WEDI Submits Comments for OCR’s HIPAA Security Rule Video, Submissions Due Today. WEDI submitted comments on the Department of Health and Human Services’ (HHS) Office for Civil Rights’ (OCR) request for input on topics and questions to be addressed in a video it is producing on requirements for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule’s Risk Management implementation specification. The video is intended to educate HIPAA covered entities and business associates. Topics will include HIPAA Security Rule Risk Management requirements, OCR investigations with potential Risk Management violations, Risk Management and cybersecurity resources, and responses to select submitted questions. WEDI’s comments focused on having OCR include in its video a reminder to organizations of the priority of conducting a comprehensive Risk Analysis, the importance of data management, and the need to incorporate Incident Response and Business Continuity/Disaster Recovery plans. Special thanks to the WEDI Privacy & Security Workgroup co-chairs, Lesley Berkyheiser (DirectTrust) and Thanh-Thien Nguyen (Kaiser Permanente), for developing the comments. The deadline to submit questions for the video is today. Submissions to OCR can be made at OCRPresents@hhs.gov. View WEDI’s submission here.

CMS ACCESS Model Expands Access to Technology-Supported Care in Medicare. The Centers for Medicare & Medicaid Services’ (CMS) new 10-year voluntary payment model, Advancing Chronic Care with Effective, Scalable Solutions (ACCESS), will test an outcome-aligned payment approach for Medicare patients. CMS will begin accepting applications for ACCESS on January 12, 2026, with an initial deadline of April 1, 2026. ACCESS will provide new options intended to improve health and prevent and manage chronic disease with technology-supported care within four clinical tracks, which are: (i) Early cardiometabolic conditions (hypertension, abnormal lipids and cholesterol, obesity, and prediabetes); (ii) Cardio-kidney-metabolic conditions (diabetes, chronic kidney disease, and heart disease); (iii) Musculoskeletal conditions (chronic pain); and (iv) Behavioral health conditions (depression and anxiety). The model will begin July 1, 2026. The Request for Applications will be available soon, and organizations can submit the ACCESS Model Interest Form to be notified when the application becomes available.

HHS Releases AI Strategy for Department. HHS released its AI Strategy for implementing artificial intelligence (AI) throughout HHS operations, research, and public health initiatives. The strategy is intended to integrate technologies to enhance efficiency, foster innovation, and improve patient outcomes, and is identified as a first step for HHS in its work integrating AI into its services. The AI Strategy is organized into five pillars: (i) Ensure governance and risk management for public trust; (ii) Design infrastructure and platforms for user needs; (iii) Promote workforce development and burden reduction for efficiency; (iv) Foster health research and reproducibility through gold standard science; and (v) Enable care and public health delivery modernization for better outcomes. The AI Strategy supports a "OneHHS" approach for the Department and its agencies.

ASTP Information Session on Insights Conditions, December 18. The Assistant Secretary for Technology Policy (ASTP) is holding an information session on the Insights Condition and Maintenance of Certification requirements for developers participating in the Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program. The session will be held on December 18, from 2:00-3:00 pm ET and provide a general update on the Insights Condition, provide eligibility and timeline reminders, review key developer responsibilities, and provide an overview of documentation and templates that will support the 2026 reporting for the "Use of FHIR in Apps" measure. Register for the information session at: ASTP Events.

ASTP/ONC’s Electronic Prescribing Beta Testing Tool Closes December 31. ASTP/ONC’s beta testing tool for the National Council for Prescription Drug Programs SCRIPT Standard Version 2023011 updates closes on December 31. Interested developers can create a Stage environment login and beta test on weekdays between 7:00 am and 8:00 pm ET. ASTP/ONC is also encouraging users of the tool to submit feedback in a dedicated beta testing Google Group.

ASTP Highlights Ongoing Work for Trusted Data Exchange. In the latest Health IT Buzz post, Steve Posnack, Principal Deputy Assistant Secretary for Technology Policy, Principal Deputy National Coordinator for Health Information Technology, discusses the continued lag in data exchange despite regulatory requirements and policies for the sharing of health information. The blog focuses on the role of trust and emphasizes that the purpose of the Trusted Exchange Framework and Common Agreement^™ (TEFCA^™) is to create trusted conditions for the sharing of health information and then establish them at scale nationwide. Posnack contends, however, that ongoing debates and interpretations of the definitions of “treatment” and “health care provider” are hindering TEFCA’s ability to facilitate data exchange. ASTP is continuing to work to put in place the conditions that will deliver on TEFCA’s goal.

TEFCA RCE Releases SOPs and QHIN Technical Framework. The TEFCA Recognized Coordinating Entity^® (RCE^®), the Sequoia Project, along with ASTP ​​​​​​and the Social Security Administration (SSA) released standard operating procedures (SOPs) including the TEFCA Exchange Purpose Implementation SOP: Government Benefits Determination V1.0 and corresponding Exchange Purposes SOP V4.1 and Qualified Health Information Network Technical Framework (QTF) V2.1. The Government Benefits Determination exchange purpose supports the use case for sharing clinical information with SSA for disability benefits determination. Feedback on the Government Benefits Determination SOP and Exchange Purposes SOP v4.1 was solicited in October prior to their approval. QTF V2.1 provides technical and functional requirements focused on three information exchange modalities for QHINs, including QHIN Query, QHIN Message Delivery, and Facilitated FHIR.

Senators Warner and Whitehouse Send Letter Urging DEA to Extend Flexibilities for Telehealth Prescribing. U.S. Senators Mark Warner (D-VA) and Sheldon Whitehouse (D-RI), both members of the Senate Finance Committee, sent a letter to Drug Enforcement Administration (DEA) Administrator Terry Cole urging the agency to extend telemedicine flexibilities for prescribing controlled substances. The current flexibilities, which were put in place during the Covid-19 Public Health Emergency, are set to expire December 31. The letter outlines how treatment via telehealth has been critical in expanding access to health care, especially for individuals in rural and under-resourced areas. The DEA has extended these temporary flexibilities three times since January 2020. In October, Senators Warner and Whitehouse reintroduced the bipartisan “Telehealth Response for E-prescribing Addiction Therapy Services (TREATS) Act,” which addresses regulatory hurdles to accessing telehealth services.

CISA Releases Principles for Secure Integration of AI in Operational Technology. The Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with other federal and international partners, released “Principles for the Secure Integration of Artificial Intelligence in Operational Technology” offering new guidance for the industry. The guidance is intended to assist critical infrastructure owners and operators in integrating AI into operational technology (OT) systems securely. The guidance calls on organizations to: (i) Educate personnel on AI risks, impacts, and secure development lifecycles; (ii) Evaluate business cases, manage OT data security risks, and address immediate and long-term integration challenges; (iii) Implement governance frameworks, test AI models continuously, and ensure regulatory compliance; and (iv) Maintain oversight, ensure transparency, and integrate AI into incident response plans.