
ASTP/ONC Publishes HTI-3 Final Rule on Reproductive Rights. The Assistant Secretary for Technology Policy, Office of the National Coordinator for Health IT (ASTP/ONC) has published a final rule titled Health Data, Technology, and Interoperability: Protecting Care Access (HTI-3). The rule: (i) Finalizes the addition of a definition of “reproductive health care” to the defined terms for purposes of the information blocking regulations, which appears in 45 CFR 171.102; (ii) Finalizes revisions to two previously established information blocking exceptions: the Privacy Exception, § 171.202, and Infeasibility Exception, § 171.204; and (iii) Finalizes the new Protecting Care Access Exception.

CMS Publishes New Set of NSA AEOB/GFE FAQs. The Centers for Medicare & Medicaid Services (CMS) published a new set of Frequently Asked Questions (FAQs) on the No Surprises Act (NSA) Advanced Explanation of Benefits (AEOB) and Good Faith Estimation (GFE) provisions of the NSA.

The guidance includes the following GFE (for an uninsured or a self-pay individual) topics: (i) Are providers and facilities required to provide uninsured (or self-pay) GFEs to individuals who are members of health care sharing ministries and not enrolled in other health coverage? (ii) Are providers and facilities required to verify with an individual’s plan or issuer whether the individual is enrolled in a group health plan, group or individual health insurance coverage, federal health care program, or FEHB plan? (iii) Does the requirement to provide GFEs to uninsured (or self-pay) individuals apply to dental and vision providers and facilities? (iv)  Are GFEs required when students who are not licensed providers furnish health care items or services under the supervision of a licensed provider or facility (such as a university clinic)? (v) Are uninsured (or self-pay) GFEs for items or services scheduled fewer than 3 business days before the date of service eligible for the patient-provider dispute resolution (PPDR) process? (vi) Should a provider or facility reschedule an appointment for an individual if the provider or facility is unable to provide a required uninsured (or self-pay) GFE within the timeframes set forth in section 2799B-7 of the PHS Act and implementing regulations? (vii)  What does “business day” mean? and (viii) If a consumer requests a GFE from the wrong point of contact in a provider’s office or facility, is the provider or facility responsible for ensuring the consumer is directed to the right point of contact?

The guidance also includes a report on the progress the government has made toward AEOB Rulemaking and Implementation. It provides updates on both the HL7 Da Vinci Project and X12 efforts to identify data exchange solutions. The new FAQs can be accessed here.

CMS Announces New Framework for Improving Health Care Delivery and Care Experience. CMS announced its "Optimizing Care Delivery: A Framework for Improving the Health Care Experience." The framework lays out CMS’ five-year strategy for improving health care delivery and the care experience by addressing administrative burdens and other frictions in the programs it oversees as well as the health system more broadly.

The Framework identifies the following strategic priorities: (i) Integrate the voice of the patient and caregiver into opportunities to increase equity in care access and delivery (Associated Objective: Engage patients and caregivers to understand their needs and challenges in their care experiences); (ii) Improve patient safety and reduce administrative burden in care transitions (Associated Objective: Ensure safe, coordinated and timely care transitions); (iii) Address well-being and experience for health care workers across the health care enterprise (Associated Objective: Support the overall health and needs of all care team members); (iv) Improve care approval processes to increase access to care and reduce care delays (Associated Objective: Ensure delivery of quality care in a timely manner); (v) Reduce redundant or outdated data collection, documentation, and reporting requirements (Associated Objective: Increase provider time with patients by continuing to reduce redundancy and complexity in data reporting requirements from payers, providers, and regulatory agencies); (vi) Leverage technology to accelerate innovation and the adoption of best practices (Associated Objective: Optimize the care experience through innovative technology and best practices); and (vii) Convene and support public-private partnerships to advance health care experience and burden reduction efforts (Associated Objective: Work across the health care ecosystem to catalyze progress in reducing administrative burden at scale). Access the Framework here.

