116 S5218 IS: Health Infrastructure Security and Accountability Act of 2024
U.S. Senate
2024-09-25
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.Short title; table of contents(a)This Act may be cited as the Health Infrastructure Security and Accountability Act of 2024
.(b)The table of contents for this Act is as follows:Sec. 1. Short title; table of contents.Title I—Strengthening and increasing oversight of, and compliance with, security standards for health informationSec. 101. Security requirements.Sec. 102. Security risk management, reporting requirements, and audits for covered entities and business associates.Sec. 103. Increased civil penalties for failure to comply with security standards and requirements for health information.Sec. 104. User fee to support data security oversight and enforcement activities.Title II—Medicare assistance to address cybersecurity incidents201. Medicare safe cybersecurity practices adoption program for eligible hospitals and critical access hospitals.202. Medicare accelerated and advanced payments in response to cybersecurity incidents.<enum>I</enum><header>Strengthening and increasing oversight of, and compliance with, security standards for health information</header><section commented="no" display-inline="no-display-inline" id="idc93e46bfc1454fb081caabc7edc0c3e9"><enum>101.</enum><header>Security requirements</header><subsection commented="no" display-inline="no-display-inline" id="id9ead2454e3fa40719a260412f8b2217a"><enum>(a)</enum><header>In general</header><text>Section 1173(d)(1) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)(1)</external-xref>) is amended—</text><paragraph commented="no" display-inline="no-display-inline" id="idc119a6529ced4bc6a68bc1ed827b7e47"><enum>(1)</enum><text display-inline="yes-display-inline">in subparagraph (A), by redesignating clauses (i) through (v) as subclauses (I) through (V) respectively and indenting appropriately; </text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id1a375c789dbf4fd6ae3997f830882e2d"><enum>(2)</enum><text display-inline="yes-display-inline">by redesignating subparagraphs (A) and (B) as clauses (i) and (ii) respectively and indenting appropriately; </text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id783ce41884c9442ea172fbf29ad65231"><enum>(3)</enum><text display-inline="yes-display-inline">by striking <quote><header-in-text style="OLC" level="paragraph">Security Standards</header-in-text>.—The Secretary</quote> and inserting the following:</text><quoted-block id="idd542b8fd59f74524b89a7bbf029eeae4" display-inline="yes-display-inline"><text><header-in-text level="paragraph" style="OLC">Minimum Security Standards.—</header-in-text></text><subparagraph commented="no" display-inline="no-display-inline" id="idbd974264312f4a74b124b52f486db7e0"><enum>(A)</enum><header>In general</header><text>The Secretary</text></subparagraph><after-quoted-block>; </after-quoted-block></quoted-block></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id7427c56520fc449b8d102dade786a658"><enum>(4)</enum><text>in subparagraph (A), as added by paragraph (3)—</text><subparagraph commented="no" display-inline="no-display-inline" id="id80fac6bde6d0408b924bb915526fd26a"><enum>(A)</enum><text display-inline="yes-display-inline">in clause (i)(V), by striking <quote>and</quote> at the end;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id60b6a853782b476c9fff5016eed086fe"><enum>(B)</enum><text>in clause (ii), by striking the period at the end and inserting <quote>; and</quote>; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idfcec9070d6644c3aa3a0a44e626ec611"><enum>(C)</enum><text>by adding at the end the following new clause:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idEE5731C850884977B32D213077B5A655"><clause id="ida2f4298a55e3445c98051d579049fe5b"><enum>(iii)</enum><text>include minimum and enhanced security requirements adopted under subparagraph (B)</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id41b42ad9072c4af2b2b083b4c8008c10"><enum>(5)</enum><text display-inline="yes-display-inline">by adding at the end the following new subparagraph:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id667b9cf19ec540ce9faf0e9808033f58"><subparagraph id="id243f7c1c6aec4a2db812f95af410fe01"><enum>(B)</enum><header>Minimum and enhanced security requirements</header><clause id="ide962e449ff8e4271908631e47b2568ea"><enum>(i)</enum><header>Adoption</header><text>Subject to clauses (iii) and (iv), in order to protect health information, protect patient safety, and ensure the availability and resiliency of health care information systems and health care transactions, the Secretary shall adopt—</text><subclause id="id12bd267b5af14f299ed1205b07c22b8d"><enum>(I)</enum><text>minimum security requirements for covered entities and business associates; and</text></subclause><subclause id="id6d85744762d745cbaa5aafeab10a8f6c"><enum>(II)</enum><text>enhanced security requirements for covered entities and business associates that—</text><item id="id451b6616eace43aa8e8b97155688bcff"><enum>(aa)</enum><text>are of systemic importance, as determined by the Secretary; or</text></item><item id="id59bbe81fb3464a19953829bd1cf6e802"><enum>(bb)</enum><text>are important to national security, as determined by the Secretary, in consultation with the Director of Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence.</text></item></subclause></clause><clause commented="no" display-inline="no-display-inline" id="id85779216b4c448018154a57a7fdefade"><enum>(ii)</enum><header>Application of enhanced security requirements</header><subclause commented="no" display-inline="no-display-inline" id="idecfccfaa11f64770b4e420454204db8f"><enum>(I)</enum><header display-inline="yes-display-inline">Notification</header><text>The Secretary shall, at a time and in a manner determined appropriate by the Secretary, notify each covered entity and business associate that is subject to the enhanced security requirements under clause (i)(II).</text></subclause><subclause commented="no" display-inline="no-display-inline" id="ide70047e623584eeca686ff3dc88ae63c"><enum>(II)</enum><header>Limitation on review</header><text display-inline="yes-display-inline">There shall be no administrative or judicial review under section 1869, 1878, or otherwise of the methodology the Secretary uses to determine whether a covered entity or business associate is subject to the enhanced security requirements under clause (i)(II).</text></subclause></clause><clause id="ida74f6eeeb0b944598eb12d11acb773f7"><enum>(iii)</enum><header>Factors</header><text>In addition to the factors described in subparagraph (A)(i), in developing—</text><subclause id="id3455137e5c684cf9b05868c7d10da40f"><enum>(I)</enum><text> the minimum security requirements under clause (i)(I), the Secretary shall, in consultation with the Director of Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence, design the requirements to prevent—</text><item id="idaee2386189ee4b54b78cf5219aee832d"><enum>(aa)</enum><text>cyber incidents utilizing the tools and strategies used to target covered entities or business associates;</text></item><item id="id8d3b7cb366a24c34b69bfcd46b0d73b0"><enum>(bb)</enum><text>the potential harms, as defined by the Secretary, to national security that could result from a cyber incident involving a covered entity or business associate;</text></item><item id="idc4a5f4e5236f423c856ead6710f876d7"><enum>(cc)</enum><text>the potential harms, as defined by the Secretary, to patients that could result from a cyber incident involving a covered entity or business associate; and</text></item><item commented="no" display-inline="no-display-inline" id="id36de06a45ff24defa7131334c1932ee8"><enum>(dd)</enum><text display-inline="yes-display-inline">other potential harms from cyber incidents, as determined appropriate by the Secretary; and</text></item></subclause><subclause id="id3682799fb3554b6dbda66ee4b6488e03"><enum>(II)</enum><text>the enhanced security requirements under clause (i)(II), the Secretary shall, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence, design the requirements to prevent the potential harms described in subclause (I) and protect against the specific threats the covered entities and business associates described in such clause face.</text></subclause></clause><clause id="ide95e8e85051b4a87ae796394d961e0c1"><enum>(iv)</enum><header>Review and update of requirements</header><text>The Secretary shall review and update the minimum and enhanced security requirements adopted under clause (i) not less frequently than every 2 years.</text></clause><clause id="id8f724bff73cf4876b95a786823464a7d" commented="no"><enum>(v)</enum><header>Effective date and rulemaking</header><subclause commented="no" display-inline="no-display-inline" id="iddcdbb0bed31c48d6961f965823f860bf"><enum>(I)</enum><header>Effective date</header><text display-inline="yes-display-inline">The requirements under this subparagraph shall take effect on the date that is 2 years after the date of enactment of this subparagraph.</text></subclause><subclause commented="no" display-inline="no-display-inline" id="id09e9320e43d44747ac34492e6df93747"><enum>(II)</enum><header>Rulemaking</header><text display-inline="yes-display-inline">Not later than 18 months after the date of enactment of this subparagraph, the Secretary shall promulgate regulations to carry out this subparagraph.