
WEDI Sends NSA Letter to Ways and Means Outlining Challenges with AEOBs. WEDI sent to the House Committee on Ways and Means its letter on the No Surprises Act (NSA) that it sent on September 8 to the Secretaries of the Departments of Health and Human Services (HHS), Labor, and Treasury and Director of the Office of Personnel Management outlining ongoing challenges with the implementation of the law’s requirements related to the Good Faith Estimate (GFE) and Advanced Explanations of Benefits (AEOBs). The letter highlights the lack of a tested and finalized standard for conducting GFEs and AEOBs, although development work is underway, and supports an appropriate balance between ensuring consumers have access to applicable cost data while not imposing onerous administrative requirements on health plans and providers.
WEDI’s letter was sent to the House Committee on Ways and Means following the letter it sent to the Secretaries calling for action in finalizing the requirements of the NSA, including the AEOB. The Committee’s letter explains that the NSA was enacted to protect patients against surprise medical bills, increase health care cost transparency, and empower patients, and despite clear congressional support for the law’s provisions, they have not been fully implemented. The letter criticizes the fact that requirements for the AEOB that provides price disclosure to patients before scheduled medical procedures remain unimplemented. The Committee calls on the Administration to address their concerns as it prioritizes health care price transparency.
CMS Opens Funding for $50 Billion Rural Health Transformation Program. The Centers for Medicare & Medicaid Services (CMS) announced details on how states can apply to receive funding from the $50 billion new federal program, Rural Health Transformation Program, created to strengthen health care in rural locations. Funding will be allocated to approved states over five years, with $10 billion available each year beginning in federal fiscal year 2026. One of the statutorily approved uses of funds is to develop innovative technologies that promote efficient care delivery, data security, and access to digital health tools by rural facilities, providers, and patients. Overall, the program is intended to empower states to transform the existing rural health care infrastructure and build sustainable health care systems that expand access, enhance quality of care, and improve outcomes for patients. The deadline for states to apply is November 5, 2025, and CMS will announce awardees by December 31, 2025.
ASTP/ONC Seeking Public Comments on HTI-4 Draft Test Procedures, Deadline September 24. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) is seeking public comments on the draft test procedures for the ONC Health IT Certification Program criteria that were revised in the Health Data, Technology, and Interoperability: Electronic Prescribing, Real-Time Prescription Benefit and Electronic Prior Authorization (HTI-4) Final Rule. Comments are specifically being sought for the draft test procedures for electronic prescribing, real-time prescription benefit, provider prior authorization application programming interface (API) - Coverage Requirements Discovery, provider prior authorization API - Documentation Templates and Rules, and provider prior authorization API - Prior Authorization Support. The comment period closes on September 24, 2025. ASTP/ONC will use the feedback to update the Test Procedures before publishing the finalized Test Procedures around the effective date of the HTI-4 Final Rule.
FBI Warns of Cybercriminals Targeting Salesforce Platforms. The Federal Bureau of Investigation (FBI) disseminated a warning about activities by cybercriminal groups UNC6040 and UNC6395 targeting organizations’ Salesforce platforms. The cybercriminals were identified as being responsible for an increasing number of data theft and extortion events that compromised organizations. The UNC6040 threat actors used voice phishing, calling victims’ call centers, posing as tech support employees, and tricking customer support employees into taking actions that granted the attackers access to customer data. Some victims later received extortion threats demanding payment in cryptocurrency to avoid publication of stolen data. The second cybercriminal group, UNC6395, used compromised OAuth tokens for an AI chatbot that can be integrated with Salesforce, allowing them to access and steal data. In August 2025, Salesloft, in collaboration with Salesforce, terminated access to victims’ Salesforce platforms from the previously connected Salesloft app. The FBI recommended organizations mitigate risks of cyberattacks by training call center employees to recognize and report phishing attempts; requiring phishing-resistant multi-factor authentication for as many services as possible; implementing authentication, authorization, and accounting systems to limit actions users can perform; and reviewing all third-party integrations connecting to third-party software.
