WEDI Holds MPA on Prior Authorization Standard. WEDI held a Member Position Advisory (MPA) facilitated discussion to review questions from the Centers for Medicare & Medicaid Services (CMS) for its December 10 listening session on evaluating the Fast Health Interoperability Resources (FHIR®) prior authorization standard. WEDI, along with the six Designated Standards Maintenance Organizations, was invited by CMS to participate in the listening session and provide input on the benefits, implementation challenges, impact on health care costs, and other issues related to the FHIR prior authorization standard. The MPA was an opportunity for WEDI members to share their perspectives on the future of prior authorization. Feedback gathered during the MPA will be used to develop WEDI’s comments to CMS. Special thanks to the MPA facilitators and attendees who provided their time and expertise to shape WEDI’s position on this important work to standardize and streamline a more efficient and effective prior authorization process.

CMS Holds Health Tech Ecosystem Advancing Interoperability Framework Connectathon. CMS held a Health Tech Ecosystem Connectathon event on for organizations committed to the CMS Interoperability Framework to demonstrate their progress in achieving the initiative’s goals. Breakout sessions focused on patient matching, national provider directory, artificial intelligence, and the Kill the Clipboard initiatives. The CMS Interoperability Framework was announced in July with a goal of developing a patient-centered health care system by aligning a common infrastructure with private-sector innovation across a set of clearly defined categories. CMS is expected to provide updates on the Interoperability Framework’s progress online and via GitHub.

CMS Updates Medicare Telehealth Claims Processing with Government Reopened. CMS released an update on actions to reprocess Medicare claims that were impacted during the government shutdown. Passage of the Continuing Appropriations (Pub. L. 119-37) restored many of the expired Medicare statutory payment provisions that lapsed on October 1. Claims payable under these provisions will be paid retroactively to October 1 and through January 30, 2026. CMS has instructed the Medicare Administrative Contractors (MACs) to perform mass adjustments to any paid claims that are inconsistent with the Continuing Appropriations. This includes payment for telehealth services under the allowed flexibilities that expired on October 1. Medicare telehealth claims that were submitted on or before November 10 and returned as no longer payable are now payable and providers may resubmit those claims, as well as any other telehealth claims held in anticipation of possible Congressional action. Similarly, claims for the Acute Hospital Care at Home initiative for dates of service of October 1 or later can be resubmitted to CMS. Providers should see a return to normal processing of claims in the coming days across the MACs.

Oracle Health Designated as Latest TEFCA QHIN. Oracle Health Information Network Inc., a subsidiary of Oracle, announced it has been designated as a Qualified Health Information Network® (QHIN™) as a part of the Trusted Exchange Framework and Common Agreement™ (TEFCA™) on behalf of the Assistant Secretary for Technology Policy (ASTP). QHINs are networks of organizations that facilitate authorized sharing of health information between providers and other appropriate users. In its announcement, Oracle Health emphasized its commitment to sharing health information efficiently and securely across all Designated QHINs. The goal of QHINs is to increase access to patient health information, which seeks to improve patient care delivery and reduce administrative burden. Learn more about TEFCA and Designated QHINs.

NIST Updating Product Requirements and Cybersecurity Risks, Comment Period Extended. The National Institute of Standards and Technology (NIST) released the “Foundational Activities for IoT Product Manufacturers (NIST IR 8259 Revision 1 Initial Public Draft)” and has extended the comment period through December 10. NIST is also holding a workshop on December 16-17, 2025, to engage with the industry. The document updates recommended activities for manufacturers in developing products that meet cybersecurity needs. Specific updates include splitting certain activities to clarify process steps; focusing on risk assessment and threat modeling to ensure identification and mitigation of risks; incorporating useful references and standards; and improving the overall structure, clarity, and organization of the document. Revisions are the result of feedback gathered from the industry during the comment period on the first draft, workshops held in December 2024 and March 2025, and an event in June 2025 discussing the updates.

DEA Expected to Extend Telehealth Prescribing of Controlled Substances. The Drug Enforcement Agency (DEA) appears ready to issue a fourth temporary extension of the current telehealth flexibility for prescribing of controlled substances. As of now, no date as to when this temporary extension will be published. The third temporary extension was issued in November 2024 with an expiration of December 31, 2025. The flexibility for prescribing controlled substances via telehealth is one of the many flexibilities for telehealth services that were issued during the Covid-19 Public Health Emergency.

CMS HCPCS Public Meeting Scheduled for December 17-18. CMS is holding the Second Biannual 2025 Healthcare Common Procedure Coding System (HCPCS) Public Meeting on December 17. If the agenda items are not completed, an overflow session will be held on December 18. The meeting is a virtual only event. The agendas and guidelines for participation are available here. Interested parties wishing to speak during the meeting must register by December 3. Written comments on agenda items are to be emailed to HCPCS@cms.hhs.gov by December 19. The biannual HCPCS Level II public meetings provide a virtual forum for the public to present information and provide feedback about specific HCPCS Level II coding requests for new products, supplies, and services. Final decisions on the requests are not made at the public meeting.

HSCC Publishes Updated Model Contract. The Healthcare and Public Health Sector Coordinating Council (HSCC), through its Cybersecurity Working Group (CWG), published the Model Contract for Medtech Cybersecurity Version 2 (MC2v.2). MC2v.2 enhances coordination between Healthcare Delivery Organizations and Medical Device Manufacturers on issues including security, compliance, management, operation, and services of medical technology in the clinical environment. MC2v.2 incorporates revisions based on users’ experience and updates security terms and conditions for information being stored, transferred, or accessed. MC2v.2 is one of several publications by the HSCC CWG that provides overall best practices and guidance for cybersecurity and security plans.

CISA Posts Security Advisory for FortiWeb Products. The Cybersecurity & Infrastructure Security Agency (CISA) released a security advisory of a vulnerability in the web application firewall Fortinet FortiWeb. The vulnerability affects several versions of FortiWeb and may allow unauthenticated actors to conduct administrative commands on a system via specially crafted HTTP or HTTPS requests. Users of the products are encouraged to install the upgrades outlined in the security advisory and review logs for unusual activity or unauthorized administrator accounts. If upgrades cannot be performed immediately, HTTP or HTTPS should be disabled for internet-facing interfaces.