Preparing for the HIPAA security rule updates

Changes are expected to be finalized by May 2026.

What should healthcare organizations be doing to prepare for the upcoming HIPAA security rule updates?

Our sister publication, Healthcare Innovation, recently sat down with ZwillGen’s Marci Rozen, and Acre Security’s Kumar Sokka to break down the updates, what they mean for the healthcare industry, and how to best prepare for them.

Read a snippet of Healthcare Innovation’s exclusive interview below.

HIPAA Security Rule Updates: What Healthcare Administrators Need to Know

The HIPAA Security Rule is anticipated to be finalized by May 2026, followed by a compliance period. What implications does this have for healthcare organizations, and how can they get ready?

The Department of Health and Human Services (HHS) estimates the initial compliance cost at $9 billion, followed by $6 billion annually from years two to five. Non-compliant facilities face significant penalties, with fines ranging from $141 per violation to over $2.1 million for willful neglect, and annual caps of $2.19 million per violation. Criminal penalties for knowingly disclosing protected health information can be as high as $250,000 and result in up to ten years of imprisonment.

While there will almost certainly be a transition period, likely around 12–24 months, for full compliance, industry leaders say that given the scale of costs and penalties, organizations should not wait to take measures to adhere to the security rules.

Healthcare Innovation spoke with Marci Rozen, senior legal director at the DC-based law firm, ZwillGen, and Kumar Sokka, CEO of Acre Security, a provider of integrated physical and digital security solutions, headquartered in Austin, to learn more.

Could you talk about the update to the HIPAA Security Rule?

Kumar Sokka: There are some significant changes. One is mainly around the fact that it's now mandatory versus addressable. What happens in May is that, essentially, to comply, you have to have systems with access control and be able to protect certain data center or server locations. You also need visitor management.

Marci Rozen: I want to start out by noting that these are the first security rule changes that have happened since 2013. There have been huge advances in tech and changes in the security threat landscape since then. These high-level changes are intended to address those changes. Some would say they are long overdue. Everything is going to be required now.

It has certainly been a best practice for a long time to encrypt protected health information (PHI). One change that I think perhaps will be the most significant one for business associates in particular is network segmentation. One new requirement is a comprehensive risk analysis.

What does this mean for health organizations?

Kumar Sokka: A lot of hospitals have some level of physical security. One of the challenges to really understand is how to meet those standards. We educate healthcare systems on the meaning of meeting the standard that's now moving from addressable to mandatory: How do you fill the gaps to be mandatory and compliant? You don't know where you sit today in the compliance tree. And I think that's always a challenge.

The second piece that we're hearing is just the cost to implement. A lot of people are challenged by the fact that they think it could be expensive to make these changes. I think what we're seeing is that a lot of these systems are siloed and disparate. You could have a system or a solution that's very separate in terms of the brand and integration that they're doing for access control, versus what they're doing for intrusion, versus what they're doing for visitor management.

Visit Healthcare Innovation for the full Q&A.

About the Author

Pietje Kobus-McAllister has an international background and experience in content management and editing. She studied journalism in the Netherlands and Communications and Creative Nonfiction in the U.S. Pietje joined Medical Laboratory Observer's sister publication, Healthcare Innovation, in January 2024.
