
Employer health plans are not subject to the Health Insurance Portability and Accountability Act data security requirements, and the U.S. Department of Health and Human Services Office for Civil Rights should not try to apply new HIPAA health data security requirements to employer plans, according to James Gelfand.

Gelfand, president of the ERISA Industry Committee, a group representing the interests of self-insured employee benefit plans, put that declaration in a letter ERIC sent in response to new draft regulations posted by HHS during the last days of the administration of former President Joe Biden.


HHS posted the draft, which would modify the HIPAA Security Rule in an effort to improve the defenses for electronic protected health information, or ePHI, in early January.

Comments were due March 7. HHS has received at least 4,749 comments, according to the Regulations.gov docket for the draft regulations.

America's Health Insurance Plans and the Council of Insurance Agents & Brokers are among the commenters that have joined ERIC in objecting to HHS's effort to require a group health plan sponsor to put provisions in its plan documents requiring "any agent to whom it provides ePHI to implement the administrative, physical, and technical safeguards of the Security Rule."

"Whether intended or not, this proposed rule is a back-door way of requiring plan sponsors to comply with the HIPAA Security Rule and adopt all the proposed security requirements," Gelfand writes in ERIC's comment letter. "As the department rightly points out, plan sponsors are not directly liable for compliance with the HIPAA Security Rule because plan sponsors are not 'regulated entities.'"

HHS appears to be using the Employee Retirement Income Security Act fiduciary liability provisions to require plan sponsors that are not subject to the HIPAA Security Rule to comply with the Security Rule, Gelfand says.

"A court of law would never allow this department to use another federal law that they do not have jurisdiction over as the means for forcing compliance with HIPAA's Security Rule and adoption of the proposed security requirements," Gelfand says.

The backdrop: HHS OCR developed the new draft regulations in response to waves of ransomware attacks and other attacks that have hit health-related organizations hard.

An attack on UnitedHealth's Change Healthcare data exchange services unit may have affected 190 million people, and a breach affecting a firm that stored data for HealthEquity, a health savings account services provider, may have affected 4.3 million people.

The rules appear to affect many benefits brokers, plan administrators and support services providers as well as health insurers.

The group now known as the National Association of Benefits and Insurance Professionals noted in a 2019 comment letter that it believed that most of its 100,000 members qualified either as covered entities or business associates.

The regulations: The draft regulations would require a covered entity, such as a hospital or a health insurer, to create lists of technology assets and maps showing how health information flows through the regulated entity's electronic information systems.

The draft would require the entity to update the technology lists and network maps at least once every 12 months and to create written analyses of the network vulnerabilities, and the entity would have to show that its business associates were meeting the same standards.

The Biden administration's own regulation impact reviews showed that complying with the new requirements could cost $9 billion in the first year.


Compliance could cost $6 billion per year in later years, officials estimated.

Practical concerns: Ellen Kelsay, president of the Business Group on Health, and the other insurance and benefits group commenters say a provision requiring covered entities to comply with the regulation within 180 days is unrealistic.

AHIP is asking regulators to avoid overwhelming cybersecurity professionals with recordkeeping requirements.

"The structure of the proposed rule would necessitate near-continuous document review and updating, resulting in cybersecurity professionals' time being spent on paperwork instead of critical, proactive efforts to protect patients and their information from growing cyber threats," according to Danielle Lloyd, a senior vice president at AHIP. "Requirements should be streamlined to focus on preparations that will prevent cybersecurity incidents and hasten recovery efforts."

Steve Postal, a senior director at the National Community Pharmacists Association, objected to a requirement that affected entities terminate a departing worker's access to ePHI within one hour of the worker's departure. Removing a former employee's access to all data systems may take more time than that, he says.

Joel Wood, CIAB's president, wants regulators to rethink the technology list and data flow mapping requirements, arguing that the lists and maps would themselves become a tool that makes any attacker who obtains them more dangerous.

"If a covered entity is breached, for instance, the malicious threat actor now has a roadmap for going even further and breaching all of the breached entity's business associates and subcontractors," Wood writes.

The future: One question is how the new administration of President Donald Trump will handle proposed regulations developed under a previous administration.

The Senate confirmed a new HHS secretary, Robert F. Kennedy Jr., in February, and it has just confirmed a new secretary of Labor, Lori Chavez-DeRemer.

The Trump administration may have no interest in supporting a controversial proposal developed by a previous administration, but the idea of improving health data security has strong support from Republicans as well as Democrats.

Both Trump and Kennedy, the son of former Attorney General Robert F. Kennedy and the nephew of the late President John F. Kennedy, may have a personal stake in improving health information privacy and data security.


Allison Bell

Allison Bell, a senior reporter at ThinkAdvisor and BenefitsPRO, previously was an associate editor at National Underwriter Life & Health. She has a bachelor's degree in economics from Washington University in St. Louis and a master's degree in journalism from the Medill School of Journalism at Northwestern University. She can be reached through X at @Think_Allison.