Loper Bright Meets Healthcare IT (HTI-5 Article 4)
Welcome to the Regulatory Swamp
How the Supreme Court’s Loper Bright Decision Turns Health IT Deregulation Into a Compliance Nightmare
Two simultaneous changes are about to collide in healthcare IT.
In June 2024, the Supreme Court overruled Chevron in Loper Bright Enterprises v. Raimondo. This fundamentally changed how courts review an agency’s reading of an ambiguous federal statute.
Now, HHS, through the Office of the National Coordinator for Health Information Technology (ONC), is proposing to remove specific health IT security requirements under HTI-5, claiming “HIPAA covers it.”
Here’s the collision: Without Chevron deference, “HIPAA covers it” is legally meaningless. HTI-5’s reliance on ambiguous statutory authority creates compliance chaos in a post-Loper Bright world.
What Loper Bright Changed
For forty years, courts followed a doctrine called Chevron deference. When a statute was ambiguous, courts deferred to the agency’s reasonable interpretation of it. If HHS said “HIPAA requires X,” courts generally accepted that reading as authoritative.
The old world worked like this:
The statute says a health IT system must include “appropriate safeguards” for user security
HHS interprets this to require multi-factor authentication
When the regulation HHS wrote in response to the statute was challenged, the court deferred to HHS’ expertise
The industry had clear guidance on what was and was not required
The new world works like this:
The statute says a health IT system must include “appropriate safeguards” for user security
HHS interprets this to require multi-factor authentication
Defendant argues the statute just requires “authentication”—not *multi-factor*
Without Chevron deference to the agency’s expertise, the court interprets the statute independently, relying on its own knowledge and experience
Outcome uncertain
This matters enormously for health IT because HIPAA’s Security Rule is deliberately principle-based. Terms like “appropriate” and “reasonable” are never precisely defined, and “addressable” (defined at § 164.306(d)) turns on the same “reasonable and appropriate” judgment. Without Chevron deference, there is no authoritative interpretation of what these terms require.
Every requirement becomes potential litigation.
The Specific Ambiguities HTI-5 Creates
Here’s what HTI-5 proposes to remove from certification requirements:
Multi-factor authentication (MFA)
Specific audit logging requirements
Encryption standards (in transit and at rest)
Automatic access timeout
Emergency access procedures
Tamper-resistance for audit logs
The ONC’s position: “HIPAA already covers these.”
But look at what the HIPAA Security Rule (45 CFR § 164.312) actually says:
On authentication: § 164.312(a)(2)(i) requires “a unique name and/or number for identifying and tracking user identity,” and § 164.312(d) requires procedures “to verify that a person or entity seeking access to electronic protected health information is the one claimed.” Does either require MFA? The rule says verify, not how to verify. A username plus a single password arguably satisfies it; the rule never names a password, let alone a second factor.
On audit logs: § 164.312(b) requires “hardware, software, and/or procedural mechanisms that record and examine activity.” What must be logged? Just user login and logout, or a “before” and “after” snapshot of every change to electronic protected health information (ePHI)? Retained for how long? In what format? The rule specifies none of this.
On encryption: § 164.312(e)(1) requires “technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.” Must that be encryption? A VPN, physical control of the network, or a policy could each be argued to qualify. Encryption itself appears only as an “addressable” implementation specification (§ 164.312(e)(2)(ii) for data in transit, § 164.312(a)(2)(iv) for data at rest). Under § 164.306(d)(3), an entity that concludes an addressable specification is not “reasonable and appropriate” in its environment must document why and implement an equivalent alternative measure if one is reasonable and appropriate. “Addressable” therefore does not mean optional, but whether a particular entity had to encrypt turns entirely on its own judgment of what was reasonable and appropriate.
On access timeout: § 164.312(a)(2)(iii) calls for terminating “an electronic session after a predetermined time of inactivity.” How long? The rule doesn’t say. It is also addressable, so the same reasonable-and-appropriate judgment applies.
Without certification, who decides what these terms mean?
Pre-Loper Bright, HHS guidance was authoritative. Post-Loper Bright, courts interpret the statute from scratch. Each vendor and each hospital makes its own legal judgment, inconsistent interpretations proliferate, and the only resolution is expensive litigation.
