
New Cybersecurity Rules Target Health Providers

Healthcare providers have often failed in the obligation they owe you when they collect your personal data. If that has happened to you, the experienced national data breach attorneys at Federman & Sherwood can file a lawsuit on your behalf.

The federal government has proposed a major overhaul of the HIPAA Security Rule, the rule that governs cybersecurity for electronic protected health information (ePHI). If implemented, the new rules would impose many new requirements on health providers who hold your personal data. They would also standardize how providers meet those requirements, removing much of the discretion providers currently have to decide for themselves which safeguards to put in place.

Schedule a free initial consultation with a data breach lawyer at Federman & Sherwood by calling us at (800) 237-1277. Obtaining financial compensation for a data breach is both a means of being paid for your difficulties and getting justice at the same time.

The Government Is Seeking to Step in Where Health Providers Have Failed

Health providers have been one of the most common sources of data breaches in recent years, which have caused damage to consumers. When you seek any type of medical care, you are required to entrust the provider with certain sensitive information that must be protected. Unfortunately, health providers have not always lived up to their own legal obligations, making the need for new cybersecurity rules even more pronounced.

In January 2025, the Department of Health and Human Services (HHS) proposed the first update to the cybersecurity rules issued under the Health Insurance Portability and Accountability Act (HIPAA) since 2013. The proposed rules were issued in the wake of numerous high-profile data breaches that affected millions of consumers. Predictably, the industry is doing everything in its power to fight these rules and keep them from being finalized.

What the New HIPAA Cybersecurity Rules Would Require

One of the major aspects of the proposed rule is that it would remove some of the discretion that health providers currently have. Under the existing rule, each safeguard is either "required" or "addressable." A required safeguard must be implemented as written; for an addressable one, the provider may decide that an alternative measure is reasonable and appropriate, or that the safeguard is not applicable, and document that decision instead of implementing it. Under the new rule, the distinction between "addressable" and "required" would be eliminated. Health providers would no longer be able to provide a written justification that lets them avoid implementing a safeguard.

The proposed rule would also require health providers to conduct more robust risk assessments of potential threats. Many data breaches occur because a healthcare provider does not become aware of a threat until the breach has already happened. Under the proposed rule, the provider must prepare a comprehensive written risk analysis that identifies the threats and vulnerabilities to its ePHI. In addition to the assessment, the provider must document the mitigation strategies it would use to counter those threats, and the plan must be consistent with modern cybersecurity frameworks and best practices.

Under the rule, health providers cannot simply identify a threat, draft a mitigation plan, and leave it at that. They must test their own systems, with vulnerability scanning at least every six months and penetration testing at least once a year. The intent of this requirement is for the provider to find a weakness in its own systems before a hacker can exploit it.

Further, the proposed rules would make it harder for health providers to fall short of their obligation to protect your data by making the use of certain technologies mandatory rather than optional. Since the prior rule was issued in 2013, new technologies have become widely available that deal with cyber threats more effectively. The new rule would require the use of the following:

  • Encryption of electronic protected health information, both at rest and in transit
  • Multi-factor authentication for systems that access ePHI
  • Anti-malware protections on systems that store or access ePHI

Where the New HIPAA Cybersecurity Rules Stand Now

Like every proposed federal rulemaking, the new HIPAA rules are subject to public notice and comment before they can be finalized. At this point, it is unclear how and when HHS will proceed to finalize them. HHS has not withdrawn the proposal, which leads observers to believe that the agency is still interested in finalizing these rules.

In the meantime, if you have been the victim of a data breach that occurred under the current rules, the health provider may still be liable for negligence if it did not act reasonably to protect your data. You may be eligible for financial compensation through a class action lawsuit.

Contact a Data Breach Law Firm

Take the first step to making things right when a health provider has acted wrongly by contacting a national data breach lawyer at Federman & Sherwood. You can schedule a free initial consultation by visiting our website or by calling us today at (800) 237-1277.