WEDI Urges Action on No Surprises Act GFE and AEOB Provisions. WEDI sent a letter to the Departments of Health and Human Services (HHS), Labor, Treasury, and the Office of Personnel Management (OPM) outlining critical data exchange issues related to the Good Faith Estimation (GFE) and Advanced Explanation of Benefits (AEOB). Both the GFE and AEOB were mandated under the No Surprises Act. In the letter, WEDI raised a number of issues, including urging that the AEOB not be required by health plans before an electronic standard is developed, tested, and deployed nationally and only apply to services that have been or in the process of being scheduled. WEDI also called for the “convening provider” requirement for insured individuals to be delayed until a standard id developed. Special thanks to the co-chairs of the WEDI No Surprises Act Task Group, Terry Cunningham (American Hospital Association), Beth Davis (Veradigm Payerpath), and Stanley Nachimson (Nachimson Advisors), and Task Group members for their work on this letter.

HHS Releases Updated Security Risk Assessment Tool. The HHS Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) released version 3.6 of the Security Risk Assessment (SRA) Tool. Version 3.6 incorporates important updates to support HIPAA risk assessment processes, including: (i) New reviewed-by confirmation button to record approvals and dates for audit tracking; (ii) Updated NIST-aligned risk scale, changing “medium” to “moderate;” (iii) Enhanced reports with section-specific details and updated disclaimers; and (iv) Refreshed library files to mitigate vulnerabilities in outdated components. Download the SRA Tool v3.6 here.

ASTP and OCR will host live webinars on September 15 at noon ET or September 16 at 3pm ET to discuss the revised SRA Tool. Agency experts will demonstrate new features, walk through reports, and answer questions. Go here to register for the webinar.

CMS targets ASC procedures for prior authorization pilot. The Centers for Medicare & Medicaid Services (CMS) announced it will initiate a five-year prior authorization demonstration on December 15 for certain Ambulatory Surgical Center (ASC) services in California, Florida, Texas, Arizona, Ohio, Tennessee, Pennsylvania, Maryland, Georgia and New York. According to the agency, the targeted procedure categories include: (i) Blepharoplasty; (ii) Botulinum toxin injections; (iii) Panniculectomy; (iv) Rhinoplasty; and (v) Vein ablation procedures.

ASCs may begin submitting prior authorization requests on December 1, 2025, for dates of service on or after the December 15 start date. CMS clarified that prior authorization is voluntary under the demonstration. However, facilities that choose not to participate will have applicable ASC claims subject to prepayment medical review.

House Subcommittee Conducts Hearing on AI in Health Care. The U.S. House Of Representatives Committee on Energy and Commerce’s (E&C) Health Subcommittee held a hearing titled “Examining Opportunities to Advance American Health Care through the Use of Artificial Intelligence Technologies.” Lawmakers discussed how artificial intelligence (AI) could enhance patient care, streamline administrative tasks, and improve access – especially in rural areas. Republicans focused on the potential of AI to support clinicians and reduce administrative burden. Democrats discussed concerns regarding the potential of algorithmic bias and health equity. Witnesses highlighted both the promise and risks of AI, stressing the need for human oversight in sensitive areas like mental health and pediatrics. Despite differing priorities, there was bipartisan agreement that AI can improve outcomes if implemented responsibly. Go here to watch the hearing.

CMS to Host Events Focused on Security of Health Plan Identifiers. The Centers for Medicare & Medicaid Services (CMS) will host two in-person events to combat fraud involving health plan identifiers (ID) and enhance the security of those IDs. These collaborative events will bring together experts from diverse backgrounds to develop innovative ways to protect patient information. Attendees will spend a full day working in small teams of diverse, professional backgrounds to develop ideas to improve member ID security. At the end of the day, each group will pitch their solutions to CMS and vote on a winning concept. The agency is seeking participants who can offer varied perspectives to better protect patient information. No advance preparation is required, and you do not need technical skills to participate.

Event Dates:

• November 5, 2025, 9:00 AM – 5:00 PM PST, San Francisco, California
• November 13, 2025, 9:00 AM – 5:00 PM EST, New York, New York

To learn more, view the event webpage. To participate, submit an interest form by September 26, 2025.

CMS to Host Webinar on EPCS Program. The CMS Electronic Prescribing for Controlled Substances (EPCS) Program is hosting a public webinar on Thursday, September 18, 2025, at 2 p.m. (ET). The 1-hour webinar is titled “CMS EPCS Prescriber Portal: Checking a Prescriber’s Compliance Status and Submitting a Waiver Application for MY 2024.” The webinar will include: (i) An overview of the CMS EPCS Program; (ii) A review of the uses for the CMS EPCS Prescriber Portal; (iii) An overview of 2025 updates to the EPCS Prescriber Portal; (iv) A demonstration of the EPCS Prescriber Portal, including how to: access the EPCS Prescriber Portal,look up and understand a prescriber’s compliance status, submit, monitor, and withdraw a waiver application, log out of the EPCS Prescriber Portal. Time permitting, a Q&A session will be held after the main presentation. Go here to register for the webinar.

HHS Announces Stepped Up Enforcement of Substance Abuse Confidentiality Policies. HHS Secretary Robert F. Kennedy, Jr. has directed OCR to enforce the “Confidentiality of Substance Use Disorder (SUD) Patient Records” policies under 42 CFR Part 2. Industry compliance with the updated regulations is required by Feb. 16, 2026. This move follows a February 2024 final rule that aligns Part 2 with HIPAA, enhances privacy protections, and improves care coordination. OCR can now investigate violations, impose civil penalties, and require corrective actions. The rule also mandates breach notifications and allows individuals to file complaints. Go here to access a fact sheet on the final rule.

TEFCA RCE Joins with Feds to issue GBD Exchange Purpose SOP. The Sequoia Project (the Trusted Exchange Framework and Common Agreement Recognized Coordinating Entity (TEFCA RCE)) and the ASTP/ONC, in coordination with the Social Security Administration published a Government Benefits Determination (GBD) Exchange Purpose Standard Operating Procedure (SOP) and draft Exchange Purposes SOP v4.1 for public feedback. The GBD Exchange Purpose allows government entities at the federal, state, local, or tribal level to determine an individual's eligibility for non-healthcare government benefits. In addition, the GBD Exchange Purpose SOP identifies implementation specifications and details workflow interactions that Qualified Health Information Networks, Participants, and Subparticipants must follow when asserting the GBD Exchange Purpose. Public feedback will be accepted through September 17.