C4BH HIPAA Cybersecurity Proposed Rule Response

March 6, 2025

The Honorable Robert F. Kennedy Jr., Secretary

U.S. Department of Health and Human Services

200 Independence Ave, S.W.

Washington, D.C. 20201

Re: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information

Dear Secretary Kennedy,

On behalf of Connecting for Better Health, thank you for the opportunity to respond to the proposed “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information.” We applaud the U.S. Department of Health and Human Services (HHS) for its efforts to modernize the HIPAA Security Rule by advancing cybersecurity protections for electronic protected health information (ePHI) in our evolving digital landscape. 

Connecting for Better Health (C4BH) is a diverse coalition of providers, patient advocates, caregivers, health plans, technology innovators, and community-based organizations dedicated to advancing health and social data sharing to improve the health of all Californians. Our vision is that every Californian and their care team will have the information and insights they need to make care seamless, high-quality, and affordable. Guiding our work for connected health data, the coalition firmly believes that data privacy and security must be reinforced. As the electronic collection, storage, and transmission of patient information continues to expand, processes must be conducted in secure systems to uphold patient privacy. Safeguarding patient information is a fundamental responsibility of our health care system to build and maintain the trust that underpins patient care. 

We support clarifications that all implementation specifications are required as baseline mandatory security measures with regulated entities retaining flexibility in how to comply with specifications. However, C4BH has concerns about cybersecurity requirement expansions that would impose substantial compliance burdens on regulated entities, especially without considering differences in size and capabilities. While the proposed requirements are generally best practices in the industry, it is important to acknowledge that many regulated entities will struggle to meet this high bar for compliance. Regulated entities prioritize security, but often have not yet implemented these best practices due to resource constraints. For example, penetration tests are particularly prohibitive to perform annually due to steep costs, staff expertise, and time limitations. 

While there are concerns regarding some proposed cybersecurity requirements for feasibility, prescriptiveness, and overall burden, C4BH supports the addition of relatively straightforward measures that are essential for data security, including multi-factor authentication, encryption, and automatic suspension after failed logins, that should already be in practice with affordable solutions available. In particular, encryption capabilities are a critical prerequisite for organizations to participate in data sharing with other organizations. 

The coalition is further supportive of proposed measures to increase accountability among Business Associates at no additional cost, including annual written verification and certification of deployed technical safeguards and the requirement to report activation of contingency plans within 24 hours. Additionally, there should be allowances for the robust security frameworks already established within the industry, such as HITRUST, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and SOC 2, to reduce burdensome duplication in audits for compliant regulated entities.

As HHS seeks to enhance cybersecurity protections for ePHI, there must be considerations to assist smaller entities, such as clinics, rural providers, independent medical groups, and community-based organizations, without penalizing their current state of readiness. To mitigate industry concerns around the burden of adopting stronger cybersecurity requirements, targeted funding opportunities are needed to support capacity-building efforts for regulated entities with limited resources. This is especially critical as more community-based organizations nationwide become regulated entities through partnerships with state Medicaid programs to provide care management and social services.

C4BH additionally supports the HHS discussion and statement on how HIPAA Rules apply to artificial intelligence (AI), which concludes that ePHI, including ePHI in AI training data, prediction models, and algorithm data that is maintained by a regulated entity for covered functions is protected by the HIPAA Rules and all applicable standards and specifications. We agree that ePHI must be safeguarded within emerging technologies to ensure that privacy and security standards are upheld throughout all stages of data processing. 

We appreciate the opportunity to provide these comments to HHS and commend the initiative to strengthen cybersecurity protections for ePHI. Should you have any questions, please reach out to Stephanie Thornton at Connecting for Better Health at stephanie@connectingforbetterhealth.com.

Sincerely,

Connecting for Better Health
