Skip to content
Project 2025
Donate to support
diverse voices
Search

Latest Stories

Follow Us:
Top Stories
We Can’t Let Hegseth Win His War on Women

We Can’t Let Hegseth Win His War on Women

Trump’s Plan to Gather Data on Every Voter Will Cripple Democracy

Trump’s Plan to Gather Data on Every Voter Will Cripple Democracy

People voting at voting booths.

The Quiet Campaign That Could Rewrite the 2028 Election

A car with a bullet hole in the windshield.

States Sue D.C. at Record Levels — MN Case May Be the Turning Point

Can Things Get Even Worse for Mike Johnson?

Can Things Get Even Worse for Mike Johnson?

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal

News

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal
Getty Images, Kmatta
Elaine Kim, Ace
By Elaine Kim, AceJan 20, 2026
Elaine Kim, Ace
See More Writings by author

Background

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information from being disclosed without patients’ consent. Under this act, a patient’s privacy is safeguarded through the enforcement of strict standards on managing, transmitting, and storing health information.

In 2003, the U.S. Department of Health and Human Services published the HIPAA Security Rule. The Security Rule aimed to protect the security of a subset of identifiable patient information called Electronic Protected Health Information, or ePHI. Under this rule, regulated entities, such as providers and hospitals, are required to comply with administrative, technical, and physical requirements.

On January 6, 2025, the Office for Civil Rights within the HHS issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule. NPRMs are a part of the federal rulemaking process in which a proposed rule is published in the Federal Register and made public and open to feedback from individuals, organizations, and other stakeholders. After reviewing the comments, agencies like the HHS can revise the rule before finalizing it. The proposed rule to the HIPAA Security Rule comes in response to a surge in data breaches in the healthcare industry. Cybersecurity challenges in healthcare top those of any other industry with over $10.93 million lost to breaches in 2024, a number that has been increasing in the past years. This NPRM seeks to “improve cybersecurity and better protect the American health care system from a growing number of cyberattacks” by strengthening the Security Rule. The Security Rule had only been changed once before, in 2013, under the HIPAA Omnibus Rule, and these changes were also aimed at enhancing the privacy of ePHI.

Arguments in Favor

Supporters of the proposed changes to the HIPAA Security Rule argue that it is a crucial and necessary move to strengthen the privacy of electronic protected health information. They contend that the changes will close existing gaps in security by creating a more consistent defense and also increase the public’s trust in digital health systems. Proponents emphasize the stricter wording and removal of ambiguous language will enhance compliance and reduce vulnerabilities in protecting sensitive information.

Enhanced Privacy of ePHI

The proposed changes would ultimately strengthen protections around ePHI in response to the high utilization of electronic records and the increased risk for cyber incidents associated with electronic records. HHS aims to establish more consistent baseline regulations for all covered entities to ensure proper compliance and enhanced protection. The rule enforces more rigorous safeguards on formerly addressable controls through mechanisms such as a technical inventory, data mapping requirements, and mandatory authenticity controls. Together, these measures will aim to close existing security gaps and create a more uniform defense against cyber threats.

Increased Public Trust

The proposed rule is also expected to increase and restore the public’s trust in the new world of digital health systems. Currently, breach costs and high frequency of attacks constantly put patients’ data at risk. Between 2018 and 2023, breach reports made to OCR doubled and the number of people targeted and affected by these attacks increased by more than tenfold, with over 167 million people affected in total in 2023. In early 2024, over 100 million UnitedHealth patients were victims of cyberattacks that leaked their private information, exposing the vulnerabilities across the healthcare industry. Shortly after this incident, the NPRM was introduced as a direct regulatory response to the growing concerns. Through a multi-lever effort in ensuring heightened security of ePHI, the proposed rule works to rebuild patients’ and other stakeholders’ confidence in the protection of their digital health information.

Decreased Ambiguity

Much of the proposed rule’s efforts are directed toward eliminating the ambiguity and leniency around compliance by enforcing more stringent and defined standards. It amends the “addressable” language in the original Security Rule which offers flexibility to covered entities on implementing safeguards and replaces it with required specifications to ensure that entities do not misinterpret “addressable” as optional. The rule changes reduce uncertainties around regulation for healthcare providers and provide clarity for enforcement agencies via more explicit requirements. This would promote more efficient and consistent interpretation and compliance around cybersecurity.

Arguments in Opposition

Opponents of the proposed changes to the HIPAA Security Rule highlight concerns about the costs and practicality of implementing the new rules. They argue that the more stringent requirements may burden smaller or resource-limited healthcare providers, potentially diverting resources from patient care or creating workflow disruptions. Critics also note potential overlaps with existing cybersecurity frameworks, which could result in redundancy, making compliance more difficult.

Resource and Cost

HHS’s proposed changes to the HIPAA Security Rule may place significant financial burdens on smaller or rural healthcare providers. The more stringent requirements on ePHI regulation can put a strain on these providers who may lack resources to conduct annual audits, risk assessments, and other mandatory procedures. This, in turn, can lead to resources being diverted from clinical care, impacting timely patient care. Furthermore, the new regulations would require a significant portion of employees in a practice to engage in HIPAA training, which can lead to even greater workflow disruptions. These providers will also have to ensure that they have sufficient staffing and procedures to provide records in a shortened timeframe. This further widens the equity gap between large and small healthcare entities.

