New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal

Top Stories

Home>
Media & Technology>

        New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal
    News

        Getty Images, Kmatta
    
By Elaine Kim, ACEJan 20, 2026
Elaine Kim, ACE
Elaine Kim, Ace is a contributor for The Fulcrum, a nonpartisan publication dedicated to strengthening democracy by fostering informed civic engagement and elevating diverse perspectives.
 See More Writings by author 
Background
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information from being disclosed without patients’ consent. Under this act, a patient’s privacy is safeguarded through the enforcement of strict standards on managing, transmitting, and storing health information. 
In 2003, the U.S. Department of Health and Human Services published the HIPAA Security Rule. The Security Rule aimed to protect the security of a subset of identifiable patient information called Electronic Protected Health Information, or ePHI. Under this rule, regulated entities, such as providers and hospitals, are required to comply with administrative, technical, and physical requirements. 
On January 6, 2025, the Office for Civil Rights within the HHS issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule. NPRMs are a part of the federal rulemaking process in which a proposed rule is published in the Federal Register and made public and open to feedback from individuals, organizations, and other stakeholders. After reviewing the comments, agencies like the HHS can revise the rule before finalizing it. The proposed rule to the HIPAA Security Rule comes in response to a surge in data breaches in the healthcare industry. Cybersecurity challenges in healthcare top those of any other industry with over $10.93 million lost to breaches in 2024, a number that has been increasing in the past years. This NPRM seeks to “improve cybersecurity and better protect the American health care system from a growing number of cyberattacks” by strengthening the Security Rule. The Security Rule had only been changed once before, in 2013, under the HIPAA Omnibus Rule, and these changes were also aimed at enhancing the privacy of ePHI. 
Arguments in Favor
Supporters of the proposed changes to the HIPAA Security Rule argue that it is a crucial and necessary move to strengthen the privacy of electronic protected health information. They contend that the changes will close existing gaps in security by creating a more consistent defense and also increase the public’s trust in digital health systems. Proponents emphasize the stricter wording and removal of ambiguous language will enhance compliance and reduce vulnerabilities in protecting sensitive information.
Enhanced Privacy of ePHI
The proposed changes would ultimately strengthen protections around ePHI in response to the high utilization of electronic records and the increased risk for cyber incidents associated with electronic records. HHS aims to establish more consistent baseline regulations for all covered entities to ensure proper compliance and enhanced protection. The rule enforces more rigorous safeguards on formerly addressable controls through mechanisms such as a technical inventory, data mapping requirements, and mandatory authenticity controls. Together, these measures will aim to close existing security gaps and create a more uniform defense against cyber threats. 
Increased Public Trust
The proposed rule is also expected to increase and restore the public’s trust in the new world of digital health systems. Currently, breach costs and high frequency of attacks constantly put patients’ data at risk. Between 2018 and 2023, breach reports made to OCR doubled and the number of people targeted and affected by these attacks increased by more than tenfold, with over 167 million people affected in total in 2023. In early 2024, over 100 million UnitedHealth patients were victims of cyberattacks that leaked their private information, exposing the vulnerabilities across the healthcare industry. Shortly after this incident, the NPRM was introduced as a direct regulatory response to the growing concerns. Through a multi-lever effort in ensuring heightened security of ePHI, the proposed rule works to rebuild patients’ and other stakeholders’ confidence in the protection of their digital health information. 