CMS Releases Comprehensive Care for Joint Replacement Model Evaluation Report. CMS released the Comprehensive Care for Joint Replacement (CJR) Model: Performance Year Six Evaluation Report. The evaluation report presents results for the first year of the CJR model extension (performance year six) after significant changes to the CJR model were implemented. The revisions to the CJR model generated net savings of $54.2 million for Medicare in performance year six while maintaining the quality of care for patients.

CISA Requesting Public Comments on National Cyber Incident Response Plan Update. The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Joint Cyber Defense Collaborative and in coordination with the Office of the National Cyber Director (ONCD), published the National Cyber Incident Response Plan (NCIRP) Public Comment Draft. CISA is requesting public comments on the draft NCIRP and its outline of a national approach to cyber incident detection and response coordination. The public comment period concludes on January 15, 2025. Read the draft updated NCIRP here.

ASTP Redesigns its SITE Testing Hub. ASTP announced in a blog post the unveiling of its redesigned Standards Implementation & Testing Environment (SITE), a testing hub for the ONC Health IT Certification Program (Certification Program). The updated SITE platform offers a more seamless and efficient user experience, empowering users to take full advantage of the system’s tools and resources. The testing hub helps developers validate certain interoperability capabilities or test against certification criteria. The redesigned platform includes: (i) A unified platform: Now, health IT developers can find all Certification Program conformance testing tools, general testing tools, and resources in one convenient location; (ii) User-friendly interface and messages: New icons, visual markers, and a notifications panel have been added to help guide users around the site. Website error messages are now clearer and more consistent; (iii) Tools tagged by certification criteria: Tools are now easier to locate because they are labeled with the applicable certification criterion name and number; and (iv) Enhanced functionality: The agency improved how you can interact with documentation, from saving to printing. Form validation has also been added to reduce errors and increase security.

One of ASTP’s most significant changes is the integration of SITE and the Edge Testing Tool (ETT) into a single, cohesive platform. ASTP has developed SITE to be a developer's one-stop shop for all Certification Program conformance testing-related needs, including electronic prescribing, public health, and Inferno FHIR tools and resources.

HITAC Sends Annual Report for FY 2024 to HHS and Congress. The Health Information Technology Advisory Committee (HITAC) has sent its Annual Report for Fiscal Year (FY) 2024 to the HHS Secretary and Congress. HITAC is required to submit this report annually under the 21st Century Cures Act. The report details the health IT and health care industries’ progress in advancing the health IT infrastructure in several target areas. In its report, HITAC assesses the health IT infrastructure landscape for gaps and opportunities and recommends activities for the Committee to consider across six target areas: (i) Use of Artificial Intelligence that Improves Health and Health Care; (ii) Design and Use of Technologies that Advance Health Equity; (iii) Use of Technologies that Support Public Health; (iv) Interoperability; (v) Privacy and Security; and (vi) Patient Access to Information. Go here to access the report.

ASTP Releases AI Use Case Inventory. In a blog post, ASTP, through its Office of the Chief Artificial Intelligence Officer (OCAIO), has released the Department of Health and Human Services' (HHS) 2024 AI Use Case Inventory.

This artificial intelligence (AI) use case publication requirement was first initiated by President Trump through Executive Order 13960 “Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government” and further enhanced by President Biden’s Executive Order 14110 “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” and its implementing Office of Management and Budget (OMB) Memorandum M-24-10 “Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence.”

ASTP lists three points regarding the 2024 Inventory: (i) HHS has more AI use cases than last year. In comparison to our 2023 AI use case inventory, which included 163 use cases, the 2024 inventory now includes 271, representing a 66% increase. It’s important to keep in mind that use cases come in various sizes and are at various development stages. Out of the 271 use cases, 59 are “Initiated,” 57 are in “Acquisition and/or Development,” 35 are in “Implementation and Assessment,” 104 are in “Operation and Maintenance,” and 16 are “Retired;” (ii) New use case information is now available. The 2024 AI use case inventory includes a range of additional information beyond just use case summaries. It includes information on data, IT infrastructure, internal governance, and much more; and (iii) The agency has already started planning for the 2025 inventory and improvements. It will also be using this curated list to engage sister agencies and execute additional ongoing responsibilities included in M-24-10, including working with them, where applicable and appropriate, to share their AI code, models, and data.

