Skip to content
Search

Latest Stories

Follow Us:
Top Stories

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal

News

New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal
Getty Images, Kmatta

Background

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive health information from being disclosed without patients’ consent. Under this act, a patient’s privacy is safeguarded through the enforcement of strict standards on managing, transmitting, and storing health information.


In 2003, the U.S. Department of Health and Human Services published the HIPAA Security Rule. The Security Rule aimed to protect the security of a subset of identifiable patient information called Electronic Protected Health Information, or ePHI. Under this rule, regulated entities, such as providers and hospitals, are required to comply with administrative, technical, and physical requirements.

On January 6, 2025, the Office for Civil Rights within the HHS issued a notice of proposed rulemaking (NPRM) for the HIPAA Security Rule. NPRMs are a part of the federal rulemaking process in which a proposed rule is published in the Federal Register and made public and open to feedback from individuals, organizations, and other stakeholders. After reviewing the comments, agencies like the HHS can revise the rule before finalizing it. The proposed rule to the HIPAA Security Rule comes in response to a surge in data breaches in the healthcare industry. Cybersecurity challenges in healthcare top those of any other industry with over $10.93 million lost to breaches in 2024, a number that has been increasing in the past years. This NPRM seeks to “improve cybersecurity and better protect the American health care system from a growing number of cyberattacks” by strengthening the Security Rule. The Security Rule had only been changed once before, in 2013, under the HIPAA Omnibus Rule, and these changes were also aimed at enhancing the privacy of ePHI.

Arguments in Favor

Supporters of the proposed changes to the HIPAA Security Rule argue that it is a crucial and necessary move to strengthen the privacy of electronic protected health information. They contend that the changes will close existing gaps in security by creating a more consistent defense and also increase the public’s trust in digital health systems. Proponents emphasize the stricter wording and removal of ambiguous language will enhance compliance and reduce vulnerabilities in protecting sensitive information.

Enhanced Privacy of ePHI

The proposed changes would ultimately strengthen protections around ePHI in response to the high utilization of electronic records and the increased risk for cyber incidents associated with electronic records. HHS aims to establish more consistent baseline regulations for all covered entities to ensure proper compliance and enhanced protection. The rule enforces more rigorous safeguards on formerly addressable controls through mechanisms such as a technical inventory, data mapping requirements, and mandatory authenticity controls. Together, these measures will aim to close existing security gaps and create a more uniform defense against cyber threats.

Increased Public Trust

The proposed rule is also expected to increase and restore the public’s trust in the new world of digital health systems. Currently, breach costs and high frequency of attacks constantly put patients’ data at risk. Between 2018 and 2023, breach reports made to OCR doubled and the number of people targeted and affected by these attacks increased by more than tenfold, with over 167 million people affected in total in 2023. In early 2024, over 100 million UnitedHealth patients were victims of cyberattacks that leaked their private information, exposing the vulnerabilities across the healthcare industry. Shortly after this incident, the NPRM was introduced as a direct regulatory response to the growing concerns. Through a multi-lever effort in ensuring heightened security of ePHI, the proposed rule works to rebuild patients’ and other stakeholders’ confidence in the protection of their digital health information.

Decreased Ambiguity

Much of the proposed rule’s efforts are directed toward eliminating the ambiguity and leniency around compliance by enforcing more stringent and defined standards. It amends the “addressable” language in the original Security Rule which offers flexibility to covered entities on implementing safeguards and replaces it with required specifications to ensure that entities do not misinterpret “addressable” as optional. The rule changes reduce uncertainties around regulation for healthcare providers and provide clarity for enforcement agencies via more explicit requirements. This would promote more efficient and consistent interpretation and compliance around cybersecurity.

Arguments in Opposition

Opponents of the proposed changes to the HIPAA Security Rule highlight concerns about the costs and practicality of implementing the new rules. They argue that the more stringent requirements may burden smaller or resource-limited healthcare providers, potentially diverting resources from patient care or creating workflow disruptions. Critics also note potential overlaps with existing cybersecurity frameworks, which could result in redundancy, making compliance more difficult.

Resource and Cost

HHS’s proposed changes to the HIPAA Security Rule may place significant financial burdens on smaller or rural healthcare providers. The more stringent requirements on ePHI regulation can put a strain on these providers who may lack resources to conduct annual audits, risk assessments, and other mandatory procedures. This, in turn, can lead to resources being diverted from clinical care, impacting timely patient care. Furthermore, the new regulations would require a significant portion of employees in a practice to engage in HIPAA training, which can lead to even greater workflow disruptions. These providers will also have to ensure that they have sufficient staffing and procedures to provide records in a shortened timeframe. This further widens the equity gap between large and small healthcare entities.

