OCR Gives Update on Proposed HIPAA Security Rule
On January 6, 2025, OCR published a notice of proposed rulemaking (NPRM) in the Federal Register detailing proposed changes to the HIPAA Security Rule. If implemented, it will be the first major update to the Security Rule in two decades. The comment period closed on March 7, 2025, and the process of reviewing the comments has now begun. The NPRM was issued by OCR under the Biden Administration, and it is unclear whether the update will be pushed through by OCR or shelved, as was the case with the proposed update to the HIPAA Privacy Rule under the previous Trump administration.
Given the extent to which the healthcare industry is being targeted by cyber actors and the number of successful attacks, it is clear that healthcare cybersecurity needs to improve. OCR, under the Biden administration, felt that the voluntary cybersecurity performance goals published in January 2024 would not be sufficient to drive the behavioral change that is needed, and regulatory updates are necessary to force HIPAA-regulated entities to improve cybersecurity.
The NPRM runs to almost 400 pages and includes changes to definitions, the removal of the distinction between required and addressable implementation specifications, and extensive updates to cybersecurity requirements. The NPRM has received considerable criticism from regulated entities and industry groups, in particular due to the burden it will place on HIPAA-regulated entities and the high cost of compliance.
In February 2025, eight industry associations, including the College of Healthcare Information Management Executives and the American Health Care Association, co-signed a letter to President Trump calling for the proposed update to be rescinded. CHIME said, “Our members strongly believe that the combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems.”
CHIME points out that under the previous Trump administration, a new law (P.L. 116-321) was enacted that incentivized the adoption of recognized cybersecurity best practices by HIPAA-regulated entities. Rather than impose unreasonable mandates, CHIME argues, HHS should encourage proactive cybersecurity measures and focus on policies that support flexible, evidence-based security frameworks aligned with industry best practices and the rapidly evolving cyber threat landscape.
There is no denying the alarming increase in hacking incidents and ransomware attacks, but CHIME believes that the proposed update will do little to decrease the number of data breaches or the overall number of individuals affected by those breaches, and will not meaningfully slow the escalation of cyberattacks involving hacking and ransomware.
At the Virtual 42nd National HIPAA Summit, Tim Noonan, deputy director of health information privacy, gave an update on the status of the NPRM, although he did not indicate how OCR plans to proceed once the comments have been reviewed. Noonan confirmed that OCR has received 4,745 comments on the proposed Security Rule update, and said OCR will be reading every single submitted comment. “We organize the comments by category and try to get a sense of what the public response is to all the proposals,” said Noonan. “We will categorize everything, try to understand it, and then work within HHS, as with any rulemaking, on what future actions to take.”
Noonan also confirmed that the long-awaited third phase of HIPAA compliance audits commenced in December 2024 and will involve audits of 50 HIPAA-covered entities and business associates, specifically looking at the most important Security Rule provisions for hacking and ransomware attack prevention.