Monthly Newsletter

Agency for Healthcare Research and Quality (AHRQ)

Voluntary data submission for AHRQ’s Surveys on Patient Safety Culture^® (SOPS^®) Ambulatory Surgery Center (ASC) Database will be open Jun. 2-20 for ASCs that have administered and collected data for AHRQ’s Ambulatory Surgery Center Survey on Patient Safety Culture between Jul. 2023 and Jun. 2025.

ASCs are facilities: (1) where patients have surgeries, procedures, and treatments and are not expected to need an inpatient stay, and (2) that have been certified and approved to participate in the Centers for Medicare & Medicaid Services' ASC program.

Click Here for more information. Participating ASCs will receive feedback reports, comparing their results to aggregated, de-identified data from all database participants.

Targeted Probe and Educate (TPE) Project

Beginning September 1, 2025, inpatient hospital short stay patient status reviews for acute care inpatient hospitals, long-term care hospitals, and inpatient psychiatric facilities will transition from the Beneficiary and Family Centered Care (BFCC) Quality Improvement Organizations’ (QIOs) (BFCC-QIO) to the Medicare Administrative Contractors (MACs). 

MACs will perform reviews on a sample of Medicare pre-payment Part A claims as part of CMS’s current Targeted Probe and Educate (TPE) program. The purpose of this type of medical review activity is to determine the appropriateness of Part A payment for short stay inpatient hospital claims and, when warranted, offer provider education.   MACs will conduct patient status reviews in accordance with established CMS policy. CMS believes this change will have minimal impact on providers and beneficiaries since there has been no change in policy.

Privacy Law Compliance

In summary, 2025 is proving to be a significant year for privacy law compliance in the United States, with businesses needing to adapt to new federal and state regulations, particularly in the areas of consumer rights, transparency, data security, and the protection of children's data.

In the early part of the year, a "regulatory freeze" directive was issued, halting non-emergency rulemaking and regulatory activity. This was done to allow new administrations to review existing regulations. The White House has also issued an executive order directing the repeal of unlawful regulations, prioritizing a review of regulations against specific Supreme Court decisions.

While the federal government might be reviewing and potentially pausing some actions, state-level privacy laws are still actively being passed and enforced.

Several states have enacted or are enacting comprehensive privacy laws with provisions for data protection assessments, consumer opt-out mechanisms for targeted advertising or sale, and requirements for data security. Some states are introducing new rules for mobile health apps, telemedicine platforms and online health data storage.

• As an example, Montana is establishing confidentiality standards for mental health digital services, requiring secure data handling.

United States companies (and multinationals operating in the states) have three significant new state privacy laws going into effect in the second-half of 2025:

Tennessee’s privacy law (“TIPA”) is effective July 1, 2025.

• Tennessee’s TIPA provides for an affirmative defense related to following the NIST Privacy Framework (similar to Colorado’s AI Act call-out for the NIST AI RMF).
  • TIPA includes a unique "right to cure" provision, allowing businesses to mitigate liability by demonstrating compliance with industry-recognized privacy frameworks like NIST. 
• It's a comprehensive law that regulates how businesses handle and protect the personal data of Tennessee residents. TIPA applies to businesses that either control or process the data of 175,000 or more Tennessee consumers, or control or process the data of 25,000 consumers if they derive more than 50% of their gross revenue from selling personal information.

Minnesota’s privacy law is effective July 13, 2025.

• The law grants consumers in Minnesota specific rights regarding their personal data and imposes obligations on businesses that process or control personal data.
• The law offers heightened protection for sensitive personal data, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship, biometric data, genetic information, the data of known children, and specific geolocation data.

Maryland’s privacy law (“MODPA”) is effective October 1, 2025.

• Maryland’s MODPA limits collection of personal data to that reasonably necessary and proportionate for providing specific products or services – and otherwise requires consumer consent.
• It grants residents rights to access, delete, and control their data, requires opt-in for sensitive data, and mandates transparency, data minimization, and safeguards against misuse.

Stay up to date about your state privacy laws:

A few resources are listed below.  Also, consult your organization’s legal counsel or Risk Attorney through provider malpractice company for more information related not only to your state, but specialty.

National Association of Attorneys General

• https://www.naag.org/

State Governments Website

• https://www.usa.gov/state-governments

Termly US Data Privacy Laws Tracker State-by-State Map

• https://termly.io/us-data-privacy-laws/

Current Updates from Center for Connected Health Policy [CCHP]

The Continuing Resolution (H.R. 1968) has extended key Medicare telehealth flexibilities initially established in 2020, until September 30, 2025. As a result of the recent enactment of H.R. 1968 some key Medicare materials posted by CMS may be out of date, including the MLN Medicare Telehealth Booklet, which was updated in January 2025 and still indicates the Medicare telehealth statutory flexibilities listed above will go back into effect April 1.

Additionally, a recent Medicare Update about Therapy Services from March is already out of date, given the most recent extensions in H.R. 1968. The Therapy Services Update specifically clarified that telephone assessment and management codes (98966–98968) for physical therapists, occupational therapists, and speech-language pathologists will continue to be valid until March 31, 2025. However, given the extension of the telehealth allowances to September 30, 2025, it is expected that this allowance for therapists to bill the telephone assessment and management codes will also be extended until September 30, 2025, pending further clarification from Medicare.

A frequently asked question (FAQ) telehealth document on Medicare’s Calendar Year 2025 policy will also need to be updated. The document includes the incorrect expiration date of the telehealth waivers (March 31, 2025) throughout.

CCHP’s Telehealth Policy Finder look-up tool and Policy Trend Maps were updated throughout the past month based on the latest information from our ongoing state telehealth policy tracking. The latest states to be updated include:  Alabama, Alaska, Colorado, Kansas, Kentucky, Minnesota, Nevada, New Hampshire, New Jersey, North Carolina, Oklahoma, Oregon, South Carolina, Utah, and Vermont.