</text></subclause></clause><clause id="id7ff5cfa28c79461da67b3c0003c66719"><enum>(vi)</enum><header>Definitions</header><text>For purposes of this subsection:</text><subclause id="id26fbce48e1be408aa874a684ba4ada19" commented="no"><enum>(I)</enum><header>Business associate</header><text>The term <term>business associate</term> has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (or a successor regulation).</text></subclause><subclause id="id54f666a5be104a23b2c46b9167c0bc8c"><enum>(II)</enum><header>Covered entity</header><text>The term <term>covered entity</term> has the meaning given that term in section 160.103 of title 45, Code of Federal Regulations (or a successor regulation).</text></subclause><subclause id="id29e4890829644bb98e3a1041b3e66783"><enum>(III)</enum><header>Systemic importance</header><text>The term <term>systemic importance</term> means, with respect to a covered entity or business associate, that the failure of, or a disruption to, such entity or associate would have a debilitating impact on access to health care or the stability of the health care system of the United States (as determined by the Secretary).</text></subclause></clause></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection id="idbcda3f5807c441b3b2f68b6a0b7c8531"><enum>(b)</enum><header>Availability of health information</header><text>Section 1173(d)(2)(A) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)(2)(A)</external-xref>) is amended by striking <quote>the integrity and confidentiality</quote> and inserting “the availability, integrity, and confidentiality. </text></subsection></section><section id="id90da8bea9e9741a6a66b07cdb0e99c15"><enum>102.</enum><header>Security risk management, reporting requirements, and audits for covered entities and business associates</header><subsection id="idbd1412d160974189b1ca4efbb5b530c5"><enum>(a)</enum><header>Security risk management and reporting</header><text>Section 1173(d) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)</external-xref>) is amended by adding at the end the following new paragraph:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idd67249a6919745d4adbb63decaf28fd5"><paragraph id="id92fb256f09b24c71956524bb4e7c3a12"><enum>(3)</enum><header>Security risk management and reporting</header><subparagraph id="idec7ac78e6be847368fee9d54247ba015"><enum>(A)</enum><header>In general</header><text>Each covered entity and business associate shall at a minimum, on an annual basis—</text><clause id="id7ffc44b96438488cbaf5d9fe7f99b1e5"><enum>(i)</enum><text>conduct and document a security risk analysis, including information regarding the manner and extent to which such entity or associate is exposed to risk through its business associates;</text></clause><clause id="idabb0c6f7c9614179b3042015878967cf"><enum>(ii)</enum><text>document a plan for a rapid and orderly resolution in the event of a natural disaster, disruptive cyber incident, or other technological failure to its information systems or those of its business associates;</text></clause><clause id="ida0809bf71a8a4472be93721cfc3fa75e"><enum>(iii)</enum><text>conduct a stress test to evaluate whether such entity or associate has the capabilities and planning necessary to recover essential functions, such as patient care operations and transactions described in subsection (a)(2), following a cyber incident, a natural disaster, or other substantial threat to health care operations, as determined by the Secretary;</text></clause><clause id="ide22dbd2e3d624aee9ba325ec175a55fa"><enum>(iv)</enum><text>document whether, based upon the results of the stress test described in clause (iii), the covered entity or business associate revised the most recent plan described in clause (ii); </text></clause><clause id="id09df14cae7244dbca220bdad79dc6f95"><enum>(v)</enum><text>provide a written statement signed by the chief executive officer and chief information security officer (or equivalent thereof) stating that the covered entity or business associate is in compliance with security requirements adopted under part 160 of title 45, Code of Federal Regulations, and subparts A and C of part 164 of title 45, Code of Federal Regulations (or a successor regulation), including the applicable security requirements adopted under paragraph (1)(B); and</text></clause><clause commented="no" display-inline="no-display-inline" id="id4cb035fac1974f36b8222cc46d12db70"><enum>(vi)</enum><text>publish on a publicly accessible website—</text><subclause commented="no" display-inline="no-display-inline" id="idfbd852ac72ae4a61adb5e92a822117d2"><enum>(I)</enum><text display-inline="yes-display-inline">whether the covered entity or business associate has received a notification from the Secretary pursuant to paragraph (1)(B)(ii)(I);</text></subclause><subclause commented="no" display-inline="no-display-inline" id="ide48e531d12974179aae38810879dc2ca"><enum>(II)</enum><text display-inline="yes-display-inline">whether the covered entity or business associate meets the minimum security requirements and, if applicable, the enhanced security requirements under paragraph (1)(B); and</text></subclause><subclause commented="no" display-inline="no-display-inline" id="id2f57de41f9d046c0a7e8902e822aef47"><enum>(III)</enum><text display-inline="yes-display-inline">a copy of each statement provided under clause (v) with respect to each year in a machine-readable format.</text></subclause></clause></subparagraph><subparagraph id="id338e54bcd1fc4269ae1f1de21baacad5"><enum>(B)</enum><header>Stress test methodology</header><text>The Secretary shall provide for not less than 2 different sets of conditions under which the test described in subparagraph (A)(iii) is to be conducted.</text></subparagraph><subparagraph id="id0deaf152ccd943a1817d4b293edc4389"><enum>(C)</enum><header>Waiver authority</header><text>The Secretary may waive the requirements of this paragraph with respect to a covered entity or business associate if the burden on the entity or associate significantly outweighs the benefits, taking into account the revenue of the entity or associate, the volume of protected health information or health care transactions processed by the entity or associate, and such other factors as the Secretary determines appropriate.</text></subparagraph><subparagraph id="id1013b399a273477485c2ed3a96ec9cd6"><enum>(D)</enum><header>Reporting</header><clause commented="no" display-inline="no-display-inline" id="id9b917520d2d44563a4a852c901502966"><enum>(i)</enum><header>In general</header><text display-inline="yes-display-inline">Subject to clause (ii), each covered entity and business associate shall submit the documentation required under subparagraph (A) at such time, in such form, and containing such information as the Secretary may require.</text></clause><clause id="ida517f689ad5a40eeaffbffe9989b275d"><enum>(ii)</enum><header>Annual reporting for covered entities and business associates subject to enhanced security requirements</header><text>Each covered entity and business associate that is subject to enhanced security requirements shall submit the documentation required under subparagraph (A) to the Secretary not less frequently than on an annual basis.</text></clause></subparagraph><subparagraph id="ideec4cc615387401b8963f9135c1e629b"><enum>(E)</enum><header>Definitions</header><text>For purposes of this subsection:</text><clause id="id5df7a1af3a0146bda764a26dfe99a0c9"><enum>(i)</enum><header>Cyber incident</header><text>The term <term>cyber incident</term> has the meaning given the term <term>incident</term> in section 2200(12) of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/650">6 U.S.C. 650(12)</external-xref>).</text></clause><clause commented="no" display-inline="no-display-inline" id="id4b7ba85e16e940e0b53bcc19cf13a7fd"><enum>(ii)</enum><header>Machine-readable</header><text>The term <term>machine-readable</term> has the meaning given such term in section 3502 of title 44, United States Code.</text></clause><clause commented="no" display-inline="no-display-inline" id="id01ba18d1cf624e8fb07592b59e1937e2"><enum>(iii)</enum><header>Stress test</header><text display-inline="yes-display-inline">The term <term>stress test</term> means an extensive real-world simulation intended to test the operational resilience of the health care operations of a covered entity or business associate in response to a substantial interruption in information systems, including the ability to—</text><subclause id="id413f57d0453342bd958289a23083c530"><enum>(I)</enum><text>continue to provide essential care and services during and in the recovery period from such substantial interruption; and</text></subclause><subclause id="ide325f961c8704171b1334ef19583348f"><enum>(II)</enum><text>timely rebuild the information systems (as defined in section 2200(14) of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/650">6 U.S.C. 650(14)</external-xref>)) of such covered entity or business associate.</text></subclause></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id05100034bea34a7084fd9e7d6f8c2bc2"><enum>(F)</enum><header>Effective date</header><text display-inline="yes-display-inline">The requirements under this paragraph shall take effect on the date that is 3 years after the date of enactment of this paragraph.