CHIME’s Mari Savickis is keeping a close eye on the complex policy landscape confronting healthcare technology executives.
As cyberattacks on healthcare providers surge in scale and sophistication, rural hospitals are emerging as particularly vulnerable targets. According to Mari Savickis, Vice President of Public Policy at CHIME, the challenges facing these smaller health systems are intensifying amid a broader federal reevaluation of HIPAA’s security rule and a rapidly evolving policy environment.
“The rural hospitals—the smalls, as we call them—struggle mightily,” Savickis said, emphasizing that these organizations often lack both the financial and human capital to mount adequate cybersecurity defenses. She described the situation as a “very challenging area,” made worse by regulatory uncertainty and potential budget cuts across federal cybersecurity initiatives.
Cybersecurity Strain in Rural America
Savickis pointed to a spate of recent reports, including publications from Microsoft and the Health Sector Coordinating Council (HSCC), highlighting the dire state of cybersecurity in rural healthcare. These facilities, she noted, face amplified risks due to workforce shortages, limited funding, and inadequate infrastructure. “You don’t want a situation where people can’t get care within 500 miles of where they live,” she said.
Even federal attempts to reorient agencies like CISA toward more health-sector-specific threats remain uncertain. A proposed 20% across-the-board cut to government agencies, outlined in the administration’s “skinny budget,” could threaten the very resources rural hospitals rely on to navigate mounting digital threats.
Savickis argued that, beyond funding, rural hospitals also need practical assistance. “They don’t just need money—they need help,” she said, referencing common reports from providers who lack the personnel necessary to deploy even basic cyber hygiene measures. In some cases, technical donations could help fill the gap. For instance, Stark Law and Anti-Kickback Statute exceptions allow for the donation of certain cybersecurity hardware and software, yet this opportunity remains underutilized due to regulatory ambiguity.
“We’re looking at what other policy levers can be pulled,” Savickis said. “Even just taking regulatory burdens off their plate might help ease the strain.”
“There’s no provider out there saying, ‘Today I want to suffer a terrible cyber incident,’” Savickis said. “But unless we give rural hospitals the tools, people, and policy flexibility they need, we’re asking them to fight a war without armor.”
HIPAA Security Rule: Still on the Table
Another major concern among healthcare IT leaders is the fate of the proposed HIPAA security rule revision, released under the Biden administration. CHIME has taken a strong stance against the proposal, citing its sweeping documentation requirements and the potentially catastrophic costs of compliance. “This one was so seismic,” said Savickis. “The amount of documentation was enough to strangle any provider.”
While some stakeholders initially speculated the proposal might be quietly shelved, Savickis confirmed that the rule remains active. “We have not done a victory dance,” she noted. “It has not been fully rescinded.”
Among the most contentious aspects of the proposed rule are provisions around encryption and multifactor authentication—requirements that, in CHIME’s reading, could necessitate the wholesale replacement of certain medical devices. “Even if there were enough devices to go around, the cost alone would be prohibitive,” she said.