Decreased Ambiguity
Much of the proposed rule’s efforts are directed toward eliminating the ambiguity and leniency around compliance by enforcing more stringent and defined standards. It amends the “addressable” language in the original Security Rule which offers flexibility to covered entities on implementing safeguards and replaces it with required specifications to ensure that entities do not misinterpret “addressable” as optional. The rule changes reduce uncertainties around regulation for healthcare providers and provide clarity for enforcement agencies via more explicit requirements. This would promote more efficient and consistent interpretation and compliance around cybersecurity.
Arguments in Opposition
Opponents of the proposed changes to the HIPAA Security Rule highlight concerns about the costs and practicality of implementing the new rules. They argue that the more stringent requirements may burden smaller or resource-limited healthcare providers, potentially diverting resources from patient care or creating workflow disruptions. Critics also note potential overlaps with existing cybersecurity frameworks, which could result in redundancy, making compliance more difficult.
Resource and Cost
HHS’s proposed changes to the HIPAA Security Rule may place significant financial burdens on smaller or rural healthcare providers. The more stringent requirements on ePHI regulation can put a strain on these providers who may lack resources to conduct annual audits, risk assessments, and other mandatory procedures. This, in turn, can lead to resources being diverted from clinical care, impacting timely patient care. Furthermore, the new regulations would require a significant portion of employees in a practice to engage in HIPAA training, which can lead to even greater workflow disruptions. These providers will also have to ensure that they have sufficient staffing and procedures to provide records in a shortened timeframe. This further widens the equity gap between large and small healthcare entities.
Complexity of Implementation
The implementation of the new rule changes may potentially be a complex and disruptive process. Training a large number of employees on HIPAA procedures and performing the now required security evaluations may interfere with workflow and delay timely patient care. With an increase in documentation and compliance burden, entities may necessitate the help of third-party legal and IT experts in order to meet the requirements to implement high level security measures under a shorter timespan. Equity concerns may be raised as a result of disproportionate burdens falling on smaller providers who may face more barriers to compliance than larger organizations. 
Overlapping Policy Frameworks
Redundancy and misalignment of policies may also pose a problem for healthcare organizations and entities that already adhere to existing cybersecurity frameworks. The NIST Cybersecurity Framework (CSF) and HITRUST Common Security Framework (CSF) are two frameworks that contain similar controls in HIPAA risks as the proposed rule. Many of the changes outlined in the NPRM overlap with the rules that are already in place under these existing frameworks which may create confusion and conflicts that can lead to duplicative efforts. Covered entities may face inefficiencies in complying with the proposed rule without clearer guidance on how the rule changes align with existing regulations.
Conclusion
HHS’s proposed rule to the HIPAA Security Rule is a timely response to the rising concern over cybersecurity vulnerabilities in healthcare. As ePHI use and technology are rapidly evolving, the proposed rule is a necessary effort toward modernizing outdated standards for digital health information. However, despite the rule’s potential for strengthening privacy and public trust in digital health, there are equity concerns regarding the financial burdens and complications that smaller entities may face in implementing these changes. Moving forward, it will be important to strike a balance between security and feasibility in the implementation of the proposed rule in order to effectively protect patient privacy while maintaining an equitable healthcare system. 

