2022 Budget Bill Includes Mandatory Healthcare Cyber Incident Reporting

Tucker Arensberg, P.C.
Contact

Tucker Arensberg, P.C.

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), was passed as part of the consolidated Budget Act for 2022, which also included the telehealth provisions.

The definition of “covered entity” in the Act is far greater than covered entity as defined by HIPAA.  Covered entity as per CIRCIA includes all of the entities identified by presidential policy directives as “designated critical infrastructure sector” entities.

However, the recent Medicare Compliance Reporter indicates that this will require hospitals to report cyber breaches in 72 hours and ransom payments within 24 hours to DHS.

The legislation gives the Cybersecurity and Infrastructure Security Agency (CISA) at DHS 24 months to propose implementing regulations, which then must be finalized 18 months thereafter, so we are looking at a window of approximately 3 and a half years at this point.

Written by:

Tucker Arensberg, P.C.
Contact
more
less

Tucker Arensberg, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide