions that are engaged or plan to engage in crypto-related activities, accounting for such activity should follow the Financial Accounting Standards Board’s (FASB) guidance on crypto assets, which can be found in Accounting Standards Codification (ASC) 350-60. Accounting Standards Update (ASU) 2023-08 established the first-ever accounting and disclosure framework for crypto assets within US generally accepted accounting principles. 

Assets that meet six criteria [1] are required to subsequently be measured at fair value with changes recognized in net income each reporting period. Such assets must be presented separately from other intangible assets in the balance sheet, and changes from the remeasurement of crypto assets must be separately presented from changes in the carrying amounts of other intangible assets in the income statement. The ASU also provides for various disclosure requirements, including disclosure of the name, cost basis, fair value, and number of units for each significant crypto asset holding, as well as a roll forward, in the aggregate, of crypto asset holding activity for the reporting period.  

As always, should you have any questions, please don’t hesitate to reach out to your BerryDunn team. 

[1] ASC 350-60-15-1 indicates that such assets must meet all of the following criteria: 

a. Meet the definition of intangible assets as defined in the ASC. 
b. Do not provide the asset holder with enforceable rights to or claims on underlying goods, services, or other assets. 
c. Are created or reside on a distributed ledger based on blockchain or similar technology. 
d. Are secured through cryptography. 
e. Are fungible. 
f. Are not created or issued by the reporting entity or its related parties. 

Article
FDIC Clarifies Bank Crypto Activity Process in New Letter

In late 2024, the Centers for Medicare and Medicaid Services (CMS) launched a sweeping off-cycle mandate requiring all skilled nursing facilities (SNFs) in the United States to revalidate their Medicare provider enrollment record. Facilities of all types–including for-profit and not-for-profit–are affected.

This revalidation, which is required to maintain your Medicare participation, is due by May 1, 2025. For SNFs grappling with this fast-approaching application deadline, here are five things to know about the changes, process, and new information that will keep your billing privileges current.

1. What has changed, and why? 

The CMS mandate introduced new disclosure requirements that are far more extensive than previous reporting requirements. The intent is to promote transparency by collecting more comprehensive data on:

  • Skilled nursing facility ownership and control structures.

  • Information on designated parties, including organizational and ownership structures, associated with SNFs. Notably, SNFs must identify and report all Additional Disclosable Parties (ADPs).

  • A final rule regarding Disclosures of Ownership and Additional Disclosable Parties Information for Skilled Nursing Facilities and Nursing Facilities was published by CMS in 2023. Read the final rule.

As part of this effort, CMS updated the Form CMS-855A application and developed a 20-page SNF-specific attachment that is required for SNF reporting. Additionally, CMS published and subsequently updated new Guidance on the CMS-855A Form with SNF Attachment, which outlines the changes, process, forms, and required information and supporting documents. 

Tip: Given the complexity of the new requirements, SNFs are encouraged to consult with legal counsel to ensure compliance. Working with outside credentialing and enrollment professionals can also be helpful in guiding SNFs through the revalidation process.

2. Who must be disclosed?

The CMS requires detailed information to be collected on ownership, management, and related parties, including these individuals and entities:

  • Every member of the SNF’s governing body

  • Every person or entity who is an officer, director, member, partner, trustee, or managing employee

  • Every person or entity who is an additional disclosable party (ADP) of the SNF

  • The organizational structure of each ADP and a description of the relationship of each ADP to the SNF and one another

Tip: Start by making a thorough assessment of your organization’s ownership and management structure. Identify all relevant parties, including organizations and individuals, according to the new, broader definitions contained in the CMS guidance.

3. What are the new ADP disclosure requirements?

The newly updated reporting requirements mandate increased disclosures about additional disclosable parties (ADPs). In general, the definition of an ADP applies to any person or entity who:

  • Exercises operational, financial, or managerial control over the SNF

  • Provides real estate to the SNF

  • Delivers management or administrative services, consulting, or accounting/financial services to the facility

SNFs are also required to provide information on the ADPs' organizational structures and to describe the relationships between ADPs and the facility.

