The Department of Health and Human Services has issued a Notice of Proposed Rulemaking (NPRM) that signals significant changes to the HIPAA Security Rule, and DME providers should take note.
While these updates aren’t law yet, the direction is clear: vague standards are becoming firm requirements. That means more documentation, more testing, and more accountability—especially when it comes to how you handle electronic protected health information (ePHI).
“Many things that were optional before are now required,” says Dean Landry, IT Services Manager at Medbill. “This will take time, coordination, and involvement across your organization.”
Meet the Expert: Dean Landry
Since October 2022, Dean Landry has brought a deep understanding of tech and ever-changing healthcare regulations to his role as Medbill’s IT Services Manager. With over two decades of IT leadership experience spanning enterprise infrastructure, cybersecurity, cloud migration, and higher education systems, Landry is uniquely equipped to guide organizations through the technical and operational demands of HIPAA compliance.
NPRM: A Shift from Guidance to Enforcement
HIPAA has long been filled with gray areas. Certain controls were previously “addressable,” meaning organizations could opt out if they documented why a control wasn’t feasible. That’s about to change.
“The NPRM is firming up those requirements,” Landry explains. “Where they used to say, ‘You should encrypt data,’ now they’ll say, ‘You must encrypt data in transit and at rest.’ There’s much less room for interpretation.”
The updates will require:
- Annual review and documentation of all HIPAA-related policies
- Enhanced technical and physical safeguards
- Proof that compliance activities are happening, not just policies saying they will
This shift will hit smaller DME companies hardest. “If you’re a three-person organization, you still have to comply,” Landry notes. “Even if you outsource help, the responsibility still falls on you.”
The Heaviest Lifts for DME Providers
Several NPRM provisions stand out for the effort they’ll require to implement:
Data Flow Mapping for ePHI
Organizations must trace the flow of ePHI across all systems and processes—from intake to archiving—and assess protections at every step.
“This one’s a mess,” Landry admits. “You need input from multiple departments just to understand where the data moves, and then you have to document how it’s protected throughout.”
Monthly Audit Log Reviews
Systems that handle ePHI must log every access and change. Those logs must be reviewed monthly and retained for a period of six years.
“If there’s a breach, HHS can come to you and ask who accessed a record five years ago,” Landry says. “You have to be able to produce that data.”
Disaster Recovery Testing
Previously, it was enough to have a disaster recovery plan on paper. Now, providers must prove they’ve tested it—either with real backups or a documented tabletop simulation.
“Simulation is the minimum,” says Landry. “You sit down with everyone involved in a real incident and walk through the response. That alone can take hours.”
Monthly Micro-Trainings
HIPAA training is no longer a once-a-year exercise. Monthly training, quizzes, and performance tracking will become standard, especially for teams that handle PHI daily.
Stricter Vendor Oversight
Every vendor—even those who might only incidentally access PHI—must undergo formal screening. That could include security questionnaires, policy reviews, or compliance attestations.
“If we send a laptop for repair and there’s a chance it contains PHI, that vendor needs a signed Business Associate Agreement (BAA),” Landry explains. “You need records proving that even your cleaning crew won’t accidentally access patient data.”
DMEs: Here’s How to Prepare for Upcoming Changes
Although the NPRM is still in its comment period, many experts expect a substantial version of it to be finalized.
Delaying preparation only increases your risk. Here’s where to start:
- Inventory your systems: Know which tools and processes handle PHI.
- Map your workflows: Identify where ePHI flows—and where it’s vulnerable.
- Review your policies: Make sure they’re current, complete, and actually followed.
- Document everything: HIPAA doesn’t just want plans—it wants proof.
- Involve your leadership team: Compliance is bigger than IT.
“This isn’t something one person can do alone,” Landry says. “It takes HR, executive leadership, IT, operations—everyone has a role.”
Need Guidance? Medbill Can Help.
Many DME providers (especially those with small operations) don’t have the resources to manage these changes internally, and that’s where outside expertise can help.
Whether it’s documenting your data flow, running a disaster recovery test, or evaluating your vendor risk, the Medbill team is here to help you prepare without scrambling once the rule becomes law.
Don’t wait for the final rule to take action. Contact Medbill to start building your compliance strategy now.