[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2363 Introduced in House (IH)]

<DOC>






119th CONGRESS
  1st Session
                                H. R. 2363

To prohibit the authorization of certain individuals to access certain 
    systems containing individually identifiable health information.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 26, 2025

   Ms. DeGette (for herself, Mr. Goldman of New York, Mr. Carter of 
  Louisiana, Ms. Pressley, and Ms. Sanchez) introduced the following 
    bill; which was referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
To prohibit the authorization of certain individuals to access certain 
    systems containing individually identifiable health information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Of Government health Entities 
must be Protected from Overreach by Unelected Nonsecure Disruption Act 
of 2025'' or the ``DOGE POUND Act of 2025''.

SEC. 2. PROHIBITING THE AUTHORIZATION OF CERTAIN INDIVIDUALS TO ACCESS 
              CERTAIN SYSTEMS CONTAINING INDIVIDUALLY IDENTIFIABLE 
              HEALTH INFORMATION.

    (a) In General.--Notwithstanding any other provision of law, no 
individual may be authorized to use, exercise administrative control 
over, or otherwise access any specified system (as defined in 
subsection (d)), or any data from any such system, unless--
            (1) such individual is an officer, employee, or contractor 
        of the Department of Health and Human Services who--
                    (A) was otherwise eligible to access such system or 
                data prior to January 20, 2025; and
                    (B) continued to be otherwise eligible to access 
                such system or data between January 20, 2025, and the 
                date of access to such system or data; or
            (2) in the case of an individual not described in paragraph 
        (1)--
                    (A) such individual holds a security clearance at 
                the appropriate level with respect to such system or 
                data and such clearance was granted pursuant to the 
                procedures established under section 801 of the 
                National Security Act of 1947 (50 U.S.C. 3161);
                    (B) such individual's access to such system or 
                data, or use thereof, does not constitute a violation 
                of section 208 of title 18, United States Code 
                (determined after the application of subsection (b));
                    (C) such individual is not a special Government 
                employee (as defined in section 202 of title 18, United 
                States Code);
                    (D) such individual's current continuous service in 
                the civil service (as that term is defined in section 
                2101 of title 5, United States Code) as of the date of 
                such access is for a period of at least 1 year;
                    (E) such individual has completed any required 
                training or compliance procedures with respect to 
                privacy laws and cybersecurity and national security 
                regulations and best practices; and
                    (F) such individual has signed a written ethics 
                agreement with either the Department of Health and 
                Human Services or the Office of Government Ethics.
    (b) Application of Penalties.--
            (1) In general.--Whoever knowingly--
                    (A) uses, exercises administrative control over, or 
                otherwise accesses any system or data described in 
                subsection (a) in violation of such subsection, or
                    (B) authorizes the use, exercise of administrative 
                control over, or other access to any system or data 
                described in subsection (a) in violation of such 
                subsection,
        shall be imprisoned not more than 5 years or fined under title 
        18, United States Code, or both.
            (2) Statute of limitations.--Notwithstanding section 3282 
        of title 18, United States Code, no person shall be prosecuted, 
        tried, or punished for any offense under this subsection unless 
        the indictment is found or the information is instituted not 
        later than 10 years after the date on which the offense was 
        committed.
    (c) Reports on Unauthorized Use.--The Inspector General of the 
Department of Health and Human Services shall investigate, and submit a 
report to Congress on such investigation, each instance of unauthorized 
use or other access of any specified system. Any such report shall be 
submitted not later than 30 days after any such instance and shall 
include--
            (1) a detailed description of the unauthorized use or 
        access, including any actions the individual carried out;
            (2) a risk assessment of any threat to privacy, national 
        security, cybersecurity, or the integrity of the applicable 
        system as a result of such unauthorized use or access; and
            (3) a detailed description of any stopped payments during 
        the unauthorized use or access.
    (d) Specified System.--For purposes of this section, the term 
``specified system'' means any system maintained by the Department of 
Health and Human Services that contains individually identifiable 
health information (as defined in section 1171(6) of the Social 
Security Act (42 U.S.C. 1320d(6))).
                                 <all>