Congress Passes HHS Funding Increase, Expands Telehealth, Sets Cybersecurity Reporting Requirements

Stephanie Kennan
McGuireWoods Consulting
Contact
LinkedIn
Facebook
X
Send
Embed

Last week, Congress passed an appropriations package for the rest of fiscal year 2022. While the package increases funding for the Department of Health and Human Services (HHS) by 12 percent, it also contains important provisions related to telehealth and cybersecurity.

The legislation includes provisions to extend and expand telehealth flexibilities for 151 days after the end of the COVID-19 public health emergency. These include:

  • expanding originating site to include any site at which the patient is located, including the patient’s home;
  • expanding eligible practitioners to furnish telehealth services to include occupational therapist, physical therapist, speech-language pathologist and audiologist;
  • extending the ability for federally qualified health centers (FQHCs) and rural health clinics (RHCs) to furnish telehealth services;
  • delaying the six month in-person requirement for mental health services furnished through telehealth until 152 days after the emergency, including the in-person requirements for FQHCs and RHCs;
  • extending coverage and payment for audio-only telehealth services;
  • extending the ability to use telehealth services to meet the face-to-face recertification requirement for hospice care; and
  • requiring the Medicare Payment Advisory Commission to conduct a study on the expansion of telehealth services and require the Department of Health and Human Services (HHS) Secretary to publicly post data with respect to telemedicine utilization.

The only major legislative provision not included on a temporary basis were provisions allowing critical access hospitals (CAHs) to serve as a distant site provider for telehealth and offer services in the same manner as they do for in-person care. Without this flexibility, there is concern that CAHs will not offer telehealth at the end of the public health emergency.

Cybersecurity Reporting Requirements

The legislation also requires critical infrastructure sectors, including hospitals and health systems, to report cyber incidents within 72 hours, and any ransomware payments made within 24 hours to the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.

Currently, hospitals and health systems are required to report cyber breaches affecting more than 500 people to the Office of Civil Rights at HHS “without unreasonable delay” and “no later than 60 calendar days from the breach.” More time is provided for reporting incidents affecting less than 500 people. The legislation would allow for some exemptions for certain entities that already report similar information on a similar timeline.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods Consulting | Attorney Advertising

Written by:

McGuireWoods Consulting
McGuireWoods Consulting
Contact
more
less

McGuireWoods Consulting on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide