Providers oppose proposed changes to HIPAA Security Rule
Long-awaited updates to the HIPAA Security Rule are back in the spotlight after 100-plus providers and professional organizations urged the Department of Health and Human Services to hit the brakes.
HHS proposed the changes in late 2024. The notice of proposed rulemaking covers a lot of ground, with new requirements for risk analysis, incident response, system configuration, vulnerability scanning, and backup and recovery. The rule also puts into writing a requirement to encrypt electronic protected health information (ePHI) at rest and in transit – a gray area since the Security Rule was last updated in 2013.
The proposed requirements, which the Office for Civil Rights (OCR) within HHS is due to act upon this May, appear to be too much for hospitals and health systems. Last month, 57 provider organizations plus a similar number of associations wrote a letter to HHS suggesting proposed HIPAA Security Rule updates “should be immediately withdrawn without further consideration.”
The organizations reiterated their support for HIPAA and its cybersecurity safeguards. However, they added, “the Proposed Rule would place substantial new financial burdens on health care providers and includes unreasonable implementation timelines that make it difficult to reconcile with the information technology complexities of modern health care delivery organizations.”
The letter doesn’t provide specific details about the financial burdens, implementation timelines, or IT complexities. OCR has estimated compliance would cost HIPAA covered entities and business associates $9 billion in the proposed rule’s first year, plus $6 billion per year for the next four years, according to an analysis from law firm Alston & Bird. In addition, the firm said, entities would have 240 days to comply with the rule if it were finalized in its current form.
Organizations signing the letter said new cybersecurity standards “should set strong protections while allowing innovation so providers can respond effectively to evolving cybersecurity risks.” Such standards should be developed through “a collaborative outreach initiative” and be “practical and actionable,” the letter said, “without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”
The harsh wording points to political undertones in the letter. HHS proposed changes to the HIPAA Security Rule in the waning weeks of the Biden administration. Now, the letter indicated, a push for new rules “runs counter to President Trump’s robust deregulatory agenda.”
The signing organizations may have been on to something. Less than three weeks after writing their letter, the HHS Assistant Secretary for Technology Policy released the Health Data, Technology, and Interoperability (HTI-5) Proposed Rule. In a fact sheet, the agency spelled out plans to remove 34 of 60 existing health IT certification requirements and revise an additional seven, along with plans to reduce the scope of real-world testing and maintenance certification requirements.
The cybersecurity landscape for provider organizations appears to be shifting as well. As of Dec. 23, 2025, about 500 data breaches had been reported to HHS for the calendar year, impacting just under 43 million Americans. Both figures trail 2024, when nearly 600 breaches were reported and about 270 million Americans were impacted, including the 190 million hit by the Change Healthcare data breach.
The industry also seems to be better positioned to identify and contain data breaches, according to the most recent Cost of a Data Breach Report from IBM. Healthcare organizations spent $7.4 million last year to mitigate a breach – well above the global average of $4.4 million, but also a significant drop from $9.7 million in 2024.
Brian Eastwood is a Boston-based writer with more than 10 years of experience covering healthcare IT and healthcare delivery. He also writes about enterprise IT, consumer technology, and corporate leadership.