Background
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information from being disclosed without patients’ consent. Under this act, a patient’s privacy is safeguarded through the enforcement of strict standards on managing, transmitting, and storing health information.
In 2003, the U.S. Department of Health and Human Services published the HIPAA Security Rule. The Security Rule aimed to protect the security of a subset of identifiable patient information called Electronic Protected Health Information, or ePHI. Under this rule, regulated entities, such as providers and hospitals, are required to comply with administrative, technical, and physical requirements.
On January 6, 2025, the Office for Civil Rights within the HHS issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule. NPRMs are a part of the federal rulemaking process in which a proposed rule is published in the Federal Register and made public and open to feedback from individuals, organizations, and other stakeholders. After reviewing the comments, agencies like the HHS can revise the rule before finalizing it. The proposed rule to the HIPAA Security Rule comes in response to a surge in data breaches in the healthcare industry. Cybersecurity challenges in healthcare top those of any other industry with over $10.93 million lost to breaches in 2024, a number that has been increasing in the past years. This NPRM seeks to “improve cybersecurity and better protect the American health care system from a growing number of cyberattacks” by strengthening the Security Rule. The Security Rule had only been changed once before, in 2013, under the HIPAA Omnibus Rule, and these changes were also aimed at enhancing the privacy of ePHI.
Arguments in Favor
Supporters of the proposed changes to the HIPAA Security Rule argue that it is a crucial and necessary move to strengthen the privacy of electronic protected health information. They contend that the changes will close existing gaps in security by creating a more consistent defense and also increase the public’s trust in digital health systems. Proponents emphasize the stricter wording and removal of ambiguous language will enhance compliance and reduce vulnerabilities in protecting sensitive information.
Enhanced Privacy of ePHI
The proposed changes would ultimately strengthen protections around ePHI in response to the high utilization of electronic records and the increased risk for cyber incidents associated with electronic records. HHS aims to establish more consistent baseline regulations for all covered entities to ensure proper compliance and enhanced protection. The rule enforces more rigorous safeguards on formerly addressable controls through mechanisms such as a technical inventory, data mapping requirements, and mandatory authenticity controls. Together, these measures will aim to close existing security gaps and create a more uniform defense against cyber threats.
Increased Public Trust
The proposed rule is also expected to increase and restore the public’s trust in the new world of digital health systems. Currently, breach costs and high frequency of attacks constantly put patients’ data at risk. Between 2018 and 2023, breach reports made to OCR doubled and the number of people targeted and affected by these attacks increased by more than tenfold, with over 167 million people affected in total in 2023. In early 2024, over 100 million UnitedHealth patients were victims of cyberattacks that leaked their private information, exposing the vulnerabilities across the healthcare industry. Shortly after this incident, the NPRM was introduced as a direct regulatory response to the growing concerns. Through a multi-lever effort in ensuring heightened security of ePHI, the proposed rule works to rebuild patients’ and other stakeholders’ confidence in the protection of their digital health information.
Decreased Ambiguity
Much of the proposed rule’s efforts are directed toward eliminating the ambiguity and leniency around compliance by enforcing more stringent and defined standards. It amends the “addressable” language in the original Security Rule which offers flexibility to covered entities on implementing safeguards and replaces it with required specifications to ensure that entities do not misinterpret “addressable” as optional. The rule changes reduce uncertainties around regulation for healthcare providers and provide clarity for enforcement agencies via more explicit requirements. This would promote more efficient and consistent interpretation and compliance around cybersecurity.
Arguments in Opposition
Opponents of the proposed changes to the HIPAA Security Rule highlight concerns about the costs and practicality of implementing the new rules. They argue that the more stringent requirements may burden smaller or resource-limited healthcare providers, potentially diverting resources from patient care or creating workflow disruptions. Critics also note potential overlaps with existing cybersecurity frameworks, which could result in redundancy, making compliance more difficult.
Resource and Cost
HHS’s proposed changes to the HIPAA Security Rule may place significant financial burdens on smaller or rural healthcare providers. The more stringent requirements on ePHI regulation can put a strain on these providers who may lack resources to conduct annual audits, risk assessments, and other mandatory procedures. This, in turn, can lead to resources being diverted from clinical care, impacting timely patient care. Furthermore, the new regulations would require a significant portion of employees in a practice to engage in HIPAA training, which can lead to even greater workflow disruptions. These providers will also have to ensure that they have sufficient staffing and procedures to provide records in a shortened timeframe. This further widens the equity gap between large and small healthcare entities.
Complexity of Implementation
The implementation of the new rule changes may potentially be a complex and disruptive process. Training a large number of employees on HIPAA procedures and performing the now required security evaluations may interfere with workflow and delay timely patient care. With an increase in documentation and compliance burden, entities may necessitate the help of third-party legal and IT experts in order to meet the requirements to implement high level security measures under a shorter timespan. Equity concerns may be raised as a result of disproportionate burdens falling on smaller providers who may face more barriers to compliance than larger organizations.
Overlapping Policy Frameworks
Redundancy and misalignment of policies may also pose a problem for healthcare organizations and entities that already adhere to existing cybersecurity frameworks. The NIST Cybersecurity Framework (CSF) and HITRUST Common Security Framework (CSF) are two frameworks that contain similar controls in HIPAA risks as the proposed rule. Many of the changes outlined in the NPRM overlap with the rules that are already in place under these existing frameworks which may create confusion and conflicts that can lead to duplicative efforts. Covered entities may face inefficiencies in complying with the proposed rule without clearer guidance on how the rule changes align with existing regulations.
Conclusion
HHS’s proposed rule to the HIPAA Security Rule is a timely response to the rising concern over cybersecurity vulnerabilities in healthcare. As ePHI use and technology are rapidly evolving, the proposed rule is a necessary effort toward modernizing outdated standards for digital health information. However, despite the rule’s potential for strengthening privacy and public trust in digital health, there are equity concerns regarding the financial burdens and complications that smaller entities may face in implementing these changes. Moving forward, it will be important to strike a balance between security and feasibility in the implementation of the proposed rule in order to effectively protect patient privacy while maintaining an equitable healthcare system.
New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal was originally published by the ACE and is republished with permission.
