
Read this if your organization is subject to HIPAA regulations.

For over two decades, the HIPAA Security Rule has remained largely unchanged, aside from extending its scope beyond covered entities to include business associates. During this time, cybersecurity threats in the healthcare sector have grown significantly, and the US Department of Health and Human Services Office for Civil Rights (OCR) has gained extensive enforcement experience.

To address evolving threats and regulatory challenges, OCR has issued proposed modifications to the Security Rule, introducing stricter security controls, mandatory encryption requirements, and a shift away from “addressable” implementation specifications. While these changes aim to improve data security, they also introduce new compliance burdens that could be challenging for many regulated entities.

Key proposed changes to the HIPAA security rule

1. Greater specificity in security requirements

Historically, the HIPAA Security Rule provided flexibility by outlining broad security categories without mandating specific implementation measures. While this adaptability allowed organizations to tailor their security programs, it also created compliance ambiguities and enforcement challenges. The newly proposed rule introduces more detailed and prescriptive requirements, including:

  • Asset inventory and network mapping
    • Organizations must maintain a comprehensive inventory of technology assets, including identification, version, accountability, and location.
    • A network map illustrating the movement of ePHI across systems is required.
  • Risk analysis and patch management
    • Annual review and update of risk analysis and risk management plans.
    • Mandatory patching of critical risks within 15 days and high risks within 30 days.
  • Access control and workforce security
    • Termination of workforce access to ePHI within one hour of employment cessation.
    • 24-hour notification requirement when a workforce member loses access at another regulated entity.
    • New employees must complete security training within 30 days of system access.
  • Network security and monitoring
    • Mandatory network segmentation to prevent lateral movement in case of a breach.
    • Real-time system monitoring to detect unauthorized activity and alert workforce members.
  • Authentication and identity management
    • Mandatory multifactor authentication for system access and privilege changes.
    • Implementation of strong password policies aligned with industry standards.
  • Security testing and incident response
    • Annual penetration testing and biannual vulnerability scanning to identify risks.
    • Establishment of a security incident response plan with annual testing.
  • Backup and disaster recovery enhancements
    • ePHI backups must occur at least every 48 hours, with a 72-hour recovery time for critical systems.
    • Monthly testing of data restoration processes.

2. Elimination of “addressable” implementation specifications

Under the current rule, certain security measures are designated as “addressable,” meaning that organizations can implement them based on reasonableness and appropriateness, or document why an alternative measure was chosen. The proposed rule eliminates this flexibility, making previously addressable requirements mandatory.

Encryption of ePHI at rest and in transit will be required in nearly all cases.

Limited exceptions apply only when:

  • A technology asset does not support encryption and the organization has a migration plan.
  • A patient explicitly requests unencrypted communication and acknowledges the risks.
  • Encryption is unavailable in an emergency situation.
  • The system is FDA-regulated and certain conditions apply.

This raises concerns about operational feasibility, as the rule does not explicitly allow common unencrypted communications such as text-based appointment reminders or patient notifications.

3. Expanded documentation and compliance verification

The proposal significantly expands compliance documentation, verification, and reporting obligations. Regulated entities would be required to:

  • Conduct annual security audits to verify compliance.
  • Obtain written security attestations from business associates every 12 months, including:
    • A cybersecurity expert’s written analysis confirming technical safeguards.
    • A certification verifying the accuracy of the analysis.
  • Review and test policies and procedures annually, including:
    • Patch management
    • Risk analysis updates
    • Workforce sanctions
    • Media disposal and reuse
    • Contingency plans

4. Stricter enforcement and compliance obligations

OCR is shifting toward greater enforcement accountability, making it clear that merely having a policy in place is no longer sufficient. The proposed rule would require regulated entities to:

  • Demonstrate that security measures are actively deployed and operational.
  • Ensure that implemented controls are continuously monitored and updated.
  • Regularly test compliance through internal audits and external verification.

