Privacy rules are shifting
Regulators are signaling tougher expectations for telehealth and small practices, so privacy and cyber-hygiene are moving from optional extras to operational priorities. Federal officials are still assessing a proposed HIPAA Security Rule update that would modernize technical and administrative safeguards, and state enforcement teams are pushing for compliance programs that are “operational, not just on paper.” This matters because recent patient-data incidents show the risk is real: Providence alerted 1,200 patients to potential data exposure, and Hong Kong authorities linked a 56,000-record leak to online posting. Families will rightly ask where their data lives and who can access it. (bankinfosecurity.com) (mondaq.com) (times-standard.com) (thestandard.com.hk)
A doctor’s office used to worry about locked filing cabinets. Now a two-person telehealth practice can store appointment notes, insurance details, and lab results across cloud software, video platforms, and billing vendors in three different states. (hhs.gov)

Washington is deciding whether to tighten the main federal rule that protects electronic patient records under the Health Insurance Portability and Accountability Act, the 1996 health privacy law better known as HIPAA. The Department of Health and Human Services said on December 27, 2024 that it proposed updating the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information. (hhs.gov) That rule is still not final. BankInfoSecurity reported on April 9, 2026 that the administration has not yet decided whether to move ahead with the proposed overhaul, even as federal officials continue discussing what stronger safeguards should look like. (bankinfosecurity.com)

The proposed changes are more concrete than the old checklist-style approach. They would push organizations toward steps like encryption, multi-factor authentication, written asset inventories, and regular testing, which is a shift from “we considered security” to “show us exactly how you do it.” (hhs.gov) Small medical groups and telehealth providers feel that shift first because they often buy software from outside vendors instead of running their own data centers. Every extra login system, contractor, and connected app creates another doorway into patient data that someone has to monitor. (hhs.gov)

States are sending the same message from another direction. A March 2026 analysis of Connecticut’s 2025 privacy enforcement report said regulators now expect compliance programs to be “operational, not just on paper,” with real processes for notices, opt-outs, identity checks, and response deadlines. (mondaq.com) That phrase matters because privacy failures are no longer hypothetical.
On April 8, 2026, Providence said 1,200 patients may have had information exposed, including items such as names, dates of birth, addresses, phone numbers, insurance details, emergency contact information, and dates of service. (msn.com)

The Hong Kong case was much larger and more public. Government and local news reports said more than 56,000 Hospital Authority patient records were leaked online, including names, identity card numbers, hospital file numbers, and surgical procedure details from the Kowloon East Cluster. (news.gov.hk) (news.rthk.hk) Police then arrested a 30-year-old employee of a systems maintenance contractor hired by the Hospital Authority. (msn.com) That detail is the whole modern privacy problem in one sentence: the risk is not only hackers breaking in from outside, but also insiders and vendors who already have a way in.

So the new standard forming around healthcare is less about binders full of policies and more about daily routines. Regulators are asking who can open the data, how access is limited, how quickly unusual activity is spotted, and whether a clinic can prove those controls worked on a real Tuesday afternoon, not just in an annual training slide deck. (bankinfosecurity.com) (mondaq.com)

For patients, that means the privacy question is getting simpler and sharper. When a family hands over a child’s therapy notes or an older parent’s medication list through a telehealth portal, they increasingly have reason to ask three plain questions: where is this stored, which companies can see it, and what stops one mistaken click from turning it into the next breach notice. (hhs.gov) (times-standard.com)