Groups Push Back on HHS’ Proposed Health IT Rollbacks
In March 2026, numerous healthcare organizations, including the College of Healthcare Information Management Executives (CHIME) and the American Hospital Association (AHA), voiced significant concerns regarding a proposal by the U.S. Department of Health and Human Services (HHS) that aims to simplify health IT certification requirements. This proposal seeks to reduce the existing 60 certification criteria down to 34 and amend seven others, particularly those related to privacy and security controls. According to the HHS, this streamlining effort intends to lift regulatory burdens on health IT developers and foster innovation in the sector. However, critics argue that this will inadvertently shift the burden of responsibility onto healthcare providers, increasing the risks associated with patient data protection.
The proposal from the Office of the National Coordinator for Health IT marks a significant change in the regulatory approach the certification program has taken since its inception in 2010, which directly followed the HITECH Act. Initially focused on electronic health records (EHRs), the certification requirements were designed to ensure compliance and improve healthcare delivery. However, according to the HHS, the evolving landscape of health IT suggests that these certification requirements are no longer as critical for compliance or for improving privacy and security standards. HHS contends that many of these concerns are already addressed under existing HHS regulations.
Despite these claims, stakeholder groups emphasize the vital role that current certification criteria play in maintaining robust cybersecurity protocols. For instance, CHIME noted that the removal of authentication, access controls, and authorization from the Certification Program places an undue burden on providers. They argue that such changes could severely compromise the ability of healthcare organizations to uphold their cybersecurity posture, thereby threatening compliance with the Health Insurance Portability and Accountability Act (HIPAA) and jeopardizing patient data safety.
Their concerns are mirrored by other prominent healthcare organizations. A letter co-signed by CHIME and various associations, including the American Academy of Pediatrics and the American College of Physicians, calls for HHS to maintain and even strengthen privacy and security criteria within its certification frameworks. The message is clear: deregulating these critical areas could lead to increased vulnerabilities in a sector that has already been heavily targeted by ransomware attacks.
In a recent discussion, Chelsea Arnone, senior director of federal affairs at CHIME, articulated that baseline privacy and security certification criteria are not mere ancillary features; they are fundamental safeguards integral to the operational framework of hospitals’ enterprise security architecture. Features like access controls, audit logging, and encryption are crucial for ensuring HIPAA compliance and facilitating effective incident response. The removal of such foundational requirements, according to Arnone, poses a tangible risk rather than a hypothetical one.
In addition, CHIME raised alarms about possible changes to the "transitions of care" criteria regarding patient matching. The proposal to eliminate specific requirements that assist with patient identification and tracking—such as name, date of birth, current address, phone number, and sex—could introduce considerable risks in terms of patient safety. According to CHIME, maintaining these criteria within the certification program is essential for minimizing errors associated with patient misidentification.
Similarly, the American Hospital Association echoed these sentiments in its comments to HHS. While they recognize the importance of fostering innovative health IT applications, they stressed that such innovation should not come at the expense of safeguarding sensitive patient data. The AHA cautioned that the immediate removal of privacy and security certification criteria could inadvertently shift the burden and costs onto healthcare providers. They warned that developers might start imposing additional fees for these critical features, which could ultimately negate any cost-saving advantages initially anticipated from the proposed changes.
In conclusion, the pushback from healthcare groups against HHS’s proposed rollbacks indicates a significant divide between the federal approach to regulation and the practical implications for providers. Stakeholders argue that the proposed changes prioritize innovation over essential safeguards needed to protect patients and healthcare organizations, a dilemma that may compromise patient safety in an increasingly complex digital health landscape. As these discussions evolve, the ongoing debate highlights the necessity for balanced regulations that both encourage innovation and enforce critical security standards.