This change was prompted in part by a court ruling (University of Texas M.D. Anderson Cancer Center v. HHS), which found that OCR’s enforcement authority was limited when entities had encryption mechanisms in place but were not consistently using them. The new rule seeks to close that gap by requiring proof of actual implementation and functionality.

Implementation timeline and potential regulatory outlook for proposed HIPAA Security Rule changes

Public comments were due by March 7, 2025. If finalized, organizations will have 240 days to comply (60 days after the final rule is published, plus an additional 180 days). Business associate agreements must be updated within one year of the final rule’s effective date.

With the recent change in administration, there is uncertainty about whether the rule will be finalized. However, bipartisan consensus exists on the need for stronger healthcare cybersecurity. The Trump administration previously enforced the HIPAA Security Rule similarly to Democratic administrations. While Trump’s general approach is deregulatory, this proposal may still advance due to the ongoing threat of healthcare data breaches.

Key areas for stakeholder feedback

With the March 7, 2025, deadline approaching, regulated entities should evaluate the potential impact of the proposed changes and consider submitting comments to OCR on:

  • Operational feasibility of annual policy reviews, audits, and compliance testing.
  • Burden of obtaining written security attestations from all business associates.
  • Additional exceptions for encryption mandates, particularly for patient-initiated communications.
  • Clarification on shared security responsibilities in cloud computing environments.
  • Refinement of the definition of “security incidents” to exclude unsuccessful breach attempts.

Next steps for regulated entities

Given the likelihood of increased enforcement, organizations should begin preparing now by:

  • Assessing current security practices against the proposed requirements.
  • Identifying gaps in encryption, risk analysis, and workforce training policies.
  • Reviewing business associate agreements for necessary updates.
  • Preparing for increased audit and verification obligations.
  • Engaging in industry advocacy to ensure feasible and practical implementation standards.

By proactively addressing these upcoming changes, regulated entities can position themselves for compliance while minimizing operational disruptions.

BerryDunn’s healthcare consulting team has the expertise your organization needs to ensure compliance with HIPAA. Learn more about our team and services.

Proposed HIPAA Security Rule changes: Key considerations for regulated entities

In late 2024, the Centers for Medicare and Medicaid Services (CMS) launched a sweeping off-cycle mandate requiring all skilled nursing facilities (SNFs) in the United States to revalidate their Medicare provider enrollment record. Facilities of all types, including for-profit and not-for-profit, are affected.

This revalidation, which is required to maintain your Medicare participation, is due by May 1, 2025. For SNFs grappling with this fast-approaching application deadline, here are five things to know about the changes, process, and new information that will keep your billing privileges current.

1. What has changed, and why?

The CMS mandate introduced new disclosure requirements that are far more extensive than previous reporting requirements. The intent is to promote transparency by collecting more comprehensive data on:

  • Skilled nursing facility ownership and control structures.

  • Information on designated parties, including organizational and ownership structures, associated with SNFs. Notably, SNFs must identify and report all Additional Disclosable Parties (ADPs).

  • A final rule regarding Disclosures of Ownership and Additional Disclosable Parties Information for Skilled Nursing Facilities and Nursing Facilities was published by CMS in 2023. Read the final rule.

As part of this effort, CMS updated the Form CMS-855A application and developed a 20-page SNF-specific attachment that is required for SNF reporting. Additionally, CMS published and subsequently updated new Guidance on the CMS-855A Form with SNF Attachment, which outlines the changes, process, forms, and required information and supporting documents.

Tip: Given the complexity of the new requirements, SNFs are encouraged to consult with legal counsel to ensure compliance. Working with outside credentialing and enrollment professionals can also be helpful in guiding SNFs through the revalidation process.

2. Who must be disclosed?

The CMS requires detailed information to be collected on ownership, management, and related parties, including these individuals and entities:

  • Every member of the SNF’s governing body

  • Every person or entity who is an officer, director, member, partner, trustee, or managing employee

  • Every person or entity who is an additional disclosable party (ADP) of the SNF

  • The organizational structure of each ADP and a description of the relationship of each ADP to the SNF and one another

Tip: Start by making a thorough assessment of your organization’s ownership and management structure. Identify all relevant parties, including organizations and individuals, according to the new, broader definitions contained in the CMS guidance.

