How proposed HISAA rules could change healthcare data protection
Lusanda Molefe May 07, 2025

In an era where healthcare data breaches have become alarmingly routine, costing the industry an average of $9.77 million per incident according to the IBM 2024 Cost of a Data Breach Report and, according to HHS, affecting over 258 million patients in 2024, existing regulatory frameworks appear insufficient. Despite HIPAA's long-standing role as the cornerstone of healthcare information protection, healthcare organizations continue to face relentless cyber threats of growing sophistication. HHS breach data shows that 80% of 2024 breaches stemmed from hacking and IT incidents, and the 2024 IBM report found that breaches involving a third party increased costs by $240,599 per incident, showing how vendor vulnerabilities now amplify financial risk. Policymakers are now considering more dramatic measures to address the systemic weaknesses exposed by breaches like Change Healthcare's 190 million-record compromise and Kaiser Permanente's 13.4 million-record exposure.
The Health Information Security and Accountability Act (HISAA) aims to improve how patient data is protected. Unlike adjustments to existing rules, HISAA represents a potential paradigm shift in healthcare security regulation, moving away from HIPAA's flexible approach toward a more prescriptive framework.
As cybersecurity expert Brent Hoard observes, "On one hand, the HISAA would provide for consistent standards and a more proactive approach to address cybersecurity and breach risk (i.e., set the baseline). This approach is consistent with the proposed HIPAA Security Rule update's move away from 'addressable' implementation specifications to requirements. On the other hand, health care is a diverse ecosystem. A large hospital system will have different needs than a small medical practice or pharmacy. Minimum security standards could result in under- or over-protection depending on an entity's size, risk profile, data footprint, and other factors."
This tension between standardization for security's sake and the diverse operational realities of healthcare organizations lies at the heart of the HISAA debate.
HIPAA's Security Rule
HIPAA's Security Rule, implemented nearly two decades ago, was designed to protect electronic protected health information (ePHI) while acknowledging the vast diversity of the healthcare ecosystem. Its foundational principle requires covered entities to implement "reasonable and appropriate" safeguards to protect patient data.
The Security Rule distinguishes between two types of implementation specifications: "Required" and "Addressable." Required specifications must be implemented as written, while Addressable specifications provide flexibility. Organizations must assess whether each is reasonable and appropriate based on their unique circumstances, including size, complexity, technical infrastructure, costs, and potential risks. If deemed inappropriate, organizations can implement an alternative measure that achieves the same objective or document why no action is necessary.
This flexible framework was intentionally designed to vary across the healthcare industry, from major hospital systems to small rural clinics. However, this same flexibility has sometimes led to inconsistent protection levels across the industry. What qualifies as "reasonable and appropriate" can be subjective, potentially creating security gaps.
As Hoard points out, "OCR has recently started to focus enforcement efforts on the existing risk analysis requirement under the Security Rule." His observation suggests that better enforcement of current regulations, rather than entirely new frameworks, might be a viable approach to improving healthcare data security.
HISAA as the new standard
HISAA represents a fundamental shift in regulatory compliance, aiming to replace HIPAA's flexible safeguards with mandatory, standardized rules intended to create a uniform security baseline across all healthcare organizations. At its core, HISAA seeks to remove ambiguity by specifically dictating what constitutes adequate protection rather than leaving these determinations to individual risk assessments.
According to Hoard, HISAA would introduce several significant changes to the current regulatory landscape:
"The proposed legislation would include more prescriptive technology requirements, annual independent audit and testing requirements, additional vendor oversight, and enhanced penalties that could even include criminal charges. The requirements would be costly, but likely manageable, for larger, more resource-rich organizations."
The shift represents a move from a risk-based approach, where organizations identify and address their specific vulnerabilities, to a compliance-based model, where meeting predefined standards becomes the primary focus. This new standard alters how healthcare organizations would approach data security planning, implementation, and governance.
Potential benefits of HISAA
According to the recently introduced legislation, HISAA would create significant benefits for healthcare data security through a more standardized and rigorous approach. The Senate Finance Committee's summary of the legislation shows an urgent need, noting that "According to the FBI, the health care sector is now the #1 target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners."
One of HISAA's most notable strengths is its establishment of a consistent baseline for cybersecurity practices across the healthcare ecosystem. As detailed in the bill, HHS would develop two sets of security regulations: minimum security requirements for all HIPAA covered entities and business associates, and enhanced requirements for organizations determined to be of "systemic importance" to national security. According to section 101 of the bill, these requirements would be developed in consultation with both the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence, bringing national security expertise directly into healthcare cybersecurity planning.
