HHS, Labor, Treasury, and OPM Release Final Rule on Federal IDR Operations. The Departments of Health and Human Services (HHS), Labor, and Treasury and the Office of Personnel Management (OPM) released the Federal Independent Dispute Resolution (IDR) Operations final rule on updated standards for payers, providers, and certified IDR entities related to the Federal IDR process under the No Surprises Act (NSA). The final rule aims to improve the function of the Federal IDR process by streamlining communication between payers, providers, and certified IDR entities and clarifying timelines and processes making the overall process more efficient and transparent. A fact sheet on the final rule is available here.

CMS Reorganizes Leadership. The Centers for Medicare & Medicaid Services (CMS) Administrator Oz reorganized leadership to focus on AI, Medicaid modernization, and fraud reduction. Rebekah Armstrong, former head of the Office of Legislation, is now the Chief of Staff. Stephanie Carlton, previously the Chief of Staff, is transitioning to role as Deputy Administrator focusing on clinical artificial intelligence (AI) and modernizing Medicaid quality measures. These changes support Administrator Oz’s four focus areas on leveraging AI, reducing fraud, improving health outcomes, and advancing value-based care.

CMS Innovation Center to Hold June 4 Webinar on ACCESS Model. The CMS) Innovation Center will hold a webinar on the Advancing Chronic Care with Effective, Scalable Solutions (ACCESS) Model on June 4 at 2 pm ET. The webinar will provide an overview of the model and the roles of primary care providers and referring clinicians, care coordination requirements, and co-management payment. The ACCESS Model tests an outcome-aligned payment approach in Medicare to expand access to new technology-supported care options that seeks to assist individuals improve their health and prevent and manage chronic disease. The model focuses on conditions including high blood pressure, diabetes, chronic musculoskeletal pain, and depression. It will run for 10 years beginning July 5, 2026.

CMS Releases Updated eCQM Specifications and Implementation Resources for 2027 Reporting and Performance Period. CMS released the electronic clinical quality measure (eCQM) specifications for the 2027 reporting/performance period for hospital - inpatient, hospital - outpatient, and eligible clinician quality reporting programs. CMS updates the specifications annually to align with current clinical guidelines and code systems, so they remain relevant and actionable within clinical care settings. The updated eCQM specifications are available on the Hospital - Inpatient, Hospital - Outpatient, and Eligible Clinician pages under the 2027 reporting/performance period. Other resources are also available on the eCQM Resources pages. The eCQM Data Element Repository will be updated in June to reflect data element updates.

FBI Warns of Silent Ransom Group Impersonating IT Personnel to Access Data. The Federal Bureau of Investigation (FBI) released a warning on the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, targeting law firms using social engineering techniques to access the victims’ data. Through phone calls and phishing emails, SRG actors pose as information technology (IT) support to establish access to victim computers and exfiltrate data. SRG has also victimized companies in other sectors, including health care, insurance, and finance.

Indicators of an SRG attack may include: (i) New, unauthorized downloads of system management or remote access tools; (ii) Unauthorized installation of external hard drives or USB drives on company computers; (iii) Exfiltration of data to Microsoft OneDrive, Google Drive, or external servers; (iv) Unidentified or unauthorized individuals attempting to access computers and claiming to be IT support; and (v) Emails, phone calls, or voicemails from an unnamed group claiming data was stolen. The FBI is seeking any information from SRG victims that can be shared. The FBI recommends organizations implement and practice basic cyber hygiene to defend against ransomware attacks.

House E&C Subcommittee Hearing Addresses Administrative Burden in QPP and APMs. The U.S. House Energy and Commerce (E&C) Subcommittee on Health held a hearing on the Medicare Physician Fee Schedule and Medicare Access and CHIP Reauthorization Act with a focus on administrative burdens within the CMS Quality Payment Program (QPP) and advanced payment models (APMs). Witnesses spoke about the complexity and burden of quality metrics and reporting requirements. Recommendations made by witnesses included decreasing the reporting requirements, standardizing quality and performance measures, improving data integration, focusing on patient outcomes, and supporting the transition to value-based care models.

House E&C Subcommittee Reviews Bill Addressing Quality Measures. The House E&C Subcommittee on Health reviewed proposed legislation titled the “Health Care Efficiency Through Flexibility Act” (H.R. 5347), introduced by Rep. Vern Buchanan (R-FL). The bill would require the Secretary of HHS to make available certain collection types for quality measures that accountable care organizations (ACO) are required to report for performance years (PY) 2025 through 2029, including eCQMs, Merit-based Incentive Payment System clinical quality measures, and Medicare clinical quality measures for ACOs participating in the Medicare Shared Savings Program. The bill would also require the HHS Secretary to establish a pilot program for digital quality measure reporting for PYs 2028 through 2032.

CISA Releases New Known Exploited Vulnerability Nomination Form. The Cybersecurity & Infrastructure Security Agency (CISA) released a new Known Exploited Vulnerability (KEV) Nomination Form to make it easier for organizations to report on vulnerabilities that meet the criteria for potential inclusion in the KEV Catalog. CISA maintains the catalog as a source of vulnerabilities that have been exploited, in support of network defenders and the cybersecurity community. The new form is a secure, web-based tool that will improve CISA’s ability to intake and analyze reported vulnerabilities and assist organizations in effectively keeping pace with threat activity.