The Vendor Catch-22
Consider the impossible position this creates for health IT vendors:
Option 1: Implement expensive security features (MFA, encryption, comprehensive logging)
Risk: Your competitor doesn’t. They undercut your price. They win the contract.
Your legal team says: “The statute doesn’t explicitly require this.”
Option 2: Skip expensive features, implement minimal compliance
Risk: Customer suffers breach. OCR enforcement action follows.
Your legal team says: “We have met the statutory requirements,” but a long and expensive legal process (or an expensive out-of-court settlement) still follows.
But what does “minimal compliance” even mean without authoritative agency guidance?
There’s no safe harbor. No clear standards. No predictability.
The Coming Litigation Explosion
Every breach becomes a statutory interpretation case
Hospital gets breached via credential stuffing—an attack that MFA would have prevented. OCR fines the hospital for inadequate authentication. Hospital argues: “HIPAA doesn’t require MFA. We had passwords. That satisfies ‘identifying and tracking user identity.’”
The court must interpret the statute without deferring to HHS. A tech-savvy district court judge may say that “MFA has been around for many years and is a reasonable expectation.” Whether that holds up on appeal is unclear and may depend (again) on the judges’ level of technical sophistication. Outcome: uncertain.
It is not reasonable to expect judges to be experts in every field. Judges are already being forced to rule on cases that hinge on subjects only specialists have studied. They should focus on the law, not on whether a specific user authentication technique is strong enough to satisfy a vague requirement, or, worse, on whether an entity properly “addressed” that requirement.
Circuit splits are likely
Different federal circuits will interpret HIPAA requirements differently. The Second Circuit might say encryption is required; the Ninth Circuit might say “addressable” means optional. Vendors operating nationally face varying requirements across jurisdictions.
Only the Supreme Court can resolve a circuit split. That takes years, if the Court takes the case at all. In the meantime, the whole industry sits in limbo.
Insurance implications
Cyber insurers can’t assess risk without clear compliance standards. How do you underwrite “reasonable security” when no one knows what reasonable means? Premiums increase to cover legal uncertainty. Coverage disputes multiply over whether “appropriate safeguards” were put in place.
The chilling effect
Vendors can’t plan product roadmaps without knowing requirements. Risk-averse vendors over-comply, driving up costs. Risk-tolerant vendors under-comply, creating danger. Small vendors exit the market entirely—they can’t afford the legal uncertainty.
If ONC believes certification is burdensome, the post-Loper Bright landscape calls for clearer rules, not vaguer ones.
Options ONC could pursue:
Seek specific statutory requirements through Congressional legislation
Issue detailed regulatory text with precise definitions, not ambiguous principles
Create safe harbor provisions for specific implementations
What they’re actually doing: Removing specific requirements and pointing to an ambiguous statute.
This is exactly backwards in a post-Loper Bright world.
What This Looks Like in Practice
A small EHR vendor launches a product without MFA—it saves $200,000 in development costs. They sell to 30 rural hospitals over two years. Three years after the product is introduced to the market, a breach occurs at Hospital A due to credential theft.
Now the legal questions begin:
Did HIPAA require MFA? No clear answer.
Is the vendor liable? As a business associate rather than a covered entity, it is directly subject to the Security Rule, but that rule never names MFA.
Is the hospital liable? The vendor told them the product was “compliant.”
Will the court agree with OCR’s interpretation? No deference required.
Thirty hospitals. One defective product. No clarity on who’s responsible or what the law actually required.
What Needs to Happen
Loper Bright plus HTI-5 equals compliance chaos
Removing specific certification requirements at the exact moment agencies lost interpretation authority is regulatory malpractice. Healthcare deserves clarity, not ambiguity. Patients deserve protection, not legal uncertainty.
ONC must maintain clear, specific certification requirements. In a post-Loper Bright world, specificity isn’t a bureaucratic burden—it’s the only path to compliance certainty.
Next in the series: The Oversight Vacuum—how HTI-5 creates gaps that no existing agency is positioned to fill.