With the Inpatient Prospective Payment System for 2026 proposed, we now have a view of how HHS intends to administer the “meaningful use” program for hospitals in 2026. In short, most hospitals that do not demonstrate meaningful use of their EMRs will be subject to a 1% penalty on their Medicare revenues. The proposed rule is more significant in that it signals some semblance of stability in the program; however, it remains to be seen how it will be administered with DHHS’s most recent budgetary cuts.
The most significant parts of the proposed rule with respect to meaningful use are likely the reporting period, new security measure, the TEFCA measure, the measure related SAFER guides, two RFIs (one on a prescription drug monitoring program measure – the other on data quality), and the overall scoring methodology. Comment is open until June 10, 2025.
HHS is proposing a reporting period for “promoting interoperability measures” of one hundred and eighty days, holding steady with the reporting period for 2024. For developers, that means measure logic needs to be ready no later than July 24, 2026 for tmeasures, otherwise hospital clients may begin slide on their performance.
The rule also adds a new security requirement to the program. It proposes to requires a risk management attestation in addition to security risk analysis attestation. It specifically references providers to https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool and Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. As reference guides. This more or less aligns with the security focus HHS first signaled with its new proposed HIPAA Security Rule in December.
Next, it also requires attestation to “yes” to annual self assessment using the eight SAFER guides published in January 2025. When I first wrote about the SAFER Guides, it was broken up into nine subjects. Today, it has been pared down to 8. https://www.healthit.gov/topic/safety/safer-guides, with system configuration and system interfaces merging into systems management. The other guides are: High Priority Practices (e.g. storing lab results in a standard format), Organizational responsibilities, Contingency planning, System configuration, System interfaces, Patient identification, Computerized Provider Order Entry with Decision Support, Test Results Reporting and Follow Up, and Clinician Communication.
Also, the proposed rule would add a bonus measure for submission to a public health agency through TEFCA. This is the strongest signal we have yet that TEFCA, indeed, will survive this administration. Alongside these modifications, HHS is also reminding hospitals to use a BASE EHR, the definition to which has seen some significant changes over the past few years.
CMS has also issues two requests for information: one for prescription drug monitoring program measures and another for data quality. Neither issue is new or novel, but HHS is continuing to try and figure out how it can prevent drug diversion of opiates (including fentanyl) through monitoring, and how it can clean up what has become a fragmented mess in electronic patient records.
Finally, for anybody interested in the proposed scoring, I lifted the following charts from the proposed rule for reference:
eHealth Law Blog 