By Víctor M. Rodríguez-Reyes, Esq. – Senior Member Attorney at Ferraiuoli
The healthcare regulatory landscape is undergoing transformative changes as federal agencies recalibrate policies across electronic health records, telehealth, data privacy, and long-term care. These developments signal fundamental shifts in Federal budgets and deregulation.
Understanding these changes is essential for healthcare organizations seeking to maintain compliance while adapting to evolving federal priorities.
The Electronic Health Record Reset: FHIR Takes Center Stage
The Department of Health and Human Services has proposed eliminating 34 of 60 certification requirements for electronic health record systems, representing the most significant overhaul of the Health IT Certification Program since its inception. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) published the Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity (HTI-5) Proposed Rule on December 22, 2025, marking what officials describe as a complete program reset.
This deregulatory initiative removes requirements that ASTP/ONC determined are no longer necessary to advance interoperability and no longer provide strong market drivers for adoption. The proposal pivots decisively toward Fast Healthcare Interoperability Resources (FHIR)-based application programming interfaces (APIs), reflecting congressional direction under the 21st Century Cures Act to prioritize seamless data exchange over prescriptive functionality requirements.
For health IT developers, this shift reduces compliance burdens while narrowing regulatory focus to interoperability standards that enable creative AI-enabled solutions. The 60-day comment period closes February 27, 2026, giving stakeholders limited time to influence the final framework that will govern health IT certification for years to come.
Telehealth Prescribing: The Fourth Extension and Continued Uncertainty
Federal agencies have issued a fourth temporary extension allowing telehealth-only prescribing of controlled substances through December 31, 2026, averting what stakeholders have termed the “telemedicine cliff” that would have severely restricted patient access. The Drug Enforcement Administration (DEA), working jointly with HHS, published the extension on December 31, 2025, maintaining COVID-19 era flexibilities that have become integral to modern healthcare delivery.
Under these flexibilities, DEA-registered practitioners may remotely prescribe Schedule II-V controlled medications via audio-video telemedicine without having conducted an in-person medical evaluation, provided prescriptions comply with federal and state law.
The extension reflects continued regulatory hesitation following the pandemic. While permanent rules remain unsettled, the temporary framework allows prescribers to continue serving patients who rely on telehealth, particularly in rural areas, while federal agencies work toward finalizing the Special Registration for Telemedicine proposed in January 2025. However, the Trump administration’s position on this proposed rule remains unclear, leaving the regulatory future beyond 2026 uncertain.
Patient Privacy Meets Immigration Enforcement: The Medicaid Data Sharing Controversy
A federal court ruling has clarified that the Centers for Medicare and Medicaid Services (CMS) may share limited Medicaid data with Immigration and Customs Enforcement (ICE) when explicitly authorized by statute. U.S. District Judge Vince Chhabria ruled on December 29, 2025, that basic biographical, location, and contact information sharing is clearly authorized by law, while maintaining restrictions on sensitive health data.
The ruling, issued in a lawsuit brought by 20 state attorneys general, represents a partial victory for the Trump administration’s immigration enforcement priorities. CMS may share citizenship status, addresses, phone numbers, dates of birth, and Medicaid IDs for individuals residing in the United States unlawfully, effective January 6, 2026. However, the court maintained an injunction prohibiting sharing of detailed medical information, data about U.S. citizens or legal permanent residents, and information from other CMS-administered programs.
This policy reverses decades of practice. As Judge Chhabria noted in his ruling, CMS has maintained since at least 2013 a policy of not sharing Medicaid data for immigration enforcement, and ICE similarly maintained public policies against using such data. The abrupt reversal, implemented through a November 2025 Federal Register notice, underscores that healthcare data privacy protections have statutory limits when immigration enforcement authority is explicitly granted by Congress.
Artificial Intelligence Enters Medicare Reviews: The WISeR Model Launch
CMS launched the Wasteful and Inappropriate Service Reduction (WISeR) Model on January 1, 2026, introducing artificial intelligence and machine learning tools to Medicare claims review for the first time. This six-year voluntary pilot operates in six states—Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington—targeting services historically vulnerable to fraud, waste, and abuse.
The model employs third-party technology companies rather than healthcare providers as participants, marking an unprecedented approach. Six technology vendors—Cohere Health, Genzeon Corporation, Humata Health, Innovaccer, Virtix Health, and Zyter—will use AI to streamline prior authorization and pre-payment review for select services including skin substitutes, electrical nerve stimulators, and knee arthroscopy for osteoarthritis.
Critically, final coverage decisions remain with licensed clinicians with relevant clinical expertise. The AI serves primarily as a process tool to flag high-risk claims and streamline approvals. When coverage is denied, human review is required. Technology participants receive payment tied to demonstrated savings, though CMS emphasizes they are incentivized to reach correct determinations rather than deny claims.
WISeR addresses significant concerns about wasteful spending.
Nursing Home Staffing: A Decade-Long Pause on Federal Minimums
CMS repealed minimum staffing requirements for long-term care facilities on December 2, 2025, eliminating Biden-era standards that would have required nursing homes to provide 3.48 hours of nursing care per resident daily, including specific ratios for registered nurses and nurse aides. The repeal also removed requirements for 24/7 onsite registered nurse coverage.
This action follows Congressional intervention through the July 2025 budget reconciliation bill (Public Law 119-21), which imposed a moratorium on implementation and enforcement until September 30, 2034. Additionally, federal courts in Texas and Iowa had already vacated key provisions, finding they exceeded CMS’s statutory authority.
CMS justified the repeal citing concerns that one-size-fits-all requirements disproportionately burden rural and Tribal communities facing critical workforce shortages. The agency reinstated prior standards requiring registered nurse coverage for at least eight consecutive hours daily rather than around-the-clock.
However, research from the University of Pennsylvania estimated the original rule would have saved approximately 13,000 residents’ lives annually. Notably, CMS retained enhanced facility assessment requirements from the 2024 rule, which mandate facilities staff according to actual resident needs and acuity rather than minimums.
Understanding the New Regulatory Landscape
These five developments collectively represent a fundamental recalibration of healthcare regulation, reflecting competing priorities around deregulation, technology innovation, immigration enforcement, fraud prevention, and workforce realities. For healthcare organizations, the implications are significant and multifaceted.
The EHR certification overhaul demands attention from health IT developers who must prepare for a standards-based future while contributing to the ongoing comment period. Telehealth providers face another year of temporary flexibility but must plan for permanent rule implementation, whenever it arrives. Healthcare organizations handling Medicaid data must understand new sharing obligations and their privacy limits.
Providers in WISeR pilot states should prepare for AI-enhanced prior authorization processes. And long-term care facilities must navigate the absence of federal staffing minimums while meeting resident needs through facility-specific assessments.
As these policies evolve, healthcare organizations require strategic legal guidance to maintain compliance while adapting operations to the shifting regulatory environment. The intersection of technology advancement, political priorities, and practical healthcare delivery challenges creates complexity that demands careful navigation.
This article is provided for educational purposes only and does not constitute legal advice. Healthcare organizations facing questions about these regulatory developments should consult qualified legal counsel.
For guidance on healthcare regulatory changes, contact Víctor M. Rodríguez-Reyes, Attorney at Ferraiuoli.