Healthcare Groups Warn Trump: Kill This Cybersecurity Rule Before It Costs Us a Fortune

HIPAA Update

Over 100 provider organizations just sent a message to the new administration. They want this Biden-era regulation to go.

More than 100 healthcare organizations are begging the Trump administration to scrap a proposed cybersecurity rule they say will drain their budgets and force impossible deadlines on an already struggling industry.

The rule in question? A major update to HIPAA security standards that dropped in the final weeks of the Biden administration.

What’s Got Everyone So Worried?

The proposed regulation would force healthcare organizations and their business partners to put all their security policies in writing, then constantly review, test, and update them. Sounds reasonable on paper, but provider groups say it’s a regulatory nightmare wrapped in substantial new financial burdens with unreasonable implementation timelines.

In a letter fired off to HHS Secretary Robert F. Kennedy Jr. this week, the groups didn’t mince words: withdraw this thing immediately.

The letter was led by the College of Healthcare Information Management Executives and backed by heavy hitters like Advocate Health, Yale New Haven Health System, and the American Medical Association.

Why This Clashes With Trump’s Plan

Trump came into office swinging at Biden-era regulations. His whole approach has been cutting red tape, halting old rules, and making sure any new regulation means getting rid of existing ones first.

So why is this HIPAA update still hanging around? That’s exactly the issue. Provider groups thought it would get axed along with everything else from the previous administration, but it’s still on the table. And if it goes through, organizations would have just 180 days after finalization to comply with most of the requirements.

Here’s What Will Actually Happen

This would be the first update to HIPAA security rules since 2013. The Biden administration argued healthcare needed clearer, more specific requirements for protecting patient data in 2024.

  • Technology asset inventory and network mapping: Organizations would need to create detailed maps showing exactly how protected health information moves through their systems. Every device, every connection, every pathway.
  • Beefed-up risk analysis requirements: New specifics on how to conduct security risk assessments. Not just doing them, but doing them the right way with documentation to prove it.
  • Stronger incident response planning: More robust requirements for how organizations prepare for and respond to security breaches.
  • Written policies for everything: All security measures would need to be documented in writing and regularly updated.

The whole package aims to close gaps that hackers have been exploiting for years.

 

The Cyberattack Problem Is Real And Is Getting Worse

Nobody’s arguing that healthcare cybersecurity isn’t a massive problem. It absolutely is.

Cyberattacks on healthcare have become a crisis. They shut down hospitals, block access to critical systems, delay patient care, and force emergency rooms to turn away ambulances. People’s lives are literally at stake.

The biggest example? An early 2024 attack on Change Healthcare, a payment processor and tech firm owned by UnitedHealth, absolutely wrecked the industry for weeks.

That single incident exposed data from nearly 193 million people. It’s the largest healthcare data breach ever reported to federal regulators. The fallout crippled billing systems nationwide and left providers scrambling.

What Providers Want In Order To Be Secure

The healthcare groups aren’t saying “don’t regulate us at all.” They’re saying this specific approach is the wrong one.

Instead of jamming through this proposal with its tight timelines and massive costs, they want the Trump administration to “conduct a collaborative outreach initiative” to develop cybersecurity standards that actually work in the real world.

“We support updating cybersecurity standards for health care, and they must be flexible enough to accommodate the wide range of provider organizations,” they wrote in Monday’s letter. “Standards should set strong protections while allowing innovation so providers can respond effectively to evolving cybersecurity risks.”

Let’s work together on rules that protect patients without bankrupting hospitals and clinics or forcing cookie-cutter solutions on organizations of wildly different sizes and resources.

The Deregulation Wildcard

This situation puts the Trump administration in an interesting spot. On one hand, the president has made killing Biden-era regulations a signature move. On the other hand, healthcare cybersecurity is a legitimate national security and patient safety issue that can’t be ignored.

Provider groups are betting Trump’s deregulatory instincts will win out, especially when they’re arguing the rule conflicts with his broader agenda of cutting red tape and easing burdens on industry.

The Ending Note

For now, the proposed rule hasn’t been withdrawn, which means it’s technically still moving forward. The comment period has passed, and unless the Trump administration acts, it could be finalized and enforced.

If that happens, healthcare organizations across the country will have to scramble to meet requirements within 180 days—a timeline the groups say is simply not realistic given the scope and cost of the changes required.

The ball is in RFK Jr.’s court. Does he pull the plug on a Biden regulation that healthcare groups hate, or does he let it ride because cybersecurity is too important to ignore?

Either way, MIPS healthcare organizations are making it clear: they want better cybersecurity standards, just not these ones, and definitely not on this timeline.

 


Article By Prime Well Med Solutions
