
HIPAA's Security Rule meets quantum risk: A renovation that needs one more fix

Proposed changes to the HIPAA Security Rule mark the biggest update to healthcare data security in a decade, but while the rule acknowledges emerging quantum risks, it stops short of fully addressing them.


Contributors:

Isha Singh

CIPP/E, CIPP/US

Attorney

In January 2025, the U.S. Department of Health and Human Services issued a notice of proposed rulemaking to update the Security Rule under the Health Insurance Portability and Accountability Act, the most significant overhaul of healthcare data security obligations since 2013. Encryption standards currently used to satisfy the rule may not hold beyond 2030, and the U.S. National Institute of Standards and Technology has already published replacements designed for a quantum computing future.

Discussions around quantum computing often swing between "not in our lifetime" and "everything breaks tomorrow." The reality sits somewhere in between. It is not here yet in a way that disrupts cybersecurity, but it is close enough that decisions made today will determine whether sensitive personal data remains protected 10 or 20 years from now. 

This matters because healthcare data is unusually long-lived. A credit card number expires. A genomic profile, clinical trial dataset or decade-long patient record does not. That changes how we think about data security under the HIPAA Security Rule and its proposed update. 

What is quantum computing, and why does it matter here?

Classical computers process information in binary, as either zero or one. Quantum computers use qubits, which can exist in multiple states simultaneously. This allows them, at sufficient scale, to solve certain mathematical problems exponentially faster than any conventional machine. 

Modern encryption relies on those problems being effectively unsolvable. That assumption underpins widely used algorithms such as RSA-2048, which protect electronic protected health information across healthcare systems. Quantum computing changes that assumption. Once sufficiently advanced, it is expected to render these encryption algorithms vulnerable. 
