Empowering Compliance Professionals Through Awareness and Insight
From the expiration of key Medicare telehealth flexibilities to new cybersecurity mandates in New York and expanded oversight of private equity healthcare acquisitions in California, October 2025 brings major compliance developments that affect healthcare organizations nationwide. These updates underscore the importance of maintaining agile compliance programs and proactive risk management strategies.
Federal Update: Expiration of Medicare Telehealth Flexibilities
Effective Date: October 1, 2025
Agency: Centers for Medicare & Medicaid Services (CMS)
Several Medicare telehealth waivers introduced during the COVID-19 Public Health Emergency officially expired this month. These changes affect:
- Originating site requirements for telehealth visits
- Eligible billing providers
- Documentation and reimbursement procedures
CMS also instructed Medicare Administrative Contractors (MACs) to temporarily hold certain claims dated on or after October 1, pending finalization of updated reimbursement guidelines.
What This Means for Healthcare Providers
- Review your telehealth offerings and confirm compliance with reinstated limitations.
- Issue Advance Beneficiary Notices of Noncoverage (ABNs) for services no longer reimbursable.
- Update billing and patient communication practices to prevent compliance risks.
HIPAA Enforcement: HHS OCR Settles with Cadia Healthcare
Agency: U.S. Department of Health and Human Services, Office for Civil Rights (OCR)
The HHS OCR announced a settlement with Cadia Healthcare Facilities following potential violations of the HIPAA Privacy and Breach Notification Rules. This resolution reinforces the government’s ongoing commitment to protecting patient data and underscores the serious consequences of HIPAA noncompliance.
Key Takeaways for Compliance Teams
- Reevaluate data security protocols and ensure regular employee training.
- Conduct risk assessments and simulate breach response drills.
- Strengthen documentation and audit readiness to mitigate investigation risks.
State Spotlight: New York Hospitals Face Enhanced Cybersecurity Mandates
Effective Date: October 2, 2025
Jurisdiction: State of New York
New York now requires hospitals to comply with stricter cybersecurity regulations aimed at enhancing patient data protection. The new mandates include:
- Adoption of advanced cybersecurity frameworks
- Routine risk assessments and system testing
- Incident response protocols for breach prevention and mitigation
Action Steps for New York Healthcare Entities
- Update internal cybersecurity policies and vendor management procedures.
- Conduct comprehensive data protection training for all staff.
- Implement a regular vulnerability assessment schedule to ensure ongoing compliance.
California Expands Oversight of Private Equity Healthcare Acquisitions
Effective Date: January 1, 2026
Legislation: Assembly Bill 1415 (AB 1415)
Signed: October 11, 2025, by Governor Gavin Newsom
Under AB 1415, the California Office of Health Care Affordability (OHCA) gains expanded authority to review private equity and hedge fund healthcare acquisitions. The legislation aims to increase transparency and protect patients from cost-driven consolidation impacts.
What Healthcare Investors Need to Know
- All medical buyouts and acquisitions must now be reported to OHCA for approval.
- Expect longer review timelines and enhanced disclosure requirements.
- Collaborate with legal and compliance teams early to ensure seamless filings.
Conclusion: Staying Ahead in a Changing Compliance Landscape
As the regulatory environment continues to evolve, compliance leaders must not only stay informed but also anticipate how policy changes impact operations, patient care, and organizational risk.
Verisys remains dedicated to helping compliance professionals stay confident and prepared through real-time legislative insights and tailored compliance solutions.
Explore how Verisys provider compliance data solutions can help your organization align with the latest healthcare regulations.