| 1 | 1 | | |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW. |
|---|
| 4 | 4 | | [Brackets] indicate matter deleted from existing law. |
|---|
| 5 | 5 | | *hb1123* |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | HOUSE BILL 1123 |
|---|
| 8 | 8 | | J3, S2 4lr3299 |
|---|
| 9 | 9 | | CF 4lr2135 |
|---|
| 10 | 10 | | By: Delegate Kerr |
|---|
| 11 | 11 | | Introduced and read first time: February 7, 2024 |
|---|
| 12 | 12 | | Assigned to: Health and Government Operations |
|---|
| 13 | 13 | | |
|---|
| 14 | 14 | | A BILL ENTITLED |
|---|
| 15 | 15 | | |
|---|
| 16 | 16 | | AN ACT concerning 1 |
|---|
| 17 | 17 | | |
|---|
| 18 | 18 | | Maryland Health Care Commission – Health Care Facilities – Cybersecurity for 2 |
|---|
| 19 | 19 | | Hospitals 3 |
|---|
| 20 | 20 | | |
|---|
| 21 | 21 | | FOR the purpose of requiring the Maryland Health Care Commission to adopt minimum 4 |
|---|
| 22 | 22 | | cybersecurity standards for hospitals and take certain other actions related to the 5 |
|---|
| 23 | 23 | | cybersecurity of hospitals, including supporting hospitals that do not meet the 6 |
|---|
| 24 | 24 | | minimum cybersecurity standards; requiring hospitals to comply with the 7 |
|---|
| 25 | 25 | | cybersecurity standards adopted by the Commission; requiring the Secretary of 8 |
|---|
| 26 | 26 | | Health to consider cybersecurity standards for hospitals when issuing a license to a 9 |
|---|
| 27 | 27 | | hospital; and generally relating to cybersecurity for hospitals. 10 |
|---|
| 28 | 28 | | |
|---|
| 29 | 29 | | BY repealing and reenacting, with amendments, 11 |
|---|
| 30 | 30 | | Article – Health – General 12 |
|---|
| 31 | 31 | | Section 19–103 13 |
|---|
| 32 | 32 | | Annotated Code of Maryland 14 |
|---|
| 33 | 33 | | (2023 Replacement Volume) 15 |
|---|
| 34 | 34 | | |
|---|
| 35 | 35 | | BY adding to 16 |
|---|
| 36 | 36 | | Article – Health – General 17 |
|---|
| 37 | 37 | | Section 19–113 18 |
|---|
| 38 | 38 | | Annotated Code of Maryland 19 |
|---|
| 39 | 39 | | (2023 Replacement Volume) 20 |
|---|
| 40 | 40 | | |
|---|
| 41 | 41 | | SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 21 |
|---|
| 42 | 42 | | That the Laws of Maryland read as follows: 22 |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | Article – Health – General 23 |
|---|
| 45 | 45 | | |
|---|
| 46 | 46 | | 19–103. 24 |
|---|
| 47 | 47 | | |
|---|
| 48 | 48 | | (a) There is a Maryland Health Care Commission. 25 2 HOUSE BILL 1123 |
|---|
| 49 | 49 | | |
|---|
| 50 | 50 | | |
|---|
| 51 | 51 | | |
|---|
| 52 | 52 | | (b) The Commission is an independent commission that functions in the 1 |
|---|
| 53 | 53 | | Department. 2 |
|---|
| 54 | 54 | | |
|---|
| 55 | 55 | | (c) The purpose of the Commission is to: 3 |
|---|
| 56 | 56 | | |
|---|
| 57 | 57 | | (1) Develop health care cost containment strategies to help provide access 4 |
|---|
| 58 | 58 | | to appropriate quality health care services for all Marylanders, after consulting with the 5 |
|---|
| 59 | 59 | | Health Services Cost Review Commission; 6 |
