ASTP/ONC Announces Enforcement Discretion for ONC Health IT Certification Program. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) announced an enforcement discretion notice that applies to the Attestations Condition and Maintenance of Certification requirements and updates related to the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule due to the lapse in appropriations that occurred from October 1, 2025, through November 12, 2025. ASTP/ONC determined that the lapse in appropriations impacted the ability of health information technology developers to comply with certain ONC Health IT Certification Program requirements, including submitting their semi-annual attestations for the April-September period. This enforcement discretion took effect immediately and will remain in effect until December 31, 2025. Health IT developers can submit their attestations for the April-September 2025 period beginning December 1, 2025, through December 31, 2025. The April 2026 attestation submission window, covering the period from October 2025 through March 2026, will remain the same.

The HTI-1 enforcement discretion includes ASTP/ONC not enforcing the January 1, 2026, compliance date for health IT developers’ updates to health IT modules certified to impacted certification criteria. This enforcement discretion will be in effect from January 1, 2026, through March 1, 2026.

CMS Releases RFI on Potential Improvements to Medicare Advantage, Deadline January 26. The Centers for Medicare & Medicaid Services (CMS) released a Request for Information (RFI) seeking public feedback on potential improvements to the Medicare Advantage (MA) program that can be implemented through either programmatic changes or through implementation of a CMS Innovation Center model. The RFI is included in the 2027 Part C and D Proposed Rule (CMS-4212-P) and the deadline to comment is January 26. Specific topics for comment include risk adjustment methodologies, quality bonus payment policies, and wellness and nutrition policies. The RFI is seeking input on how to enhance competition in the MA program, level the playing field for smaller, regional, and less well-resourced plans, improve health outcomes, and maximize the value of the MA program.

Senate Introduces Bill to Reauthorize CISA. Sen. Gary Peters (D-MI) introduced S.2983 titled “Extending Expired Cybersecurity Authorities Act” that calls for the reauthorization of the Cybersecurity Information Sharing Act (CISA) of 2015. The bipartisan bill, with 11 co-sponsors, would extend the authorization of CISA until September 30, 2035, and would rename the act “Protecting America from Cyber Threats Act.” The bill has been placed on the Senate Legislative Calendar under General Orders.

CMS Hosting WISeR Model Office Hour for Providers, December 4. The CMS Innovation Center will host an office hour for providers on December 4 from 1:00 to 2:00 pm ET to discuss the Wasteful and Inappropriate Service Reduction (WISeR) Model. Specifically, speakers will address the WISeR Model’s impact on providers, address frequently asked questions, and respond to live inquiries from the audience. Register here to attend. Questions can be submitted at the time of registration. Presentation materials will be available on the WISeR Model webpage following the webinar.

HL7 Spotlights AI Challenge Winners. Health Level Seven (HL7) is hosting a webinar on December 9 to spotlight its inaugural HL7 AI Challenge recipients. HL7 announced the artificial intelligence (AI) challenge in May with the intent of highlighting innovative solutions incorporating AI in health care, sharing best practices with the use of AI, and demonstrating how AI can be scaled within health care. The winners of the challenge include Quantek Systems, Inc., Verto Health, Trisotech, Robert Lario, PhD (Xzyos.ai) and Kevin Baskin, MD (Vanguard), Omni Health Nexus, and Let’s Talk Doc. The initiatives focus on clinical workflow, data integration, information management, and patient communication.

CISA Issues Alert on Spyware Targeting Messaging Apps. The Cybersecurity & Infrastructure Security Agency (CISA) issued an alert on cyber threat actors using commercial spyware to target users of mobile messaging applications (apps). The spyware is delivered to a user’s app through targeted and social engineering tactics giving the criminals unauthorized access. Additional malware can then be loaded on the victim’s mobile device. Threat actors use phishing and device-linking, zero-click exploits, and impersonation of messaging apps to carry out malicious activities. Individuals deemed to be of “high value” are the likely targets of this cyber threat. CISA urges messaging app users to take steps to protect their mobile devices from this threat.

CISA Releases Guide on Bulletproof Defense. CISA, in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, released the guide “Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers” to enable Internet Service Providers and network defenders to reduce cybercriminal activity supported by Bulletproof Hosting (BPH) providers. BPH providers lease infrastructure to cybercriminals allowing them to conduct malicious activities. The guide provides recommendations to minimize these vulnerabilities, including developing lists of malicious resources, applying filters to block malicious traffic, monitoring network traffic to identify threats, and collaborating with public and private entities.

Leavitt Partners Report Recommends Actions to Support Administration’s Information Blocking Priority. Leavitt Partners released a report outlining policy proposals to ensure timely access to electronic health data by addressing information blocking through regulatory reforms and improved enforcement. The Department of Health and Human Services  recently announced that reducing information blocking is a priority for the Administration. The current enforcement process relies on filing of complaints, which remain low and has resulted in minimal action against violators. ​Recommendations proposed in the report involve increasing awareness of the complaint and reporting options, establishing a uniform enforcement approach, expanding investigative capabilities, and enforcing penalties. ​WEDI will hold a special Spotlight Webinar on Information Blocking featuring leading industry experts on December 3. Register for the free event here.