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal was originally published by the ACE and is republished with permission.

Join a growing community committed to civic renewal.
Subscribe to The Fulcrum and be part of the conversation.

        Confirm that you are not a bot.
      

        ×
      
Latest news
Media & Technology
        America’s Greatest Geopolitical Blind Spot
    
Imran Khalid
1h
Governance & Legislation
        Republican Attacks on Citizen Ballot Measures Undermine Democracy
    
Austin Sarat
1h
Health
        Housing Insecurity as a Public Health Crisis: From Framework to Action
    
Asha Wasuge
1h
Governance & Legislation
        Key Senate panel advances Trump’s pick for Fed chair
    
Erika Tulfo
1h

The Top 5

Discover More

Background

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information from being disclosed without patients’ consent. Under this act, a patient’s privacy is safeguarded through the enforcement of strict standards on managing, transmitting, and storing health information.

In 2003, the U.S. Department of Health and Human Services published the HIPAA Security Rule. The Security Rule aimed to protect the security of a subset of identifiable patient information called Electronic Protected Health Information, or ePHI. Under this rule, regulated entities, such as providers and hospitals, are required to comply with administrative, technical, and physical requirements.

On January 6, 2025, the Office for Civil Rights within the HHS issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule. NPRMs are a part of the federal rulemaking process in which a proposed rule is published in the Federal Register and made public and open to feedback from individuals, organizations, and other stakeholders. After reviewing the comments, agencies like the HHS can revise the rule before finalizing it. The proposed rule to the HIPAA Security Rule comes in response to a surge in data breaches in the healthcare industry. Cybersecurity challenges in healthcare top those of any other industry with over $10.93 million lost to breaches in 2024, a number that has been increasing in the past years. This NPRM seeks to “improve cybersecurity and better protect the American health care system from a growing number of cyberattacks” by strengthening the Security Rule. The Security Rule had only been changed once before, in 2013, under the HIPAA Omnibus Rule, and these changes were also aimed at enhancing the privacy of ePHI.

Arguments in Favor

Supporters of the proposed changes to the HIPAA Security Rule argue that it is a crucial and necessary move to strengthen the privacy of electronic protected health information. They contend that the changes will close existing gaps in security by creating a more consistent defense and also increase the public’s trust in digital health systems. Proponents emphasize the stricter wording and removal of ambiguous language will enhance compliance and reduce vulnerabilities in protecting sensitive information.

Enhanced Privacy of ePHI

The proposed changes would ultimately strengthen protections around ePHI in response to the high utilization of electronic records and the increased risk for cyber incidents associated with electronic records. HHS aims to establish more consistent baseline regulations for all covered entities to ensure proper compliance and enhanced protection. The rule enforces more rigorous safeguards on formerly addressable controls through mechanisms such as a technical inventory, data mapping requirements, and mandatory authenticity controls. Together, these measures will aim to close existing security gaps and create a more uniform defense against cyber threats.

Increased Public Trust

The proposed rule is also expected to increase and restore the public’s trust in the new world of digital health systems. Currently, breach costs and high frequency of attacks constantly put patients’ data at risk. Between 2018 and 2023, breach reports made to OCR doubled and the number of people targeted and affected by these attacks increased by more than tenfold, with over 167 million people affected in total in 2023. In early 2024, over 100 million UnitedHealth patients were victims of cyberattacks that leaked their private information, exposing the vulnerabilities across the healthcare industry. Shortly after this incident, the NPRM was introduced as a direct regulatory response to the growing concerns. Through a multi-lever effort in ensuring heightened security of ePHI, the proposed rule works to rebuild patients’ and other stakeholders’ confidence in the protection of their digital health information.

Decreased Ambiguity

Much of the proposed rule’s efforts are directed toward eliminating the ambiguity and leniency around compliance by enforcing more stringent and defined standards. It amends the “addressable” language in the original Security Rule which offers flexibility to covered entities on implementing safeguards and replaces it with required specifications to ensure that entities do not misinterpret “addressable” as optional. The rule changes reduce uncertainties around regulation for healthcare providers and provide clarity for enforcement agencies via more explicit requirements. This would promote more efficient and consistent interpretation and compliance around cybersecurity.

Arguments in Opposition

Opponents of the proposed changes to the HIPAA Security Rule highlight concerns about the costs and practicality of implementing the new rules. They argue that the more stringent requirements may burden smaller or resource-limited healthcare providers, potentially diverting resources from patient care or creating workflow disruptions. Critics also note potential overlaps with existing cybersecurity frameworks, which could result in redundancy, making compliance more difficult.

Resource and Cost

HHS’s proposed changes to the HIPAA Security Rule may place significant financial burdens on smaller or rural healthcare providers. The more stringent requirements on ePHI regulation can put a strain on these providers who may lack resources to conduct annual audits, risk assessments, and other mandatory procedures. This, in turn, can lead to resources being diverted from clinical care, impacting timely patient care. Furthermore, the new regulations would require a significant portion of employees in a practice to engage in HIPAA training, which can lead to even greater workflow disruptions. These providers will also have to ensure that they have sufficient staffing and procedures to provide records in a shortened timeframe. This further widens the equity gap between large and small healthcare entities.

