In the wake of Change Healthcare’s February 2024 ransomware attack, which affected the protected health information (PHI) of at least 100 million individuals — the largest breach of PHI in history — the federal government’s regulation of cybersecurity through HIPAA (Health Insurance Portability and Accountability Act) has come under intense scrutiny. In response, a bipartisan bill introduced in Congress would create a new law alongside HIPAA, the Health Infrastructure Security and Accountability Act (HISAA), imposing significant new security requirements on HIPAA-covered entities and business associates, especially those that governmental authorities consider important to US national security.
Cybersecurity in Healthcare
The health sector has long been a target for ransomware, given the value of its data and the costs associated with protecting that data. Many small health providers consider the costs of establishing strong security controls to be prohibitive. Moreover, health providers are not alone in this struggle; vendors of health providers are also vulnerable to cyberattacks, and governmental authorities have recently been discussing increased enforcement of security compliance for such healthcare-focused vendors. Cybersecurity failures such as the Change Healthcare ransomware incident have resulted in disruptions to patient care and threats to patient identities and data on a larger scale; such vendors aggregate data from many health providers and thus maintain the PHI of many patients.
The Current State of HIPAA
Security requirements are detailed under the HIPAA Security Rule. These include administrative safeguards, such as security awareness training; physical safeguards, including facility access control and password management; and technical safeguards, such as transmission security and audit controls. An important piece of these requirements is the periodic security risk assessment, which is intended to identify potential risks and vulnerabilities that can be addressed to improve overall security posture. It is not uncommon for small health providers and vendors to fail to perform periodic security risk assessments, which would otherwise uncover abusable entry points for ransomware attacks and other cybersecurity threats.
HISAA Versus HIPAA
HISAA would create new security requirements that go beyond the HIPAA Security Rule under two sets of regulations: one to establish minimum security requirements and one to establish additional, enhanced security requirements for certain entities determined to be important to US national security. New regulations would be developed in consultation with the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence, and they would be reviewed semiannually for revisions and updates. These new requirements would include annual risk assessments (more stringent than the HIPAA security risk assessment) and stress tests to evaluate recovery capabilities and plans for rapid case resolution in the event of a cyber incident, along with annual audits by independent third parties to assess compliance with HISAA, which would be reported to the Department of Health and Human Services (HHS). Fines for noncompliance with the HISAA requirements would be based on a tier system similar to that of HIPAA but with no statutory caps. HISAA would also include criminal penalties for false reporting.
The biggest concern regarding HISAA is likely to be the added costs associated with new cybersecurity requirements. HISAA authorizes HHS to charge fees to covered entities and business associates to cover costs associated with enforcement and oversight. HISAA would provide $800 million in Medicare assistance to critical access hospitals and $500 million to other hospitals that adopt HISAA-compliant cybersecurity policies. Questions remain as to how HISAA would affect smaller health providers that already struggle to comply with HIPAA security requirements.
Conclusion
HISAA would create new cybersecurity requirements, adjunct to HIPAA’s Security Rule, with a new framework for enforcement and oversight. Goodwin’s healthcare regulatory attorneys will continue to monitor HISAA and other cybersecurity regulation proposals.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Jonathan Ishee, Partner
- Michael Paluzzi, Associate