3. What are the new ADP disclosure requirements?

The newly updated reporting requirements mandate increased disclosures about additional disclosable parties (ADPs). In general, the definition of an ADP applies to any person or entity who:

  • Exercises operational, financial, or managerial control over the SNF

  • Provides real estate to the SNF

  • Delivers management or administrative services, consulting, or accounting/financial services to the facility

SNFs are also required to provide information on the ADPs' organizational structures and to describe the relationships between ADPs and the facility.

Tip: Refer to the guidance provided by CMS to fully understand the new, broader definition of ADPs. Begin by identifying all ADPs associated with your facility and thoroughly document all existing service relationships.

4. What else might trigger reporting?

The new regulations include expanded definitions of parties with operational, financial, or managerial control that are now subject to a SNF’s reporting requirements. For example:

  • Managerial control now includes “managing organizations” or “managing employees” such as a general manager, business manager, administrator, director, or consultant who directly or indirectly manages, advises, or supervises any element of the practices, finances, or operations of the SNF

  • Operational control refers to the oversight and responsibility for the SNF’s daily activities and transactions and is not limited to those in supervisory roles. Any degree of responsibility for operations, even informal, may trigger the disclosure requirements

  • Financial control can include monitoring or managing the SNF’s finances, authority to approve the expenditure of SNF funds, an owning organization that funds part of the SNF’s operations, or banks that have given the SNF a line of credit

Tip: The new regulations have broadened the scope of these areas of influence with SNFs. As previously mentioned, it’s important to thoroughly review the definitions provided in the CMS guidance to be sure you’re in compliance.

5. What type of data gets collected and disclosed?

The new regulations require SNFs to disclose detailed information about both organizations and individuals with ownership interests and/or managing control. For organizations, this includes but is not limited to:

  • Legal business name (LBN)
  • Doing business as name (DBA)
  • Whether or not they have less than 5% ownership interest, or are an ADP without ownership or managing control of the SNF
  • Tax Identification Number (TIN) – not required if the ADP has less than 5% ownership interest
  • National Provider Identifier (NPI) of the organization with ownership interest/managing control
  • IRS Proprietary/Non-Profit Status (proprietary, non-profit, disregarded entity)

SNFs must also report data on individuals with ownership interest and/or managing control. Information disclosing their relationship with the facility includes but is not limited to whether they have:

  • 5% or greater direct ownership interest
  • 5% or greater indirect ownership interest
  • 5% or greater mortgage interest
  • 5% or greater security interest
  • General partnership interest in the SNF
  • Limited partnership interest in the SNF
  • Managing control, such as corporate officers, corporate directors, and W-2 managing employees

Tip: The new revalidation process requires SNFs to collect and keep track of more detailed information than ever before. A best practice is to develop internal processes for collecting, maintaining, and reporting ownership and control information.

As you prepare your CMS-855A application, remember that you have the choice of filing it through the mail or using the preferred secure online format via the PECOS portal.

We're here to help

With the May 1, 2025, deadline approaching, it can be helpful to work with an experienced team of credentialing professionals who will help you navigate the complex process of meeting the new revalidation requirements. For example, BerryDunn’s Credentialing and Enrollment Team has developed a valuable, proprietary tool to help client organizations collect, organize, and track ownership, control, and ADP information, and to guide them through the CMS revalidation process. Additional CMS resources are available, including PECOS support, via the External User Services (EUS) Help Desk. The Help Desk can also be reached by phone at 1.866.484.8049 or email at EUS_Support@cms.hms.gov.

