
More than a year after HHS issued the proposed HIPAA Security Rule update, the message still matters. Healthcare data exchange is entering a new phase.
For years, leaders measured interoperability by access and movement. Could systems connect and share information electronically? Did patients, providers, and authorized requestors get the records they needed?
That standard no longer goes far enough.
As health information moves across providers, vendors, portals, APIs, legal request workflows, imaging tools, and release of information systems, healthcare organizations need more than secure transmission. They need accountability.
The proposal continues to signal a higher expectation. Healthcare organizations need to show how ePHI moved, why it moved, who touched it, what safeguards applied, and how leaders can review the exchange.
In my view, this is the next maturity curve for healthcare interoperability. The industry spent years making data more available. Now leaders must prove that availability can support trust at scale.
In practical terms, the proposed HIPAA Security Rule points toward stronger evidence around ePHI movement. Data exchange workflows should show where information went. They should also show who accessed it, what safeguards applied, which vendors were involved, and how the organization can respond with reliable facts.

HHS issued the proposed HIPAA Security Rule update on December 27, 2024. The Federal Register published the proposed rule on January 6, 2025.
As of May 29, 2026, HHS has not finalized the proposed Security Rule update. The current HIPAA Security Rule remains in effect while rulemaking continues.
That distinction matters. Healthcare organizations should treat the NPRM as a regulatory direction signal, not final law.
The timeline should not give leaders a reason to ignore the proposal. Major HIPAA rulemakings do not follow one fixed schedule. Some move faster. Others take much longer.
HHS’s Security Rule history shows the original timeline. HHS proposed the Security and Electronic Signature Standards on August 12, 1998. HHS issued the final Security Standards rule on February 20, 2003. That gap was roughly four and a half years.
HHS also lists the HITECH-related proposed rule on July 14, 2010. The Omnibus HIPAA Final Rule followed on January 25, 2013. That gap was about two and a half years.
More recent HIPAA Privacy Rule changes moved faster. HHS proposed the reproductive health privacy rule on April 17, 2023. HHS issued the final rule on April 26, 2024.
The practical point is not to predict the NPRM timeline. Leaders should use the proposal as a clear signal. Cybersecurity, documentation, and audit readiness expectations are moving toward stronger proof requirements.
Rulemaking is not the only signal. OCR enforcement is moving in the same direction.
In April 2026, OCR announced four ransomware settlements affecting more than 427,000 individuals. OCR also noted 19 completed ransomware breach investigations and 13 completed investigations under its Risk Analysis Initiative.
The message is consistent. Organizations should not wait for a final rule to improve risk analysis, documentation, incident response, and evidence around ePHI protection.
The larger shift is toward evidence maturity. Leaders need timely, workflow-level documentation that shows who controlled ePHI movement, how teams monitored it, which protections applied, and what accountability exists when scrutiny arrives.
Data exchange workflows sit directly in that risk zone. Release of information systems, referral platforms, imaging tools, portals, APIs, secure delivery channels, and vendor-managed workflows need visibility. They also need controls, logs, and reviewable evidence.
Without that evidence, the organization may have policy language but not operational proof.
The proposed HIPAA Security Rule should be read as part of a broader market signal. Healthcare data exchange is moving from connection-first interoperability to accountable interoperability.
The first phase of digital exchange focused heavily on access and movement. Organizations needed to determine whether information could move electronically. They also needed to know whether systems could connect. Patients, providers, and authorized requestors still needed the right records.
Those questions still matter. The next phase adds a harder requirement. Can the organization show that exchange was appropriate, secure, and governed?
HHS says the NPRM proposes to strengthen the Security Rule through more specific expectations. Examples include technology asset inventories, network maps, risk analysis, annual compliance audits, business associate safeguard verification, encryption, and multifactor authentication. HHS frames encryption and multifactor authentication as requirements with limited exceptions.
The proposal also points toward resilience. HHS says the NPRM would strengthen contingency planning and security incident response. The proposal includes written restoration procedures, criticality analysis, and written security incident response plans. It also references restoration of certain electronic information systems and data within 72 hours.
The direction is bigger than a longer compliance checklist. It points toward accountability that leaders can see inside the workflow.
Leaders need to know where ePHI enters, moves, resides, and leaves. Controls should limit access by role and workflow need. Documentation should show what happened. Business associate oversight should make vendor accountability visible. Response plans should be ready during an incident, audit, complaint, or partner review.
Weak audit readiness costs more than a regulatory penalty. In healthcare data exchange, the larger risk is losing control of the story when something goes wrong.
When a breach, complaint, subpoena dispute, vendor incident, patient access issue, or internal review occurs, leaders need more than a policy. They need a defensible record.
That record should show where ePHI moved, who accessed it, what the organization disclosed, which systems and vendors supported the workflow, and how the organization responded.
Evidence gaps create operational consequences. Incident response slows because teams must manually reconstruct activity. Legal and compliance teams lose confidence in breach scope. IT teams spend more time pulling logs from disconnected systems.
HIM teams face more status pressure, rework, and escalation. Executives have fewer reliable facts when patients, regulators, partners, or board members ask what happened.
HHS reports that the number of large breach reports increased 102% from 2018 to 2023. The agency also reports that the number of affected individuals increased 1002% during that period. HHS ties the increase mainly to hacking and ransomware.
That framing matters. The risk is not only that a regulator may identify a gap later. Weak controls can disrupt care. They can also weaken confidence and leave leaders without the visibility needed to respond quickly.
Patients, providers, requestors, attorneys, payors, and partners depend on accurate and secure health information movement. When an organization cannot explain what happened, trust erodes. That can happen even when the original process was well-intentioned.

The future of healthcare data exchange depends on a difficult balance. Information must move more easily. Evidence around that movement must get stronger too.
The proposed HIPAA Security Rule is not an interoperability rule. Even so, it lands in a market where interoperability expectations keep expanding. Security and data exchange now belong in the same operational conversation.
The current HIPAA Security Rule requires safeguards for ePHI. The proposed HIPAA Security Rule would make certain expectations more specific if finalized.
At the same time, the 21st Century Cures Act information blocking framework pushes healthcare actors away from unnecessary barriers to electronic health information access, exchange, and use.
TEFCA points in the same operational direction. It establishes a nationwide framework for health information sharing and secure exchange across networks.
These frameworks do not use identical definitions or obligations. Together, they point toward the same operational reality. Health information needs to move more reliably, while organizations maintain stronger accountability for that movement.
Sensitive record rules point in the same direction. HHS’s 2024 Part 2 final rule aligned certain substance use disorder record confidentiality provisions more closely with HIPAA and HITECH. It also preserved additional protections for Part 2 records.
That reinforces the future-state challenge for healthcare data exchange. Information must move more reliably. Organizations still need to understand when specific data types carry additional consent, redisclosure, notice, or breach response obligations.
The next phase requires a better balance between access and control. Health information should move when access is appropriate. Traceability should show why it moved, who touched it, what safeguards applied, and whether leaders can reconstruct the exchange without manual guesswork.
Stronger security should not mean slower access by default. The goal is appropriate exchange that moves faster because the workflow is controlled, documented, and easier to trust.
Connectivity alone does not set the next standard. Trusted movement does. Data should travel efficiently without losing the accountability needed to support patients, partners, and regulators.
Evidence maturity means the organization can produce reliable facts from the workflow itself. Teams should not have to rebuild the story after the fact.
In health information management, the audit trail should follow the full record lifecycle. It should show who submitted the request and what authority supported it. It should also show identity checks, requestor legitimacy, records requested, records included, records excluded, user activity, delivery steps, vendor systems, and exception resolution.
Many healthcare organizations have policies, vendors, and system logs. They still may lack a connected evidence trail.
Leaders need to connect the request, user activity, disclosure decision, delivery event, and vendor pathway into one defensible record. Without that connection, audit readiness remains immature.
Many systems log activity. The problem starts when audit response depends on fragments.
Evidence may sit across platforms. It may lack a clear connection to the request record. It may be hard to export. Teams may review it only after a complaint.
A patient disclosure question can create the same pressure. If a patient says records went to the wrong recipient, the organization needs a clear answer. Leaders need to know which request initiated the disclosure, how the requestor was verified, what delivery method applied, who approved the release, and whether the audit trail supports the response.
Without connected evidence, even a routine question can become an extended investigation.
The proposed HIPAA Security Rule makes the gap more visible. It points toward stronger documentation and more specific evidence expectations. Information blocking rules and TEFCA make the gap more consequential because exchange keeps becoming broader, faster, and more networked.
In that environment, evidence maturity becomes more than a compliance advantage. It becomes a market advantage.
Organizations with cleaner evidence can respond faster. They can govern vendors more effectively, strengthen partner trust, and reduce uncertainty when questions arise.
Evidence maturity should also become part of leadership reporting. Executives do not need every access log. They should see whether high-volume exchange workflows have current risk analysis coverage. They should know whether vendor evidence is complete, access reviews occur, exceptions trend down, and incidents can be scoped without manual reconstruction.
That is how audit readiness becomes an operating discipline instead of a one-time compliance project.
AI will not change the core security question in health information management. It will make the question more urgent.
If an AI-enabled tool classifies a request, summarizes a record, detects an exception, or prioritizes a queue, leaders still need clear answers. What data did the tool access? Which action did it influence? Who reviewed it? Which vendor obligations apply? What audit trail remains?
AI will make weak evidence practices harder to hide. More workflow decisions will receive system assistance, acceleration, or influence. Leaders must be able to explain those workflows.
Federal policy already points toward more transparency and governance around AI in health technology. ONC’s HTI-1 final rule established transparency requirements for artificial intelligence and other predictive algorithms in certified health IT.
HTI-1 does not govern every AI tool used in healthcare. It still reflects a broader policy direction toward transparency, explainability, and governance for technology that influences health information workflows.
For HIM and data exchange workflows, the practical issue is whether leaders can govern AI-enabled workflows. Where AI tools touch ePHI or influence workflow decisions, leaders should expect access limits, vendor oversight, human review, documentation, and audit trails.
The organizations that benefit most from AI will not be the fastest adopters. They will be the ones with the clearest governance.
Audit-ready data exchange requires structured evidence. Leaders should be able to show how the organization protected ePHI before, during, and after exchange.
This requires more than a policy binder or annual risk assessment. It depends on operational visibility from the systems and workflows where records move.
For data exchange leaders, HIPAA Security Rule audit readiness should answer a direct question. Can the organization produce a clear, request-specific record of access, disclosure, delivery, exceptions, and review?
HHS explains that the current HIPAA Security Rule establishes national standards for certain health information in electronic form. The Security Rule sets administrative, physical, and technical safeguard expectations for regulated entities that handle ePHI.
The current Security Rule’s administrative safeguards include procedures to regularly review records of information system activity. Examples include audit logs, access reports, and security incident tracking reports.
HIPAA audit log requirements matter most when logs connect activity to context. Strong logs connect access, views, exports, transmissions, configuration changes, and exceptions to the relevant user, timestamp, system, record, or request.
In release of information and medical records exchange, audit readiness should answer a practical question. Can the organization show where ePHI entered the workflow, who accessed it, what controls applied, what logs support the activity, how delivery occurred, and how teams reviewed abnormal activity or exceptions?
This same evidence model applies across HIPAA compliance and medical records exchange. Each request needs a clear purpose, defined scope, identity checks, secure delivery, and an audit trail that can show what happened later.
The goal is not to collect logs for their own sake. The goal is a clear, reviewable timeline of access and disclosure activity. That timeline supports compliance, security investigations, continuity planning, and faster executive decision-making.
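The evidence model just described, and the patient disclosure question raised earlier (which request initiated a disclosure, how the requestor was verified, who approved the release, and where delivery went), can be shown concretely. The following is an added example, not code from the article or from any vendor product. It pulls audit events from two constructed, disconnected logs (a release of information application and a delivery gateway), ties every event to a request id, orders them into one request-specific timeline, and reports the gaps a reviewer would want flagged: a missing identity check, a step out of order, a delivery that no verified requestor explains, and an export with no request context at all. The action names, field names, request ids and timestamps are assumptions made up for the example.

```python
"""Correlate fragmented audit events into one request-specific evidence record.

Added example, not code from the article or from any vendor product. It builds
the connected evidence trail the text describes: every event from every
system is tied to a request id, sorted into a timeline, and checked for gaps.
"""
from datetime import datetime

# The action vocabulary and field names below are assumptions for this example.
REQUIRED_SEQUENCE = [
    "request_received",   # intake logged the request and its stated authority
    "identity_verified",  # requestor identity and legitimacy were checked
    "release_approved",   # a named person approved the disclosure decision
    "records_exported",   # the specific records left the system of record
    "delivered",          # the delivery channel confirmed hand-off
]
ACCESS_ACTIONS = {"records_exported", "record_viewed"}


def ev(ts, system, request_id, actor, action, **detail):
    """Build one normalized audit event from any source system."""
    return {"ts": datetime.fromisoformat(ts), "system": system,
            "request_id": request_id, "actor": actor, "action": action,
            "detail": detail}


# Constructed sample logs from two disconnected systems (an ROI application and
# a delivery gateway). Names, ids and timestamps are made up for the example.
ROI_SYSTEM_LOG = [
    ev("2026-03-02T09:01:00", "roi", "REQ-1001", "intake.clerk", "request_received", requestor="Law Office A"),
    ev("2026-03-02T09:15:00", "roi", "REQ-1001", "intake.clerk", "identity_verified", requestor="Law Office A"),
    ev("2026-03-02T10:02:00", "roi", "REQ-1001", "him.specialist", "release_approved"),
    ev("2026-03-02T10:05:00", "roi", "REQ-1001", "him.specialist", "records_exported", records=["MRN-55 visit 2025-11"]),
    # REQ-1002: nobody logged an identity check before release.
    ev("2026-03-03T08:00:00", "roi", "REQ-1002", "intake.clerk", "request_received", requestor="Payor B"),
    ev("2026-03-03T08:20:00", "roi", "REQ-1002", "him.specialist", "release_approved"),
    ev("2026-03-03T08:25:00", "roi", "REQ-1002", "him.specialist", "records_exported", records=["MRN-77 visit 2026-01"]),
    # REQ-1003: the release was approved before the requestor was verified.
    ev("2026-03-04T09:00:00", "roi", "REQ-1003", "intake.clerk", "request_received", requestor="Patient D"),
    ev("2026-03-04T09:05:00", "roi", "REQ-1003", "him.specialist", "release_approved"),
    ev("2026-03-04T09:30:00", "roi", "REQ-1003", "intake.clerk", "identity_verified", requestor="Patient D"),
    ev("2026-03-04T09:31:00", "roi", "REQ-1003", "him.specialist", "records_exported", records=["MRN-12 visit 2026-02"]),
]

DELIVERY_GATEWAY_LOG = [
    ev("2026-03-02T10:06:00", "gateway", "REQ-1001", "svc.gateway", "delivered", recipient="Law Office A", channel="sftp"),
    ev("2026-03-03T08:26:00", "gateway", "REQ-1002", "svc.gateway", "delivered", recipient="Payor C", channel="portal"),
    ev("2026-03-04T09:32:00", "gateway", "REQ-1003", "svc.gateway", "delivered", recipient="Patient D", channel="portal"),
    # An export the gateway logged with no request context at all.
    ev("2026-03-03T11:40:00", "gateway", None, "admin.user", "records_exported", records=["MRN-91 visit 2026-02"]),
]


def build_request_record(request_id, *logs):
    """Pull every event for one request out of every log and order it in time."""
    events = [e for log in logs for e in log if e["request_id"] == request_id]
    return sorted(events, key=lambda e: e["ts"])


def find_evidence_gaps(record):
    """Return human-readable gaps in one request's evidence trail."""
    gaps = []
    first_seen = {}
    for e in record:
        first_seen.setdefault(e["action"], e["ts"])
    # 1. Every required step must have left evidence.
    for action in REQUIRED_SEQUENCE:
        if action not in first_seen:
            gaps.append(f"missing evidence: no '{action}' event")
    # 2. The steps that do exist must have happened in the required order.
    present = [a for a in REQUIRED_SEQUENCE if a in first_seen]
    for earlier, later in zip(present, present[1:]):
        if first_seen[later] < first_seen[earlier]:
            gaps.append(f"out of order: '{later}' precedes '{earlier}'")
    # 3. Delivery must go to the requestor whose identity was actually verified.
    verified = [e["detail"].get("requestor") for e in record if e["action"] == "identity_verified"]
    for e in record:
        if e["action"] != "delivered":
            continue
        recipient = e["detail"].get("recipient")
        if not verified:
            gaps.append(f"delivery to '{recipient}' has no verified requestor on record")
        elif recipient not in verified:
            gaps.append(f"recipient mismatch: delivered to '{recipient}', verified requestor is '{verified[0]}'")
    return gaps


def find_orphaned_access(*logs):
    """ePHI access or export events that no request can explain."""
    return [e for log in logs for e in log
            if e["request_id"] is None and e["action"] in ACCESS_ACTIONS]


def audit_summary(*logs):
    """Gaps per request: the view a compliance or HIM lead would review."""
    ids = sorted({e["request_id"] for log in logs for e in log if e["request_id"]})
    return {rid: find_evidence_gaps(build_request_record(rid, *logs)) for rid in ids}


if __name__ == "__main__":
    for rid, gaps in audit_summary(ROI_SYSTEM_LOG, DELIVERY_GATEWAY_LOG).items():
        print(rid, "OK" if not gaps else gaps)
    print("orphaned access events:", len(find_orphaned_access(ROI_SYSTEM_LOG, DELIVERY_GATEWAY_LOG)))
```

Run as a script, the summary reports REQ-1001 as clean, REQ-1002 with a missing identity check and a delivery that no verified requestor backs, REQ-1003 with an approval that preceded verification, and one export with no request id. The design choice that matters is the request id on every event from every system: it is what turns scattered logs into a record that answers the patient disclosure question without manual reconstruction, and the orphaned-access check is what surfaces the activity that still lacks that context.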

Healthcare leaders do not need to manage every control directly. They should expect a shared operating view across the teams and vendors responsible for ePHI movement.
IT, HIM, compliance, legal, and vendor owners should be able to answer the same core questions. Where does ePHI move? Who can access it? Which systems and vendors take part? What evidence exists? How quickly can the organization respond when someone questions the activity?
A strong HIPAA Security Risk Analysis should reflect real exchange pathways. That includes release of information systems, referral platforms, imaging tools, APIs, interfaces, vendor-managed systems, subcontractor pathways, shared inboxes, portals, fax workflows, manual workarounds, and AI-enabled tools.
The analysis should focus on the places where ePHI actually moves. It should not rely only on system names, policy categories, or vendor lists.
Vendor oversight should follow the same logic. A Business Associate Agreement creates contractual obligations. It does not automatically give leaders operational visibility.
The organization still needs to understand where the vendor fits in the ePHI flow. Leaders should know what evidence the vendor can produce. That evidence may include access logs, incident timelines, subcontractor details, and delivery or transmission records. Leaders also need to know how quickly the vendor can support incident response.
Consider a vendor incident. A third-party platform reports that a file transfer environment may have been exposed. The first question is not only whether a Business Associate Agreement exists.
Leaders need to know which records moved through that environment. They need to know which requestors received them, whether delivery logs are complete, whether access remained limited, and whether the organization can determine scope without days of manual reconstruction.
The leadership question is not whether every technical detail can change overnight. The question is whether the organization has a clear view of its highest-risk exchange workflows. Leaders also need a documented plan to close evidence gaps and accountable owners for systems and vendors that move ePHI.
We help healthcare organizations make record exchange more accountable by connecting request activity, access events, fulfillment steps, delivery evidence, and exceptions inside one workflow.
In a controlled data liquidity model, the platform layer matters. It determines whether exchange activity becomes searchable, reviewable, and defensible. Without that layer, activity can remain scattered across disconnected handoffs.
The value is not simply that records move faster. The value is that record exchange becomes easier to govern, review, and explain when questions arise.
Request activity, access events, exceptions, transmissions, and delivery evidence should not live across scattered systems. They should connect inside a workflow that supports compliance, operational control, and audit response.
HIPAA release of information (ROI) compliance should connect standardized intake, requestor verification, secure delivery choices, role-based access, audit trails, and real-time metrics. That visibility helps leaders spot bottlenecks before deadlines slip.
Release of information software should centralize intake, routing, fulfillment, reporting, secure delivery, and automatic audit trails. That structure helps HIM teams reduce reliance on scattered fax queues, portals, email, and spreadsheets.
The proposed HIPAA Security Rule reinforces a direction healthcare leaders already understand. Stronger security depends on visibility, standardization, and accountability.
Written policies still matter. They are not enough if daily exchange workflows cannot show who accessed ePHI, what moved, how the organization protected it, and which controls operated at the time.
The organizations that lead the next era of interoperability will make data movement faster and easier to trust.
The proposed HIPAA Security Rule is not final, but the broader direction is clear. Rulemaking, enforcement, interoperability policy, and cyber risk trends all point toward stronger cybersecurity, clearer documentation, and better visibility into how ePHI moves across systems and vendors.
For data exchange workflows, that visibility matters before something goes wrong. It matters when leaders need to evaluate a vendor incident, scope a breach, respond to a complaint, support litigation, answer an auditor, or reassure patients and partners.
The best next step is to review the workflows where ePHI moves most often. Identify where records enter and leave. Confirm who can access them. Review whether logs are complete and exportable. Reassess vendor documentation. Identify where AI-enabled tools touch ePHI. Connect gaps back to the HIPAA Security Risk Analysis.
Then prioritize improvements that reduce compliance risk and operational uncertainty.
The organizations that lead the next era of healthcare data exchange will not be the ones that only move records faster. They will make exchange easier to trust, review, and explain when questions arise.
Schedule a data exchange workflow review to see where your organization can strengthen visibility, close evidence gaps, and build more accountable record exchange before requirements change.
No. As of May 13, 2026, the HIPAA Security Rule update discussed in this article is still a proposed rule unless and until HHS finalizes it. The current HIPAA Security Rule remains in effect during the rulemaking process, so organizations should distinguish between current requirements and proposed changes.
Evidence maturity means the organization can produce workflow-level documentation of how health information moved, who accessed it, what safeguards applied, and how exceptions were handled. In healthcare data exchange, evidence maturity helps leaders respond to audits, incidents, complaints, vendor questions, and legal disputes with reliable facts instead of manual reconstruction.
Interoperability will need to balance access and accountability. Health information must move efficiently for treatment, payment, operations, patient access, legal requests, and other permitted purposes, but organizations will need stronger documentation showing why information moved, who touched it, what controls applied, and how risks were managed.
AI affects HIM security when AI-enabled tools access ePHI, support release decisions, classify requests, summarize records, prioritize work, or interact with vendor-managed systems. Leaders should ensure AI tools have appropriate access limits, audit trails, vendor oversight, human review, and documentation.