2024-08-14

Healthcare organizations are raising red flags over what they consider to be duplicate reporting requirements. Both the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) are concerned that the proposed rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) are effectively redundant versions of those already outlined by HIPAA.

The AHA and MGMA argue that since healthcare organizations are already responsible for reporting breaches under the HIPAA Breach Notification Rule, similar requirements under CIRCIA will add more work with no benefit. They are especially concerned about the enforcement mechanism under the rule: a covered entity that does not respond to a CISA request for information can be issued a subpoena, noncompliance with that subpoena can be referred to the Attorney General, who may bring a civil action to enforce it, and failure to comply with the resulting court order can be punished as contempt of court.

In a letter to CISA Director Jen Easterly, the AHA wrote: “The AHA acknowledges that the spread and impact of cyber crime require the federal government to take strong actions to protect American citizens; punishing victims is counterintuitive and counterproductive.”

From the perspective of both the AHA and MGMA, CIRCIA in its current form makes it harder for healthcare organizations to respond effectively when incidents occur. Instead of protecting patients and dealing with the immediate impact of an incident, organizations would have to divert attention to satisfying multiple, overlapping reporting requirements.