Senators introduce health care cybersecurity bill

October 7, 2024

Senators Ron Wyden (D-OR) and Mark Warner (D-VA) recently introduced the Health Infrastructure Security and Accountability Act in the Senate. This bill proposes major changes to the cybersecurity requirements for HIPAA-covered entities (CEs) and HIPAA Business Associates (BAs). The bill aims to improve health sector cybersecurity following cyberattacks on Change Healthcare and other entities this year.

The bill breaks down CEs and BAs into groups:

  • Those required to follow Minimum Security Requirements
  • Those required to follow Enhanced Security Requirements (in addition to the minimum standards)

Minimum Security Requirements

All CEs and BAs would be subject to the minimum security requirements and would be responsible for:

  • drafting a robust security risk analysis
  • creating a formal incident response plan
  • conducting self-audits and stress tests

CEs and BAs who are deemed of “systemic importance” will have to follow the minimum standards plus additional enhanced security requirements. A CE or BA of systemic importance is defined as an entity that “the failure of, or a disruption to, such entity or associate would have a debilitating impact on access to health care or the stability of the health care system of the United States (as determined by the Secretary)”.

It also includes those health care entities that are important to national security.

Entities of systemic importance would be required to submit an annual report on their cybersecurity practices to the Secretary of HHS. The bill states that the Secretary can waive this reporting requirement if the burden of submitting a formal annual cybersecurity report significantly outweighs the benefits. The Secretary would be required to conduct at least 20 annual audits of the data security practices of CEs or BAs.

The bill requires HHS to create both the minimum and enhanced security requirements within two years of the bill’s enactment.

The bill authorizes HHS to use standard rulemaking procedures to further define the specific standards that entities in each group must follow. This differentiation is crucial, as it separates the cybersecurity requirements for individual physician practices, which will likely adhere to the minimum security requirements, from larger organizations, such as major health care systems like UnitedHealthcare, which will most likely follow the enhanced requirements.

To pay for the bill, HHS would be authorized to charge CEs and BAs a user fee proportional to their share of National Health Care Expenditures. The bill also allocates $800 million to help rural and urban safety-net hospitals achieve compliance, and $500 million for other hospitals to do the same.

Independent practices, including allergy practices, are not eligible for this funding.

Additionally, the bill proposes lifting existing HIPAA fine caps, aiming to deter CEs and BAs from maintaining noncompliant cybersecurity practices. It also introduces potential jail time for CEOs who provide false information to the government regarding their cybersecurity practices.

The bill would also codify HHS’s authority to provide advanced and accelerated payments to providers for Medicare Part A and B if there is a “significant” cash flow problem stemming from a cybersecurity attack. This would address a major issue from the Change Healthcare cyberattack response. It took CMS weeks to determine if it had the authority to make advanced and accelerated Medicare payments available without a public health emergency declaration.

At the time of this writing, the two sponsors are Democrats on the Senate Finance Committee. There are no Republicans on the bill, despite widespread bipartisan interest in passing health care cybersecurity legislation this year.

While ACAAI fully acknowledges the critical importance of health care cybersecurity, the Advocacy Council plans to support exceptions for small practices and will continue to advocate against unfinanced directives that serve as de facto decreases to allergists’ reimbursements and increase administrative burdens on allergy practices.

The Advocacy Council – ADVOCATING FOR ALLERGISTS AND THEIR PATIENTS.