
WEDI Submits Comments on CMS-0062-P Proposed Rule. WEDI submitted comments to the Centers for Medicare & Medicaid Services (CMS) on the Interoperability and Drug Prior Authorization (CMS-0062-P) proposed rule. The proposed rule intends to improve the electronic exchange of health care data and streamline processes related to drug prior authorization by increasing the interoperability of systems used across the health care industry. Proposals also call for “impacted payers” to: (i) Report their application programming interface (API) endpoints and related information for the Patient Access, Provider Directory, Provider Access, Payer-to-Payer, and Prior Authorization APIs to CMS; (ii) Collect API usage metrics; (iii) Require certain Health Level Seven (HL7®) Fast Healthcare Interoperability Resources (FHIR®) implementation guides (IGs) that are currently recommended; and (iv) Adopt the HL7 FHIR base standard and certain associated specifications and IGs as the Health Insurance Portability and Accountability Act (HIPAA) standards for the "referral certification and authorization" and "eligibility for a health plan" transactions associated with prior authorization by all HIPAA covered entities, among other proposals.

WEDI’s comments made multiple recommendations on the proposals as well as overarching comments on topics of adoption of IG versions, cadence for regulatory updates, timing of compliance dates, numerous and overlapping regulatory requirements, and education needs. WEDI thanks the facilitators and attendees at the May 19 WEDI Member Position Advisory event that solicited opinions and recommendations on the regulatory provisions.

OCR Settles Health Plan Ransomware Investigation. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with an employer-sponsored group health plan over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resolves an investigation that OCR initiated after the plan filed a breach report on January 24, 2022. The plan had received employee complaints that employees were unable to connect to the virtual private network. The plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the plan’s protected health information (PHI), and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members' names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.

OCR found that the Plan had potentially violated provisions of the Privacy and Security Rules, including: (i) Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the Plan prior to the breach incident; and (ii) Failing to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules prior to the breach incident. Under the terms of the resolution, the Plan paid $450,000 and agreed to a two-year corrective action plan monitored by OCR. Go here to access the resolution agreement and corrective action plan.

Representatives Release Discussion Draft of AI Bill. U.S. Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a discussion draft of the Great American Artificial Intelligence Act, which is bipartisan legislation to create a federal framework for how the US will govern artificial intelligence (AI), if enacted. The discussion draft is intended to solicit feedback from stakeholders, experts, and the public before the bill is formally introduced. The discussion draft is also supported by Representatives Scott Franklin (R-FL), Suhas Subramanyam (D-VA), Erin Houchin (R-IN), and Scott Peters (D-CA). The AI framework is designed to promote innovation, protect workers, establish accountability for frontier systems, and provide transparency and accountability for advanced AI systems. A summary of the discussion draft is available and feedback can be submitted to GAAIA@mail.house.gov. 

House E&C Subcommittee Holds Hearing on Price Transparency. The House of Representatives Energy and Commerce (E&C) Subcommittee on Health held a hearing on June 10 titled “Lowering Health Care Costs for All Americans: Examining Policies to Increase Health Care Transparency.” The hearing, led by Representative Morgan Griffith (R-VA), examined policies for increasing price transparency for patients and employers. Three bills discussed throughout the hearing were the Lower Costs, More Transparency Act; the Patients Deserve Price Tags Act; and the Clear Healthcare Expense Cost Knowledge (CHECK) Act.

ONC Releases USCDI+Sickle Cell Disease for Public Comment. The Office of the National Coordinator for Health Information Technology (ONC) released two USCDI+Sickle Cell Disease (SCD) data element lists: SCD Diagnosis and SCD Emergency Care for public comment. Patients living with SCD interact with health care and public health systems throughout their lifetime and limited interoperability across these systems contributes to fragmented care. The USCDI+ SCD aims to support standardized data exchange of electronic health information for improved care access, treatment, and service coordination. Comments are being sought on the importance, ease of collection, and potential burden of capturing and sharing these data elements electronically and any additional data elements that would support SCD diagnosis, identification, and treatment with the supporting rationale. Comments are due by July 25 using the Comment Period feature on the USCDI+ platform. 

CISA Releases Binding Operational Directive on Security Updates. The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk, which requires federal agencies to prioritize responses and updates for high-risk vulnerabilities. The goal of this directive is to streamline federal processes to increase efficiency and strengthen cybersecurity policies for modern and increasingly sophisticated threats. The directive establishes a prioritization structure for patching efforts based on specific criteria. Additionally, CISA released Implementation Guidance to help agencies with their response actions and with aligning to the directive’s requirements.

NIST Publishes Cybersecurity and Privacy Annual Report. NIST published the Fiscal Year (FY) 2025 Cybersecurity and Privacy Annual Report, summarizing work by the NIST Information Technology Laboratory (ITL) Cybersecurity and Privacy Program during FY 2025. The report provides an overview of accomplishments in cryptography, cybersecurity and AI, education and workforce, hardware and software security, infrastructure security, and risk management. Throughout FY 2025, the NIST ITL Cybersecurity and Privacy Program responded to numerous challenges and opportunities in security and privacy and research activities, including the ongoing participation and development of international standards, research, and practical applications in the key priority areas.

NIST Hosting Workshop on Hardware CPE and CVSS Updates. NIST is hosting a one-day workshop on June 22 on hardware representation in the Common Platform Enumeration (CPE) and on how the Common Vulnerability Scoring System (CVSS) applies to hardware. The workshop will discuss NIST's plans and potential updates in these areas and gather community feedback from participants across government and industry. Topics will include the current state of hardware coverage in the National Vulnerability Database and CPE, plans and potential changes to CPE for hardware representation, CVSS considerations specific to hardware, and how the community can engage with this work going forward. The event will be held at the NIST National Cybersecurity Center of Excellence in Rockville, Maryland, with a virtual attendance option. Registration is available online.
