OCR Settles HIPAA Phishing Cybersecurity Investigation for $3M. The Office for Civil Rights (OCR) announced a settlement with a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to diabetics, concerning potential violations of the HIPAA Security Rule and Breach Notification Rule following a breach of electronic protected health information (ePHI) caused by a phishing incident.
In November 2019, OCR received a breach report concerning a phishing attack in which an unauthorized third party gained access to eight of the supplier’s employees’ email accounts between April and June 2019, resulting in the breach of 114,007 individuals’ ePHI. In January 2020, OCR received notification of a second breach, when the supplier reported that it had sent 1,531 breach notification letters to the wrong mailing addresses. OCR’s investigation determined that the supplier failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in the supplier’s systems; failed to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and failed to provide timely breach notification to individuals, HHS, and the media.
Under the terms of the resolution agreement, the supplier agreed to implement a corrective action plan that will be monitored by OCR for two years and pay $3,000,000 to OCR. Under the corrective action plan, they will be required to take definitive steps to resolve potential violations of the HIPAA Security and Breach Notification Rules, including: (i) Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in its systems; (ii) Implementing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis; (iii) Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and (iv) Training its workforce on its HIPAA policies and procedures. The resolution agreement and corrective action plan may be found here.
HHS Publishes AI Strategic Plan. The Department of Health and Human Services (HHS) published its Artificial Intelligence (AI) Strategic Plan, laying out its vision for how AI can revolutionize health care, human services, and public health. This comprehensive roadmap outlines the department’s commitment to trustworthy, ethical, and equitable AI use. Key highlights of the Strategic Plan include catalyzing health AI innovation and adoption to unlock new ways to improve people’s lives, promoting trustworthy AI development and ethical and responsible use to avoid potential harm, democratizing AI technologies and resources to promote access, and cultivating AI-empowered workforces and organization cultures to effectively and safely use AI.
DEA Publishes 3 Telemedicine Proposed Rules. The U.S. Drug Enforcement Administration (DEA) announced three new rules to make permanent some temporary telemedicine flexibilities established during the COVID-19 public health emergency. According to the agency, in developing these rules it has focused on the patient to ensure telemedicine is accessible for medical care. Importantly, these rules do not apply to telemedicine visits in which a patient has already been seen in-person by a medical provider. Once a patient has had an in-person visit with a medical provider, the medical provider may prescribe any medications through telemedicine indefinitely. Also, if a telemedicine visit does not involve a patient being prescribed medications, then the telemedicine rules do not apply. Patients can always have telemedicine visits with medical providers. These rules only apply if a patient has never been seen in-person by the medical provider and the patient is being prescribed controlled medication.
The first proposed rule provides patients with remote access to buprenorphine, the medicine used to treat opioid use disorder. This change allows a patient to receive a 6-month supply of buprenorphine through a telephone consultation with a provider. Further prescriptions of buprenorphine will require an in-person visit to a medical provider. Go here to access this rule.
A second proposed rule would establish special registrations that will permit a patient to receive prescribed medications through telemedicine visits without ever having an in-person medical evaluation from a medical provider. The special registration is available to medical providers who treat patients for whom they will prescribe Schedule III-V controlled substances. An Advanced Telemedicine Prescribing Registration is available for Schedule II medications when the medical practitioner is board certified in one of the following specialties: psychiatrists; hospice care physicians; physicians rendering treatment at long-term care facilities; and pediatricians, for the prescribing of medications identified as the most addictive and prone to diversion to the illegal drug market. This regulation allows specialized medical providers to issue telemedicine prescriptions for Schedule II-V medications.
DEA is seeking public comment on additional medical specialists that should be authorized to issue Schedule II medications. Public comments will also be requested on additional patient protections for the prescribing of Schedule II medications by telemedicine, including whether the special registrant should be physically located in the same state as the patient being prescribed Schedule II medications; whether to limit Schedule II medications by telemedicine to medical practitioners whose practice is limited to less than 50% of prescriptions by telemedicine; and the appropriate duration needed for the rules’ provisions to be enacted.
For the first time, online platforms that facilitate connections between patients and medical providers that result in the prescription of medications will be required to register with DEA. This is critical because DEA has found that some unscrupulous medical providers on online platforms have used flexible telemedicine rules to put profit ahead of the well-being of patients.
The special registration rule will also require the establishment of a national PDMP (prescription drug monitoring program) to help the health industry protect against abuse and the diversion of controlled substances into the illegal drug market. A national PDMP will provide pharmacists and medical practitioners with visibility into a patient’s prescribed medication history. Go here to access this rule.
A third proposed rule was developed in consultation with the U.S. Department of Veterans Affairs (VA). It exempts VA practitioners from the special registration requirements. Once a patient has received an in-person medical examination from a VA medical practitioner, the provider-patient relationship is extended to all VA practitioners engaging in telemedicine with the patient. Go here to access the rule.
