HIPAA Compliance Simplified: A Guide for Independent Healthcare Practices

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a proposal to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The primary goal of the proposed updates is to better protect patient data from cyber threats. To information security professionals, the proposal would bring the healthcare sector in line with the security expectations already placed on other high-risk industries such as banks, credit unions, and broker-dealers.

Why Now?

The last major update to HIPAA, the Omnibus Final Rule, took effect in 2013. Since then, healthcare has become increasingly reliant on digital technology for patient care. Electronic Health Records (EHRs) are now used alongside connected medical devices and Internet of Things (IoT) devices, many of which lack adequate security protections and cannot be patched or monitored like conventional IT equipment.

This shift has led to a dramatic increase in data breaches. The number of reported breaches affecting 500 or more records has more than doubled, rising from 329 in 2016 to 745 in 2023—the most recent year for which complete data is available.1

A December 2020 report from the Department of Health and Human Services found that only 6% of the healthcare entities reviewed were fully HIPAA compliant. In other words, 94% fell short of at least some of the required standards.

To the extent that non-compliant organizations fail to detect breaches, or detect them but do not report them as the Breach Notification Rule requires, the true number of breaches is likely higher than the reported figures.

Is HIPAA Compliance a Burden on Providers?

The short answer: Yes.

Healthcare professionals—including doctors, mental health providers, pharmacists, and dentists—did not enter their fields to become cybersecurity experts. Many cite the growing documentation burden and the need to comply with overlapping mandates as the greatest challenges in modern healthcare. However justified the security mandates may be, compliance remains an uphill battle.

HIPAA compliance is often viewed as a requirement for large hospitals and healthcare networks, but the rules apply to every covered entity and business associate regardless of size, so small providers must comply as well. Consider these statistics:

  • The average primary care physician manages 1,200–2,000 patients.
  • Specialists typically maintain a patient panel of 300–1,000 individuals.
  • Independent pharmacies serve approximately 300–500 patients weekly, on the order of 15,000–26,000 patient visits per year.
  • Small clinical laboratories process 50–150 patients daily, amounting to 12,000–40,000 patients per year.

Despite their size, these providers house large volumes of sensitive patient data. While they may feel they lack the financial or technical resources to comply, the right guidance and support can help them meet regulatory requirements without undue burden. With appropriate security controls and expert assistance, even smaller providers can achieve compliance more efficiently than they might expect.

Financial and Demographic Information Under HIPAA

HIPAA protects Protected Health Information (PHI): individually identifiable health information that relates to a person’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. Financial and demographic data are PHI when they are held by a covered entity or business associate and can be used to identify an individual in connection with their health records; the regulatory definition of individually identifiable health information explicitly includes demographic information.

Examples of Financial Information Protected by HIPAA:

  • Insurance Details: Policy numbers, coverage information.
  • Billing Information: Payment details linked to healthcare services.
  • Payment Records: Information on who paid for medical services.

Examples of Demographic Information Considered PHI (drawn from the 18 identifiers in the Safe Harbor de-identification standard, 45 CFR 164.514(b)):

  • Name
  • Geographic subdivisions smaller than a state: street address, city, county, ZIP code (the first three digits of a ZIP code may be retained only if the area covered by those three digits contains more than 20,000 people)
  • Dates, other than year, directly related to an individual (e.g., birthdate, admission, discharge, death), and any age over 89
  • Social Security Number
  • Contact information (phone numbers, fax numbers, email addresses, etc.)

The Impact of Data Breaches: Beyond IT Costs

A data breach is more than an IT issue—it can have devastating consequences for patients. When healthcare data is compromised, individuals may fall victim to identity theft, payment card fraud, fraudulent insurance claims, and financial loss.

Beyond financial harm, there is increasing evidence that identity theft leads to long-term psychological distress. Recent research highlights the emotional toll of identity fraud, emphasizing the need for stronger security measures in healthcare.

Final Thoughts

The proposed HIPAA Security Rule updates are a necessary step in addressing the growing cyber threats facing the healthcare industry. However, compliance remains a significant challenge, particularly for smaller providers. As technology continues to evolve, so must the safeguards that protect patient data. Striking a balance between security and the practical realities of healthcare delivery will be crucial moving forward.

At Magister Business Advisors we have answers for many of your HIPAA questions. Please reach out to us at 760-759-5900 or visit our website at https://www.magisterba.com. We can help regardless of your location.


Featured Image Credit – Photo by Bakytzhan Baurzhanov

  1. Source: Healthcare data breaches U.S. 2024, Statista.
