
OCR Settles HIPAA Security Rule Investigation with Software Company Business Associate. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with a Maryland software company for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. As a business associate, the software company received protected health information (PHI) from HIPAA covered entities, and its software was used to communicate directly with patients of those covered entities. The settlement resolves an OCR investigation initiated in March 2023 after OCR received a complaint about an unreported December 2020 security incident involving the posting of PHI on the dark web. OCR’s investigation determined that an unauthorized actor infiltrated the software company’s information system and accessed PHI, resulting in the unauthorized disclosure of approximately 15 million individuals’ PHI. OCR also determined that the company had failed to conduct an accurate and thorough risk analysis and had failed to notify the affected covered entities of the breach. This settlement is the 12th enforcement action under OCR’s Risk Analysis Initiative. The company resolved the enforcement action with a settlement agreement and a payment of $10,000 to OCR.
CMS Launches Medicare App Library. The Centers for Medicare & Medicaid Services (CMS) has launched a Medicare App Library as part of the CMS Digital Health Tech Ecosystem. The Medicare App Library is intended to be a trusted, centralized directory where Medicare beneficiaries can find and access vetted digital health care options. The term "apps" (applications) is being used inclusively to encompass traditional mobile and web apps, technology-enabled care services, digital health platforms, and innovative care delivery tools. All care options in the library will have undergone rigorous evaluation to ensure they meet high standards for security, privacy, clinical evidence, usability, and equity.
Senate HELP Committee Passes Health Care Cybersecurity Legislation. The Senate Committee on Health, Education, Labor, and Pensions (HELP) advanced bipartisan cybersecurity legislation out of committee. The “Health Care Cybersecurity and Resilience Act” (S.3315) was re-introduced in December 2025 by HELP Committee Chair Senator Bill Cassidy, M.D. (R-LA) and Senator Mark Warner (D-VA). The bill aims to strengthen cyber defenses across the health care system, better protect sensitive patient data, and support providers responding to increasingly sophisticated cyber threats. The legislation now advances to the full Senate for consideration.
FDA Holding Town Hall March 11 on CDS Software Final Guidance. The Food and Drug Administration (FDA) will host a town hall on Wednesday, March 11, at 1 pm ET to discuss updates to the Clinical Decision Support Software Final Guidance, which was issued on January 6 and re-issued on January 29. The guidance clarifies which types of clinical decision support (CDS) software functions are excluded from the definition of a device under the Food, Drug, and Cosmetic Act. It also clarifies that FDA’s existing digital health policies continue to apply to software functions that do meet the definition of a device, including those intended for use by patients or caregivers. Go here to register for the event. Questions can be submitted to digitalhealth@fda.hhs.gov for possible discussion during the town hall.
CMS Outlines Plans for Medicare Advantage Provider Directory. The CMS document “Technical Implementation Guide for Supplying Medicare Advantage (MA) Provider Directory Data for Use in Medicare Plan Finder (MPF)” details the agency’s plans for implementing MA provider directory data in the MPF, with phase one scheduled later this year. This work is designed to meet regulatory requirements promulgated in September 2025. The regulation requires MA organizations to share provider directory data with CMS for inclusion in the MPF to enable Medicare beneficiaries to determine whether specific providers and facilities are in-network when shopping and comparing plans. The CMS document provides MA organizations with technical guidance for supplying provider directory information for the MPF.
CISA and Partners Release Guidance on Ongoing Global Exploitation of Cisco SD-WAN Systems. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and international partners released guidance and resources for organizations running Cisco Software-Defined Wide-Area Networking (SD-WAN) systems to address ongoing exploitation of multiple vulnerabilities. In response to observed malicious cyber actors targeting and compromising Cisco SD-WAN systems, the guidance directs organizations to inventory affected systems, apply the available updates, and assess those systems for potential compromise.
TEFCA RCE Publishes Consent Management and Consumer Engagement Strategy Guides. The Sequoia Project, the Trusted Exchange Framework and Common Agreement (TEFCA) Recognized Coordinating Entity (RCE), published two guides for the industry on navigating consent management. The first, “Guidance to States: Legislating Technical Standard Definitions for Existing State-Sensitive Health Data Laws,” provides an overview of states’ sensitive health data laws and the need to balance those laws with national technical standards. The guide is intended as a resource for states’ work on privacy rules and on individuals’ privacy preferences for how their sensitive health data is shared. The second, a draft guide titled “Operationalizing Automated Consent: Actionable Guidance for Health Care Providers, Payors, and Other Health Care Organizations,” provides tools for collecting and managing patient consent. It is open for public feedback until March 13, and comments can be submitted to InteropMatters@sequoiaproject.org. A free, public webinar on the guides will be held on March 24. Go here for more information and to register.
The second project is an output of the Consumer Engagement Strategy Workgroup: a draft set of best practices for reducing barriers to patients’ access to their own health data. The draft document, “Simplifying Data Access for Better Patient Experience: Best Practices and Implementation Toolkit for Providers,” includes an implementation toolkit. The deadline to submit feedback on this document is April 2.
NIST Celebrates Two Years of CSF 2.0. The National Institute of Standards and Technology (NIST) celebrated two years since the publication of the Cybersecurity Framework (CSF) 2.0. CSF 2.0 increased the emphasis on cybersecurity supply chain risk management, updated categories and subcategories to address current threat and technology shifts, and created resources designed to make CSF 2.0 easier to put into practice. It has been widely accepted by organizations of all sizes and sectors and continues to be the most downloaded NIST technical publication. Read more about CSF 2.0 in the NIST Blog Cybersecurity Insights.
