More than 100 healthcare organizations are calling on HHS to withdraw the proposed HIPAA Security Rule update and pursue a collaborative approach to cybersecurity standards.


A coalition of healthcare organizations led by the College of Healthcare Information Management Executives (CHIME) is urging the US Department of Health and Human Services (HHS) to withdraw a proposed update to the HIPAA Security Rule, citing concerns about cost, feasibility, and implementation timelines.

In a letter dated Dec 8, 2025, and addressed to HHS Secretary Robert F. Kennedy Jr, the organizations opposed the Office for Civil Rights’ (OCR) Notice of Proposed Rulemaking titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, which was proposed on Jan 6, 2025.

“The undersigned organizations, representing a broad range of clinicians, providers, and other health care stakeholders nationwide, have united to oppose” the proposed rule, the letter states. The coalition called on HHS to withdraw the rule “without further consideration” and instead pursue a collaborative outreach process with regulated entities.

While reaffirming support for HIPAA and the importance of cybersecurity safeguards, the organizations wrote that the proposed rule “would place substantial new financial burdens on health care providers and includes unreasonable implementation timelines that make it difficult to reconcile with the information technology complexities of modern health care delivery organizations.”

The letter also referenced broader federal regulatory priorities, stating that the proposed rule “runs counter to President Trump’s robust deregulatory agenda.” According to the signatories, updates to cybersecurity standards should be flexible enough to account for the wide range of healthcare organizations while still allowing providers to adapt to evolving cyber threats.

“Cybersecurity is a patient safety issue,” the letter states. The coalition argued that effective cybersecurity policy must be developed with providers and patients to ensure protections integrate into clinical workflows, adapt to emerging risks, and safeguard both care delivery and patient trust.

In closing, the organizations urged HHS to withdraw the proposed rule and expressed willingness to work with the administration on alternative approaches. “Our organizations stand ready to work with the Trump Administration to ensure that we develop a more innovative approach and address cybersecurity concerns without imposing excessive burdens on the health care sector,” the letter states.

The letter was signed by more than 100 organizations, including national medical societies, hospital systems, provider associations, and healthcare IT groups.
