Healthcare groups urge HHS to withdraw proposed HIPAA Security Rule changes

Written by Farah Amod | Dec 23, 2025 1:54:27 AM

More than one hundred provider organizations say the proposal would impose unworkable cybersecurity mandates.

What happened

The College of Healthcare Information Management Executives and more than one hundred hospital systems, provider organizations, and healthcare associations submitted a joint letter urging the Department of Health and Human Services to withdraw its proposed update to the HIPAA Security Rule. According to reporting by Healthcare IT News, the signatories argue that the proposal introduces prescriptive cybersecurity requirements and implementation timelines that many healthcare organizations cannot reasonably meet.

Going deeper

The HIPAA Security Rule was designed to be technology-neutral when it was finalized in 2002, allowing covered entities and business associates to adapt safeguards over time without frequent regulatory revisions. In December 2024, HHS issued a Notice of Proposed Rulemaking that would revise the rule by introducing detailed cybersecurity controls and documentation requirements. Many of these measures reflect practices that were not widely available or affordable when the rule was originally written. The proposal followed the release of voluntary cybersecurity performance goals, which HHS had previously indicated could later become mandatory. Industry groups say the transition from voluntary guidance to binding regulation occurred too quickly and without sufficient consideration of operational complexity.

What was said

In their December 8, 2025, letter to HHS Secretary Robert F. Kennedy, Jr., the organizations said the proposed rule would impose substantial financial and technical burdens on healthcare providers, particularly given existing staffing shortages and competing patient care demands. The letter called on HHS to pause the rulemaking process and instead engage in collaborative development of cybersecurity standards that are practical, achievable, and aligned with clinical workflows. While acknowledging that cybersecurity is directly tied to patient safety, the groups said a cooperative approach would better support long-term improvements than rigid mandates.

The big picture

The pushback comes as federal officials continue to argue that the HIPAA Security Rule no longer reflects today’s threat environment. According to Reuters, the federal government has been pressing for stronger baseline cybersecurity requirements across healthcare, citing the need to modernize protections that “have not kept pace with current threats.” Deputy National Security Advisor Anne Neuberger told Reuters that “the security rule was last revised in 2013, so this update is long overdue,” adding that “encryption and other measures are critical to protecting patient data from being leaked or misused.” Neuberger estimated that adopting the updated rule could cost providers about $9 billion in the first year and roughly $6 billion over the following four years, but warned that “the cost of inaction is far greater,” because weak controls leave patients and healthcare systems exposed to escalating cyber risk. Provider organizations do not dispute the need for stronger security, but argue that the proposed rule’s prescriptive requirements and timelines conflict with the flexible, risk-based approach the HIPAA Security Rule was originally designed to support.

FAQs

Why are provider organizations opposing the proposed rule?

They say the requirements are overly prescriptive, costly, and difficult to implement within the proposed timelines, especially given the operational constraints of healthcare environments.

Does the opposition mean providers reject stronger cybersecurity?

No. The groups broadly agree that cybersecurity must improve and that it affects patient safety, but they want standards developed collaboratively and applied flexibly.

What are cybersecurity performance goals?

They are voluntary guidelines issued by HHS to help healthcare organizations improve resilience against common cyber threats.

Why does timing matter for this proposal?

Providers argue that rapid implementation does not account for legacy systems, staffing constraints, and the need to align security controls with patient care workflows.

What could happen next?

HHS could proceed with the rule, revise it based on feedback, or withdraw it and pursue a new approach that incorporates provider input before reissuing updates.