On January 13, 2017, the Centers for Medicare and Medicaid Services ("CMS") sent a Memorandum ("Memo") to State survey agency directors encouraging long-term care providers to "consider cybersecurity when developing or reviewing their emergency preparedness plans." The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: "Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers." Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans for missing residents that could be activated regardless of whether the facility had activated its full-scale emergency plan. According to CMS, the rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic.

Whether State surveyors will actually treat the absence of a cybersecurity plan in a facility's emergency preparedness as a violation remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back-up plan as part of a facility's emergency preparedness going forward.

It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights ("OCR"), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to a record $23.51 million collected by OCR enforcers from health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, which was followed by $6.19 million in payouts in 2015.

Now more than ever, HIPAA compliance and preparedness for cybersecurity threats are warranted in the post-acute care