OCR Director Responds to Criticism of Proposed HIPAA Security Rule

At the HIMSS conference on Thursday, Paula M. Stannard, Director of the HHS Office for Civil Rights (OCR), discussed proposed regulatory changes, including the HIPAA Security Rule update proposed by OCR in the final days of the Biden Administration. The HIPAA Security Rule has been in effect for more than two decades, yet as technology has advanced considerably during that time, the Security Rule has not been updated. While the Security Rule was written to be technology agnostic, it is clear that updates are necessary to improve healthcare cybersecurity.

The proposed HIPAA Security Rule update requires extensive changes to cybersecurity, including making some of the HHS’s Health and Public Health Sector Cybersecurity Performance Goals (HPH CPGs) mandatory requirements. The proposed rule has attracted considerable criticism from health systems, provider organizations, and other stakeholders due to the cost of implementation, the perceived inflexibility of the proposed requirements, and the burden compliance would place on providers, especially low-resource providers such as rural healthcare providers and critical access hospitals.

OCR received substantial feedback on the proposed rule and has been reviewing the comments. A final rule is due in May 2026, although whether the rule will be issued in its current form, is modified, or is shelved, will be down to the Trump administration. “I’ve heard complaints about the cost of work that would be imposed by the proposed modifications. I’ve heard about the lack of flexibility that it proposes. But I want to encourage you to think about it in a different way,” Stannard said at the HIMSS conference. “There’s a very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties.”

If the HHS sticks to the proposed timescale and publishes a final rule in the Federal Register in May, the HIPAA Security Rule update would take effect within 60 days, although HIPAA-regulated entities would be given time to comply with the new requirements, which is typically 180 days – 6 months – after publication. It is likely, however, given the extensive requirements, that such a timeline would be unworkable for many HIPAA-regulated entities, so that time frame may in fact be extended.

OCR is also continuing to obtain feedback on a HIPAA Privacy Rule update proposed by OCR under the first Trump administration. While little happened with that update during the Biden administration, there appears to have been some progress, and a final rule is also expected this year. Again, whether that will happen will be down to the Trump administration, which favors deregulation rather than further industry regulations.

In President Trump’s cyber strategy, published this week, the President explained that his administration plans to streamline cybersecurity regulations to reduce the compliance burden on companies, stating that “Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response.” While President Trump’s Cyber Strategy may be at odds with further regulatory requirements in healthcare, it is clear that the current privacy and security requirements are no longer effective at preventing cyberattacks and data breaches, given that more than 700 large healthcare data breaches have been reported to OCR each year since 2021, and the industry continues to be targeted by financially motivated cybercriminals.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

“Regardless of what we end up doing with it, the proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage,” Stannard said.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/