CMS Releases Data on Accountable Care Goals; Launches ACO PC Flex Model. The Centers for Medicare & Medicaid Services (CMS) has released participation data that shows substantial progress on its goal for all people with Traditional Medicare to be in a care relationship with accountability for quality and total cost of care by 2030. The agency reports that, as of January 2025, 53.4% of people with Traditional (fee-for-service) Medicare are in an accountable care relationship with a provider. This represents more than 14.8 million people and marks a 4.3 percentage point increase from January 2024, the largest annual increase since CMS began tracking accountable care relationships. These relationships include patients whose providers are in Accountable Care Organizations (ACOs), including the Medicare Shared Savings Program ACOs and Center for Medicare and Medicaid Innovation (Innovation Center) accountable care models, as well as other Innovation Center models focused on total cost of care, advanced primary care, and specialty care.
For 2025, 103 ACOs are continuing their participation in the Innovation Center’s ACO Realizing Equity, Access, and Community Health Model, and 78 Kidney Contracting Entities and 15 CMS Kidney Care First Practices are continuing their participation in the Kidney Care Choices Model.
The Innovation Center also launched the ACO Primary Care Flex (ACO PC Flex) Model on January 1. The model includes 24 ACOs that jointly participate in the Medicare Shared Savings Program. ACO PC Flex is a voluntary model that focuses on primary care delivery in the Medicare Shared Savings Program and aims to increase the number of low-revenue ACOs in the program. PC Flex ACOs partner with several types of providers, including approximately 1,013 Federally Qualified Health Centers, 58 Rural Health Clinics, and 8 Critical Access Hospitals.
Additionally, for the 2025 performance year, CMS approved 228 applications for the Medicare Shared Savings Program, including 55 new ACOs and 173 renewing or reentering ACOs, the largest annual number of renewals in the 12-year history of the program. This brings the total number of ACOs participating in the Medicare Shared Savings Program for Performance Year 2025 to 476.
Go here for additional information on 2025 CMS ACO participation.
CMS Call for Health Equity Conference Session Proposals Ends Jan. 21. The deadline to submit proposals for CMS’ 2025 Health Equity Conference: Building a Healthier America is approaching. The event will take place April 23-24, 2025, in Bethesda, MD, and is available online for virtual participation. The theme of this year's conference is Building a Healthier America. The agency is now accepting proposals for breakout session speakers and poster presenters. Authors of accepted proposals will be invited to present at the conference. For the opportunity to share your work at the conference, please submit your proposal by 5 p.m. PT on Tuesday, January 21, 2025. Information on what to propose and how to propose it can be found on the CMS conference website.
CISA Publishes Report on Cybersecurity Performance Goals Adoption. The Cybersecurity and Infrastructure Security Agency (CISA) published its Cybersecurity Performance Goals (CPGs) Adoption Report, spotlighting how adoption of the CPGs can improve the security of critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can adopt to protect themselves against cyber threats. The report includes analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. CISA identifies four critical infrastructure sectors most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities.
HC3 Releases Analyst Note on Telehealth. The HHS Health Sector Cybersecurity Coordination Center (HC3) has released a new Analyst Note titled Securing Telehealth: Challenges and Solutions. Telehealth applications can extend beyond traditional clinical settings into the homes of patients through virtual consultations and remote monitoring. These venues, while adding convenience for the patient, bring with them additional security and other challenges. The Analyst Note discusses the integration of technology into health care services and outlines potential vulnerabilities that bad actors may exploit. HC3 contends that understanding these cybersecurity risks is important for developing approaches to safeguard patient data, maintain privacy, and ensure the integrity of telehealth systems.
Study Examines Use of AI for EM Department Summaries and Hospital Handoffs. In an article published in the Journal of the American Medical Association (JAMA) Network Open titled “Developing and Evaluating Large Language Model–Generated Emergency Medicine Handoff Notes,” researchers examined whether a large language model (LLM) can generate emergency medicine (EM)-to-inpatient (IP) handoff notes that are useful and safe for EM care. This cohort study used 1600 EM patient medical records with acute hospital admissions that occurred in 2023 at New York-Presbyterian/Weill Cornell Medical Center. A customized clinical LLM pipeline was trained, tested, and evaluated to generate templated EM-to-IP handoff notes. Researchers concluded that LLM-generated EM-to-IP handoff notes were rated superior to physician-written summaries by conventional automated evaluation methods, but marginally inferior in usefulness and safety under a novel evaluation framework. This study suggests the importance of a physician-in-the-loop implementation design for this model and demonstrates an effective strategy to measure the pre-implementation patient safety of LLM models.