Health Infrastructure Security and Accountability Act: A New Era for Healthcare Cybersecurity
In September 2024, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the Health Infrastructure Security and Accountability Act, new legislation that aims to improve healthcare cybersecurity by imposing greater accountability on providers who fail to meet minimum cybersecurity standards, including jail time for executives. Although the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) currently sets minimum cybersecurity standards for HIPAA “covered entities,” i.e., healthcare providers, health plans, and healthcare clearinghouses, and for the “business associates” of those entities, there has been ongoing criticism that the law is antiquated (it has not received a material update since 2013) and carries no material ramifications for neglectful providers.
As we all know from experience, large-scale healthcare data breaches have become an extremely common occurrence. According to the supporters of the bill, stronger cybersecurity measures can be preventative:
“hacks of the American health care system are out of control—with health care organizations reporting 725 data breaches in 2023 impacting over 120 million Americans. The health care sector is now the primary target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners. Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security.” (Bill Summary)
The bill appears to be a response to the Change Healthcare cybersecurity attack from earlier this year. The ransomware attack in February 2024 forced Change Healthcare to shut down its systems, many of which remained offline for months. The lack of access to those systems meant many healthcare providers across the country could not bill or be paid for their services, with many pushed to the brink due to a lack of funding. The concern is that similar cyber-attacks most assuredly will happen again, and the impacts may be even further reaching.
The Health Infrastructure Security and Accountability Act generally sets more stringent minimum cybersecurity standards, requires annual audits for compliance, and creates repercussions for companies that fail to meet those requirements. The legislation is divided into two main parts. The first part addresses strengthening and increasing cybersecurity standards, as well as the oversight of such standards. The second part of the bill addresses financial support, including Medicare assistance for cybersecurity incidents.
Part 1 – Strengthening and increasing cybersecurity standards, and oversight of such standards
New, Modernized Security Standards
The first part of the bill requires the Secretary of Health and Human Services (the “Secretary”) to adopt enhanced and modernized security requirements to protect health information, patient safety, and ensure the availability and resiliency of health care information systems and health care transactions. The minimum standards would take into account the ways in which health care entities are targeted for cybersecurity threats and apply to covered entities and business associates. The Secretary would adopt these enhanced standards within two years and be required to update the standards every two years thereafter.
Stress Testing and Additional Oversight
The bill requires entities to go beyond a typical HIPAA-required risk assessment. Specifically, not later than three years after enactment, covered entities and business associates are required to conduct and document a security risk analysis that includes (i) information on the manner and extent to which the entity or associate is exposed to risk through its business associates and vendors, (ii) a documented plan for a rapid and orderly resolution in the event of a natural disaster, a disruptive cyber incident, or other technological failure of its information systems or those of its business associates, and (iii) a “stress test” to evaluate whether the entity or associate has the capabilities and planning to recover essential functions. The “stress test” should document whether any changes are made to the plan for a rapid and orderly resolution in the event of an incident. Similar to the requirements of the Sarbanes-Oxley Act, the bill requires executives of healthcare organizations to annually sign confirmations that they are fully compliant with these cybersecurity requirements.
Entities subject to the enhanced security requirements must submit these documents to the Secretary on an annual basis, while all other entities must provide the documentation upon request by the Secretary. Covered entities and business associates would be required to post the written statement attesting that the company is in compliance on a public website. Similar to how HIPAA penalties have historically been assessed, the Secretary may waive the reporting requirements if the burden significantly outweighs the benefits, taking into consideration the entity or associate’s revenue, the volume of protected health information retained, or the volume of health care transactions processed.
Further, not later than six months after enactment, covered entities and business associates are required to contract with an independent auditor that meets the requirements set by the Inspector General to assess their compliance with the security requirements. Covered entities and business associates subject to the enhanced standards are required to submit their audit findings to the Secretary. The Secretary may waive this requirement if the burden on the covered entity or business associate significantly outweighs the benefits. The Secretary is also required to annually audit the data security practices of at least 20 covered entities or business associates. In selecting entities for audit, the Secretary shall consider whether the entity is of systemic importance, whether complaints have been made with respect to the entity’s data security practices, and any history of previous violations.
The bill explicitly provides that failure to comply with these requirements would be subject to fines of no more than $5,000 per day, and to criminal penalties for anyone who knowingly submits a report containing false information.
Increased Civil Penalties
Currently, the financial penalties for HIPAA violations are relatively low and are capped. The bill proposes removing those penalty caps to ensure that the penalties imposed on mega-corporations are large enough to deter lax cybersecurity. The bill includes enhanced civil money penalties: a minimum of $500 for violations without knowledge, $5,000 for reasonable cause, $50,000 for corrected willful neglect, and $250,000 for uncorrected willful neglect. In determining penalties, the Secretary may consider the entity’s size, compliance history, and good-faith efforts to comply with the security requirements.
User Fee
The increased security oversight and enforcement work of HHS would be funded through a user fee on all regulated entities. The bill authorizes the Secretary to charge each covered entity and each business associate of a covered entity a user fee equal to that entity’s pro rata share of national health expenditures. The aggregate amount of fees cannot exceed the lesser of (i) the estimated cost to carry out oversight and enforcement activities or (ii) $40 million in fiscal year 2026, $50 million in fiscal year 2027, and an amount increased in each subsequent year by the consumer price index.
Part 2 – Financial support and Medicare assistance (and reductions) for cybersecurity incidents
Financial Support for Rural and Urban Safety Net Hospitals
Many healthcare providers simply do not have the necessary funds to make significant improvements to cybersecurity, especially rural and urban safety net hospitals. The bill provides $800 million in up-front investment payments over a two-year period for 2,000 rural and urban safety net hospitals to adopt essential cybersecurity standards that address high-risk cybersecurity vulnerabilities to data infrastructure and patient health information.
After the two-year period during which rural and urban safety net hospitals receive this funding, a further $500 million will be provided to incentivize all hospitals to adopt enhanced cybersecurity practices that address known vulnerabilities to data infrastructure and patient health information. Hospitals that do not adopt these enhanced practices after two years would be subject to a payment reduction.
Medicare Payments in Response to Cybersecurity Incidents
The bill would give the Secretary legislative authority to provide accelerated and advance payments to Part A and Part B providers when there is a significant cash flow problem resulting from the operations of the provider’s Medicare Administrative Contractor, or in unusual circumstances of the provider’s operation, including a significant disruption to Medicare claims processing due to a cybersecurity incident.
In summary, although it is not clear whether the bill can gather enough support to be passed into law, the proposed legislation reflects a strong push to enhance existing cybersecurity requirements and a recognized need to bring greater attention to cybersecurity practices in the healthcare industry.
About Maynard Nexsen
Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.