Almost 30 years ago, the Health Insurance Portability and Accountability Act of 1996 went into effect to protect the use and disclosure of personal health information. But with a new regime in town, companies are watching closely to see what changes could be in the works under US Department of Health and Human Services (HHS) Secretary Robert F. Kennedy, Jr.
HIPAA's primary goal is to ensure that individuals' health information is properly protected while still allowing the flow of health information needed to provide high-quality healthcare. The act strikes a balance that permits important uses of patient information while protecting the privacy of people who seek care.
Kennedy became HHS secretary in February and is responsible for administering and overseeing all HHS programs, operating divisions, and activities. Kennedy has yet to make any formal announcements about HIPAA’s future course, but that hasn’t stopped healthcare industry observers from speculating about possible future moves, especially as the agency plans to cut as many as 20,000 jobs as part of the Trump Administration’s efficiency efforts.
Early Signs of Changes to Come?
So far, no communication has come from HHS about HIPAA specifically, says John Zimmerer, vice president, healthcare, for wireless services provider Smart Communications. “Secretary Kennedy has put the agency’s initial focus on understanding the causes of and improving the treatment of chronic diseases, as part of his ‘Make America Healthy Again’ movement,” he observes in an email interview.
Nonetheless, a few policy announcements could impact HIPAA specifically and health privacy in general, Zimmerer says. Most importantly, HHS has rescinded a policy that required it to seek public input during the federal rulemaking process.
“Previously, HHS would notify the public about proposed rules and seek input on proposals before finalizing them,” he explains. “By rescinding the Richardson Waiver at the end of February, that appears to no longer be the case.” Under the Richardson Waiver, in place since 1971, HHS had committed to notice-and-comment rulemaking even for categories of rules that federal law exempts from it; with the waiver rescinded following Kennedy’s announcement in February, HHS can invoke those exemptions from public input more readily.
In late December, prior to the new administration and Kennedy’s appointment, HHS issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule “to strengthen cybersecurity protections for electronic protected health information (ePHI).” The public comment period closed on March 7, and the comments are now under review.
Industry groups sent President Trump and Kennedy a letter asking them to rescind the proposed updates to the HIPAA Security Rule. Zimmerer says it’s unclear what the outcome of the proposed rule changes will be.
David White, president of Axio, a cyber risk management provider, believes the healthcare industry is facing a crisis it’s not prepared for. “The proposed updates to the HIPAA Security Rule are a direct response to a problem that’s been growing unchecked for years,” he warns in an online interview.
“Healthcare organizations aren’t prepared for the sophistication or scale of today’s cyber threats,” White says. “While compliance frameworks like HIPAA set a foundation, they have historically been reactive, evolving only after a crisis.” He points to the Change Healthcare breach of February 2024 as the latest example of how fragile the current system really is.
Making Changes
“Considering his libertarian leanings, and that the process to update HIPAA actually started during the first Trump administration, I suspect that Secretary Kennedy would be in favor of strengthening privacy protections,” Zimmerer says.
Under the proposed changes to the HIPAA Security Rule, healthcare organizations would be held to a higher standard of cybersecurity unless the final rule departs from the proposal. New HHS leaders will probably promote more robust HIPAA protections, particularly regarding online health data and patient privacy, says Bill Hall, CEO of OurRecords, a provider of compliance and quality-assurance offerings for businesses in highly regulated industries. He anticipates the arrival of AI-powered compliance tools and stricter regulation of how companies collect, store, and share health data.
“Patients will probably get more control over their information, and businesses will face tougher compliance standards,” Hall says in an online interview. The upcoming changes will affect marketers, insurers, hospitals, and entrepreneurs, he adds. “Consumers will gain more privacy protection, but companies will have to change,” he predicts. The hardest aspect will be maintaining security without stifling tech innovation. “If the rules are clear and practical, they will help build trust in digital health without slowing progress.”
Cybersecurity Mandates Needed
Stronger mandates are necessary, but they shouldn’t be viewed as a silver bullet, White warns. Cybersecurity isn’t about checking boxes — it’s about understanding the full attack surface. “Threat actors don’t care whether an organization is a covered entity or a business associate — they exploit the weakest link. That’s why these regulations finally address third-party risk, requiring vendors to verify their security controls annually,” he states. Yet, even with new requirements, many healthcare organizations will still find themselves playing catch-up.
Implementation will come through updated regulations, more enforcement actions, and possibly new guidance for healthcare providers and tech companies, Hall says. “HHS can [also] tighten restrictions on data sharing with third parties, increase audits, and fortify consent regulations,” he observes. “Businesses handling health data — whether in healthcare, insurance, or IT — must evaluate their processes to ensure compliance.”
Going Beyond Compliance
Compliance should be the floor — not the ceiling, White says. “Organizations need to go beyond what’s required by focusing on continuous risk analysis, rapid response capabilities, and a security culture that prioritizes resilience,” he advises. “Because in healthcare, a cyberattack isn’t just an IT issue — it’s a patient safety crisis waiting to happen.”