On February 21, 2025, the Association of American Medical Colleges (AAMC), along with several other healthcare organizations, sent a letter urging the Trump administration to rescind the Biden administration’s proposed rule titled “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.”
The proposed regulation, published by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in the Federal Register on January 6, 2025, aimed to enhance cybersecurity measures for electronic protected health information (ePHI) in response to growing cyber threats and large-scale data breaches affecting millions of Americans. However, the AAMC and other stakeholders raised concerns about the rule’s financial impact.
The concern was primarily cost: HHS's own estimate in the proposed rule put compliance at $9 billion in the first year and $6 billion annually thereafter. A separate letter, dated February 17, 2025, and addressed to President Donald J. Trump and HHS Secretary Robert F. Kennedy, Jr., echoed these concerns, arguing that the regulation's implementation timeline was unreasonable and that its unfunded mandates would place a severe financial strain on hospitals, especially in rural areas, potentially reducing patient access and raising healthcare costs.
The letter further warned that the rule would stifle innovation in healthcare and conflict with Public Law 116-321, signed by President Trump on January 5, 2021, which requires HHS to consider a healthcare entity’s adoption of recognized security practices when enforcing HIPAA rules.
The letter called for the immediate rescission of the proposed rule and urged the administration to engage with healthcare stakeholders in developing a more balanced approach to strengthening cybersecurity without imposing excessive burdens on the healthcare sector. Comments were due by March 7, 2025.
The main points of the proposed rule include:
The letter specifically states, “Despite our diverse perspectives, we stand together in our belief that this proposal should be rescinded immediately, for reasons discussed below. The combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems…This has the very real potential to threaten the financial stability of the American healthcare system, which is already under considerable pressure.”
The existing Security Rule (45 CFR Part 164, Subpart C) protects electronic protected health information (ePHI) by requiring covered entities and their business associates to implement administrative, physical, and technical safeguards. Administrative safeguards are the policies and procedures that govern how ePHI is handled, including risk analysis, workforce training and sanctions, and contingency planning; physical safeguards cover facility access and the workstations and devices that hold ePHI; technical safeguards cover access control, audit controls, integrity, authentication, and transmission security.
Each standard carries implementation specifications that are either required or addressable. Required specifications must be implemented by every covered entity. Addressable specifications are not optional: the entity must assess whether the specification is reasonable and appropriate in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where reasonable and appropriate. The January 2025 proposed rule would have removed this distinction and made the specifications required, with limited exceptions, which is a large part of why the affected organizations objected to its cost and timeline.