Senators Introduce Major Healthcare Cybersecurity Bill
On September 26, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the
Health Infrastructure Security and Accountability Act in the Senate. This bill proposes major
changes to the cybersecurity requirements for the Health Insurance Portability and
Accountability Act (HIPAA)-covered entities (CEs) and HIPAA Business Associates (BAs).
This bill aims to improve health sector cybersecurity following cyberattacks on Change
Healthcare and other entities this year.
The bill breaks down CEs and BAs into groups:
- Those required to follow Minimum Security Requirements
- Those required to follow Enhanced Security Requirements (in addition to the minimum
standards)
All CEs and BAs would be subject to the minimum security requirements. These entities would
be responsible for drafting a robust security risk analysis, creating a formal incident response
plan, and conducting self-audits and stress tests.
CEs and BAs deemed of “systemic importance” would have to follow the minimum
standards for the first group plus additional enhanced security requirements. A CE or BA of
systemic importance is defined as an entity for which “the failure of, or a disruption to, such
entity or associate would have a debilitating impact on access to health care or the stability of the
health care system of the United States (as determined by the Secretary).” It also includes those
healthcare entities that are important to national security.
Entities of systemic importance would be required to submit annual reports on their
cybersecurity practices to the Secretary of the Department of Health and Human Services (HHS).
Notably, the bill contains language giving the Secretary discretion to waive the reporting requirement if the “burden [of submitting a formal cybersecurity annual report] significantly
outweighs the benefits.” The Secretary would be required to conduct at least 20 annual audits of
the data security practices of CEs or BAs.
The bill requires HHS to create both the minimum and enhanced security requirements within
two years of the bill’s enactment.
The bill authorizes HHS to use standard rulemaking procedures to further define the specific
standards that entities in each group must follow. This differentiation is crucial, as it separates
the cybersecurity requirements for individual physician practices, which will likely adhere to
minimum security requirements, from larger organizations such as major healthcare systems or
UnitedHealth Care, which would likely be subject to the enhanced requirements.
To pay for the bill, HHS would be authorized to charge CEs and BAs a user fee proportional to
their share of National Healthcare Expenditures. The bill also allocates $800 million to help rural
and urban safety-net hospitals achieve compliance, and $500 million for other hospitals to do the
same.
Additionally, the bill proposes lifting existing HIPAA fine caps, aiming to deter CEs and BAs
from maintaining non-compliant cybersecurity practices. It also introduces potential jail time for
CEOs who provide false information to the government regarding their cybersecurity practices.
The bill would also codify HHS’s authority to provide accelerated and advance payments to
Medicare Part A and B providers if there is a “significant” cash flow problem
stemming from a cybersecurity attack. This would address a major issue from the Change
Healthcare cyberattack response, where it took CMS weeks to determine whether it had the authority to
make accelerated and advance Medicare payments available without a public health emergency
declaration.
At the time of writing this, the two sponsors are Democrats on the Senate Finance Committee.
There are no Republicans on the bill, despite widespread bipartisan interest in passing healthcare
cybersecurity legislation this year.