OCR director defends HIPAA updates: "The cost of doing nothing is very high"
OCR Director Paula M. Stannard addressed concerns about proposed HIPAA Security Rule updates, but said OCR has yet to decide which, if any, of the proposals will ultimately be finalized.
LAS VEGAS -- The HHS Office for Civil Rights, or OCR, is still parsing through the 4,700 public comments it received a year ago on the proposed updates to the HIPAA Security Rule, Paula M. Stannard, OCR's director, said during a Thursday session at the HIMSS conference. Stannard said that no decisions have been made about which of the proposed modifications might be finalized in the future, but urged covered entities to continue prioritizing cyber risk mitigation.
"After we review the comments, the Trump administration may have a different view on the burdens and benefits of some of the proposed changes," Stannard said.
The Biden-era proposed rule called for more stringent security controls, granular risk analyses and other provisions that, according to many in the industry, would alter the rule's flexible nature and introduce unrealistic cost burdens.
In December 2025, more than 100 hospital systems, provider organizations and industry associations urged HHS to rescind the rule altogether, citing potential financial burdens and unreasonable implementation timelines.
Despite uncertainty about the proposed rule's future, Stannard stressed that the proposal's core principles remain sound best practices for healthcare entities.
"I've heard complaints about the cost of work that would be imposed by the proposed modifications. I've heard about the lack of flexibility that it proposes. But I want to encourage you to think about it in a different way," Stannard said.
"There's a very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties."
Uncertain future of proposed HIPAA Security Rule updates
The proposed HIPAA Security Rule updates are anticipated to be finalized in 2026 and would become effective 60 days after publication, with compliance required 180 days after publication.
However, the Trump administration has taken a staunch deregulatory stance, prompting uncertainty about how the proposed changes to the HIPAA Security Rule fit into its agenda.
On Monday, the White House released its cyber strategy, providing insight into its cybersecurity priorities. The strategy contains six key pillars, including "securing critical infrastructure" and promoting "common sense regulation."
"Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response. We will streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally," the cyber strategy document states, clarifying its definition of common sense regulation.
"We will streamline data and cybersecurity regulations to ensure that the private sector has the agility necessary to keep pace with rapidly evolving threats. We will emphasize the right to privacy for Americans and American data."
Stannard said that the common sense regulation pillar "fits nicely with the way that the Security Rule is currently structured in terms of its adaptability and flexibility, but also the recognition that the ultimate goal is protection of Americans."
Uncertainty remains as to how the proposal will proceed. Stannard said she could not comment on how OCR plans to finalize the Security Rule modifications.
"Regardless of what we end up doing with it, the proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage," she said.
What covered entities can do now in a time of flux
Given the industry feedback and Trump's deregulatory stance, experts expressed doubt that the proposed modifications would move forward as written.
"If it moves forward at all, it's going to move forward with a seriously elongated implementation timeline, but I think they're probably not going to do anything with it," Russell Teague, chief strategist and chief information security officer at Fortified Health Security, said in an interview.
"Nobody has the financial capabilities. My opinion of it is that there's nothing in [the proposed rule] that is really so far outside the bounds that you shouldn't already have it."
Dave Bailey, vice president of consulting solutions and strategy at Clearwater, also expressed concerns about funding.
"It's a very simple business problem. There's just not enough money in order for folks to do the necessary things," Bailey said in an interview. "So, I think from my perspective, we are advising clients that it's important still to do proper risk analyses and understand where their risks are. That's not going to change in the event that HIPAA changes."
However, both experts agreed that some change is needed to move the needle on healthcare cybersecurity.
"It's been the number one targeted industry for 13 years for a reason, because there's been no significant investment and no regulatory or legislative change in the landscape," Teague said.
"Banking and finance, retail, oil and gas -- all of those industries were at one time the number one targeted industry. When enough was enough, they implemented regulatory acts or stood up new cyber programs. And everyone said the same thing: 'It can't be done, we'll never be able to implement it.' But yet, it all happened, and we are in a much better security state for it all."
Teague's advice is to adopt best practices, like those in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), rather than waiting for a mandate.
"Because if you wait for a mandate, you're going to be behind and you're not going to have the financial wherewithal to be able to do it," he said.
Bailey noted that some of the additional clarity provided by the proposal is helpful, especially in distinguishing between required and addressable implementation specifications -- the proposed rule suggests eliminating that distinction.
Currently, addressable implementation specifications give covered entities the option to address certain security controls in different ways depending on the nature of their data, the size of their organization, and other limiting factors.
This has been a source of confusion within HIPAA for a long time, Stannard said.
"We find that they treat addressable as optional and just don't do it. This has resulted, in some instances, especially for small and medium-sized providers, in lax security of ePHI," she noted.
Regardless of whether the HIPAA Security Rule changes move forward, healthcare organizations that continually improve their security posture will be in a better position to combat cyber threats and comply with any future regulations.
Jill Hughes has covered health tech news since 2021.