
Healthcare leaders push back against new HIPAA cybersecurity rule


On February 21, 2025, the Association of American Medical Colleges (AAMC), along with several other healthcare organizations, sent a letter urging the Trump administration to rescind the Biden administration’s proposed rule titled “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.”


What happened

The proposed regulation, published by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the Federal Register on January 6, 2025, aimed to strengthen the safeguards for electronic protected health information (ePHI) in response to growing cyber threats and large-scale data breaches affecting millions of Americans. However, the AAMC and other stakeholders raised concerns about the rule’s financial impact.

Specifically, the signatories argued that compliance costs would be staggering: HHS’s own estimate for the rule was about $9 billion in the first year and $6 billion annually thereafter. A separate letter, dated February 17, 2025, and addressed to President Donald J. Trump and HHS Secretary Robert F. Kennedy, Jr., echoed these concerns, arguing that the regulation’s unreasonable implementation timeline and unfunded mandates would place a severe financial strain on hospitals, especially in rural areas, potentially leading to reduced patient access and higher healthcare costs.

The letter further warned that the rule would stifle innovation in healthcare and conflict with Public Law 116-321, signed by President Trump on January 5, 2021, which requires HHS to consider whether a healthcare entity has had recognized security practices (such as the NIST Cybersecurity Framework or the HHS 405(d) Health Industry Cybersecurity Practices) in place for the prior 12 months when determining fines, audit results, and other remedies under the HIPAA Security Rule.

The letter called for the immediate rescission of the proposed rule and urged the administration to engage with healthcare stakeholders in developing a more balanced approach to strengthening cybersecurity without imposing excessive burdens on the healthcare sector. Comments were due by March 7, 2025.


Going deeper

The main points of the proposed rule include:

  • All ePHI must be encrypted at rest and in transit, with only limited exceptions, to prevent unauthorized access.
  • Multifactor authentication is required to strengthen access controls.
  • Regulated entities must conduct a compliance audit at least once every 12 months to verify adherence to the Security Rule.
  • Organizations are required to segment networks to limit the spread of an intrusion.
  • Entities must perform a thorough, documented risk analysis of threats and vulnerabilities to ePHI, supported by an inventory of technology assets and a network map.
  • Business associate agreements must reflect the updated security requirements.
  • The distinction between “required” and “addressable” implementation specifications is removed, so all specifications become required, with specific, limited exceptions.
  • The rule encourages adopting standards consistent with frameworks such as the NIST Cybersecurity Framework.

What was said

The letter specifically states, “Despite our diverse perspectives, we stand together in our belief that this proposal should be rescinded immediately, for reasons discussed below. The combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems…This has the very real potential to threaten the financial stability of the American healthcare system, which is already under considerable pressure.”


FAQs

Why is the HIPAA Security Rule necessary?

The Security Rule is designed to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) by requiring covered entities and their business associates to implement administrative, physical, and technical safeguards.


What kinds of safeguards must be implemented?

The Security Rule mandates administrative, physical, and technical safeguards. Administrative safeguards cover policies and procedures, risk analysis and management, workforce training, and contingency planning. Physical safeguards cover facility access controls, workstation security, and device and media handling. Technical safeguards cover access control, audit controls, integrity protection, person or entity authentication, and transmission security.


What is the difference between addressable and required specifications?

Required specifications must be implemented by all covered entities, while addressable specifications require an assessment to determine whether they are reasonable and appropriate for the entity's specific situation. “Addressable” does not mean optional: if the entity decides a specification is not reasonable and appropriate, it must document why and implement an equivalent alternative measure where one is reasonable and appropriate. The proposed rule would remove this distinction and make all specifications required, with limited exceptions.