[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 5218 Introduced in Senate (IS)]
118th CONGRESS
2d Session
S. 5218
To amend titles XI and XVIII of the Social Security Act to strengthen,
increase oversight of, and compliance with, security standards for
health information, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
September 25, 2024
Mr. Wyden (for himself and Mr. Warner) introduced the following bill;
which was read twice and referred to the Committee on Finance
_______________________________________________________________________
A BILL
To amend titles XI and XVIII of the Social Security Act to strengthen,
increase oversight of, and compliance with, security standards for
health information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Health
Infrastructure Security and Accountability Act of 2024''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--STRENGTHENING AND INCREASING OVERSIGHT OF, AND COMPLIANCE
WITH, SECURITY STANDARDS FOR HEALTH INFORMATION
Sec. 101. Security requirements.
Sec. 102. Security risk management, reporting requirements, and audits
for covered entities and business
associates.
Sec. 103. Increased civil penalties for failure to comply with security
standards and requirements for health
information.
Sec. 104. User fee to support data security oversight and enforcement
activities.
TITLE II--MEDICARE ASSISTANCE TO ADDRESS CYBERSECURITY INCIDENTS
Sec. 201. Medicare safe cybersecurity practices adoption program for
eligible hospitals and critical access
hospitals.
Sec. 202. Medicare accelerated and advanced payments in response to
cybersecurity incidents.
TITLE I--STRENGTHENING AND INCREASING OVERSIGHT OF, AND COMPLIANCE
WITH, SECURITY STANDARDS FOR HEALTH INFORMATION
SEC. 101. SECURITY REQUIREMENTS.
(a) In General.--Section 1173(d)(1) of the Social Security Act (42
U.S.C. 1320d-2(d)(1)) is amended--
(1) in subparagraph (A), by redesignating clauses (i)
through (v) as subclauses (I) through (V) respectively and
indenting appropriately;
(2) by redesignating subparagraphs (A) and (B) as clauses
(i) and (ii) respectively and indenting appropriately;
(3) by striking ``Security standards.--The Secretary'' and
inserting the following: ``Minimum security standards.--
``(A) In general.--The Secretary'';
(4) in subparagraph (A), as added by paragraph (3)--
(A) in clause (i)(V), by striking ``and'' at the
end;
(B) in clause (ii), by striking the period at the
end and inserting ``; and''; and
(C) by adding at the end the following new clause:
``(iii) include minimum and enhanced
security requirements adopted under
subparagraph (B)''; and
(5) by adding at the end the following new subparagraph:
``(B) Minimum and enhanced security requirements.--
``(i) Adoption.--Subject to clauses (iii)
and (iv), in order to protect health
information, protect patient safety, and ensure
the availability and resiliency of health care
information systems and health care
transactions, the Secretary shall adopt--
``(I) minimum security requirements
for covered entities and business
associates; and
``(II) enhanced security
requirements for covered entities and
business associates that--
``(aa) are of systemic
importance, as determined by
the Secretary; or
``(bb) are important to
national security, as
determined by the Secretary, in
consultation with the Director
of Cybersecurity and
Infrastructure Security Agency
and the Director of National
Intelligence.
``(ii) Application of enhanced security
requirements.--
``(I) Notification.--The Secretary
shall, at a time and in a manner
determined appropriate by the
Secretary, notify each covered entity
and business associate that is subject
to the enhanced security requirements
under clause (i)(II).
``(II) Limitation on review.--There
shall be no administrative or judicial
review under section 1869, 1878, or
otherwise of the methodology the
Secretary uses to determine whether a
covered entity or business associate is
subject to the enhanced security
requirements under clause (i)(II).
``(iii) Factors.--In addition to the
factors described in subparagraph (A)(i), in
developing--
``(I) the minimum security
requirements under clause (i)(I), the
Secretary shall, in consultation with
the Director of Cybersecurity and
Infrastructure Security Agency and the
Director of National Intelligence,
design the requirements to prevent--
``(aa) cyber incidents
utilizing the tools and
strategies used to target
covered entities or business
associates;
``(bb) the potential harms,
as defined by the Secretary, to
national security that could
result from a cyber incident
involving a covered entity or
business associate;
``(cc) the potential harms,
as defined by the Secretary, to
patients that could result from
a cyber incident involving a
covered entity or business
associate; and
``(dd) other potential
harms from cyber incidents, as
determined appropriate by the
Secretary; and
``(II) the enhanced security
requirements under clause (i)(II), the
Secretary shall, in consultation with
the Director of the Cybersecurity and
Infrastructure Security Agency and the
Director of National Intelligence,
design the requirements to prevent the
potential harms described in subclause
(I) and protect against the specific
threats the covered entities and
business associates described in such
clause face.
``(iv) Review and update of requirements.--
The Secretary shall review and update the
minimum and enhanced security requirements
adopted under clause (i) not less frequently
than every 2 years.
``(v) Effective date and rulemaking.--
``(I) Effective date.--The
requirements under this subparagraph
shall take effect on the date that is 2
years after the date of enactment of
this subparagraph.
``(II) Rulemaking.--Not later than
18 months after the date of enactment
of this subparagraph, the Secretary
shall promulgate regulations to carry
out this subparagraph.