Tip: Refer to the guidance provided by CMS to fully understand the new, broader definition of ADPs. Begin by identifying all ADPs associated with your facility and thoroughly document all existing service relationships.

4. What else might trigger reporting?

The new regulations include expanded definitions of parties with operational, financial, or managerial control that are now subject to a SNF’s reporting requirements. For example:

  • Managerial control now includes “managing organizations” or “managing employees” such as a general manager, business manager, administrator, director, or consultant, who directly or indirectly manages, advises, or supervises any element of the practices, finances, or operations of the SNF

  • Operational control refers to the oversight and responsibility for the SNF’s daily activities and transactions and is not limited to those in supervisory roles. Any degree of responsibility for operations, even informal, may trigger the disclosure requirements

  • Financial control can include monitoring or managing the SNF’s finances, authority to approve the expenditure of SNF funds, an owning organization that funds part of the SNF’s operations, or banks that have given the SNF a line of credit

Tip: The new regulations have broadened the scope of these areas of influence with SNFs. As previously mentioned, it’s important to thoroughly review the definitions provided in the CMS guidance to be sure you’re in compliance.

5. What type of data gets collected and disclosed?

The new regulations require SNFs to disclose detailed information about both organizations and individuals with ownership interests and/or managing control. For organizations, this includes but is not limited to:

  • Legal business name (LBN)
  • Doing business as name (DBA)
  • Whether or not they have less than 5% ownership interest, or are an ADP without ownership or managing control of the SNF
  • Tax Identification Number (TIN) – not required if the ADP has less than 5% ownership interest
  • National Provider Identifier (NPI) of the organization with ownership interest/managing control
  • IRS Proprietary/Non-Profit Status (proprietary, non-profit, disregarded entity)

SNFs must also report data on individuals with ownership interest and/or managing control. Information disclosing their relationship with the facility includes but is not limited to whether they have:

  • 5% or greater direct ownership interest
  • 5% or greater indirect ownership interest
  • 5% or greater mortgage interest
  • 5% or greater security interest
  • General partnership interest in the SNF
  • Limited partnership interest in the SNF
  • Managing control, such as corporate officers, corporate directors, and W-2 managing employees

Tip: The new revalidation process requires SNFs to collect and keep track of more detailed information than ever before. A best practice is to develop internal processes for collecting, maintaining, and reporting ownership and control information.

As you prepare your CMS-855A application, remember you have the choice of filing it through the mail, or using the preferred secure online format via the PECOS portal.  

We're here to help

With the May 1, 2025, deadline approaching, it can be helpful to work with an experienced team of credentialing professionals who will help you navigate the complex process of meeting the new revalidation requirements. For example, BerryDunn’s Credentialing and Enrollment Team has developed a valuable, proprietary tool to help client organizations collect, organize, and track ownership, control, and ADP information, and to guide them through the CMS revalidation process. Additional CMS resources are available, including PECOS support, via the External User Services (EUS) Help Desk. The Help Desk can also be reached by phone at 1.866.484.8049 or email at EUS_Support@cms.hhs.gov.

Article
Tips and takeaways: What SNFs should know about CMS mandated enrollment revalidation

Read this if your organization is subject to HIPAA regulations.

For over two decades, the HIPAA Security Rule has remained largely unchanged, aside from extending its scope beyond covered entities to include business associates. During this time, cybersecurity threats in the healthcare sector have grown significantly, and the US Department of Health and Human Services Office for Civil Rights (OCR) has gained extensive enforcement experience.

To address evolving threats and regulatory challenges, OCR has issued proposed modifications to the Security Rule, introducing stricter security controls, mandatory encryption requirements, and a shift away from “addressable” implementation specifications. While these changes aim to improve data security, they also introduce new compliance burdens that could be challenging for many regulated entities.