|---|
| 60 | 60 | | |
|---|
| 61 | 61 | | (2) Promote the development of a health regulatory system that provides, 7 |
|---|
| 62 | 62 | | for all Marylanders, financial and geographic access to quality health care services at a 8 |
|---|
| 63 | 63 | | reasonable cost by: 9 |
|---|
| 64 | 64 | | |
|---|
| 65 | 65 | | (i) Advocating policies and systems to promote the efficient delivery 10 |
|---|
| 66 | 66 | | of and improved access to health care services; and 11 |
|---|
| 67 | 67 | | |
|---|
| 68 | 68 | | (ii) Enhancing the strengths of the current health care service 12 |
|---|
| 69 | 69 | | delivery and regulatory system; 13 |
|---|
| 70 | 70 | | |
|---|
| 71 | 71 | | (3) Facilitate the public disclosure of medical claims data for the 14 |
|---|
| 72 | 72 | | development of public policy; 15 |
|---|
| 73 | 73 | | |
|---|
| 74 | 74 | | (4) Establish and develop a medical care database on health care services 16 |
|---|
| 75 | 75 | | rendered by health care practitioners; 17 |
|---|
| 76 | 76 | | |
|---|
| 77 | 77 | | (5) Encourage the development of clinical resource management systems 18 |
|---|
| 78 | 78 | | to permit the comparison of costs between various treatment settings and the availability 19 |
|---|
| 79 | 79 | | of information to consumers, providers, and purchasers of health care services; 20 |
|---|
| 80 | 80 | | |
|---|
| 81 | 81 | | (6) In accordance with Title 15, Subtitle 12 of the Insurance Article, 21 |
|---|
| 82 | 82 | | develop a uniform set of effective benefits to be included in the Comprehensive Standard 22 |
|---|
| 83 | 83 | | Health Benefit Plan; 23 |
|---|
| 84 | 84 | | |
|---|
| 85 | 85 | | (7) Analyze the medical care database and provide, in aggregate form, an 24 |
|---|
| 86 | 86 | | annual report on the variations in costs associated with health care practitioners; 25 |
|---|
| 87 | 87 | | |
|---|
| 88 | 88 | | (8) Ensure utilization of the medical care database as a primary means to 26 |
|---|
| 89 | 89 | | compile data and information and annually report on trends and variances regarding fees 27 |
|---|
| 90 | 90 | | for service, cost of care, regional and national comparisons, and indications of malpractice 28 |
|---|
| 91 | 91 | | situations; 29 |
|---|
| 92 | 92 | | |
|---|
| 93 | 93 | | (9) Establish standards for the operation and licensing of medical care 30 |
|---|
| 94 | 94 | | electronic claims clearinghouses in Maryland; 31 |
|---|
| 95 | 95 | | |
|---|
| 96 | 96 | | (10) Reduce the costs of claims submission and the administration of claims 32 |
|---|
| 97 | 97 | | for health care practitioners and payors; 33 HOUSE BILL 1123 3 |
|---|
| 98 | 98 | | |
|---|
| 99 | 99 | | |
|---|
| 100 | 100 | | |
|---|
| 101 | 101 | | (11) Determine the cost of mandated health insurance services in the State 1 |
|---|
| 102 | 102 | | in accordance with Title 15, Subtitle 15 of the Insurance Article; 2 |
|---|
| 103 | 103 | | |
|---|
| 104 | 104 | | (12) Promote the availability of information to consumers on charges by 3 |
|---|
