Florida Health Care Provider Latest Subject of OCR Security Rule Settlement. A settlement related to an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by a provider located in Florida was announced by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The investigation by OCR was initiated following a complaint by an individual of unauthorized access to their electronic protected health information (ePHI). The access was determined to have occurred by a former employee, who had access to the electronic medical record. OCR found that the provider violated multiple HIPAA Security Rule requirements, including failing to: implement appropriate policies and procedures for authorizing access to ePHI; reduce risks to ePHI; and regularly review records of information system activity. The provider agreed to implement a corrective action plan that OCR will monitor for two years and pay a fine of $800,000. See the resolution agreement and corrective action plan here. 

ASTP/ONC Announces 2025 SVAP Now Open for Public Comment. The 2025 Standards Version Advancement Process (SVAP) managed by the Assistant Secretary for Technology Policy (ASTP)/Office of the National Coordinator for Health Information Technology (ONC) is open for public comments until June 9. ASTP/ONC created SVAP so that health IT developers could incorporate newer versions of standards and implementation specifications, as part of the “Real World Testing” Condition and Maintenance of Certification requirement (§ 170.405) of the 21st Century Cures Act.

New Guidance from CMS Updates Hospital Price Transparency Requirements. The Centers for Medicare & Medicaid Services (CMS) released new guidance related to Executive Order 14221 addressing Hospital Price Transparency (HPT) regulations. The Departments of HHS, Labor, and Treasury are to take action to: (i) Require the disclosure of actual prices, not estimates; (ii) Ensure pricing information is easily comparable across hospitals and health plans; and (iii) Enforce compliance with the transparency requirements. The guidance directs hospitals to include the standard charge dollar amount in the machine-readable file (MRF) if it can be calculated. Hospitals must also use an actual dollar amount as the estimated allowed amount in the MRF and stop using the 999999999 (nine 9s) code that indicates there was insufficient historical data. 

CMS Seeking Public Input on Hospital Price Transparency Accuracy and Completeness. CMS released a new Request for Information (RFI) for feedback on the accuracy and completeness of the CMS Hospital Price Transparency requirements. The deadline to respond is July 21, 2025. The RFI addresses identifying challenges and improving compliance and enforcement processes for the reporting of complete, accurate, and meaningful pricing data by hospitals. Questions focus on the need for definitions of certain terms, concerns with the completeness and accuracy of MRFs, leveraging external data sources in the MRFs, and improving the Hospital Price Transparency compliance and enforcement processes.

CMS Announces New Strategy to Audit MA Plans. CMS announced that it will expand its audits of Medicare Advantage (MA) plans starting immediately. Audits will increase from approximately 60 per year to all eligible MA plans, approximately 550. CMS will also increase the number of records audited per MA plan per year from 35 to between 35 and 200 records based on the size of the plan. In addition, CMS will expedite the completion of audits for payment years 2018 through 2024. To accomplish this work, CMS will use enhanced technology in reviewing medical records and increase the team of medical coders from 40 to approximately 2,000 by September 1, 2025.

Eight MIPS Improvement Activities Put on Hold. CMS has suspended eight improvement activities included in the measurement options for determining incentive pay through the Merit-Based Incentive Payment System (MIPS) for Medicare providers, per the American Hospital Association. Among the measures placed on hold are clinician leadership in clinical trials or community-based participatory research; food insecurity and nutrition risk identification and treatment protocols; practice improvements that engage community resources to address drivers of health; and use of toolsets or other resources to close healthcare disparities across communities. CMS plans to fully remove these improvement activities in future rulemaking. Providers who have completed or are working on these improvement activities will still receive credit for the 2025 program year. Learn more about the MIPS Program here.

Application Process Now Open for 2025 MIPS Exception. Applications to request an exception to the Quality Payment Program (QPP) Merit-based Incentive Payment System (MIPS) reporting can be submitted now through December 31, 2025. Under the MIPS program, there are two exceptions to the reporting requirements. The first is the Extreme and Uncontrollable Circumstances Exception that allows users to indicate why they are unable to report data for one or more MIPS performance categories due to rare events outside of the control of the provider. The second exception is the MIPS Promoting Interoperability Performance Category Hardship Exception that allows providers to request reweighting specifically for the Promoting Interoperability performance category due to a technology issue specified by the program. Applications must be approved to receive the exception to report data for the performance category or categories included in the application.

Ohio Health System Hit by Ransomware Attack. On May 20, Kettering Health reported a system-wide technology outage  resulting from unauthorized access to their network and ransom demand. Kettering Health is a 14-hospital health system with 1,800 physicians in western Ohio. The ransom note threatened to leak data if the organization did not begin negotiating a payment. The organization stated they were using their procedures and plans to contain the breach and maintain as many patient services as safely possible. Elective inpatient and outpatient procedures were canceled. Kettering Health revealed that while the emergency departments and clinics remained open, patient services were disrupted.