OCR Announces Civil Enforcement Program for Confidentiality of SUD Records. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a new program to implement and enforce statutory and regulatory requirements that protect the confidentiality of substance use disorder (SUD) patient records beginning February 16, 2026. The program puts in place enforcement of the SUD confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security Act and its implementing regulation at 42 CFR part 2 (“Part 2”). Entities and persons subject to the regulation must comply with all applicable requirements.

The penalties for noncompliance align with the penalties available under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. OCR investigations conducted under the new program may be resolved through a range of civil enforcement mechanisms, including a resolution agreement, monetary settlement, commitment for corrective action, or civil money penalty. OCR has also developed a model patient notice and updated its model HIPAA Notices of Privacy Practices. Visit OCR’s Part 2 webpage for more information and resources.

ASTP/ONC Releases USCDI+ Quality Version 1 (January 2026), Comment Period Opens for Version 2. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) released the final U.S. Core Data for Interoperability (USCDI)+ Quality Version 1 and opened a comment period for Version 2. USCDI+ Quality supports digital quality measurement and reporting and advances the use of quality data across federal programs and health systems. USCDI+ Quality Version 1 focuses on data elements that are standardized, ready for implementation, and directly support electronic clinical quality measures. Draft USCDI+ Quality Version 2 is open for comments on edits on existing data elements as well as new data elements. More information on the comment process is available at: USCDI+ Platform. Comments are due March 17. 

CISA Issues Directive 26-02 on Mitigating Risks from EOS Edge Devices. The Cybersecurity & Infrastructure Security Agency (CISA) issued “Binding Operational Directive 26-02: Mitigating Risk from End-of-Support Edge Devices” requiring federal agencies to identify edge device hardware and software that is approaching or has reached end-of-support (EOS). The agency calls for immediate action to address identified unsupported devices operating on federal networks. CISA requires federal agencies to: (i) Update vendor supported edge devices running EOS software; (ii) Inventory all devices that are EOS or will become EOS within the next 12 months; (iii) Remove EOS devices from networks and replace them with vendor-supported devices that receive security updates; and (iv) Establish a process for continuous discovery of edge devices and regularly update your edge device inventory.

TEFCA RCE Releases Approved SOPs. The Trusted Exchange and Common Agreement™ (TEFCA™) Recognized Coordinating Entity® (RCE®) and the ASTP released five updated Standard Operating Procedures (SOPs), as approved by the Caucuses, on the TEFCA Topics in Change Management webpage. The Health Care Operations SOP v2.0, Treatment Implementation SOP v1.2, and Exchange Purposes SOP v5.0 became effective February 15, 2026. The Facilitated FHIR Implementation SOP Version 2.0 is effective March 8, 2026. The IAS Provider Requirements SOP v2.1 is effective March 17, 2026.

ASTP Announces EHIgnite Challenge to Advance Use of EHI. ASTP announced the EHIgnite Challenge to spur innovation with the transformation of raw electronic health information (EHI) into actionable data for patients and clinicians. Registration for the Challenge will open soon. The goal of the EHIgnite Challenge is to transform raw exports, which are often difficult to integrate, into computable data. Participants will be encouraged to develop tools, platforms, and workflows that turn the raw EHI into usable, readable, and actionable information that supports clinical care, patient engagement, and informed decision-making. A webinar is being held on March 11 at 2 pm ET to provide details on the challenge’s mission, submission guidelines, and multi-phase prize structure. Go here to register for the webinar.

CMS Updates Open Payments Data. The Centers for Medicare & Medicaid Services (CMS) updated the Open Payments data to include changes that took place since the June 2025 publication. The Open Payments data is refreshed annually to include updates from disputes and other data corrections made since the initial data publication. Updates in this release include: (i) Changes to non-disputed records made on or before November 15, 2025; (ii) Completed dispute resolutions on or before December 31, 2025; and (iii) Removal of records deleted before December 31, 2025. The updated dataset is available here.

OIG Releases Findings from Audit of Hospital’s Security Controls for Cyberattacks. The HHS Office of Inspector General (OIG) released its findings of an audit it completed of a large southeastern hospital’s security controls for cyberattacks. In one scenario, the audit found that a web application lacked strong user identification and authentication controls, such as multi-factor authentication. These failings permitted OIG to gain account access using login credentials captured from a phishing campaign. OIG also found an internet-facing web application had a cybersecurity control weakness related to system and information integrity. OIG made recommendations for the entity to improve its cybersecurity controls, to which the entity agreed.

CMS Hosting Webinar on Innovation in Behavioral Health Model Cohort II NOFO. The CMS Innovation Center will host a webinar on March 5 at 2 pm ET to discuss the Innovation in Behavioral Health (IBH) Model’s Cohort II Notice of Funding Opportunity (NOFO). Topics that will be covered include model payment methodology, federal award details, and the application process. IBH is a state-based model that leverages the relationships of people with Medicare and/or Medicaid with specialty behavioral health practices to provide whole-person, integrated care that better addresses their behavioral, mental, and physical health. Go here to register for the webinar.