
Code · BILL · 118th Congress · S. 5218 (Introduced in Senate) — To amend titles XI and XVIII of the Social Security Act to strengthen, increase oversight of, and compliance with, se... · Sec. 201

Sec. 201. Medicare safe cybersecurity practices adoption program for eligible hospitals and critical access hospitals


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Section 1886 of the Social Security Act ( 42 U.S.C. 1395ww ) is amended by adding at the end the following new subsection: For fiscal years 2027 and 2028, upon request, a critical access hospital or an eligible high-needs hospital shall be paid from the Federal Hospital Insurance Trust Fund established under section 1817 a proportional share (as determined by the Secretary) of $800,000,000 to adopt essential cybersecurity practices. For fiscal years 2029 and 2030, upon request, a critical access hospital or an eligible hospital shall be paid from the Federal Hospital Insurance Trust Fund established under section 1817 a proportional share (as determined by the Secretary) of $500,000,000 to adopt enhanced cybersecurity practices.
A payment under this subsection may be in the form of a single consolidated payment or in the form of such periodic installments as the Secretary may specify. Beginning in fiscal year 2029 for an eligible hospital, and in calendar year 2029 for a critical access hospital, such hospital or critical access hospital shall be treated as an adopter of essential cybersecurity practices for a payment year if such hospital or critical access hospital submits information to the Secretary, in a form and manner specified by the Secretary, and in addition to the information required by subsection (n)(3)(A)(iii), attesting to implementation of essential cybersecurity practices selected by the Secretary for the EHR reporting period with respect to such year.
Beginning in fiscal year 2030 for an eligible hospital, and in calendar year 2030 for a critical access hospital, such hospital or critical access hospital shall be treated as an adopter of enhanced cybersecurity practices for a payment year if such hospital or critical access hospital submits information to the Secretary, in a form and manner specified by the Secretary, and in addition to the information required by subsection (n)(3)(A)(iii), attesting to implementation of enhanced cybersecurity practices selected by the Secretary during the EHR reporting period with respect to such year.
Beginning in fiscal year 2027, the Secretary shall, through notice and comment rulemaking, identify essential cybersecurity practices for an EHR reporting period that address known vulnerabilities to data infrastructure and patient health information and ensure patient safety and continuity of patient care. Beginning in fiscal year 2028, the Secretary shall, through notice and comment rulemaking, identify enhanced cybersecurity practices for an EHR reporting period that address the safe use of digital data, safety and continuity of patient care, advance cybersecurity resilience across the hospital sector, address high-risk cybersecurity vulnerabilities (as determined by the Secretary), and ensure patient safety and continuity of care.
The Secretary may update essential and enhanced cybersecurity practices required under this subsection through notice and comment rulemaking as needed to reflect evolving cybersecurity practices.
There shall be no administrative or judicial review under section 1869, section 1878, or otherwise, of— the methodology and standards for determining payment amounts under this subsection and payment adjustments under subsection (b)(3)(B)(xiii) and section 1814(l)(6)(A); the methodology and standards for determining whether an eligible hospital is an essential or enhanced cybersecurity practices adopter under paragraph (2) and the Secretary’s determination of whether or not to apply the hardship exception to an eligible hospital under subsection (b)(3)(B)(xiii)(III); or any alteration by the Secretary of the requirements specified in paragraph (2).
The Secretary shall post on the Internet website of the Centers for Medicare & Medicaid Services, in an easily understandable format, the number by State of eligible hospitals and critical access hospitals that are not essential or enhanced cybersecurity adopters as applicable for a year.
For purposes of this subsection: The term EHR reporting period means the period determined by the Secretary under subsection (n)(6)(A). The term eligible high-needs hospital means an eligible hospital that— is a subsection (d) Puerto Rico hospital (as defined in subsection (d)(9)(A)); is operated by the Indian Health Service or by an Indian tribe or tribal organization (as those terms are defined in section 4 of the Indian Health Care Improvement Act); has a disproportionate percentage of Medicare beneficiaries who are dually eligible for benefits under this title and title XIX across all subsection (d) hospitals in the baseline period (as specified by the Secretary) of at least 75 percent; has a disproportionate percentage of Medicare beneficiaries who are subsidy eligible individuals (as defined in section 1860D–14(a)(3)) across all subsection (d) hospitals in the baseline period (as specified by the Secretary) of at least 75 percent (as determined by the Secretary under subsection (d)(5)(F)(vi)); is located in a rural area (as defined in subsection (d)(2)(D)); is classified as a rural referral center under subsection (d)(5)(C); is a sole community hospital (as defined in subsection (d)(5)(D)(iii)); is a low-volume hospital (as defined in subsection (d)(12)(C)(i)); or is a medicare-dependent, small rural hospital (as defined in subsection (d)(5)(G)). The term eligible hospital has the meaning given that term in subsection (n)(6)(B). The term enhanced cybersecurity practices means enhanced security requirements adopted under section 1173(d)(1)(B)(i)(II) and such additional practices as the Secretary may select for a year that are greater than essential cybersecurity practices. The term essential cybersecurity practices means the minimum security requirements adopted under section 1173(d)(1)(B)(i)(I) and such additional practices as the Secretary may select for a year.
