Industry Groups Urge Trump to Rescind Proposed HIPAA Rule
Several industry associations, including the Medical Group Management Association (MGMA) and the College of Healthcare Information Management Executives (CHIME), cosigned a letter dated February 17 urging the current administration to rescind updates to the HIPAA Security Rule that were proposed in December 2024.
The notice of proposed rulemaking (NPRM) contained more prescriptive controls and would potentially require HIPAA-covered entities to conduct annual audits, develop an asset inventory and network map, and bolster risk management protocols, Jill McKeon reported for TechTarget on February 25.
“The rule would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis,” Healthcare Innovation’s David Raths reported on December 28.
In the letter, the groups appealed to President Donald Trump and Secretary Robert F. Kennedy, Jr., citing the economic impact of the proposed rule. “Increased costs for compliance would lead to higher healthcare costs for patients, reduced investment in other critical areas, and devastate patient access – particularly in rural America. The economic ripple effect could extend beyond healthcare, affecting related industries and the broader economy.”
“The stringent requirements and the rapid implementation timeline could hinder the development and adoption of new technologies and practices that are essential for improving patient care and operational efficiency,” the letter further stated.
“[W]e recognize the importance of protecting not only the patients we care for – but their health information – and are dedicated to working with you and your administration to develop effective and sustainable solutions that foster a strong cybersecurity posture without unfunded mandates that will only serve to detract from our ability to make needed investments,” the letter concluded.
“While this (the proposed bill) is a good start, it is not enough to help smaller, cash-strapped healthcare organizations implement and maintain cybersecurity standards continuously…. The healthcare sector needs stronger resources and financial support for smaller hospitals and healthcare provider groups,” Steve Cagle, CEO of Nashville-based Clearwater, told Healthcare Innovation in a recent interview about the proposed removal of limits on HIPAA fines, an element of HISAA (the Health Infrastructure Security and Accountability Act, which amends HIPAA).