| 105 | 105 | | practitioners and reimbursements from payors; 4 |
|---|
| 106 | 106 | | |
|---|
| 107 | 107 | | (13) Oversee and administer the Maryland Trauma Physician Services 5 |
|---|
| 108 | 108 | | Fund in conjunction with the Health Services Cost Review Commission; [and] 6 |
|---|
| 109 | 109 | | |
|---|
| 110 | 110 | | (14) Establish policies and standards to protect the confidentiality of patient 7 |
|---|
| 111 | 111 | | and health care practitioner information related to legally protected health care as defined 8 |
|---|
| 112 | 112 | | in § 4–301 of this article; AND 9 |
|---|
| 113 | 113 | | |
|---|
| 114 | 114 | | (15) ESTABLISH AND ENFORCE CYBERSECURIT Y STANDARDS AND 10 |
|---|
| 115 | 115 | | PRACTICES FOR HEALTH CARE FACILITIES . 11 |
|---|
| 116 | 116 | | |
|---|
| 117 | 117 | | (d) The Commission shall coordinate the exercise of its functions with the 12 |
|---|
| 118 | 118 | | Department and the Health Services Cost Review Commission to ensure an integrated, 13 |
|---|
| 119 | 119 | | effective health care policy for the State. 14 |
|---|
| 120 | 120 | | |
|---|
| 121 | 121 | | 19–113. 15 |
|---|
| 122 | 122 | | |
|---|
| 123 | 123 | | (A) IN THIS SECTION, “HOSPITAL” HAS THE MEANING STAT ED IN § 19–301 16 |
|---|
| 124 | 124 | | OF THIS TITLE. 17 |
|---|
| 125 | 125 | | |
|---|
| 126 | 126 | | (B) THE COMMISSION SHALL : 18 |
|---|
| 127 | 127 | | |
|---|
| 128 | 128 | | (1) ADOPT MINIMUM CYBERSE CURITY STANDARDS FOR HOSPITALS 19 |
|---|
| 129 | 129 | | THAT: 20 |
|---|
| 130 | 130 | | |
|---|
| 131 | 131 | | (I) PROTECT PRIVATE DATA , SUCH AS PATIENT AND EMPLOYEE 21 |
|---|
| 132 | 132 | | RECORDS, HELD BY THE HOSPITAL ; 22 |
|---|
| 133 | 133 | | |
|---|
| 134 | 134 | | (II) ENABLE A HOSPITAL TO MAINTAIN ROUTINE FUN CTIONS; 23 |
|---|
| 135 | 135 | | AND 24 |
|---|
| 136 | 136 | | |
|---|
| 137 | 137 | | (III) ARE CONSISTENT WITH T HE NATIONAL INSTITUTE OF 25 |
|---|
| 138 | 138 | | STANDARDS AND TECHNOLOGY AND CYBERSECURITY AND INFRASTRUCTURE 26 |
|---|
| 139 | 139 | | SECURITY AGENCY RECOMMENDATION S FOR HOSPITALS ; 27 |
|---|
| 140 | 140 | | |
|---|
| 141 | 141 | | (2) REVIEW AND REVISE THE STANDARDS SET UNDER ITEM (1) OF 28 |
|---|
| 142 | 142 | | THIS SUBSECTION ON A REGULAR BASIS ; 29 |
|---|
| 143 | 143 | | 4 HOUSE BILL 1123 |
|---|
| 144 | 144 | | |
|---|
| 145 | 145 | | |
|---|
| 146 | 146 | | (3) PARTICIPATE IN OPPORT UNITIES TO LEARN ABO UT HOSPITAL 1 |
|---|
| 147 | 147 | | CYBERSECURITY FROM E XPERT ENTITIES; 2 |
|---|
| 148 | 148 | | |
|---|
| 149 | 149 | | (4) LEARN FROM THE EXPERI ENCES OF GOVERNMENT AGENCIES IN 3 |
|---|
| 150 | 150 | | OTHER STATES THAT SE T MINIMUM CYBERSECUR ITY STANDARDS FOR HO SPITALS; 4 |
|---|
| 151 | 151 | | |
|---|
| 152 | 152 | | (5) PROVIDE FOR THIRD –PARTY ASSESSMENTS OF HOSPITALS FOR 5 |
|---|
| 153 | 153 | | COMPLIANCE WITH MINI MUM CYBERSECURITY ST ANDARDS; 6 |
|---|
| 154 | 154 | | |
|---|
| 155 | 155 | | (6) ON OR BEFORE JANUARY 1, 2026, AND EVERY 2 YEARS 7 |
|---|
| 156 | 156 | | THEREAFTER : 8 |
|---|
| 157 | 157 | | |
|---|
