Public feedback shapes the future of HIPAA security rule amendments
Farah Amod
April 11, 2025

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) introducing potential updates to the HIPAA Security Rule. The goal was to strengthen safeguards for electronic protected health information (ePHI). The proposal drew plenty of attention. According to TechTarget, by the time the public comment period closed on March 7, 2025, more than 4,700 comments had been submitted.
Let’s take a closer look at what HHS proposed, how the public responded, the main points of concern, and what could happen next in the regulatory process.
What is the HIPAA Security Rule?
According to the U.S. Department of Health and Human Services (HHS), “The Security Rule establishes a national set of security standards to protect certain health information that is maintained or transmitted in electronic form.” It “sets forth the administrative, physical, and technical safeguards that covered entities and business associates (collectively, ‘regulated entities’) must put in place to secure individuals’ electronic protected health information.” The Security Rule works alongside the HIPAA Privacy Rule—formally known as the Standards for Privacy of Individually Identifiable Health Information—and the Breach Notification Rule, which implements provisions of the HITECH Act requiring covered entities to notify individuals, HHS, and in some cases the media “when certain information has been acquired, accessed, used or disclosed in a manner not permitted by the Privacy Rule.” Together, these rules “help to protect the privacy and security of protected health information (PHI).” A central objective of the Security Rule is “to protect the security of individuals’ ePHI while allowing regulated entities to adopt new technologies that improve the quality and efficiency of health care.” Designed to be “flexible, scalable, and technology neutral,” the Security Rule enables organizations to implement safeguards that are appropriate for their size, structure, and risk environment.
Why the Security Rule is being revised
The Biden administration pushed for updates to the HIPAA Security Rule in light of a surge in healthcare data breaches. “The healthcare information of more than 167 million people was affected in 2023 as a result of cybersecurity incidents,” said Anne Neuberger, then Deputy National Security Advisor for Cyber and Emerging Technologies.
The proposed changes, released by the Office for Civil Rights (OCR) at HHS, try to bring HIPAA standards in line with today’s threats. Neuberger said the cost of implementation is expected to reach about $9 billion in the first year and roughly $6 billion a year in each of the following four years.
The urgency is driven by sharp increases in cyberattacks targeting healthcare. Since 2019, major breaches caused by hacking and ransomware have risen by 89% and 102%, respectively. Neuberger described the hacking of hospitals and sensitive health data as one of the most disturbing challenges her team deals with. Some hospitals have had to return to paper operations, while leaked mental health data is showing up on the dark web—sometimes used for blackmail.
“We’ve made some significant proposals that we think will improve cybersecurity and ultimately everyone’s health information,” said an OCR spokesperson.
HIPAA itself dates from 1996, but the Security Rule was not finalized until 2003 and was last substantively amended by the 2013 Omnibus Rule that implemented the HITECH Act of 2009. It hasn’t kept up with how healthcare operates today. Cloud platforms, mobile devices, APIs, and remote care have introduced new vulnerabilities that weren’t part of the picture back then.
The new rule tries to close those gaps with stricter, more detailed requirements, and would remove the current distinction between “required” and “addressable” implementation specifications so that, with limited exceptions, every specification becomes mandatory. Among the proposed controls are encryption of ePHI at rest and in transit, multi-factor authentication, vulnerability scanning at least every six months and annual penetration testing, network segmentation, and tighter access controls. It also calls for a written technology asset inventory and network map, more rigorous risk analysis, patch management with fixed deadlines, restoration of critical systems within 72 hours, and annual verification of business associates’ safeguards.
If finalized, these updates would bring the Security Rule into 2025 with standards that better reflect the realities healthcare organizations now face.
Who provided feedback
According to Security Boulevard, the comment pool was as diverse as the healthcare ecosystem itself:
- Healthcare providers of all sizes, from large health systems like the Cleveland Clinic to rural hospitals and solo practitioners
- Professional organizations, including HIMSS, the American College of Obstetricians and Gynecologists (ACOG), and the National Rural Health Association
- Technology vendors, such as cybersecurity firms, EHR developers, and software providers like Epic Systems
- Individual stakeholders, including clinicians, IT professionals, and data privacy advocates
Template submissions from organizations like the American Psychological Association helped drive volume, but many commenters contributed detailed, thoughtful feedback based on sector-specific concerns.
Themes and concerns from public comments
Public comments on the proposed cybersecurity rule changes reflect widespread support for strengthening protections around electronic protected health information (ePHI) but also highlight serious concerns about feasibility, clarity, and administrative burden. As summarized in the Executive Summary of Comments Received, “commenters are urging HHS to provide more specific guidance, consider the challenges faced by different types and sizes of regulated entities, and ensure that the requirements are feasible and effective in the current threat environment.”
Broad definition of ‘security incident’
Many stakeholders pushed back against treating attempted but unsuccessful intrusions, such as phishing emails, as reportable “security incidents.” The existing definition in 45 CFR 164.304 already covers “attempted or successful” unauthorized access, so the objection is to the reporting and documentation burden the proposal would attach to every failed attempt. As Security Boulevard reports, “HIMSS specifically recommends excluding ‘unsuccessful attempts,’” arguing that “reporting every attempted intrusion... would be impractical, resource-intensive, and could overwhelm regulatory bodies with non-critical information.” The general consensus was to limit reporting to actual breaches or serious threats that compromise the confidentiality, integrity, or availability of ePHI.
