HIPAA Security Rule Updates

Seven industry groups co-signed a letter to President Trump and HHS Secretary Robert F. Kennedy, Jr., requesting they rescind the proposed HIPAA Security Rule update filed by the Biden administration in December.

The College of Healthcare Information Management Executives (CHIME), the Medical Group Management Association (MGMA), and five other healthcare associations stated they are “unified” in their opposition to the proposed HIPAA Security Rule, arguing that the costs and burden of implementing the changes would be “staggering.”

The groups cited Trump’s executive order entitled “Regulatory Freeze Pending Review,” stating that the proposal raises questions of efficiency, fact, and law.

“We urge the administration to reconsider this Biden-era regulation, rescind it as soon as possible, and engage with the organizations listed [on the letter] to develop a more balanced approach – one that addresses cybersecurity concerns without imposing excessive burdens on the healthcare sector.”

In addition to CHIME and MGMA, the American Health Care Association, the Association of American Medical Colleges, the Federation of American Hospitals, the Health Innovation Alliance, and the National Center for Assisted Living are the other groups that signed the letter.

The industry groups that signed the letter agree that cybersecurity is important and offer to work with the administration on less burdensome solutions for the healthcare sector.

Notably, the American Medical Association (AMA) and the American Hospital Association (AHA) are not part of the group. Both have expressed concerns about the burdens of the proposed HIPAA update, but separately from this letter.

Security Rule Update History

The proposed HIPAA Security Rule update was filed in the last weeks of the Biden administration, after several years of a steady and troubling rise in healthcare data breaches.

The largest was the February 2024 ransomware attack on UnitedHealth Group’s Change Healthcare IT system. For months, this attack disrupted thousands of healthcare entities’ business and clinical processes, compromising health data for a record-breaking 190 million individuals nationwide.

Another driver of the update is the growth in electronic health record use over the 20-year history of the Security Rule (80% of physicians’ offices and 96% of hospitals as of 2021). HHS’s position is that healthcare entities must update their cybersecurity practices to match this shift.

HHS Signaled Security Rule Update for a Year

About a year before the Security Rule update was filed, HHS published a cybersecurity strategy describing 10 voluntary “essential” and 10 “enhanced” cybersecurity performance goals (CPGs) for the healthcare sector. Then, in February 2024, HHS and the National Institute of Standards and Technology (NIST) published a revised guide on Security Rule compliance. Under the proposed Security Rule update, many of the voluntary CPGs would become mandatory.

The proposed update is open to public comment until March 7, 2025. After evaluating the comments, HHS may revise the update in part or rescind it entirely. Revising the proposal could take many months, so a final rule is unlikely this year.

Stay the Course and Follow HIPAA

Whether the proposed Security Rule update is rescinded or revised, the existing HIPAA rules already require sound cybersecurity practices. Start with an annual Risk Analysis, follow a Risk Management plan year-round, and train the workforce in HIPAA essentials and cybersecurity awareness.

The voluntary “essential goals” set out in the original concept paper form a sound basis for strong cybersecurity:

  • mitigating known vulnerabilities;
  • using email security, multi-factor authentication, strong encryption, and incident response planning;
  • separating user and privileged accounts;
  • addressing vendor and supplier risk; and
  • offering cybersecurity training to employees.

The HIPAA E-Tool® is a one-stop shop for everything needed to remain HIPAA compliant. From policies to Risk Analysis, to training and answers to all your questions, you stay up-to-date and in charge of your success.