Complexity of Implementation

The implementation of the new rule changes may potentially be a complex and disruptive process. Training a large number of employees on HIPAA procedures and performing the now required security evaluations may interfere with workflow and delay timely patient care. With an increase in documentation and compliance burden, entities may necessitate the help of third-party legal and IT experts in order to meet the requirements to implement high level security measures under a shorter timespan. Equity concerns may be raised as a result of disproportionate burdens falling on smaller providers who may face more barriers to compliance than larger organizations.

Overlapping Policy Frameworks

Redundancy and misalignment of policies may also pose a problem for healthcare organizations and entities that already adhere to existing cybersecurity frameworks. The NIST Cybersecurity Framework (CSF) and HITRUST Common Security Framework (CSF) are two frameworks that contain similar controls in HIPAA risks as the proposed rule. Many of the changes outlined in the NPRM overlap with the rules that are already in place under these existing frameworks which may create confusion and conflicts that can lead to duplicative efforts. Covered entities may face inefficiencies in complying with the proposed rule without clearer guidance on how the rule changes align with existing regulations.

Conclusion

HHS’s proposed rule to the HIPAA Security Rule is a timely response to the rising concern over cybersecurity vulnerabilities in healthcare. As ePHI use and technology are rapidly evolving, the proposed rule is a necessary effort toward modernizing outdated standards for digital health information. However, despite the rule’s potential for strengthening privacy and public trust in digital health, there are equity concerns regarding the financial burdens and complications that smaller entities may face in implementing these changes. Moving forward, it will be important to strike a balance between security and feasibility in the implementation of the proposed rule in order to effectively protect patient privacy while maintaining an equitable healthcare system.

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal was originally published by the ACE and is republished with permission.

Related Articles Around the Web

Read More
A bold critique of modern democracy and rising authoritarian ideas, exploring how AI-powered swarm digital democracy could redefine participation and governance.

        Getty Images, Andriy Onufriyenko
    

        The Only Radical Move Forward: Swarm Digital Democracy
    
Ahmed Bouzid
Apr 30, 2026
We are increasingly told that democracy has failed and that its time has passed. The evidence proffered is everywhere, we are told: Gridlock, captured institutions, performative elections, a public that senses, correctly, that its voice rarely translates into real power. Into this vacuum step dystopic movements like the Dark Enlightenment and harder strains of Right-wing populism, offering a stark diagnosis and an even starker cure: Abandon the illusion of popular rule and return to forms of authority that are decisive, hierarchical, and unapologetically exclusionary. They present themselves as bold, clear-eyed, rambunctious, alive, and willing to act where others hesitate. And all to save the world from itself.
But this framing depends on a sleight of hand: It assumes that what we have been living under is, in fact, democracy, and that its failures are the failures of democracy itself. That is the first mistake.
Keep ReadingShow less
Recommended
Democracy
        Balance – The Golden Mean
    
Amy Lockard
19 May 2025
Glossary
        Redistricting
    
The Fulcrum
01 January 2025
Ethics & Leadership
        Best and Worst U.S. Presidential Cabinets Ranked: What the Research Reveals
    
Steve Corbin
03 September 2025
Democracy
        Independents and Republicans May Hold the Power in Los Angeles – If They Actually Vote
    
Ivn  Editorial Board
27 April
Civic Engagement & Education
        Michigan Organizations Boost Voter Engagement and Civic Empowerment
    
Hugo Balta
26 April
Ethics & Leadership
        Trump’s Iran “Victory” Echoes Iraq’s "Mission Accomplished"
    
Nick  Allison
24 April
A growing crisis threatens U.S. public data. Experts warn disappearing federal datasets could undermine science, policy, and democracy—and outline a plan to protect them.

