Seven major industry groups - including one representing healthcare CISOs and CIOs - are urging the Trump administration to rescind a proposed update to the 20-year-old HIPAA Security Rule issued in the final weeks of the Biden administration. The groups say the costs and regulatory burden on the healthcare sector to implement the changes would be "staggering."
In a Feb. 17 letter to President Trump and U.S. Department of Health and Human Services Secretary Robert F. Kennedy Jr., the College of Healthcare Information Management Executives, the Medical Group Management Association and five other healthcare associations said they are "unified" in their opposition to the proposed HIPAA Security Rule.
"We urge the administration to reconsider this Biden-era regulation, rescind it as soon as possible, and engage with the organizations listed [on the letter] to develop a more balanced approach - one that addresses cybersecurity concerns without imposing excessive burdens on the healthcare sector," the groups said.
While they acknowledged that the healthcare sector needs a strengthened cybersecurity posture to safeguard patient information, the groups said the requirements and timeline contained in the proposed rulemaking, which was unveiled by the Biden administration in late December 2024 and published on Jan. 6 in the Federal Register, were "unreasonable."
"The unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems," the letter said.
"Furthermore, if this proposal moves forward, we strongly believe that it will stifle innovation in healthcare," they said. "The stringent requirements and the rapid implementation timeline could hinder the development and adoption of new technologies and practices that are essential for improving patient care and operational efficiency."
The proposed regulations are the first major update to the HIPAA Security Rule in more than two decades. If adopted, the changes would convert some high-level recommendations such as deploying encryption and multifactor authentication into requirements.
The long list of other HIPAA Security Rule proposals includes more specificity about how to conduct security risk analysis; mandates for regulated firms to prepare an annual technology asset inventory and network map; and requirements for business associates to verify at least once every 12 months that they have deployed technical safeguards required by the rule.
The MGMA, a professional association of medical practice administrators and other leaders, is calling on the Trump administration to rescind the proposed rule "because, as written, it would impose significant financial and administrative burdens on medical groups that would threaten their sustainability."
The proposed update to the HIPAA Security Rule from HHS' Office for Civil Rights was issued at the tail end of a Biden administration that over its four years experienced a steady and unsettling rise in the volume of major health data breaches - especially those involving hacking incidents such as ransomware.