Feds Are Still Assessing Proposed HIPAA Security Rule Update
Data Breach Today
HHS OCR Director Says Cost of Inaction May Outweigh Compliance Burdens
HIPAA/HITECH, Standards, Regulations & Compliance
Marianne Kolbasuk McGee (HealthInfoSec) • April 8, 2026
Paula Stannard, director of the U.S. Department of Health and Human Services' Office for Civil Rights, provided some insight into the agency's latest HIPAA efforts during a HIPAA Summit this week. (Image: HHS)
The Trump administration has yet to decide whether to continue a proposed overhaul of the HIPAA Security Rule floated by its predecessor administration. But the nation's top federal enforcer of health regulation provided some insight into what regulators are thinking.
Speaking at the virtual HIPAA Summit on Monday, Paula Stannard, director of the Department of Health and Human Services' Office for Civil Rights, said she's aware that many healthcare lobbies have argued that a Biden-era proposal to toughen the rule would be expensive and difficult to implement (see: Groups Call for Trump to Rescind Proposed HIPAA Rule Update).
HHS OCR published a 125-page proposed update to the 23-year-old HIPAA Security Rule just before President Donald Trump resumed residency in the White House (see: What's in HHS' Proposed HIPAA Security Rule Overhaul?).
The proposal would remove the distinction between "required" and "addressable" implementation specifications, making all implementation specifications mandatory except under specific, limited cases. The proposal also mandated written documentation for all security rule policies, procedures, plans and analyses.
Regulators have not yet fully processed all 4,700 public comments - but the Trump administration overall is committed to streamlining regulation, Stannard said.
A final action on the proposed rulemaking is still anticipated for May on HHS OCR's regulatory agenda.
"I can't say much about what we will end up doing on it, and after we review the comments, the Trump administration may have a different view on the burdens and benefits of the proposed changes, because the proposal-making is quite lengthy," Stannard said.
Stannard signaled she's not inclined to a wholesale rejection of the proposal. "I've heard complaints about the costs and burdens that would be imposed by the security proposed modifications, but I want to encourage you not to overlook the very high cost of doing nothing," she said.
"A successful cyberattack can cost far more in terms of reputation - the need to pay ransom, remediation of your systems, [credit monitoring] protection for those whose protected health information was accessed, potential civil liability - and investors knocking at your door asking for documents and initiating an investigation," she said.
At the same time, Stannard is well aware of the opposition to more regulation. "I've heard complaints about the fact that the proposed rule would eliminate the flexibility," she said. "The current security rule is flexible and scalable largely because of the presence of addressable implementation specifications."
Those "addressable" implementation specifications in the current iteration of the Security Rule include encryption - which today seems like a no-brainer for safeguarding protected health information at rest and in transit, yet is left to the discretion of regulated entities to implement.
"In practice, regulated entities, especially small and medium-sized entities, have treated addressable implementation specifications as optional, and this means that they have not done it," she said. "This has resulted in much more lax security. PHI encryption is a good example under the current security rule."
"It was understandable when we first adopted the Security Rule in 2003; encryption technology was not available. It was very expensive, and for many entities, it may not have been reasonable and appropriate," she said. That's no longer always the case, she said. "It's quite likely that that analysis would lead to the conclusion that encryption would now be a reasonable and appropriate measure to adopt in most instances, and that should already be implemented."
The office is still vetting the proposed rulemaking's provisions that require greater specificity when regulated entities conduct security risk analysis and manage those risks.
Risk analysis has been a perpetual weak spot for many covered entities and business associates, she said. Stannard said its lack "is the most common compliance failure we see in security rule investigations" (see: Why Do HIPAA Risk Analyses Miss the Mark So Often?).
Regulators often find incomplete, outdated or non-existent risk analysis. "How can you effectively reduce risks to ePHI if you don't know what those risks are? So the proposed risk analysis modifications would clarify what a risk analysis must contain," she said.
Privacy Rulemaking
Another top rulemaking is finalization of modifications to the HIPAA Privacy Rule that were proposed at the end of Trump's first term in 2020. That proposed rulemaking was put on the back burner during the Biden administration (see: HHS Reveals Proposed Changes to HIPAA Privacy Rule).
The proposed rulemaking focuses on modifications to the HIPAA Privacy Rule to support, and remove barriers to, coordinated care and individual engagement. Stannard touted the rule as strengthening individuals' right to access their health information. "It would improve information sharing for care coordination and case management, facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises, and reduce administrative burdens on HIPAA-covered entities."
A final rule for the proposed modifications to the HIPAA Privacy Rule is also anticipated for May.
Federal agencies often end up extending deadlines when they update their regulatory agenda, usually twice a year. The next regulatory agenda update for federal agencies is slated for publication in the coming weeks.