Welcome to the November 2025 edition of Verisys’ Legislative and Compliance Update. This month brings notable developments in federal data security oversight, Medicare enrollment, and significant state-level provider misconduct. These updates underscore why comprehensive, continuous monitoring of all providers—employed or contracted—remains essential to safeguarding patients, protecting organizational integrity, and maintaining regulatory alignment. Here’s what you need to know.
Federal Update
OIG Flags Cybersecurity Gaps in NIH’s All of Us Research Program
Agency: Office of Inspector General (OIG), U.S. Department of Health & Human Services
Report Issued: November 14, 2025
The OIG released an audit of the National Institutes of Health (NIH) All of Us Research Program—an initiative collecting genomic and health data from over one million participants. The report identified several critical issues:
- Insufficient Access Controls: The NIH did not adequately restrict access to highly sensitive research data.
- Delayed Remediation: Previously reported security vulnerabilities had not been resolved within mandated timeframes.
- Incomplete Risk Communication: Key security and national-risk concerns were not consistently shared with partner organizations supporting the program.
Why This Matters
Although focused on a research initiative, the findings emphasize a universal compliance truth: when handling sensitive patient or provider information, oversight cannot lapse. Robust access controls, timely remediation, and reliable communication pathways protect data integrity and reduce downstream regulatory exposure.
Key Takeaways for Healthcare Organizations
- Review and tighten access controls for all sensitive data.
- Ensure ongoing monitoring processes to capture changes in licensure, sanctions, and affiliations.
- Maintain thorough documentation of corrective actions for audit readiness.
Read the OIG Report:
https://oig.hhs.gov/reports/all/2025/the-national-institutes-of-health-needs-to-improve-the-cybersecurity-of-the-all-of-us-research-program-to-protect-participant-data/
Medicare Enrollment Reminder
CMS Opens the 2026 Medicare Participation Window
Agency: Centers for Medicare & Medicaid Services (CMS)
Deadline: December 31, 2025
CMS has announced the annual window for providers and suppliers to declare their Medicare participation status for calendar year 2026.
Key Points
- Participating providers receive full reimbursement based on the Medicare Physician Fee Schedule.
- Non-participating providers receive slightly reduced reimbursement rates.
- Accurate NPPES data—including taxonomy, practice location, and contact details—is essential to avoid payment delays and credentialing issues.
Why This Matters
Medicare enrollment accuracy directly affects reimbursement, compliance alignment, and operational efficiency. Outdated or incomplete provider records can create avoidable obstacles.
Action Items for Compliance Teams
- Confirm each provider’s participation decision and maintain supporting documentation.
- Verify that all provider records in NPPES are current and accurate.
- Evaluate internal tracking tools to ensure visibility into upcoming deadlines and changes.
Read the CMS MLN Connects Newsletter:
https://www.cms.gov/training-education/medicare-learning-network/newsletter/mln-connects-newsletter-november-14-2025
State Spotlight: Michigan
Henry Ford Health Reaches $141M Settlement in Physician Misconduct Case
Jurisdiction: Oakland County, Michigan
Henry Ford Health and a former physician agreed to a $141 million settlement following widespread misconduct affecting more than 8,200 patients between January 1, 2018, and August 8, 2024. Investigators uncovered instances of secret recording and abuse across multiple facilities.
Why This Matters
This case reinforces that oversight responsibilities extend to all providers operating within a system—even if they are not directly employed. Organizations are increasingly held accountable for misconduct by contracted or privileged providers.
Lessons for Healthcare Organizations
- Oversight must include independent, affiliated, and contracted clinicians.
- Documented monitoring and compliance activities can support rapid response during investigations.
- Continuous credentialing and behavior monitoring reduce patient and organizational risk.
Read the Full Story:
https://www.clickondetroit.com/news/local/2025/11/05/oakland-county-doctor-sexual-abuse-case-settlement-finalized-millions-to-be-paid-out/
State Spotlight: Iowa
New Sexual Misconduct Charges Filed Against Waterloo Physician
Jurisdiction: Iowa
Update Date: November 3, 2025
The Iowa Board of Medicine has filed new charges against Dr. Danny Lewis Jr., a Waterloo family practice physician, for unprofessional conduct and sexual harassment. Lewis was previously sanctioned in 2020 following similar allegations.
Why This Matters
The case highlights a persistent compliance challenge: repeat disciplinary behavior. Prior board actions do not eliminate ongoing risk. Continuous monitoring, documentation of past issues, and proactive evaluation of provider conduct remain essential to effective risk management.
Conclusion: Looking Ahead
November’s developments illustrate the growing importance of data integrity, provider oversight, and proactive compliance practices. Cases like those in Michigan and Iowa show that risk can emerge—and reemerge—across settings and provider types. The most effective organizations are those that maintain vigilance, document their actions, and continuously monitor for changes that may affect patient safety or regulatory standing.
Verisys partners with healthcare organizations to track and verify provider information across their lifecycle—capturing changes in licensure, sanctions, enrollment, and more—to support compliance, reduce risk, and strengthen trust.
Discover how Verisys’ provider compliance data solutions can help your organization stay aligned with evolving healthcare regulations.














