Thursday, September 25, 2025

HHS Sends Healthcare IT Deregulatory NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the HHS National Coordinator for Health IT (ONC) on “Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity”. This would appear to be part of the Trump Administration’s aggressive attempt at reducing the regulatory requirements of the Federal Government.

According to the abstract for this rulemaking in the Spring 2025 Unified Agenda:

“The rulemaking would focus on potential deregulatory actions identified in 45 CFR part 170 (Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health IT). Inclusive of proposals would be those that propose to codify all or parts of recent enforcement discretion guidance (Enforcement Discretions | HealthIT.gov) and propose, to remove certain certification criteria, Condition and Maintenance of Certification requirements, and other ONC Health IT Certification Program requirements. Additionally, we are evaluating other potential deregulatory actions under 45 CFR parts 171 (Information Blocking) and 172 (Trusted Exchange Framework and Common Agreement).”


This is not an area that I have spent much time looking at, nor do I expect to cover this rulemaking in any depth in this blog, but I am concerned that this rulemaking could remove or reduce the minimal cybersecurity standards for healthcare IT operations. The history of major healthcare cybersecurity breaches over the last couple of years does little to engender confidence in the adequacy of current cybersecurity regulations in this field, and would seem to argue for additional, not less, regulatory efforts.
