New cyber legislation would provide advance payments to providers facing hacks

March 25, 2024 - Senator Mark Warner (D-VA) has introduced the Health Care Cybersecurity Improvement Act of 2024, which would allow for advance and accelerated payments to providers in the event of a cybersecurity incident, so long as they meet minimum cybersecurity standards. The new legislation arrives as the sector continues to rebuild in the wake of the Change Healthcare cyberattack, which has impacted providers nationwide.

Specifically, the legislation seeks to modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program. CMS manages both programs and has provided temporary financial relief to participants in the past via its Accelerated and Advance Payment (AAP) programs.

These programs proved useful during the COVID-19 pandemic, for example, when providers faced significant cash flow challenges. Through the AAP programs, providers were able to receive advance payments that the government could later recuperate by withholding payment for subsequent claims. The Change Healthcare cyberattack has similarly caused cash flow problems for providers, necessitating government intervention.

Warner’s legislation proposes modifying these programs by requiring the HHS secretary to determine if the need for accelerated payments results from a cyber incident. If that is the case, the legislation would require the provider receiving the payment to meet minimum cyber standards to be eligible for payment. If the cyber incident originated from a vendor, that vendor must also meet minimum cybersecurity standards in order for the provider to receive payments.

The bill did not delve into the details of what the minimum cybersecurity standards would entail but noted that these standards would be determined by the HHS secretary.

For Warner, who serves as co-chair of the Senate Cybersecurity Caucus and has previously spoken up about healthcare cybersecurity challenges, the Change Healthcare cyber incident exposed troubling trends.

“I’ve been sounding the alarm about cybersecurity in the [healthcare] sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” Warner said in a press release accompanying the bill.

“The recent hack of Change Healthcare is a reminder that the entire [healthcare] industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.” 

If passed, the provisions of the Health Care Cybersecurity Improvement Act of 2024 will go into effect two years after the legislation is enacted.