‘Reasonably anticipated’ threats
Concerns were also raised about the ambiguity of what constitutes a “reasonably anticipated” threat. The Cleveland Clinic noted that the language should not be interpreted as requiring covered entities to eliminate all possible risks, observing that “this is often impossible with external actors.” Instead, it recommended that HHS “focus on implementing reasonable and effective security measures and continuous improvement.”
Patch management and restoration timelines
The proposed 72-hour timeframe for restoring critical systems after a security incident created considerable concern. While commenters acknowledged that it’s an admirable goal, many cautioned that “the timeframe should be case-dependent, particularly as forensic reviews might be necessary before restoration.” The Wisconsin Primary Health Care Association (WPHCA) went further, recommending “removing the 72-hour timeframe” altogether. Similarly, commenters questioned the feasibility of the proposed fixed patch deadlines (15 calendar days for critical-risk patches and 30 calendar days for high-risk ones), especially for large and complex infrastructures.
Access termination and notifications
Under the new rule, covered entities would need to notify other entities within 24 hours of revoking a workforce member’s access to ePHI. While the intent was generally supported, commenters asked “whether the 24-hour timeframe... is appropriate,” and whether “a shorter or longer timeframe would be more reasonable,” considering the wide range of operational environments and technical limitations.
Business associate verification
One of the most contested changes involves requiring annual written verification from business associates that technical safeguards are in place. As noted in the executive summary, some called the requirement “burdensome and potentially unnecessary,” pointing out that “business associates are already legally required to comply with HIPAA.” Others suggested expanding the requirement to include administrative and physical safeguards, and proposed that HHS allow entities to use “generally accepted cybersecurity principles and methods or NIST Special Publications as a guide” for verification.
Definitions and terminology
Many commenters stated the need for precise and practical language in the final rule. Specific terms like “deploy,” “information system,” and “security incident eradication” were flagged as needing refinement. The executive summary reports “concerns about technical feasibility and the concept of ‘direct management control’ in cloud computing environments,” while also noting that the new definition of “malicious software” was “generally seen as a positive improvement,” provided additional guidance is issued on firmware-level threats.
Impact on small and solo practices
Cost and complexity were major concerns for small and rural providers. Many warned that implementing enterprise-grade cybersecurity protocols would be overwhelming without the necessary resources. According to the executive summary, “some commenters feel the implementation timelines and cost projections are unrealistic,” and urged HHS to consider “tiered requirements based on organizational size and capacity.”
Multi-factor authentication and device-specific concerns
While most commenters supported multi-factor authentication (MFA), there was confusion around acceptable methods. Stakeholders specifically requested “clarification... particularly [on] the status of SMS-based MFA,” a point worth settling given that NIST SP 800-63B already classifies one-time codes delivered over SMS or voice as “restricted” authenticators because of SIM-swap and interception risk. Others pushed for a “risk-based selective use of MFA,” with the ability to maintain a single MFA credential over a reasonable timeframe rather than re-prompting for every access. Epic Systems and others also raised concerns about applying anti-malware requirements to devices like smartphones and wearables, suggesting that “a risk-based, platform-specific approach” is more practical than a blanket standard.
The mobile app gap
Commenters pointed to an oversight: the rule’s lack of attention to mobile healthcare applications. As Security Boulevard notes, “Approov and others argued that the rule should explicitly include mobile devices and applications within its safeguards.” These apps are increasingly used by both patients and clinicians and present risks such as insecure APIs and client-side code that can be reverse engineered. Epic echoed the concern, asking OCR for “guidance on what platforms require anti-malware protection” and cautioning that omission “would leave a vast attack surface unprotected.”
Alignment with existing frameworks
To streamline compliance, many organizations called on HHS to align the new rule with widely used frameworks such as NIST. One commenter shared that they “use NIST and other frameworks to create assessment tools,” suggesting this approach is not only practical but already embedded in current industry best practices.
Suggestions for centralized reporting
Finally, to address regulatory overlap, commenters proposed “a unified cybersecurity incident reporting mechanism across federal agencies.” This would prevent duplicate or inconsistent reporting processes, especially for organizations accountable to multiple regulatory bodies.
Where things stand now
Although HHS is expected to analyze and respond to the public comments, the timeline for the final rule is unclear. On January 20, 2025, President Trump issued a memorandum titled “Regulatory Freeze Pending Review,” directing agencies not to propose or issue new rules until an appointee of the new administration has reviewed them. As a result, the HIPAA Security Rule amendment is on hold for the time being.
Still, many in the healthcare industry are hoping that strengthening cybersecurity can be one of the rare areas for bipartisan agreement, especially in light of recent high-profile breaches. If the freeze is lifted or an exception is granted, a revised version of the rule could move forward relatively quickly.
FAQs
How can healthcare organizations prepare for possible changes if the rule remains on hold?
Organizations can begin by aligning current cybersecurity practices with NIST standards, enhancing mobile app security, and addressing known gaps in encryption, access controls, and endpoint protection—even if final rules are delayed.
What role do legal and compliance teams play in interpreting HIPAA rule changes?
Legal and compliance professionals help translate regulatory language into actionable policies. Their guidance is needed in risk assessments, workforce training, and vendor contract reviews to ensure readiness.
What does a 'tiered compliance model' mean for smaller providers?
Tiered models adjust requirements based on an organization's size, capacity, and risk level. This can mean phased timelines, scaled expectations, or support grants for security upgrades for small or rural providers.