Capitol Insights

The Capitol Insights newsletter is provided by our regulatory affairs contractor, Capitol Associates Inc. While not specific to imaging, the newsletter covers the top federal health policy activity of the week.

Senators Introduce Major Healthcare Cybersecurity Bill - 10/4/24

What Happened in Congress this Week?

Congress will be out of session until after the November 5 election.

Senators Introduce Major Healthcare Cybersecurity Bill

On September 26, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the 
Health Infrastructure Security and Accountability Act in the Senate. This bill proposes major 
changes to the cybersecurity requirements for the Health Insurance Portability and 
Accountability Act (HIPAA)-covered entities (CEs) and HIPAA Business Associates (BAs).
This bill aims to improve health sector cybersecurity following cyberattacks on Change 
Healthcare and other entities this year.

The bill breaks down CEs and BAs into groups:

  • Those required to follow Minimum Security Requirements
  • Those required to follow Enhanced Security Requirements (in addition to the minimum 
    standards)

All CEs and BAs would be subject to the minimum security requirements. These entities would 
be responsible for drafting a robust security risk analysis, creating a formal incident response 
plan, and conducting self-audits and stress tests. 

CEs and BAs that are deemed of “systemic importance” would have to follow the minimum 
standards for the first group plus additional enhanced security requirements. A CE or BA of 
systemic importance is defined as one where “the failure of, or a disruption to, such 
entity or associate would have a debilitating impact on access to health care or the stability of the 
health care system of the United States (as determined by the Secretary)”. The definition also includes 
healthcare entities that are important to national security. 

Entities of systemic importance would be required to report annually on their 
cybersecurity practices to the Secretary of the Department of Health and Human Services (HHS). 
Notably, the bill contains language giving the Secretary discretion to waive reporting requirements 
if the “burden [of submitting a formal cybersecurity annual report] significantly 
outweighs the benefits.” The Secretary would be required to conduct at least 20 annual audits of 
the data security practices of CEs or BAs.

The bill requires HHS to create both the minimum and enhanced security requirements within 
two years of the bill’s enactment. 

The bill authorizes HHS to use standard rulemaking procedures to further define the specific 
standards that entities in each group must follow. This differentiation is crucial, as it separates 
the cybersecurity requirements for individual physician practices, which will likely adhere to 
minimum security requirements, from larger organizations such as major healthcare systems or 
UnitedHealth Care, which would likely be subject to the enhanced requirements.

To pay for the bill, HHS would be authorized to charge CEs and BAs a user fee proportional to 
their share of National Healthcare Expenditures. The bill also allocates $800 million to help rural 
and urban safety-net hospitals achieve compliance, and $500 million for other hospitals to do the 
same.

Additionally, the bill proposes lifting existing HIPAA fine caps, aiming to deter CEs and BAs 
from maintaining non-compliant cybersecurity practices. It also introduces potential jail time for 
CEOs who provide false information to the government regarding their cybersecurity practices.

The bill would also codify HHS’s authority to provide advanced and accelerated payments to 
Medicare Part A and B providers if there is a “significant” cash flow problem 
stemming from a cybersecurity attack. This would address a major issue from the Change 
Healthcare cyberattack response, where it took CMS weeks to determine if it had the authority to 
make advanced and accelerated Medicare payments available without a public health emergency 
declaration.

At the time of writing, the two sponsors are Democrats on the Senate Finance Committee. 
There are no Republicans on the bill, despite widespread bipartisan interest in passing healthcare 
cybersecurity legislation this year.

Top Stories in Healthcare Policy

  • CMS announced that Medicare Advantage and Part D premiums will decrease slightly in 
    2025, while benefits and the number of MA plans to choose from will remain stable.

  • Vice President Harris brought health policy to the forefront of her presidential campaign last 
    week as her campaign published a report of what health policy would supposedly look like 
    under a second Trump administration. The report focused on reproductive rights, rising 
    premiums and out-of-pocket costs, cuts to Medicare/Medicaid, and an increase in prescription 
    drug prices.  

  • California Governor Gavin Newsom vetoed a bill that would mandate licensing and 
    regulation of pharmacy benefit managers (PBM), despite the bill having almost unanimous 
    support from the state legislature. In his veto letter, Newsom expressed concerns that the bill 
    might not improve access to prescription drugs, claiming more information is needed on PBMs’ 
    downstream impacts on drug costs.

  • HHS has released its final guidance for the second cycle of Medicare Drug Price 
    Negotiations. This year up to 15 Part D drugs will be selected for negotiation. The list of drugs 
    will be released no later than February 1, 2025. 

  • CMS is providing advanced and accelerated Medicare payments to providers impacted by 
    Hurricane Helene. 

  • A GAO Report has found that many hospitals are failing to adhere to public pricing 
    disclosures required by CMS as of 2021. This has renewed calls for healthcare price 
    transparency legislation.

  • As Medicare’s annual enrollment period approaches, many health insurance providers are 
    decreasing the number of Medicare Advantage plans they are offering for next year, while 
    others are expanding their offerings with new plans and benefits.

  • CMS announced that for CY 2025, 62 Medicare Advantage organizations will participate in 
    the Value-Based Insurance Design Model across 48 states, Washington D.C., and Puerto 
    Rico. The program will offer enhanced supplemental benefits and aim to address disparities in 
    healthcare.