25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Legislation Introduced to Provide Advance Payments to Providers Affected by Cyberattacks

Posted By on Mar 26, 2024

This week, Senator Mark R. Warner (D-VA) introduced new legislation that will allow for advance and accelerated payments to healthcare providers in the event of a cyberattack. The new legislation was introduced in response to the recent ransomware attack on Change Healthcare, which caused an outage that lasted for more than 4 weeks. The outage prevented physicians and hospitals from processing claims, billing patients, and checking insurance coverage for care, and the reimbursement delays have left many healthcare providers struggling to pay workers and buy supplies, with some placed at risk of becoming financially insolvent.

Given the increase in cyberattacks on the healthcare sector in recent years, a major attack that caused massive nationwide disruption to healthcare was an inevitability, and there will likely be other highly damaging healthcare cyberattacks in the future. The Health Care Cybersecurity Improvements Act of 2024 will help to ensure that in the event of another attack, healthcare providers will not face such challenging financial problems.

Sen. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, has been sounding the alarm about healthcare cybersecurity for some time. In 2022, he published a white paper that framed cybersecurity as a patient safety issue. The Change Healthcare ransomware attack demonstrated how a cyberattack can prevent patients from receiving timely care and essential medications. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

The Health Care Cybersecurity Improvements Act of 2024 will allow for advance and accelerated payments to healthcare providers in the event of a cyber incident; however, they would only qualify if they and their vendors meet minimum cybersecurity standards. In the press release announcing the new legislation, Sen. Warner did not mention what those minimum cybersecurity standards are, as that will be left to the HHS Secretary to determine.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Currently, in certain situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can experience cash flow difficulties due to specific circumstances that are beyond their control, as happened following the Change Healthcare ransomware attack. The Centers for Medicare and Medicaid Services (CMS) has provided temporary financial relief to Medicare Part A providers and Part B suppliers through Accelerated and Advance Payment (AAP) programs, which provide advance payments from the federal government, which are later recovered by withholding payments for later claims.

The Health Care Cybersecurity Improvements Act of 2024 will modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program. If the legislation is passed, the HHS Secretary will determine if the need for payment results from a cyber incident, and if it does, the healthcare provider requiring the payment must meet minimum cybersecurity standards, which will be determined by the Secretary. For instance, a healthcare provider may be required to implement the essential cybersecurity performance goals recently announced by the HHS. If the provider has implemented those minimum cybersecurity measures and the provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards in order for the provider to receive the payments.

If passed, the act would take effect two years from the date of enactment, which will give healthcare organizations sufficient time to ensure they comply with the cybersecurity requirements set by the HHS Secretary.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist