March 7, 2025
The Honorable Robert F. Kennedy, Jr.
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
Re: Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
Dear Secretary Kennedy:
On behalf of our medical group practices, the Medical Group Management Association (MGMA) thanks you for the opportunity to comment on the Office for Civil Rights’ proposed Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. While we appreciate the general intent of this proposal, it is far too burdensome to implement in practice and represents such government overreach that it threatens the very sustainability of medical groups in this country. Low reimbursement coupled with onerous government regulations has already driven 80% of physicians in the U.S. into employment arrangements with larger healthcare entities. Proposals like this will only exacerbate this troublesome trend, and we urge you to withdraw it in its entirety.
With a membership of more than 60,000 medical practice administrators, executives, and leaders, MGMA represents more than 15,000 group medical practices ranging from small private medical practices to large national health systems representing more than 350,000 physicians. MGMA’s diverse membership uniquely situates us to offer the following perspectives.
Overview
During President Trump’s first term, MGMA valued the opportunity to collaborate with the administration on initiatives that focused on prioritizing patients over paperwork. Unfortunately, this proposed update to the HIPAA Security Rule is not only a departure from the administration’s commitment to reducing burdensome regulations but is also an example of government overreach. While we agree with the importance of strengthening cybersecurity, this Biden-era proposal does not inherently create a better system for securing electronic protected health information (ePHI).