CMS Infographic Highlights Medicare Beneficiary Internet Access and Use. CMS released an infographic highlighting information on internet access and use among people with Medicare by metropolitan residence status. CMS also released updated data on internet access and use among people with Medicare, with data for 2023, and an annual data update on socio-demographic and health characteristics of people with Medicare by metropolitan residence status, with data for 2022.

Article Discusses Use of AI for EM Department Summaries and Hospital Handoffs. In an article published in the Journal of the American Medical Association (JAMA) Network Open titled “Developing and Evaluating Large Language Model–Generated Emergency Medicine Handoff Notes,” researchers examine whether a large language model (LLM) can generate emergency medicine (EM)-to-inpatient (IP) handoff notes that are useful and safe for EM care. This cohort study used 1600 EM patient medical records with acute hospital admissions that occurred in 2023 at New York-Presbyterian/Weill Cornell Medical Center. A customized clinical LLM pipeline was trained, tested, and evaluated to generate templated EM-to-IP handoff notes. Researchers concluded that LLM-generated EM-to-IP handoff notes were determined superior compared with physician-written summaries via conventional automated evaluation methods, but marginally inferior in usefulness and safety via a novel evaluation framework. This study suggests the importance of a physician-in-loop implementation design for this model and demonstrates an effective strategy to measure pre-implementation patient safety of LLM models.

CMS Innovation Center Releases Report to Congress. CMS published the Center for Medicare and Medicaid Innovation’s (the CMS Innovation Center) 2024 Report to Congress. During the reporting period, more than 192,000 providers and/or plans participated in CMS Innovation Center models and initiatives, serving more than 57 million beneficiaries. This seventh report features strategic accomplishments, updates on 37 models and initiatives (including 9 newly announced models), 52 evaluations, and more activities from October 1, 2022 through September 30, 2024. Also new to this year’s report are an introduction from Center Director Dr. Liz Fowler and an infographic of Center highlights.

New FTC Post - Preventing & Mitigating Digital Security Risks

Key Takeaway: The Federal Trade Commission (FTC) has released a new post from its Office of Technology, titled “Lenses of Security: Preventing and mitigating digital security risks through data management, software development, and product design for humans,” which you can find here.

Why It Matters: The post emphasizes the importance of addressing systemic risks to protect consumers from data breaches and other security threats. The FTC highlights actions such as enforcing data retention schedules, mandating data deletion, limiting third-party data sharing, and encrypting sensitive information to enhance security and privacy. The Commission also highlights how it has taken action against misrepresentations of security practices and misuse of security data. 

HC3 Releases November Vulnerability Bulletin

Key Takeaway: Today HHS' Health Sector Cybersecurity Coordination Center (HC3) has released its Vulnerability Bulletin for November, which contains vulnerabilities that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches.

Why It Matters: The vulnerabilities for November are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, Adobe, Fortinet, Ivanti, VMware and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.

HC3 Threat Brief on Wi-Fi 7 for the Health Sector

Key Takeaway: HC3 has released a new Threat Brief on Wi-Fi 7 for the healthcare sector. The next generation of Wi-Fi, Wi-Fi 7, has begun to deploy and has security implications for the sector to begin considering.

Why It Matters: This threat brief provides an overview and basic concepts, capabilities and limitations, security protocols, attack examples, and defense and mitigations. The slides in the Threat Brief are both non-technical and technical for a variety of audiences. It also includes links to resources and reference materials.

CISA Releases New Resource: The De-Escalation Action Guide 

Key Takeaway: The Cybersecurity and Infrastructure Security Agency (CISA) released a new resource, the De-escalation Action Guide, a companion to the De-escalation Series. It is intended for critical infrastructure owners and operators, as well as any personnel responsible for securing public gathering locations and venues.

Why It Matters: This resource provides an overview of four categories of actions that may be taken to de-escalate a potentially violent situation and consolidates the CISA De-escalation Series into a single, easy-to-use resource to help users identify and navigate suspicious activity or potentially escalating situations. This resource is one of many that CISA offers to assist the critical infrastructure community with conflict prevention.
