STAT News – Friday, March 7, 2025
By Katie Palmer
After yet another record year for health data breaches, updated federal security rules to protect patient information are on the table in 2025. Patients and providers have long complained that HIPAA, or the Health Insurance Portability and Accountability Act, is ill-suited to protect patients’ sensitive health data in the digital age — and in January, the Department of Health and Human Services proposed updated regulations to protect against the growing threat of cyberattacks.
But in thousands of public comments, health systems and providers have pushed back aggressively against the suggested changes to the security rule. The stricter requirements, in their view, would threaten the financial viability of medical practices, especially small ones, and could even delay patient care.
“It’s frankly a blizzard of very technical requirements, which I think would understandably be intimidating and frightening to anything but the largest health care systems,” said David Blumenthal, who was national coordinator for health information technology under the Obama administration, of the proposed HIPAA security rule. “It does raise significant issues about whether small practices and small institutions can effectively protect patient privacy in the new age we’re living in.”
Many commenters threw the onus of patient privacy on big technology vendors and health IT intermediaries, which have been the source of some of the largest and most damaging cyberattacks. The American Medical Association, in a comment from CEO James Madara, pointed to the absurdity of applying the same cybersecurity measures to a small practice and an enormous health data clearinghouse like Change Healthcare, whose hack last year led to the breach of data from at least 100 million individuals.
“In a small physician practice, the person who answers the phone is often the same person in charge of compliance,” wrote Madara, yet they “are subject to the very same cybersecurity standards.”
Under the deregulatory priorities of the Trump administration, said Blumenthal, it’s not unlikely that the proposed rule would be rolled back. “The government has a choice: It can either create strong incentives to implement effective security and leave the details to the providers, or it can lay down a very complicated menu of specific requirements,” he said. With the proposed rule, “clearly the government went in the latter direction.”
Among many updates, the proposed HIPAA security rule from HHS’ Office for Civil Rights suggests two new technical provisions: requirements for multi-factor authentication and for encryption of electronic protected health information at rest and in transit, both with limited exceptions. It also would establish new timelines for cyber incident response and prevention, including written plans to restore affected systems and data within 72 hours of an incident and a one-hour deadline to cut off a departing employee’s access to patient data once their employment ends.
Multi-factor authentication, which requires a second proof of identity beyond a password (a code from a personal device, an app approval, or a hardware token) to complete a system log-in, is a standard security measure that wasn’t enabled on the remote-access server the attackers used to get into Change. Many comments on the proposed rule agreed it was a vital tool to protect health information. “There are some basic elements of data hygiene that are absolutely essential, and that should be manageable,” said Blumenthal: “One of them is two factor authentication.”
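The two provisions above (MFA on every workforce account, and access terminated within one hour of an employee’s departure) are the kind of thing a practice would have to prove to an auditor. The following is an added example, not code from the STAT article, HHS or any vendor: a small audit script that joins a constructed identity-provider export to a constructed HR termination feed and reports active accounts with no enrolled second factor, plus departed workers whose access was disabled late or never. The record fields, account names, timestamps and the one-hour deadline constant are assumptions for the example; a real check would pull the same data from the IdP’s user and factor APIs and the HR system.

```python
"""Added example (not from the article, HHS/OCR or any product): audit two of the
proposed rule's provisions against constructed identity-provider and HR records.
Field names, sample accounts and timestamps are assumptions for the example."""
from datetime import datetime, timedelta, timezone

ONE_HOUR = timedelta(hours=1)  # the proposed access-termination deadline

# Constructed IdP export: one row per workforce account.
IDP_ACCOUNTS = [
    {"user": "jdoe",    "active": True,  "mfa_factors": ["totp"], "disabled_at": None},
    {"user": "asmith",  "active": True,  "mfa_factors": [],       "disabled_at": None},
    {"user": "rlee",    "active": False, "mfa_factors": ["push"], "disabled_at": "2025-03-03T17:40:00Z"},
    {"user": "mkhan",   "active": False, "mfa_factors": ["totp"], "disabled_at": "2025-03-04T12:05:00Z"},
    {"user": "tnguyen", "active": True,  "mfa_factors": ["totp"], "disabled_at": None},
]

# Constructed HR feed: UTC time each departed worker's employment ended.
HR_TERMINATIONS = {
    "rlee":    "2025-03-03T17:00:00Z",  # disabled 40 min later: within the hour
    "mkhan":   "2025-03-04T09:00:00Z",  # disabled 3 h 5 min later: late
    "tnguyen": "2025-03-05T08:00:00Z",  # account still active: never disabled
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accounts_missing_mfa(accounts):
    """Active accounts with no enrolled second factor, sorted by user name."""
    return sorted(a["user"] for a in accounts if a["active"] and not a["mfa_factors"])


def late_terminations(accounts, terminations, deadline=ONE_HOUR):
    """Departed workers whose access outlived the deadline.

    Returns {user: seconds past the deadline}; the value is None when the
    account was never disabled (still active, or no disable timestamp)."""
    by_user = {a["user"]: a for a in accounts}
    findings = {}
    for user, term_str in terminations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # HR lists a worker the IdP has no account for: nothing to cut off
        if acct["active"] or acct["disabled_at"] is None:
            findings[user] = None  # never disabled: the worst case
            continue
        lag = parse_ts(acct["disabled_at"]) - parse_ts(term_str)
        if lag > deadline:
            findings[user] = int((lag - deadline).total_seconds())
    return findings


if __name__ == "__main__":
    for u in accounts_missing_mfa(IDP_ACCOUNTS):
        print(f"NO MFA: {u}")
    for u, excess in late_terminations(IDP_ACCOUNTS, HR_TERMINATIONS).items():
        print(f"LATE TERMINATION: {u} ({'never disabled' if excess is None else f'{excess}s over'})")
```

The termination check treats a missing disable timestamp as the most serious finding rather than skipping it, since an account that HR considers gone but the IdP still shows as active is exactly the gap the one-hour deadline is meant to close.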
But some commenters claimed that the proposed implementations left too much room for authentication to interfere with timely patient care — a plausible concern to anyone who’s waited, toes tapping, for a text to come through with the six-digit code to get into their account. “Requiring authentication each time a physician opens a patient record or enters a new room could delay the physician from engaging directly and attentively with the patient,” wrote Ross Hilliard, chair of the medical informatics committee for the American College of Physicians, especially in care settings where clinicians frequently share workstations.
Other commenters worried that encryption standards would make it harder to share patient data with external partners like labs and pharmacies, and that certain health care data standards, like DICOM for medical images, don’t currently support encryption.
But a more dominant concern was the threat to medical practices’ bottom lines. “OCR has admitted that the costs associated with implementing the proposed regulatory changes are astronomical,” wrote the American College of Allergy, Asthma & Immunology in a comment. The proposed rule would give covered entities 180 days from the effective date of the final rule to come into compliance, which many commenters suggested would be impossible.
That could be especially true for smaller medical practices, which came out in force to object to the proposed rule. The American Psychological Association rallied its members, many of whom operate in small or solo practices, to fight back against new restrictions, flooding the Federal Register with nearly identical comments.
“While it is imperative to protect patients’ electronic health records, most threats are faced by large corporations like hospitals and insurance companies, not practices like mine,” wrote Sara Eldridge, a therapist with a small group practice. “The labor and cost of implementing this rule would be prohibitive to our practice and would likely have little impact on patient privacy.”
Some providers expressed frustration that they were being held accountable for a problem created by the electronic health records incentivized by 2009’s HITECH Act. All the consolidated medical information in electronic format has made health systems a prime target for cyberattackers, some wrote, without the government providing enough resources to go after criminals or support cybersecurity efforts for under-resourced practices.
“Instead of unfunded mandates, rural providers need resources to help them achieve cybersecurity preparedness,” wrote Alan Morgan, CEO of the National Rural Health Association. Others, including the Health Business Management, called on HHS to focus on enforcing compliance with existing guidance before adding more restrictions. The agency’s Office of Inspector General recently reported that OCR has not conducted HIPAA audits since 2017, relying on covered entities to self-report breaches.
Patients likely see the proposed rule differently. Several anonymous commenters were frustrated by health care providers’ buck-passing. “It’s deeply concerning to see how many clinics and medical professionals have submitted comments expressing more concern about the cost of protecting medical records than about safeguarding their patients’ privacy,” wrote one commenter.
To them, the reasoning behind the proposed privacy updates is still intact: “HIPAA is not protection and is no longer enough,” wrote another anonymous commenter. Even with enhanced systems to protect patients’ medical records, HIPAA “is a fig leaf in the modern era,” said Blumenthal. “It covers something. And it’s appropriate for the profession to do its part, and for the hospitals and other facilities to do their part. But the government needs to step up.”