Countdown to Data Privacy Day 2026: Federal Office Calls for Renewed Focus on Data Protection

January 23, 2026

By: Gabriel S. Oberfield, Esq., M.S.J.

As we march closer to World Data Privacy Day on January 28, it’s a good time to take stock of recent privacy developments involving health care delivery. 

No – this isn’t an article about the New York Health Information Privacy Act, which this author synopsized during last year’s privacy day ramp-up. Various constituencies filed their opposition to the 2025 bill language, which New York Governor Kathy Hochul ultimately vetoed while expressing concern about unintended consequences.

Moreover – this isn’t an article about a potential modification to the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). A Notice of Proposed Rulemaking issued last year by the Trump administration, the “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” would update the HIPAA Security Rule (Security Rule) for the first time in more than a decade. Thus far, it has not resulted in rulemaking, and it has stirred strong industry opposition, including in the form of a December 2025 sign-on letter directed to Health and Human Services Secretary Robert F. Kennedy, Jr.

Instead, this article focuses on the warning issued by Secretary Kennedy’s agency, specifically its Office for Civil Rights (OCR), which oversees health care data from an enforcement perspective. In its January 2026 OCR Cybersecurity Newsletter, HHS issued stern guidance that HIPAA Covered Entities and Business Associates must heed the Security Rule and harden their infrastructure – all to ensure the “confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the regulated entity creates, receives, maintains or transmits” (see 45 CFR 164.306(a)(1)). In its bulletin, OCR calls for careful attention to “patching known vulnerabilities” of electronic devices, and outlines steps for doing so. Next, it calls on those same regulated entities (that’s you, health care delivery providers) to remove or disable “unneeded software and services.” The authors then stress the importance of “enabling and configuring security measures.”

This author remains a member of the Health Sector Coordinating Council Cybersecurity Working Group, which is tracking these issues closely in public-private partnership with the Federal government. As 2026 unfurls, there will undoubtedly be further developments, but for now, a key takeaway for health care entities is to remain vigilant: OCR continues to enforce in this area, and upstream focus and risk analysis can mitigate painful downstream consequences. Bond is here to help with the operational and compliance steps necessary to build proper safeguards and systems that satisfy regulatory requirements and keep constituents’ data safe.

For more information, contact Gabriel S. Oberfield, Esq., M.S.J., or any member of Bond, Schoeneck & King PLLC’s cybersecurity and data privacy or health care practice groups.