Brent Hoard, partner in the Privacy + Cyber practice group at Troutman Pepper Locke, states, "On one hand, the HISAA would provide for consistent standards and a more proactive approach to address cybersecurity and breach risk (i.e., set the baseline). This approach is consistent with the proposed HIPAA Security Rule update’s move away from ‘addressable’ implementation specifications to requirements. On the other hand, health care is a diverse ecosystem. A large hospital system will have different needs than a small medical practice or pharmacy. Minimum security standards could result in under- or over-protection depending on an entity’s size, risk profile, data footprint, and other factors. The HISAA would also layer material administrative burdens on an already heavily regulated industry. To that end, the OCR has recently started to focus enforcement efforts on the existing risk analysis requirement under the Security Rule. I think enforcement of existing requirements, together with targeted modernization of the rule, would be a less onerous alternative.”
This captures the central dilemma of healthcare cybersecurity regulation: how to impose consistent, enforceable security baselines without ignoring the very different realities of hospitals, clinics, pharmacies, and other providers. The proposed Health Infrastructure Security and Accountability Act (HISAA) aims to bring discipline, consistency, and stronger enforcement to the management of cyber risk in healthcare. Critics worry that a one-size-fits-all approach could backfire: the same baseline may be too lenient for large, complex systems and too burdensome for small practices.
Hoard also points to a practical alternative: lean harder on enforcement of existing HIPAA rules (especially the risk analysis requirement) while modernizing parts of the regulation. That approach might achieve many of the same goals without the full weight of sweeping new legislation.
The case for HISAA's baseline is that it narrows disparities across the ecosystem. In Hoard's framing, "setting the baseline" guards against weaker links, such as small practices, vendors, or rural facilities, undermining the resilience of the system as a whole.
Regulators have reasoned along similar lines. OCR's Risk Analysis Initiative treats proper risk analysis as the linchpin of effective cybersecurity; in OCR's words, a risk analysis is "the foundation for effective cybersecurity practices and the protection of ePHI." The implication is that without a standardized expectation of baseline competence, many entities will neglect or underinvest in core safeguards.
Hoard and HISAA's supporters agree on the benefit of moving from a reactive posture to a preventive one. This matches a broader trend: as threats grow more sophisticated and more numerous, many experts argue that responding only after an incident is no longer enough.
The Biden administration took note of this shift in 2024. Reuters reported that the administration proposed new cybersecurity rules to tighten health data protections, in part by requiring encryption and compliance checks. “Hospitals have been forced to operate manually … the healthcare information of more than 167 million people was affected in 2023,” said Anne Neuberger, US Deputy National Security Advisor for Cyber.
Hoard flags HISAA's “material administrative burdens” as a concern, but the counterargument is that the added enforcement capability is precisely the deterrent needed to push laggards to improve. HISAA would remove the caps on penalties and require executive accountability, making noncompliance considerably riskier.
Existing HIPAA enforcement is already pulling this lever: OCR's actions under its Risk Analysis Initiative show penalties for deficient risk analysis emerging as a major regulatory tool.
Hoard’s caution is sharpest in recognizing that large hospitals and small practices differ dramatically. That variance complicates a regime that imposes uniform standards.
Under HISAA, a small clinic could be subject to the same audit, verification, and stress-testing obligations as a large hospital system. That could misallocate scarce compliance resources, or even push smaller practices to merge or outsource simply to cope with the burden.
The converse problem is that a baseline set low enough for small practices can be inadequate for large systems facing more capable attackers and far larger digital footprints. For a large, high-risk organization, a mandated baseline can become a ceiling rather than a floor.
When regulation demands formality (audits, attestations, stress tests), organizations may focus on checking boxes rather than on improving their security posture. The danger is that compliance becomes symbolic rather than substantive. As Mitchell Parker, CISO at Temple Health, puts it: “You can say you make systems secure and compliant. Or you can have operational checks and balances to make sure they actually stay compliant.”
Regulation also tends to lag the threats it targets. If a baseline is written too rigidly, organizations may struggle to adopt new architectures or emerging safeguards. Security norms change quickly: cloud models, zero trust, AI-driven defenses, and evolving supply chain threats. A static baseline leaves little room for that flexibility, and a regulatory framework that does not build in this dynamism risks becoming outdated or ineffective.
In October 2024, OCR launched its Risk Analysis Initiative to improve regulated entities' compliance with the risk analysis requirement of the HIPAA Security Rule. The agency had found that many entities' risk analyses were incomplete, frequently lacking a thorough inventory of where ePHI resides or a comprehensive assessment of threats. Since the launch, OCR has announced multiple enforcement actions.
More broadly, OCR has stated that in any breach or complaint investigation it will look for evidence of a current, thorough risk analysis.
According to an article published by Feldesman, in its first six months, the initiative produced at least seven enforcement actions.
OCR’s posture sends a clear signal: risk analysis is no longer optional or perfunctory, but foundational and enforceable.
According to legal counsel Gayland Hethcoat, “In most of the Risk Analysis Initiative enforcement actions to date, the CE [covered entity] or BA [business associate] … failed to conduct a sufficient risk analysis (if at all).” And, “OCR’s position is that compliance with the risk analysis requirement is the linchpin to preventing these breaches.”
In a recent enforcement action involving a CPA firm, OCR Director Paula Stannard said: “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis … is a foundational step to mitigate or prevent cyberattacks and breaches.”
These statements expose the logic behind HISAA's baseline: without minimum expectations for risk analysis, many entities may never reach a threshold of adequacy.
Weighing the strengths and trade-offs of both the HISAA approach and a focus on modernization and enforcement, a hybrid model looks most promising. The outline below shows how these conflicting priorities could be balanced:
To address Hoard’s concern that a small clinic shouldn’t carry the same burden as a large hospital:
This differential approach respects the diversity of the sector while still raising expectations across the board.
To maximize impact:
To ensure the regime stays relevant:
This keeps the regime evolving with the threats rather than freezing it in time.
The proposal stems from an increase in healthcare ransomware attacks and data breaches.
OCR is HIPAA's primary enforcement body and would likely oversee HISAA compliance as well. It has recently stepped up audits and investigations focused on risk analysis and risk management, signaling stricter enforcement whatever HISAA's final status.
No. HISAA would complement and strengthen HIPAA rather than replace it, modernizing existing standards and closing the regulatory gaps that cybercriminals have exploited in recent years.