Tips and takeaways: What SNFs should know about CMS mandated enrollment revalidation

For foster teens, the path to adulthood is uniquely challenging. As thousands of young adults age out of the foster care system each year, many child welfare agencies are searching for ways to better support them through this transition. According to Dr. Elizabeth Wynter, child welfare advocate and author of Follow the Love: Permanent Connections Scaffolding, the key is to build strong youth-adult partnerships. In a recent episode of BerryDunn’s Fresh Perspectives in Social Work podcast, Dr. Wynter and I discussed the need for a “connection scaffold” and offered insights on improving outcomes for foster youth. Here are five takeaways from our conversation.

Fostering relationships with youth

The most important element in a young person’s life is having a supportive adult connection. This “connection scaffolding” is essential if we want young people to be able to form long-term, healthy attachments and make a successful transition to adulthood. Every interaction with a young person is an opportunity to build trust—too often, we make decisions based on liability, rather than the best interests of our youth. So, as child welfare people, we have to ask ourselves: Are we just being transactional or are we being relational in our interactions? Well-being is built on relationships.

Integrate youth voice in the child welfare system

Child welfare advocates recognize the importance of actively involving and empowering young people in the system to ensure their voices are heard and considered when making decisions that impact their lives. But integrating youth voices can be a challenge that requires a change in attitudes, values, and beliefs. We need to be ready to have young people at the table, but we haven’t yet changed our training or approach. This requires a shift in thinking: to perceive youth not as service recipients but as organizational assets. By creating youth-adult partnerships, we can learn from young people what leads to success.

Value all existing connections with foster children

There’s no greater loss for a young person than losing their primary caregiver. Being pulled away from one’s family to live with strangers is very frightening. They are dealing with loss and grief, and often we don’t give them enough time to process the loss before they can open up to a new relationship. Research shows that more than half of youth will end up living with a relative when they age out of care. So, instead of severing those family connections, we can work to scaffold them. We can teach young people about healthy boundaries so when they re-enter those connections, they will be better prepared. All connections can be of value.

Focus on social-emotional needs

Becoming an adult is a challenging transition for all young people, but foster youth have a steeper climb than their peers because they lack adequate support and guidance. During COVID, foster youth fell even further behind academically, emotionally, and socially. If our goal is to help young people become interdependent, as opposed to independent, it’s important to teach them interpersonal communication, socialization, and help-seeking skills. Focusing on social-emotional needs is essential if we are to prepare our young people for the journey ahead.

Follow the data for improved child welfare outcomes

What is success? Unless we begin tracking the outcomes for youth in the foster care system, we don’t know what works. How many of our young people at any given time have graduated college? How many have jobs? When we cut off their stipends, are they going to be homeless? By doing a self-sufficiency matrix that identifies how youth are moving toward self-sufficiency, child welfare agencies can begin to deliver more targeted, need-based services rather than one-size-fits-all. It takes time, but we need numbers to really understand whether or not our services are of value.

BerryDunn’s child welfare consulting team works with agencies to develop sustainable programs that support the safety and well-being of your children and families while supporting child welfare professionals. We work with agencies to leverage data and drive effective decision-making for interested parties to create more stable environments that support the reduction in child vulnerability. Learn more about our child welfare team and services.

Youth engagement in child welfare: Supporting the transition to adulthood

In today's data-driven world, the ability to share information between Medicaid and Public Health Agencies (PHAs) is crucial for efficiently using limited resources to serve both individual patient and population health goals and priorities. Often, states already have the needed technology, but they don’t have the partnerships or workforce infrastructure to leverage existing investments across different agencies.

At BerryDunn, we bring together experts from different disciplines to take on current challenges. Our experience offers states and territories realistic and proven strategies that maximize existing investments to make the broadest impact on a population’s health and well-being.

The following are some planning considerations for uniting Medicaid and public health in accomplishing unique goals with shared resources, and bringing much-needed, sustainable resources to modernize public health systems.

