
HHS should withdraw OCR's proposed HIPAA Security Rule, healthcare organizations say

High regulatory burdens and costs to comply would not be feasible, particularly for smaller and rural hospitals, potentially diverting resources away from patient care or forcing closures.
By Andrea Fox , Senior Editor

The healthcare organizations asking the U.S. Department of Health and Human Services to withdraw the proposed HIPAA Security Rule update say electronic protected health information does need greater protection in today's cybersecurity threat environment.  


The College of Healthcare Information Management Executives, the American Medical Association, and other healthcare providers and organizations are urging the U.S. Department of Health and Human Services to withdraw its proposed HIPAA Security Rule update.

WHY IT MATTERS

The proposed update to strengthen the cybersecurity of electronic protected health information fails to account for "information technology complexities of modern health care delivery organizations" and also suggests an unreasonable implementation timeline, according to the Dec. 8 letter to HHS Secretary Robert F. Kennedy Jr.

The group, which includes health systems from SSH Health in Massachusetts to the Cleveland Clinic, Stanford Medicine Children's Health and many others, said the proposal's one-size-fits-all approach leaves no room for flexibility.

However, they stated that they do support an update of HIPAA standards to address today's cybersecurity risks. 

Any update to the HIPAA Security Rule, they said, needs to accommodate the wide range of provider organizations and their varying technical capabilities and resources, and the current proposal should be withdrawn immediately.

The group encouraged HHS to conduct a collaborative outreach initiative with them and other regulated healthcare entities to develop more robust protections of individuals' health information.

"Our organizations share a firm conviction of the importance of the Health Insurance Portability and Accountability Act of 1996, and the cybersecurity safeguards it provides," they said in their letter. 

"However, the proposed rule would place substantial new financial burdens on healthcare providers and includes unreasonable implementation timelines that make it difficult to reconcile with the information technology complexities of modern healthcare delivery organizations."

THE LARGER TREND

According to an agency fact sheet released ahead of the Notice of Proposed Rulemaking last year, the proposal aligned with the agency's Healthcare Sector Cybersecurity concept paper.

The goals, HHS stated at the time in that concept paper, align with the HHS 405(d) Program and the Health Sector Coordinating Council Cybersecurity Working Group's Healthcare Industry Cybersecurity Practices, as well as the National Institute of Standards and Technology Cybersecurity Framework and the Cybersecurity and Infrastructure Security Agency's National Cybersecurity Strategy.

ON THE RECORD

"We urge you to withdraw the proposed rule; our organizations stand ready to work with the Trump Administration to ensure that we develop a more innovative approach and address cybersecurity concerns without imposing excessive burdens on the healthcare sector," the healthcare organizations said in their letter. "We remain deeply committed to enhancing cybersecurity policies collaboratively and thoughtfully." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.