Dr. Thomas Keane Named New Assistant Secretary/National Coordinator. Thomas Keane, MD, MBA, has been named by the U.S. Department of Health and Human Services (HHS) as the new Assistant Secretary for Technology Policy (ASTP) and National Coordinator for Health Information Technology (National Coordinator). Prior to this appointment, Dr. Keane held previous roles within HHS since 2018, including Senior Advisor to the Deputy Secretary of HHS and Senior Advisor in the Office of the National Coordinator for Health Information Technology (ONC). He also served as administrator of the COVID-19 Provider Relief Fund and led the Agency for Healthcare Research and Quality (AHRQ) National Nursing Home COVID Action Network. He completed an interventional radiology fellowship at Johns Hopkins Hospital and earned his Master of Business Administration from The University of Chicago Booth School of Business. Prior to medical school, he worked as a software developer and engineer.

Paula Stannard Appointed as OCR Director. Paula Stannard has been appointed as the new Director of the Office for Civil Rights (OCR). As Director, Stannard will serve as chief officer and adviser to the Secretary relating to the implementation, compliance, and enforcement of Federal health information privacy, security, and breach notification rules under the HIPAA and Federal civil rights laws within HHS’ jurisdiction. Director Stannard comes to OCR with previous Federal government experience, including having served as a Senior Counselor and Advisor to Tom Price and Alex Azar, former HHS Secretaries, and Acting General Counsel and Deputy General Counsel under the George W. Bush Administration.

CMS Outlines Health IT Priorities. The Centers for Medicare & Medicaid Services (CMS) announced it would move forward on a number of initiatives “designed to help build the foundational infrastructure needed for a healthcare system that will help fulfill Secretary Kennedy’s vision to Make America Healthy Again.” These initiatives include:

• Building a dynamic, interoperable national provider directory
• Bringing modern identity verification processes to Medicare.gov to streamline credentials across the health care system
• Expanding functionality of CMS’ Blue Button 2.0 patient access application programming interface (API)
• Transitioning CMS’s Data at the Point of Care pilot to general availability
• Enhancing CMS’ participation in trusted data exchange

According to the agency, these efforts reflect CMS’ broader modernization agenda to accelerate digital health innovation, strengthen data security, enhance program integrity, and drive operational efficiencies across Medicare, Medicaid, and federal marketplaces.

 X12 Announces Withdrawal of Version 8030 Update Recommendation, Paves Way for Version 8060. X12 announced the withdrawal of its previous recommendation for the adoption of three updated mandated transactions. The Version 8030 transactions are the Health Care Claim Status Request and Response (276/277), Benefit Enrollment and Maintenance (834), and Payroll Deducted and Other Group Premium Payment for Insurance Products (820). Reasons cited for the withdrawal include the length of time from the initial recommendation without regulatory action, the subsequent improvements to the transactions through the X12 version update process, and industry feedback requesting the full suite of X12 transactions be recommended at one time for review and consideration for adoption. Industry feedback on withdrawing the recommendation for these transactions was received through multiple channels, including events held by WEDI. X12’s plans in the coming weeks to recommend the Version 8060 mandated transactions for adoption under the Health Insurance Portability and Accountability Act (HIPAA).

OCR Announces Settlement for Ransomware Cybersecurity Investigation. OCR announced a settlement with a Massachusetts billing company due to potential violations of the HIPAA Security Rule. The investigation by OCR followed a report from the organization that an unknown actor had gained unauthorized access to its network servers in March 2022. Ransomware was used to encrypt the network servers and the electronic protected health information (ePHI) of over 550,000 individuals was compromised. OCR concluded that the organization failed to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to its ePHI. The organization agreed to implement a corrective action plan that OCR will monitor for two years and paid a $75,000 fine. This settlement is OCR’s 13^th ransomware enforcement action and ninth risk analysis initiative enforcement action. See the resolution agreement and corrective action plan here. 

GAO: CMS Should Audit Prior Authorizations for Behavioral Health Services. The Government Accountability Office (GAO) released a report on the use of prior authorization (PA) for behavioral health services in Medicare Advantage (MA) plans. The review of nine MA plans found that eight require providers get (PA) for behavioral health services to confirm the service meets their criteria for payment. However, CMS oversight of PA criteria does not evaluate behavioral health services in its audits to determine any effects PAs have on beneficiaries' access to care. CMS cited the reason for not addressing behavioral health requests in recent audits was because these services make up a small percentage of the overall MA services. The GAO report came from a provision in the Consolidated Appropriations Act of 2023 that called for a review of behavioral health benefits and the use of PA in traditional Medicare and MA plans. CMS’s response was that they could not commit to including PAs for behavioral health services in audits but would consider it in the future. 

Feds Release New Guidance on AI and ML Data Security. The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation, and other agencies released a Cybersecurity Information Sheet outlining guidance on securing data used in artificial intelligence (AI) and machine learning (ML) systems. The intent of the guidance is to: (i) Raise awareness of the potential risks related to data security in the development, testing, and implementation of AI systems; (ii) Provide guidance and best practices for securing AI data across various stages of the AI lifecycle; and (iii) Establish a strong foundation for data security in AI systems through robust data security measures and proactive risk mitigation strategies.

Medicare Release of QPP Data Resources for Performance Year 2023. CMS released the Quality Payment Program (QPP) Participation and Performance Results At-a-Glance resources that provide an overview of Merit-based Incentive Payment System (MIPS) and Alternative Payment Model (APM) participation, MIPS final scores, and payment adjustments. According to the results, more clinicians achieved Qualifying APM Participant (QP) and Partial QP status in the 2023 performance year than in prior years. CMS expects to release the 2023 QPP Experience Report and QPP Public Use File in June, which will include additional information on participation, scoring, and payment adjustments in MIPS and APMs.