January 30, 2025

Proposed HIPAA updates would improve cybersecurity, increase costs for healthcare providers

Editor’s Note

Entities covered by the HIPAA security rule may soon need to adapt to more prescriptive requirements, new compliance mandates, and significantly higher costs, according to a January 24 report from TechTarget.

As outlined in a December notice of proposed rulemaking (NPRM), the proposal by the Department of Health and Human Services (HHS) eliminates the flexibility of current “addressable” implementation specifications, the outlet reports. As a result, all covered entities will be required to uniformly adopt measures like network segmentation, multi-factor authentication (MFA), and encryption of electronic protected health information (ePHI). Annual compliance audits, vulnerability scans, and penetration testing are among the proposed mandates, creating clear timelines for key activities.

Although the updates align with existing best practices already implemented by many organizations, they would formalize these practices as non-negotiable requirements, TechTarget reports, citing HHS cost estimates of $9 billion in the first year and $6 billion annually in subsequent years. The agency asserts the expenses could be offset by a potential 7–16% reduction in breach-related costs. However, quoted experts remain skeptical, noting that cybercriminals often adapt to evolving security landscapes and raising concerns about disproportionate financial and operational challenges for smaller providers.

According to the article, the future of the proposed rule remains uncertain, as a new administration could alter or abandon the updates altogether. The NPRM’s 60-day public comment period, ending March 7, 2025, will likely influence the final rule.