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="idb0421d231fe04431a04b24b4393d94c9"><enum>(b)</enum><header>Independent security compliance audits</header><text>Section 1173(d) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)</external-xref>), as amended by subsection (a), is amended by adding at the end the following new paragraph:</text><quoted-block id="idfd57f5e5fecf4b5d9b1d83974510f3e9" display-inline="no-display-inline" style="OLC"><paragraph id="id03857f81d7b74d3d938f945a3cf30b35"><enum>(4)</enum><header>Independent security compliance audits</header><subparagraph id="ida976e4eec58441d29da0a0d962bc8cae"><enum>(A)</enum><header>In general</header><text>Each covered entity and business associate must—</text><clause id="idbec1569e9e504a8aa5e8d46818254d80"><enum>(i)</enum><text>contract with an independent auditor that meets such requirements for independence and technical expertise as the Inspector General of the Department of Health and Human Services may establish to conduct an annual audit in accordance with subparagraph (B); and</text></clause><clause id="id2b6cd089459e4081b8b401b5ffd84ed4"><enum>(ii)</enum><text>document the findings of each audit conducted under clause (i).</text></clause></subparagraph><subparagraph id="ida1d43c366ac24aae9fe859d3c24102f1"><enum>(B)</enum><header>Audit requirements</header><text>An audit conducted under subparagraph (A)(i) shall—</text><clause id="idebdac831d91747d4822a47519573209b"><enum>(i)</enum><text>assess compliance of the covered entity or business associate with—</text><subclause commented="no" display-inline="no-display-inline" id="id7ca7153898654795b404d28908db1aa2"><enum>(I)</enum><text display-inline="yes-display-inline">during the period prior to the effective date of the requirements under paragraph (1)(B), the Healthcare and Public Health Sector Cybersecurity Performance Goals as described in the report published by the Department of Health and Human Services as of the date of enactment of this paragraph, and titled <quote>Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals: Strengthening the Cybersecurity of the Healthcare Sector and Keeping Patients Safe and Secure</quote>; and</text></subclause><subclause commented="no" display-inline="no-display-inline" id="idffcb3f94b90b4fb8b237b93fe182b40d"><enum>(II)</enum><text>on or after the effective date of the requirements under paragraph (1)(B), the minimum and enhanced security requirements adopted under such paragraph, as applicable;</text></subclause></clause><clause id="id4a15f72af5a3476f9b41ea1a6ae31fc0"><enum>(ii)</enum><text>identify any areas in which the covered entity or business associate did not meet such goals or requirements, as applicable; and</text></clause><clause id="id4164c872e26149af8203d91e8ffa5345"><enum>(iii)</enum><text>certify that the covered entity or business associate—</text><subclause id="id950cd611ba5743acb6eeecdeb428efc6"><enum>(I)</enum><text>has resolved any areas of noncompliance; or</text></subclause><subclause id="idc85875dea9ca4e0e987dcf817e9b5795"><enum>(II)</enum><text>is implementing an appropriate plan to resolve such areas of noncompliance in a timely manner.</text></subclause></clause></subparagraph><subparagraph id="idb79eb25d20284a21a195cc488562619b" commented="no"><enum>(C)</enum><header>Waiver authority</header><text>The Secretary may waive the requirements of this paragraph with respect to a covered entity or business associate if the burden on the entity or associate significantly outweighs the benefits, taking into account the revenue of the entity or associate, the volume of protected health information or health care transactions processed by the entity or associate, and such as other factors as the Secretary determines appropriate.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6f09382f38a94c7391403d487226137d"><enum>(D)</enum><header>Reporting</header><clause commented="no" display-inline="no-display-inline" id="id4e1e84ed87c24a06816ba0307e932dae"><enum>(i)</enum><header>In general</header><text display-inline="yes-display-inline">Subject to clause (ii), each covered entity and business associate shall submit the documentation required under subparagraph (A)(ii) at such time, in such form, and containing such information as the Secretary may require. </text></clause><clause commented="no" display-inline="no-display-inline" id="id8c77879d222149a7ba8700665d4cae85"><enum>(ii)</enum><header>Annual reporting for entities and associates subject to enhanced security requirements</header><text display-inline="yes-display-inline">Each covered entity and business associate that is subject to enhanced security requirements shall submit the documentation required under subparagraph (A)(ii) to the Secretary not less frequently than on an annual basis. </text></clause></subparagraph><subparagraph id="id48b103e39a8a403ea568d39c95af6f77" commented="no" display-inline="no-display-inline"><enum>(E)</enum><header>Effective date</header><text display-inline="yes-display-inline">The requirements under this paragraph shall take effect on the date that is 180 days after the date of enactment of this paragraph.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection commented="no" display-inline="no-display-inline" id="idee5b9b589c6f4182a88521779c41407a"><enum>(c)</enum><header>Secretarial audits of data security practices</header><text>Section 1173(d) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)</external-xref>), as amended by subsections (a) and (b), is amended by adding at the end the following new paragraph:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id64BBF6D077F14AE8BCB6800C41C967BE"><paragraph id="id0e36325da1b14534a7073bf0347d460d" commented="no"><enum>(5)</enum><header>Secretarial audits of data security practices</header><subparagraph id="id5b300fba4fb24df8b04f9f10f47c4f00" commented="no"><enum>(A)</enum><header>In general</header><text>Each year (beginning on or after the date this is 4 years after the date of enactment of this paragraph) the Secretary shall conduct an annual audit of the data security practices of at least 20 covered entities or business associates under this part. The Comptroller General of the United States shall monitor auditing activities conducted under this paragraph.</text></subparagraph><subparagraph id="id9010623e066e4fc3aa0e10d66734019e" commented="no"><enum>(B)</enum><header>Considerations</header><text>In selecting covered entities or business associates for audit under subparagraph (A) the Secretary shall consider—</text><clause id="id90c6f103aed447c39c9e8723a0968162" commented="no"><enum>(i)</enum><text>whether the covered entity or business associate is of systemic importance;</text></clause><clause id="id23fe31dacbd1459ca6ce0c71bcd2cca8" commented="no"><enum>(ii)</enum><text>whether any complaints have been made with respect to the data security practices of the covered entity or business associate; and</text></clause><clause id="id111b3978ce64400eaea772b6493c103d" commented="no"><enum>(iii)</enum><text>whether the covered entity or business associate has a history of previous violations.</text></clause></subparagraph><subparagraph id="idcd3b12bd2e3648ec9fccbbdf860e1267" commented="no"><enum>(C)</enum><header>Corrective action plan and penalties</header><text>The findings of an audit under this paragraph may result in a civil money penalty based on the failure of a covered entity or business associate to submit documentation demonstrating that the covered entity or business associate has taken corrective actions to achieve compliance in response to a finding of a potential violation of a provision of this part within a period of time specified by the Secretary after receipt of such findings.</text></subparagraph><subparagraph id="id733cb6efbf084c7f96e49c5e44e0e12e" commented="no"><enum>(D)</enum><header>Reports to Congress</header><text>The Secretary shall submit to Congress reports summarizing the results of the audits conducted under this paragraph biennially ending on the date that is 10 years after the date on which the first report is submitted under this subparagraph.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="id3e30c778337f44ed9bce5006d88b169b"><enum>(d)</enum><header>Civil and criminal penalties for failure To comply with documentation, reporting, and audit requirements</header><text>Section 1173(d) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)</external-xref>), as amended by subsections (a), (b), and (c), is amended by adding at the end the following new paragraph:</text><quoted-block id="idAD6DA032087145AEAFCBAE74604CF7EB" display-inline="no-display-inline" style="OLC"><paragraph id="id10fee433ab53426aa91144b81084a139"><enum>(6)</enum><header>Civil and criminal penalties for failure to comply with documentation, reporting, and audit requirements</header><subparagraph id="id6c7fd5e769e54a228a9e57201668e51e"><enum>(A)</enum><header>Civil penalties</header><clause commented="no" display-inline="no-display-inline" id="id478715e6fa424b979805039c9753629d"><enum>(i)</enum><header display-inline="yes-display-inline">In general</header><text>A covered entity or business associate that—</text><subclause commented="no" display-inline="no-display-inline" id="ide2272dab11be4159bf4599427ee2e937"><enum>(I)</enum><text display-inline="yes-display-inline">fails to timely submit documentation or a report required under paragraph (3), (4), or (5),</text></subclause><subclause commented="no" display-inline="no-display-inline" id="idb0be95012e8c4a179ee7a83b830b672d"><enum>(II)</enum><text display-inline="yes-display-inline">fails to comply with an audit under paragraph (5), or</text></subclause><subclause commented="no" display-inline="no-display-inline" id="id69f3e41607124f9e995be2f71917c058"><enum>(III)</enum><text display-inline="yes-display-inline">fails to comply with a responsibility of a covered entity or a business associate under section 160.310 of title 45, Code of Federal Regulations (or a successor regulation),</text></subclause><continuation-text continuation-text-level="clause">shall be subject to a civil money penalty of not more than $5,000 per day for each such failure.