Our inbox is full of questions from people wondering how HIPAA might change under Trump. While it’s too early to predict details, we have important observations to share.
The HIPAA Privacy Rule modifications to support reproductive health privacy will become mandatory on December 23, 2024.
On January 20, 2025, the Trump administration will take office. Soon, there will be a new Secretary of the Department of Health and Human Services (HHS) and a new Director of HHS’s Office for Civil Rights (OCR), which enforces HIPAA.
Some supporters of President-elect Trump predict dramatic changes to the HIPAA Privacy Rule. However, for several reasons, HIPAA changes will not happen quickly.
A federal law called the Administrative Procedure Act (APA) requires HHS to follow an inclusive and time-consuming process to change federal rules and regulations, including HIPAA Rules. From start to finish, change can take several years.
Moreover, every state has its own health privacy laws, which are enforced by state Attorneys General and are not affected by the administration or Congress.
HIPAA Enforcement by States and the Courts
OCR is not the only HIPAA enforcer. The HITECH Act gave State Attorneys General the power to enforce HIPAA.
A new OCR Director may announce that the agency will use “enforcement discretion” and not investigate or impose penalties for violations of reproductive health privacy under the Privacy Rule. However, enforcement discretion regarding reproductive health will not affect the Security Rule, and all the HIPAA Rules will remain the law until and unless they are modified by the APA process.
Some red State Attorneys General and their political base oppose some elements of the HIPAA Privacy Rule. However, blue State Attorneys General can enforce HIPAA, including its provisions to support reproductive health privacy.
There are no significant differences between the political parties regarding the HIPAA Security Rule.
Class Action Lawsuits Enforce Privacy Laws
Lately, private plaintiffs filing class action lawsuits have become the most aggressive and feared enforcers of laws protecting patient privacy. Lawyers developed a playbook that they use with mounting frequency.
The First Trump Administration Enforced HIPAA
OCR initiated the Patient Right of Access Initiative during the first Trump administration, and it remained a priority during Biden’s administration. Since 2019, OCR has enforced HIPAA provisions that ensure individuals can access their health records, resulting in 50 investigations and settlements.
Healthcare Cybersecurity is a Bipartisan Issue
Cybersecurity remains a critical priority for all sectors, including healthcare. Consequently, some privacy experts believe the new Trump administration will continue to push for more robust cybersecurity measures. Healthcare is part of the United States’ critical infrastructure, and the HIPAA Security Rule helps ensure healthcare services remain strong.
The FBI, HHS, and the Cybersecurity and Infrastructure Security Agency (CISA) have long collaborated to guide the healthcare industry in defending against ransomware and other cyber attacks that threaten the delivery of healthcare services.
OCR recently submitted proposed changes to the Security Rule to the White House’s Office of Management and Budget for review. It plans to publish the notice of proposed rulemaking in December, followed by 60 days of public comment before issuing a final rule. Although a new administration will likely scrutinize those changes closely, there is a good chance they will advance after review. Cybersecurity in healthcare is a bipartisan issue.
Protecting Patient Privacy is the Foundation of Quality Health Care
Patients trust that their healthcare providers will protect their privacy rights. This trust is the basis of quality health care. By following HIPAA, regulated entities have the best chance of maintaining that trust and protecting their patient data.
Even if OCR announces selective enforcement discretion of the HIPAA Rules, HIPAA is still the nationwide law that HIPAA-regulated entities must follow. And they should consult legal counsel before deciding how to proceed.