HIPAA Security: A Renewed Focus of the Trump Administration?

on Friday, 29 August 2025 in Health Law Alert: Kristin N. Lindgren, Editor

If the first eight months of the new administration are an indicator, HIPAA Security Rule compliance and enforcement will remain a key priority for the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and other regulatory agencies. Many commentators point to the current state of the health care information and data security environment, including the steady stream of cybersecurity incidents, as justification for the continued focus on information security practices.

To date in 2025, OCR has announced over fifteen (15) HIPAA settlements related to cybersecurity issues and the Security Rule requirements to safeguard electronic protected health information (ePHI). The settlements stem from security incidents that resulted in data breaches reportable to OCR, including ransomware and phishing attacks. Settlement amounts and civil monetary penalties range from $10,000 to $1,500,000 and include corrective action plans based on the compliance gaps identified through OCR’s investigation.

A theme has continued to emerge – OCR is focused on comprehensive risk analysis, timely breach notification, and covered entities’ and business associates’ efforts to safeguard ePHI. Notable findings across multiple settlements include failure to complete a risk analysis assessing ongoing vulnerabilities to ePHI, insufficient measures to mitigate security risks, failure to regularly review information system activity, failure to implement risk management measures sufficient to reduce vulnerabilities, and failure to provide timely breach notification to individuals, the media, and OCR. The message to covered entities and business associates continues to be that proactive approaches to information security must be part of your HIPAA compliance program, with a particular focus on risk assessment, updated policies and procedures, and timely incident response.

Health care information security is not a new priority. However, many organizations of all sizes have struggled to implement the requirements of the HIPAA Security Rule. In an effort to significantly overhaul the Security Rule, OCR issued a proposed update in December 2024 (Proposed Rule). A summary of the Proposed Rule is available here. The Proposed Rule would incorporate many new cybersecurity standards and mark a significant change to the HIPAA Security Rule, which has historically allowed flexible approaches to compliance. Many industry groups and trade associations have urged the administration to rescind the Proposed Rule, arguing that it is costly and burdensome for covered entities and business associates. The outcome of the Proposed Rule is still uncertain, and we will continue to monitor the rulemaking process.

Also in 2025, the U.S. Department of Justice (DOJ) National Security Division’s data security program went into effect. The program prohibits or restricts the bulk transfer of certain sensitive personal information (even if de-identified, aggregated, or encrypted) to certain foreign nations, individuals, and entities. These regulations impose stringent requirements on health data and will certainly affect health care organizations’ data sharing practices, including information disclosed to vendors such as business associates. Organizations should assess the impact of the new rules, including reviewing data sharing processes and updating agreements as necessary.

Health care organizations continue to invest in technology and implement advancements that rely on sensitive data. With such investment come increased obligations and security safeguards. Recent regulatory developments and enforcement activity highlight the importance for covered entities and business associates of remaining vigilant in their ongoing HIPAA and other data security compliance efforts.