        Getty Images, Richard Drury
    

        America's Data Crisis: Saving Trusted Facts Is Essential to Democracy
    
Joel Gurin
Apr 22, 2026
In March 2026, more than a hundred information and data experts gathered in a converted Christian Science church to confront a problem most Americans never see, but that shapes nearly every public debate we have. The nonprofit Internet Archive convened this national Information Stewardship Forum at their San Francisco headquarters because something fundamental is breaking: the country’s shared foundation of facts.
For decades, the United States has relied on a vast ecosystem of federal data on health, climate, the economy, education, demographics, scientific research, and more. This data is the backbone of journalism, policymaking, scientific discovery, and public accountability. It is how we know whether the air is safe to breathe, whether unemployment is rising or falling, whether a new disease is spreading, or whether a community is being left behind.
Keep ReadingShow less
As the 2026 election approaches, doomscrolling and social media are shaping voter behavior through fear and anxiety. Learn how digital news consumption influences political decisions—and how to break the cycle for more informed voting.

        Getty Images, gorodenkoff
    

        Americans Are Doomscrolling Their Way to the Ballot Box and Only Getting Empty Promises
    
Andrew  Selepak, Ph.D.
Apr 21, 2026
As the spring primary cycle ramps up, voters are deciding which candidates to elect in the November general election, but too much doomscrolling on social media is leading to uninformed — and often anxiety-based — voting. Even though online platforms and politicians may be preying on our exhaustion to further their agendas, we don’t have to fall for it this election cycle.
Doomscrolling is, unfortunately, part of daily life for many of us. It involves consuming a virtually endless amount of negative social media posts and news content, causing us to feel scared and depressed. Our brains have a hardwired negativity bias that causes us to notice potential threats and focus on them. This is exacerbated by the fact that people who closely follow or participate in politics are more likely to doomscroll. 
Keep ReadingShow less
AI has the potential to transform education, mental health, and accessibility—but only if society actively shapes its use. Explore how community-driven norms, better data, and open experimentation can unlock better AI.

        Getty Images, sarawuth702
    

        Build Better AI
    
Kevin Frazier
Apr 10, 2026
Something I think just about all of us agree on: we want better AI. Regardless of your current perspective on AI, it's undeniable that, like any other tool, it can unleash human flourishing. There's progress to be made with AI that we should all applaud and aim to make happen as soon as possible.
There are kids in rural communities who stand to benefit from AI tutors. There are visually impaired individuals who can more easily navigate the world with AI wearables. There are folks struggling with mental health issues who lack access to therapists who are in need of guidance during trying moments. A key barrier to leveraging AI "for good" is our imagination—because in many domains, we've become accustomed to an unacceptable status quo. That's the real comparison. The alternative to AI isn't well-functioning systems that are efficiently and effectively operating for everyone. 
Keep ReadingShow less
Load More

Site Navigation

Prediction Markets Are Gambling, Despite What They Tell The Government

Saving Medicare Republicans Are Privatizing Medicare

MAGA is starting to question Trump

May 5 primary ballot issues affect Ohioans' daily lives

Just the Facts: What the Iran Nuclear Deal Was and Why It Matters

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal

News

Latest news

America’s Greatest Geopolitical Blind Spot

Republican Attacks on Citizen Ballot Measures Undermine Democracy

Key Senate panel advances Trump’s pick for Fed chair

The Top 5

Rolling Back Health Equity Training Requirements in Medical Schools Harms Us All

The Mirror Has Cracked: How the Three Branches Failed America

Gerrymandering: The Maps Shaping Power Ahead of the 2026 Midterms

Latino Voters Signal Changing Views as Midterm Elections Approach

xAI Pushes Free Speech Theory Into New AI Lawsuits

Discover More

Read More

The Only Radical Move Forward: Swarm Digital Democracy

Recommended

Balance – The Golden Mean

Redistricting

Best and Worst U.S. Presidential Cabinets Ranked: What the Research Reveals

Independents and Republicans May Hold the Power in Los Angeles – If They Actually Vote

Trump’s Iran “Victory” Echoes Iraq’s "Mission Accomplished"

America's Data Crisis: Saving Trusted Facts Is Essential to Democracy

Build Better AI

Latest Stories

Join a growing community committed to civic renewal.

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal

News

Join a growing community committed to civic renewal.

Latest news

Read More

Recommended