HB912 would amend title V of the Public Health Service Act to secure the national suicide prevention lifeline from cybersecurity threats by adding explicit protections and accountability. The bill establishes a cybersecurity reporting regime requiring vulnerability and incident notifications from the Lifeline’s network administrator and local crisis centers, with privacy protections that align to federal and state law.
It also directs a Comptroller General study to evaluate cybersecurity risks to the Lifeline and report findings to Congress. Taken together, the provisions aim to raise the Lifeline’s resilience against cyber incidents while preserving caller privacy and operational continuity.
At a Glance
What It Does
Adds a new cybersecurity protection mandate for the Lifeline and creates a formal reporting regime for vulnerabilities and incidents. It also requires a GAO study to assess ongoing risks.
Who It Affects
The Lifeline network administrator, local and regional crisis centers, and federal oversight bodies; privacy protections apply to all reporting.
Why It Matters
Establishes a clear security baseline for a critical public health resource and creates accountability channels to detect and respond to cyber threats quickly.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill makes four main moves. First, it adds a new requirement to protect the 9-8-8 suicide prevention lifeline from cybersecurity threats by requiring steps to eliminate known vulnerabilities.
This is a structural upgrade to the lifeline’s security posture. Second, it creates a formal cybersecurity reporting regime.
The Lifeline’s network administrator and local crisis centers must report identified vulnerabilities and incidents to the Assistant Secretary, while respecting privacy laws. Third, it clarifies oversight responsibilities between local crisis centers and the network administrator, preserving local control where appropriate but enabling centralized oversight where agreements require it, and it states that these cyber reporting requirements supplement rather than replace existing federal obligations.
Finally, the bill requires a GAO study within 180 days of enactment to evaluate cybersecurity risks to the lifeline and to report back to Congress. Taken together, these provisions aim to improve resilience without compromising caller privacy or imposing duplicative requirements on providers.
The Five Things You Need to Know
The bill adds a formal security requirement to protect the Lifeline from cybersecurity incidents.
A new reporting regime requires vulnerabilities and incidents to be reported to the Assistant Secretary by network administrators and crisis centers.
Reporting must protect personal privacy and align with federal and state privacy laws.
Oversight can be exercised by local crisis centers or the network administrator depending on network participation agreements.
A GAO study must assess Lifeline cybersecurity risks and report findings to Congress within 180 days.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Cybersecurity protections for the Lifeline program
Section 2(a) adds a new safeguard to Section 520E-3(b) of the Public Health Service Act, requiring steps as may be necessary to ensure the Lifeline is protected from cybersecurity incidents and that vulnerabilities are addressed. This creates a formal security obligation for the program and its infrastructure.
Cybersecurity reporting regime
Section 2(b) reorganizes and expands reporting requirements. It designates a network administrator funded under the Act to report vulnerabilities and incidents to the Assistant Secretary, with privacy protections, and requires local and regional crisis centers participating in the Lifeline program to report similarly. The reporting must occur within reasonable timeframes after identification.
Oversight and supplement not supplant
Section 2(c) clarifies oversight: local crisis centers oversee the technology they use unless network participation agreements assign oversight to the Lifeline network administrator. It also states that the cybersecurity reporting requirements supplement, not replace, other Federal cybersecurity obligations that apply on enactment.
GAO study on Lifeline cybersecurity
Section 2(d) requires the Comptroller General to conduct a study within 180 days to evaluate cybersecurity risks and vulnerabilities associated with the Lifeline and to report findings to relevant Senate and House committees.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- The Lifeline network administrator (and the agency’s program staff) gains clearer security governance and oversight.
- Local and regional crisis centers participating in the Lifeline program benefit from standardized reporting and improved incident handling.
- Individuals who rely on the Lifeline gain reduced exposure to service interruptions and better privacy protections.
- Public health agencies coordinating mental health crisis response gain better data on cybersecurity risks and can respond more effectively.
- Cybersecurity professionals embedded in Lifeline operations gain clearer obligations and performance benchmarks.
Who Bears the Cost
- Local and regional crisis centers must implement reporting processes and cybersecurity improvements, incurring personnel and IT costs.
- The Lifeline network administrator bears the cost of expanded oversight, reporting systems, and potential additional compliance requirements.
- Health care and crisis response providers may need to align with privacy protections and reporting protocols, increasing administrative workload.
- Federal and state privacy compliance costs may rise as more data handling and breach-notification duties are formalized.
Key Issues
The Core Tension
The central dilemma is balancing the urgency of promptly reporting cybersecurity vulnerabilities with protecting caller privacy and avoiding administrative burdens that could slow Lifeline operations or constrain local crisis centers' ability to function effectively.
The bill’s cybersecurity requirements introduce tensions between the need for rapid vulnerability disclosure and the protection of personal privacy. While reporting is essential for risk management, the law must be reconciled with existing privacy rules and data-collection practices across jurisdictions.
There is potential for duplication with other federal cybersecurity obligations, and the language leaves some implementation details to be worked out in network participation agreements, creating variability across crisis centers. The absence of explicit funding language could influence how quickly centers can upgrade systems and adopt reporting processes.
Core to the bill’s design is a choice between centralized oversight and local control. Which entities oversee technology and reporting may shift based on network participation agreements, potentially creating uneven security postures across the Lifeline network.
The act also relies on the Comptroller General’s study to identify risks and propose fixes, but it does not pre-commit to additional funding or specific remediation timelines, leaving questions about near-term governance and resource allocation.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.