Fifty-seven hospitals and health systems are calling on HHS to drop a proposed HIPAA security update they say would impose undue financial and time hardships on them.
In a letter to HHS Secretary Robert F. Kennedy Jr., the organizations said the cybersecurity proposal “would place substantial new financial burdens on healthcare providers and includes unreasonable implementation timelines that make it difficult to reconcile with the information technology complexities of modern healthcare delivery organizations.”
The rule, proposed near the end of the Biden administration, would require most hospitals and health systems to encrypt electronic protected health information, implement multifactor authentication and plan to restore EHRs and patient data within 72 hours of a cyberattack.
“The Proposed Rule runs counter to President Trump’s robust deregulatory agenda,” wrote the stakeholder group led by the College of Healthcare Information Management Executives, aka CHIME. “We support updating cybersecurity standards for healthcare, and they must be flexible enough to accommodate the wide range of provider organizations. Standards should set strong protections while allowing innovation so providers can respond effectively to evolving cybersecurity risks.”
The hospitals and health systems that signed the Dec. 8 letter are:
— Advocate Health (Charlotte, N.C.)
— Baptist Health (Jacksonville, Fla.)
— Bayhealth Medical Center (Dover, Del.)
— Beacon Health System (South Bend, Ind.)
— Blanchard Valley Health System (Findlay, Ohio)
— Bryan Health (Lincoln, Neb.)
— Christus Health (Irving, Texas)
— Claiborne Memorial Medical Center (Homer, La.)
— Cleveland Clinic
— Corewell Health (Grand Rapids and Southfield, Mich.)
— Dayton (Ohio) Children’s Hospital
— Faith Regional Health Services (Norfolk, Neb.)
— FirstHealth of the Carolinas (Pinehurst, N.C.)
— Fisher-Titus Health (Norwalk, Ohio)
— Guthrie (Sayre, Pa.)
— Highmark Health, including Allegheny Health Network (Pittsburgh)
— Holzer Health System (Gallipolis, Ohio)
— Inova Health System (Falls Church, Va.)
— Lake Charles (La.) Memorial Health System
— Lakeland (Fla.) Regional Health
— Lakewood Health System (Staples, Minn.)
— LifeBridge Health (Baltimore)
— MaineHealth (Portland, Maine)
— Marshall Browning Hospital (Du Quoin, Ill.)
— Mary Washington Healthcare (Fredericksburg, Va.)
— Mason District Hospital (Havana, Ill.)
— MedStar Health (Columbia, Md.)
— Methodist Health System (Dallas)
— Midland (Texas) Health
— Midwest Medical Center (Galena, Ill.)
— Nathan Littauer Hospital & Nursing Home (Gloversville, N.Y.)
— Natividad Medical Center (Salinas, Calif.)
— NMC Health (Newton, Kan.)
— Northeast Georgia Health System (Gainesville, Ga.)
— Oregon Health & Science University (Portland, Ore.)
— Orlando (Fla.) Health
— Ozarks Healthcare (West Plains, Mo.)
— Rady Children’s Hospital (San Diego)
— Reid Health (Richmond, Ind.)
— Riverside Health (Newport News, Va.)
— Schneck Medical Center (Seymour, Ind.)
— Sharp HealthCare (San Diego)
— Signature Healthcare (Brockton, Mass.)
— Southcoast Health (New Bedford, Mass.)
— Southwest General Health Center (Middleburg Heights, Ohio)
— SSM Health (St. Louis)
— St. Bernards Healthcare (Jonesboro, Ark.)
— St. Joseph’s Health (Syracuse, N.Y.)
— Stanford Medicine Children’s Health (Palo Alto, Calif.)
— United Health Services (Binghamton, N.Y.)
— University of Kansas Health System (Kansas City, Kan.)
— University of Utah Health (Salt Lake City)
— University of Vermont Health Network (Burlington, Vt.)
— Vandalia Health (Charleston, W.Va.)
— WakeMed (Raleigh, N.C.)
— Wooster (Ohio) Community Hospital Health System
— Yale New Haven (Conn.) Health