</continuation-text></clause><clause id="idde7159ee083c4244809a44193a54bc2a"><enum>(ii)</enum><header>Procedures</header><text>The provisions of section 1128A (other than subsections (a), (b), and (d)(1), and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subparagraph in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.</text></clause><clause commented="no" display-inline="no-display-inline" id="idc039f977e18a456fa656f5b8639de7c6"><enum>(iii)</enum><header>Clarification</header><text>Any civil money penalty under this subparagraph with respect to a failure described in clause (i) shall be in lieu of the penalties described in section 1176.</text></clause></subparagraph><subparagraph id="ida2e484ba60364f108dce5ea074f59418" commented="no" display-inline="no-display-inline"><enum>(B)</enum><header>Criminal penalties</header><text>In addition to any penalties imposed under subparagraph (A), whoever submits, or causes to be submitted, any documentation or report required of a covered entity or business associate under paragraph (3), (4), or (5) knowing that such documentation or report contains false information, or willfully fails to timely submit, or willfully causes to not be timely submitted, such a document or report, shall be guilty of a felony and upon conviction thereof fined not more than $1,000,000 or imprisoned for not more than 10 years, or both.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section><section id="ida1307029b52640fa8b0f002606c39863"><enum>103.</enum><header>Increased civil penalties for failure to comply with security standards and requirements for health information</header><subsection commented="no" display-inline="no-display-inline" id="ida57a20a3744e426fb42ae2ed5065cdf4"><enum>(a)</enum><header>Increased civil penalties</header><text display-inline="yes-display-inline">Section 1176 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-5">42 U.S.C. 1320d–5</external-xref>) is amended—</text><paragraph commented="no" display-inline="no-display-inline" id="id12fdd6cd72e642bc8cd0d905ef00d89b"><enum>(1)</enum><text display-inline="yes-display-inline">in subsection (a)(1), in the matter preceding subparagraph (A), by striking <quote>subsection (b)</quote> and inserting <quote>subsections (b) and (d)</quote>; </text></paragraph><paragraph id="idf3631e3c347e42cd970626bf544fb851"><enum>(2)</enum><text>by redesignating subsections (d) and (e) as subsections (e) and (f); and</text></paragraph><paragraph id="id6a635e4919fa4170ab10458d11b548d9"><enum>(3)</enum><text>by inserting after subsection (c) the following new subsection:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id9201FBE2CABC49FE8103B3DCEBB9F140"><subsection commented="no" display-inline="no-display-inline" id="id0e35ac9bf2684cab81727c5a64b4838a"><enum>(d)</enum><header>Special rules for failure To comply with security standards and requirements for health information</header><paragraph commented="no" display-inline="no-display-inline" id="idb3349fd59fc4440aa8e0ad80c1c00ca9"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">In the case of a violation of the security standards and requirements under section 1173(d) that occurs after the effective date of the requirements under paragraph (1)(B) of such section, the following rules shall apply:</text><subparagraph commented="no" display-inline="no-display-inline" id="idfd2ce929349f4ef1b41d2eae2f583085"><enum>(A)</enum><text>Subsection (a)(1)(A) shall be applied by substituting <quote>that is at least $500</quote> for <quote>that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D)</quote>.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id61202751606546C7B16A5F45E8A09E0F"><enum>(B)</enum><text>Subsection (a)(1)(B) shall be applied by substituting <quote>that is at least $5,000</quote> for <quote>that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D)</quote>.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id7A5E4F2A93A34DCA8D615AE9C294373C"><enum>(C)</enum><text>Subsection (a)(1)(C)(i) shall be applied by substituting <quote>that is at least $50,000</quote> for <quote>that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D)</quote>.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id241E8A2EFBC449768229098C3D541D2F"><enum>(D)</enum><text>Subsection (a)(1)(C)(ii) shall be applied by substituting <quote>that is at least $250,000</quote> for <quote>that is at least the amount described in paragraph (3)(D)</quote>. </text></subparagraph><subparagraph id="id4b2cd655af494c37bf31c5db79c7dc50"><enum>(E)</enum><text>In addition to the factors described in the second sentence of subsection (a)(1), in determining the amount of a penalty under this section for a violation of the security standards and requirements under section 1173(d), the Secretary shall also base such determination on—</text><clause commented="no" display-inline="no-display-inline" id="id6cd92621dffa405bb98f45164d59c021"><enum>(i)</enum><text display-inline="yes-display-inline">the size of the covered entity or business associate (as such terms are defined in section 1173(d)(1)(B)(vi)) subject to the penalty; </text></clause><clause commented="no" display-inline="no-display-inline" id="id3cfdbf203b2e4aa3aae3e0a5b815bf0d"><enum>(ii)</enum><text display-inline="yes-display-inline">the full compliance history of the covered entity or business associate, </text></clause><clause commented="no" display-inline="no-display-inline" id="id5b2f17e335ac40f7b8ea349b46533944"><enum>(iii)</enum><text display-inline="yes-display-inline">good faith efforts to comply with the security standards and requirements; and</text></clause><clause commented="no" display-inline="no-display-inline" id="id9a39030174f346b49de89eb887ba6404"><enum>(iv)</enum><text>such other matters as the Secretary determines appropriate.</text></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id37f631bfe98845d398d822688116d363"><enum>(F)</enum><text>Subsection (a)(3) shall not apply.</text></subparagraph></paragraph><paragraph id="id796B806A1E864ECBA45A4787DF72F8A0"><enum>(2)</enum><header>Distribution of certain civil monetary penalties collected</header><subparagraph id="idD23BC3AA6A584F5CBC6468199CF3EB22"><enum>(A)</enum><header>In general</header><text>Subject to the regulation promulgated pursuant to subparagraph (B), any civil monetary penalty or monetary settlement collected with respect to a violation of the security standards and requirements under section 1173(d) that occurs after the effective date of such requirements under paragraph (1)(B) of such section shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for the purposes of enforcing the provisions of this part and subparts C and E of part 164 of title 45, Code of Federal Regulations (or any successor regulation).</text></subparagraph><subparagraph id="idB2D2AEC901A740A7ACA03E5E5DEDB56A"><enum>(B)</enum><header>Establishment of methodology to distribute percentage of CMPs collected to harmed individuals</header><text>Not later than 18 months after the date of the enactment of this subparagraph, the Secretary shall establish by regulation a methodology under which an individual who is harmed by an act that constitutes a violation referred to in subparagraph (A) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such violation.</text></subparagraph><subparagraph id="idAC014F4F30C543618D07C466232E548A" commented="no" display-inline="no-display-inline"><enum>(C)</enum><header>Application of methodology</header><text>The methodology under subparagraph (B) shall be applied to any civil monetary penalty or monetary settlement collected with respect to a violation of the security standards and requirements under section 1173(d) that occurs after the effective date of such requirements under paragraph (1)(B) of such section.</text></subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection id="id758933f4fb0c47088f292a6ce38d9645"><enum>(b)</enum><header>Striking amendment to the Health Information Technology for Economic and Clinical Health Act related to fines and audits</header><paragraph commented="no" display-inline="no-display-inline" id="id9ee56247564c494cb0fbb502d943c677"><enum>(1)</enum><header display-inline="yes-display-inline">In general</header><text>Part 1 of subtitle D of the Health Information Technology for Economic and Clinical Health Act (<external-xref legal-doc="usc" parsable-cite="usc/42/17931">42 U.S.C. 17931 et seq.</external-xref>), as amended by <external-xref legal-doc="public-law" parsable-cite="pl/116/321">Public Law 116–321</external-xref>, is amended by striking section 13412.</text></paragraph><paragraph id="id952aed01365a4748a08f8d79e21fb53b" commented="no" display-inline="no-display-inline"><enum>(2)</enum><header>Effective date</header><text>The amendment made by this subsection shall take effect on the date of enactment of this Act, and apply to determinations made on or after such date.