OCR Director Responds to Criticism of Proposed HIPAA Security Rule
At the HIMSS conference on Thursday, Paula M. Stannard, Director of the HHS Office for Civil Rights (OCR), discussed proposed regulatory changes, including the HIPAA Security Rule update proposed by OCR in the final days of the Biden Administration. The HIPAA Security Rule has been in effect for more than two decades, yet as technology has advanced considerably during that time, the Security Rule has not been updated. While the Security Rule was written to be technology agnostic, it is clear that updates are necessary to improve healthcare cybersecurity.
The proposed HIPAA Security Rule update requires extensive changes to cybersecurity, including making some of the HHS’s Health and Public Health Sector Cybersecurity Performance Goals (HPH CPGs) mandatory requirements. The proposed rule has attracted considerable criticism from health systems, provider organizations, and other stakeholders due to the cost of implementation, the perceived inflexibility of the proposed requirements, and the burden compliance would place on providers, especially low-resource providers such as rural healthcare providers and critical access hospitals.
OCR received substantial feedback on the proposed rule and has been reviewing the comments. A final rule is due in May 2026, although whether the rule will be issued in its current form, is modified, or is shelved, will be down to the Trump administration. “I’ve heard complaints about the cost of work that would be imposed by the proposed modifications. I’ve heard about the lack of flexibility that it proposes. But I want to encourage you to think about it in a different way,” Stannard said at the HIMSS conference. “There’s a very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties.”
If the HHS sticks to the proposed timescale and publishes a final rule in the Federal Register in May, the HIPAA Security Rule update would take effect within 60 days, although HIPAA-regulated entities would be given time to comply with the new requirements, which is typically 180 days – 6 months – after publication. It is likely, however, given the extensive requirements, that such a timeline would be unworkable for many HIPAA-regulated entities, so that time frame may in fact be extended.
OCR is also continuing to obtain feedback on a HIPAA Privacy Rule update proposed by OCR under the first Trump administration. While little happened with that update during the Biden administration, there appears to have been some progress, and a final rule is also expected this year. Again, whether that will happen will be down to the Trump administration, which favors deregulation rather than further industry regulations.
In President Trump’s cyber strategy, published this week, the President explained that his administration plans to streamline cybersecurity regulations to reduce the compliance burden on companies, stating that “Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response.” While President Trump’s Cyber Strategy may be at odds with further regulatory requirements in healthcare, it is clear that the current privacy and security requirements are no longer effective at preventing cyberattacks and data breaches, given that more than 700 large healthcare data breaches have been reported to OCR each year since 2021, and the industry continues to be targeted by financially motivated cybercriminals.
“Regardless of what we end up doing with it, the proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage,” Stannard said.
