Groups Call for Trump to Rescind Proposed HIPAA Rule Update

Seven major industry groups – including one representing healthcare CISOs and CIOs – are urging the Trump administration to rescind a proposed update to the 20-year-old HIPAA security rule issued in the final weeks of the Biden administration. The groups say the costs and regulatory burden on the healthcare sector to implement the changes would be “staggering.”

See Also: Using the Netskope HIPAA Mapping Guide

In a Feb. 17 letter to President Donald Trump and U.S. Department of Health and Human Services Secretary Robert F. Kennedy Jr., the College of Healthcare Information Management Executives and the Medical Group Management Association, and five other diverse healthcare associations, said they are “unified” in their opposition to the proposed HIPAA Security Rule.

“We urge the administration to reconsider this Biden-era regulation, rescind it as soon as possible, and engage with the organizations listed [on the letter] to develop a more balanced approach – one that addresses cybersecurity concerns without imposing excessive burdens on the healthcare sector,” the groups said.

While they acknowledged the healthcare sector needs a strengthened cybersecurity posture to safeguard patient information, the requirements and timeline contained in the proposed rulemaking, which was unveiled by the Biden administration in late December and published on Jan. 6 in the Federal Register, was “unreasonable.”

“The unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems,” the letter said.

“Furthermore, if this proposal moves forward, we strongly believe that it will stifle innovation in healthcare,” they said. “The stringent requirements and the rapid implementation timeline could hinder the development and adoption of new technologies and practices that are essential for improving patient care and operational efficiency.”

The proposed regulations are the first major update to the HIPAA security rule in more than two decades. If adopted, the changes would convert some high-level recommendations such as deploying encryption and multifactor authentication into requirements (see: White House Clears HIPAA Security Rule Update).

The long list of other HIPAA security rule proposals includes more specificity about how to conduct security risk analysis; mandates for regulated firms to prepare an annual technology asset inventory and network map; and requirements for business associates to verify at least once every 12 months that they have deployed technical safeguards required by the rule.

‘Unrealistic’ Expections

The MGMA, a professional association of medical practice administrators and other leaders, is calling on the Trump administration to rescind the proposed rule “because, as written, it would impose significant financial and administrative burdens on medical groups that would threaten their sustainability,” said Anders Gilberg, MGMA senior vice president of government affairs.

“The proposed rule includes complex new requirements, removes the Security Rule’s prior flexibilities, and imposes unrealistic deadlines requiring substantial time, money and personnel investments,” Gilberg told Information Security Media Group.

“Most importantly, the proposed rule is inefficient for both government and the private sector and does not effectively improve cybersecurity in the healthcare industry,” he said.

The proposed update to the HIPAA security rule from HHS’ Office for Civil Rights was issued at the tail end of a Biden administration that over its four years experienced a steady and unsettling rise in the volume of major health data breaches – especially those involving hacking incidents such as ransomware.

That included the February 2024 ransomware attack on UnitedHealth Group’s Change Healthcare IT services unit that disrupted the business and clinical processes of thousands of healthcare entities for months and resulted in a health data compromise affected a record-breaking 190 million individuals (see: Change Healthcare’s Mega Attack: 1 Year Later).

The proposed update to the HIPAA security rule is open to public comment until March 7. A causal look by ISMG at some of 1,919 comments submitted online to the federal government as of Thursday appeared to show a heavy criticism of the proposal.

“There is significant resources needs to achieve this level of cybersecurity,” wrote a commenter from Northeast Georgia Health System. “In our system we would need at least four times the compute power alone. What has been proposed would be impossible to achieve for most health systems who are under financial strain to serve all patients regardless their ability to pay.”

“This is overly burdensome to small medical practices and will put them out of business and have a dangerous impact,” said a comment submitted by the Nephrology Associates of Syracuse.

Still, some industry groups were not nearly as negative about the proposals. DirectTrust, is a nonprofit, vendor-neutral alliance that developed standards around a “trusted” secure messaging protocol in healthcare, wrote that it “supports the notion that it is time to update the HIPAA Security Rule in order to ‘raise the floor’ of expectations for regulated entities.”

But DirectTrust’s main complaints – similar to other commenters – focused on the likely heavy cost of compliance – especially for smaller healthcare entities – as well as the tight timeline.

“DirectTrust believes the compliance date of 180 days after the final rule is published may be too aggressive for many organizations to comply,” the alliance said. “We recommend that 360 days would be more reasonable, especially for certain requirements that are new or require additional time to appropriately implement.”

Other Proposals

Back in December 2023 – nearly a year before the Biden administration released the HIPAA Security Rule updates, HHS issued a concept paper describing 10 voluntary “essential” and 10 “enhanced” cybersecurity performance goals for the healthcare sector (see: Feds Wave Sticks, Carrots at Health Sector to Bolster Cyber).

HHS soon after floated the idea of issuing regulations that would make the CPGs new requirements for many hospitals. But HHS never ended up doing that before the Biden administration left office.

The essential CPGs include security controls such as multifactor authentication and strong encryption, while the enhanced CPGs include network segmentation and asset inventory.

“The HHS CPGs were developed with the industry – however; the security rule proposal didn’t meaningfully incorporate them,” said Chelsea Arnone, director of federal affairs at CHIME, an association of healthcare CIOs and CISOs.

“It also went way beyond what the essential and enhanced CPGs would have required. We supported the CPGs, with a step-wise approach to meeting them that is accompanied by funding for those that are in need. That’s not what we saw with this proposal,” she said.

Many of the proposed new HIPAA security rule requirements would be overly burdensome without a corresponding increase in meaningful ways to strengthen and enhance the sector’s cybersecurity posture, she said.

“I could see our members being supportive of an approach that ensures current cybersecurity best practices are reflected, while maintaining flexibility to adapt to evolving threats, while avoiding redundant or conflicting requirements that may complicate compliance rather than improve security outcomes,” she said.

“We are hopeful that the Trump administration will engage with our members and other industry experts to ensure feasibility and alignment with real-world cybersecurity operations.”

HHS did not immediately respond to ISMG’s request for comment on the groups’ letter.

Besides CHIME and MGMA, the other groups signing the letter to the administration include the American Health Care Association, the Association of American Medical Colleges, the Federation of American Hospitals, the Health Innovation Alliance and the National Center for Assisted Living.