HSCC urges consultative process as alternative to HIPAA NPRM

The HSCC CWG urges Trump administration to abandon HIPAA NPRM

The HSCC CWG is a public-private partnership recognized by the government. It consists of an industry council made up of more than 470 healthcare providers, health IT companies, pharmaceutical and medical technology companies and public health and government agencies.

In its policy statement, the HSCC noted that its collaborative work with HHS' 405(d) program on conducting a hospital cybersecurity landscape analysis and crafting sector-wide cybersecurity performance goals (CPGs) already "represent a roadmap for advanced cybersecurity protections."

Both the landscape analysis and the CPGs were published in 2023 and 2024, respectively, long before HHS issued the HIPAA NPRM.

"While we cannot say that these recommended controls are yet as widely adopted as we know they will be with government amplification, leaders in the health sector have forged these recommendations with the recognition that they are affordable, scalable, implementable and effective as a negotiated foundation for a modernized and consensus-based healthcare cybersecurity framework for accountability," the policy statement said.

Considering these recent industry-wide efforts to establish best practices, the HSCC suggested that the HIPAA NPRM "either dismisses these important developments or mischaracterizes their potential for measurable improvement."

What's more, experts are worried about the cost of implementing the NPRM's many provisions.

Some of the NPRM's proposals include requiring covered entities to conduct annualHIPAA Security Rulecompliance audits, develop an asset inventory and network map, tighten compliance time periods and mandate that business associates verify their use of technical safeguards annually.

HHS estimated that the first-year costs will total approximately $9 billion. Years two through five will cost the sector an estimated $6 billion per year. However, several comments posted publicly on the Federal Register from healthcare stakeholders suggest that the department's cost estimates are not realistic, and could ultimately amount to much more.

"A considerable number of the 52 CWG member industry associations that submitted comments representing their constituent members have made their concerns clear in their submissions to HHS about the cost and complexity of implementing the rule and the dubious effectiveness that compliance could achieve at improving security," the policy statement added.

Considering the cost and implementation concerns surrounding the HIPAA NPRM, the HSCC recommended that the Trump administration "suspend any further consideration of the NPRM as written."

This sentiment aligns with that of several other industry groups. In February 2025, eight groups, includingthe College of Healthcare Information Management Executives, the Medical Group Management Association, the American Health Care Association and the Health Innovation Alliance urged the Trump administration to rescind the NPRM.

A potential alternative: Forging a consensus through a consultative process

Rather than moving forward with the NPRM, the HSCC suggested that the administration initiate a series of consultations and workshops with critical healthcare infrastructure owners and operators to reach a consensus on a "modernized policy" for healthcare cybersecurity.

The HSCC cited the National Institute of Standards and Technology's (NIST) work on developing its cybersecurity framework (CSF), which serves as a precedent to the workflow that HSCC is now proposing. A 2013 executive order mandated that NIST lead efforts alongside the private sector to develop the CSF.

"The result was good policy operationalized: the CSF has grown organically over the past 10 years as the guiding reference for essential cybersecurity practices," the policy statement said.

The HSCC suggested that the one-year consultative process would enable it to discern which cybersecurity controls should be mandatory and how to best implement them in a phased approach, keeping resource-strapped entities in mind.

Specifically, the HSCC proposed that leaders convene with government to design a healthcare-specific regulatory framework that maps to CSF.

"A successful consultative process will lead to government promulgating expectations for industry accountability to 'the what' -- measurable cybersecurity outcomes -- and the industry determining 'the how' -- specific governance and technical controls we should be held to," Garcia said during his Apr. 1 testimony before the House Energy and Commerce Oversight and Investigations Subcommittee.

"Then, together, industry and government will be aligned to a framework that is flexible, measurable, accountable and effective, ultimately serving patient safety and infrastructure resilience."

Since the public comment period closed on Mar. 7, 2025, the HHS Office for Civil Rights (OCR) has been reviewing the more than 4,700 comments it received in response to the NPRM. After reviewing and categorizing the comments, OCR will work within HHS to decide on any future rulemaking or actions.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.