Key proposed changes to the HIPAA Security Rule

1. Greater specificity in security requirements

Historically, the HIPAA Security Rule provided flexibility by outlining broad security categories without mandating specific implementation measures. While this adaptability allowed organizations to tailor their security programs, it also created compliance ambiguities and enforcement challenges. The newly proposed rule introduces more detailed and prescriptive requirements, including:

  • Asset inventory and network mapping
    • Organizations must maintain a comprehensive inventory of technology assets, including identification, version, accountability, and location.
    • A network map illustrating the movement of ePHI across systems is required.
  • Risk analysis and patch management
    • Annual review and update of risk analysis and risk management plans.
    • Mandatory patching of critical risks within 15 days and high risks within 30 days.
  • Access control and workforce security
    • Termination of workforce access to ePHI within one hour of employment cessation.
    • 24-hour notification requirement when a workforce member loses access at another regulated entity.
    • New employees must complete security training within 30 days of system access.
  • Network security and monitoring
    • Mandatory network segmentation to prevent lateral movement in case of a breach.
    • Real-time system monitoring to detect unauthorized activity and alert workforce members.
  • Authentication and identity management
    • Mandatory multifactor authentication for system access and privilege changes.
    • Implementation of strong password policies aligned with industry standards.
  • Security testing and incident response
    • Annual penetration testing and twice-yearly vulnerability scanning to identify risks.
    • Establishment of a security incident response plan with annual testing.
  • Backup and disaster recovery enhancements
    • ePHI backups must occur at least every 48 hours, with a 72-hour recovery time for critical systems.
    • Monthly testing of data restoration processes.

2. Elimination of “addressable” implementation specifications

Under the current rule, certain security measures are designated as “addressable,” meaning that organizations can implement them based on reasonableness and appropriateness, or document why an alternative measure was chosen. The proposed rule eliminates this flexibility, making previously addressable requirements mandatory.

Encryption of ePHI at rest and in transit will be required in nearly all cases.

Limited exceptions apply only when:

  • A technology asset does not support encryption and the organization has a migration plan.
  • A patient explicitly requests unencrypted communication and acknowledges the risks.
  • Encryption is unavailable in an emergency situation.
  • The system is FDA-regulated and certain conditions apply.

This raises concerns about operational feasibility, as the rule does not explicitly allow common unencrypted communications such as text-based appointment reminders or patient notifications.

3. Expanded documentation and compliance verification

The proposal significantly expands compliance documentation, verification, and reporting obligations. Regulated entities would be required to:

  • Conduct annual security audits to verify compliance.
  • Obtain written security attestations from business associates every 12 months, including:
    • A cybersecurity expert’s written analysis confirming technical safeguards.
    • A certification verifying the accuracy of the analysis.
  • Review and test policies and procedures annually, including:
    • Patch management
    • Risk analysis updates
    • Workforce sanctions
    • Media disposal and reuse
    • Contingency plans

4. Stricter enforcement and compliance obligations

OCR is shifting toward greater enforcement accountability, making it clear that merely having a policy in place is no longer sufficient. The proposed rule would require regulated entities to:

  • Demonstrate that security measures are actively deployed and operational.
  • Ensure that implemented controls are continuously monitored and updated.
  • Regularly test compliance through internal audits and external verification.

This change was prompted in part by a court ruling (University of Texas M.D. Anderson Cancer Center v. HHS), which found that OCR’s enforcement authority was limited when entities had encryption mechanisms in place but were not consistently using them. The new rule seeks to close that gap by requiring proof of actual implementation and functionality.

Implementation timeline and potential regulatory outlook for proposed HIPAA Security Rule changes

Public comments were due by March 7, 2025. If finalized, organizations will have 240 days to comply (60 days after the final rule is published, plus an additional 180 days). Business associate agreements must be updated within one year of the final rule’s effective date.

With the recent change in administration, there is uncertainty about whether the rule will be finalized under the new administration. However, bipartisan consensus exists on the need for stronger healthcare cybersecurity. The Trump administration previously enforced the HIPAA Security Rule similarly to Democratic administrations. While Trump’s general approach is deregulatory, this proposal may still advance due to the ongoing threat of healthcare data breaches.

Key areas for stakeholder feedback

With the March 7, 2025, deadline approaching, regulated entities should evaluate the potential impact of the proposed changes and consider submitting comments to OCR on:

  • Operational feasibility of annual policy reviews, audits, and compliance testing.
  • Burden of obtaining written security attestations from all business associates.
  • Additional exceptions for encryption mandates, particularly for patient-initiated communications.
  • Clarification on shared security responsibilities in cloud computing environments.
  • Refinement of the definition of “security incidents” to exclude unsuccessful breach attempts.

