HIPAA Is Not a Health IT Statute: Why ONC Security Requirements Must Stay (HTI-5 Article 2)
HHS Wants To Remove Security Requirements from Health IT Certification
HHS proposes removing the thirteen security certification requirements (§ 170.315(d)(1)-(d)(13)) for health IT systems in the HTI-5 proposed rule. The justification: “HIPAA already covers security.” This logic fundamentally misunderstands what HIPAA regulates and creates a dangerous gap in healthcare cybersecurity.
I. The Proposed HTI-5 Rule Changes Eliminate the Entire Existing Security Certification Requirements
HHS, in the HTI-5 proposal, states that its existing certification requirements do not fully meet a covered entity’s HIPAA privacy and security requirements, and that is true. However, the answer is not “let’s remove what we have,” but rather “let’s leave our health IT certification security requirements in place because they remain sound policy regardless of HIPAA.”
The HTI-5 proposal removes all of the security standards currently required for certification (§ 170.315(d)(1)-(d)(13)). Among the thirteen requirements (all important), four should be components of any decent health IT system. They are the requirements for multi-factor authentication, audit logging, encryption, and automatic access timeout. The current standards do not require a specific technical solution; they only specify a result that should be the bare minimum for any IT system handling private health information. The ONC argues that they are “duplicative” of the HIPAA requirements. But are they duplicative, or do they meet part of the HIPAA requirements while maintaining the essential data security any system needs?
II. What HIPAA Actually Regulates
HIPAA regulates entities—healthcare providers, payers, clearinghouses, and their business associates. It does not directly regulate technology products, software vendors, or IT systems. This distinction is critical: HIPAA tells covered entities “you must have appropriate security,” but it doesn’t verify that the software you purchase *can* provide that security.
HIPAA is based on principles that must be met and does not set prescriptive requirements. HIPAA sets performance targets but does not specify how a covered entity or business associate meets them. If the ONC’s intent is to foster innovation while setting reasonable requirements, the existing rules achieve that with the flexibility software vendors need to help their clients (covered entities and business associates) reach that goal. It sets a reasonable minimum set of standards.
For example, HIPAA treats encryption as “addressable”—not truly optional, but requiring a risk assessment and documented decision if not implemented. In practice, encryption is the only reasonable and appropriate safeguard for most scenarios, but HIPAA doesn’t mandate the specific technical implementation. Similarly, if the data comes to “rest” on an end-user system, it needs to be encrypted under the current ONC regulations. But if the data is not stored on the end-user system, it does not need to be encrypted.
III. The Enforcement Gap
HIPAA enforcement targets healthcare organizations AFTER breaches, not before. It doesn’t verify software capabilities before deployment. Software vendors are not regulated by HIPAA (unless they are also business associates). Meeting the existing ONC certification requirements can help a healthcare organization or business associate satisfy HIPAA security requirements. As mentioned earlier, it does not cover all the HIPAA requirements, but it is a solid starting point for HIPAA compliance.
IV. The Certification Gap
ONC certification ensures that the software must demonstrate (in advance, before deployment) that it has the required security features. HIPAA requires healthcare organizations to implement security measures. ONC certification helps the organization know in advance that many HIPAA requirements are in place and have been tested. Without certification, there is no verification that the software meets the requirements.
The ONC certification is a preventive verification that helps protect the entity from the consequences of a HIPAA violation. Removing that certification shifts all the burden to the covered entity or business associate. Using multi-factor authentication as an example: if a hospital purchases a new electronic health record system without pre-market ONC certification, assumes the software is compliant, and a breach occurs, the hospital bears all liability and enforcement actions, while the vendor faces no consequences.
A Real-World Scenario
Consider a hospital purchasing a new patient portal from a startup vendor:
With ONC certification: The hospital knows the software has MFA, encryption at rest, audit logging, and automatic timeout before deployment.
Without ONC certification: The hospital must independently verify these capabilities, negotiate requirements, conduct security testing, and bear all liability if the vendor’s claims prove false.
Now multiply this scenario across thousands of healthcare organizations and dozens of competing vendors. The administrative burden shifts entirely to providers while eliminating any market incentive for vendors to maintain security standards.
V. The Loper Bright Complication
The Supreme Court’s Loper Bright decision eliminated Chevron deference—courts no longer defer to agency interpretations of ambiguous statutes. This fundamentally changes the HIPAA landscape:
HIPAA doesn’t explicitly require specific security implementations like MFA or encryption. Pre-Loper Bright, HHS could authoritatively interpret what HIPAA’s “appropriate and reasonable” security measures meant. Post-Loper Bright, HHS cannot impose those interpretations—courts will decide, case-by-case, through litigation.
The result:
Litigation will determine requirements through a slow, expensive, inconsistent process
Vendors will choose the least-costly interpretation to minimize legal risk
A race to the bottom on security features as ambiguity favors minimalism
Innovation paralyzed by legal uncertainty rather than enabled by clear standards
Hospitals can’t rely on compliance guidance without risking judicial reversal
The ONC certification standards provided clarity that *Loper Bright* has now made impossible through HIPAA alone. Removing certification in this post-Chevron environment doesn’t eliminate duplication—it eliminates certainty.
VI. Why “Already Implemented” Doesn’t Hold Up
Today’s health IT vendors already have the ONC security features in place, but new entrants into the market will not be required to meet that part of the certification. These new vendors may skip the security features to save money, leading to another “race to the bottom” by competing vendors who will eliminate their security features to remain competitive. Without the certification, there is no mechanism to verify or enforce. Market dynamics favor cost-cutting over security when the regulations disappear.
VII. The Path Forward: The Current Standards Must Remain
HIPAA and ONC certifications serve complementary purposes:
HIPAA: Requires entities to implement appropriate security
ONC certification: Verifies that health IT products can provide security
They are not duplicative—they address different parts of the security ecosystem. Removing the ONC security certification doesn’t eliminate duplication; it eliminates the only pre-market verification mechanism that ensures health IT products meet at least part of the HIPAA requirements.
The comment period opens December 29th. Submit comments at opposing the removal of § 170.315(d)(1)-(d)(13) security requirements. Healthcare cybersecurity deserves better than regulatory shell games that shift all risk to providers while eliminating vendor accountability.
Want to submit a comment but not sure what to say? Consider including:
Your role in healthcare/health IT
Specific security requirements you rely on (MFA, encryption, audit logs, timeout)
The Loper Bright concern about interpretive authority
Opposition to removing § 170.315(d)(1)-(d)(13)