</text></paragraph></subsection></section><section id="id33b52f8c81114cd7802f741189d4f76f"><enum>104.</enum><header>User fee to support data security oversight and enforcement activities</header><text display-inline="no-display-inline">Section 1173(d) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1320d-2">42 U.S.C. 1320d–2(d)</external-xref>), as amended by section 102, is amended by adding at the end the following new paragraph:</text><quoted-block id="idD668E603FD1F49B5A57B1500332B47BD" display-inline="no-display-inline" style="OLC"><paragraph id="id75faa1d51bc04e228d15fc1422f202ff"><enum>(7)</enum><header>User fee to support data security oversight and enforcement activities</header><subparagraph id="id874344f219964836a5c9fe73a711655b"><enum>(A)</enum><header>In general</header><text>Each covered entity and business associate shall pay the fee established by the Secretary under subparagraph (B).</text></subparagraph><subparagraph id="idf309c6889e7c48dfb2598773c4088d88"><enum>(B)</enum><header>Authorization</header><text>The Secretary is authorized to charge a fee to each covered entity and business associate that is equal to the pro rata share of the entity or associate (equal to the ratio, as estimated by the Secretary, of the revenue of the entity or associate for the preceding fiscal year to national health expenditures, as determined by the Secretary, for the preceding fiscal year) of the aggregate amount of fees which the Secretary is directed to collect in a fiscal year. Any amounts collected shall be available without further appropriation to the Secretary for the purpose of carrying out oversight and enforcement activities under this subsection.</text></subparagraph><subparagraph id="id71a3046b8b89454394a49fcd12cff113"><enum>(C)</enum><header>Limitation</header><text>In any fiscal year (beginning with fiscal year 2026) the fees collected by the Secretary under subparagraph (B) shall not exceed the lesser of—</text><clause id="id85555d67bfc147619068d5ec11b50ff5"><enum>(i)</enum><text>the estimated costs to be incurred by the Secretary in the fiscal year in carrying out oversight and enforcement activities under this subsection; or</text></clause><clause id="idc8d2c362e35f4e73beaf381011a60bda"><enum>(ii)</enum><subclause commented="no" display-inline="yes-display-inline" id="id69d4e455e83943c39c9dced3d906bf6d"><enum>(I)</enum><text>in fiscal year 2026, $40,000,000;</text></subclause><subclause id="id144e645c3356456ea6ba9dd4886c1824" indent="up1"><enum>(II)</enum><text>in fiscal year 2027, $50,000,000; and</text></subclause><subclause id="id16743a350000440388ed1a53e4da2170" indent="up1" commented="no" display-inline="no-display-inline"><enum>(III)</enum><text>in fiscal year 2028 or a subsequent fiscal year, the amount determined under this clause for the preceding fiscal year, increased by the percentage increase in the consumer price index for all urban consumers (all items; United States city average) over the previous year.</text></subclause></clause></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></section><enum>II</enum><header>Medicare Assistance to address cybersecurity incidents</header><section id="idd5112a0117874d8aafb5f069492e4048"><enum>201.</enum><header>Medicare safe cybersecurity practices adoption program for eligible hospitals and critical access hospitals</header><subsection id="id09b48c70f0494607b5dd420f79b08cd6"><enum>(a)</enum><header>Incentive payments</header><text>Section 1886 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395ww">42 U.S.C. 1395ww</external-xref>) is amended by adding at the end the following new subsection:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id72F07452FCE74D97B5B01601C309A2BF"><subsection id="id2e95d603b0eb450eb852a2b03c8cba47"><enum>(u)</enum><header>Incentives for adoption of essential and enhanced cybersecurity practices</header><paragraph id="ida465a4e2809d443ca0f79d3c97e07f62" commented="no"><enum>(1)</enum><header>Investment</header><subparagraph commented="no" display-inline="no-display-inline" id="id356e64e2cb5e406f9743b0aca3776d35"><enum>(A)</enum><header display-inline="yes-display-inline">Fiscal years 2027 and 2028</header><text>For fiscal years 2027 and 2028, upon request, a critical access hospital or an eligible high-needs hospital shall be paid from the Federal Hospital Insurance Trust Fund established under section 1817 a proportional share (as determined by the Secretary) of $800,000,000 to adopt essential cybersecurity practices.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id88122110cf854871a6e2ba95c50a8b37"><enum>(B)</enum><header>Fiscal years 2029 and 2030</header><text display-inline="yes-display-inline">For fiscal years 2029 and 2030, upon request, a critical access hospital or an eligible hospital shall be paid from the Federal Hospital Insurance Trust Fund established under section 1817 a proportional share (as determined by the Secretary) of $500,000,000 to adopt enhanced cybersecurity practices.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idd0b0db4fe434495c8b4825558d697396"><enum>(C)</enum><header>Form of payment</header><text display-inline="yes-display-inline">A payment under this subsection may be in the form of a single consolidated payment or in the form of such periodic installments as the Secretary may specify.</text></subparagraph></paragraph><paragraph id="iddd5f1b43709e48e18a67e3c48235f41b" commented="no"><enum>(2)</enum><header>Adoption</header><subparagraph commented="no" display-inline="no-display-inline" id="id2eccaec3bcd6416d95740e971874713c"><enum>(A)</enum><header display-inline="yes-display-inline">Essential cybersecurity practices</header><text>Beginning in fiscal year 2029 for an eligible hospital, and in calendar year 2029 for a critical access hospital, such hospital or critical access hospital shall be treated as an adopter of essential cybersecurity practices for a payment year if such hospital or critical access hospital submits information to the Secretary, in a form and manner specified by the Secretary, and in addition to the information required by subsection (n)(3)(A)(iii), attesting to implementation of essential cybersecurity practices selected by the Secretary for the EHR reporting period with respect to such year.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id2fed9de872ed4c45b122b676c6a971a4"><enum>(B)</enum><header>Enhanced cybersecurity practices</header><text display-inline="yes-display-inline">Beginning in fiscal year 2030 for an eligible hospital, and in calendar year 2030 for a critical access hospital, such hospital or critical access hospital shall be treated as an adopter of enhanced cybersecurity practices for a payment year if such hospital or critical access hospital submits information to the Secretary, in a form and manner specified by the Secretary, and in addition to the information required by subsection (n)(3)(A)(iii), attesting to implementation of enhanced cybersecurity practices selected by the Secretary during the EHR reporting period with respect to such year.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id958f7832edf446ddbbc5c7a08cf1917a"><enum>(C)</enum><header>Identification of essential cybersecurity practices</header><text display-inline="yes-display-inline">Beginning in fiscal year 2027, the Secretary shall, through notice and comment rulemaking, identify essential cybersecurity practices for an EHR reporting period that address known vulnerabilities to data infrastructure and patient health information and ensure patient safety and continuity of patient care.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idbe009e9dfc6b4a269898306ad65a3ff0"><enum>(D)</enum><header>Identification of enhanced cybersecurity practices</header><text display-inline="yes-display-inline">Beginning in fiscal year 2028, the Secretary shall, through notice and comment rulemaking, identify enhanced cybersecurity practices for an EHR reporting period that address the safe use of digital data, safety and continuity of patient care, advance cybersecurity resilience across the hospital sector, address high-risk cybersecurity vulnerabilities (as determined by the Secretary), and ensure patient safety and continuity of care.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id8ea137632eb5492c838b31e3a9553cea"><enum>(E)</enum><header>Updating</header><text display-inline="yes-display-inline">The Secretary may update essential and enhanced cybersecurity practices required under this subsection through notice and comment rulemaking as needed to reflect evolving cybersecurity practices.</text></subparagraph></paragraph><paragraph id="id76942de760df49f6a8edd6602066921d"><enum>(3)</enum><header>Application</header><subparagraph id="idc384a5246eae47dcb662820b17906c1f"><enum>(A)</enum><header>Limitations on review</header><text>There shall be no administrative or judicial review under section 1869, section 1878, or otherwise, of—</text><clause id="id3df969903bb54ae2afcacc54277dea4d"><enum>(i)</enum><text>the methodology and standards for determining payment amounts under this subsection and payment adjustments under subsection (b)(3)(B)(xiii) and section 1814(l)(6)(A);</text></clause><clause id="idfe8e08bf92784413b70f5e6f33a32346"><enum>(ii)</enum><text>the methodology and standards for determining whether an eligible hospital is an essential or enhanced cybersecurity practices adopter under paragraph (2) and the Secretary’s determination of whether or not to apply the hardship exception to an eligible hospital under subsection (b)(3)(B)(xiii)(III); or</text></clause><clause id="id7b9c04b2be1846938358696b6785c84e"><enum>(iii)</enum><text>any alteration by the Secretary of the requirements specified in paragraph (2).