Washington, DC

CHIME-led Stakeholder Letter to Trump Administration Requesting HIPAA Proposal Rescission

Date

Mon, Feb 17, 2025, 06:00 AM





February 17, 2025


President Donald J. Trump

The White House

1600 Pennsylvania Avenue NW

Washington, DC 20500


Secretary Robert F. Kennedy, Jr.

U.S. Department of Health & Human Services

200 Independence Avenue SW

Washington, DC 20201


RE: Request for Rescission of Biden Administration’s Proposed Regulation on HIPAA Security


Dear President Trump & Secretary Kennedy,


The undersigned organizations, representing a broad range of clinicians, providers, and other healthcare stakeholders nationwide, write to you today to express our unified opposition to the proposed HIPAA Security Rule. Firstly, we look forward to continuing to be a trusted stakeholder and resource to you and continuing to deepen the long-standing relationship we have shared.


However, we all share deep concerns regarding the Biden administration's proposed regulation from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) titled “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” as published in the Federal Register on January 6, 2025. As stated in your Executive Order “Regulatory Freeze Pending Review,” we believe that this proposal raises substantial questions of fact, law, and policy that warrant careful consideration. Despite our diverse perspectives, we stand together in our belief that this proposal should be rescinded immediately, for reasons discussed below.


The combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems.


Additionally, the economic impact of this proposed rule cannot be overlooked or overstated. The healthcare sector is a significant contributor to the national economy, and the financial burden imposed by these new requirements could have far-reaching consequences. Increased costs for compliance would lead to higher healthcare costs for patients and reduced investment in other critical areas, and would devastate patient access – particularly in rural America. The economic ripple effect could extend beyond healthcare, affecting related industries and the broader economy.


Furthermore, if this proposal moves forward, we strongly believe that it will stifle innovation in healthcare. The stringent requirements and the rapid implementation timeline could hinder the development and adoption of new technologies and practices that are essential for improving patient care and operational efficiency. Additionally – it conflicts with an existing law, which you passed under your first administration. This has the very real potential to threaten the financial stability of the American healthcare system, which is already under considerable pressure.


  • Staggering costs and regulatory burden: The financial implications of this regulation are staggering. The proposal’s Regulatory Impact Analysis (RIA) states, in part, that if adopted, it would impose mandates that would result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of more than $183 million in any one year [emphasis added].” However, we believe the actual costs would be significantly higher, potentially reaching billions of dollars when considering the entire healthcare ecosystem. The Biden administration publicly estimated that this proposal “would cost an estimated $9 billion in the first year, and $6 billion in years two through five.”[2] Collectively, based on experience of our combined memberships, we believe that this is still a woefully inadequate estimate — and does not account for the significant costs to the federal government.


  • Extremely inefficient for government and private sector: The proposed rule is extremely inefficient for both the government and the private sector. The complexity and scope of the requirements would necessitate substantial investments in time, resources, and personnel to achieve compliance, diverting attention and funds away from other critical areas. Imposing additional regulatory burdens on rural hospitals would have an inadvertent and devastating impact on these providers and the patients they serve.


  • Significant burden without improving cybersecurity: Despite the significant costs associated with the proposed rule, we do not believe it will result in meaningful improvements to security. The proposed measures do not effectively address the evolving cybersecurity threats faced by the healthcare sector, leading to a significant expenditure of resources without commensurate benefits in terms of enhanced security. This regulation would result in slower response times to cyber incidents and decreased overall efficiency, making hospitals and healthcare providers – especially smaller and rural – more vulnerable to attacks, rather than more secure.


  • Substantial and meaningful security investments are already being made: Healthcare providers are continuously investing in robust data security and cybersecurity and will continue to do so without overly prescriptive, heavy-handed, and burdensome regulation. When cybercriminals – often operating from hostile nation-states including the People’s Republic of China, Iran, and other non-cooperative foreign jurisdictions – target American healthcare providers, we need increased federal support and resources, not additional mandates that divert critical time and funding away from patient care. Critically, these attacks pose an imminent risk to our national defense. Bringing down a hospital or multiple healthcare delivery organizations (HDOs) at once is a risk for the nation, and it shakes the confidence and trust of everyday Americans, which is precisely what hostile nation-states intend – they are looking to exact physical, financial, and psychological harm.


  • Conflicts with existing law: This rule imposes numerous new mandates without acknowledging P.L. 116-321, which you signed into law on January 5, 2021. This law explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the Security Rule. Yet, this proposed regulation fails to address or incorporate that legal requirement, directly contradicting existing statute.


We urge the administration to reconsider this Biden-era regulation, rescind it as soon as possible, and engage with the organizations listed below to develop a more balanced approach – one that addresses cybersecurity concerns without imposing excessive burdens on the healthcare sector. Working together through the rulemaking process is just one way we can accomplish our shared goals and make meaningful changes in cybersecurity and healthcare. We are deeply committed to enhancing cybersecurity but strongly believe that a collaborative and thoughtful approach is necessary to achieve this goal.


Additionally, we recognize the importance of protecting not only the patients we care for – but their health information – and are dedicated to working with you and your administration to develop effective and sustainable solutions that foster a strong cybersecurity posture without unfunded mandates that will only serve to detract from our ability to make needed investments.


Thank you for your attention to this critical matter. We look forward to working with you to find a solution that achieves a strengthened cybersecurity posture for our sector and safeguards patient information. Should you have any questions or if we can be of assistance, please contact Chelsea Arnone, Director, Federal Affairs at [email protected].


Sincerely,


College of Healthcare Information Management Executives (CHIME)

America's Essential Hospitals

American Health Care Association

Association of American Medical Colleges

Federation of American Hospitals

Health Innovation Alliance

Medical Group Management Association

National Center for Assisted Living


cc: The Honorable Russell Vought

Mr. Elon Musk, Chair, Department of Government Efficiency
