Capitol Insights Newsletter

Authors: Luke Schwartz and Matt Reiter

What happened in Congress this week?

Congress will be out of session until after the November 5 election.

Senators Introduce Major Healthcare Cybersecurity Bill

On September 26, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the Health Infrastructure Security and Accountability Act in the Senate. This bill proposes major changes to the cybersecurity requirements for the Health Insurance Portability and Accountability Act (HIPAA)-covered entities (CEs) and HIPAA Business Associates (BAs). This bill aims to improve health sector cybersecurity following cyberattacks on Change Healthcare and other entities this year.

The bill breaks down CEs and BAs into groups:

  • Those required to follow Minimum Security Requirements
  • Those required to follow Enhanced Security Requirements (in addition to the minimum standards)

All CEs and BAs would be subject to the minimum security requirements. These entities would be responsible for drafting a robust security risk analysis, creating a formal incident response plan, and conducting self-audits and stress tests.

CEs and BAs that are deemed of “systemic importance” will have to follow the minimum standards for the first group plus additional enhanced security requirements. A CE or BA of systemic importance is defined as an entity for which “the failure of, or a disruption to, such entity or associate would have a debilitating impact on access to health care or the stability of the health care system of the United States (as determined by the Secretary)”. It also includes those healthcare entities that are important to national security.

Entities of systemic importance would be required to submit annual submissions of their cybersecurity practices to the Secretary of the Department of Health and Human Services (HHS). Notably, the bill contains language that the Secretary has the decision to waive reporting requirements if the “burden [of submitting a formal cybersecurity annual report] significantly outweighs the benefits.” The Secretary would be required to conduct at least 20 annual audits of the data security practices of CEs or BAs.

The bill requires HHS to create both the minimum and enhanced security requirements within two years of the bill’s enactment.

The bill authorizes HHS to use standard rulemaking procedures to further define the specific standards that entities in each group must follow. This differentiation is crucial, as it separates the cybersecurity requirements for individual physician practices, which will likely adhere to minimum security requirements, from larger organizations such as major healthcare systems or UnitedHealth Care, which would likely be subject to the enhanced requirements.

To pay for the bill, HHS would be authorized to charge CEs and BAs a user fee proportional to their share of National Healthcare Expenditures. The bill also allocates $800 million to help rural and urban safety-net hospitals achieve compliance, and $500 million for other hospitals to do the same.

Additionally, the bill proposes lifting existing HIPAA fine caps, aiming to deter CEs and BAs from possessing non-compliant cybersecurity practices. It also introduces potential jail time for CEOs who provide false information to the government regarding their cybersecurity practices.

The bill would also codify HHS’s authority to provide advanced and accelerated payments to Medicare Part A and B providers if there is a “significant” cash flow problem stemming from a cybersecurity attack. This would address a major issue from the Change Healthcare cyberattack response, where it took CMS weeks to determine whether it had the authority to make advanced and accelerated Medicare payments available without a public health emergency declaration.

At the time of writing this, the two sponsors are Democrats on the Senate Finance Committee. There are no Republicans on the bill, despite widespread bipartisan interest in passing healthcare cybersecurity legislation this year.

Top Stories in Healthcare Policy

CMS announced that Medicare Advantage and Part D premiums will decrease slightly in 2025, while benefits and the number of MA plans to choose from will remain stable.

Vice President Harris brought health policy to the forefront of her presidential campaign last week as her campaign published a report of what health policy would supposedly look like under a second Trump administration. The report focused on reproductive rights, rising premiums and out-of-pocket costs, cuts to Medicare/Medicaid, and an increase in prescription drug prices.

California Governor Gavin Newsom vetoed a bill that would mandate licensing and regulation of pharmacy benefit managers (PBM), despite the bill having almost unanimous support from the state legislature. In his veto letter, Newsom expressed concerns that the bill might not improve access to prescription drugs, claiming more information is needed on PBM’s downstream impacts on drug costs.

HHS has released its final guidance for the second cycle of Medicare Drug Price Negotiations. This year up to 15 Part D drugs will be selected for negotiation. The list of drugs will be released no later than February 1, 2025.

CMS is providing advanced and accelerated Medicare payments to providers impacted by Hurricane Helene.

A GAO Report has found that many hospitals are failing to adhere to public pricing disclosures required by CMS as of 2021. This has renewed calls for healthcare price transparency legislation.

As Medicare’s annual enrollment period approaches, many health insurance providers are decreasing the number of Medicare Advantage plans they are offering for next year, while others are expanding their offerings with new plans and benefits.

CMS announced that for CY 2025, 62 Medicare Advantage organizations will participate in the Value-Based Insurance Design Model across 48 states, Washington D.C., and Puerto Rico. The program will offer enhanced supplemental benefits and aim to address disparities in healthcare.