On September 26, 2024, the Health Infrastructure Security and Accountability Act was introduced in the U.S. Senate. The bill would amend the Health Insurance Portability and Accountability Act (HIPAA) and direct the U.S. Department of Health and Human Services (HHS) to develop new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates.” It would further mandate annual cybersecurity audits and stress tests for healthcare entities, with particular waivers for small providers. To fund these new endeavors, the bill would remove fine caps for large corporations, fund the HHS’s oversight through user fees, and allocate $1.3 billion to hospitals for cybersecurity improvements.

HHS has indicated its backing of the bill, with Deputy Secretary Andrea Palm stating, “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.” At this writing, the American Hospital Association (AHA) has declined to comment on the bill.

One of the bill’s sponsors, Senator Ron Wyden of Oregon, has commented that the bill is necessary because “megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result.” UnitedHealth’s subsidiary Change Healthcare was subject to one of the largest ransomware attacks in America’s history, leading to significant impacts on patients and healthcare providers. The fallout from this ransomware breach continues to be felt across the healthcare industry.

Given that the bill was introduced as Congress concluded its last day of business until the upcoming election, it is unlikely to progress any further during this legislative session. Moreover, depending upon the outcome of the upcoming election, the bill faces an uncertain future. Nevertheless, the healthcare industry is likely to continue to face pressure to improve its cybersecurity standards, whether voluntarily or through legal mandates.

John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.