Connecticut Lawmakers Pass Bill to Improve Preparedness for Cyberattacks and Safety for Home Health Care Workers
On May 6, 2024, lawmakers in Connecticut passed a bill that improves protections for home care workers and requires healthcare facilities to demonstrate they have a plan for responding to cyberattacks. The House passed the bill with a vote of 112-37 and it now awaits Governor Ned Lamont’s signature.
The home healthcare worker provisions of the bill were prompted by the attempted sexual assault and murder of visiting nurse Joyce Grayson, who was killed by a convicted sex offender in October 2023 while she was working at a halfway house in Willimantic. The bill requires home health agencies to collect information on clients, such as if they have a history of violence against healthcare workers, domestic abuse, and substance use, as well as information on their psychiatric history, if there are weapons or safety hazards in their homes and the crime rate in the area where they live. That information must be made available to any employee assigned to clients, but healthcare agencies are not permitted to deny services to clients based on the information collected.
The bill also requires home health agencies to perform monthly safety assessments with direct care staff and develop and implement a health and safety training curriculum for home healthcare workers. Home healthcare agencies will be required to provide evidence that training has been implemented in order to continue receiving Medicaid reimbursements. The bill also requires home health agencies to report verbal threats and abuse by clients to the state and the Public Health Department must submit annual reports to the Public Health Committee on the number of incidents that occurred, and the steps taken to ensure the safety of home health workers.
The cybersecurity provisions of the bill were prompted by a cyberattack on Prospect Medical Holdings, which affected three Connecticut hospitals, Rockville General, Manchester Memorial, and Waterbury Hospital, and medical offices associated with the hospitals. The cyberattack occurred in August 2023 and caused disruption to services for more than 40 days and resulted in emergency rooms being placed on divert and more than half of elective procedures being canceled. The bill requires healthcare facilities to annually submit plans for responding to a cyberattack from January 1, 2025, to an independent auditor, who will assess whether the plans are adequate and will suggest areas for improvement. The plans will also be made available to the Public Health Department for inspection.
The bill implements several other changes including new rules regarding the statewide health information exchange. Providers will be prohibited from connecting to the network if they have no patient medical records or are licensed in the state and are exclusively practicing as employees of a HIPAA-covered entity if the covered entity is legally responsible for decisions on the safeguarding or release of health information.
