May 1, 2025

CMS Proposes Revision to FY 2026 Medicare Inpatient Prospective Payment System – Comment by June 10

This proposed rule would revise the Medicare hospital inpatient prospective payment systems (IPPS) for

• operating and capital-related costs of acute care hospitals;
• make changes relating to Medicare graduate medical education (GME) for teaching hospitals;
• update the payment policies and the annual payment rates for the Medicare prospective payment system (PPS) for inpatient hospital services provided by long-term care hospitals (LTCHs);
• update and make changes to requirements for certain quality programs; and
• make other policy-related changes.

To be assured consideration, comments must be received no later than 5 p.m. EDT on June 10, 2025.

In commenting, please refer to file code CMS-1833-P. Because of staff and resource limitations, comments cannot be accepted by facsimile transmission.

Comments, including mass comment submissions, must be submitted in one of the following ways:

• Electronically – You may submit electronic comments on this regulation to: https://www.regulations.gov.
• Regular Mail – You may mail written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-1833-P, PO Box 8013, Baltimore, MD 21244-8013.
• Be sure to allow sufficient time for mailed comments to be received before the close of the comment period.
• Express or Overnight Mail – You may send written comments vi express or overnight mail to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-1833-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850

Click Here to View CMS Fact Sheet on Proposed Rule

Click Here to Learn More

February 25, 2025

DEA & HHS Delay Implementation of Final Rules

The Drug Enforcement Administration (DEA) and the Department of Health and Human Services (HHS) have announced a delay in the effective date for the recently issue final rules regarding the telemedicine prescribing of buprenorphine and telemedicine for Veterans Affairs Patients. Originally scheduled to become effective February 18, the rules will now take effect on March 21, 2025.

This decision aligns with the White House memorandum issued on January 20, which called for “A Regulatory Freeze Pending Review” to allow agencies further review of any fact, law, and policy considerations prior to proposing, issuing, or finalizing any regulatory activities. In particular, the DEA/HHS announcement cites the third paragraph of the Freeze Memo, which ordered agencies to consider postponing the effective dates for any recently published rules that have yet to take effect.

The DEA and HHS have also confirmed that the waiver provisions established in the third extension of telemedicine flexibilities for prescribing controlled substances will remain in effect through December 31, 2025, ensuring that in-person visit requirements continue to be waived for the remainder of 2025.

Click Here to Read More

Click Here to Read Buprenorphine Rule

Click Here to Read Veterans Affair Rule

Click Here to Read Telemedicine Special Registration Rule

February 18, 2025

HHS Proposes Major Updates to HIPAA Security Rule to Strengthen Cybersecurity, Comments due March 7

For the first time in two decades, the Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule to better protect electronic protected health information (ePHI) from increasing cyber threats. The Notice of Proposed Rulemaking (Proposed Rule) seeks to modernize security safeguards in response to a significant increase in large-scale healthcare breaches caused by hackers and ransomware between 2018 and 2023.

If enacted, the rule would require all HIPAA-regulated entities to:

• Enhance cybersecurity practices, including maintaining an up-to-date inventory of technology assets,
• Conducting annual risk analyses,
• Implementing stronger patch management policies, and
• Using multi-factor authentication.

Additionally, covered entities would be obligated to:

• Encrypt ePHI,
• Perform vulnerability scans and penetration testing, and
• Ensure more rigorous oversight of business associates handling sensitive health data.

As remote care platforms manage vast amounts of ePHI, these new cybersecurity rules could significantly impact telehealth services.

The Proposed Rule also emphasizes stricter compliance documentation and monitoring, including mandating a 72-hour disaster recovery plan, annual compliance audits, and stronger incident response protocols. Notably, business associates would be required to notify covered entities of any contingency plan activation within 24 hours.

The proposed rule also seeks comments on emerging technologies such as artificial intelligence, quantum computing, virtual and augmented reality, and HIPAA’s role in regulating these emerging technologies.

Comments are due by March 7, 2025 and can be submitted through the federal register.

Click Here to Read More