“To prohibit the authorization of certain individuals to access certain systems containing individually identifiable health information.”
No CRS summary available for this bill.
This section prohibits authorizing any individual to access Department of Health and Human Services (HHS) systems containing individually identifiable health information (defined in the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320d(6)), unless (1) the individual is an HHS officer, employee, or contractor eligible to access the system or data prior to January 20, 2025, and remains eligible thereafter; or (2) the individual holds an appropriate security clearance under 50 U.S.C. 3161, their access complies with 18 U.S.C. 208 (conflict of interest), is not a special Government employee (per 18 U.S.C. 202), has at least one year of continuous civil service, has completed required privacy/cybersecurity training, and has signed an ethics agreement with HHS or the Office of Government Ethics. (Thus, special Government employees—typically those serving 130 days or fewer in any 365-day period—are generally barred from such access.) It imposes criminal penalties of up to five years imprisonment or fines for knowing violations, with a 10-year statute of limitations. The HHS Inspector General must investigate unauthorized access and report to Congress within 30 days, detailing the incident, risks to privacy/security/integrity, and any stopped payments.