
OCR begins reviewing proposed HIPAA Security Rule comments
Reading the thousands of comments on the proposed HIPAA Security Rule updates and reviving the HIPAA audit program are some of OCR's current priorities.
Since the public comment period closed on Mar. 7, 2025, the HHS Office for Civil Rights has been reviewing the thousands of comments posted on the Federal Register in response to its proposed HIPAA Security Rule updates. Timothy Noonan, deputy director of health information privacy at OCR, shared updates about the process at a session during the Virtual 42nd National HIPAA Summit.
"At this point we've received about 4,745 comments through regulations.gov," Noonan said.
"And so, what is OCR doing at the moment? Well, we are reviewing all the comments. OCR reads every single comment. So, if you've submitted comments, thank you for your comment, and it will be read."
As previously reported, a notice of proposed rulemaking (NPRM) regarding updates to the HIPAA Security Rule was published in the Federal Register on Jan. 6, 2025. Among the numerous proposed updates, the NPRM suggested removing the distinction between "required" and "addressable" implementation specifications and requiring written documentation of all policies and procedures in the HIPAA Security Rule.
What's more, the NPRM contained updated definitions to reflect technological developments, as well as specific compliance timelines.
The nearly 400-page NPRM has been met with criticism by some stakeholders who say that the cost of implementation is too steep. There has also been uncertainty around whether the NPRM would continue through the rulemaking process at all, given that it was introduced during the previous administration.
In February, eight industry associations, including the College of Healthcare Information Management Executives, the Medical Group Management Association and the American Health Care Association, cosigned a letter to President Donald Trump and HHS urging the administration to rescind the proposed updates, citing unreasonable timelines and cost expectations.
Noonan did not address specific comments but made it clear that OCR will continue to work through the thousands of comments it received and act accordingly.
"We organize the comments by category and try to get a sense of what the public response is to all the proposals," Noonan said. "We will categorize everything, try to understand it and then work within HHS, as with any rulemaking, on what future actions to take."
Aside from pending HIPAA Security Rule updates, Noonan also shed light on the reemergence of OCR's HIPAA audit program, which has not been active since the 2016-2017 audit cycle. Noonan said that OCR has contacted 50 covered entities and business associates to participate in the 2024-2025 audits. Noonan described the audits as a unique opportunity for OCR to assess compliance and address vulnerabilities before the covered entity finds itself the subject of an investigation.
"We're reviewing the auditees' compliance with selected provisions of the HIPAA Security Rule, most relevant to hacking and ransomware attacks," Noonan explained. "These audits will give us an opportunity to examine their mechanisms for compliance and discover risks and vulnerabilities that may not have been revealed by enforcement activities. It will benefit the auditees by giving them OCR's assessment of their Security Rule compliance and how to improve their cybersecurity."
Noonan said that OCR plans to publish an industry report that will summarize the findings of this round of audits.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.