HIPAA rules and FedRAMP tightening
Regulators and policymakers are sharpening security expectations for healthcare vendors: a 2026 overview flags a HIPAA Security Rule overhaul that pushes startups toward stricter controls, while FedRAMP has asked for public comment on updated incident-reporting procedures for cloud providers. That combination means enterprise buyers will demand clearer incident handling, logging and recovery commitments from vendors during procurement. (nchstats.com) (executivegov.com)
A hospital software startup can now get squeezed from both sides at once: health regulators are moving to harden medical data rules, and the federal cloud gatekeeper is rewriting how vendors must report security incidents. (hhs.gov) (fedramp.gov)
The health side starts with the Health Insurance Portability and Accountability Act, the 1996 law that tells hospitals, insurers, and their contractors how to protect patient data. The cloud side starts with the Federal Risk and Authorization Management Program, the federal system for approving cloud services used by government agencies. (hhs.gov) (gsa.gov)
On December 27, 2024, the United States Department of Health and Human Services proposed the biggest rewrite of the Health Insurance Portability and Accountability Act Security Rule since 2013. The proposal was published in the Federal Register on January 6, 2025. (hhs.gov) (federalregister.gov)
That rule covers electronic protected health information, which is the digital version of your medical chart, insurance details, lab results, and billing records. If a company stores, moves, or analyzes that data for a clinic or insurer, it usually becomes a business associate under the law. (hhs.gov)
The old rule let many safeguards stay “addressable,” which worked like a landlord saying a lock is recommended but not always mandatory. The new proposal would convert many of those flexible items into required controls with narrower exceptions. (hhs.gov) (federalregister.gov)
The Department of Health and Human Services says the draft would require written asset inventories, network maps, multi-factor authentication, encryption, vulnerability scanning every six months, annual penetration testing, and stronger backup and recovery planning. It also says entities would need to restore critical systems and data within 72 hours after a loss. (hhs.gov) (federalregister.gov)
Now add the federal cloud piece. On April 8, 2026, the Federal Risk and Authorization Management Program opened public comment on updated incident communications procedures and said the comment window runs until May 12, 2026. (fedramp.gov) (executivegov.com)
FedRAMP says its older incident rules were so broad and unclear that many certified cloud providers rarely notified the program at all. The new draft tries to replace that vagueness with a rules-based system that tells vendors what to report, when to report it, and how severity changes the deadline. (fedramp.gov)
One proposed change moves plain service outages onto public status pages instead of forcing every downtime event into a federal incident channel. Another makes reporting much stricter for providers seeking Class D High certifications, which cover systems where a serious incident could cause greater harm to government operations. (fedramp.gov)
Put those two tracks together and the procurement meeting changes shape. A hospital buyer that used to ask “Are you Health Insurance Portability and Accountability Act compliant?” can now ask for a system inventory, a recovery clock, a logging plan, and a written incident workflow that matches customer notice deadlines. (hhs.gov) (fedramp.gov)
That is especially rough on early-stage vendors because the proposed Health Insurance Portability and Accountability Act rewrite turns security from a policy binder into an operations checklist. If a startup cannot show where patient data lives, who can reach it, how fast backups restore, and when customers get alerted, larger buyers now have more reason to walk away. (nchstats.com) (hhs.gov)
Neither change is final yet: the Health Insurance Portability and Accountability Act update is still a proposed rule, and the Federal Risk and Authorization Management Program incident document is still a request for comment, expected to feed into consolidated 2026 rules by the end of June 2026. But both are already telling vendors what enterprise customers will treat as table stakes this year. (federalregister.gov) (fedramp.gov)