Cybersecurity and Medical Debt Regulations Face Uncertainty in New Administration

With one week to go before President-Elect Trump is sworn in for the second time, the Biden Administration is hurrying to check final things off the to-do list.

This has included two major rules – one proposed and one finalized – that could drastically change the healthcare landscape. Let’s look into the two of them, as well as what their future could be.

First up is a newly proposed Healthcare Insurance Portability and Accountability Act (HIPAA) update that addresses cybersecurity practices. As we all know, 2024 felt like the year of cybersecurity incidents within the industry. Reports indicate that the number of people affected by healthcare data breaches since 2018 has increased by 1,000 percent.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has been planning this update to HIPAA since late 2023, when they first released a working paper on cybersecurity strategy for the agency – and President Biden similarly released the National Cybersecurity Strategy. The newly proposed rule would be the first update to the famed HIPAA law since 2013, and would require health plans, clearinghouses, providers, and other parties to strengthen cybersecurity protections for their patients’ personal health information (PHI).

This includes, among many other more technical aspects, drafting, testing, and updating cybersecurity policies regularly, strengthening breach notification timelines, and creating contingency plans and incident responses. HHS identified in its own rule that the annual cost of compliance activities will be approximately $9 billion for the first year, with $6 billion for years two through five.

The second rule that was officially finalized in recent days is one that removes a staggering $49 billion in unpaid medical bills from the credit reports of 15 million American citizens. Mitigating medical debt has been an ongoing priority for the Biden Administration.

The Consumer Financial Protection Bureau (CFPB) published a large report in 2022 highlighting how much of a burden medical debt is on Americans. This saw several credit reporting companies voluntarily remove some debt amounting to under $500 from their credit reports.

The finalized rule, in its simplified form, prevents medical debt from showing up on credit reports and prohibits lenders from utilizing medical information in lending decisions. This alone is estimated in some reports to raise credit scores of Americans with medical debt by an average of 20 points and lead to an additional 22,000 mortgages being approved every year.

It is set to take effect in March. During the public comment period, providers and collection companies raised concerns that patients would feel less of an obligation to pay bills, which could financially harm vulnerable providers and lead to upfront payment for nonemergency services.

However, what we can expect under President-Elect Trump’s new administration is essentially a freeze on either or both of these rules – and any other rule not made effective by the inauguration.

So, what can we expect? Likely a freeze memo by the Office of Management and Budget (OMB) that is sent to agency heads, which gives the new administration time to look at pending rules and decide whether to finalize them or toss them out. For finalized rules, if they have not yet taken effect – and the CFPB rule does not for 60 more days – the new administration can suspend the rule and ultimately has the power to modify or rescind it.

So, both of these are technically on the chopping block for President-Elect Trump’s second term. On the one hand, cybersecurity protections and medical debt relief may not be enough of a priority for the Trump Administration to completely reverse course on.

On the other hand, a new administration always results in a long period of regulatory uncertainty – so ultimately, it’s anyone’s guess at this point!