WEDI Holds FPC on X12 Version 008060 HIPAA Transactions. WEDI held its first Federal Policy Consultation (FPC) event on April 22 exploring the benefits, costs, and opportunities with adopting X12’s updated Version 008060 standards under the Health Insurance Portability and Accountability Act (HIPAA). The FPC process was developed by WEDI to support the Department of Health and Human Services (HHS) and its agencies by proactively convening consultation events prior to regulatory action. The purpose of the FPC is to gather information on topics for potential regulatory actions by convening industry stakeholders to collect feedback and data.

The event brought together over 220 industry stakeholders, including payers, providers, clearinghouses, vendors, Designated Standards Maintenance Organizations, and other interested organizations, to discuss the critical topic of potentially updating these administrative transactions. The Centers for Medicare & Medicaid Services (CMS) gave an opening presentation that outlined the process of standards adoption and X12 outlined the development work for Version 008060. The FPC process was undertaken at the request of CMS as part of its work to evaluate X12’s recommendation to adopt the Version 008060 transactions under HIPAA. The outcome of the FPC will be a report that is submitted to CMS and made public. Additional information about WEDI’s FPC process is available here. 

CMS Releases Additional CMS-0062-P Resources. CMS released additional resources for the CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule (CMS-0062-P) on its webpage to further educate health care stakeholders and assist with public comment submissions. The recently published proposed rule continues CMS’ efforts to promote electronic prior authorization and reduce burden through a more timely, transparent, and reliable process. The added resources include technical workflows for the proposed National Council of Prescription Drug Programs standards and existing Payer-to-Payer and Prior Authorization application programming interfaces; a summary of the proposed reporting metrics; a summary of proposed provisions; and slides and recording from the April 16 Town Hall.

OCR Settles Four HIPAA Security Rule Ransomware Investigations. The HHS Office for Civil Rights (OCR) announced settlements with four organizations in separate ransomware investigations under the HIPAA Security Rule affecting over 427,000 individuals and involving the exposure of unsecured electronic protected health information (ePHI). The resolutions mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative. The four settlements are:

• A network of women’s health care providers in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky with a ransomware breach affecting 37,989 individuals through exposure of names, addresses, dates of birth, social security numbers (SSNs), driver’s license numbers, diagnoses or conditions, lab results, and medications. The incident, reported in December 2020, occurred when an unauthorized third-party gained access to its network. OCR’s investigation found that the entity failed to conduct an accurate and thorough risk analysis, and it agreed to pay HHS $320,000.
• A medical imaging and screening service provider in Arizona and California with a ransomware breach that affected 244,813 individuals through exposure of names, addresses, dates of birth, diagnosis and conditions, lab results, medications, and treatment information. The incident was reported in May 2020 and occurred when a server on its network was infected with ransomware. OCR’s investigation determined that the entity failed to conduct an accurate and thorough risk analysis and failed to timely notify affected individuals of the breach. In addition to committing to corrective actions, the entity agreed to pay HHS $375,000.

• A third-party administrator of employee-sponsored benefit programs with a ransomware breach that affected approximately 136,539 individuals with exposure of names, addresses, dates of birth, driver’s license numbers, SSNs, credit card or bank account numbers, and diagnoses or conditions. The incident, reported in November and December 2021, occurred when some information systems were encrypted in a ransomware attack. OCR’s investigation determined that the entity had failed to conduct an accurate and thorough risk analysis The entity committed to corrective actions and agreed to pay HHS $225,000.
• A self-funded employee benefits plan with a ransomware breach of 9,316 individuals’ names, addresses, dates of birth, SSNs, and health insurance information. The entity reported in October 2021 that an unauthorized actor deployed ransomware on its information system affecting the ePHI. OCR’s investigation determined that the entity failed to conduct an accurate and thorough risk analysis. The entity committed to corrective actions and agreed to pay HHS $245,000.

ONC Announces Additional ePA Testing in Collaboration with CMS. The Office of the National Coordinator for Health Information Technology (ONC) announced additional electronic prior authorization (ePA) testing in its collaborative work with CMS. The two agencies have developed a testing strategy focused on preparing stakeholders for nationwide ePA deployment. The two areas of focus are pre-production testing and engagement and conformance testing. Planned activities include: (i) Provider-side and payer-side testing of Da Vinci IGs v2.0.1 using the Inferno Testing Tool; (ii) Coverage Requirements Discovery Implementation Guide (IG) v2.2.0 Inferno Testing Tool update to support provider-side and payer-side testing; and (iii) a virtual CMS & HL7 Connectathon in development for June or July with a dedicated track to test Da Vinci IGs.Bottom of Form Subscribe to ONC email updates here.

CMS Proposes Expansion of CJR Model. CMS proposed an expansion of the Comprehensive Care for Joint Replacement (CJR) Model that supports the recovery experience for Medicare beneficiaries undergoing hip, knee, and ankle replacements. The Comprehensive Care for Joint Replacement Expanded (CJR-X) Model intends to continue the success of CJR, which generated an estimated $112.7 million in net Medicare savings while maintaining quality for over 98,000 knee and hip replacement patients across 323 hospitals.

HSCC Releases Guide on AI Risks in Health Care. The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released a new guide addressing artificial intelligence (AI) risks in health care titled, “Third-Party AI Risk and Supply Chain Transparency Guide.” HSCC is a coalition of private-sector health care organizations operating within a national public-private partnership framework and advises the government on threats and vulnerabilities facing health care. The Guide highlights the growing need for stronger transparency, governance, and strategic risk management when working with external AI vendors and solutions. HSCC calls on health care organizations to adopt more proactive due diligence practices, implement dynamic risk profiling, and prioritize greater contractual transparency when engaging AI vendors.

HL7 Da Vinci Holding April Community Roundtable on CMS-0062-P. The Health Level Seven (HL7) Da Vinci Project is holding its April Community Roundtable on the topic of the CMS Interoperability Standards and Prior Authorization for Drugs Proposed Rule (CMS-0062-P). The event will take place April 29 from 4-5:30 pm ET and review the new rule, discuss its implications for HL7 Fast Healthcare Interoperability Resources® (FHIR®) implementation and the industry at large, and help attendees better understand the proposed provisions on current workflows. The event will be recorded and the recording and slide deck will be available for viewing here after the event.

HL7 Announces AI Challenge 2026. HL7 announced the HL7 AI Challenge 2026, an international competition focused on the use of AI in open health data standards. The goal of the challenge is to promote scalable innovation across the health care ecosystem. Individuals, teams, and organizations from academia, industry, government, and the public sector can participate by submitting AI solutions using HL7 standards to advance the data standards needs for clinical care, operations, or human factors. Participants in the challenge do not need to be HL7 members and there is no entry fee. Submissions are due June 30, 2026, and winners will be announced at HL7’s 40th Annual Plenary & Working Group Meeting in September. Additional details are available here.