Your Analytics Compliance Strategy Wasn't Built for the HIPAA Security Rule NPRM
Russell Reid

HHS published a 125-page Notice of Proposed Rulemaking on January 6, 2025. It's the most significant proposed overhaul of the HIPAA Security Rule since the original publication in 2003, and most organizations haven't read it. That's a problem.
The proposed rule doesn't just tighten cybersecurity standards for hospitals and health plans. It rewrites compliance obligations for every technology vendor operating as a HIPAA business associate. Every analytics platform. Every tag management tool. Every marketing data intermediary touching electronic protected health information on behalf of a healthcare organization falls within scope, and the compliance frameworks most of these vendors rely on today weren't designed for what the NPRM demands.
What the NPRM actually requires
The current Security Rule distinguishes between "required" and "addressable" implementation specifications. In practice, many organizations have treated "addressable" as optional. The NPRM eliminates that distinction entirely, making every safeguard mandatory with only narrow exceptions for systems that technically can't support a specific control.
The specifics are extensive. Encryption of all ePHI at rest and in transit, multi-factor authentication for every system accessing protected health information, vulnerability scanning every six months, annual penetration testing, network segmentation, incident response plans tested every twelve months, critical system restoration within 72 hours, and patch management with 15-day deadlines for critical vulnerabilities. Covered entities and business associates must conduct formal compliance audits annually, maintain written technology asset inventories, and produce network maps documenting how ePHI flows through their systems.
Financial services firms have operated under comparable mandates for years. But healthcare cybersecurity spending runs 4 to 7 percent of IT budgets compared to roughly 15 percent in banking. The gap between current practice and the NPRM's baseline is substantial.
The requirement nobody is talking about
Buried in the business associate provisions is a single requirement that should concern every healthcare marketing team evaluating its analytics stack.
Annual written verification.
Under the proposed rule, business associates must provide each covered entity client with a written analysis of their technical safeguards, conducted by someone with appropriate cybersecurity knowledge, accompanied by a written certification that the analysis is complete and accurate. This isn't a checkbox. It's a formal deliverable, required every twelve months, that the covered entity must collect and retain.
The cascading effect matters most. Business associates must obtain equivalent written verification from their own subcontractors. So if an analytics vendor processes data and routes it downstream to Google Analytics, Meta, or any other third-party destination, every link in that chain must produce annual written verification of its technical safeguards. Every single one.
Can every vendor in a typical healthcare analytics data flow produce that documentation today? For most organizations, the honest answer is no.
Architecture becomes a compliance question
Since HHS issued its December 2022 bulletin on tracking technologies, the healthcare analytics market has sorted itself into two architectural models.
The first is the privacy proxy. A vendor sits between the healthcare organization's website and tools whose operators will not sign a BAA, such as Google Analytics or Meta's advertising pixels. The proxy strips protected health information from each hit, masks or pseudonymizes identifiers, and passes the sanitized data downstream. The analytics engine remains Google's. Reporting happens in GA4. The proxy vendor signs a BAA and the healthcare organization keeps using familiar tools.
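To make the proxy model concrete, here is an added illustration of the sanitizing hop it describes: a function that takes one analytics hit, drops fields that never leave the proxy, truncates URL paths under patient-facing sections, allow-lists query parameters, keeps only the referring origin, redacts e-mail and phone shapes from free text, and replaces the client identifier with a keyed hash. This is example code written for this article, not LightTrail's code or that of any vendor named here; the field names, path prefixes, parameter allow-list and sample hit are all constructed assumptions.

```python
"""Constructed example of a PHI-sanitizing hop between a website and a
downstream analytics destination. Not any vendor's production code."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: query parameters that carry no patient-specific data. Anything not
# on this allow-list is dropped, so an unknown parameter fails closed.
ALLOWED_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_content", "page"}
# Assumption: path prefixes behind which a URL identifies a patient, visit or condition.
SENSITIVE_PATH_PREFIXES = ("/portal/", "/appointments/", "/patient/", "/results/", "/conditions/")
# Fields that never leave the proxy in any form.
DROP_FIELDS = {"user_id", "ip", "email", "phone"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


def scrub_url(url: str) -> str:
    """Keep scheme and host; truncate the path at a sensitive prefix; keep only
    allow-listed query parameters; drop the fragment entirely."""
    parts = urlsplit(url)
    path = parts.path
    for prefix in SENSITIVE_PATH_PREFIXES:
        if path.startswith(prefix):
            path = prefix + "[redacted]"
            break
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k in ALLOWED_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def referrer_origin(url: str) -> str:
    """Referrers may point into another site's patient area, so keep only the origin."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", "")) if parts.netloc else ""


def scrub_text(text: str) -> str:
    """Redact e-mail addresses and phone-number shapes from free text such as page titles."""
    return PHONE_RE.sub("[phone]", EMAIL_RE.sub("[email]", text))


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. The key stays on the proxy, so the downstream
    destination cannot recover the original value or recompute the mapping."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def sanitize_event(event: dict, key: bytes) -> tuple:
    """Return a sanitized copy of one hit plus a log of every change made to it.
    The log is what the proxy operator can point to when documenting the control."""
    out, log = {}, []
    for field, value in event.items():
        if field in DROP_FIELDS:
            log.append(f"dropped {field}")
        elif field == "page_location":
            out[field] = scrub_url(value)
            if out[field] != value:
                log.append("scrubbed page_location")
        elif field == "page_referrer":
            out[field] = referrer_origin(value)
            if out[field] != value:
                log.append("scrubbed page_referrer")
        elif field == "client_id":
            out[field] = pseudonymize(value, key)
            log.append("pseudonymized client_id")
        elif isinstance(value, str):
            out[field] = scrub_text(value)
            if out[field] != value:
                log.append(f"redacted {field}")
        else:
            out[field] = value
    return out, log


# Constructed sample hit; not captured traffic.
SAMPLE_HIT = {
    "event_name": "page_view",
    "client_id": "1234567890.1700000000",
    "user_id": "mrn-00912",
    "ip": "203.0.113.7",
    "page_location": "https://www.example-health.org/appointments/confirm"
                     "?provider=dr-smith&date=2025-03-04&utm_source=newsletter",
    "page_referrer": "https://portal.example-health.org/results/12345",
    "page_title": "Confirm appointment for jane.doe@example.com",
}

if __name__ == "__main__":
    sanitized, changes = sanitize_event(SAMPLE_HIT, b"proxy-only-key")
    for k, v in sanitized.items():
        print(f"{k}: {v}")
    print("changes:", ", ".join(changes))
```

Two points matter for the argument above. First, every rule in this hop is a control the proxy vendor owns and has to document, test and re-verify; the downstream tool contributes nothing to that verification. Second, the allow-lists and prefixes are only as good as the site's URL inventory, and the hashing key is a secret the proxy must protect, so even the simpler model carries safeguards that someone has to certify in writing.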
The second is the self-contained platform. Data gets collected, processed, stored, and analyzed entirely within a HIPAA-compliant environment with no downstream dependency on Google, Meta, or any non-compliant third party for core analytics. The data never leaves compliant infrastructure.
Under today's regulatory framework, both models can claim compliance with reasonable credibility. Both sign BAAs. Both function.
But the NPRM changes the math. Annual written verification turns architectural decisions into compliance obligations. A proxy vendor must now verify not just its own safeguards but the safeguards of every downstream destination in its data flow. If Google Analytics sits in that flow, someone needs to produce annual written verification of Google's technical safeguards as they apply to the healthcare organization's data. Google doesn't provide that. Not in the form the NPRM envisions. Not for GA4 as most healthcare organizations use it.
A self-contained platform faces a simpler compliance conversation. One vendor. One BA relationship. One verification chain. The data lives in one place, protected by one set of safeguards that can be documented, audited, and certified annually without depending on a third party that doesn't participate in the healthcare compliance ecosystem.
The point here isn't that proxy models are non-compliant. It's that the NPRM introduces a verification burden that scales directly with architectural complexity. More links in the chain means more certifications required and more surface area for gaps that a compliance audit or OCR investigation could expose.
$9.3 billion, 4,745 comments, and an uncertain path forward
The NPRM isn't final. HHS estimated first-year implementation costs at $9.3 billion with ongoing annual costs of approximately $6 billion. The industry pushed back hard. During the 60-day comment period, OCR received 4,745 comments, and over 100 hospital systems and provider organizations signed a letter demanding the rule be withdrawn entirely. CHIME led the effort. Cleveland Clinic, Yale New Haven Health, and the AMA joined.
Their objections are substantive. The rule proposes a 240-day compliance timeline with no phased approach and no differentiation by size, which means a three-physician practice faces the same requirements and deadlines as a 50-hospital health system. No federal funding accompanies the mandate. Small and rural providers argue the costs could force closures, and given that many already operate at negative margins, that argument carries real weight.
The political landscape complicates things. The Trump administration's January 2025 regulatory freeze, issued just fourteen days after publication, directed agencies to pause rulemaking pending review. HHS Secretary Robert F. Kennedy Jr. and OCR Director Paula M. Stannard haven't publicly stated whether the rule will proceed. And DOGE-driven restructuring has cut HHS from 82,000 to approximately 62,000 employees while more than doubling OCR's open case backlog.
The rule remains on OCR's official regulatory agenda with a May 2026 finalization target. It hasn't been withdrawn, delayed, or modified. A competing legislative effort tells a parallel story: the Health Care Cybersecurity and Resiliency Act advanced through the Senate HELP Committee on a 22-1 bipartisan vote, carrying many of the same requirements but adding federal grants to help healthcare organizations comply.
The direction of travel is clear
The specific mechanism may change. The destination won't.
Healthcare organizations should be asking their analytics vendors three questions right now. Can you produce annual written verification of your technical safeguards, covering encryption, access controls, vulnerability testing, and incident response? Does your architecture depend on downstream destinations that can't independently produce that same verification? And if the NPRM finalizes in any form resembling the current proposal, what changes?
Vendors who answer those questions clearly and immediately are the ones whose architecture was built for this regulatory environment. Vendors who need time are the ones whose compliance strategy belongs to an era that's ending.
The 125-page NPRM is a signal. Whether it finalizes as written, gets scaled back, or gives way to the Congressional alternative, the era of treating a signed BAA as the full measure of analytics compliance is over. Architecture, documentation, and provable security practices will determine which vendors survive procurement review and which get replaced. That shift is already underway.
Healthcare marketing teams have navigated three years of tracking technology upheaval since the December 2022 OCR bulletin. The NPRM is the next chapter. And the organizations that evaluate their analytics infrastructure now, before a final rule lands, are the ones that won't be scrambling when a deadline arrives.
Russell Reid is CTO and co-founder of Alliance Innovations, the company behind LightTrail, a HIPAA-compliant web analytics platform built for healthcare marketing teams.