
Industry Continues to Push Back on HIPAA Security Rule Overhaul


Opposition is building as industry organizations weigh in on the public comment period for proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

In January 2025, the US Department of Health and Human Services (HHS) announced its proposed update to HIPAA, intended to strengthen cybersecurity in light of intensifying, damaging attacks and data breaches against the healthcare sector. The HIPAA Security Rule applies to electronic protected health information and addresses a multitude of concerns: patch management, asset control requirements, compliance audits, and security controls such as multi-factor authentication (MFA) and network segmentation.

HHS gave a March 7 deadline for submitting public comments, and organizations did not hold back. Many of the concerns centered on the practicality of implementing the rule, citing both the time constraints and whether the expectations were realistic to begin with.

CHIME Calls for Security Rule to Be 'Immediately Withdrawn'

The latest opposition comes from 100 healthcare organizations nationwide. A coalition letter, led by the College of Healthcare Information Management Executives (CHIME), cited "new financial burdens" and "unreasonable implementation deadlines" as major hurdles with the proposed updates. The rule "should be immediately withdrawn without further consideration."


Last week's letter doesn't mean CHIME and the signatories, which include Yale New Haven Health System and the American Medical Association, don't believe cybersecurity standards for healthcare need to be revised. They urged HHS to collaborate with them and other entities that the rule change would impact to create more realistic standards.

One major area of concern is the compliance deadline, says Chelsea Arnone, director of federal affairs at CHIME. As currently proposed, the deadline for compliance with the rule changes would be 60 days after publication. Regulated entities must comply with the applicable new standards or implementation specifications no later than 180 days from the effective date, Arnone says.

Implementation Challenges Aplenty

The compliance deadline, like many aspects of the proposal, highlights a disconnect between what HHS expects and how cybersecurity in the healthcare sector actually works, experts say. For example, healthcare organizations can't afford the downtime that many updates require, for the simple reason that they must deliver around-the-clock patient care.