Next steps for regulated entities

Given the likelihood of increased enforcement, organizations should begin preparing now by:

  • Assessing current security practices against the proposed requirements.
  • Identifying gaps in encryption, risk analysis, and workforce training policies.
  • Reviewing business associate agreements for necessary updates.
  • Preparing for increased audit and verification obligations.
  • Engaging in industry advocacy to ensure feasible and practical implementation standards.

By proactively addressing these upcoming changes, regulated entities can position themselves for compliance while minimizing operational disruptions.

BerryDunn’s healthcare consulting team has the expertise your organization needs to ensure compliance with HIPAA. Learn more about our team and services.

Article
Proposed HIPAA Security Rule changes: Key considerations for regulated entities

For foster teens, the path to adulthood is uniquely challenging. As thousands of young adults age out of the foster care system each year, many child welfare agencies are searching for ways to better support them through this transition. According to Dr. Elizabeth Wynter, child welfare advocate and author of Follow the Love: Permanent Connections Scaffolding, the key is to build strong youth-adult partnerships. In a recent episode of BerryDunn’s Fresh Perspectives in Social Work podcast, Dr. Wynter and I discussed the need for a “connection scaffold” and offered insights on improving outcomes for foster youth. Here are five takeaways from our conversation.

Fostering relationships with youth

The most important element in a young person’s life is having a supportive adult connection. This “connection scaffolding” is essential if we want young people to be able to form long-term, healthy attachments and make a successful transition to adulthood. Every interaction with a young person is an opportunity to build trust—too often, we make decisions based on liability, rather than the best interests of our youth. So, as child welfare people, we have to ask ourselves: Are we just being transactional or are we being relational in our interactions? Well-being is built on relationships.

Integrate youth voice in the child welfare system

Child welfare advocates recognize the importance of actively involving and empowering young people in the system to ensure their voices are heard and considered when making decisions that impact their lives. But integrating youth voices can be a challenge that requires a change in attitudes, values, and beliefs. We need to be ready to have young people at the table, but we haven’t yet changed our training or approach. This requires a shift in thinking: to perceive youth not as service recipients but as organizational assets. By creating youth-adult partnerships, we can learn from young people what leads to success.

Value all existing connections with foster children

There’s no greater loss for a young person than losing their primary caregiver. Being pulled away from one’s family to live with strangers is very frightening. They are dealing with loss and grief, and often we don’t give them enough time to process the loss before they can open up to a new relationship. Research shows that more than half of youth will end up living with a relative when they age out of care. So, instead of severing those family connections, we can work to scaffold them. We can teach young people about healthy boundaries so when they re-enter those connections, they will be better prepared. All connections can be of value.

Focus on social-emotional needs

Becoming an adult is a challenging transition for all young people, but foster youth have a steeper climb than their peers because they lack adequate support and guidance. During COVID, foster youth fell even further behind academically, emotionally, and socially. If our goal is to help young people become interdependent, as opposed to independent, it’s important to teach them interpersonal communication, socialization, and help-seeking skills. Focusing on social-emotional needs is essential if we are to prepare our young people for the journey ahead.

Follow the data for improved child welfare outcomes

What is success? Unless we begin tracking the outcomes for youth in the foster care system, we don’t know what works. How many of our young people at any given time have graduated college? How many have jobs? When we cut off their stipends, are they going to be homeless? By doing a self-sufficiency matrix that identifies how youth are moving toward self-sufficiency, child welfare agencies can begin to deliver more targeted, need-based services rather than one-size-fits-all. It takes time, but we need numbers to really understand whether or not our services are of value.

BerryDunn’s child welfare consulting team works with agencies to develop sustainable programs that support the safety and well-being of children and families while also supporting child welfare professionals. We help agencies leverage data and drive effective decision-making for interested parties, creating more stable environments that reduce child vulnerability. Learn more about our child welfare team and services.

Article
Youth engagement in child welfare: Supporting the transition to adulthood