WASHINGTON, DC - As the Department of Government Efficiency (DOGE) continues its efforts to eliminate wasteful spending and excessive regulation, a proposed rule put in place by the previous administration, the “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information,” published in the Federal Register on January 6, 2025, serves as a key example of a burdensome mandate that risks imposing significant financial and operational strain on the healthcare sector.
When President Trump took office on January 20, 2025, one of the first actions he took by executive order was a “Regulatory Freeze Pending Review.” In a letter to the president, Russell P. Branzell, President and CEO of CHIME, the College of Healthcare Information Management Executives, asked him to consider the above executive order in overturning Biden’s proposed regulation.
Branzell writes that “the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges” while noting that “unfunded mandates associated with this regulation would place an undue financial strain on hospitals and healthcare systems.”
Branzell reasons that since the healthcare sector is such a vital part of the national economy, the financial burdens placed by Biden’s executive order would have “far-reaching consequences,” including increased costs for compliance that would be passed on to patients. It would also have the residual effect of reducing investment in other critical areas and would significantly impact patient access, “particularly in rural America.” Finally, the economic aftershocks “could extend beyond healthcare, affecting related industries and the broader economy.”
Beyond that, CHIME believes that Biden’s order “will stifle innovation in healthcare.”
“The stringent requirements and the rapid implementation timeline could hinder the development and adoption of new technologies and practices that are essential for improving patient care and operational efficiency,” Branzell wrote. “Beyond that, it conflicts with an existing law, supported by CHIME, which you passed under your first administration. This has the very real potential to implode the American healthcare system, which is already under considerable pressure.”
Among issues CHIME and Branzell raised include:
- Significant workforce dissatisfaction for healthcare providers and the teams that enable their care delivery: The proposed rule would exacerbate workforce dissatisfaction among healthcare clinicians and providers, as well as the health IT professionals and others who support them. The additional administrative burden and compliance requirements will lead to increased stress and burnout, further straining an already overburdened workforce.
- Staggering costs and regulatory burden: The financial implications of this proposed rule are overwhelming. The proposal’s Regulatory Impact Analysis (RIA) states, in part, that if adopted, it “would impose mandates that would result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of more than $183 million in any one year [emphasis added].” However, we believe the actual costs would be significantly higher, potentially reaching billions of dollars when considering the entire healthcare ecosystem.
- Extremely inefficient for government and private sector: The proposed rule is extremely inefficient for both the government and the private sector. The complexity and scope of the requirements would necessitate substantial investments in time, resources, and personnel to achieve compliance, diverting attention and funds away from other critical areas.
- Significant costs without improving security: Despite the significant costs associated with the proposed rule, we do not believe it will result in meaningful improvements to security. The proposed measures do not effectively address the evolving cyber security threats faced by the healthcare sector, leading to significant expenditure of resources without commensurate benefits in terms of enhanced security.
- Substantial and meaningful security investments are already being made: Healthcare providers are continuously investing in robust data security and cybersecurity and will continue to do so without overly prescriptive, heavy handed, and burdensome regulation. When cybercriminals–often operating from hostile nation-states, including the People’s Republic of China–target American healthcare providers, we need increased federal support and resources, not additional mandates that divert critical time and funding away from patient care.
- Conflicts with existing law: This rule imposes new mandates without acknowledging P.L. 116-321, which [President Trump] signed into law on January 5, 2021. This law, which CHIME supported and continues to support, explicitly requires the Department of Health and Human Services (HHS) to consider a regulated entity’s adoption of recognized security practices when enforcing the Security Rule. Yet, this proposed regulation fails to address or incorporate that legal requirement, directly contradicting existing statute.
CHIME is asking President Trump to engage with stakeholders to work collaboratively to implement “a more balanced approach that addresses cybersecurity concerns” while at the same time not “imposing excessive burdens on the healthcare sector.”
“CHIME recognizes the importance of protecting not only the patients we care for–but their health information–and are dedicated to working with you and your administration to develop effective and sustainable solutions that foster a strong cybersecurity posture without unfunded mandates that will only serve to detract from our ability to make needed investments.”
In a similar letter addressed to both President Trump and HHS Secretary Kennedy and copied to Russel Vought, Director of the Office of Management and Budget (OMB), and Elon Musk, Chair of the Department of Government Efficiency (DOGE), CHIME was joined in asking the president to rescind Biden’s order by a number of organizations, including America’s Essential Hospitals, the American Dental Association, the American Health Care Association, the Association of American Medical Colleges, the Federation of American Hospitals, the Health Innovation Alliance, the Medical Group Management Association, and the National Center for Assisted Living.
Law Enforcement Today reached out to Mr. Branzell, who told us that the impact of Biden’s order would have a detrimental effect both in a bureaucratic sense as well as a financial one that could “be devastating to the health systems” that are out there.
Branzell said Biden’s order was an “unnecessary unfunded mandate” and amounted to significant “government overreach.” He said the order would have an economic impact of “multiple billions of dollars” on the healthcare system. He said the order will increase costs for consumers. He said health insurers only make margins of around 12%, so any additional costs would have to be passed on.
As expected, Branzell confirmed that Biden’s goal was to create a bigger government bureaucracy requiring “significantly increased government manpower to implement, enforce, and manage” the program. In other words, this mandate runs counter to President Trump’s goal of reducing the size of government and getting rid of unelected bureaucrats.
Hopefully, President Trump, HHS Secretary Robert F. Kennedy Jr., and Trump’s administration work together with CHIME to accomplish this critical task.
Comments