Section 1886(b)(3)(B) of the Social Security Act ( 42 U.S.C. 1395ww(b)(3)(B) ) is amended by adding at the end the following new clause: For purposes of clause (i)— for fiscal year 2029, in the case of an eligible hospital that is not an adopter of the essential cybersecurity practices for a payment year (as determined under subsection (u)(2)(A)) for an EHR reporting period for such year, the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 0.25 percentage point; for fiscal year 2030, in the case of an eligible hospital that is not an adopter of the essential cybersecurity practices for a payment year (as determined under subsection (u)(2)(A)) for an EHR reporting period for such year— the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 0.50 percentage point; and the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 0.25 percent; for fiscal year 2031, in the case of an eligible hospital that is not an adopter of the enhanced cybersecurity practices for a payment year (as determined under subsection (u)(2)(B)) for an EHR reporting period for such fiscal year— the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 0.75 percentage point; and the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 0.50 percent; for fiscal year 2032, in the case of an eligible hospital that is not an adopter of the enhanced cybersecurity practices for a payment year (as determined under subsection (u)(2)(B)) for an EHR reporting period for such fiscal year— the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 1.0 percentage point; and the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 0.75 percent; and for fiscal year 2033 and each subsequent fiscal year, in the case of an eligible hospital that is not an adopter of the enhanced cybersecurity practices for a payment year (as determined under subsection (u)(2)(B)) for an EHR reporting period for such fiscal year— the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 1.0 percentage point; and the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 1.0 percent.
A reduction under subclause (I) shall apply only with respect to the fiscal year involved, and the Secretary shall not take into account such reduction in making payments to a hospital under this section in a subsequent fiscal year.
The Secretary may, on a case-by-case basis, except an eligible hospital from the application of subclause (I) with respect to a fiscal year if the Secretary determines, subject to annual renewal, that requiring such hospital to be an essential or enhanced cybersecurity practices adopter during such fiscal year would result in a significant hardship, such as in the case of a natural disaster, a bankruptcy, limited internet connectivity, an incident (as defined in section 2200 of the Homeland Security Act of 2002) that significantly disrupts medicare claims processing, or any other similar situation that the Secretary determines interfered with the ability of the eligible hospital to meet the requirements. An eligible hospital may not be granted an exemption under this subclause for more than 5 years, except in cases where the Secretary determines such hospital has experienced an incident (as so defined) that significantly disrupts medicare claims processing. The Secretary shall establish an exception process and post an application for an exception on the Internet website of the Centers for Medicare & Medicaid Services. Such process shall require that the application be submitted to the Secretary by not later than 6 months after the conclusion of the EHR reporting period for the relevant year.
In the case of a State for which the Secretary has waived all or part of this section under the authority of section 1115A, nothing in this section shall preclude such State from implementing an adjustment similar to the adjustment under subclause (I). In this clause, the term eligible hospital has the meaning given such term in subsection (u)(4).
Section 1814(l) of the Social Security Act ( 42 U.S.C. 1395f(l) ) is amended— by redesignating paragraph (5) as paragraph (6); by inserting after paragraph (4) the following new paragraph: Subject to subparagraphs (B) and (C), for cost reporting periods beginning in— fiscal year 2029, in the case of a critical access hospital that is not an essential cybersecurity practices adopter (as determined under section 1886(u)(3)(A)) for an EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 0.25 percent; fiscal year 2030, in the case of a critical access hospital that is not an essential cybersecurity practices adopter (as determined under section 1886(u)(3)(A)) for an EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 0.50 percent; fiscal year 2031, in the case of a critical access hospital that is not an enhanced cybersecurity practices adopter (as determined under section 1886(u)(3)(B)) for a EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 0.75 percent; and fiscal year 2032 or a subsequent fiscal year, in the case of a critical access hospital that is not an enhanced cybersecurity practices adopter (as determined under section 1886(u)(3)(B)) for a EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 1 percent. The percent described in paragraph (1) shall be reduced by no more than a total of 1 percent for a fiscal year as the result of the application of this paragraph and other sections of this title. The provisions of subclause (III) of section 1886(b)(3)(B)(xiii) shall apply with respect to subparagraph (A) for a critical access hospital with respect to a cost reporting period in the same manner as such subclause applies with respect to subclause (I) of such section for an eligible hospital.
and in paragraph (6), as redesignated by subparagraph (A)— in subparagraph (C), by striking "and" at the end; in subparagraph (D), by striking the period at the end and inserting "; and"; and by adding at the end the following new subparagraphs: the methodology and standards for determining payment amounts for critical access hospitals under section 1886(u) and payment adjustments under paragraph (5); the methodology and standards for determining whether a critical access hospital is an essential or enhanced cybersecurity practices adopter under section 1886(u)(2) and the Secretary’s determination of whether or not to apply the hardship exception under subsection (b)(3)(B)(xiii)(III) to a critical access hospital pursuant to paragraph (5)(C); or any alteration by the Secretary of the requirements specified in section 1886(u)(2) with respect to a critical access hospital.
In addition to any amounts otherwise made available, there is appropriated to the Centers for Medicare & Medicaid Services Program Management Account from the Federal Hospital Insurance Trust Fund under section 1817 of the Social Security Act ( 42 U.S.C. 1395i ), $40,000,000 for fiscal year 2025 and $15,000,000 for each of fiscal years 2027 through 2031, to remain available until expended, to carry out the amendments made by this section.