New State order for Health Insurance Companies

July 1 2022
Insurance Data Security Risk Assessment and Reporting

The state of Virginia announced this week that it has made changes to its state HIPAA laws (14VAC5-430) and is now formally requiring health insurers to perform an annual NIST-based Cybersecurity Risk Analysis. The new requirements were released in a statement from the Commonwealth of Virginia and are included below:

  • Requirements for implementing a periodic Information Security Program Risk Assessment, which will, among other things, identify internal or external cybersecurity threats and address safeguards to manage the potential threats.
  • Requirements for implementing Information Security Program Security Measures to manage, protect against and respond to cybersecurity threats.
  • Requirements and obligations of the Bureau's licensees who engage third-party providers to ensure compliance with the Code and the Rules.
  • Requirements for reporting cybersecurity events to the Commissioner of Insurance and maintaining related records.

14VAC5-430 (Insurance Data Security Risk Assessment and Reporting), adding 14VAC5-430-10 through 14VAC5-430-70

Why are they implementing these changes now?

The OCR has made a statement about the increasing number of non-compliance cases for health insurers across the country, and the particularly sensitive nature of the information that these businesses carry necessitates the change. This is clearly a concern for the Commonwealth of Virginia, and many other states may follow with statements announcing formal changes to their own state requirements. The proposed effective date is December 1, 2020. Compliance with the provision is required on or before July 1, 2022.

HIPAA One’s Security Risk Analysis (SRA) software addresses the requirements of these proposed changes and all other HIPAA requirements, while also automating 82% of the time and effort that this project requires. Our SRA is a TurboTax-like solution for health insurers of all sizes who need to comply with state regulations and perform a security risk assessment.

Using HIPAA One to Complete your Security Risk Analysis

HIPAA One’s simple and automated approach includes a Technical Security Baseline (TSB) inspired by the NIST 800-30 standard and the NIST 800-53 framework, which covers cybersecurity threats and compliance. As a recognized third-party compliance specialist, we guarantee you will be compliant and pass an audit when you use HIPAA One. Our team of professional auditors is available to answer any questions about these or future changes and will help you each step of the way. For more information about our SRA and other HIPAA solutions, visit our solutions page.

Updates for INS-2020-00168, Chapter 430, Insurance Data Security Act Regulation can be found here.

  • 64,000+ Providers
  • 7,000+ Locations
  • 100% Pass Rate
  • 5/5 Star Reviews

Let HIPAA One do the heavy lifting for your company when it comes to compliance. Make us part of your team to stay up to date, stay automatically compliant, and, most importantly, protect your clients' information.

Simplify HIPAA COMPLIANCE

Join Us in Our Mission to Simplify HIPAA Compliance!

Simple. Automated. Affordable.