Complexity of Implementation

The implementation of the new rule changes may potentially be a complex and disruptive process. Training a large number of employees on HIPAA procedures and performing the now required security evaluations may interfere with workflow and delay timely patient care. With an increase in documentation and compliance burden, entities may necessitate the help of third-party legal and IT experts in order to meet the requirements to implement high level security measures under a shorter timespan. Equity concerns may be raised as a result of disproportionate burdens falling on smaller providers who may face more barriers to compliance than larger organizations.

Overlapping Policy Frameworks

Redundancy and misalignment of policies may also pose a problem for healthcare organizations and entities that already adhere to existing cybersecurity frameworks. The NIST Cybersecurity Framework (CSF) and HITRUST Common Security Framework (CSF) are two frameworks that contain similar controls in HIPAA risks as the proposed rule. Many of the changes outlined in the NPRM overlap with the rules that are already in place under these existing frameworks which may create confusion and conflicts that can lead to duplicative efforts. Covered entities may face inefficiencies in complying with the proposed rule without clearer guidance on how the rule changes align with existing regulations.

Conclusion

HHS’s proposed rule to the HIPAA Security Rule is a timely response to the rising concern over cybersecurity vulnerabilities in healthcare. As ePHI use and technology are rapidly evolving, the proposed rule is a necessary effort toward modernizing outdated standards for digital health information. However, despite the rule’s potential for strengthening privacy and public trust in digital health, there are equity concerns regarding the financial burdens and complications that smaller entities may face in implementing these changes. Moving forward, it will be important to strike a balance between security and feasibility in the implementation of the proposed rule in order to effectively protect patient privacy while maintaining an equitable healthcare system.


New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal was originally published by the ACE and is republished with permission.


Read More

Keeping Kids Safe Online?: Understanding the Debate Over AI Age Verification
boy in gray shirt using black laptop computer
Photo by Thomas Park on Unsplash

Keeping Kids Safe Online?: Understanding the Debate Over AI Age Verification

This nonpartisan policy brief, written by an ACE fellow, is republished by The Fulcrum as part of our partnership with the Alliance for Civic Engagement and our NextGen initiative — elevating student voices, strengthening civic education, and helping readers better understand democracy and public policy.

Key Takeaways

Keep ReadingShow less
Global leaders sitting around a circular table at the G7 Summit on June 18, 2026.

G7 leaders, G7 outreach partners and global tech CEOs attend a working lunch on innovation and AI at the G7 Summit on June 17, 2026 in Evian-les-Bains, France.

Anna Moneymaker / Getty Images

At G7 Meeting, AI Titans Showed Themselves to Be the World’s New “Power Elite”

Seventy years ago, in 1956, the sociologist C. Wright Mills published a startling exposé of the hidden forces controlling the government in the United States. What Mills labeled “the power elite” occupied leading roles in corporations, the military, and political institutions.

Mills’ book was designed to explore the shadowy world in which the power elite operated and to expose the enormous behind-the-scenes influence of a group whose decisions had great consequences for “the underlying populations of the world.” At the time it appeared, commentators credited Mills with “developing a theory of where the decisive power lies in American society, how it got there, and how it is exercised.”

Keep ReadingShow less
The U.S. Pentagon.

Buried in the 2027 NDAA, Section 224 could fundamentally reshape U.S.-Israel defense ties. Is Congress creating an irreversible military partnership?

Getty Images, Westend61

America Should Stay Single

As we wait to see what comes of ceasefire negotiations between the United States and Iran, the House just released its 2027 National Defense Authorization Act (NDAA). Buried within it lies Section 224, titled the “United States-Israel Defense Technology Cooperation Initiative,” a provision representing what would be a radical departure from how we work with even our strongest allies, turning America’s relationship with a close collaborator into a permanent military-industrial integration. The U.S. has worked with NATO partners on co-production and shared supply chains in the past, but never like this. Many are calling it a merger. We should all be calling it off.

Section 224 could inextricably link the fate of our country’s defense to another’s. The Secretary of Defense would be directed to designate an executive agent to fuse ventures with Israel so significantly that it would touch almost every area of defense tech: AI, autonomous systems, energy, cyber, biotech, and beyond. It also proposes “network” and “data fusion,” which means, as the director of the Democratizing Foreign Policy program at the Quincy Institute warned, “the U.S. military’s data could soon be the Israeli military’s data.America First may soon sound more like a sarcastic punchline than a platform.

Keep ReadingShow less
AI Could Save Thousands—So Why Is Healthcare Still Hitting the Brakes?

Discover how generative AI in healthcare could reduce misdiagnoses, improve chronic disease management, and save hundreds of thousands of lives—if policymakers accelerate adoption instead of waiting for risk-free perfection.

Getty Images / Pakorn Supajitsoontorn

AI Could Save Thousands—So Why Is Healthcare Still Hitting the Brakes?

Imagine that the only way Americans traveled was on foot or on horseback. And assume that 100,000 people died each year because they couldn’t reach a hospital in time or firefighters arrived too late.

Suddenly, they learned that thanks to a technological breakthrough, cars and trucks will become widely available within three years.

Keep ReadingShow less