Balancing Cybersecurity and Practicality: MGMA’s Call to Rescind Proposed HIPAA Security Rule
The Medical Group Management Association (MGMA), alongside other healthcare organizations, has raised significant concerns about the proposed updates to the HIPAA Security Rule. In a letter dated February 17, 2025, addressed to President Donald J. Trump and Secretary Robert F. Kennedy Jr., MGMA urged the administration to rescind the regulation introduced during the final weeks of the Biden administration. This advocacy highlights the complexities of balancing enhanced cybersecurity measures with the operational realities of the healthcare sector.
The Proposed Changes and Their Implications
The proposed updates to the HIPAA Security Rule aim to strengthen safeguards for electronic protected health information (ePHI). Key changes include mandatory encryption, multifactor authentication, detailed security risk analyses, and annual technology asset inventories. While these measures are intended to address the rising threat of data breaches and ransomware attacks, MGMA and other stakeholders argue that the regulation imposes significant financial and administrative burdens on healthcare providers.
For smaller practices and rural healthcare providers, the costs associated with implementing these changes could be prohibitive. The unfunded mandates outlined in the proposal may lead to higher operational expenses, reduced investment in patient care, and, in some cases, the closure of medical practices. MGMA has emphasized that these challenges could ultimately hinder innovation and limit access to healthcare services, particularly in underserved areas.
Cybersecurity vs. Feasibility
The healthcare sector has faced a steady increase in data breaches over the past decade, with hacking incidents accounting for nearly 80% of reported breaches in recent years. Strengthening cybersecurity is undeniably critical to protecting patient information. However, MGMA contends that the proposed rule’s stringent requirements and rapid implementation timeline are neither practical nor effective in achieving this goal.
The organization has called for a more balanced approach that addresses cybersecurity concerns without imposing excessive burdens on healthcare providers. This includes engaging with stakeholders to develop regulations that are both feasible and impactful.
Economic and Operational Concerns
MGMA’s letter highlights the broader economic implications of the proposed rule. The healthcare sector is a significant contributor to the national economy, and the financial strain imposed by these regulations could have ripple effects beyond individual practices. Increased compliance costs may lead to higher healthcare expenses for patients and reduced resources for other critical areas of healthcare delivery.
Additionally, the removal of flexibilities previously allowed under the HIPAA Security Rule could stifle the adoption of new technologies and practices essential for improving patient care and operational efficiency. MGMA has warned that the proposed changes could exacerbate existing challenges in the healthcare system, including workforce shortages and disparities in access to care.
A Call for Collaboration
MGMA’s advocacy underscores the importance of collaboration between policymakers and healthcare stakeholders. By engaging in open dialogue, the administration has an opportunity to craft regulations that enhance cybersecurity while supporting the sustainability of medical practices. This approach would ensure that patient care remains a top priority without compromising the financial and operational stability of the healthcare sector.
Conclusion
The proposed updates to the HIPAA Security Rule represent a well-intentioned effort to address cybersecurity challenges in healthcare. However, MGMA’s concerns highlight the need for a more balanced and practical approach. As the healthcare landscape continues to evolve, it is crucial to develop policies that protect patient information while supporting the long-term viability of medical practices.