
By Elaina M. Maragakis, JD

Originally published in Utah Physician Magazine

Although HIPAA’s privacy and security provisions have been part of the healthcare lexicon for decades, many healthcare providers still lack basic cybersecurity protocols that address the changing privacy landscape and reflect the expanding use of technology and data.

The Senate Finance Committee cited an FBI finding that “the health care sector is now the #1 target of ransomware,”1 and the failure of many healthcare providers to adequately address this threat on their own prompted Sens. Mark Warner (D-VA) and Ron Wyden (D-OR) to introduce The Health Infrastructure Security and Accountability Act of 2024 (HISAA), which aims to enhance cybersecurity practices and imposes stringent penalties for failure to comply.

Unlike some prior voluntary cybersecurity practices, HISAA would add teeth to its requirements by providing for civil and criminal penalties. Senator Warner explained, “It’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety.” According to Senator Wyden, “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system.”2

HISAA would introduce mandatory cybersecurity standards and protocols for covered entities and business associates (collectively, “Entities” or “Entity”), following a larger trend emerging across the country of outlining specific standards and requiring mandatory compliance with them.

SECURITY REQUIREMENTS

Although the security requirements are not yet outlined with specificity, the U.S. Department of Health and Human Services (HHS) would be charged with developing regulations for minimum security requirements and enhanced security requirements for Entities of “systemic importance to national security,” as determined in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence.3

RISK ANALYSIS, REPORTING, AUDITS

To ensure compliance with the security requirements, HISAA proposes imposing extensive requirements on Entities to conduct and document testing and analysis, including requiring the following annually:

  • Conduct and document a security risk analysis
  • Document a response plan for a natural disaster, disruptive cyber incident, or other technological failure
  • Conduct a “stress test” to determine if the Entity has the capacity to recover essential functions
  • Provide a written statement that the Entity is in compliance with applicable security requirements
  • Publish specific information regarding HISAA compliance on a publicly available website.4

HISAA would also require the Entity to contract with an independent auditor to conduct an annual audit to assess the Entity’s compliance with applicable requirements.5

In an effort to demonstrate that HHS will actively enforce HISAA’s provisions, HHS is also required to audit at least 20 Entities annually.6

PENALTIES

As with any legislation, HISAA’s effectiveness is largely based on the potential penalties for noncompliance, and HISAA would leverage both civil and criminal penalties for failure to comply with its provisions:

Violation | Penalty type | Penalty
Failure to timely submit or document required action; failure to comply with an audit; or failure to comply with records and compliance reports, cooperate with investigations and compliance reviews, or permit access to information under 45 C.F.R. 160.310 | Civil | $5,000/day per failure
Submitting documentation or a report knowingly containing false information, or willfully failing to timely submit required documentation or reports | Criminal | Up to $1,000,000 and/or imprisonment for up to 10 years
Failure to comply with security requirements (no knowledge) | Civil | Minimum of $500
Failure to comply with security requirements (reasonable cause) | Civil | Minimum of $5,000
Failure to comply with security requirements (willful neglect, corrected) | Civil | Minimum of $50,000
Failure to comply with security requirements (willful neglect, uncorrected) | Civil | Minimum of $250,000

In imposing penalties, HHS may consider the Entity’s size, compliance history, and good faith efforts to comply.7

Finally, HISAA authorizes HHS to impose a “user fee” on covered Entities “for the purpose of carrying out oversight and enforcement activities.”8

INCENTIVES

HISAA also allocates $800 million in “up-front investment payments over two years for 2,000 rural and urban safety net hospitals to adopt essential cybersecurity standards that address high-risk cybersecurity vulnerabilities to data infrastructure and patient health information,” and $500 million to “incentivize all hospitals to adopt enhanced cybersecurity practices that address known vulnerabilities to data infrastructure and patient health information.”9

Although the fate of HISAA remains unknown, it signals a renewed emphasis on protecting patient information, which goes beyond well-established HIPAA requirements and ushers in a new era of cybersecurity regulations for entities.

This article is not legal advice. Contact an attorney for specific advice.


About the Author

Elaina M. Maragakis, JD, is a shareholder and director and practices in Ray Quinney & Nebeker’s litigation section. Her practice focuses on complex commercial litigation, including the representation of healthcare entities in litigation, HIPAA analysis, and medical staffing issues.

Ms. Maragakis is also Chair of the Firm’s Cybersecurity and Privacy practice group.


Endnotes
  1. https://www.finance.senate.gov/imo/media/doc/health_infrastructure_security_and_accountability_act_one-pager.pdf
  2. https://www.finance.senate.gov/chairmans-news/wyden-and-warner-introduce-bill-to-set-strong-cybersecurity-standards-for-american-health-care-system
  3. HISAA § 101(a)(5)(B)(i)
  4. Id. § 102(a)(3)(A)
  5. Id. § 102(b)(4)(A)
  6. Id. § 102(c)(5)(A)
  7. HISAA §§ 102(d)(6), 103(d); https://www.finance.senate.gov/imo/media/doc/health_infrastructure_security_and_accountability_act_sxs.pdf
  8. HISAA § 104(7)(B)
  9. https://www.finance.senate.gov/imo/media/doc/health_infrastructure_security_and_accountability_act_sxs.pdf
Health Infrastructure Security and Accountability Act of 2024 – Potential Ramifications for Providers was last modified: April 16th, 2025 by RQN