Tag: HIPAA Security Rule

HIPAA Security: Waiting For the Final Rule Is Not an Option

By Erik Eisen, CEO, CTI Technical Services.

Few in the healthcare industry question the need to modernize the HIPAA Security Rule, the proposed overhaul of which is expected to be finalized in 2026. But even if the final rule is modified to scale back requirements or lengthen timeframes, compliance will be a heavy lift for many physician practices, hospitals, and health systems.

That reality, coupled with the common-sense need for robust security around protected health information (PHI) and other patient data, makes procrastination a compliance strategy that is doomed to fail.

Cyberattacks have reached unprecedented levels in the two decades since the HIPAA Security Rule was issued. The first, and so far only, major update to the rule came with the 2013 Omnibus Rule, in a year when healthcare organizations reported just 269 breaches affecting 500 or more individuals each. By 2024, that number had skyrocketed to 734 such incidents. Based on current trends, 2025 could see 750–800 large breaches, and analysts warn that more than 300 million records could be compromised if mega breaches continue.

A Proposed Overhaul

In the HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, the Office for Civil Rights (OCR) noted that the overhaul was prompted by the reality that cybersecurity concerns now touch nearly every facet of healthcare due to the industry’s reliance on stable and secure computer networks and technologies.

Also at play is the expanding population of covered entities (CEs) and business associates (BAs) that handle ePHI, which raises healthcare’s overall risk profile: every additional party is one more place where an unintentional event or a malicious act can endanger electronic PHI and other sensitive data.

Thus, OCR determined that it was time to update the rule to address technological advancements and evolving breaches and cyberattacks. The proposed rule also acknowledges OCR’s greater enforcement experience, improved guidelines, best practices, methodologies, procedures, and processes for protecting ePHI, and various legal decisions that have impacted enforcement.

It also re-addresses one of OCR’s most significant challenges when it comes to regulating security: the rapid advancement of both health IT and the methods employed by malicious actors.

Too-prescriptive mandates would necessitate updating the rule more frequently than is realistic. Previous iterations of the HIPAA Security Rule attempted to address this by being flexible with compliance and classifying many security measures as “addressable” implementation specifications. Addressable does not mean optional: an organization must implement the specification if it is reasonable and appropriate for its environment, and otherwise document why it is not and implement an equivalent alternative. In practice, however, many organizations have treated addressable specifications as merely recommended.

For example, the current rule requires any organization touching ePHI to conduct a security risk analysis to evaluate potential risks and vulnerabilities, manage the identified risks down to a reasonable and appropriate level, and document the steps taken. OCR, together with the Office of the National Coordinator for Health IT (ONC), even provides a free Security Risk Assessment tool for conducting the evaluation. But beyond that, there is no prescriptive guidance. As a result, many healthcare organizations that lacked the resources or technical knowledge to conduct a comprehensive risk analysis wound up taking shortcuts.

While industry support for the HIPAA Security Rule overhaul is broad, so are concerns that the compliance burden will be too high for many organizations it affects. There was a consensus throughout the nearly 4,750 letters submitted during the proposed rule’s public comment period that many requirements would be almost impossible for some organizations to meet without assistance.

Additionally, the proposed rule converts many addressable implementation specifications to required, eliminating a core flexibility aspect of the rule. Finally, for many, compliance with the updated HIPAA Security Rule will not be feasible with their existing technical infrastructure. It would necessitate significant investments in new technologies capable of protecting ePHI as mandated by the rule.

Lessening the Burden

The good news is that compliance does not have to come at the cost of financial ruin. Small steps toward anticipated mandates can be taken now to lessen the compliance burden—many of which are common-sense protective measures that should be implemented with or without regulatory dictates. For example:

Other actions that should be taken now include conducting a security risk assessment and drafting a mitigation and remediation plan. Doing so allows for the prioritization of limited resources.

It is also likely that even well-resourced healthcare organizations will require third-party support to take these early actions or achieve compliance within the timeframes outlined in the final security rule. As such, now is the time to identify the right trusted IT management firm to assist with enhanced security and, eventually, regulatory compliance.

Look for firms with a deep understanding of healthcare-specific compliance requirements. Prospective partners should offer a broad enough service portfolio to cover the full range of needs that HIPAA Security Rule compliance creates, along with other issues that may arise, including the ability to future-proof security. They should also possess advanced expertise and the willingness and ability to leverage current tools and processes that outperform older or less adaptive technologies.

Look for a partner that emphasizes long-term relationships and offers personalized customer support. Other must-haves include flexibility and scale in their approach to services, transparent price structures, and simple contracts with clear and fair service terms. Finally, during the evaluation process, be sure to ask prospects about response times and disaster recovery capabilities and obtain—and check—references.

Ending Procrastination

While the final requirements may differ from what has been proposed, there is little likelihood that OCR will retract its decision to overhaul the HIPAA Security Rule. It is an action that is long overdue and should serve as a reminder that strengthening data protection is the right thing to do, whether mandated by OCR or not.

Taking steps now will significantly ease compliance burdens and protect one of healthcare’s most valuable assets. For provider organizations with limited resources, taking small steps towards compliance now will go a long way toward protecting patient data.

What Is Your HIPAA Data Backup Plan?

By Marty Puranik, co-founder and CEO, Atlantic.Net.

The data backup plan is a required implementation specification of the HIPAA Security Rule’s contingency plan standard (45 CFR 164.308(a)(7)). It obliges a healthcare organization to establish, implement, and maintain procedures for creating and maintaining retrievable, exact copies of electronic protected health information (ePHI). Because the plan sits inside the wider contingency planning process, any business associate (BA) or managed service provider (MSP) chosen to hold ePHI must be able to demonstrate a compliant backup service that can back up and restore exact copies of healthcare data whenever required.

The data backup plan should be integrated within a wider contingency plan because it is designed as a failsafe for the protection of patient data. Most MSPs already offer disaster recovery technology capable of failing data and services over to a secondary location almost instantaneously. Backups, by contrast, are the last line of defense in the event of a catastrophic system failure: they are what makes data restoration possible in the worst possible scenarios, including ransomware that reaches the live replica.

What Are HIPAA Compliant Storage Requirements?

The Health Insurance Portability and Accountability Act (HIPAA) is US legislation that was signed into law by President Bill Clinton in 1996. This law, enacted through regulations overseen by the Department of Health and Human Services (HHS), sets rules for the protection of healthcare information (called protected health information, or PHI) and the ability to maintain coverage when your employment changes. One of the core elements of HIPAA is the protection of electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

HIPAA applies to two types of organizations, covered entities and business associates. While covered entities are organizations involved in healthcare payment, operations, and treatment, business associates are organizations that create, receive, maintain, or transmit PHI in the course of performing services for covered entities or for other business associates. Companies within both of these categories need HIPAA-compliant storage and must generally follow the parameters established by HHS.

Look to the Security Rule for guidance

Your primary consideration when evaluating HIPAA storage is the Security Rule, which defines physical, administrative, and technical safeguards that must be used to prevent unauthorized access. Following the Security Rule requires organizations to do the following:

The Security Rule is written in flexible language, with parameters that need to be met but no specific steps forward. That looseness of language, per the agency, is intended to allow individual organizations to come up with their own solutions based on the scope and nature of their institution.

Essential HIPAA-compliant storage safeguards

Here are the specific ePHI safeguards you need, whether internally or through an organization you contract, across the three Security Rule categories:

Technical safeguards

Transmission security – A HIPAA-compliant organization needs to deploy technical security measures that guard against unauthorized access to ePHI while it is being transmitted over a network. The standard’s two implementation specifications, integrity controls and encryption, are both addressable, but in practice encrypting ePHI in transit (for example with TLS) is the expected way to meet it.

Access controls – Companies must implement technical policies and procedures that allow only authorized users and programs to reach ePHI. The standard’s implementation specifications are unique user identification and an emergency access procedure (both required), plus automatic logoff and encryption/decryption of stored ePHI (both addressable).

Integrity control – To maintain HIPAA compliance, an organization must develop policies and procedures that protect ePHI from improper alteration or destruction. The accompanying specification calls for a mechanism to authenticate ePHI, that is, a way to corroborate that data has not been altered or destroyed in an unauthorized manner (cryptographic checksums or digital signatures are the usual means).

Audit controls – For any system that holds or uses electronic health data, institutions have to implement hardware, software, and/or procedural mechanisms that record and examine activity in that system, so that access to ePHI by users and processes can be reconstructed and reviewed.
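The backup plan described in the previous article calls for retrievable, exact copies of ePHI, and the Integrity control item above calls for a mechanism to corroborate that data has not been altered or destroyed. The same small tool serves both: record a SHA-256 digest of every file when the backup is taken, then recompute and compare at restore or audit time. The following is an added example written for this page, not code from either article or from any vendor named here; the directory layout, the manifest file name, and the two patient records are constructed for illustration.

```python
"""Hash-manifest backup verification for an ePHI directory.

Added example, not part of the original articles. Creates an exact copy of a
source tree, writes a SHA-256 manifest computed from the *source*, and later
proves the copy is still byte-for-byte identical, or names what changed.
File names and sample records below are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumed name; nothing in HIPAA prescribes it


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large records need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest (manifest excluded)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy source to dest and store a manifest computed from the source, so the copy
    is later checked against the original data rather than against itself."""
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(copy: Path) -> dict:
    """Recompute digests in the copy and compare with its manifest.
    Returns {"ok": bool, "modified": [...], "missing": [...], "unexpected": [...]}."""
    expected = json.loads((copy / MANIFEST_NAME).read_text())
    actual = build_manifest(copy)
    modified = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    missing = sorted(f for f in expected if f not in actual)
    unexpected = sorted(f for f in actual if f not in expected)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Back up two constructed records, verify, then corrupt the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ephi"
        dst = Path(tmp) / "backup"
        (src / "2024").mkdir(parents=True)
        # Constructed sample records; not real patient data.
        (src / "2024" / "MRN-0001.json").write_text('{"mrn": "0001", "dx": "J45.20"}')
        (src / "2024" / "MRN-0002.json").write_text('{"mrn": "0002", "dx": "E11.9"}')

        backup(src, dst)
        before = verify(dst)  # exact copy: ok

        # Simulate silent corruption of one record and loss of another in the backup.
        (dst / "2024" / "MRN-0001.json").write_text('{"mrn": "0001", "dx": "J45.21"}')
        (dst / "2024" / "MRN-0002.json").unlink()
        after = verify(dst)  # not ok: one modified, one missing
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is deliberately computed from the source rather than from the copy, and it should itself be stored somewhere the backup media cannot overwrite (or signed), otherwise an attacker who can tamper with the backup can simply regenerate it. A restore test should run `verify` on the restored tree, not just on the backup media.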

Physical safeguards

Workstation and device protections – Access to and use of electronic media and workstations should be governed by policies and procedures developed by the organization. A HIPAA-compliant company should have official policies and procedures related to how electronic media is moved, reused, decommissioned, and discarded.

Facility access – Institutions should verify that physical access to the facilities and systems housing ePHI, including any data center, is limited to authorized parties.

Administrative safeguards

Evaluation – A HIPAA-compliant company has to perform periodic technical and nontechnical evaluations of the extent to which its policies and procedures meet the Security Rule, especially after environmental or operational changes.

Security point-person – There must be a designated security official who is responsible for developing and implementing the organization’s security policies and procedures.

Staff management and training – There should be proper authorization and oversight of any staff members who handle patient data. All members of your workforce should have security training, and there must be consequences when anyone disregards the official guidelines.

Data access management – Follow the Privacy Rule’s principle of “minimum necessary” related to the use and disclosure of health data. The Security Rule mandates that the policies and procedures used by a HIPAA-compliant organization should only allow an individual to access data when their role gives them that permission (called role-based access).

Security management – To achieve HIPAA compliance, a company must identify risks and take steps to mitigate them. Risk analysis is critical because it will impact all the above efforts, so it is discussed in its own section below.
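The Audit controls item above requires that activity in systems holding ePHI be recorded and examined, and the Data access management item requires that access be limited to what a person’s role permits. Recording is only half of audit control; the logs have to be reviewed. The following is an added example for this page, not code from the article or from any product: it parses a constructed access log, flags actions outside a role’s permissions, distinguishes documented emergency (“break-the-glass”) access, and flags a user who opens an unusual number of distinct records in a short window. The log format, the role table, and the thresholds are all assumptions.

```python
"""Audit-control review of an ePHI access log.

Added example, not part of the original article. Log line format, role
permissions, and bulk-access thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed role model: which actions each workforce role may take on a record.
ROLE_ALLOWED = {
    "physician": {"view", "update", "print"},
    "nurse": {"view", "update"},
    "billing": {"view_billing"},
    "frontdesk": {"view_demographics"},
}
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5  # distinct MRNs touched inside the window that triggers an alert

# Assumed log format: "<ISO8601 UTC> user=<id> role=<role> action=<action> mrn=<id> [reason=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) mrn=(?P<mrn>\S+)(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample log; not real data. Contains one billing user viewing a
# clinical record, one front-desk emergency access, and one front-desk user
# walking through five records in five minutes.
SAMPLE_LOG = """\
2024-05-03T09:12:44Z user=nlee role=nurse action=view mrn=0001
2024-05-03T09:13:02Z user=nlee role=nurse action=update mrn=0001
2024-05-03T09:15:10Z user=bpatel role=billing action=view mrn=0002
2024-05-03T09:18:30Z user=rgomez role=frontdesk action=view mrn=0004 reason=emergency
2024-05-03T09:30:00Z user=tmoss role=frontdesk action=view_demographics mrn=0101
2024-05-03T09:31:00Z user=tmoss role=frontdesk action=view_demographics mrn=0102
2024-05-03T09:32:00Z user=tmoss role=frontdesk action=view_demographics mrn=0103
2024-05-03T09:33:00Z user=tmoss role=frontdesk action=view_demographics mrn=0104
2024-05-03T09:34:00Z user=tmoss role=frontdesk action=view_demographics mrn=0105
not a valid audit line
"""


def parse(line: str):
    """Return a dict for a well-formed line, or None so the caller can flag it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(lines):
    """Return a list of (kind, user, detail) findings for a reviewer to work through."""
    findings = []
    recent = defaultdict(list)  # user -> [(timestamp, mrn)] within BULK_WINDOW
    bulk_alerted = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            # An unparseable line is itself a finding: gaps in audit data hide activity.
            findings.append(("unparseable", "-", line.strip()))
            continue
        if rec["action"] not in ROLE_ALLOWED.get(rec["role"], set()):
            if rec.get("reason") == "emergency":
                # Emergency access is permitted but must be reviewed after the fact.
                findings.append(("break_glass", rec["user"], f"{rec['action']} mrn={rec['mrn']}"))
            else:
                findings.append(("role_violation", rec["user"],
                                 f"{rec['role']} performed {rec['action']} on mrn={rec['mrn']}"))
        # Sliding-window count of distinct records per user.
        hist = recent[rec["user"]]
        hist.append((rec["ts"], rec["mrn"]))
        cutoff = rec["ts"] - BULK_WINDOW
        recent[rec["user"]] = hist = [(t, m) for t, m in hist if t >= cutoff]
        distinct = {m for _, m in hist}
        if len(distinct) >= BULK_THRESHOLD and rec["user"] not in bulk_alerted:
            bulk_alerted.add(rec["user"])
            findings.append(("bulk_access", rec["user"], f"{len(distinct)} records within {BULK_WINDOW}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:15} {user:8} {detail}")
```

The nurse’s entries produce nothing, the billing user’s clinical view is a role violation, the front-desk emergency view is surfaced separately so a reviewer can confirm it was justified, and the five-record walk trips the bulk threshold once rather than on every subsequent line. Real deployments would pull the role table from the identity system rather than hard-code it, and would tune the window and threshold per role.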

Risk analysis and management

All HIPAA compliant storage should be assessed for any risks on a regular basis. Here is how you move forward:

Cloud providers and importance of the BAA

Many organizations work with outside parties to protect their ePHI. The Healthcare Industry Cybersecurity Task Force (HCIC) released a 2017 report of healthcare cybersecurity recommendations that addressed cloud relationships. One key point was to embrace cloud service providers, especially if your organization is smaller, since “smaller healthcare organizations often do not have the resources to fully staff a credible cybersecurity group.”

While cloud may make sense, the business associate agreement is critical to relationships with third parties. While you still must carefully vet these organizations, the BAA establishes responsibility for all aspects of the handling of the information that might otherwise be unclear.

Cloud security may now be stronger than at the typical traditional data center, but the risk still must be addressed. The essential nature of the BAA is underscored in the HHS’s “Guidance on HIPAA & Cloud Computing.”

Creating a HIPAA Compliant Social Media Strategy

Guest post by Erik Kangas, CEO, LuxSci.

More and more healthcare practitioners are turning to social media to disseminate health-related information and communicate with patients and others in their field. However, healthcare practitioners should pay close attention to the information they share there to ensure that they comply with HIPAA’s Privacy and Security Rules. Here are a few guidelines to assist you in implementing a social media strategy that complies with HIPAA standards.

What is HIPAA?
First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that, through its Privacy Rule, restricts how healthcare providers, health plans, and their business associates may use and disclose individually identifiable patient information. Such information may be used or disclosed without the patient’s authorization for treatment, payment, and healthcare operations, for example between the clinicians caring for a patient, or between a hospital and an insurer for billing. Outside those permitted purposes, and a narrow set of other exceptions, a patient’s information may not be disclosed unless the patient authorizes it in writing.

Guidelines for remaining HIPAA compliant
An accidental slip in the information shared on social media can mean that HIPAA has been inadvertently violated. Even when the mistake is not your own, it can create a host of problems for you, your business, and your reputation. Staying cautious about what is disseminated through your organization’s Facebook, Twitter, or other social media pages is critical to your career.
Seek patient consent before you post anything – Before you write about a case, seek your patient’s consent. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Obtaining prior consent should never be skipped, regardless of whether the patient’s identity has been omitted from the information you share online; details such as dates, locations, and unusual conditions can still make a patient identifiable.

Inform before you engage – Some patients are less private about their medical conditions, and would like to communicate with you through social media. You should attempt to take the conversation into the privacy of your workplace. If your patient persists on an online dialogue, inform them of the risks associated with revealing personal information online, then acquire the patient’s consent before communicating through social media.

Texting Patient Information: Risks and Strategies for Physicians

Guest post by Ann Whitehead, RN, JD, vice president of risk management and patient safety, the Cooperative of American Physicians

Sending text messages has become a common method of communication among teenagers, adults, and more recently, medical professionals. Physicians are discovering that texting provides a quick and efficient way to communicate with colleagues, patients, and office or hospital staff. A recent survey by QuantiaMD of 38,000 physicians found that approximately “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.”

As patients and healthcare providers increasingly use mobile devices to communicate with each other, concerns are raised about the security of electronic protected health information (e-PHI). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule allows healthcare providers to communicate electronically with patients, but it also outlines standards to protect individuals’ e-PHI with appropriate safeguards to protect confidentiality, integrity and security of e-PHI. The following identifies security issues raised by texting of PHI between healthcare providers or provider and patient and how unsecure texting may violate the HIPAA Security Rule and create liability for healthcare providers.

As a general rule, texting of PHI by healthcare providers is strongly discouraged. Traditional short message service (SMS) messaging is non-secure and does not meet the Security Rule’s safeguards because it is not end-to-end encrypted: messages travel through, and can be retained on, carrier systems in readable form, and copies persist in the message store of both the sender’s and the receiver’s handsets, where they can be read, forwarded, or included in device backups by anyone with access to the phone. Device encryption at rest does not change this, since the phone is unlocked whenever it is in use and the carrier’s copy is outside the provider’s control. This means that messages containing PHI can be read by anyone, forwarded, remain unencrypted on phone company servers, and stay indefinitely on the sender’s and receiver’s phones.

Another reason why physician-patient texting is discouraged is that standard texting/SMS limits the message to 160 characters. This limited text field may cause critical information or options to be eliminated. According to a recent policy statement from the American College of Physicians and the Federation of State Medical Boards, physicians should understand text messaging is “not analogous to e-mail because of its abbreviated format and the greater possibility of missed messages.” Physicians are urged not to use text messaging even with established patients “except with extreme caution and with patient consent.”
