To Comment or Not to Comment: Looking at the Biden Administration’s HIPAA Cybersecurity Proposed Reg - McDermott+


McDermott+ is pleased to bring you Regs & Eggs, a weekly Regulatory Affairs blog by Jeffrey Davis.

January 30, 2025 – One of the Biden Administration’s last healthcare regs was a proposed rule that, if finalized, would make significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). Amid growing cybersecurity breaches, including the Change Healthcare breach that affected more than 100 million individuals, the Administration sought to “better address ever-increasing cybersecurity threats to the health care sector.” The proposed reg includes significant new requirements that would affect both HIPAA covered entities and business associates. A fact sheet on the reg is available here, and our McDermott colleagues have a great summary of the reg with a redline to changes in the HIPAA regulations.

Comments on the reg are due on March 7, 2025. It will be up to the Trump Administration to review comments and decide whether to finalize any of the reg’s proposals or take its own approach to cybersecurity. The Trump Administration’s freeze on new regulations (discussed more in last week’s Regs & Eggs blog post) does not affect proposed regs with an open comment period, so stakeholders are free to comment on this reg until the March 7 deadline. Even if the Trump Administration ultimately takes a different approach, this reg provides an opportunity to inform the new staff about what may or may not work for stakeholders, and whether this is the right direction for regulations in a space that will undoubtedly need to be addressed.

Although the comment period has not yet closed, we have heard some initial reactions from stakeholders. To help me describe these reactions, I’m bringing in my colleague Kristen O’Brien.

  1. “The proposed changes are not tailored to cybersecurity risks.” A major question to consider is whether this reg would actually reduce the risk of another cybersecurity attack. Stakeholders aren’t sure about that answer. Much of the reg’s recommended approach is to document, document, and document again. While “leaving no stone unturned” is one way to address risks, many stakeholders note that the proposed documentation requirements could stretch their resources thin without effectively targeting high-risk areas. Others state that the language in the reg is overly broad and sometimes incomplete, which could cause confusion about how to adhere to the requirements. For example, they point out that some of the technical terms and definitions (including those around “relevant electronic information systems,” “resiliency,” “network map,” “vulnerabilities,” and “critical risk”) are confusing, too vague, or inconsistent with current industry standards. The cost of compliance is already an issue (more on that later), and HIPAA covered entities and business associates comment that the proposals’ ambiguity could cause them to spend even more time and resources trying to meet the new requirements.

    Some stakeholders also comment that addressing cybersecurity issues through modifications to the HIPAA Security Rule alone is an insufficient response. HIPAA only regulates covered entities (healthcare providers, healthcare clearinghouses, and health plans) and their business associates. Non-covered entities, such as consumer health apps and other technology platforms that handle health data outside a covered entity or business associate relationship, don’t need to comply with HIPAA requirements. The role that these HIPAA-exempt organizations play within the healthcare space continues to grow (especially as use of artificial intelligence increases), so stakeholders say it would be prudent to address cybersecurity risks for these entities as well.

  2. “The proposed changes eliminate necessary flexibility to address cybersecurity risks.” The HIPAA Security Rule currently allows covered entities and business associates some flexibility in determining how to best meet so-called “addressable” requirements. This flexibility allows entities, especially smaller ones, to effectively manage their resources while ensuring that they are in compliance. Stakeholders note that the proposed reg would eliminate this flexibility, requiring some entities to significantly alter their cybersecurity risk mitigation practices. Eliminating the flexibility could hamper efforts to lower cybersecurity risk, since some entities could adopt less effective and targeted cybersecurity protocols.
  3. “The proposals would substantially change the relationship between covered entities and business associates.” The reg would add requirements related to covered entities’ arrangements with business associates. One such requirement is to annually obtain written verification that business associates and subcontractors have implemented all required technical safeguards. Covered entities say that this requirement would be extremely burdensome, as many of them have a large number of business associate relationships and would need to spend a long time determining how to obtain and validate the verifications. The proposed reg does not provide guidance on how a covered entity is supposed to obtain written verification. Smaller entities express concern that they may not have the resources to separately verify every business associate’s technical security infrastructure. They could have to outsource this work, which is an added cost.
  4. “The cost of adhering to the requirements would be significant.” As alluded to previously, many stakeholders express concern about the cost of coming into compliance with the proposed requirements. While HHS includes cost and burden estimates for each requirement in the reg, stakeholders say that HHS might have underestimated these costs in many instances, by not appropriately accounting for all the operational changes that many covered entities and business associates would need to make to come into compliance.
  5. “The compliance timelines are not realistic.” Stakeholders state that many of the proposals set aggressive timelines for action that may not be realistic or reflective of current operations. In general, most requirements must be implemented within 180 days of the effective date of the final reg. Business associates have 240 days from the effective date of the final reg to come into compliance with certain requirements. Both of these timelines, in the views of stakeholders, are too short to allow them to make all the system changes and operational investments that would be necessary.

Most stakeholders agree with the reg’s intent – to address real risks to our healthcare system. It is unclear whether the Trump Administration will take a different approach to such a significant issue. Stakeholders who believe the Biden Administration missed the mark may push the Trump Administration to start from scratch and rely more on the already-established HHS Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) when shaping its cybersecurity strategy and issuing cybersecurity-related policies and regs. Some of the proposed policies in this reg do not directly align with the HPH CPGs. Stakeholders may also request that the Trump Administration take a less intrusive approach and not make significant changes to the HIPAA Security Rule, which covered entities and business associates already spend a lot of time and effort trying to follow.

All in all, stakeholders have some qualms with the previous Administration’s last effort to tackle this important issue, but with the changing of the guard (a new administration), these stakeholders now have an opportunity to make their case about the best approach to a new set of ears.

Until next week, this is Jeffrey (and Kristen) saying, enjoy reading regs with your eggs.


For more information, please contact Jeffrey Davis.