View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

HHS/OCR RIN: 0945-AA22 Publication ID: Fall 2023 
Title: ●Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information 

This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.

Agency: Department of Health and Human Services(HHS)  Priority: Section 3(f)(1) Significant 
RIN Status: First time published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: Yes  Unfunded Mandates: Undetermined 
CFR Citation: 45 CFR 160    45 CFR 164   
Legal Authority: Health Insurance Portability and Accountability Act of 1996 (HIPAA), sec. 262 (42 U.S.C. 1320d-2)    Health Information Technology for Economic and Clinical Health (HITECH) Act, sec. 13401 (42 U.S.C. 17931)   
Legal Deadline:  None

Statement of Need:

In February 2003, the HIPAA Security Rule established standards for the security of electronic protected health information (ePHI) to be implemented by HIPAA covered entities and, by amendment of the HITECH Act, their business associates (collectively, "regulated entities"). Prior to the HIPAA Security Rule, standard security measures did not exist in the health care industry to address the security of ePHI while stored and exchanged between entities. Since 2003, the Department has received  recommendations from the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of HHS, and the public to update and strengthen security standards to protect ePHI, especially in light of newer threats not previously contemplated in 2003 such as ransomware. Additionally, the Department has reviewed media reports advocating the strengthening of protections provided by the HIPAA Security Rule as well as a report from a U.S. Senator advocating for modernizing HIPAA to increase protections of ePHI in the face of current cyber threats.

Summary of the Legal Basis:

The current HIPAA Security Rule has not been updated to address the recent dramatic increase in cyber-attacks on the health care sector that are undermining the security of individuals’ ePHI. Section 1173(d) of the Social Security Act requires the Secretary of HHS to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need to train persons who have access to health information, the value of audit trails in computerized record systems, and the needs and capabilities of small health care providers and rural health care providers. Since publication of the HIPAA Security Rule in 2003, there has been an evolution in technical capabilities of record systems used to maintain health information and costs of security measures that support updating the HIPAA Security Rule to help ensure that it can continue to provide a baseline of security standards to meet current and emerging security risks and threats to ePHI.


HHS considered whether these policy updates could be implemented through guidance. However, the Department determined that this would be insufficient to prevent and address cybersecurity threats and vulnerabilities facing the U.S. health care system. Revisions to the existing HIPAA Security Rule will help ensure the cybersecurity of individuals’ ePHI.

Anticipated Costs and Benefits:

To be determined.


To be determined.

Action Date FR Cite
NPRM  09/00/2024 
Regulatory Flexibility Analysis Required: Undetermined  Government Levels Affected: Undetermined 
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations  Federalism: Undetermined 
Included in the Regulatory Plan: Yes 
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: No 
Agency Contact:
Marissa Gordon-Nguyen
Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy
Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue SW,
Washington, DC 20201
Phone:800 368-1019
TDD Phone:800 537-7697