The HIPAA Security Rule is on the chopping block — here’s what comes next

Healthcare leaders push back on the HIPAA Security Rule proposal, citing conflicts with existing laws and operational burdens.
By admin
Apr 30, 2025, 3:34 PM

Cybersecurity professionals have long relied on the HIPAA Security Rule to guide their compliance strategies, but a proposed overhaul issued during the final days of the Biden administration has stirred significant controversy. 

The proposed HIPAA Security Rule update, issued in late 2024, would mandate new administrative and technical safeguards for electronic protected health information (ePHI), including stricter timelines for breach notification and enhanced obligations for business associates. Supporters of the rule — primarily privacy advocates and some consumer groups — argue that these changes are long overdue in light of increasing data breaches and evolving threats. 

However, the proposed rule has been met with strong resistance from major healthcare provider groups, including the College of Healthcare Information Management Executives (CHIME) and the Health Sector Coordinating Council (HSCC). They argue the proposal is both overly burdensome and disconnected from operational realities, with potential conflicts against other federal cybersecurity efforts. 

“We and other provider stakeholders have continually requested rescission [of the HIPAA Security Rule], and asked them to kind of start over,” said Chelsea Arnone, CHIME’s Director of Federal Affairs, in reference to a letter CHIME sent to the Department of Health and Human Services (HHS).

The rule has been widely criticized as impractical and as potentially conflicting with existing law, namely P.L. 116-321, which was signed in Trump’s first term and requires HHS to consider existing security practices when enforcing regulations. HSCC, which includes over 400 healthcare organizations, has joined CHIME in asking the White House to withdraw the proposal and begin a collaborative process with industry.

Trump’s administration has launched a government-wide deregulatory push, and the HIPAA rule is one of many in the crosshairs. The Office of Management and Budget (OMB) issued a request for information (RFI) asking agencies to identify rules that are burdensome or in conflict with federal law. Comments are due May 12. 

CHIME plans to use the RFI to reiterate the need to eliminate the HIPAA proposal.  

“Even though it’s just a proposal, we still would like it to be unalived,” Arnone added. 

New compliance measures still moving forward 

While the future of the HIPAA Security Rule is uncertain, other federal compliance initiatives continue to evolve. One example is CMS’s FY26 payment rule, which introduces updated requirements for hospitals participating in Medicare’s Promoting Interoperability Program. 

Starting in 2026, hospitals and critical access hospitals will need to attest to: 

  • A Security Risk Analysis (SRA) – an evaluation of potential risks and vulnerabilities to ePHI. 
  • A new Security Risk Management (SRM) plan – a distinct attestation focused on how the hospital actively mitigates identified risks. 

In addition, CMS is requiring use of updated SAFER Guides. 

What are the SAFER Guides? 

The Safety Assurance Factors for EHR Resilience (SAFER) Guides are a series of checklists and best practices designed by ONC and CMS to help healthcare organizations assess and improve the safety and effectiveness of their EHR systems. 

Originally introduced in 2016, the SAFER Guides include topics like system configuration, contingency planning, and test result management. In 2025, the guides were revised and consolidated from nine to eight categories, streamlining some of the original content. 

Beginning in 2026, hospitals will need to attest that they have completed a self-assessment using all eight updated guides. This attestation is part of CMS’s broader goal to enhance health IT safety and minimize patient harm related to EHR use. 

“Folks will need to attest to the 2016 versions this year, and then in 2026, they will need to use all eight updated SAFER Guides,” Arnone explained. 

While many health systems already use SAFER Guides voluntarily, formalizing the requirement adds another layer of compliance complexity. The convergence of overlapping rules from different agencies has led organizations like CHIME to advocate for a streamlined, coordinated cybersecurity framework rather than fragmented mandates. 
