Hospitals and Industry Associations Urge HHS to Withdraw Proposed Security Rule Update
More than 100 hospital systems, healthcare provider organizations, and industry associations have petitioned the HHS to withdraw the proposed update to the HIPAA Security Rule and instead engage with providers to develop a practical risk-based cybersecurity framework.
The HIPAA Security Rule update – Notice of Proposed Rulemaking: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information – proposed by the HHS’ Office for Civil Rights (OCR) under the Biden administration, has proven unpopular for several reasons – the number of new requirements, the cost and difficulty of implementation, and the relatively short time frame for compliance.
While healthcare organizations are committed to protecting patient data, understand that cybersecurity is a patient safety issue, and support updating cybersecurity standards in healthcare, many disagree with the proposed update. Instead, they believe that standards should set strong protections but with flexibilities to support innovation and accommodate a wide range of different providers.
“The Proposed Rule would place substantial new financial burdens on health care providers and includes unreasonable implementation timelines that make it difficult to reconcile with the information technology complexities of modern health care delivery organizations,” wrote the signatories in the joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr.
The effort is led by the College of Healthcare Information Management Executives (CHIME), which has previously petitioned President Trump to ditch the proposed update, claiming it goes against his pledge of deregulation rather than further regulatory requirements.
“Our members are not asking for less security—they are asking for smarter policy. This proposal would impose rigid technical mandates that add cost and complexity without meaningfully improving cybersecurity,” wrote CHIME. “We urge HHS to withdraw the rule and work with providers on a flexible, risk-based approach that meaningfully strengthens patient safety.”
