More than 100 health systems and other provider organizations “have united to oppose” cybersecurity and privacy regulations proposed back in January.
The groups, corralled by the College of Healthcare Information Management Executives, wrote the Department of Health and Human Services this week, warning that the financial burdens and “unreasonable implementation timelines” outlined by the prior administration run counter to President Donald Trump’s deregulatory agenda.
“This rule … should be immediately withdrawn without further consideration,” the groups wrote in their letter. “We instead encourage HHS to conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that healthcare providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”
Major organizations that signed onto the letter include the American Medical Association, the Federation of American Hospitals, the Association of American Medical Colleges, the American Health Care Association/National Center for Assisted Living and several specialty-based associations. Among the health system signatories were Advocate Health, Christus Health, Cleveland Clinic, Inova Health, Orlando Health, SSM Health and Yale New Haven Health System.
HHS said back in January that its proposed rule would be the first significant update to the Health Information Portability and Accountability Act (HIPAA) Security Rule since 2013. The department, via its Office for Civil Rights, proposed updating the administrative, technical and physical safeguards expected of HIPAA-covered entities, as well as an organization’s ability to recover in the event of a safety breach.
Other portions propose updates to various term definitions, including a clarification that “all” electronic protected health information is subject to the rule, and float a six-month effective compliance date from its finalization.
The updates, HHS said at the time, are necessary considering the substantial changes in technology over the past decade, as well as recent years’ upticks in cyberattacks and security breaches.
The provider groups, in this week’s letter, cited the same complexities of modern healthcare IT as evidence against the proposed rule’s tight implementation timeline. They told HHS they “share a firm conviction in the importance” of HIPAA and support cybersecurity standards updates, but argued they “must be flexible enough to accommodate the wide range of provider organizations. Standards should set strong protections while allowing innovation so providers can respond effectively to evolving cybersecurity risks.”
Industry representatives have made similar pleas directly to federal lawmakers, alongside calls to preempt patchwork state privacy laws with a national standard. Such an industry-preferred approach may have emerged this past week with the introduction of a bipartisan bill that would change HHS’ existing cybersecurity protocols and provide guidance, training and infrastructure grants for healthcare delivery organizations.