
Cyberbreach notifications become law

Congress passed the omnibus spending bill, which includes expanding coverage of telehealth services under the Centers for Medicare and Medicaid Services—a big win for telehealth companies. The provision does a few things. First, it extends coverage for certain telehealth services under Medicare and Medicaid for 151 days after the pandemic-era public health emergency comes to an end in April. Second, it adds audiology, occupational therapy, physical therapy, and speech pathology to its list of reimbursable telehealth services. Third, over the next year, the Medicare Payment Advisory Commission, an independent federal body that advises Congress on Medicare policy, is charged with studying the use and impact of telehealth services on patients with an eye to whether it diminishes the quality of care.

The spending bill also, as noted previously, includes mandatory cyber incident reporting rules for critical infrastructure operators. CISA is up next to determine the specific rules here, as the legislation gives the agency up to 24 months to publish a notice of proposed rulemaking to implement the program. The President signed the bill into law on Tuesday. Senator Mark Warner of Virginia highlighted provisions in the law to grant companies immunity and stressed that the law was about going after threat actors, not holding the company accountable.

The SEC is considering a proposal to require public companies to report data breaches and other cybersecurity incidents within four days of discovery. Per newly proposed amendments to existing rules, listed companies would have to provide periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks. The amended rules would also instruct companies to update previously reported security breaches.

There’s also much activity now at the state level on privacy bills, per coverage in Axios. While technology companies would prefer a federal law, with no movement on one, those companies are lobbying at the state level to prevent stricter laws like California’s. Utah passed a bill that is now awaiting the governor’s signature, which would make it the fourth state after Colorado, Virginia, and California. Iowa, Tennessee, and Maryland are considering such bills. The question: how tough will they be?

Why do we care?

Why the telehealth note? Because that’s all technology implementation, and it’s now more widely covered. That’s an opportunity.

The cybersecurity disclosure laws were both inevitable and accelerated. Listeners could see this train coming in the extensive coverage over the years… and the war in Ukraine just accelerated it. Just weeks ago, this was left out… and how quickly events change.

I’m with the companies on the desire for a federal one on privacy. I don’t anticipate it… and instead, we’ll get this patchwork, and across the US, I suspect two types based on political party. Although the complexity can fuel both lawyers and IT companies, that doesn’t seem like an excellent solution for the consumer.