Final Rule Implementing HIPAA Security Rule Updates Edges Closer
The HIPAA Security Rule update proposed by OCR in the final days of the Biden administration is only two months away from a final rule, should OCR stick to the proposed timescale for release. OCR has yet to confirm when a final rule will be released or if the proposed rule will actually progress to a final rule.
OCR issued its Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed update, the first significant update to the HIPAA Security Rule in more than two decades, introduced significant new security requirements to ensure the confidentiality, integrity, and availability of ePHI, taking into account changes to business practices and technology since the original rule was enacted.
Several months earlier, in January 2024, OCR published its voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs) – two sets of voluntary goals (essential and enhanced) that HPH sector organizations were encouraged to adopt to improve resilience to cyber threats, and ensure the fastest possible recovery in the event of a successful cyber incident. Both sets of goals consisted of high impact measures for quickly improving resilience.
The HPH CPGs were the first step in the HHS’s Healthcare Sector Cybersecurity strategy concept paper, published in December 2023. The second step was the provision of incentives to encourage adoption of the HPH CPGs. HHS said at the time that it would work with Congress to establish an upfront investment program to help low-resource healthcare providers adopt the essential goals and an incentives program to encourage the adoption of the enhanced goals. Those programs are key to improving adoption of the HPH CPGs, especially at low-resource hospitals that simply do not have the necessary funds to make significant improvements to cybersecurity.
The voluntary goals were welcomed by HIPAA-regulated entities and industry groups, but they were only a starting point, and OCR explained that the goals would advise future rulemaking. Initially, the measures would be voluntary, but further rulemaking would make some of the cybersecurity requirements mandatory, which was what we saw with the proposed HIPAA Security Rule update.
The HIPAA Security Rule update was poorly received by HIPAA-regulated entities and industry groups and attracted considerable criticism. A coalition of more than 100 hospital systems and provider associations called for the HHS to withdraw the proposed updates to the HIPAA Security Rule, which they said “runs counter to President Trump’s robust deregulatory agenda.”
In its proposed form, the Security Rule update was criticized for placing substantial new financial burdens on HIPAA-regulated entities and for setting an unreasonable timeline for implementation. Instead, the authoring healthcare providers and industry groups called for “a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”
During a session at the recent HIMSS conference in Las Vegas, OCR Director Paula M. Stannard said OCR had received more than 4,700 comments in response to the NPRM and is still parsing those comments. Stannard did not confirm whether a final rule will be issued on OCR’s current schedule, or whether the proposed rule will progress to a final rule at all. “After we review the comments, the Trump administration may have a different view on the burdens and benefits of some of the proposed changes,” Stannard said.
Stannard did state that the core requirements of the proposed rule are sound cybersecurity best practices for healthcare organizations. She also acknowledged the criticisms of the proposed rule. Rather than viewing the requirements as inflexible and costly to implement, Stannard suggested viewing them differently, as “there is a high cost of doing nothing.” The proposed changes, if implemented correctly, will improve resilience to cyber threats and reduce the likelihood of costly breaches.
“A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties,” Stannard said.
It remains to be seen whether the Trump administration will view the benefits of the proposed rule as worth the short term financial and administrative pain of implementation. Based on the feedback received, the proposed rule could be slimmed down to reduce the compliance burden, although doing that would water down the protections. If the final rule is released, OCR could extend the timeframe for compliance to ease the burden on HIPAA-regulated entities, extending the compliance deadline from the standard 180 days following publication in the Federal Register.
Even if the proposed rule does not make it to a final rule, Stannard said there have already been benefits from the proposed rule. “The proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage.”
The post Final Rule Implementing HIPAA Security Rule Updates Edges Closer appeared first on The HIPAA Journal.
CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. organizations to strengthen administrative controls for the Intune endpoint management tool, following the Iran-linked cyberattack on the medical technology company Stryker. The Stryker cyberattack was conducted by a threat actor called Handala – a hacktivist group with links to Iran’s Ministry of Intelligence and Security.
Handala claimed to have exfiltrated 50 terabytes of data in the attack before wiping data, and has further claimed that it deleted 12 petabytes of data from 200,000 devices. Wiper malware was not required: Handala used the built-in wipe command of the Intune cloud-based endpoint management tool to wipe Windows devices, including mobile phones and laptops. According to Bleeping Computer, a source familiar with the incident claimed that Handala compromised an administrator account and created a new Global Administrator account, which was then used to wipe the devices.
At the time of writing, the military action against Iran is continuing, and Iran has issued threats of retaliation. In addition to a military response, retaliation is also likely to include further cyberattacks on U.S. companies. “CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026, cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” explained CISA in its March 18, 2026, alert. Consequently, CISA is recommending that organizations take steps to harden their endpoint management system configurations by following Microsoft’s recommendations.
Microsoft’s guidance centers on three hardening actions for Intune:
- Least-privilege administration: use Intune role-based access control (RBAC) to give each administrator only the permissions required for day-to-day operations, rather than broad, tenant-wide roles.
- Phishing-resistant multifactor authentication and privileged access hygiene: use Microsoft Entra ID capabilities to block unauthorized access to privileged actions in Microsoft Intune.
- Multi-admin approval: configure access policies so that sensitive or high-impact actions, such as wiping devices or changing applications, scripts, RBAC, and configurations, require approval from a second administrative account before they take effect.
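The attack chain described above (a compromised admin creates a new Global Administrator, which then issues Intune wipes in bulk) is also something a SOC can look for in audit data, alongside the preventive controls. The following is an added example, not code from The HIPAA Journal, CISA or Microsoft: it triages a set of constructed audit events for two signals, a privileged role grant to a freshly created account and a burst of wipe actions by one actor inside a short window, and raises the severity when the same account appears in both. The event schema, field names, account names (example.com), activity names and thresholds are all assumptions, chosen to resemble Entra ID audit logs and Intune audit events; map them to the real export before use.

```python
"""Triage constructed Entra ID / Intune audit events for the pattern: privileged
role granted to a new account, followed by a burst of device wipes by that account.

Added example, not code from The HIPAA Journal, CISA or Microsoft. The event
schema is an assumption modelled loosely on Entra ID audit logs and Intune audit
events; adapt the field names to the real export."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose assignment should always be reviewed (assumed list; extend as needed).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Intune Administrator"}
# Intune actions that destroy data on a device (assumed activity names).
WIPE_ACTIVITIES = {"wipeManagedDevice", "retireManagedDevice"}

# Constructed sample events (not real log data). svc-sync@example.com is a
# hypothetical account: created by a compromised admin, made Global Administrator,
# then used to wipe six devices in a few minutes. The helpdesk wipe is benign noise.
SAMPLE_EVENTS_JSON = """[
 {"time": "2026-03-10T09:00:00Z", "actor": "alice@example.com", "activity": "Add member to role", "target": "helpdesk@example.com", "role": "Helpdesk Administrator"},
 {"time": "2026-03-10T10:00:00Z", "actor": "helpdesk@example.com", "activity": "wipeManagedDevice", "target": "LAPTOP-0417"},
 {"time": "2026-03-11T02:00:00Z", "actor": "alice@example.com", "activity": "Add user", "target": "svc-sync@example.com"},
 {"time": "2026-03-11T02:01:00Z", "actor": "alice@example.com", "activity": "Add member to role", "target": "svc-sync@example.com", "role": "Global Administrator"},
 {"time": "2026-03-11T02:05:00Z", "actor": "svc-sync@example.com", "activity": "wipeManagedDevice", "target": "LAPTOP-0001"},
 {"time": "2026-03-11T02:05:10Z", "actor": "svc-sync@example.com", "activity": "wipeManagedDevice", "target": "LAPTOP-0002"},
 {"time": "2026-03-11T02:05:20Z", "actor": "svc-sync@example.com", "activity": "wipeManagedDevice", "target": "LAPTOP-0003"},
 {"time": "2026-03-11T02:06:00Z", "actor": "svc-sync@example.com", "activity": "wipeManagedDevice", "target": "PHONE-0104"},
 {"time": "2026-03-11T02:07:00Z", "actor": "svc-sync@example.com", "activity": "wipeManagedDevice", "target": "PHONE-0105"},
 {"time": "2026-03-11T02:08:00Z", "actor": "svc-sync@example.com", "activity": "wipeManagedDevice", "target": "LAPTOP-0006"}
]"""


def parse_events(raw_json):
    """Load events, attach a timezone-aware datetime, and return them oldest first."""
    events = json.loads(raw_json)
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def privileged_role_grants(events, new_account_window=timedelta(hours=24)):
    """Return grants of a privileged role; flag grantees created shortly before the grant."""
    created = {e["target"]: e["ts"] for e in events if e["activity"] == "Add user"}
    grants = []
    for e in events:
        if e["activity"] == "Add member to role" and e.get("role") in PRIVILEGED_ROLES:
            c = created.get(e["target"])
            grants.append({
                "grantee": e["target"], "role": e["role"], "granted_by": e["actor"],
                "time": e["time"],
                "new_account": c is not None and timedelta(0) <= e["ts"] - c <= new_account_window,
            })
    return grants


def wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map actor -> largest number of wipe actions inside any sliding window of `window`,
    keeping only actors at or above `threshold`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["activity"] in WIPE_ACTIVITIES:
            per_actor[e["actor"]].append(e["ts"])
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        j, best = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[actor] = best
    return bursts


def triage(raw_json):
    """Combine both signals; a new privileged grantee that also wipes in bulk is HIGH."""
    events = parse_events(raw_json)
    grants = privileged_role_grants(events)
    bursts = wipe_bursts(events)
    findings, grantees = [], set()
    for g in grants:
        grantees.add(g["grantee"])
        severity = "HIGH" if g["grantee"] in bursts else "MEDIUM"
        findings.append({"severity": severity, "kind": "privileged_role_grant", **g,
                         "wipes_in_window": bursts.get(g["grantee"], 0)})
    for actor, n in bursts.items():
        if actor not in grantees:
            findings.append({"severity": "MEDIUM", "kind": "wipe_burst",
                             "actor": actor, "wipes_in_window": n})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS_JSON):
        print(json.dumps(finding))
```

On the sample data the helpdesk account’s single wipe stays below the threshold and is not reported, while the hypothetical svc-sync account is reported once, at HIGH severity, because it was created a minute before being made Global Administrator and then issued six wipes inside ten minutes. In a real tenant, the two signals should feed separate alerts as well: the role grant alone is worth a page, because multi-admin approval is only a control if someone reviews who can approve.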
According to the Palo Alto Networks Unit 42 team, there has been an increase in cyberattacks related to the war with Iran, including data wiping attacks and data theft. While the attack on Stryker involved misuse of Intune to wipe data, Iran-linked threat groups commonly use wiper malware in their offensive cyber operations. The Unit 42 team has observed Iran-nexus hacking groups and hacktivist groups increasing wiper attacks and spear phishing attacks. In addition to hardening Intune security, organizations should ensure that they patch promptly, have robust data backup systems in place, and have a tested disaster recovery and business continuity plan for data wiping attacks.
Free Webinar Today: HIPAA Email Security 101: PHI, Encryption, and What’s Required

According to the Paubox 2026 Healthcare Email Security Report, in 2025, 170 email-related data breaches were reported to the HHS’ Office for Civil Rights (OCR). While healthcare organizations are getting better at preventing email-related data breaches, an analysis of email security configurations found that in 2025, 41% of healthcare organizations fell into the high-risk category, an increase from the previous year.
On top of those large healthcare data breaches are the thousands of smaller breaches that affect fewer than 500 individuals, a large percentage of which are due to poor email security configurations and errors by healthcare employees. Each email incident erodes trust, can be costly to resolve, and potentially puts the organization at risk of a HIPAA penalty, yet email compliance failures are easily avoided.
On March 31, 2026, the leading healthcare email security company, Paubox, is hosting a webinar to explain HIPAA email security 101. The webinar consists of a practical session covering the fundamentals of HIPAA-compliant email, what constitutes PHI and how to identify the indicators of PHI, as well as the key email security requirements that HIPAA-regulated entities must have in place to ensure that sensitive information is protected and patient privacy is assured. Attendees will also learn about the common compliance errors made by organizations and healthcare employees when communicating via email, and how to avoid them.
Webinar attendees will learn about:
Reserve your spot today to learn how HIPAA applies to email and the requirements for HIPAA-compliant email communications.
Why Attend?
- Attendees will learn the fundamentals of HIPAA-compliant email communications, what constitutes PHI, and the common compliance mistakes made by healthcare organizations and how to avoid them. This webinar is eligible for 1 self-reported CPE. Attendees will receive a certificate of attendance that may be used as supporting documentation when submitting credits to applicable certifying bodies.
WEBINAR DETAILS
HIPAA Email Security 101: PHI, Encryption, and What’s Required
Date: Tuesday, March 31, 2026
Time: 18:00 GMT | 13:00 ET | 12:00 CT | 11:00 MT | 10:00 PT
Format: Live webinar (Zoom)
Speaker: Dawn Halpin, Demand Generation Manager, Paubox

Dawn Halpin, a Marquette University and University of Wisconsin-Milwaukee graduate, is the Demand Generation Manager at the email security firm Paubox. Paubox is a leader in HIPAA-compliant email security for the healthcare industry and is trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health.
Trinity Health & UPMC Notify Patients About Potential Unauthorized Data Access via HIE
Trinity Health and the University of Pittsburgh Medical Center are notifying patients about potential unauthorized access to patient data by third parties via a Health Information Exchange (HIE).
Trinity Health, a not-for-profit Michigan-based Catholic health system that operates more than 92 hospitals in 22 states, has informed state attorneys general that some of its patients may have had their protected health information accessed without authorization. Trinity Health participates in automated electronic data exchanges with Health Information Exchanges (HIEs), which ensure that patient data can be easily accessed by other healthcare providers for treatment purposes, regardless of where the provider is located.
On January 13, 2026, Trinity Health was informed by its HIE partner that there had potentially been unauthorized access to the protected health information of certain Trinity Health patients. The incident involves an HIE member called Health Gorilla, which provides an interoperability platform and manages data access requests for client companies. Health Gorilla grants access to its network to companies that require patient data for treatment purposes. The HIE partner told Trinity Health that Health Gorilla had represented that the health information was required for treatment purposes; however, the HIE partner said it was unable to verify whether those representations were accurate, or whether the recipient companies had authorization for the information they obtained through the HIE.
Data potentially accessed without authorization included clinical care details, demographic information, insurance information, and potentially driver’s license numbers. Health Gorilla has suspended access to the HIE for the companies concerned. Trinity Health is providing the affected individuals with complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has not yet been disclosed.
University of Pittsburgh Medical Center (UPMC) patients have also been affected and are in the process of being notified about the potential unauthorized access. Data potentially accessed without a valid authorization included names, ages, diagnoses, and other information from patients’ medical histories. UPMC said it was informed about the potential unauthorized access by its electronic medical record vendor (Epic), and similarly, the unauthorized access occurred through an HIE via Health Gorilla. The incident has been reported to the HHS’ Office for Civil Rights, although it is not yet shown on the breach portal, so it is unclear how many patients have been affected.
Further healthcare providers are expected to issue similar notices in the coming days and weeks.
Legal Action Taken Over Alleged Unauthorized Access and Disclosures
Epic, OCHIN, and several healthcare providers have filed a lawsuit over the alleged impermissible disclosures, claiming that Health Gorilla and others enabled “sham” companies to access their platforms and obtain patient data from national HIEs. While not stated in the breach notices, the information accessed by the sham companies may have been disclosed to third parties, such as law firms. One of the named defendants has admitted to making fraudulent claims that data was required for treatment purposes when the data was in fact disclosed to law firms; the lawsuit is proceeding against the other named defendants. Health Gorilla, a Qualified Health Information Network (QHIN), denies any wrongdoing.
