President-Elect Trump Taps Dr. Mehmet Oz to head CMS. President-Elect Donald Trump has nominated Mehmet Oz, M.D. to head the Centers for Medicare & Medicaid Services (CMS). Dr. Oz is a cardiothoracic surgeon, television personality, and Professor Emeritus at Columbia University. Dr. Oz is expected to go before the U.S. Senate for confirmation.
OCR Imposes a $100,000 CMP Against Mental Health Center for Failure to Provide Timely Access to Patient Records. The Office for Civil Rights (OCR) announced a $100,000 civil monetary penalty (CMP) against a mental health center in California. The penalty resolves an investigation into the center over a failure to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee. This latest action is the 51st against covered entities for failure to provide timely access to patient records.
OCR launched an investigation after receiving a complaint from a patient that they were not given timely access to their medical records, despite multiple requests in writing and by telephone. OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until the center provided them. The patient made multiple telephone calls in July and August 2020 regarding the status of her request, but still did not receive the requested records. Based on the facts, OCR found that the center failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule. In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. The center waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. As a result of OCR’s investigation, the patient received their records in 2020. Access the Notice of Proposed Determination here.
Sequoia Project Publishes New TEFCA SOPs. The Sequoia Project, as the Trusted Exchange Framework and Common Agreement (TEFCA) Recognized Coordinating Entity (RCE), published new Standard Operating Procedures (SOPs). These SOPs are available now for adoption and implementation. Go here to access the SOPs. Additional resources are available for TEFCA Qualified Health Information Networks (QHINs), Participants, and Subparticipants, or those considering pursuing TEFCA Exchange. In addition to the recently re-published TEFCA Glossary and TEFCA Cross Reference Resource, the RCE also updated the Frequently Asked Questions.
GAO Issues Report Questioning HHS as Lead on Health Care Cybersecurity. The Government Accountability Office (GAO) issued a report suggesting that HHS faces significant challenges as lead agency for health care cybersecurity. The report argues that HHS has not implemented some policies recommended by GAO, which could pose a risk to sector cybersecurity as attacks increase. For example, GAO suggests that HHS has yet to implement policies including tracking industry adoption of ransomware-specific cyber practices or assessing risks from internet of things or operational technology devices. According to the agency, until HHS addresses these gaps, the department could be unable to effectively lead the industry in cybersecurity.
FTC Announces Crackdown on Deceptive AI Claims and Schemes. The Federal Trade Commission (FTC) has implemented its new law enforcement sweep called Operation AI Comply. This is an enforcement action against multiple companies that have relied on AI to deploy deceptive or unfair conduct that harms consumers. It announced four settlements involving allegedly deceptive claims about AI-driven services, and one settlement involving a company that offered a generative AI tool that allows individuals to create fake consumer reviews. These enforcement actions are part of the FTC’s ongoing work to combat AI-related issues in the marketplace. The FTC stated it is committed to reviewing whether products or services actually use AI as advertised and, if so, whether they work as marketers say they will. The agency is also examining whether AI and other automated tools are being used for fraud, deception, unfair manipulation, or other harmful purposes.
FDA Publishes Digital Health and AI Glossary. The Food and Drug Administration (FDA) published a digital health and AI glossary as an educational resource to help support consistent use of digital health and AI terminology by the FDA and interested parties (e.g., industry, digital health developers, academia, health care professionals, and patients). The glossary is a compilation of commonly used terms in the digital health and AI/ML space and their definitions. These definitions are either directly from, or adapted from, various public sources, including consensus standard organizations and published literature. The FDA plans to update it as needed.
CISA Plan Seeks to Align Federal Agencies in Cyber Defense. The Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. Developed in collaboration with FCEB agencies, the plan provides standard, essential components of enterprise operational cybersecurity and aligns the collective operational defense capabilities across the federal enterprise. Currently, federal agencies maintain their own networks and system architectures—and they independently manage their cyber risk. CISA’s FOCAL plan aligns the federal enterprise, empowering agencies to better address the dynamic cyber threat environment collectively. The plan recommends actions that substantively advance operational cybersecurity improvements and alignment goals.
ASTP ONC Highlights PHIT Workforce Development Program Students Exceeding Expectations. In a blog post, the Assistant Secretary for Technology Policy, Office of the National Coordinator for Health IT (ONC) said that, three years in, the Public Health Informatics and Technology (PHIT) Workforce Development Program at the University of Texas Health Houston (UTHealth) has exceeded expectations and completed award milestones ahead of schedule. The PHIT program is an effort funded and led by ASTP ONC to boost the public health information technology workforce in the US. The agency stated that the program exceeded its original goal of training 1,900 students, reaching 2,065 students one year ahead of schedule. The PHIT Workforce Development Program and GET PHIT Program strive to help students gain long-term employment in public health informatics. UTHealth has already made great progress toward its employment goals, with students accepting full-time positions after completing internships with employers such as the Texas Department of State Health Services (DSHS) and the Research Triangle Institute, International (RTI).