CMS Administrator Shares Vision for the Agency. In a press release, Dr. Mehmet Oz, the newly confirmed Administrator of the Centers for Medicare & Medicaid Services (CMS) shared his vision for the Agency. CMS will work to modernize Medicare, the Marketplaces and Medicaid. Actions the Agency will take include: (i) Empowering the American People with personalized solutions they can better manage their health and navigate the complex health care system. As a first step, CMS will implement the President’s Executive Order on Transparency to give Americans the information they need about costs; (ii) Equipping health care providers with better information about the patients they serve and holding them accountable for health outcomes, rather than unnecessary paperwork that distracts them from their mission. For example, CMS will work to streamline access to life saving treatments; (iii) Identifying and eliminating fraud, waste, and abuse to stop unscrupulous people who are stealing from vulnerable patients and taxpayers; and (iv) Shifting the paradigm for health care from a system that focuses on sick care to one that fosters prevention, wellness, and chronic disease management.

OCR Settles HIPAA Risk Analysis Investigation with Radiology Group. The Office for Civil Rights (OCR) announced a settlement with a radiology group that provides clinical services at medical imaging centers in New York and Connecticut. The settlement, which marks the sixth enforcement action in OCR’s Risk Analysis Initiative, resolves an investigation concerning a breach of ePHI stored on the group’s Picture Archiving and Communication System (PACS) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation after receiving a breach report from the group in March 2020 about a breach of unsecured ePHI. They reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on their PACS server. The group notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that they had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in their information systems.

Under the terms of the resolution agreement, the group agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $350,000 to OCR. Under the corrective action plan, they will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI. Go here to access the resolution agreement and corrective action plan.

 ONC Provides Updates to its Health IT Certification Program. The Assistant Secretary for Technology Policy (ASTP) released updates last week to the Office of the National Coordinator (ONC)Health IT Certification Program, including the submission for attestation by Certified Health IT developers, which opened on April 1 with a deadline of April 30, and updates to the Standards Implementation and Testing Environment (SITE) C-CDA Testing validators for the U.S. Core Data for Interoperability Version 4 (USCDI v4). Other program resources are available here.

Bipartisan Legislation Introduced to Expand Telehealth Coverage. U.S. Senators Brian Schatz (D-HI), Roger Wicker (R-MS), and 60 additional senators introduced the Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act on April 3. The CONNECT for Health Act will expand Medicare coverage of telehealth services by removing geographic requirements, expanding originating sites to include the home and repealing the in-person visit requirement for telemental health. It will also make COVID-19 telehealth flexibilities permanent, which are currently set to expire on September 30.

FTC Monitoring the 23andMe Bankruptcy. The Federal Trade Commission (FTC) issued a press release and letter to the U.S. Trustee regarding the 23andMe bankruptcy proceeding, expressing the concerns American consumers have with the potential sale or transfer of their 23andMe data. The letter focused on the Agency’s concern regarding the impact of the sale related to the sensitivity of the data, including genetic and health information, and highlighted the company’s promises to protect user privacy. The FTC stipulates that any sale of the company must adhere to 23andMe's privacy policies and commitments, ensuring user data is safeguarded even if transferred to a new entity. The FTC urges that these promises be upheld to protect American consumers' interests.

HSCC Urges Alternative to OCR HIPAA Security Proposed Rule. The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a policy statement recommending an alternative to finalizing the provisions included in the OCR cybersecurity regulation. HSCC urged the Administration to initiate a one-year consultative process with leaders of the health care sector to negotiate sound cybersecurity practices that to which all health care stakeholders can be held accountable. HSCC contends that this collaborative process would better align with the Administration’s pledge to improve the nation’s health-arguing that “cyber safety is patient safety.”

Increasing Interest in Use of AI for Claims Processing. A recent survey by a health care vendor found high levels of interest by providers in implementing artificial intelligence (AI) to streamline billing processes and reduce administrative burdens caused by correcting billing errors. More than half (54%) of the health care professionals responding to the survey indicated their organization plans to adopt an AI-driven billing system, and 30% already have.  It is hoped that AI-based solutions will increase efficiency and accuracy while decreasing costs associated with claims processing and denials.

Medicare Shared Savings Program: Application Deadlines for January 1, 2026, Start Date. Accountable care organizations (ACOs): See Medicare Shared Savings Program Application Types & Timeline to learn about key dates for a January 1, 2026, start date. CMS will accept applications starting May 29 through the ACO Management System. Apply no later than June 12 at noon ET.