Understand existing data systems

It is essential to understand the context of Medicaid and public health data systems and build solutions based on current realities. For instance, the Medicaid Enterprise System (MES) is a portfolio of systems that support various functions such as beneficiary eligibility, care management, provider enrollment, and often, data analytics to enable value-based care models. In many places, Medicaid is also funding, or has a great stake in, the Health Information Exchange (HIE) system(s), which centralizes clinical health information for access across disparate care settings. Meanwhile, PHAs have information systems to support their responsibility to be the source of truth for tracking birth/death records, surveillance, prevention, disease prevalence, and outbreaks. This information collectively informs prevention efforts and helps to monitor and respond to public health threats.

Understand the funding drivers

Medicaid IT systems are funded through a combination of federal and state resources; the federal government provides matching funds from the Centers for Medicare & Medicaid Services (CMS). Federal investments vary by state, but CMS often invests in systems that enable effective Medicaid operations. Some of these CMS-supported systems are typical of Medicaid, such as claims management systems, while others are typical of public health departments, such as immunization registries. Public health information systems receive funding from various federal sources to support efforts like vital records reporting, disease registries, and syndromic surveillance. After decades of underfunding, the Centers for Disease Control and Prevention (CDC) released the Public Health Infrastructure Grant (PHIG), which allocates funding to health departments to support upgrades to technology, training, and staffing for modernized disease detection, prevention, and response. The PHIG-supported infrastructure may include some of the same systems in the Medicaid Enterprise.

Promote data interoperability

One of the main challenges in health information sharing is ensuring that different data systems can communicate with each other. This means adopting standardized data formats and protocols that enable different systems to share and interpret data accurately. Both clinical and public health data sets are defined by clear data standards; however, that does not mean the healthcare community is adhering to these standards consistently. Matters of equity, technical and workforce enhancements, and policy enforcements and incentives all require local collaboration, expert support, and partnerships with leaders aiming for interoperability.

Establish clear governance and policies

Effective health information sharing requires clear governance structures and policies that outline how data will be shared, who will have access, and how privacy will be maintained. Developing a framework that addresses these aspects can help build trust between Medicaid and PHAs, ensuring that data is used responsibly, ethically, and in line with federal and state law.

Draw on proven case studies

Look for proven examples of information sharing that has provided valuable insights. Across the nation, MES and PHAs are working together to leverage IT infrastructure to support wide-reaching population health goals. Whether it's ensuring that health records contain accurate death data or that public health has real-time laboratory results on disease outbreaks, there is a lot to learn from what is working in the field.

The COVID-19 pandemic proved that health information system infrastructure was not sufficient, and that existing systems were not being used to their capacity. One prevalent example is the underuse of HIEs to support both Medicaid and PHA data aggregation and sharing needs. HIEs can serve as a clearing house for real-time clinical data directly from the sources of Electronic Health Records (EHRs), laboratory information management systems (LIMS), and other community information systems. By identifying shared data needs, Medicaid and PHAs can analyze current information for a variety of foundational use cases that align directly with their strategic goals. Many states and territories have made progress in this area.

Take the first step

Building strong relationships between Medicaid and PHAs is essential if states/territories want to leverage existing IT investments to bolster programs focused on improving health and well-being. Start with finding a champion who is willing to understand the mutual benefits of working together and is a trusted voice with agency leadership. Meet your partners where they are, beginning with what drives them (e.g., environmental pressure, funding sources, existing IT, the mission of their organization). Be consistent and expect that building partnerships that catalyze such transformative impact will take time and energy.

By leveraging existing data systems and fostering a collaborative environment, states/territories can achieve broad information-sharing goals that enhance health outcomes. What do you think about these strategies? Do you have any specific goals or challenges that your state/territory needs help with? Let’s connect!

At BerryDunn, we have hands-on experience working with both Medicaid and PHAs. We can help with strategic planning and coordinating efforts to draft and submit funding requests like APDs, launching projects that benefit both agencies through shared goals and activities. Learn more about our services and contact the Public Health team.

Bridging the gap: Information sharing for Medicaid and public health agencies

Public health is at a crossroads. With the lessons learned from COVID-19 and a workforce on the brink of burnout, now is the time for transformative action. By reimagining operations, infrastructure, and health equity, we can shape a system that’s responsive to future challenges.

