More than 100 hospital systems, healthcare provider organizations, and provider associations have signed a joint stakeholder letter led by the College of Healthcare Information Management Executives (CHIME) calling on the U.S. Department of Health & Human Services (HHS) to withdraw its proposed update to the HIPAA Security Rule and instead engage with healthcare providers to develop a more practical, risk-based cybersecurity framework.
The proposal would dramatically expand and fundamentally alter existing federal cybersecurity requirements for hospitals and healthcare providers. While providers firmly agree that cyber safety is patient safety, signatories warn that the rule would impose significant unfunded mandates, require prescriptive technical controls that conflict with modern healthcare IT architectures, and substantially increase documentation, reporting, and compliance burdens for already stretched IT and security teams.
Provider organizations caution that the proposal would drive up costs, require extensive infrastructure redesigns, and divert limited resources away from patient care and frontline operations. Healthcare organizations have already made significant investments in cybersecurity and resilience. However, the proposal’s rigid, one-size-fits-all requirements could ultimately undermine providers’ ability to effectively manage evolving cyber risks in real-world clinical environments.
“CHIME members are deeply committed to protecting patient data and strengthening cyber resilience,” said Russell Branzell, President and CEO of CHIME. “Our members are not asking for less security—they are asking for smarter policy. This proposal would impose rigid technical mandates that add cost and complexity without meaningfully improving cybersecurity. We urge HHS to withdraw the rule and work with providers on a flexible, risk-based approach that meaningfully strengthens patient safety.”
The proposed rule was issued in January 2025, prior to the current Administration taking office. Despite broader efforts to reduce unnecessary regulatory burden and promote innovation, the proposal remains active, prompting widespread concern across the provider community. Signatories are urging HHS to withdraw the rule and collaborate with healthcare providers on a more workable, risk-informed framework that reflects the operational realities of modern healthcare delivery.
About CHIME
The College of Healthcare Information Management Executives (CHIME) is the leading professional organization for digital health executives and leaders. CHIME provides a trusted, collaborative environment where members and partners connect, share best practices, advance professional development, and advocate for the effective use of information and technology to improve health and care in the communities they serve.