Prohibiting the authorization of certain individuals to access certain systems containing individually identifiable health information

(a)

In general

Notwithstanding any other provision of law, no individual may be authorized to use, exercise administrative control over, or otherwise access any specified system (as defined in subsection (d)), or any data from any such system, unless—(1)such individual is an officer, employee, or contractor of the Department of Health and Human Services who—(A)was otherwise eligible to access such system or data prior to January 20, 2025; and(B)continued to be otherwise eligible to access such system or data between January 20, 2025, and the date of access to such system or data; or(2)in the case of an individual not described in paragraph (1)—(A)such individual holds a security clearance at the appropriate level with respect to such system or data and such clearance was granted pursuant to the procedures established under section 801 of the National Security Act of 1947 (50 U.S.C. 3161);(B)such individual’s access to such system or data, or use thereof, does not constitute a violation of section 208 of title 18, United States Code (determined after the application of subsection (b));(C)such individual is not a special Government employee (as defined in section 202 of title 18, United States Code); (D)such individual’s current continuous service in the civil service (as that term is defined in section 2101 of title 5, United States Code) as of the date of such access is for a period of at least 1 year; (E)such individual has completed any required training or compliance procedures with respect to privacy laws and cybersecurity and national security regulations and best practices; and(F)such individual has signed a written ethics agreement with either the Department of Health and Human Services or the Office of Government Ethics.(b)

Application of penalties

(1)

In general

Whoever knowingly—(A)uses, exercises administrative control over, or otherwise accesses any system or data described in subsection (a) in violation of such subsection, or(B)authorizes the use, exercise of administrative control over, or other access to any system or data described in subsection (a) in violation of such subsection,

shall be imprisoned not more than 5 years or fined under title 18, United States Code, or both.

(2)

Statute of limitations

Notwithstanding section 3282 of title 18, United States Code, no person shall be prosecuted, tried, or punished for any offense under this subsection unless the indictment is found or the information is instituted not later than 10 years after the date on which the offense was committed.(c)

Reports on unauthorized use

The Inspector General of the Department of Health and Human Services shall investigate, and submit a report to Congress on such investigation, each instance of unauthorized use or other access of any specified system. Any such report shall be submitted not later than 30 days after any such instance and shall include—(1)a detailed description of the unauthorized use or access, including any actions the individual carried out; (2)a risk assessment of any threat to privacy, national security, cybersecurity, or the integrity of the applicable system as a result of such unauthorized use or access; and(3)a detailed description of any stopped payments during the unauthorized use or access.(d)

Specified system

For purposes of this section, the term specified system means any system maintained by the Department of Health and Human Services that contains individually identifiable health information (as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6))).