</text></clause></subparagraph><subparagraph id="id0c56263d501d4495b24292f6edcd1bb2"><enum>(B)</enum><header>Posting on website</header><text>The Secretary shall post on the Internet website of the Centers for Medicare & Medicaid Services, in an easily understandable format, the number by State of eligible hospitals and critical access hospitals that are not essential or enhanced cybersecurity adopters as applicable for a year.</text></subparagraph></paragraph><paragraph id="idf9d729f0e97b41d2938a580f40ae8d41"><enum>(4)</enum><header>Definitions</header><text>For purposes of this subsection:</text><subparagraph id="id61a1d460231a497b954c357af1081efb"><enum>(A)</enum><header>EHR reporting period</header><text>The term <term>EHR reporting period</term> means the period determined by the Secretary under subsection (n)(6)(A). </text></subparagraph><subparagraph id="ida5de948e8e8a46e38f8cfd7001ced26f"><enum>(B)</enum><header>Eligible high-needs hospital</header><text>The term <term>eligible high-needs hospital</term> means an eligible hospital that—</text><clause id="id0d2cb302af5d486597111c53d2bec59e"><enum>(i)</enum><text>is a subsection (d) Puerto Rico hospital (as defined in subsection (d)(9)(A));</text></clause><clause id="id804052470f7a42cab4bc91152a1eb27e"><enum>(ii)</enum><text>is operated by the Indian Health Service or by an Indian tribe or tribal organization (as those terms are defined in section 4 of the Indian Health Care Improvement Act); </text></clause><clause id="id0d00c279bdd24a9da2606feda6bb1b00" commented="no"><enum>(iii)</enum><text>has a disproportionate percentage of Medicare beneficiaries who are dually eligible for benefits under this title and title XIX across all subsection (d) hospitals in the baseline period (as specified by the Secretary) of at least 75 percent;</text></clause><clause id="id5cf38170440a4fa18640e97394995a9a" commented="no"><enum>(iv)</enum><text>has a disproportionate percentage of Medicare beneficiaries who are subsidy eligible individuals (as defined in section 1860D–14(a)(3)) across all subsection (d) hospitals in the baseline period (as specified by the Secretary) of at least 75 percent (as determined by the Secretary under subsection (d)(5)(F)(vi));</text></clause><clause id="id574db89608044279a00dc6b68eaf39e7"><enum>(v)</enum><text>is located in a rural area (as defined in subsection (d)(2)(D));</text></clause><clause id="id7fe24e66eb0244f8b7ee5a9556876b07"><enum>(vi)</enum><text>is classified as a rural referral center under subsection (d)(5)(C);</text></clause><clause id="id0e147b381797478c98afab46d5c57d57"><enum>(vii)</enum><text>is a sole community hospital (as defined in subsection (d)(5)(D)(iii));</text></clause><clause id="id086f750b42514f7e825a283ae1535156"><enum>(viii)</enum><text>is a low-volume hospital (as defined in subsection (d)(12)(C)(i)); or</text></clause><clause id="id7616f3e29ed94453b5e4cd017f66892f"><enum>(ix)</enum><text>is a medicare-dependent, small rural hospital (as defined in subsection (d)(5)(G)).</text></clause></subparagraph><subparagraph id="id9c6af21b444c40f88d4197501c7199f7"><enum>(C)</enum><header>Eligible hospital</header><text>The term <term>eligible hospital</term> has the meaning given that term in subsection (n)(6)(B). </text></subparagraph><subparagraph id="idb49e77f79ea945d1869fe46e2ff6015f"><enum>(D)</enum><header>Enhanced cybersecurity practices</header><text>The term <term>enhanced cybersecurity practices</term> means enhanced security requirements adopted under section 1173(d)(1)(B)(i)(II) and such additional practices as the Secretary may select for a year that are greater than essential cybersecurity practices. </text></subparagraph><subparagraph id="id9677fb8317cb4e19afc014084f02aab0"><enum>(E)</enum><header>Essential cybersecurity practices</header><text>The term <term>essential cybersecurity practices</term> means the minimum security requirements adopted under section 1173(d)(1)(B)(i)(I) and such additional practices as the Secretary may select for a year.</text></subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="id93af668796d0462dbd90535cbff6f605"><enum>(b)</enum><header>Payment reductions for failure To adopt safe cybersecurity practices; significant hardship exception</header><paragraph id="idb302561d1043482cba11d97570b8030a"><enum>(1)</enum><header>Hospitals</header><text>Section 1886(b)(3)(B) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395ww">42 U.S.C. 1395ww(b)(3)(B)</external-xref>) is amended by adding at the end the following new clause:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id0469223F41B9489BA57BECB0DBD84055"><clause id="idcd137c799a0a4492b3677540a9905ea0"><enum>(xiii)</enum><subclause commented="no" display-inline="yes-display-inline" id="id7da5c80381514f6b93c687cf7faa3dad"><enum>(I)</enum><text>For purposes of clause (i)—</text><item indent="up1" commented="no" display-inline="no-display-inline" id="idd70c553668304d2ca7fec2908634d09f"><enum>(aa)</enum><text>for fiscal year 2029, in the case of an eligible hospital that is not an adopter of the essential cybersecurity practices for a payment year (as determined under subsection (u)(2)(A)) for an EHR reporting period for such year, the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 0.25 percentage point;</text></item><item indent="up1" commented="no" display-inline="no-display-inline" id="id77e245d6c59943d293652748200c2329"><enum>(bb)</enum><text>for fiscal year 2030, in the case of an eligible hospital that is not an adopter of the essential cybersecurity practices for a payment year (as determined under subsection (u)(2)(A)) for an EHR reporting period for such year—</text><subitem commented="no" display-inline="no-display-inline" id="ide75e3c5c978d4216a29773a2d038d79a"><enum>(AA)</enum><text display-inline="yes-display-inline">the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 0.50 percentage point; and </text></subitem><subitem commented="no" display-inline="no-display-inline" id="id58a447f3b2a04b2cae8b5da2c85e515d"><enum>(BB)</enum><text display-inline="yes-display-inline">the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 0.25 percent;</text></subitem></item><item indent="up1" commented="no" display-inline="no-display-inline" id="id07ff1e9e679f4cd8a6910cc0d870cc80"><enum>(cc)</enum><text>for fiscal year 2031, in the case of an eligible hospital that is not an adopter of the enhanced cybersecurity practices for a payment year (as determined under subsection (u)(2)(B)) for an EHR reporting period for such fiscal year—</text><subitem commented="no" display-inline="no-display-inline" id="ida9701509c6fd48c48657ea08118082e3"><enum>(AA)</enum><text display-inline="yes-display-inline">the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 0.75 percentage point; and </text></subitem><subitem commented="no" display-inline="no-display-inline" id="iddaea0ea864b74f28b025fa474ae13101"><enum>(BB)</enum><text display-inline="yes-display-inline">the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 0.50 percent;</text></subitem></item><item indent="up1" commented="no" display-inline="no-display-inline" id="id0abf949e95074aa59244bf5678ce49c5"><enum>(dd)</enum><text>for fiscal year 2032, in the case of an eligible hospital that is not an adopter of the enhanced cybersecurity practices for a payment year (as determined under subsection (u)(2)(B)) for an EHR reporting period for such fiscal year—</text><subitem commented="no" display-inline="no-display-inline" id="idf426b0e9ccac467b98c393194b271c71"><enum>(AA)</enum><text display-inline="yes-display-inline">the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 1.0 percentage point; and </text></subitem><subitem commented="no" display-inline="no-display-inline" id="id31de079607e9424f9a9e42852ca7770f"><enum>(BB)</enum><text display-inline="yes-display-inline">the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 0.75 percent; and</text></subitem></item><item indent="up1" commented="no" display-inline="no-display-inline" id="id1cf2bca94f6c434181e1b70bfde8b8f1"><enum>(ee)</enum><text>for fiscal year 2033 and each subsequent fiscal year, in the case of an eligible hospital that is not an adopter of the enhanced cybersecurity practices for a payment year (as determined under subsection (u)(2)(B)) for an EHR reporting period for such fiscal year—</text><subitem commented="no" display-inline="no-display-inline" id="idb0b34a45b8914661b9bf4d7626234bd3"><enum>(AA)</enum><text display-inline="yes-display-inline">the applicable percentage increase otherwise applicable under clause (i) (determined without regard to clause (viii) or (xi)) for such fiscal year shall be reduced (but not below zero) by 1.0 percentage point; and </text></subitem><subitem commented="no" display-inline="no-display-inline" id="idcd6fc31ebf8644d3bf4dbff7daff69c2"><enum>(BB)</enum><text display-inline="yes-display-inline">the base operating DRG payment amount (as defined in subsection (o)(7)(D)) for such hospital for each discharge in such fiscal year shall be reduced by 1.0 percent.