Dive Brief:
- More than 100 provider organizations are urging the Trump administration to drop a proposed update to the HIPAA security rule that aims to boost healthcare cybersecurity.
- The update, which would require organizations and their business associates to keep security policies in writing, as well as review, test and update them regularly, was first released under the Biden administration in 2024, weeks before President Donald Trump took office.
- In a letter sent to HHS Secretary Robert F. Kennedy Jr. this week, the provider groups argue the HHS should immediately withdraw the regulation, which would create “substantial new financial burdens” with “unreasonable implementation timelines.”
Dive Insight:
The letter, led by the College of Healthcare Information Management Executives and signed by organizations including Advocate Health, Yale New Haven Health System and the American Medical Association, argues that the HIPAA proposal clashes with the Trump administration’s deregulatory plans.
Since taking office, Trump has moved to halt Biden-era rules and limit the creation of new regulations without removing existing rules in a bid to cut red tape for industry.
However, the proposed HIPAA update hasn’t been withdrawn, and provider groups wrote Monday that they are worried about the regulatory burden associated with the rule. Organizations would have to comply with many of its requirements 180 days after the rule is finalized.
Instead of moving ahead with the proposal, the providers urged the Trump administration to “conduct a collaborative outreach initiative” to develop more practical cybersecurity standards.
“We support updating cybersecurity standards for health care, and they must be flexible enough to accommodate the wide range of provider organizations,” they wrote. “Standards should set strong protections while allowing innovation so providers can respond effectively to evolving cybersecurity risks.”
The proposed rule would be the first HIPAA security rule update since 2013, the Biden administration said at the time. It aimed to clarify and provide more specifics on how healthcare organizations and their business associates need to protect health data.
The proposal included a number of reforms, including requiring healthcare organizations to create a technology asset inventory and a network map detailing how protected health information moves through their systems, new specifics on how to conduct risk analyses, and stronger requirements on how organizations should plan for security incidents.
Cyberattacks have become a critical concern for the healthcare sector. The attacks can derail typical operations, shutting off access to key technology, delaying care and forcing hospitals to divert emergency cases.
In early 2024, an attack on UnitedHealth-owned payment processor and technology firm Change Healthcare roiled the industry for weeks. The incident ultimately exposed data from nearly 193 million people — the largest healthcare breach ever reported to federal regulators.