This week, Health-ISAC®‘s Hacking Healthcare® examines a new policy shift that will affect how the public is able to interact with new rulemaking efforts coming out of the United States’ Department of Health and Human Services. Join us as we break down what the new policy statement says and how it may impact the ongoing HIPAA Security Rule update.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
PDF Version: TLP WHITE 3.4.2025 Hacking Healthcare
Text Version:
Welcome back to Hacking Healthcare®.
HHS Moves to End Public Comment for Some Agency Actions
On March 3, the United States Department of Health and Human Services (“HHS”) put forward a policy statement[i] within the Federal Register that could effectively end the ability of the public to submit comments on a range of HHS rulemaking actions. However, before we get to the policy statement, we need to provide some background on the rulemaking issues it relates to.
What is the Administrative Procedure Act?
Within the United States, federal agencies wishing to issue rules do so through processes set out in the Administrative Procedure Act (“APA”). This is a federal act made up of several relatively short sections that govern “how federal administrative agencies make rules and how they adjudicate administrative litigation.”[ii] The APA is the reason that proposed rulemakings are posted with information like the legal authorities the agency is invoking and a summary of the proposal. It is also the reason entities are able to provide comments intended to help shape the scope and approach ultimately taken in the final rulemaking.
There are exceptions to the process laid out by the APA. The APA’s notice-and-comment requirements do not apply, and an agency may therefore forgo the usual rulemaking process for seeking public comment, where the rule involves a “matter relating to agency management or personnel or to public property, loans, grants, benefits, or contracts.”[iii] Additionally, the APA contains a provision that allows an agency to forgo the usual rulemaking processes for “good cause” if it finds “that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.” These are two of the provisions at the heart of the new HHS policy statement.
What is the Richardson Waiver?
The Richardson Waiver is the other relevant part of the new HHS policy statement. Published in the Federal Register in January of 1971, the Richardson Waiver made it “a matter of policy, [that] the department will use notice of proposed rule making procedures in certain cases where not required by law.”[iv] Essentially, even where the APA allows exceptions to certain procedures, such as providing a public comment period, HHS policy would be to go through them regardless.
What Does the New HHS Policy Statement Say?
In a statement signed off on by Robert F. Kennedy, Jr., Secretary, Department of Health and Human Services, HHS announced it is “rescinding the policy on Public Participation in Rule Making (Richardson Waiver) and re-aligning the Department’s rule-making procedures with the Administrative Procedure Act.”[v]
As we move into the Action & Analysis section, let’s explore what this may mean for issues like the ongoing HIPAA Security Rule proposal.
Action & Analysis
**Included with Health-ISAC Membership**
[ii] https://www.law.cornell.edu/wex/administrative_procedure_act
[iii] https://www.law.cornell.edu/uscode/text/5/553
[iv] https://archives.federalregister.gov/issue_slice/1971/2/5/2527-2534.pdf#page=6
[v] https://www.federalregister.gov/documents/2025/03/03/2025-03300/policy-on-adhering-to-the-text-of-the-administrative-procedure-act
[vi] https://thehill.com/policy/healthcare/5170090-rfk-jr-hhs-public-comment-rulemaking-ends/
[vii] https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information