The proactive approach embedded in HISAA's framework represents a significant improvement over current practices. The legislation would require each covered entity and business associate to conduct annual cybersecurity risk assessments, including documented plans for rapid resolution of cyber incidents, stress tests to evaluate recovery capabilities, and written compliance statements from executive leadership. This systematic evaluation creates a regular rhythm of security assessment that many organizations currently lack.
Additionally, HISAA would mandate independent security audits, a powerful accountability mechanism. Each organization would be required to contract with an independent auditor to assess compliance with both minimum security requirements and HHS's Healthcare and Public Health Sector Cybersecurity Performance Goals. This third-party verification would help identify security gaps that might otherwise go unnoticed in self-assessments.
The bill also provides significant financial support for implementation, particularly for organizations that might struggle with the transition. It allocates $800 million to assist critical access hospitals and eligible high-need hospitals with adopting essential cybersecurity practices, and an additional $500 million to incentivize broader hospital adoption. This funding acknowledges the substantial investment required and helps ensure that financial constraints don't prevent critical security improvements.
Finally, HISAA would modernize the regulatory framework by requiring regular updates to security requirements, at least every two years. The provision recognizes the rapidly evolving nature of cyber threats and ensures that regulations don't become outdated as attack methodologies evolve.
These benefits could significantly strengthen healthcare's cybersecurity posture at a time when, according to the Senate Finance Committee, "health care has some of the weakest cybersecurity rules of any federally regulated industry."
Analyzing HISAA's downsides
Despite these potential benefits, HISAA's approach raises significant concerns about the burdens it would impose, particularly on smaller healthcare organizations. Brent Hoard's analysis stresses several substantial challenges that merit careful consideration.
First and foremost is the financial impact. "The requirements would be costly, but likely manageable, for larger, more resource-rich organizations," Hoard explains. "However, similar to the proposed revamp of HIPAA's Security Rule, the administrative, assessment/audit, and testing requirements could pose significant challenges, especially for smaller health care entities."
According to research published in the Journal of Biology, Agriculture and Healthcare, rural healthcare facilities face considerable cybersecurity challenges due to limited resources. This study of cybersecurity in rural healthcare settings found that approximately 50% of facilities struggle with outdated systems, while 25% face significant financial limitations that make implementing security measures extremely difficult. As the authors note, "The combination of outdated systems, financial limitations, and limited cybersecurity personnel creates significant vulnerabilities."
The administrative burden compounds these concerns. As Hoard notes, "The HISAA would also layer material administrative burdens on an already heavily regulated industry." For smaller healthcare organizations without dedicated security staff, these additional requirements could divert critical resources away from patient care. The research above also found that 25% of rural healthcare facilities lack adequate cybersecurity expertise, leaving them particularly vulnerable when facing complex regulatory requirements.
While HISAA does include significant funding provisions, questions remain about whether this funding will be sufficient to address the full scope of implementation challenges. The legislation acknowledges the need for financial support, which aligns with recommendations from researchers of the rural hospitals study above, who advocate for "targeted funding specifically designed to help rural and smaller healthcare facilities modernize outdated systems and implement appropriate cybersecurity measures."
However, it's worth noting that the financial burden extends beyond initial implementation costs to include ongoing compliance activities, staffing requirements, and technology maintenance. Additionally, funding provisions may not fully address the operational and administrative complexities that smaller organizations will face when implementing the prescriptive requirements.
The researchers further identified significant disparities in cybersecurity capabilities between large urban healthcare systems and rural providers. Their research revealed that rural healthcare facilities often face unique challenges that require tailored approaches rather than one-size-fits-all solutions. These facilities usually have fewer resources to dedicate to cybersecurity implementation and less access to specialized expertise.
Despite the funding provisions in HISAA, Hoard's overall assessment remains cautious: "As proposed, I think the burden outweighs the benefit." This suggests that while the financial support is valuable, the broader regulatory approach may still not adequately account for the diverse operational realities across healthcare's varied landscape. The question remains whether standardized requirements, even with financial support, can effectively address the security needs of organizations with vastly different capabilities, resources, and risk profiles.
FAQs
What is a covered entity?
A covered entity is an organization directly subject to HIPAA regulations. The three types are health plans (insurance companies, Medicare), healthcare clearinghouses (entities that standardize health information), and healthcare providers (doctors, hospitals, pharmacies) that transmit health information electronically.
What is a business associate?
A business associate is a person or entity that performs functions involving PHI on behalf of a covered entity.
What is a cybersecurity "stress test" under HISAA?
A cybersecurity "stress test" under HISAA would be an extensive simulation to evaluate an organization's ability to recover essential functions following a cyber incident. Organizations would need to conduct these tests annually to demonstrate they can continue providing essential care during and after a substantial interruption to their information systems, and that they can rebuild affected systems. HHS would provide at least two different sets of test conditions under which these evaluations must be conducted.