
How proposed HIPAA regulations may impact providers’ bottom lines

AMA’s president warned that independent physician practices could close due to the financial strain.


HIPAA could soon get a long overdue makeover.

In January, the US Department of Health and Human Services (HHS) introduced the first new rule for the Health Insurance Portability and Accountability Act—the law that protects patients’ private healthcare information—in more than 15 years. It came with a plethora of new regulations for how covered entities should go about protecting a patient’s health information.

Covered entities include health plans, healthcare intermediaries, and providers.

The proposed regulations would require all covered entities to implement security measures like multi-factor authentication, maintain inventories of all assets that contain or transmit patient data, and conduct annual audits to ensure they’re following the rules.

The updates are “more in alignment with current best practices in cybersecurity” than the original HIPAA rules created in the ’90s and early 2000s, Steven Teppler, chair of cybersecurity and data privacy at the law firm Mandelbaum Barrett, told Healthcare Brew.

Costly concerns

While the healthcare industry largely agrees that stronger cybersecurity measures are needed—especially following incidents like last year’s Change cyberattack that compromised 190 million people’s data—some industry groups have voiced opposition to HHS’s proposed rule.

The primary concern is how expensive it would be to implement.

The Office for Civil Rights, a department within HHS that enforces HIPAA, estimated the rule would cost the healthcare industry $9 billion in its first year and an additional $6.8 billion for the following four years.

Small practices would likely be hit hard by such costs because they would be held to the same standards as large healthcare conglomerates like UnitedHealth Group, James Madara, CEO and EVP of the American Medical Association, wrote in a March 6 letter responding to the proposed rule.

“In a small physician practice, the person who answers the phone is often the same person in charge of compliance,” Madara wrote. “Regulating small physician practices as though they had the same attack surface and posed the same threat of industry disruption as a giant, consolidated enterprise such as [UnitedHealth Group] is an approach disconnected from reality.”

Madara warned that implementing the proposed changes could worsen the trend of independent physician practices closing due to financial pressure.


The percentage of physicians working in private practice fell from 60.1% in 2012 to 46.7% in 2022, according to data from the AMA’s physician practice benchmark survey. The AMA cited “increasing economic pressures” as part of the reason for the shift away from private practice.

“By continuing down this path, the already declining number of independent physician practices will dwindle further, unable to withstand disproportionate compliance demands,” Madara wrote.

Healthcare entities may also need to hire additional cybersecurity staff to stay in compliance with the many new requirements, which would increase overhead costs, according to a statement from the nonprofit American Medical Informatics Association.

And not only would implementing the rules be expensive, but not following them may be as well. HIPAA noncompliance can bring fines of up to $500,000, potential criminal penalties, or exclusion from the Medicare program, Jonathan Jaffery, chief healthcare officer at the professional organization the Association of American Medical Colleges, noted in a March 7 letter to HHS.

On the other hand…

Some healthcare cybersecurity experts say covered entities should be doing even more than what HHS’s proposed rule requires.

“Even with these new requirements, many healthcare organizations are still playing catchup,” David White, co-founder and president of cybersecurity company Axio, shared with Healthcare Brew in an email. “The reality is, compliance should be the floor—not the ceiling.”

Teppler added that although the new requirements would be more expensive than the current commonplace cybersecurity practices, “there are offerings that are coming out all the time to make the transition to a more secure environment less expensive and easier to implement.”

The caveat

HHS’s new rule remains a proposal for now, and it’s unclear if and when it will be finalized.

Though healthcare cybersecurity has previously been seen as a bipartisan issue, the proposed rule is “misaligned” with the Trump administration’s focus on deregulation, Madara noted in his comments to HHS.

Additionally, President Trump on Jan. 20 issued an executive order freezing the review of proposed rules in the Federal Register, which could further delay the decision.
