HIPAA rules unsettled
Federal policy on updating the HIPAA Security Rule is still unresolved, leaving startups uncertain about mandatory changes while regulators and vendors push different interpretations. Industry guidance is already treating stronger safeguards — including mandatory encryption for electronic protected health information — as the likely direction and is offering implementation playbooks (bankinfosecurity.com) (medcurity.com).
A federal health privacy rule written in 2003 is still the law in April 2026, even after the Department of Health and Human Services proposed its biggest rewrite in two decades on January 6, 2025 and closed comments on March 7, 2025. (federalregister.gov) That rewrite is now stuck in review. Paula Stannard, director of the Office for Civil Rights at the Department of Health and Human Services, said this week that the administration is still assessing the proposal and that regulators had not yet fully processed roughly 4,700 public comments. (bankinfosecurity.com)

The rule covers electronic protected health information, which is just medical data stored or moved on computers, phones, servers, and cloud software instead of paper charts. The Office for Civil Rights enforces those standards for health plans, health care clearinghouses, most providers, and the outside vendors that handle their data. (hhs.gov)

The old rule gave companies a lot of wiggle room through a category called “addressable.” That meant a safeguard like encryption often did not have to be used if a company documented why another control was reasonable instead. (hhs.gov) The proposed rewrite would shrink that wiggle room hard. The Department of Health and Human Services said it wants to remove the split between “required” and “addressable” safeguards and make all implementation specifications mandatory except for limited exceptions. (hhs.gov) It would also force a much more detailed map of where health data lives and where it travels. The proposal calls for a technology asset inventory, a network map showing the movement of electronic protected health information, written policies and analyses, and regular updates at least every 12 months and after major changes. (hhs.gov)

That is why startups are uneasy. A young telehealth company can build fast with a few cloud tools and software interfaces, but a mandatory asset inventory and network map turn every laptop, backup, vendor connection, and application programming interface into something that has to be tracked and documented. (hhs.gov)

Encryption sits at the center of the fight because it works like sealing a letter before it leaves the house. Industry compliance firms are already telling clients to act as if encryption for electronic protected health information at rest and in transit will become the baseline, even though the federal government has not finalized the rewrite. (medcurity.com) That gap between law and preparation is the whole story. Regulators are saying the cost of a cyberattack, ransom payment, credit monitoring, civil liability, and investor scrutiny can exceed the burden of stronger controls, while vendors are selling implementation playbooks before the final text exists. (bankinfosecurity.com)

The Office for Civil Rights still lists a final action for May 2026 on its regulatory agenda, but Stannard also said the administration could take a different view of the proposal’s burdens and benefits after reviewing comments. For now, the safest reading is that the old rule remains in force while the market behaves as if a stricter one is coming. (bankinfosecurity.com)