The bill strengthens patient data privacy, cybersecurity controls, and federal oversight to reduce breaches, but does so at the cost of tighter access for researchers and contractors, greater legal risk and compliance costs for staff, and potentially reduced workforce flexibility during emergencies.
Patients (especially those with chronic conditions) and hospitals/health systems will be covered by stronger protections and controls on identifiable health records, including access restrictions and staff training, reducing the risk of privacy breaches and care-disrupting data incidents.
Federal oversight will increase because the bill requires OIG investigations of incidents and 30-day reporting to Congress, improving transparency and accountability after breaches.
Researchers, contractors, and some specialists may lose or face more restricted access to identifiable health data, delaying research and operational work that depends on that data.
New criminal penalties and a 10-year statute of limitations increase legal risk for staff and contractors, which could deter legitimate support or outsourcing and raise staffing or compliance costs for affected organizations.
Restrictive eligibility rules for access (e.g., requiring one year of continuous civil service and excluding special government employees) may reduce surge capacity and complicate interagency collaboration during emergencies.
Based on analysis of 2 sections of legislative text.
Stops most access to HHS systems with identifiable health data except narrowly defined HHS personnel and specially vetted individuals, adds criminal penalties, and requires 30-day OIG reports on unauthorized access.
Introduced March 26, 2025 by Diana DeGette · Last progress March 26, 2025
Prohibits authorization or access to HHS computer systems that contain individually identifiable health information except for narrowly defined HHS personnel and specially vetted non-HHS individuals, and creates criminal penalties and a 10-year statute of limitations for violations. Requires the HHS Inspector General to investigate and report to Congress within 30 days on any unauthorized access to those systems. Access is limited to HHS officers, employees, or contractors who were eligible before Jan 20, 2025 and remained eligible, or to non-HHS persons who meet strict criteria (national-security clearance, not a special Government employee, at least one year of continuous civil service, completed training, and signed an ethics agreement). The measure defines covered systems as HHS-maintained systems containing individually identifiable health information under existing law.