Providers urge HHS to scrap proposed HIPAA Security Rule updates

Over 100 provider organizations signed a letter urging HHS to rescind its proposed updates to the HIPAA Security Rule and instead work with the industry to develop cybersecurity standards.

More than 100 hospital systems, provider organizations and associations urged HHS Secretary Robert F. Kennedy, Jr., to rescind Biden-era proposed updates to the HIPAA Security Rule. Led by the College of Healthcare Information Management Executives, or CHIME, the organizations sent a letter to HHS asking it to instead conduct a collaborative outreach initiative to develop actionable cybersecurity standards without increasing regulatory burden. 

In January 2025, the HHS Office for Civil Rights (OCR) proposed changes to the HIPAA Security Rule to clarify HIPAA's requirements and refine its provisions. The proposed updates called for more stringent controls to combat the increasing volume of cyberattacks and data breaches against the healthcare sector. 

Specifically, the proposed changes would require healthcare organizations to conduct more granular risk analyses and create a technology asset inventory and network map to be revised annually. Other proposed updates included mandating multi-factor authentication and requiring entities to scan for vulnerabilities every six months. 

The public comment period for the proposed update closed in March, and OCR said at the time that it would begin reviewing the comments and factoring them into any revisions. 

In the letter, CHIME and its fellow signees emphasized that they value HIPAA and the safeguards it provides. However, the organizations argued that the proposed rule would place substantial financial burdens on providers and hold them to unreasonable implementation timelines. 

"The Proposed Rule runs counter to President Trump's robust deregulatory agenda," the letter noted. "We support updating cybersecurity standards for health care, and they must be flexible enough to accommodate the wide range of provider organizations. Standards should set strong protections while allowing innovation so providers can respond effectively to evolving cybersecurity risks." 

Rather than taking a regulatory approach, the organizations suggested developing a policy with providers and patients in mind that fits seamlessly into clinical workflows and adapts to emerging threats. The provider organizations and associations pledged to work with the Trump administration to develop these policies. 

"CHIME members are deeply committed to protecting patient data and strengthening cyber resilience," Russell Branzell, president and CEO of CHIME, said in an accompanying press release.  

"Our members are not asking for less security -- they are asking for smarter policy. This proposal would impose rigid technical mandates that add cost and complexity without meaningfully improving cybersecurity. We urge HHS to withdraw the rule and work with providers on a flexible, risk-based approach that meaningfully strengthens patient safety." 

Cleveland Clinic, Yale New Haven Health System, WakeMed Health and Hospitals, Advocate Health and the American Academy of Pediatrics were among the organizations that signed the letter. 

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.