</text></subitem></item></subclause><subclause indent="up1" commented="no" display-inline="no-display-inline" id="id844aabed922a48058196875290172567"><enum>(II)</enum><text>A reduction under subclause (I) shall apply only with respect to the fiscal year involved, and the Secretary shall not take into account such reduction in making payments to a hospital under this section in a subsequent fiscal year.</text></subclause><subclause indent="up1" commented="no" display-inline="no-display-inline" id="id939b08708de349dab5de1786f60fd826"><enum>(III)</enum><text>The Secretary may, on a case-by-case basis, except an eligible hospital from the application of subclause (I) with respect to a fiscal year if the Secretary determines, subject to annual renewal, that requiring such hospital to be an essential or enhanced cybersecurity practices adopter during such fiscal year would result in a significant hardship, such as in the case of a natural disaster, a bankruptcy, limited internet connectivity, an incident (as defined in section 2200 of the Homeland Security Act of 2002) that significantly disrupts medicare claims processing, or any other similar situation that the Secretary determines interfered with the ability of the eligible hospital to meet the requirements. An eligible hospital may not be granted an exemption under this subclause for more than 5 years, except in cases where the Secretary determines such hospital has experienced an incident (as so defined) that significantly disrupts medicare claims processing. The Secretary shall establish an exception process and post an application for an exception on the Internet website of the Centers for Medicare & Medicaid Services. Such process shall require that the application be submitted to the Secretary by not later than 6 months after the conclusion of the EHR reporting period for the relevant year. </text></subclause><subclause indent="up1" commented="no" display-inline="no-display-inline" id="id84118e34fda749599077378eda316122"><enum>(IV)</enum><text>In the case of a State for which the Secretary has waived all or part of this section under the authority of section 1115A, nothing in this section shall preclude such State from implementing an adjustment similar to the adjustment under subclause (I).</text></subclause><subclause indent="up1" commented="no" display-inline="no-display-inline" id="id0bb0374eb5904b45ae97e6490e09480e"><enum>(V)</enum><text>In this clause, the term <quote>eligible hospital</quote> has the meaning given such term in subsection (u)(4).</text></subclause></clause><after-quoted-block>.</after-quoted-block></quoted-block></paragraph><paragraph id="id5c316c30cb9a478fafa8b00d9f7d3591"><enum>(2)</enum><header>Critical access hospitals</header><text>Section 1814(l) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395f">42 U.S.C. 1395f(l)</external-xref>) is amended—</text><subparagraph commented="no" display-inline="no-display-inline" id="id95cba3463d1a423e95413523c6ce3c04"><enum>(A)</enum><text>by redesignating paragraph (5) as paragraph (6);</text></subparagraph><subparagraph id="idedfef5c9bff14260b33aeec22e208a81" commented="no" display-inline="no-display-inline"><enum>(B)</enum><text display-inline="yes-display-inline">by inserting after paragraph (4) the following new paragraph: </text><quoted-block style="OLC" display-inline="no-display-inline" id="id64C7843816614AD1BAF3F605DFB7D936"><paragraph id="id11d33f67818a4576848fc631de04ba45"><enum>(5)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="id90c5c30c438a41b4b9968e9e07a6eda1"><enum>(A)</enum><text>Subject to subparagraphs (B) and (C), for cost reporting periods beginning in—</text><clause indent="up1" commented="no" display-inline="no-display-inline" id="id133aaaed0c82480986dfc815290adeed"><enum>(i)</enum><text>fiscal year 2029, in the case of a critical access hospital that is not an essential cybersecurity practices adopter (as determined under section 1886(u)(3)(A)) for an EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 0.25 percent;</text></clause><clause indent="up1" commented="no" display-inline="no-display-inline" id="idba528ddc20b34e269a683f3d17f81079"><enum>(ii)</enum><text>fiscal year 2030, in the case of a critical access hospital that is not an essential cybersecurity practices adopter (as determined under section 1886(u)(3)(A)) for an EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 0.50 percent;</text></clause><clause indent="up1" commented="no" display-inline="no-display-inline" id="idcf30613a8acb46518bb007e5afb21104"><enum>(iii)</enum><text>fiscal year 2031, in the case of a critical access hospital that is not an enhanced cybersecurity practices adopter (as determined under section 1886(u)(3)(B)) for a EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 0.75 percent; and</text></clause><clause indent="up1" commented="no" display-inline="no-display-inline" id="id37197445d10f49efb676235c095073ba"><enum>(iv)</enum><text>fiscal year 2032 or a subsequent fiscal year, in the case of a critical access hospital that is not an enhanced cybersecurity practices adopter (as determined under section 1886(u)(3)(B)) for a EHR reporting period with respect to such fiscal year, the percent described in paragraph (1) shall be reduced by 1 percent.</text></clause></subparagraph><subparagraph indent="up1" commented="no" display-inline="no-display-inline" id="idaf813ab290814eefbda82a36890b088d"><enum>(B)</enum><text>The percent described in paragraph (1) shall be reduced by no more than a total of 1 percent for a fiscal year as the result of the application of this paragraph and other sections of this title.</text></subparagraph><subparagraph indent="up1" commented="no" display-inline="no-display-inline" id="id6f2112c9441844a085535ecc499d0675"><enum>(C)</enum><text>The provisions of subclause (III) of section 1886(b)(3)(B)(xiii) shall apply with respect to subparagraph (A) for a critical access hospital with respect to a cost reporting period in the same manner as such subclause applies with respect to subclause (I) of such section for an eligible hospital.</text></subparagraph></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph><subparagraph id="id8e6f622103dc4ec598177bedb11dae1f" commented="no"><enum>(C)</enum><text>in paragraph (6), as redesignated by subparagraph (A)—</text><clause commented="no" display-inline="no-display-inline" id="id7433a705665847b28b55f9644f68e04c"><enum>(i)</enum><text display-inline="yes-display-inline">in subparagraph (C), by striking <quote>and</quote> at the end;</text></clause><clause commented="no" display-inline="no-display-inline" id="id29d3f255ee234fbeae28e9407a40f0d1"><enum>(ii)</enum><text>in subparagraph (D), by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause commented="no" display-inline="no-display-inline" id="id97098e9921d3417c87fae59e91318004"><enum>(iii)</enum><text>by adding at the end the following new subparagraphs:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id24D022C4B4E7499387BC05C0F1FBB49F"><subparagraph id="id09142807d47f4311872ead2d705ef40a" indent="up1" commented="no"><enum>(E)</enum><text>the methodology and standards for determining payment amounts for critical access hospitals under section 1886(u) and payment adjustments under paragraph (5);</text></subparagraph><subparagraph id="id64f9e9d4e313441da906f6237c6265e5" indent="up1" commented="no"><enum>(F)</enum><text>the methodology and standards for determining whether a critical access hospital is an essential or enhanced cybersecurity practices adopter under section 1886(u)(2) and the Secretary’s determination of whether or not to apply the hardship exception under subsection (b)(3)(B)(xiii)(III) to a critical access hospital pursuant to paragraph (5)(C); or</text></subparagraph><subparagraph id="idfff7c1cb7ead419a8fdc1d9669251a53" indent="up1" commented="no"><enum>(G)</enum><text>any alteration by the Secretary of the requirements specified in section 1886(u)(2) with respect to a critical access hospital.</text></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></clause></subparagraph></paragraph></subsection><subsection id="id0acd27e78cad437ab82a0a95eef43de7"><enum>(c)</enum><header>Implementation funding</header><text>In addition to any amounts otherwise made available, there is appropriated to the Centers for Medicare & Medicaid Services Program Management Account from the Federal Hospital Insurance Trust Fund under section 1817 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395i">42 U.S.C. 1395i</external-xref>), $40,000,000 for fiscal year 2025 and $15,000,000 for each of fiscal years 2027 through 2031, to remain available until expended, to carry out the amendments made by this section. </text></subsection></section><section commented="no" display-inline="no-display-inline" section-type="subsequent-section" id="id1eeb6eaba64047f9897dc12dd0196403"><enum>202.