Regulatory Initiatives

On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy at 89 Federal Register 32976 (April 26, 2024). With regard to the modifications to the HIPAA Privacy Rule Notice of Privacy Practices (NPP) requirements at 45 CFR 164.520, the court vacated only the provisions that were deemed unlawful, namely 164.520(b)(1)(ii)(F), (G), and (H). The remaining modifications to the NPP requirements are undisturbed and remain in effect, see Carmen Purl, et al. v. U.S. Department of Health and Human Services, et al., No. 2:24-cv-00228-Z (N.D. Tex. June 18, 2025). Compliance with the remaining NPP modifications is required by February 16, 2026. HHS will determine next steps after a thorough review of the court’s decision.

HIPAA Security Rule NPRM

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve cybersecurity and better protect the U.S health care system from a growing number of cyberattacks. The proposed rule would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to require health plans, health care clearinghouses (an organization that enables the exchange of health care data between a provider and a payer (insurance company)), and most health care providers, and their business associates, to strengthen cybersecurity protections for individuals’ protected health information. This proposed rule is the latest step taken by OCR to address more frequent cyberattacks targeting the U.S. health care system, consistent with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals.

OCR has seen a substantial increase in reports of large breach reports received over the last five years. From 2018-2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches—a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent.

Accordingly, the proposed rule would modify the HIPAA Security Rule to require health plans, health care clearinghouses, and most health care providers, and their business associates to better protect individuals’ electronic protected health information against both external and internal threats. It would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis. Additionally, it would better align the Security Rule with modern best practices in cybersecurity.

Content created by Office for Civil Rights (OCR)
Content last reviewed