New State order for Health Insurance Companies

Insurance Data Security Risk Assessment and Reporting

The state of Virginia announced this week that it has made changes to state HIPAA laws (14VAC5-430) and now formally requires health insurers to perform an annual NIST-based Cybersecurity Risk Assessment. The new requirements were released in a statement from the Commonwealth of Virginia and are included below:

  • Requirements for implementing a periodic Information Security Program Risk Assessment, which will, among other things, identify internal or external cybersecurity threats and address safeguards to manage the potential threats.
  • Requirements for implementing Information Security Program Security Measures to manage, protect against and respond to cybersecurity threats.
  • Requirements and obligations of the Bureau’s licensees who engage third-party providers to ensure compliance with the Code and the Rules.
  • Requirements for reporting cybersecurity events to the Commissioner of Insurance and maintaining related records.

14VAC5-430. Insurance Data Security Risk Assessment and Reporting adding 14VAC5-10-14VAC-430-70

Why are they implementing these changes now?

The OCR has made a statement about the increasing number of non-compliance cases for health insurers across the country, and the particularly sensitive nature of the information that these businesses carry necessitates the change. This is clearly a concern for the Commonwealth of Virginia, and many other states may follow by making statements with formal changes to their state requirements. The proposed effective date is December 1, 2020. Compliance with the provision is required on or before July 1, 2022.

Intraprise Health’s Security Risk Assessment (SRA) software addresses requirements for these proposed changes and all other HIPAA requirements while also automating 82% of the time and effort that this project requires. Our SRA is a TurboTax-like solution for Health Insurers of all sizes who need to comply with state regulations and perform a security risk assessment.

Using HIPAA One® to Complete your Security Risk Assessment

HIPAA One®’s simple and automated approach includes a Technical Security Baseline (TSB) inspired by the NIST 800-30 standard and NIST 800-53 framework, which covers cybersecurity threats and compliance. As a recognized third-party compliance specialist, we guarantee you will be compliant and pass an audit when you use HIPAA One®. Our team of professional auditors is available to answer any questions about these or future changes and will help you each step of the way. For more information about our SRA and other HIPAA solutions, visit our solutions page.