
HIPAA rule changes are coming, but can they stand up against AI?

Changes include requiring multi-factor authentication and encryption.

Signing in to your Facebook or your email? Even a MyChart account? You’re likely not simply typing in just a username and password anymore. You’re probably also getting a text or email to confirm it’s really you.

This process is pretty standard nowadays, as multi-factor authentication (MFA) has become a baseline cybersecurity protection. But surprise, surprise, the federal government—specifically the Health Insurance Portability and Accountability Act (HIPAA)—is only just catching up.

The HIPAA Security Rule, established in 2005, is expected to be updated any day now to require MFA, encryption, continuous monitoring of systems for “anomalous activity,” and regular testing following all the cyberattacks of 2015.

In an industry with access to sensitive patient information that’s often targeted by hackers (an estimated 700 breaches affecting at least 500 people get reported each year, according to the HIPAA Journal), experts told Healthcare Brew they’re happy HIPAA is finally catching on but say it still has a long way to go to meet modern security standards, especially in the AI age.

“They’re good changes because they’ll protect data,” Robert Andrews, CEO of employer collective Health Transformation Alliance, told us. But he worries the federal government isn’t addressing the “frightening power of AI to pierce what we think are safe systems.”

HIPAA-story. Until about 2009, HIPAA only applied to “covered entities” like hospitals and health plans. These days, there are HIPAA business associate agreements (BAAs), which are contracts between covered entities and businesses they work with. These apply to third-party companies that can also access sensitive patient information. (Think AI scribes or revenue cycle management tools.)

“The proposed HIPAA updates are basically trying to modernize the cybersecurity footprint for AI and ransomware and helping health systems mitigate that risk,” Akash Magoon, CEO and co-founder of BAA and revenue platform company Adonis, told us.

But some big hospital systems, like California-based Kaiser Permanente and Cleveland Clinic, have already implemented technology governance programs, which are systems meant to protect hospitals against AI harm. Magoon said “the government’s catching up” to those hospitals by looking at “what the best of the best is doing and mandating that across the rest of the environment.” At the same time, other research has shown that hospital cybersecurity is not as robust as some systems believe and that AI is moving faster than regulations.


Clearing things up. So, if some hospitals are already taking these extra security steps, why does HIPAA need to mandate it?

HIPAA’s update should make things more clear and set a standard for more careful practices, Magoon said. These regulations are “adding a lot of the things that everyone assumes people are already doing, but maybe that’s not super well written into the regulation,” he added.

Plus, he still wants clarity for companies like his, which have BAAs. He noted it’d be helpful to have “a little bit more governance around what vendors can do. And there should be a consistent framework around how that’s audited and explained by the new regulation.”

Andrews added he’s concerned about the rise of AI in healthcare and said the threats the tech presents may outpace regulations needed to protect patient data.

“Most of our company organizations require [updated HIPAA rules] anyway. So the fact that they’re now required rather than suggested is welcome, but isn’t going to make that much of a difference,” he said.

Meanwhile, the Trump administration has seemed hesitant to regulate AI, and in fact may try to loosen security protocols for AI tools used in healthcare, KFF reported, which could make it even more difficult to update protections.

“Rather than enshrine a particular privacy standard at whatever level we’re at right now, the standard should automatically increase as the technology gets stronger,” Andrews said. “I’d ultimately look for a HIPAA regime that requires real-time, constant updating.”

About the author

Cassie McGrath

Cassie McGrath is a reporter at Healthcare Brew, where she focuses on the inner-workings and business of hospitals, unions, policy, and how AI is impacting the industry.
