HHS Releases Proposed Rule on Technology Adoption.  The Department of Health and Human Services (HHS) published a proposed rule in the Federal Register entitled “HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology.” The regulation proposes to amend and update the Health and Human Services Acquisition Regulation (HHSAR) to implement requirements to procure health information technology (health IT) that meets standards and implementation specifications adopted by the Office of the National Coordinator for Health Information Technology (ONC) in the following parts: Acquisition of Information Technology and Solicitation Provisions and Contract Clauses. The public comment period ends Oct. 8, 2024. 

OCR Releases HIPAA Security Rule Guidance on Facility Access Controls. The Office for Civil Rights (OCR) released new guidance titled: “HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?” The Facility Access Controls standard of the HIPAA Security Rule requires that regulated entities implement policies and procedures to limit physical access to [their] electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. The OCR guidance covers the following issues: (i) Contingency Operations; (ii) Facility Security Plan; (iii) Access Control and Validation Procedures; (iv) Access Control and Validation Procedures; and (v) OCR enforcement.  

NIST Releases New Open-Source Platform for AI Safety Assessments. The National Institute of Standards and Technology (NIST) has released a new open-source tool to facilitate artificial intelligence (AI) safety assessments. Dioptra, a downloadable software test platform, is designed to assist AI developers better comprehend unique data risks with AI models, assess its trustworthy characteristics, and help mitigate those risks. According to NIST, trustworthy AI is: (i) valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair - with harmful bias managed. Dioptra supports the Measure function of the NIST AI Risk Management Framework by providing functionality to assess, analyze, and track identified AI risks. 

ASTP ONC Releases New Inferno Test Kit Updates. The Assistant Secretary for Technology Policy, ONC (ASTP ONC) released a new Inferno test kit for software developers and updates to two existing Inferno Test Kits. They include: 

• ONC Certification (g)(10) Standardized API Test Kit, the official testing tool for the § 170.315(g)(10) “Standardized API for patient and population services” certification criterion, has been updated to align with the requirements specified in the HTI-1 Final Rule. Additionally, the ONC Certification Program § 170.315(g)(10) Test Procedure updated to HTI-1 Final Rule requirements is also available on HealthIT.gov. 

• US Core Test Kit has been updated to include tests for the US Core 7.0.0 implementation guide. US Core 7.0.0 supports implementation of the United States Core Data for Interoperability, version 4 (USCDI v4) standard in FHIR®. Developers can use this Test Kit to self-assess whether their servers conform to requirements in the US Core 7.0.0 implementation guide. 

• UDAP Security Test Kit: A new Inferno Test Kit was released to support testing of components of the HL7® UDAP Security v1 implementation guide. HL7® UDAP Security v1 supports implementation of security for scalable registration, authentication, and authorization of consumer-facing and business-to-business applications. This Test Kit provides tests for components of HL7® UDAP Security v1 including metadata discovery, dynamic client registration, and authentication and authorization for consumer-facing and business-to-business apps. Developers can use this Test Kit to self-assess whether their servers conform to the aforementioned components of HL7® UDAP Security v1. 

FDA Spotlights Delivering Safe, Effective AI-enabled Health Care. In a blog post, the Food and Drug Administration’s (FDA’s) Digital Health Center of Excellence (DHCoE) spotlights the need to ensure the safety and effectiveness of AI-enabled medical devices. The post also discusses trustworthiness, fairness, and performance. FDA highlights the ability to utilize Lifecycle Management (LCM) to meet the challenges of generative AI in health care, with practices to help ensure these systems meet real-world needs while managing their inherent risks across the software lifecycle. 

CMS Releases New Hospital Price Transparency Resources and Will Host Webinar. As of July 1, 2024, hospitals must conform to a CMS template layout and data specifications for making public their standard charge information in a comprehensive machine-readable file (MRF). Starting January 1, 2025, impacted hospitals are also required to encode additional data elements. CMS have developed the following resources to assist hospitals meet these new requirements: 

• Data Dictionary GitHub Repository:  

• Required CMS template layouts 

• Data dictionary 

• Examples of how to encode standard charges in the MRF 

• Q&A discussion board 

• Tools webpage: 

• Online validator 

• Command-line interface validator 

• TXT file generator 

• MRF naming convention tool 

• Resources webpage: 

• Final rules 

• FAQs 

• Guides 

• Webinar materials 

Hospital Price Transparency regulations require each hospital operating in the U.S. to publish a comprehensive MRF with the standard charges for all items and services they provide. Email questions to PriceTransparencyHospitalCharges@cms.hhs.gov CMS is also hosting a webinar for hospitals on how to meet the upcoming January 2025 requirements. Go here to register for the October 21 event.  

Registration Open: OCR-NIST Safeguarding Health Information Conference. OCR and the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) have opened registration for its “Safeguarding Health Information Conference: Building Assurance through HIPAA Security” conference. The in-person event will take place in Washington, D.C., with a virtual option. There is a cost for both options. 

The conference will explore the current healthcare cybersecurity landscape and the HIPAA Security Rule. This event will highlight the present state of health care cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The conference will offer sessions that explore best practices in managing risks and the technical assurance of electronic protected health information. Presentations will cover a variety of topics including managing cybersecurity risk and implementing practical cybersecurity solutions, understanding current cybersecurity threats to the healthcare community, cybersecurity considerations for the Internet of Things (IoT) in healthcare environments, updates from federal healthcare agencies, and more. Registration for the event is now open for both in-person and virtual attendance. Visit the event web page for more details and to register for the conference. 

Study: Telemedicine Feasible Alternative for those with OUD. In a study published in the Journal of Substance Abuse of Addiction Treatment entitled “Comparison of 30-day retention in treatment among patients referred to opioid use disorder treatment from emergency department and telemedicine settings,” researchers examined whether telemedicine is a feasible alternative to in-person evaluations for people with opioid use disorder (OUD). The study described rates of initial outpatient clinic appointment attendance and 30-day retention in care among patients referred by telemedicine compared to emergency department (ED) referrals. 

The researchers found that between October 2020 and September 2022, the MATTERS Network made 1349 referrals; 39.7% originated from an ED and 47.8% originated from telemedicine. For patients with available data, those referred from telemedicine were 1.64 times more likely to attend their initial clinic appointment and 2.59 times more likely be engaged in treatment at 30 days compared to those referred from an ED. More than two-thirds of patients referred from the emergency telemedicine environment followed up at their first clinic visit and more than half of these patients were still retained in treatment 30 days after referral.