Health Infrastructure Security and Accountability Act – Legislation to watch

© yurchello108 - stock.adobe.com

Prompted by the number and scope of cyberattacks on the health care sector, in late September 2024, The Health Infrastructure Security and Accountability Act (HISAA) was introduced by Senators Ron Wyden and Mark Warner and amends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements. As Senator Wyden stated, “[m]egacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result … The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to American’s well-being and privacy.”

The argument has been posed that rural hospitals don’t have the resources. To the contrary, they had and continue to have access to financial resources to comply with existing HIPAA technical, administrative, and physical safeguards; however, “[l]ess than a quarter of rural hospitals have used a new program that provides free cybersecurity assistance from Microsoft and Google.”

Given that the health care sector tops the Federal Bureau of Investigation’s (FBI) list as the top target of ransomware, it is not a surprise that the Senate has a bill on the table to increase minimum cybersecurity standards, ensure that annual HIPAA risk analyses are done, and creates significant accountability for companies that fail to meet these requirements. HIPAA civil and criminal penalties are not new.

Here are some of the key highlights of HISAA:

• Build upon the existing Security Rule safeguards and modernize HIPAA security requirements.
• Requirement that covered entities and business associates alike submit to annual independent cybersecurity audits, with the ability for HHS to take into account small providers and business associates, which was also expressly stated in the 2013 Omnibus Rule.
• Eliminate statutory caps on HHS’ fining authority.
• Provide $800 million in up-front investment payments to rural and urban safety net hospitals and $500 million to all hospitals to adopt enhanced cybersecurity standards.
• Codifies the Secretary’s authority to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the U.S. health system, which is what happened during the Change Healthcare attack.

In sum, HISAA builds upon the Congressional intent of HIPAA – to ensure that the confidentiality, integrity and availability of patient records remains intact in order to protect patient privacy through implementing adequate security safeguards for all types of PHI. Cybersecurity is material to the United States and the healthcare sector in particular. Therefore, health care sector participants should be able to substantiate compliance, as a variety of government agencies, including those tasked with protecting citizens, patients, and consumers, are taking enforcement action.