HIMSS Calls for New Approach to Cybersecurity in HIPAA Security Rule Comments

In public comments HIMSS submitted to the US Department of Health and Human Services, HIMSS called for the HHS Office for Civil Rights to consider different approaches to make security, risk assessment and documentation requirements more scalable to the security needs of small practices and practices caring for rural and underserved communities and their business associates.   

HIMSS comments , made in response to OCRs HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, recommended that OCR convene a wide array of regulated entities, including significant representation from small clinician practices, critical access hospitals, federally qualified health centers and Tribal health providers, to receive feedback on appropriate and scalable use of multi-factor authentication, encryption, risk assessments and other tools to effectively protect electronic protected health information.  

HIMSS suggested that OCR leverage the 2024 HIMSS Healthcare Cybersecurity Survey Report for insights into how regulated entities view security best practices.  

HIMSS also recommended that any updates to the Security Rule should: 

• Leverage the NIST Cybersecurity Framework 2.0 and the HHS Cybersecurity Performance Goals Essential Goals as guideposts, while noting that the Enhanced CPGs were not scalable to small, under-resourced regulated entities 
• Be scalable to the risk-level and resource capacity of each kind of regulated entity 
• Allow larger and well-resourced regulated entities to provide technical support and tools to smaller entities with resource challenges leveraging Physician Self-Referral exception and Anti-Kickback Safe Harbor enacted by Congress in 2023 
• Hold business associates more accountable for protecting ePHI while meeting requirements scaled to their unique security needs 
• Not go into effect until at least 18 months following the publication of a final rulemaking codifying the new requirements 

HIMSS made these recommendations after receiving very concerned feedback from a wide array of members, including leading security experts, health system leaders and developers indicating that the new requirements would create significant additional administrative burden and hardware costs.  

Requiring encryption of emails indicating a patient had a secure message, documenting failed attempted security breaches and prescriptive requirements for conducting inventories of technology assets and penetration testing were particularly targeted as adding burden with little additional value in protecting ePHI. 

Join policy professionals, industry experts and healthcare innovators to discuss these recommendations and more at The 2025 HIMSS Global Health Conference and Exhibition, taking place March 3-6 in Las Vegas.