Monthly Newsletter

HIPAA Deadline to Update Notice of Privacy Practices (NPPs) – Office of Civil Rights

• February 16, 2026, is a key deadline for HIPAA compliance, requiring all Covered Entities and Business Associates to update their Notices of Privacy Practices (NPPs) to reflect major changes from the updated 42 CFR Part 2 rules (Substance Use Disorder records), including new patient rights for consent, opt-outs, and protections in legal cases; organizations must have updated policies, consent forms, and training in place to avoid penalties.
• Who Needs to Comply?
  • All HIPAA Covered Entities (providers, health plans, clearinghouses).
  • Lawful Holders of Part 2 records (e.g., many SUD treatment providers).
• This date marks the enforcement deadline for the February 2024 Final Rule modifying 42 CFR Part 2, which aligns SUD privacy with HIPAA.
  • Violations now fall under HIPAA enforcement, meaning potential civil penalties (up to millions) and criminal fines, rather than just the old, rarely-used criminal penalties.
• Key Changes & What to Do by Feb 16, 2026
  • Revised NPPs: Your Notice of Privacy Practices must detail new SUD record protections, how they're used, and patient rights.
  • New Consent Forms: Implement single-consent forms for future SUD data use and disclosures.
  • Patient Rights: Inform patients about their new rights, like requesting privacy, opting out of fundraising, and preventing SUD records from being used in court.
  • Workforce Training: Train staff on these updated procedures and requirements.

Interoperability and Data Exchange – CMS & Compliance to USCDI v3 Now Required Standards

• Health IT (EHRs) and Payers must comply starting January 1, 2026 with the United States Core Data for Interoperability (USCDI) Version 3 which becomes mandatory for all electronic health record (EHR) systems and health IT vendors.
• This update, part of the Health Data, Technology, and Interoperability (HTI-1) Final Rule, adds new data elements like health equity and social factors, Social Determinants of Health (SDoH) and Health Insurance Info to improve equity, patient access, and data sharing, phasing out older versions like USCDI v1 on the same date.
  • Organizations face potential penalties for non-compliance with data sharing and terminology management standards.
  • For educational articles, such as Part 1 and Part 2 on Interoperability, click here.

Artificial Intelligence (AI) Governance and Compliance

• The rapid adoption of generative AI (GenAI) in healthcare is a major focus for 2026 compliance. Health systems will need to implement more formalized governance frameworks and compliance policies to manage the risks of "shadow AI" (unauthorized use of AI tools) and ensure the responsible use of the technology.  
• Key Compliance Focus Areas
  • Risk Management: Implementing tiered controls, shadow testing, and drift monitoring for safety and equity.
  • Documentation & Audits: Building complete AI audit trails for regulators (CMS, OIG).
  • Patient Consent: Ongoing debate and emerging guidelines on disclosure for AI-augmented care.
  • Security & Ethics: Ensuring HIPAA compliance, data privacy, and ethical use, especially for chatbots.
• For educational articles, such as Importance of Addressing Shadow AI for HIPAA Compliance, click here.

Medicare Prior Authorization (PA) Rules

• Impact on Health Plans - New CMS interoperability rules for prior authorization workflows take effect by January 2026, requiring automated, interoperable solutions and high data quality to ensure compliance and avoid processing backlogs. 
• This requires health plans, such as Medicare Advantage, Medicaid, etc., to use Fast Healthcare Interoperability Resources (FHIR)-based APIs, meet strict 72-hour (expedited) / 7-day (standard) decision deadlines, provide specific denial reasons, and report PA data publicly, aiming to cut delays and administrative burden through digital exchange, with full API adoption by 2027.
  

Correctional Health Care Standards

• New federal laws and standards effective January 1, 2026, require states to suspend (not cancel) Medicaid coverage for incarcerated individuals and mandate the provision of medication-assisted treatment (MAT) for opioid use disorder in correctional facilities.
• This creates new administrative tasks for states (data exchange, automated processes) and providers, shifting focus to continuity of care, reducing recidivism, and potentially increasing provider workload for newly covered patients, though challenges remain in implementation and data sharing.
• For healthcare providers, this means a need for better coordination, understanding reentry services (especially for youth/adults), and leveraging Medicaid for post-release support, but facing complexities in billing and the shift in responsibility from correctional to community systems.

Patient-Driven Payment Model (PDPM) ICD-10 Code Mappings

• The primary refinement involves remapping several ICD-10 codes, focusing on ensuring that the primary diagnosis code used in Skilled Nursing Facilities (SNFs) clearly justifies the need for skilled Medicare Part A services.
• The 2026 PDPM Refinements focus on enhancing accuracy by updating ICD-10 code mappings (34 changes), shifting codes to better reflect skilled care needs, reducing billing confusion (moving some to "return to provider"), and ensuring consistency with new codes, aiming for patient-focused payments that truly match care intensity and reduce denials, with implementation starting October 1, 2025, for FY 2026.
• The general FY 2026 ICD-10-CM update includes 487 new diagnosis codes, 38 revisions, and 28 deletions, which must also be incorporated into SNF coding practices.
  • A notable example is the deletion of the general code for multiple sclerosis (G35), replaced by more specific codes.
  • These refinements emphasize the need for rigorous documentation and accurate diagnosis selection to avoid claim denials and ensure appropriate reimbursement.