Complexity of Implementation

The implementation of the new rule changes may potentially be a complex and disruptive process. Training a large number of employees on HIPAA procedures and performing the now required security evaluations may interfere with workflow and delay timely patient care. With an increase in documentation and compliance burden, entities may necessitate the help of third-party legal and IT experts in order to meet the requirements to implement high level security measures under a shorter timespan. Equity concerns may be raised as a result of disproportionate burdens falling on smaller providers who may face more barriers to compliance than larger organizations.

Overlapping Policy Frameworks

Redundancy and misalignment of policies may also pose a problem for healthcare organizations and entities that already adhere to existing cybersecurity frameworks. The NIST Cybersecurity Framework (CSF) and HITRUST Common Security Framework (CSF) are two frameworks that contain similar controls in HIPAA risks as the proposed rule. Many of the changes outlined in the NPRM overlap with the rules that are already in place under these existing frameworks which may create confusion and conflicts that can lead to duplicative efforts. Covered entities may face inefficiencies in complying with the proposed rule without clearer guidance on how the rule changes align with existing regulations.

Conclusion

HHS’s proposed rule to the HIPAA Security Rule is a timely response to the rising concern over cybersecurity vulnerabilities in healthcare. As ePHI use and technology are rapidly evolving, the proposed rule is a necessary effort toward modernizing outdated standards for digital health information. However, despite the rule’s potential for strengthening privacy and public trust in digital health, there are equity concerns regarding the financial burdens and complications that smaller entities may face in implementing these changes. Moving forward, it will be important to strike a balance between security and feasibility in the implementation of the proposed rule in order to effectively protect patient privacy while maintaining an equitable healthcare system.


New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal was originally published by the ACE and is republished with permission.


Latest news

USA, Washington D.C., Supreme Court building and blurred American flag against blue sky.
Ethics & Leadership

Hypocrisy in Leadership Corrodes Democracy

ICE Shooting of Renee Good Revives Kent State’s Stark Warning
Democracy

ICE Shooting of Renee Good Revives Kent State’s Stark Warning

Portrait of John Adams.
Ethics & Leadership

John Adams and the Line a Republic Must Not Cross

Read More

Two people looking at screens.

A case for optimism, risk-taking, and policy experimentation in the age of AI—and why pessimism threatens technological progress.

Getty Images, Andriy Onufriyenko

In Defense of AI Optimism

Society needs people to take risks. Entrepreneurs who bet on themselves create new jobs. Institutions that gamble with new processes find out best to integrate advances into modern life. Regulators who accept potential backlash by launching policy experiments give us a chance to devise laws that are based on evidence, not fear.

The need for risk taking is all the more important when society is presented with new technologies. When new tech arrives on the scene, defense of the status quo is the easier path--individually, institutionally, and societally. We are all predisposed to think that the calamities, ailments, and flaws we experience today--as bad as they may be--are preferable to the unknowns tied to tomorrow.

Keep Reading Show less
Trump Signs Defense Bill Prohibiting China-Based Engineers in Pentagon IT Work

President Donald Trump with Secretary of State Marco Rubio, left, and Secretary of Defense Pete Hegseth

Tasos Katopodis/Getty Images

Trump Signs Defense Bill Prohibiting China-Based Engineers in Pentagon IT Work

President Donald Trump signed into law this month a measure that prohibits anyone based in China and other adversarial countries from accessing the Pentagon’s cloud computing systems.

The ban, which is tucked inside the $900 billion defense policy law, was enacted in response to a ProPublica investigation this year that exposed how Microsoft used China-based engineers to service the Defense Department’s computer systems for nearly a decade — a practice that left some of the country’s most sensitive data vulnerable to hacking from its leading cyber adversary.

Keep Reading Show less
Someone using an AI chatbot on their phone.

AI-powered wellness tools promise care at work, but raise serious questions about consent, surveillance, and employee autonomy.

Getty Images, d3sign

Why Workplace Wellbeing AI Needs a New Ethics of Consent

Across the U.S. and globally, employers—including corporations, healthcare systems, universities, and nonprofits—are increasing investment in worker well-being. The global corporate wellness market reached $53.5 billion in sales in 2024, with North America leading adoption. Corporate wellness programs now use AI to monitor stress, track burnout risk, or recommend personalized interventions.

Vendors offering AI-enabled well-being platforms, chatbots, and stress-tracking tools are rapidly expanding. Chatbots such as Woebot and Wysa are increasingly integrated into workplace wellness programs.

Keep Reading Show less
Meta Undermining Trust but Verify through Paid Links
Facebook launches voting resource tool
Facebook launches voting resource tool

Meta Undermining Trust but Verify through Paid Links

Facebook is testing limits on shared external links, which would become a paid feature through their Meta Verified program, which costs $14.99 per month.

This change solidifies that verification badges are now meaningless signifiers. Yet it wasn’t always so; the verified internet was built to support participation and trust. Beginning with Twitter’s verification program launched in 2009, a checkmark next to a username indicated that an account had been verified to represent a notable person or official account for a business. We could believe that an elected official or a brand name was who they said they were online. When Twitter Blue, and later X Premium, began to support paid blue checkmarks in November of 2022, the visual identification of verification became deceptive. Think Fake Eli Lilly accounts posting about free insulin and impersonation accounts for Elon Musk himself.

This week’s move by Meta echoes changes at Twitter/X, despite the significant evidence that it leaves information quality and user experience in a worse place than before. Despite what Facebook says, all this tells anyone is that you paid.

Keep Reading Show less