New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPAA Proposal
Getty Images, Kmatta

Background

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information from being disclosed without patients’ consent. Under this act, a patient’s privacy is safeguarded through the enforcement of strict standards on managing, transmitting, and storing health information.


In 2003, the U.S. Department of Health and Human Services (HHS) published the HIPAA Security Rule. The Security Rule aimed to protect a subset of identifiable patient information called electronic protected health information, or ePHI. Under this rule, regulated entities, such as providers and hospitals, are required to comply with administrative, technical, and physical safeguard requirements.

On January 6, 2025, the Office for Civil Rights (OCR) within HHS issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule. NPRMs are part of the federal rulemaking process: a proposed rule is published in the Federal Register, made public, and opened to feedback from individuals, organizations, and other stakeholders. After reviewing the comments, agencies like HHS can revise the rule before finalizing it. The proposed changes to the HIPAA Security Rule come in response to a surge in data breaches in the healthcare industry. Cybersecurity challenges in healthcare top those of any other industry, with over $10.93 million lost to breaches in 2024, a figure that has been rising in recent years. This NPRM seeks to “improve cybersecurity and better protect the American health care system from a growing number of cyberattacks” by strengthening the Security Rule. The Security Rule had been changed only once before, in 2013, under the HIPAA Omnibus Rule, and those changes were likewise aimed at enhancing the privacy of ePHI.

Arguments in Favor

Supporters of the proposed changes to the HIPAA Security Rule argue that they are a crucial and necessary step toward strengthening the privacy of electronic protected health information. They contend that the changes will close existing gaps in security by creating a more consistent defense and will also increase the public’s trust in digital health systems. Proponents emphasize that the stricter wording and the removal of ambiguous language will improve compliance and reduce vulnerabilities in the protection of sensitive information.

Enhanced Privacy of ePHI

The proposed changes would strengthen protections around ePHI in response to the widespread use of electronic records and the increased risk of cyber incidents that comes with them. HHS aims to establish a more consistent baseline of requirements for all covered entities to ensure proper compliance and stronger protection. The rule imposes more rigorous safeguards on formerly addressable controls through mechanisms such as a technology asset inventory, data mapping requirements, and mandatory authenticity controls. Together, these measures aim to close existing security gaps and create a more uniform defense against cyber threats.

Increased Public Trust

The proposed rule is also expected to increase and restore the public’s trust in digital health systems. Currently, high breach costs and the frequency of attacks constantly put patients’ data at risk. Between 2018 and 2023, breach reports made to OCR doubled, and the number of people affected by these attacks increased more than tenfold, with over 167 million people affected in total in 2023. In early 2024, over 100 million UnitedHealth patients were victims of cyberattacks that leaked their private information, exposing vulnerabilities across the healthcare industry. Shortly after this incident, the NPRM was introduced as a direct regulatory response to the growing concerns. Through a multi-pronged effort to ensure heightened security of ePHI, the proposed rule works to rebuild patients’ and other stakeholders’ confidence in the protection of their digital health information.

Decreased Ambiguity

Much of the proposed rule is directed toward eliminating the ambiguity and leniency around compliance by enforcing more stringent and clearly defined standards. It removes the “addressable” designation in the original Security Rule, which gave covered entities flexibility in how they implemented safeguards, and replaces it with required specifications so that entities do not misinterpret “addressable” as optional. The changes reduce regulatory uncertainty for healthcare providers and give enforcement agencies clarity through more explicit requirements. This would promote more efficient and consistent interpretation of, and compliance with, cybersecurity obligations.

Arguments in Opposition

Opponents of the proposed changes to the HIPAA Security Rule raise concerns about the cost and practicality of implementing the new rules. They argue that the more stringent requirements may burden smaller or resource-limited healthcare providers, potentially diverting resources from patient care or disrupting workflows. Critics also note potential overlaps with existing cybersecurity frameworks, which could create redundancy and make compliance more difficult.

Resources and Cost

HHS’s proposed changes to the HIPAA Security Rule may place significant financial burdens on smaller or rural healthcare providers. The more stringent ePHI requirements can strain providers that lack the resources to conduct annual audits, risk assessments, and other mandatory procedures. This, in turn, can divert resources from clinical care and delay timely treatment of patients. Furthermore, the new regulations would require a significant portion of a practice’s employees to undergo HIPAA training, which can cause even greater workflow disruption. These providers will also have to ensure that they have sufficient staffing and procedures to produce records within a shortened timeframe. This further widens the equity gap between large and small healthcare entities.

Complexity of Implementation

Implementing the rule changes may be a complex and disruptive process. Training a large number of employees on HIPAA procedures and performing the newly required security evaluations may interfere with workflows and delay timely patient care. With increased documentation and compliance burdens, entities may need the help of third-party legal and IT experts in order to implement high-level security measures within a shorter timespan. Equity concerns arise because disproportionate burdens fall on smaller providers, who may face more barriers to compliance than larger organizations.

Overlapping Policy Frameworks

Redundancy and misalignment of policies may also pose a problem for healthcare organizations that already adhere to existing cybersecurity frameworks. The NIST Cybersecurity Framework (CSF) and the HITRUST Common Security Framework (CSF) both contain controls addressing HIPAA-related risks that are similar to those in the proposed rule. Many of the changes outlined in the NPRM overlap with requirements already in place under these frameworks, which may create confusion and conflicts that lead to duplicative effort. Without clearer guidance on how the rule changes align with existing frameworks, covered entities may face inefficiencies in complying with the proposed rule.

Conclusion

HHS’s proposed changes to the HIPAA Security Rule are a timely response to rising concern over cybersecurity vulnerabilities in healthcare. As ePHI use and technology rapidly evolve, the proposed rule is a necessary effort to modernize outdated standards for digital health information. However, despite the rule’s potential to strengthen privacy and public trust in digital health, there are equity concerns regarding the financial burdens and complications that smaller entities may face in implementing these changes. Moving forward, it will be important to strike a balance between security and feasibility in implementing the proposed rule, so as to effectively protect patient privacy while maintaining an equitable healthcare system.


New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPAA Proposal was originally published by the ACE and is republished with permission.