Healthcare Groups Ask for Proposed HIPAA Security Rule to be Rescinded
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) for HIPAA Security Rule updates in December 2024. The proposed changes came down in the final weeks of the Biden presidency, leaving the status of the Proposed Rule undetermined. Since then, a group of healthcare organizations has teamed up to ask for the proposed HIPAA Security Rule to be rescinded, claiming unreasonable timelines, financial strains on hospitals and healthcare systems, and that the Proposed Rule will stifle innovation in the industry.
In February 2025, the organizations listed below sent a letter to President Trump and the new HHS Secretary Robert Kennedy Jr. asking for the proposed HIPAA Security Rule updates to be immediately rescinded.
- College of Healthcare Information Management Executives (CHIME)
- America’s Essential Hospitals
- American Health Care Association
- Association of American Medical Colleges
- Federation of American Hospitals
- Health Innovation Alliance
- Medical Group Management Association
- National Center for Assisted Living
In the letter sent to President Trump and HHS Secretary Robert Kennedy Jr., the organizations raised the following objections to the proposed rule changes:
Costs and Regulatory Burden
These organizations pointed to the proposal’s Regulatory Impact Analysis (RIA), which states that if the Rule is adopted, it “would impose mandates that would result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of more than $183 million in any one year.” These organizations believe the costs would be significantly higher, potentially reaching billions of dollars when accounting for the entire healthcare ecosystem.
Inefficient for Government and Private Sector
These organizations claim that the Proposed Rule is inefficient for both the government and the private sector. They believe the complexity and scope of the requirements would necessitate substantial investments in time, resources, and personnel to achieve compliance. They also claim that imposing additional regulatory burdens on rural hospitals would have an inadvertent and devastating impact on these providers and their patients.
Significant Burden Without Improving Cybersecurity
These organizations also argue that the proposed measures do not effectively address the evolving cybersecurity threats faced by the healthcare sector, which would lead to a significant expenditure of resources without any benefit in terms of enhanced security. They claim that the regulation would result in slower response times to cyber incidents and decreased overall efficiency, making hospitals and healthcare providers, especially smaller and rural ones, more vulnerable to attacks rather than more secure.
A Commitment to Security Investments
These organizations argue that providers are continuously investing in robust data security and cybersecurity and will continue to do so without this Proposed Rule. They also claim that additional resources will be more valuable than new mandates in their efforts to defend themselves against foreign and domestic cybercriminals.
Conflicts with Existing Law
These organizations argue that the Proposed Rule imposes numerous new mandates without acknowledging P.L. 116-321, a law that requires HHS to consider a regulated entity’s adoption of recognized security practices. In the letter to the President, they claim that the Proposed Rule fails to address and/or incorporate that legal requirement, directly contradicting existing statutes.
Do we need an updated HIPAA Security Rule?
CompliancePoint believes the requirements outlined in the Proposed HIPAA Security Rule update are practices that should be considered basic cybersecurity practices in 2025. An argument can be made that if the healthcare industry had been more proactive in implementing basic security practices, HHS might not have been compelled to push the Proposed Rule through. It is discouraging to see industry organizations pushing back against what are considered basic cybersecurity practices, especially given the steep increase in breaches of protected health information, which have affected an estimated 82% of the population of the United States.
The Proposed Rule addresses some significant risks that continue to impact the security of PHI. For example, the Proposed Rule requires providers to assess the security of their business associates and third-party vendors/partners. It is worth noting that the 2024 HIMSS Healthcare Cybersecurity Survey found that only 31% of the providers surveyed had a fully implemented risk management program, yet data breaches reported in 2024 showed that at least 80% of the breaches were related to business associates. The Proposed Rule also provides guidance on the performance of security risk assessments, something that has been required by HIPAA since the Security Rule was implemented in 2005. Yet, in all five of the settlement agreements reached as of February 26, 2025, failing to conduct a risk assessment was noted as a contributing factor.
Unfortunately, past experience indicates that without a more forceful regulatory push, ePHI will remain at risk. In the HIMSS survey, 45% of respondents indicated they did not expect their budget to increase in 2025, even as we face unprecedented risks to ePHI. Implementing security measures that decrease the risk of breaches should receive more emphasis.
CompliancePoint has a team of professionals dedicated to helping healthcare organizations achieve their cybersecurity and privacy goals, including HIPAA compliance. Reach out to us at connect@compliancepoint.com to learn more about our healthcare services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.