
The clash highlights a fundamental tension between regulatory ambition and operational feasibility, potentially reshaping compliance strategies and investment priorities in health‑care IT.
The HHS proposal arrives at a moment when ransomware attacks—most notably the Change Healthcare breach affecting 190 million patients—have exposed the fragility of health‑care data pipelines. By expanding patch‑management mandates, MFA requirements, and network‑segmentation controls, the updated HIPAA Security Rule seeks to bring the sector in line with modern cyber‑risk realities. However, the regulatory draft assumes a one‑to‑two‑hour rollout for complex controls, a timeline that clashes with the 24/7 patient‑care mandate and legacy system constraints that dominate most hospitals.
Industry reaction has coalesced around a broad coalition led by the College of Healthcare Information Management Executives (CHIME). Members argue that a 60‑day post‑publication compliance window, followed by a 180‑day full implementation period, ignores the extensive testing, workflow redesign, and contract renegotiation required for Business Associate Agreements. For large health systems, updating MFA across thousands of clinical workstations or re‑architecting network segmentation can span weeks to months, not hours. The financial burden—especially for rural clinics and under‑funded hospitals—has prompted calls for a more realistic schedule and for HHS to collaborate directly with providers.
The dispute underscores a larger policy dilemma: how to enforce robust security without crippling health‑care delivery. Proponents of the rule point to the 2013 HIPAA baseline, which no longer reflects today’s threat landscape. Yet critics suggest that a risk‑based, phased rollout—potentially tied to the Health Care Cybersecurity and Resilience Act, which pairs mandates with grant funding—could achieve the same security outcomes with fewer disruptions. As regulators, vendors, and providers negotiate the final shape of the rule, the outcome will influence capital allocation, cyber‑insurance pricing, and the overall resilience of the U.S. health‑care ecosystem.