Senate HELP debates cybersecurity, data privacy policy in hearing as Medicaid cuts loom

The Senate Health, Education, Labor and Pensions Committee held a hearing on Wednesday to address consumer health data privacy and cybersecurity vulnerabilities for healthcare organizations.

The hearing was led by Republican Senator Bill Cassidy, a physician from Louisiana. While Cassidy attempted to keep the hearing focused on the issues of data privacy and cybersecurity, Senator Bernie Sanders, I-Vt., kept his remarks and questioning focused on the impacts of Trump’s domestic policy agenda, signed into law last week. 

Sanders said in his opening remarks that the issue of cybersecurity pales in comparison to the healthcare impacts of reconciliation. He cited the projections of the Congressional Budget Office that 17 million people will lose healthcare coverage because of the passage of the bill and the expiration of the enhanced Affordable Care Act premium tax credits.

He also cited research from Yale and the University of Pennsylvania that found 51,000 individuals will die each year from reduced access to healthcare because of the bill. Two witnesses, an epidemiologist at Yale and the co-president of the advocacy group Public Citizen, echoed Sanders' concerns and cited the same statistics.

Chairman Cassidy grew increasingly frustrated with Sanders’ insistence on rehashing the tax package. “No, I’ve got the gavel, Bernie,” Cassidy said, banging the gavel as Sanders tried to rebut a comment. “Thank you [to] those of you who are actually talking about cybersecurity.”

Cassidy promoted his bill, the Health Care Cybersecurity and Resiliency Act of 2024, which would provide grants to healthcare organizations victimized by cyberattacks, support education on cybersecurity and improve federal agency coordination during cyber incidents. 

Cassidy asked if the Health Insurance Portability and Accountability Act (HIPAA) would be expanded to cover consumer health data, such as the data collected by wearables. Wearables were a notable topic of conversation during the hearing, echoing the assertion by HHS Secretary Robert F. Kennedy Jr. that all Americans will have a wearable in the next five years.

Rene Quashie, vice president of digital health at the Consumer Technology Association, advocated for a new federal health privacy law that considers modern technology rather than expanding the 1996 law.

The two other Democrats who questioned the witnesses, Sen. Maggie Hassan, New Hampshire, and Sen. John Hickenlooper, Colorado, discussed the healthcare cuts in reconciliation, but also spent a portion of their five-minute allotments on cybersecurity.  

The senators spoke about rural hospitals in their states affected by cyberattacks, especially the Change Healthcare cyberattack in February 2024. Hassan said rural hospitals in her state are still dealing with the impacts of the breach.

Linda Stevenson, chief information officer at Fisher-Titus, a health system in Ohio, told Hassan that the federal government should offer rural hospitals leniency in breach reporting requirements, extensions of claim processing deadlines, assistance with advanced payments, support with emergency services and reduced liability for reporting breaches.

“When hospitals face budget constraints due to stagnant payment rates, they are often forced to reprioritize spending, redirecting limited resources toward immediate operational and patient care needs and away from long-term investments like cybersecurity,” Stevenson said in her opening statement. “This challenge is even more acute for rural hospitals, the majority of which are operating at a loss—50% are in the red in 2024, up from 43% the previous year. Their ability to make strategic investments in cybersecurity and workforce is severely limited.”

Sen. Jon Husted, R-Ohio, countered Sanders, submitting a letter from rural hospitals in Ohio that support the Republican-led reconciliation bill and say their funding will increase by 24% due to its passage. Husted pointed to the $50 billion rural hospital fund that was included in the package.

Robert Weissman, co-president of Public Citizen, said rural hospitals are projected to lose three times as much money due to the cuts to Medicaid. "The bill’s Medicaid cuts will strip an estimated $155 billion from rural health care, far more than the bill’s rural health fund will provide," he said in his opening statement. "Modeling from the National Rural Health Association suggests rural hospitals will lose more than $70 billion—a more than 20% reduction in their Medicaid funding."

Sen. Josh Hawley, R-Mo., emphasized the importance of rural hospitals in serving their communities and highlighted their need for additional assistance to respond to cyberattacks. Hawley promoted his bill, the Rural Hospital Cybersecurity Enhancement Act, which would require HHS to create a strategy to increase the cybersecurity workforce.

Several policy recommendations were made during the hearing. Witnesses Greg Garcia, CEO of the Cybersecurity Working Group at the Healthcare Sector Coordinating Council, and Stevenson urged HHS to rework the proposed changes to the HIPAA Security Rule. 

Quashie urged Congress to enact a comprehensive federal privacy law that preempts the current patchwork of state privacy laws. He argued that allowing states to govern data privacy is burdensome for companies and confusing for consumers. 

“Currently, there is a patchwork of 20 state privacy laws,” Quashie said. “For businesses, especially small businesses and startups, this stifles innovation and creates unnecessary barriers to entry. Navigating conflicting or inconsistent requirements increases legal risk, drives up operational costs and makes it harder to build uniform products and services that meet consumer expectations nationwide. For consumers, it makes little sense why one person located in one state might have differing rights than another in a different state, even if they are using the same product.”