"I've heard complaints about the costs and burdens that would be imposed by the proposed security modifications, but I want to encourage you not to overlook the very high cost of doing nothing," Paula Stannard, director of the HHS Office for Civil Rights, said during a HIPAA Summit in April.
HHS Office for Civil Rights, the May deadline and political friction
Federal regulators are scheduled to finalize a long-awaited overhaul of the 23-year-old HIPAA Security Rule in May, according to the federal government's regulatory agenda published during the final days of the previous administration. But whether the HHS Office for Civil Rights (OCR) will meet that deadline remains uncertain. The source notes the Trump administration has broadly promised to reduce regulations rather than add to them, and OCR officials have not publicly committed to a firm publication date.
Several experts quoted in the reporting say a partial or delayed final rule is most likely. Attorney Adam Greene of Davis Wright Tremaine — a former senior adviser to OCR — said his impression is that "OCR currently plans to finalize at least some of the changes that were proposed," but he does not expect publication by the May deadline and predicts "later this year or early next year" is more realistic.
Proposed changes: from "addressable" to required, and more documentation
The proposed rule would make sweeping shifts in how the Security Rule is applied. Chief among them: removing the regulatory distinction between "required" and "addressable" implementation specifications. Under the proposal, implementation specifications that have previously been labeled "addressable" — examples cited in the source include encryption and multifactor authentication — would become mandatory except in narrowly defined cases.
The draft also calls for written documentation across the board: policies, procedures, plans and analyses tied to the Security Rule would need to be documented in writing. Regulators also proposed tighter requirements for business associates, clearer guidance on how to perform security risk analyses, and other prescriptive measures described in the proposed rule.
Micro-segmentation and business associate verifications highlighted by practitioners
Some practitioners have singled out specific technical controls they expect to survive the rulemaking process. Jason Elrod, chief information security officer of MultiCare Health System, predicted micro-segmentation will almost certainly move from being "addressable" to "required," saying he's "almost positive, like 98%" that it will. Meanwhile, Keith Fricke, co-managing partner of consulting firm tw-Security, supported the proposed requirement for annual written verification from business associates that their technical controls are in place, calling that "a must" given the central role third-party vendors play in many health data breaches.
Industry groups, healthcare providers and implementation timelines
Industry groups and many healthcare providers have pushed back, arguing the proposed rule is highly prescriptive and would be costly and difficult for resource-stretched organizations to implement. The reporting notes those objections were prominent in public comments on the proposal.
If OCR finalizes the rule, affected entities would likely have a relatively short compliance window: the source states regulated healthcare firms would probably have "about 180 days to comply." Because that period could strain smaller or under-resourced organizations, Rachel Seeger, founder of North Country Communication and a former longtime HHS OCR adviser, predicted OCR would likely extend timelines or adopt a tiered compliance approach with delayed deadlines for small covered entities "to appease critics." Seeger also said OCR is "highly unlikely to scrap years of work" on the proposal but may narrow or phase the rule to focus on elements with broad consensus.
What this means for technologists, regulators, and healthcare providers
- Technologists and security teams: The proposed rule functions as a detailed playbook of what OCR views as best practices, and practitioners cited in the story recommend treating the proposal as a planning guide now. Specific priorities named in the source include enterprise-wide risk analysis, multifactor authentication, incident response, and micro-segmentation.
- Regulators and policymakers: OCR faces a balancing act between enhancing cybersecurity resilience and responding to a political mandate to reduce regulatory burdens. Several sources expect OCR to finalize a narrower, incremental rule that adopts less controversial items first while deferring more prescriptive measures to later rulemaking or guidance.
- Healthcare providers and business associates: Organizations should inventory documentation, allocate budget and resources, and consider whether they can meet a likely near-term compliance window. The proposed requirement for annual written assurances from business associates means procurement and vendor management processes will receive heightened scrutiny.
Uncertainty remains: OCR could delay, narrow, or phase the final rule, but multiple observers think some elements — notably strengthened risk analysis, multifactor authentication, incident response and tighter business-associate controls — will survive in some form. The practical upshot is straightforward: even if the formal rule is delayed, the proposal gives a clear signal about what OCR considers security best practices and what covered entities should be preparing to implement on a compressed timeline.