Medical Groups Ask HHS for HIPAA Cyber Rule Overhaul
The Department of Health and Human Services should withdraw the Biden administration’s proposed Health Insurance Portability and Accountability Act (HIPAA) Security Rule and issue less onerous regulations for healthcare cybersecurity, medical groups said in comments.
The Biden administration proposed updates to the HIPAA Security Rule in January, and comments were due March 7. The Security Rule was published in 2003 and last revised in 2013. HHS sought changes in response to increases in cyberattacks against the healthcare sector. The proposed rule contemplates new standards for annual risk assessments, encryption mandates, multi-factor authentication requirements, cyber incident response deadlines and compliance audits. The proposal includes a potential requirement for regulated entities to restore critical electronic information systems and data within 72 hours of an attack.
President Donald Trump has launched several deregulation initiatives and a regulatory freeze to reconsider the previous administration’s rules. HHS didn’t comment Friday on whether the department is reconsidering the Security Rule proposal.
The American Medical Association asked HHS to withdraw the rule because it’s “misaligned with President Trump’s emphasis on deregulation” and doesn’t account for healthcare providers of varying sizes. The rule drew more than 4,500 submissions, including thousands of identical comments from American Psychological Association members claiming the proposed changes would be “especially challenging, if not financially infeasible” for smaller offices.
The proposed rule lacks flexibility, said AMA: If adopted, “federal cybersecurity standards applicable to multibillion-dollar health plans and clearinghouses will continue to be the same as those that apply to rural medical providers.” The Security Rule should account for “the potential attack surface of a regulated entity” and the “possible impact of a breach on industry disruption.”
The Texas Medical Association asked HHS to consider a national cybersecurity approach that doesn’t “require every single business, regardless of size, to do all the heavy lifting.” TMA called the proposal a “gross over-expansion of the original HIPAA legislation.” TMA suggested the rule focus on covered entities and businesses that impact more than 1 million people.
As the healthcare industry evolves, so must the protections for electronic protected health information (ePHI) and the information systems used to manage the data, said HHS in the proposal. There are evolving risks associated with cloud services, connected medical devices and associated networks, it added. Many of the cyber breaches the department has investigated show the attacks could have been avoided if regulated entities had fully implemented Security Rule provisions, it said. The department contends the proposed update is “flexible and scalable.”
University of Iowa Health Care submitted comments citing the potential compliance burdens associated with requirements for encryption, multi-factor authentication, 72-hour system restoration, network segmentation and installation of anti-malware systems. Requiring multi-factor authentication in secure spaces like operating rooms “would be very burdensome to staff and net very little additional security for data,” the organization said.