Misinformation Surrounding the HIPAA Security Rule Notice of Proposed Rule Making

In December 2024, the Department of Health and Human Services (HHS) released a Notice of Proposed Rule Making (NPRM) regarding potential changes to the HIPAA Security Rule. This notice opened for a period of public comments, allowing healthcare professionals, organizations, and other stakeholders to voice their opinions on the proposed updates. The comment period closed on March 7, 2025, but the rulemaking process is still far from over.

As often happens with complex regulatory changes, misinformation has begun to spread, leading to confusion and, in some cases, unnecessary alarm. Understanding where we are in the process, what changes may come, and what steps need to be taken is critical for everyone in the healthcare space to avoid falling victim to this confusion.

The Current Status of the NPRM and Public Comments

  • The period for submitting public comments has ended, but the next steps are just beginning.
  • The Office for Civil Rights (OCR) at HHS, which oversees HIPAA compliance, will now carefully analyze the 4,745 comments submitted.
  • Tim Noonan, Deputy Director of Health Information Privacy at OCR, provided an update during the Virtual 42nd National HIPAA Summit, confirming that OCR has received a large volume of comments.
    • Noonan did not provide specific details on how OCR plans to proceed once the comments are reviewed, but he emphasized that OCR is committed to reading every single comment.
    • He also explained that OCR organizes the feedback by category to understand the public’s response to the proposals:

“We will categorize everything, try to understand it, and then work within HHS, as with any rulemaking, on what future actions to take.”

  • This process of categorizing and understanding the comments helps ensure that the final rule considers the concerns and recommendations of stakeholders across the healthcare industry.
  • However, until HHS completes its review and finalizes the rule, there are no immediate changes to the existing Security Rule.

What the Proposed Changes Could Mean

The proposed revisions to the HIPAA Security Rule aim to modernize the regulation in response to new technological risks, such as:

  • The increasing use of cloud computing
  • The rise of remote work environments
  • The growing threat of sophisticated cyber attacks

Key updates could include:

  • Clarifying the definitions of electronic protected health information (ePHI)
  • Refining risk analysis requirements
  • Ensuring that third-party vendors are held to clearer security expectations

Despite the significance of these changes, it’s important to remember that these are merely proposed modifications at this stage. There will be no immediate changes to HIPAA compliance requirements until the final rule is published in the Federal Register.

Once that happens, healthcare entities and business associates will have 240 days to implement the new rules.

Executive Orders and the Future of HIPAA Changes

In parallel with the proposed Security Rule changes, several Executive Orders were released calling for a reduction in federal regulations. These orders may influence the timeline and scope of the proposed updates.

While it is uncertain how much these orders will impact the process, there is speculation that they could delay or reshape the final rule. However, until HHS makes its final decision, healthcare organizations should continue adhering to current compliance standards.

Debunking the Misinformation

Amid all the speculation, it’s easy for misinformation to spread. Some claims have inaccurately stated:

  • That the changes are already in effect.
  • That drastic shifts in compliance requirements are imminent.

These claims are misleading and can cause unnecessary stress for healthcare professionals and organizations. The reality is:

  • There are no immediate changes to HIPAA until the final rule is published.
  • While it’s important to stay informed and understand the proposed updates, it’s equally crucial to avoid reacting prematurely based on incomplete or incorrect information.

HHS has made a helpful fact sheet available to explain the key points of the proposed rule changes. This is a great resource for those who want accurate and up-to-date information.


Conclusion

The proposed changes to the HIPAA Security Rule, while important, have not yet been finalized, and no immediate action is required by healthcare organizations at this stage. Misinformation can be a barrier to clear understanding, so it’s essential to rely on official updates from HHS and to be cautious about unverified claims. With OCR carefully reviewing public comments and planning future actions, the healthcare community will have time to prepare once the final rule is published.

Until then, maintaining awareness and staying grounded in facts will help organizations avoid unnecessary anxiety and confusion.