
OCR Settles with Texas Behavioral Health Provider Following Privacy and Security Investigation. The settlement with the Department of Health and Human Services (HHS), Office of Civil Rights (OCR) resolves potential violations by a Texas behavioral health provider under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The investigation by OCR started in May 2023 following a complaint that the provider had disclosed electronic protected health information (ePHI) of individuals without permission by posting discharge summaries online, which the provider asserted was caused by a coding error in an online patient portal. The initial scope of the potential violation was 35 individuals, but the investigation was expanded following a ransomware attack in August 2023 involving over 171,000 individuals. OCR concluded that the provider failed to conduct a risk analysis of potential risks and vulnerabilities to its ePHI. Under the terms of the resolution agreement, the provider agreed to implement a corrective action plan that OCR will monitor for two years and pay a fine of $225,000.

ASTP/ONC Announces Enforcement Discretion for Real-World Testing Requirements. In alignment with the Administration’s efforts for deregulation, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) announced its enforcement discretion for the regulatory requirement for real-world testing of technology. Specifically, the 21st Century Cures Act requires health information technology (IT) developers to conduct real-world testing of their interoperability products in the setting in which they would be used. Health IT developers would have been required to submit plans and results for annual testing for certification criteria that include care coordination; clinical quality measures; view, download, and transmit to a third-party; public health; application programming interface; and transport methods and other protocols. For the calendar year 2025, developers will not be required to submit testing plans for the 2026 testing year, and no enforcement action will be taken. In 2026, only certain developers will be required to submit 2025 real-world testing results. The enforcement discretion is effective immediately and will remain in effect until December 31, 2026, or until HHS acts on deregulation of these requirements.

CMS Innovation Center Holding “Office Hour” on New WISeR Model. Registration is now open for the Centers for Medicare & Medicaid Services (CMS) Innovation Center “Office Hour” event on July 17 at 1:00 pm ET to discuss the new Wasteful and Inappropriate Service Reduction (WISeR) model. The recently announced model will use enhanced technologies, including artificial intelligence and machine learning, to analyze Medicare claims for select items and services for appropriateness for payment. During the virtual event, staff from the CMS Innovation Center will provide an overview of the model, address frequently asked questions, and respond to questions from the attendees.

Senate HELP Committee Holds Cybersecurity Hearing. The U.S. Senate Committee on Health, Education, Labor & Pensions (HELP) held a hearing on July 9 on enhancing cybersecurity and protecting individuals’ health care privacy. Testifiers at the hearing included:

  • Alison Galvani, Professor, Yale School of Public Health
  • Greg Garcia, Executive Director, Healthcare and Public Health Sector Coordinating Council
  • Rene Quashie, Vice President of Digital Health, Consumer Technology Association
  • Linda Stevenson, Chief Information Officer, Fisher-Titus
  • Robert Weissman, President, Public Citizen

The panelists spoke about challenges regarding privacy and cybersecurity in health care, including difficulty with staffing cybersecurity positions in small, rural facilities; resource constraints of small, rural facilities; burden of complying with numerous regulatory mandates; punishment of providers who are the target of malicious actors; vulnerabilities from third-party partners; and increase in health information not subject to the protections of HIPAA. Recommendations from the panelists for government support for health care cybersecurity included the need for a safety net for under-resourced providers; federal tools; an approved list of vendor products that meet a baseline standard for privacy and security; a uniform, risk-based, and innovation-friendly federal privacy law; and a systemic health infrastructure mapping and risk assessment.

ASTP/ONC Releases Report on Patient Access and Use of Health Information. A report released by ASTP/ONC provides data and shows progress on patients’ access and use of their health information through patient portals and health applications (apps). Data analyzed for the report came from the 2024 Health Information National Trends Survey. While data trends in the report are positive, it also highlights the need for continued education of both patients and providers on the value and use of patient portals and online medical records in care management. Specific findings in the report include:

  • The number of individuals who were offered and accessed their patient portal or online medical record increased from 25% in 2014 to 65% in 2024.
  • Caregiver access to a patient’s portal or online medical record increased from 24% in 2020 to 51% in 2024.
  • Patients whose health care providers encouraged them to access and use their patient portal or online medical record had a higher rate of accessing their information, 87% compared to 57%.
  • The number of individuals using an app to access their online medical records increased from 38% in 2020 to 57% in 2024.

CMS Hospital Price Transparency Accuracy and Completeness RFI, Deadline July 21. The deadline to respond to the CMS Request for Information (RFI) on the accuracy and completeness of the CMS Hospital Price Transparency requirements is July 21. The RFI addresses identifying challenges and improving compliance and enforcement processes for the reporting of complete, accurate, and meaningful pricing data by hospitals. Questions focus on the need for definitions of certain terms, concerns with the completeness and accuracy of machine-readable files (MRF), leveraging external data sources in the MRFs, and improving the Hospital Price Transparency compliance and enforcement processes.

FDA Issues Updated Recommendations for Medical Device Cybersecurity. The Food and Drug Administration (FDA) released a guidance document with updated recommendations for premarket submissions for design, labeling, and documentation of medical devices with cybersecurity risk. The recommendations are specific to device submissions to the Center for Devices and Radiological Health and Center for Biologics Evaluation and Research. Updates were made to the previously issued guidance document to improve the premarket review process and highlight cybersecurity threats during the review process. The June 2025 guidance document replaces the guidance previously issued in September 2023.

Civitas Issues Report Highlighting ROI from Quality Improvement Initiatives. Data presented in the 2025 “Saving Lives and Money: Civitas Networks for Health Quality Improvement Organizations (QIOs) Impact Report” show a savings of $4.7 billion to Medicare achieved by QIOs. Findings in the report come from a survey of 11 Civitas members. The calculations demonstrate the success and return on investment (ROI) of initiatives conducted by the QIOs. The savings were seen across 11 states in 2022-2024 and came mainly from decreases in the number of preventable emergency department visits, hospitalizations, and 30-day hospital readmissions. Savings in nursing homes in 20 states resulted in $165 million savings during the two-year period. Initiatives at rural hospitals brought an ROI of $114 million across 30 states in 2023-2024 from focusing on decreasing hospital inpatient stays and readmissions. The report calls on CMS to continue supporting the QIOs and improving the digital tools for data exchange, technical assistance to the organizations, and resources for staffing and retention at participating facilities.