</enum><header display-inline="yes-display-inline">Medicare accelerated and advance payments in response to cybersecurity incidents</header><subsection commented="no" display-inline="no-display-inline" id="id6ad38167187c4d7dbb6e3a6745bfc6f7"><enum>(a)</enum><header display-inline="yes-display-inline">Part A</header><text display-inline="yes-display-inline">Section 1815(e)(3) of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395g">42 U.S.C. 1395g(e)(3)</external-xref>) is amended to read as follows:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idD275AA69897B4863A0C3C1242E5A1EE4"><paragraph id="id75407c61ba9a438bb982516ee99bf9bf" indent="up1"><enum>(3)</enum><subparagraph commented="no" display-inline="yes-display-inline" id="id068dbfd4d89846ef9997449d3e78b292"><enum>(A)</enum><text>Subject to subsection (f), in the case of an eligible provider of services (as defined in subparagraph (B)) that has an agreement in effect under section 1866 and that has significant cash flow problems resulting from operations of its medicare administrative contractor under section 1874A or from unusual circumstances of such provider’s operation, including significant disruption to Medicare claims processing due to a cybersecurity incident (as defined in subparagraph (C)), the Secretary may make available appropriate accelerated payments subject to appropriate safeguards against fraud, waste, and abuse determined by the Secretary.</text></subparagraph><subparagraph id="id6e629c73fec04a3faddd69d830cbd1b9" indent="up1"><enum>(B)</enum><text>In this paragraph, the term <quote>eligible providers of services</quote> means—</text><clause id="id86eeee7d8c0843779dfc4f424cb2fcd3"><enum>(i)</enum><text>a subsection (d) hospital or a subsection (d) Puerto Rico hospital (as defined for purposes of section 1886);</text></clause><clause id="idc44be37539774b0f942cba9f92049eae"><enum>(ii)</enum><text>a hospital described in any of clauses (i) through (vi) of section 1886(d)(1)(B);</text></clause><clause id="id8da947f25d494a7aab9c4e177feb2da1"><enum>(iii)</enum><text>a critical access hospital (as defined in section 1861(mm)(1));</text></clause><clause id="idae6962031d764f7e9b204265c6bd1aed"><enum>(iv)</enum><text>a rural emergency hospital (as defined in section 1861(kkk)(2));</text></clause><clause id="id452859ddac5740b5b55e908b7b32f883"><enum>(v)</enum><text>a skilled nursing facility (as defined in section 1819(a));</text></clause><clause id="idf7a41fdf65a44203bc5e5f0d41ee6bbb"><enum>(vi)</enum><text>a home health agency (as defined in section 1861(o));</text></clause><clause id="id16fc1cfb4f9d4d5f989cd409330c8ef5"><enum>(vii)</enum><text>a hospice program (as defined in section 1861(dd)(2));</text></clause><clause id="ideff9d0c3053f4d0099aac4547c6f7a24"><enum>(viii)</enum><text>a comprehensive outpatient rehabilitation facility (as defined in section 1861(cc)(2));</text></clause><clause id="id172a35032057455ca108c5864cbbfe51"><enum>(ix)</enum><text>a rural health clinic (as defined in section 1861(aa)(2));</text></clause><clause id="id53c8c2c62fd74a378753f92b8e54d958"><enum>(x)</enum><text>a Federally qualified health center (as defined in section 1861(aa)(4));</text></clause><clause id="idb5b1d70237994bcfa252cdc4c1af7ea1"><enum>(xi)</enum><text>an opioid treatment program (as defined in section 1861(jjj)(2)); and</text></clause><clause id="id2178b18e947640558dff6230a61a4c5b"><enum>(xii)</enum><text>a community mental health center (as defined in section 1861(ff)(3)(B)).</text></clause></subparagraph><subparagraph id="idbaf1a984a9004fe0aa0fce56c703a58b" indent="up1"><enum>(C)</enum><text>In this paragraph, the term <quote>cybersecurity incident</quote> has the meaning given the term <quote>incident</quote> in section 2200 of the Homeland Security Act of 2002.</text></subparagraph><subparagraph id="id46a573d6e4bb49eaa6ad0adc280d7ce6" indent="up1"><enum>(D)</enum><text>Notwithstanding any other provision of law, the Secretary may implement the provisions of this paragraph by program instruction or otherwise.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection commented="no" display-inline="no-display-inline" id="id43a43f0db9e24cf3a37d9ba381e809e9"><enum>(b)</enum><header>Part B</header><text>Section 1835 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395n">42 U.S.C. 1395n</external-xref>) is amended by adding at the end the following new subsection:</text><quoted-block style="OLC" display-inline="no-display-inline" id="iddd9537079b6e489192a120f9a3884dce"><subsection id="id19896b0559114e0f81515891c87b7ed2"><enum>(f)</enum><paragraph commented="no" display-inline="yes-display-inline" id="idb22fa6cdb84245269e17654facdd752f"><enum>(1)</enum><text>Upon the request of a supplier (as defined in section 1861(d)) that is participating in the Medicare program under this title, that is furnishing items or services under this part, and that has significant cash flow problems resulting from operations of its medicare administrative contractor under section 1874A or from unusual circumstances of such supplier’s operation, including significant disruption to Medicare claims processing due to a cybersecurity incident (as defined in paragraph (2)), the Secretary may make available appropriate advance payments subject to appropriate safeguards against fraud, waste, and abuse determined by the Secretary.</text></paragraph><paragraph indent="up1" commented="no" display-inline="no-display-inline" id="id4eced6c4c71341859fd759d33d78046f"><enum>(2)</enum><text>In this paragraph, the term <quote>cybersecurity incident</quote> has the meaning given the term <quote>incident</quote> in section 2200 of the Homeland Security Act of 2002.</text></paragraph><paragraph indent="up1" commented="no" display-inline="no-display-inline" id="id7f09cfea5ccf45a3ac661b523ffaba24"><enum>(3)</enum><text>Notwithstanding any other provision of law, the Secretary may implement the provisions of this subsection by program instruction or otherwise.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection commented="no" display-inline="no-display-inline" id="ide5f7b009931845ef996536f6a510739c"><enum>(c)</enum><header>Protection of Trust Funds</header><paragraph commented="no" display-inline="no-display-inline" id="idC3FCF37CD7F14E8E817D8A5588B04B03"><enum>(1)</enum><header>Part A</header><text display-inline="yes-display-inline">Section 1817 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395i">42 U.S.C. 1395i</external-xref>) is amended by adding at the end the following new subsection:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id9C27CA86BF974B3A8DCB0B3CD9CFF7E9"><subsection commented="no" display-inline="no-display-inline" id="id570C96A02F064B88A74A1645A9B608B7"><enum>(l)</enum><paragraph commented="no" display-inline="yes-display-inline" id="idA21BCDBC123B4E698C84BE643600F757"><enum>(1)</enum><text>Beginning on the date of enactment of this subsection, there shall be transferred from the General Fund of the Treasury to the Trust Fund an amount, as estimated by the Chief Actuary of the Centers for Medicare & Medicaid Services, equal to the amount of accelerated payments made for items and services under this part.</text></paragraph><paragraph id="id1F1CE04C0A6C4C0180EF9E1A916D57A7" indent="up1"><enum>(2)</enum><text>There shall be transferred from the Trust Fund to the General Fund of the Treasury amounts equivalent to the sum of—</text><subparagraph commented="no" display-inline="no-display-inline" id="idAD72D14C52814AC39A663FE9C7B1285D"><enum>(A)</enum><text>the amounts by which claims have offset (in whole or in part) the amount of such payments described in paragraph (1); and </text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idAFDDC2C00B5C4AB18754D99B7AF97CFB"><enum>(B)</enum><text display-inline="yes-display-inline">the amount of such payments that have been repaid (in whole or in part). </text></subparagraph></paragraph><paragraph id="idC33B4B3F29FF4571B3D7345D423A88AB" indent="up1"><enum>(3)</enum><text>Amounts described in paragraphs (1) and (2) shall be transferred from time to time as determined appropriate by the Secretary.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id0a2618fb8d4a4ce8838481dd1bc659b2"><enum>(2)</enum><header>Part B</header><text display-inline="yes-display-inline">Section 1844 of the Social Security Act (<external-xref legal-doc="usc" parsable-cite="usc/42/1395w">42 U.S.C. 1395w</external-xref>) is amended by adding at the end the following new subsection:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idC3D610C601AD443D9CC7AEE45C3ACD0A"><subsection commented="no" display-inline="no-display-inline" id="id6006067d734c4f65bb4b90419cee3316"><enum>(g)</enum><paragraph commented="no" display-inline="yes-display-inline" id="id0792d14893eb4bd3a8a0eb6bc70a19d9"><enum>(1)</enum><text>Beginning on the date of enactment of this subsection, there shall be transferred from the General Fund of the Treasury to the Trust Fund an amount, as estimated by the Chief Actuary of the Centers for Medicare & Medicaid Services, equal to amounts paid in advance for items and services under this part.</text></paragraph><paragraph id="idfab4355802e54864a40ed13963883f0f" indent="up1"><enum>(2)</enum><text>There shall be transferred from the Trust Fund to the General Fund of the Treasury amounts equivalent to the sum of—</text><subparagraph commented="no" display-inline="no-display-inline" id="id5160b8829efb4be3b9ae648f16783433"><enum>(A)</enum><text>the amounts by which claims have offset (in whole or in part) the amount of such payments described in paragraph (1); and </text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idb682ef6eaccf42b5830eb3ddaca35ad0"><enum>(B)</enum><text display-inline="yes-display-inline">the amount of such payments that have been repaid (in whole or in part). </text></subparagraph></paragraph><paragraph id="id9214e1a0c06341d5999f257a58bdea49" indent="up1"><enum>(3)</enum><text>Amounts described in paragraphs (1) and (2) shall be transferred from time to time as determined appropriate by the Secretary.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section>