CMS Provides Overview and Template for CMS-0057-F Health Plan Metrics Reporting. The Centers for Medicare & Medicaid Services (CMS) published the “Prior Authorization Metrics Reporting – Overview & Template” to assist payers impacted by the CMS Interoperability and Prior Authorization (CMS-0057-F) final rule in understanding the metrics reporting requirements. Beginning in 2026, and annually thereafter, impacted payers must publicly report certain prior authorization metrics from the previous year on their website. The template provided by CMS is not required to be used by the payers, but they are encouraged to provide their data in a similar format. Payers must report metrics for: (i) All medical items and services (excluding drugs) that require prior authorization; (ii) Percentage of standard prior authorization requests that were approved, denied, approved after appeal, and were extended, aggregated for all items and services; (iii) Percentage of expedited prior authorization requests that were approved and denied, aggregated for all items and services; and (iv) Average and median elapsed time between submission of request and determination of standard and expedited prior authorizations, aggregated for all items and services. Impacted payers subject to this requirement include Medicare Advantage organizations, state Medicaid and Children’s Health Insurance Program (CHIP) fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers on the Federally Facilitated Exchanges.

CMS Final Rule Requires Medicare Advantage Provider Directory Data in Medicare Plan Finder. CMS published a final rule requiring Medicare Advantage provider directory data be submitted for inclusion in the CMS Medicare Plan Finder (MPF) tool. The requirements become effective January 1, 2026. The intent of including the data in the online CMS MFP is to increase patients’ access to provider data while comparing health plans, allowing for more informed decisions about their health care. The final rule also requires the provider directory data be updated within 30 days of the date a Medicare Advantage organization becomes aware of changes to that data. Medicare Advantage organizations will also be required to attest at least annually that their provider directory information is accurate. These regulatory changes will increase the transparency of online resources and provide better information for Medicare patients making choices about their coverage.

ASTP Releases Data Brief Showing Increased Use of AI in Hospitals. The Assistant Secretary of Technology Policy (ASTP) released “Hospital Trends in the Use, Evaluation, and Governance of Predictive AI, 2023-2024” showing an increase in the use of artificial intelligence (AI) by hospitals in care delivery. The data comes from the 2023 and 2024 American Hospital Association Information Technology Supplement. Findings from the data showed: (i) 71% of hospitals in 2024, up from 66% in 2023, use predictive AI integrated into the electronic health record; (ii) Small, rural, independent, government-owned, and critical access hospitals lag in their adoption of predictive AI; (iii) The most common use of predictive AI is in predicting health outcomes or risks for inpatients; and (iv) The fastest growing uses of predictive AI are to simplify billing and facilitate scheduling. Conclusions from the data show a continuing digital divide in hospitals’ adoption and use of predictive AI based on their size. The increased use of predictive AI for billing and scheduling parallels the growth of generative AI to address administrative processes, reduce burden on staff, and lower operational costs.

NIST Publishes New Data Exchange Algorithms. The National Institute of Standards and Technology (NIST) published Recommendations for Key-Encapsulation Mechanisms (NIST Special Publication 800-227) for implementing key-encapsulation mechanism (KEM) algorithms that help organizations protect their data against possible future attacks from quantum computers. KEM is a set of algorithms that serve as a first handshake between two parties that want to securely exchange confidential information. The publication describes the basic definitions, properties, and applications of KEMs and provides recommendations for implementing and using KEMs securely. It also offers guidelines for implementing both conventional and quantum algorithms together that require an attacker to break both to gain system access. This final version of the publication includes updates from public comments received on the initial draft and input from NIST’s virtual Workshop on Guidance for KEMs held Feb. 25-26, 2025. 

CISA Directs Federal Agencies to Act on Potential Compromise of Cisco Devices. The Cybersecurity & Infrastructure Security Agency (CISA) issued an Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. The directive was issued after CISA became aware of an ongoing exploitation campaign targeting the Cisco devices. The threat campaign was characterized as widespread and exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory to remain through reboot and system upgrade. CISA assessed the potential compromise as a significant risk to federal information systems and mandated immediate action by agencies to identify and mitigate the risks. 

CMS Seeking Feedback through MIPS MVP Adoption Survey. CMS is seeking input from individuals and organizations who submitted Payment Year 2024 data through Merit-based Incentive Payment System (MIPS) Value Pathways (MVPs), Traditional MIPS, or other options, as part of the Quality Payment Program. CMS will use the feedback to improve the MIPS MVP reporting experience. The survey takes approximately 15 minutes to complete and is voluntary and confidential. Eligible clinicians may receive Improvement Activity credit for completing the survey. The survey can be accessed at: The MVP Adoption Survey.

Joint Commission and CHAI Release Initial Guidance on Responsible Adoption of AI Adoption in Health Systems. Joint Commission and Coalition for Health AI (CHAI) released “Guidance on Responsible Use of AI in Healthcare,” which is their first joint resource on the use of AI following their announced partnership in June. The purpose of the guidance document is to assist health systems safely and effectively implement AI. The elements for Responsible Use of AI in Healthcare (RUAIH™) include AI policies and governance structures, patient privacy and transparency, data security and protections, quality monitoring, reporting of AI safety-related events, risk and bias assessment, and education and training. Additional products are expected from the collaboration, with the next being governance playbooks followed by a series of workshops. Based on this work, Joint Commission intends to create a voluntary AI certification for health care organizations based on the final set of playbooks.

NIST Supports Cybersecurity Workforce Development with $3 Million in Cooperative Agreements. NIST announced awards of more than $3.3 million in cooperative agreements in 13 states to further develop the U.S. cybersecurity workforce and address the more than 514,000 current job openings. The 17 awards of about $200,000 each will go to educational and community organizations to educate cybersecurity professionals. The agreements will be administered by NICE, previously known as the National Initiative for Cybersecurity Education, which is a NIST-led collaboration among government, academia, and the private sector. NICE focuses on cybersecurity education and training and on the development of a skilled workforce. The selected organizations will lead Regional Alliances and Multistakeholder Partnerships to Stimulate cybersecurity workforce and education initiatives with many focused on developing curricula or providing education and training at the high school, college, or professional levels.