
OCR Settles HIPAA Ransomware Investigation with New York ASC. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced a settlement with a New York ambulatory surgical center (ASC) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. The investigation by OCR followed a report from the provider of a ransomware attack on its network in March 2021. The electronic protected health information (ePHI) of nearly 25,000 individuals was compromised because of the event. OCR concluded that the provider failed to complete a thorough risk analysis of potential risks and vulnerabilities to its ePHI. Additionally, OCR found that the provider did not notify the affected individuals and the Secretary of the breach in a timely manner. This settlement is OCR’s 14th ransomware enforcement action. Under the terms of the resolution agreement, the provider agreed to implement a corrective action plan that OCR will monitor for two years and pay a fine of $250,000.

White House Releases AI Action Plan. The White House released its artificial intelligence (AI) Action Plan that lays out three pillars for the U.S. advancement of AI. The plan follows Executive Order 14179, “Removing Barriers to American Leadership in Artificial Intelligence,” that was signed in January. The first pillar is the acceleration of AI innovation supported through several measures, including removing regulations, using open sources, enabling AI adoption, and advancing the science of AI. The second pillar calls for building the AI infrastructure along with training. The third pillar focuses on international AI diplomacy and security. While the plan is not specific to the health care sector, the Administration believes its actions will play a role in ongoing innovation, development, adoption, and implementation of AI in health care. The plan envisions collaboration among federal partners and the inclusion of the National Institute of Standards and Technology (NIST) and its work to date on AI.

Joint Advisory Alerts Organizations to Threats of Interlock Ransomware. A joint Cybersecurity Advisory on protecting against the Interlock ransomware was issued by the Cybersecurity & Infrastructure Security Agency, in partnership with the Federal Bureau of Investigation, HHS, and the Multi-State Information Sharing and Analysis Center. The advisory provides actions organizations can take to lessen the threat and protect their business, including ensuring operating systems, software, and firmware are current; segmenting networks to restrict the spread of any infected devices; and implementing thorough identity, credential, and access management policies.

CMS Opens Qualified Health Plan Directory Pilot’s Portal. The Centers for Medicare & Medicaid Services (CMS) released information on its Qualified Health Plan (QHP) Directory Pilot and opened the portal for use. The QHP Directory Pilot is a collaboration between CMS and the state of Oklahoma and is part of CMS’s ongoing work to improve access to care, reduce clinician burden, and support interoperability. The Center for Consumer Information and Insurance Oversight and Office of Healthcare Experience and Interoperability within CMS announced the plan for the pilot in September 2024. The pilot is intended to demonstrate that a single, statewide directory for QHPs and providers can improve data accuracy, which in turn will decrease administrative burden and costs. CMS plans to use knowledge gained from this pilot to inform future work in developing a National Directory of Healthcare. Additional resources from CMS about the pilot include Frequently Asked Questions, a Fact Sheet, and a QHP Directory Pilot Toolkit.

Bipartisan Price Transparency Legislation Introduced. U.S. Senators Roger Marshall, M.D. (R-KS) and John Hickenlooper (D-CO) introduced the “Patients Deserve Price Tags Act.” The legislation seeks to improve the transparency of health care costs by giving patients the true price of procedures, medications, and services before receiving them. The bill, if enacted, will require public reporting of negotiated rates, costs, and cash prices for services provided at hospitals, ASCs, imaging centers, and clinical laboratories. The bill also requires group health plans to have access to claims data and prevents third-party administrators from restricting data access. Providers will also be required to include a detailed itemized bill of each distinct item or service, or an all-in total price for bundled items if offered to the patient as an option.

NIST Hosting Cybersecurity Webinar for Small Businesses on Phishing Risks. NIST is hosting a virtual webinar on August 14, 2025, at 2:00 PM ET that will cover different types of phishing attacks. Phishing is a common method used by criminals to commit cybercrime. Small and medium-sized businesses are vulnerable to these types of attacks and usually have fewer resources for preventing or responding to an attack. The webinar will address different types of phishing attacks, the importance of being proactive, how to spot phishing attempts, and steps to take if you become a victim.

ASTP Reports Increase in Electronic Transmission of Health Information. The Assistant Secretary for Technology Policy (ASTP) reported that hospitals using electronic data exchange methods to send and receive patient health information increased from 2018 while the use of mail and fax decreased. These findings come from the most recent American Hospital Association Information Technology Supplement survey. In the survey, hospitals were asked to identify which of five exchange methods they used “often” or “sometimes” to send or receive health information. The exchange methods were: (i) Mail or fax; (ii) Health information service providers (HISP); (iii) Regional, state, or local health information exchange (HIE); (iv) Electronic health record (EHR) vendor-based network; and (v) National networks. From 2018 to 2023, the use of HISPs increased from 61% to 74%; HIEs increased from 59% to 72%; EHR networks increased from 43% to 55%; and national networks increased from 34% to 67%. During this same period, the use of mail and fax decreased from 71% to 67%.

HCPCS Level II Q2 2025 Codes Released by CMS. The Healthcare Common Procedure Coding System (HCPCS) Level II code updates for the second quarter of 2025 were released by CMS. The document contains the final coding decisions, including new codes and revisions to existing codes. Additional information on the topic, applicant’s request, and coding decision is also included.