House Passed Continuing Resolution Extends Telehealth Flexibilities for Medicare. On September 17, the House passed a continuing resolution (CR) by a vote of 216-210 that, if passed by the Senate, will keep the federal government funded until November 21. The CR includes the same extension of the telehealth flexibilities, which were also set to expire on September 30. Both the House and Senate recently introduced bills that, if enacted, would extend telehealth services for Medicare patients for two years. The Telehealth Modernization Act was introduced in the House by Reps. Earl Carter (R-GA) and Debbie Dingell (D-MI), and a bill by the same name was reintroduced in the Senate by Sens. Tim Scott (R-SC) and Brian Schatz (D-HI). Specific provisions that would be extended until September 30, 2027, include removal of geographic requirements and expansion of originating sites for telehealth services, expansion of the practitioners eligible to furnish telehealth services, extension of telehealth services for federally qualified health centers and rural health clinics, audio-only telehealth services, and restrictions on telehealth mental services. Other extensions provided by the bill include the Acute Hospital Care at Home Program, Medicare Diabetes Prevention Program Expanded Model, cardiopulmonary rehabilitation services at home, and use of telehealth to meet face-to-face requirements for hospice care and home dialysis. The House bill has been referred to the Committee on Energy and Commerce and the Committee on Ways and Means. If no action is taken by Congress, the current telehealth flexibilities will expire on September 30.
House Resolution Criticizes Use of Prior Authorization for Medicare Services in WISeR Model. Representatives Jan Schakowsky (D-IL) and Mark Pocan (D-WI) introduced a resolution criticizing the newly created CMS Innovation Wasteful and Inappropriate Service Reduction (WISeR) Model set to go into effect on January 1, 2026. The model will require prior authorization for select services in traditional Medicare in six pilot states – Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington – and use artificial intelligence (AI) as part of the processing of the requests. The resolution expresses disapproval of the WISeR model and the expansion of prior authorization in traditional Medicare and calls on CMS to terminate the model. In requesting this action, the resolution cites several concerns, including requiring prior authorization for traditional Medicare services, using AI and machine learning technology to process prior authorization requests, and setting barriers to care delivery.
ASTP/ONC Approved Standards for 2025 Now Available. The ASTP/ONC Approved Standards for 2025, as developed through the Standards Version Advancement Process (SVAP), are now available for the ONC Health IT Certification Program. The Approved Standards for 2025 include:
- United States Core Data for Interoperability (USCDI), Version 3.1, June 2025
- United States Core Data for Interoperability (USCDI), Version 5, March 2025 Errata
- HL7® FHIR® US Core Implementation Guide STU 8.0.0 (June 2025)
- HL7® Consolidated CDA (C-CDA) 4.0.0 - STU 4 (US Realm) (June 2025)
- 2025 CMS QRDA I Implementation Guide for Hospital Quality Reporting (Updated May 2024)
- 2025 CMS QRDA III Implementation Guide for Eligible Clinicians (Updated December 2024)
Through SVAP, Certified Health IT developers can voluntarily use a newer approved version of a standard than is adopted in regulation and meet the “Real World Testing” Condition of Certification. More information on the list of standards and versions eligible for consideration is available on the SVAP webpage, fact sheet, and blog.
GAO Report Identifies Unaddressed Cybersecurity and IT Concerns by HHS. The Government Accountability Office (GAO) sent a letter to the Chief Information Officer (CIO) at HHS alerting the department to its previous recommendations related to cybersecurity and information technology (IT) concerns that have gone unaddressed. The total number of open recommendations is 82 and includes 37 that are considered sensitive, requiring the attention of the CIO, and 49 that are relevant to component-level CIOs. Each of the recommendations relates to a GAO High-Risk area of ensuring the cybersecurity of the nation or improving IT acquisitions and management. The letter asserts that HHS needs to take action to secure the records and the information systems it uses. Other steps are recommended to meet event logging requirements as directed by the Office of Management and Budget that will allow for detection, investigation, and remediation of cyberthreats. HHS also needs to complete an inventory of its Internet of Things, the absence of which is a cyber concern for the department and its agencies. The GAO also referenced unaddressed recommendations from the HHS Inspector General in the areas of cybersecurity and IT acquisitions and management related to the department’s requirements under the Federal Information Security Modernization Act of 2014.