The HIPAA Security Rule is anticipated to be finalized by May 2026, followed by a compliance period. What implications does this have for healthcare organizations, and how can they get ready?
The Department of Health and Human Services (HHS) estimates the initial compliance cost at $9 billion, followed by $6 billion annually from years two to five. Non-compliant facilities face significant penalties, with fines ranging from $141 per violation to over $2.1 million for willful neglect, and annual caps of $2.19 million per violation. Criminal penalties for knowingly disclosing protected health information can be as high as $250,000 and result in up to ten years of imprisonment.
While there will almost certainly be a transition period, likely around 12–24 months, for full compliance, industry leaders say that given the scale of costs and penalties, organizations should not wait to take measures to adhere to the security rules.
Healthcare Innovation spoke with Marci Rozen, senior legal director at the DC-based law firm ZwillGen, and Kumar Sokka, CEO of Acre Security, a provider of integrated physical and digital security solutions headquartered in Austin, to learn more.
Could you talk about the update to the HIPAA Security Rule?
Kumar Sokka: There are some significant changes. One is mainly around the fact that it's now mandatory versus addressable. What happens in May is that, essentially, to comply, you have to have systems with access control and be able to protect certain data center or server locations. You also need visitor management.
Marci Rozen: I want to start out by noting that these are the first security rule changes that have happened since 2013. There have been huge advances in tech and changes in the security threat landscape since then. These high-level changes are intended to address those changes. Some would say they are long overdue. Everything is going to be required now.
It has certainly been a best practice for a long time to encrypt protected health information (PHI). One change that I think perhaps will be the most significant one for business associates in particular is network segmentation. One new requirement is a comprehensive risk analysis.
What does this mean for health organizations?
Kumar Sokka: A lot of hospitals have some level of physical security. One of the challenges to really understand is how to meet those standards. We educate healthcare systems on the meaning of meeting the standard that's now moving from addressable to mandatory: How do you fill the gaps to be mandatory and compliant? You don't know where you sit today in the compliance tree. And I think that's always a challenge.
The second piece that we're hearing is just the cost to implement. A lot of people are challenged by the fact that they think it could be expensive to make these changes. I think what we're seeing is that a lot of these systems are siloed and disparate. You could have a system or a solution that's very separate in terms of the brand and integration that they're doing for access control, versus what they're doing for intrusion, versus what they're doing for visitor management.
Could you talk about the disconnect between physical and digital controls, and why this is a risk?
Kumar Sokka: When thinking of workplace security, there are workplace safety issues that we're all very well aware of. The other aspect of this is cyber and physical, and that's also equally important. Think about breaches: people walking in and taking over your hospital…if someone who's a bad actor can bring in a laptop and hook up to one of the servers, they can shut down a system. There was a ransomware attack at a London hospital that shut down some blood work areas. Those cyber risks are now physical risks if you don't have the right protection in place, because a random person or bad actor can just walk in and have access to certain areas. It's just integrations across the board to protect against bad actors.
If you just look at the workplace side of things, nurses, physicians, and support staff at a hospital or healthcare system are five times more likely to experience workplace violence than any other industry. You've got to have these safeguards.
Where do you think hospitals are right now in terms of compliance?
Kumar Sokka: It’s a mixed bag. There are hospitals that are on the cutting edge. There are some hospitals and ecosystems that have taken it to the full extreme, where they're really doing a great job. There are also some that are not there yet. What's really fundamental is just making sure that we do these assessments with all of them to see where they are today and how they can comply with the rule.
Marci Rozen: I think actual healthcare organizations…are on the whole prepared. Maybe some smaller organizations store data like HR data alongside PHI; those organizations would have to make changes. That's relatively straightforward. Right now, a lot of business associates just store the data all in one layer, commingled. They don't have a separate healthcare environment, and those are the ones that will need a significant engineering fix. If all of the data is commingled in the same platform, you would have to build a new separate infrastructure, a new server, a new environment, and duplicate your existing environment, or a PHI-specific environment.
For noncompliant systems, what would enforcement look like?
Marci Rozen: The HHS Office of Civil Rights (OCR) is the office responsible for enforcing the HIPAA Privacy and Security Rule. They have focused most enforcement actions, or almost all of them, on data breaches. I anticipate that it's going to be mostly reactive in the case of a breach. They'll be doing an action, not just for the breach, but failures in the security compliance that might have led to that breach.
What can health organizations do now to prepare?
Kumar Sokka: It's doing those assessments and understanding where you are today, and what the steps are to get compliant. How do you budget for this? Think about technology solutions that can break the silos and unify technology.
Marci Rozen: I think it's a great idea for all companies, whether entities or business associates, to audit their compliance. Have a check-in with your security team to make sure that they know that this is happening.