
Over 100 Hospital Systems and Provider Associations Call for Withdrawal of Proposed HIPAA Security Rule Update

The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.

The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.

An update to the HIPAA Security Rule was arguably long overdue, given the massive increase in healthcare cyberattacks since the Security Rule was enacted. The proposed update – Notice of Proposed Rulemaking: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information – was issued in late December 2024 and was one of the last actions taken by the HHS under the Biden administration. The update ran to more than 390 pages and mandated new cybersecurity measures that were not widely available or were prohibitively expensive when the Security Rule was enacted.

Prior to issuing the proposed HIPAA Security Rule update, the HHS published two sets of voluntary cybersecurity performance goals (CPGs). The CPGs included a set of high-impact basic measures that healthcare and public health sector organizations could implement to improve resiliency against the most pertinent cyber threats, plus a set of enhanced CPGs to mature their cybersecurity programs. At the time, the HHS warned that while the CPGs would initially be voluntary, rulemaking would follow. Within a year of the release of the CPGs, the HIPAA Security Rule update was proposed, which made many of the voluntary cybersecurity requirements mandatory.

While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.

In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

According to the letter, the proposed Security Rule update would place substantial new financial burdens on HIPAA-regulated entities and had an unreasonable timeline for implementation, given the information technology complexities of modern health care delivery organizations. While the organizations that signed the letter support updating cybersecurity standards and agree that cybersecurity is a patient safety issue, they instead call for the HHS to develop an effective policy with input from providers and patients “to ensure protections fit seamlessly into clinical workflows, adapt to emerging threats, and safeguard both care delivery and patient trust” without imposing excessive burdens on the health care sector.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com