The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), was passed as part of the consolidated Budget Act for 2022, which also included the telehealth provisions I posted about last week.

The definition of “covered entity” in the Act is far greater than covered entity as defined by HIPAA.  Covered entity as per CIRCIA includes all of the entities identified by presidential policy directives as “designated critical infrastructure sector” entities.

However, the recent Medicare Compliance Reporter indicates that this will require hospitals to report cyber breaches in 72 hours and ransom payments within 24 hours to DHS.

The legislation gives the Cybersecurity and Infrastructure Security Agency (CISA) at DHS 24 months to propose implementing regulations, which then must be finalized 18 months thereafter, so we are looking at a window of approximately 3 and a half years at this point.