Bill in Senate would accelerate payments to physicians, hospitals in major health care computer attacks

Change Healthcare hack prompts potential changes for Medicare payments.

The computer attack against Change Healthcare has prompted new federal legislation that aims to help physicians and hospitals maintain cash flow during future cyber incidents.

Doctors and hospitals and their vendors would need to meet minimum requirements for cybersecurity to qualify for advance and accelerated payments in future cyberattacks, according to the bill known as the “Health Care Cybersecurity Improvement Act of 2024.” Sen. Mark Warner (D-Virginia) announced the legislation on March 22, 2024.

“I’ve been sounding the alarm about cybersecurity in the health care sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” Warner said in the announcement. “The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

Sen. Mark R. Warner 
D-Virginia

At times, physicians, hospitals and other health care providers “can face cash flow challenges due to specified circumstances beyond their control,” Warner’s announcement said. Another recent example was the COVID-19 pandemic.

Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in the Medicare Part A and Part B programs through Accelerated and Advance Payment (AAP) programs. The health care providers and suppliers of durable medical equipment “receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims,” according to Warner’s office.

The “Health Care Cybersecurity Improvement Act of 2024” would modify the existing accelerated and advance payment programs by:

  • Requiring the secretary of the U.S. Department of Health and Human Services (HHS) to determine if the need for payments results from a cyber incident.
  • If it does, requiring the health care provider receiving the payment to meet minimum cybersecurity standards.
  • If a provider’s intermediary was the target of the incident, requiring the intermediary to also meet minimum cybersecurity standards for the provider to receive the payments.

The HHS secretary would determine the minimum standards for cybersecurity.

The new legislation would go into effect two years from the date of passage, so it would not necessarily provide immediate relief for physicians, other clinicians and hospitals affected by the Change Healthcare hack.

Warner is a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus.

He published the policy options paper “Cybersecurity Is Patient Safety: Policy Options in the Health Care Sector” in November 2022. Since then, he has launched the Health Care Cybersecurity Working Group, a bipartisan group examining ways to bolster cybersecurity in health care and public health.
