Association expresses opposition to proposed HIPAA cybersecurity rule

A coalition of organizations representing clinicians, providers and health care stakeholders, including the ADA, sent a letter Feb. 17 expressing unified opposition to the proposed Health Insurance Portability and Accountability Act Security Rule.
The College of Healthcare Information Management Executives also sent a separate letter March 7 that referenced the earlier joint letter. The letter was a regulatory comment submitted to the U.S. Department of Health and Human Services via regulations.gov. The organization said that the proposed rule, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, “raises substantial questions of fact, law and policy that warrant careful consideration.”
The Health Insurance Portability and Accountability Act Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The proposed security rule would place a financial strain on hospitals and health care systems, increase health care costs for patients, and stifle innovation in health care, according to the group.
“This has the very real potential to threaten the financial stability of the American health care system, which is already under considerable pressure,” the group said in the joint letter, addressed to President Donald Trump and Robert F. Kennedy Jr., secretary of the U.S. Department of Health and Human Services.
The coalition goes on to state that the Biden administration estimated the proposal would cost $9 billion in the first year and $6 billion in years two through five.
“Collectively, based on experience of our combined memberships, we believe that this is still a woefully inadequate estimate — and does not account for the significant costs to the federal government,” the group said.
The coalition said the proposed rule is extremely inefficient for the government and private sector, will cause significant burden without improving cybersecurity, and conflicts with existing law that requires Health and Human Services to consider a regulated entity’s adoption of recognized security practices when enforcing the security rule.
“Yet, this proposed regulation fails to address or incorporate that legal requirement, directly contradicting existing statute,” the group said.
The coalition further warned that the proposal could force rural hospitals and smaller health care providers to close or cut services due to its high compliance costs.
Additionally, the coalition said substantial and meaningful security investments are already being made, with health care providers continuously investing in robust data security and cybersecurity. There is a need for increased federal support in resources, according to the group, not additional mandates that divert time and funding from patient care.
The group urged the administration to reconsider the regulation and rescind it as soon as possible. It expressed support for a “more balanced approach” that addresses cybersecurity concerns without imposing excessive burdens on the health care sector.
“Working together through the rulemaking process is just one way we can accomplish our shared goals and make meaningful changes in cybersecurity and health care,” the group said. “We are deeply committed to enhancing cybersecurity but strongly believe that a collaborative and thoughtful approach is necessary to achieve this goal.”