
MGMA, CHIME ask Trump to rescind proposed HIPAA Security Rule

Several industry groups signed a letter to the Trump administration asking it to rescind the proposed HIPAA Security Rule updates, citing high costs and regulatory burden.

Prominent industry groups cosigned a letter to President Donald Trump and HHS Secretary Robert F. Kennedy Jr. urging the administration to rescind updates to the HIPAA Security Rule that were proposed in December 2024, during the Biden administration.

Eight industry associations, including the College of Healthcare Information Management Executives, the Medical Group Management Association, the American Health Care Association and the Health Innovation Alliance, signed the letter.

The proposed rule signified the most substantive updates to the HIPAA Security Rule in over a decade. The nearly 400-page notice of proposed rulemaking (NPRM) contained more prescriptive controls and would potentially require HIPAA-covered entities to conduct annual compliance audits, develop an asset inventory and network map and bolster risk management protocols.

HHS estimated that the first-year costs will total approximately $9 billion, and years two through five will cost the sector an estimated $6 billion per year.

"The combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems," the letter to the Trump administration stated.

The groups urged the Trump administration to rescind the proposal immediately, citing cost concerns and regulatory burden. Specifically, the groups appealed to Trump's executive order entitled "Regulatory Freeze Pending Review," stating that this proposal raises questions about efficiency, fact and law.

The Biden administration's $9 billion first-year estimate is a "woefully inadequate estimate," according to the letter's authors. They said the estimate would increase greatly when government costs are added in.

What's more, the groups raised concerns about the efficiency of enacting a rule that they believe simply increases complexity for the sector while hampering innovation.

"This regulation would result in slower response times to cyber incidents and decreased overall efficiency, making hospitals and healthcare providers -- especially smaller and rural -- more vulnerable to attacks, rather than more secure," the letter continued.

According to these industry groups, "substantial and meaningful security investments are already being made," and those investments will continue to grow without "overly prescriptive, heavy handed, and burdensome regulation."

The NPRM is open for public comments until March 7, 2025. The Trump administration's focus on reexamining regulations and outspoken critics of the proposed rule make the rule's future uncertain.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
