Will Kennedy's HHS Approve New HIPAA Rules?

B. Allen Bradford, Esq.

2025 Sep. 20

In January, 2025, the Office for Civil Rights of the outgoing Biden administration’s Department of Health and Human Services proposed significant changes in the HIPAA security rule: https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

DHHS stated that its "proposals … would increase the cybersecurity for ePHI by revising the Security Rule to address: changes in the environment in which health care is provided; significant increases in breaches and cyberattacks; common deficiencies the Office for Civil Rights has observed in investigations into Security Rule compliance by covered entities and their business associates (collectively, “regulated entities”); other cybersecurity guidelines, best practices, methodologies, procedures, and processes; and court decisions that affect enforcement of the Security Rule.”

This proposed rule was to be followed by other updates to the HIPAA regulations. The last comprehensive update to HIPAA regulations was in 2013. So, given the rapid growth of Artificial Intelligence, the emergence of ransomware attacks and improved industry security standards since 2013, an update to the rules was badly needed and if anything is overdue.

However, so far, Secretary Robert Kennedy’s DHHS has neither finalized the rule nor indicated whether it plans to do so. We are continuing to monitor developments.