| 158 | 158 | | (I) COLLECT CERTIFICATION S OF A HOSPITAL’S COMPLIANCE 9 |
|---|
| 159 | 159 | | WITH THE MINIMUM CYB ERSECURITY STANDARDS ADOPTED UNDER ITEM (1) OF 10 |
|---|
| 160 | 160 | | THIS SUBSECTION ; AND 11 |
|---|
| 161 | 161 | | |
|---|
| 162 | 162 | | (II) SUBMIT A REPORT TO TH E STATE CHIEF INFORMATION 12 |
|---|
| 163 | 163 | | SECURITY OFFICER, OR THE OFFICER’S DESIGNEE; AND 13 |
|---|
| 164 | 164 | | |
|---|
| 165 | 165 | | (7) SUPPORT HOSPITALS THA T DO NOT MEET THE MI NIMUM 14 |
|---|
| 166 | 166 | | CYBERSECURITY STANDA RDS ADOPTED UNDER IT EM (1) OF THIS SUBSECTION T O 15 |
|---|
| 167 | 167 | | REMEDIATE VULNERABIL ITIES OR ADDRESS CYB ERSECURITY ASSESSMEN T 16 |
|---|
| 168 | 168 | | FINDINGS. 17 |
|---|
| 169 | 169 | | |
|---|
| 170 | 170 | | (C) EACH HOSPITAL SHALL : 18 |
|---|
| 171 | 171 | | |
|---|
| 172 | 172 | | (1) (I) COMPLY WITH THE CYBERSECURITY STANDA RDS ADOPTED 19 |
|---|
| 173 | 173 | | UNDER SUBSECTION (B)(1) OF THIS SECTION; AND 20 |
|---|
| 174 | 174 | | |
|---|
| 175 | 175 | | (II) SUBMIT A CERTIFICATIO N OF COMPLIANCE WITH THE 21 |
|---|
| 176 | 176 | | STANDARDS AS DIRECTE D BY THE COMMISSION; 22 |
|---|
| 177 | 177 | | |
|---|
| 178 | 178 | | (2) DESIGNATE A CHIEF INF ORMATION SECURITY OF FICER TO 23 |
|---|
| 179 | 179 | | OVERSEE COMPLIANCE W ITH THE REQUIREMENTS OF T HIS SECTION; 24 |
|---|
| 180 | 180 | | |
|---|
| 181 | 181 | | (3) IMMEDIATELY REPORT A CYBERSECURITY INCIDE NT TO THE 25 |
|---|
| 182 | 182 | | COMMISSION, RELEVANT LAW ENFORCE MENT AGENCIES , AND HOSPITAL 26 |
|---|
| 183 | 183 | | ADMINISTRATORS ; 27 |
|---|
| 184 | 184 | | |
|---|
| 185 | 185 | | (4) MAINTAIN A CYBERSECUR ITY INCIDENT RESPONS E PLAN AND 28 |
|---|
| 186 | 186 | | TEST THE PLAN AT LEA ST ANNUALL Y; AND 29 |
|---|
| 187 | 187 | | |
|---|
| 188 | 188 | | (5) MAINTAIN A MOBILE DEV ICE MANAGEMENT PROGR AM THAT: 30 HOUSE BILL 1123 5 |
|---|
| 189 | 189 | | |
|---|
| 190 | 190 | | |
|---|
| 191 | 191 | | |
|---|
| 192 | 192 | | (I) IS CONSISTENT WITH FE DERAL GUIDANCE ; 1 |
|---|
| 193 | 193 | | |
|---|
| 194 | 194 | | (II) INCLUDES AN ENTERPRIS E MOBILE PLATFORM ; AND 2 |
|---|
| 195 | 195 | | |
|---|
| 196 | 196 | | (III) INCLUDES A MOBILE THR EAT DEFENSE PROGRAM . 3 |
|---|
| 197 | 197 | | |
|---|
| 198 | 198 | | (D) THE SECRETARY SHALL CONSI DER THE STANDARDS ADOPTED UN DER 4 |
|---|
| 199 | 199 | | THIS SECTION WHEN IS SUING A LICENSE TO A HOSPITAL. 5 |
|---|
| 200 | 200 | | |
|---|
| 201 | 201 | | SECTION 2. AND BE IT FURTHER ENACTED, That it is the intent of the General 6 |
|---|
| 202 | 202 | | Assembly that the Maryland Health Care Commission work with the Cybersecurity and 7 |
|---|
| 203 | 203 | | Infrastructure Security Agency and the Office of Security Management to improve the 8 |
|---|
| 204 | 204 | | Commission’s capacity to implement the provisions of this Act. 9 |
|---|
| 205 | 205 | | |
|---|
| 206 | 206 | | SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect 10 |
|---|
| 207 | 207 | | October 1, 2024. 11 |
|---|
| 208 | 208 | | |
|---|