``(vi) Definitions.--For purposes of this
subsection:
``(I) Business associate.--The term
`business associate' has the meaning
given such term in section 160.103 of
title 45, Code of Federal Regulations
(or a successor regulation).
``(II) Covered entity.--The term
`covered entity' has the meaning given
that term in section 160.103 of title
45, Code of Federal Regulations (or a
successor regulation).
``(III) Systemic importance.--The
term `systemic importance' means, with
respect to a covered entity or business
associate, that the failure of, or a
disruption to, such entity or associate
would have a debilitating impact on
access to health care or the stability
of the health care system of the United
States (as determined by the
Secretary).''.
(b) Availability of Health Information.--Section 1173(d)(2)(A) of
the Social Security Act (42 U.S.C. 1320d-2(d)(2)(A)) is amended by
striking ``the integrity and confidentiality'' and inserting ``the
availability, integrity, and confidentiality''.
SEC. 102. SECURITY RISK MANAGEMENT, REPORTING REQUIREMENTS, AND AUDITS
FOR COVERED ENTITIES AND BUSINESS ASSOCIATES.
(a) Security Risk Management and Reporting.--Section 1173(d) of the
Social Security Act (42 U.S.C. 1320d-2(d)) is amended by adding at the
end the following new paragraph:
``(3) Security risk management and reporting.--
``(A) In general.--Each covered entity and business
associate shall at a minimum, on an annual basis--
``(i) conduct and document a security risk
analysis, including information regarding the
manner and extent to which such entity or
associate is exposed to risk through its
business associates;
``(ii) document a plan for a rapid and
orderly resolution in the event of a natural
disaster, disruptive cyber incident, or other
technological failure to its information
systems or those of its business associates;
``(iii) conduct a stress test to evaluate
whether such entity or associate has the
capabilities and planning necessary to recover
essential functions, such as patient care
operations and transactions described in
subsection (a)(2), following a cyber incident,
a natural disaster, or other substantial threat
to health care operations, as determined by the
Secretary;
``(iv) document whether, based upon the
results of the stress test described in clause
(iii), the covered entity or business associate
revised the most recent plan described in
clause (ii);
``(v) provide a written statement signed by
the chief executive officer and chief
information security officer (or equivalent
thereof) stating that the covered entity or
business associate is in compliance with
security requirements adopted under part 160 of
title 45, Code of Federal Regulations, and
subparts A and C of part 164 of title 45, Code
of Federal Regulations (or a successor
regulation), including the applicable security
requirements adopted under paragraph (1)(B);
and
``(vi) publish on a publicly accessible
website--
``(I) whether the covered entity or
business associate has received a
notification from the Secretary
pursuant to paragraph (1)(B)(ii)(I);
``(II) whether the covered entity
or business associate meets the minimum
security requirements and, if
applicable, the enhanced security
requirements under paragraph (1)(B);
and
``(III) a copy of each statement
provided under clause (v) with respect
to each year in a machine-readable
format.
``(B) Stress test methodology.--The Secretary shall
provide for not less than 2 different sets of
conditions under which the test described in
subparagraph (A)(iii) is to be conducted.
``(C) Waiver authority.--The Secretary may waive
the requirements of this paragraph with respect to a
covered entity or business associate if the burden on
the entity or associate significantly outweighs the
benefits, taking into account the revenue of the entity
or associate, the volume of protected health
information or health care transactions processed by
the entity or associate, and such other factors as the
Secretary determines appropriate.
``(D) Reporting.--
``(i) In general.--Subject to clause (ii),
each covered entity and business associate
shall submit the documentation required under
subparagraph (A) at such time, in such form,
and containing such information as the
Secretary may require.
``(ii) Annual reporting for covered
entities and business associates subject to
enhanced security requirements.--Each covered
entity and business associate that is subject
to enhanced security requirements shall submit
the documentation required under subparagraph
(A) to the Secretary not less frequently than
on an annual basis.
``(E) Definitions.--For purposes of this
subsection:
``(i) Cyber incident.--The term `cyber
incident' has the meaning given the term
`incident' in section 2200(12) of the Homeland
Security Act of 2002 (6 U.S.C. 650(12)).
``(ii) Machine-readable.--The term
`machine-readable' has the meaning given such
term in section 3502 of title 44, United States
Code.
``(iii) Stress test.--The term `stress
test' means an extensive real-world simulation
intended to test the operational resilience of
the health care operations of a covered entity
or business associate in response to a
substantial interruption in information
systems, including the ability to--
``(I) continue to provide essential
care and services during and in the
recovery period from such substantial
interruption; and
``(II) timely rebuild the
information systems (as defined in
section 2200(14) of the Homeland
Security Act of 2002 (6 U.S.C.
650(14))) of such covered entity or
business associate.
``(F) Effective date.--The requirements under this
paragraph shall take effect on the date that is 3 years
after the date of enactment of this paragraph.''.
(b) Independent Security Compliance Audits.--Section 1173(d) of the
Social Security Act (42 U.S.C. 1320d-2(d)), as amended by subsection
(a), is amended by ad