Applying lessons learned during the COVID-19 response, our post-pandemic world requires public health to embrace a culture of change and discover new ways to offer services and improve health outcomes. Fostering an educated and resilient workforce, operationalizing health equity, strengthening partnerships and funding, enhancing organizational change management, and improving data collection and sharing efforts are key considerations for public health leaders navigating the transformation process.

Through transformation, public health agencies can build a system that is more engaged with partners and responsive to future community health challenges. When agencies are more capable of meeting the needs of communities, they essentially increase their abilities to enhance health outcomes across the country.

Since 2014, the Public Health Workforce Interest and Needs Survey (PH WINS) has assessed the governmental public health workforce in the United States. The survey, conducted by the de Beaumont Foundation and the Association of State and Territorial Health Officials (ASTHO), identifies the public health workforce’s opportunities and challenges including demographics, job characteristics, employee engagement, and training needs within public health agencies. The 2021 survey was conducted during the COVID-19 response and provided meaningful insights that public health leaders could use to make decisions about the current workforce and set priorities for the future workforce with the goals of improving the employee experience and increasing the effectiveness of public health efforts across communities.

Key survey findings

The 2021 PH WINS identified a diverse public health workforce in terms of age, educational background, and experience but also recognized challenges posed by an aging workforce. The survey found a significant proportion of public health professionals nearing retirement, which presents a potential problem for sustainability and a critical need for succession planning within public health agencies.

Taking a deeper look into the demographic gaps identified by survey respondents, most public health professionals identified as white (54%), female (79%), and aged 40 or older (63%). Nearly half of the nation’s public health workforce reported being between the ages of 31 and 50 years, and nearly half of the professionals had served in public health agencies for five years or less while 13% had served for 21 or more years.

To safeguard communities, promote health equity, and prevent disease, public health professionals are essential. Understanding the workforce’s reasons for leaving the field is crucial for succession planning, recruitment, and retention. The top reasons identified by survey respondents for leaving include work overload, burnout, and stress. More than 25% of public health staff stated they are considering leaving their organization within the next year, and 24% reported that the COVID-19 pandemic had an impact on the decision.

According to the survey, job satisfaction and morale should be areas of concern for public health leaders even though many public health professionals reported they are dedicated to their work. Over 50% of the respondents reported feeling burnt out, with the COVID-19 pandemic increasing these feelings. The results also acknowledge the importance of addressing and offering mental health services for public health professionals to work toward improving employee morale.

The PH WINS highlights several important opportunities and challenges involved in strengthening the public health workforce. Public health agencies must begin addressing burnout, offering mental health support, and guaranteeing access to professional development opportunities. The survey revealed that a substantial proportion of the workforce identified gaps in professional growth and training, with public health professionals saying they need more training in areas such as leadership, health equity, and data analysis.

According to the 2021 survey, the top five areas for training identified nationally by public health professionals across all supervisory levels include:

  • Budget and financial management
  • Systems and strategic thinking
  • Community engagement
  • Change management
  • Policy engagement

Opportunities for improvement through public health transformation

By addressing and closing gaps, the public health system will be more responsive, skilled, and versatile. Opportunities for improvement through public health transformation include identifying and addressing concerns within communities served by infusing a health equity lens throughout all areas of public health programs and implementing a data modernization strategy. The results of the PH WINS emphasize how important it is to plan and invest in the public health workforce to achieve goals to help ensure the safety and well-being of communities across the country.

The 2024 PH WINS, set to be released this summer, will give us a timelier temperature check on how the public health workforce is faring and whether the opportunities and challenges identified in 2021 remain relevant, have changed, or have been adequately addressed. As the public health landscape evolves, leaders must act decisively to strengthen the workforce, embed health equity into programs, and modernize data systems. By doing so, we can safeguard communities and ensure lasting positive health outcomes.

This is the first in a series of articles delving into opportunities for public health transformation. Learn more about our public health team and services.

Public health transformation: Addressing workforce challenges