The HIMSS Electronic Health Record (EHR) Association has responded to the proposed HIPAA Security Rule update by urging the Office for Civil Rights (OCR) to factor in the time EHR developer companies will need when setting compliance timelines and requirements, so that EHR developers can meet expectations without disrupting essential health IT services.
In February, seven organizations, including the College of Healthcare Information Management Executives (CHIME), the Association of American Medical Colleges, the Federation of American Hospitals, and the Medical Group Management Association, sent a letter to the Department of Health & Human Services asking that the proposed rule be rescinded. They said the “unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems.”
It is not clear yet whether the Trump Administration will follow through with the rule proposed under the Biden Administration.
The EHR Association, which has 27 member companies, prepared an analysis that shows that the compliance effort would require 12,572 hours—more than 314 person-weeks—which is in addition to the hours OCR estimated for covered entities and group health plan sponsors.
The EHR Association also stressed that continuing to offer flexibility in the finalized policies will be essential to avoid adding excessive or unmanageable burden for smaller organizations that may have only a few staff members (and, in some cases, may not have even one team member focused on compliance with the security rule).
The association also recommended clarifying several definitions in the final rule. For instance, it suggested aligning the definition of “Security Incident” with NIST standards to ensure consistency in cybersecurity incident response expectations across different contexts. Additionally, it suggested removing or clarifying references to “attempted” breaches to avoid unnecessary reporting burdens for routine network activity, such as pings, which do not constitute meaningful security threats. Instead, the definition should focus on concerted efforts to breach or compromise a system, ensuring that compliance efforts are directed toward addressing genuine security risks.
Regarding business associate contracts, the EHR Association recommends that OCR provide specific examples of what constitutes sufficient “assurances” in Business Associate Agreements (BAAs), such as ISO certifications, SOC 2 Type II reports, or similar industry-recognized security attestations. Clear guidance on acceptable assurance methods would streamline compliance efforts for regulated entities and business associates while ensuring consistent security expectations across the healthcare ecosystem, the association said.
To help regulated entities balance security and system efficiency, OCR should provide clear guidance on appropriate encryption levels within a system, given the multiple layers where encryption can be applied, the group said. This would enable organizations to meet compliance obligations while optimizing costs and system performance, avoiding unnecessary expenditures on additional hardware or capacity.