In early January, the Department of Health and Human Services Office of Civil Rights (HHS OCR) issued a proposed rule titled "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information." AHCA/NCAL submitted a comment letter on March 7, acknowledging the importance of cybersecurity stewardship but opposing the proposed rule as written and requesting that it be rescinded. The letter detailed how the unfunded, disproportionate, one-size-fits-all burden and cost impact on AHCA/NCAL members would divert critical resources away from patient care, and asked the OCR to consider an alternative compliance approach that scales requirements to the risk profile of the HIPAA-regulated entities. Additionally, AHCA/NCAL requested that the OCR adopt a more flexible implementation timeline based on cybersecurity risk, digital maturity, and resource availability. AHCA/NCAL has also coordinated comment efforts with other impacted organizations to jointly voice opposition to the proposed rule. These include:
- College of Healthcare Information Management Executives (CHIME) February 17, 2025 coalition letter requesting the proposed rule be rescinded.
- Long-Term Post-Acute Care Health Information Technology (LTPAC HIT) Collaborative March 7, 2025 coalition letter.
Overview of the Proposed Rule
The proposal includes dozens of policy changes affecting health plans, clearinghouses, providers, and their business associates. It would significantly expand cybersecurity compliance requirements across entities that store health information electronically, including SNFs, ALs, and ID/DD providers, with 30 regulatory standards and nearly 100 implementation specifications spanning administrative, physical, and technical safeguards requirements. Additionally, the proposed rule would require all regulated entities to be in full compliance within 240 days of finalization. OCR estimates the new unfunded compliance costs will be at least $9 billion for year one, and $6 billion over the following years. Impacted stakeholders have voiced concerns that the impact would be significantly greater.