Proposed HIPAA Rule Changes: Stronger Safeguards For Healthcare

by Linda

Tamsin Gable is the head of PR at Municorn.

I lead PR and communications at Municorn, where brand trust meets data protection. If customers doubt their health information is safe, there’s no brand to build.

I’ve seen how breaches erode trust overnight. For privacy-sensitive apps used in healthcare workflows, the proposed HIPAA Security Rule is not just compliance—it’s a chance to strengthen reputation and confidence.

The proposal turns abstract cyber risk into concrete controls marketers can champion across vendors and campaigns. This is vital as AI and cloud reshape how protected health information (PHI) moves through tools we recommend.

But What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is nearly 30 years old; protection of electronic health data has changed dramatically since then.

Given the technological change of recent decades, and the threats that have come with it, the U.S. Department of Health and Human Services (HHS) has proposed a series of modifications to HIPAA intended to strengthen data security in the age of AI.

The proposed changes are substantive and are still under government review.

HIPAA was created with the aim of regulating the transfer of healthcare information in order to protect individuals, as well as the healthcare and health insurance industries, from fraud and theft. It has evolved over time, with its Privacy Rule and Security Rule coming into force in 2003. The former covers national regulations for the use and disclosure of protected health information, and the latter deals specifically with electronic protected health information.

The proposed changes deal specifically with the Security Rule through updating its standards to better mitigate cybersecurity threats to the healthcare sector. HHS first published a notice discussing the proposed rule changes in December 2024 and followed it up with a more detailed proposal in January 2025. This has been followed by an ongoing public consultation period.

Proposed Changes

The proposal contains some fascinating information. Eighty percent of physician offices and 96% of hospitals had adopted electronic health records (EHRs) as of 2021. But this shift to EHRs has also left healthcare providers ever more exposed. In 2021, a cyberattack on cloud-based systems compromised the electronic health information of more than 200,000 people, and also affected the software for linear accelerators used in radiotherapy, disrupting patients’ cancer treatment.

The proposed rule changes include a series of safeguards. These include more frequent security and risk analysis testing, such as vulnerability scans and penetration tests, potentially automated with the use of AI. Compliance audits would be expected at least once a year. HHS is also proposing that multifactor authentication become mandatory, and it is providing a host of updated definitions to reflect current technology.

Entities covered by HIPAA would also need to create and maintain technology asset inventories and network maps detailing every system that handles electronic protected health information.

An Expensive Mistake To Make

While these proposed changes are still being worked out, the fact remains that a lack of compliance with HIPAA, even under existing rules, can be expensive for any organization, costing them hundreds of thousands or even millions of dollars, depending on the violation.

In the meantime, data breaches continue to happen, in part because electronic health information has become more exposed. Such data in the U.S. is particularly at risk of cyberattack. IBM and the Ponemon Institute have collected interesting data on this topic. According to their 2024 study, the global average cost of a data breach hit $4.45 million in 2023, driven by rising expenses associated with lost business and post-breach response actions.

As reported by Medical Buyer, “The United States exceeded all other nations in the highest average cost per breach at $9.48 million. As in past years, the healthcare industry suffered the highest average breach costs at $10.93 million, followed by the financial sector at $5.9 million. Healthcare data breaches typically last 213 days before discovery, more than the average of 194 days across other industries.”

These costs were down slightly in this year’s report, but even organizations that have adopted AI automation to ward off potential cyberattacks must now contend with AI-driven attacks designed to overwhelm their systems.

Help Is Out There

Any entity handling electronic protected health information should therefore take the initiative to ensure compliance. This includes implementing regular audits and updated security policies, training staff so they understand the regulations, partnering where necessary with experienced providers, and adopting new tools for secure data transmission.

In my role at Municorn, I’ve observed that many vendors we evaluate still lack complete technology asset inventories or network maps, which is exactly the kind of oversight the new HIPAA Security Rule updates aim to correct.

Fortunately, there are a host of technology providers and consultancies that can help integrate AI-driven monitoring, compliance automation and traditional channels, such as conventional and electronic faxing, into security strategies as HIPAA continues to evolve.

There is also a need to better communicate about these changes. What I tell our partners is that they must ensure their communications highlight not just compliance, but the specific controls, such as annual risk analyses and MFA adoption, that protect customer data.

They should also frame data protection as part of their brand trust narrative, since in healthcare, privacy and reputation are inseparable. I also recommend collaborating closely with their IT and security teams to translate risk language into brand language that customers understand.

To sum up, HIPAA’s proposed Security Rule changes are more than regulatory updates; they’re an opportunity for marketing and communications leaders to take a visible role in safeguarding the trust that defines their brands. And never forget that data security is a leadership-level responsibility. It’s up to real leaders to make the best choices.

Forbes Communications Council is an invitation-only community for executives in successful public relations, media strategy, creative and advertising agencies.
