Proposed HIPAA update sparks cost vs. protection debate
Healthcare leaders across the nation are grappling with a significant regulatory challenge as the Biden administration’s proposed HIPAA Security Rule update faces strong industry opposition. The proposed changes, introduced in January 2025, would be the first major security overhaul in over two decades and have sparked intense debate about costs, implementation feasibility, and impact on patient care.
A costly security mandate
The White House projects implementation costs at $9 billion for the first year with $6 billion annually thereafter. However, industry groups like the College of Health Information Management Executives (CHIME) and the Association of American Medical Colleges argue these figures severely underestimate the true financial burden.
“The combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges,” wrote seven major healthcare associations in their February 17 letter to President Trump and Secretary Kennedy, with a copy to Elon Musk. They warned that the “unfunded mandates would place an undue financial strain on hospitals and healthcare systems.”
In addition to the insurmountable costs, the healthcare associations pointed to a legal conflict with P.L. 116-321 (signed in January 2021), which requires HHS to consider existing security practices when enforcing regulations—a requirement they claim the new proposal ignores.
Security requirements vs. implementation realities
The proposed rule would require healthcare organizations to:
- Implement mandatory encryption and multifactor authentication
- Conduct comprehensive technology asset inventories
- Perform more rigorous security risk analyses
- Verify business associate security measures annually
- Complete implementation within six months of the final rule
“I understand that my patients’ health care data contains sensitive information and that we must take reasonable precautions to ensure that that data is not accessible to unauthorized parties. However, as we all learned during the recent Change Healthcare data breach resulting from a cyberattack, even the largest firms struggle to have adequate protections in place to prevent breaches. Putting such a responsibility on the smallest companies instead is an inefficient and ineffective way to provide security,” said licensed therapist Elizabeth Didie in a March 1 comment.
Addressing the cybersecurity gap
While opposing this specific proposal, industry representatives acknowledge the need for improved security. The Change Healthcare ransomware attack in February 2024 affected an unprecedented 190 million individuals and cost UnitedHealth nearly $2.9 billion, demonstrating the stakes involved.
Looking forward
As the March 7 comment period draws to a close with over 3,000 submissions, healthcare executives find themselves at a crossroads. Should the rule proceed as written, organizations face significant implementation challenges within the proposed six-month compliance window.
Regardless of the regulatory outcome, healthcare leaders should consider strengthening their security posture by prioritizing high-impact controls, documenting existing security investments, and exploring resource-sharing models that could help smaller organizations achieve compliance.
The challenge remains finding an approach that meaningfully improves healthcare cybersecurity without jeopardizing the operational and financial viability of the organizations that patients rely on for care.