Included in this newsletter
- A Shift in Federal DME Fraud Oversight Demands a Shift in Compliance Thinking
- CMS Announces Aggressive Nationwide Crackdown on Fraud with Six-Month Hospice & Home Health Agency Enrollment Moratoria
- HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations
- Tennessee Bans PBMs from Owning Pharmacies
- FDA Proposes to Exclude Semaglutide, Tirzepatide, and Liraglutide on 503B Bulks List
- Is 340B Miscategorization Stealing Your MFP Refunds?
- TrumpRx Adds Generic Drugs
A Shift in Federal DME Fraud Oversight Demands a Shift in Compliance Thinking
CMS is moving deliberately away from the “pay-and-chase” enforcement model that has defined Medicare fraud responses for decades. In its place, the agency is investing in advanced analytics, real-time oversight and proactive detection. The federal government is no longer simply responding to fraud after the fact. It is building systems designed to prevent it from occurring in the first place.
For DMEPOS providers, that distinction carries significant weight. Organizations that have approached compliance reactively, responding to audits and correcting deficiencies after the fact, will find this new environment increasingly difficult to navigate. The suppliers best positioned to meet this moment are those that have already established a proactive standard of accountability. In this context, accreditation represents one of the most meaningful commitments an organization can make to communicate reputational integrity and adherence to standards of care.
Accreditation is not simply a credential. It is the result of a rigorous, independent evaluation of an organization’s policies, procedures, patient care practices and operational integrity against nationally recognized standards. Accreditation through a reputable, independent body also sends a meaningful signal to CMS, referral partners, and the patients an organization serves. It communicates that the organization has been independently verified as meeting the highest standard of quality and compliance, a distinction that carries considerable credibility in an environment where program integrity is a federal and business priority.
For suppliers that are evaluating their next steps, the most prudent course is to begin building the operational and compliance foundation CMS and the broader healthcare community are expecting. Organizations that invest now in stronger compliance frameworks and independent validation will be best positioned to succeed in this evolving regulatory environment. Accreditation is one of the clearest ways to demonstrate that readiness.
A shift in federal DME fraud oversight demands a shift in compliance thinking - McKnights Home Care
CMS Announces Aggressive Nationwide Crackdown on Fraud with Six-Month Hospice & Home Health Agency Enrollment Moratoria
In coordination with Vice President JD Vance’s Anti-Fraud Task Force, CMS is taking decisive action to protect Medicare beneficiaries and taxpayer dollars through implementation of a six-month, nationwide data-driven moratoria on new Medicare enrollment for hospices and home health agencies (HHAs). The moratoria will allow CMS to temporarily halt the influx of new providers into these high-risk categories, which are a key source of fraudulent activity.
HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations
On April 23, 2026, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Ransomware is malicious software that blocks access to data—typically by encrypting it with a key known only to the attacker—until a ransom is paid. The resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, security, and availability of electronic PHI (ePHI). The Risk Analysis provision requires regulated organizations (covered entities and business associates) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by those organizations.
“Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR. Click here to see specific details on each settlement.
OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by the HIPAA Security Rule take the following steps to prevent or mitigate cyber-threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ health information. Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and the Security Rule’s Risk Analysis requirement, can also be found on OCR’s website.
Covered entities must comply with breach notification obligations under the HIPAA Breach Notification Rule. In submitting a notice of a breach of unsecured PHI to the HHS Secretary, covered entities must use the HHS Breach Portal.
HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations | HHS.gov
Tennessee Bans PBMs from Owning Pharmacies
Governor Bill Lee (R-Tenn.) signed the Freedom, Access and Integrity in Registered Pharmacy (FAIR Rx) Act into law on May 22, 2026, making Tennessee the second state to pass legislation prohibiting PBMs from owning or operating pharmacies. This comes after a hard-fought battle during which PBMs and their allies reportedly spent over $7 million and hired more than 60 additional lobbyists for their campaign opposing the legislation.
A similar bill was signed into law in Arkansas in 2025. A federal bill to require companies that own health insurers or PBMs to divest their pharmacy businesses was reintroduced in Congress on May 13, 2026.
TPA, NCPA Applaud Tennessee Law Banning PBMs from Owning Pharmacies | NCPA
FDA Proposes to Exclude Semaglutide, Tirzepatide, and Liraglutide on 503B Bulks List
The FDA announced a proposal to exclude semaglutide, tirzepatide, and liraglutide from the 503B bulks list after determining there is no clinical need for outsourcing facilities to compound these drugs from bulk substances, given that FDA-approved versions already exist. Outsourcing facilities generally may not compound from bulk ingredients unless a substance appears on the 503B list or the drug is in shortage, so the agency reviewed nominations for these three substances and found insufficient evidence to justify their inclusion. Emphasizing patient safety and the integrity of the drug approval process, FDA noted that compounding from bulk ingredients is only lawful when a clear clinical need exists. The agency is now accepting public comments, here, on the proposal through June 29, 2026.
FDA Proposes to Exclude Semaglutide, Tirzepatide, and Liraglutide on 503B Bulks List | FDA
Is 340B Miscategorization Stealing Your MFP Refunds?
Pharmacies have alerted NCPA that Beacon MFP is inappropriately rejecting MFP refund claims due to 340B discounts and subsequently denying good faith inquiries (GFI) by pharmacies that have no contract pharmacy relationships or have reasonable belief that a claim is not 340B-eligible. Pharmacies should access their 835 remittance advice available in the Medicare Transaction Facilitator and review lines with Remittance Advice Remark Code (RARC) = N907 “No refund because this claim has been identified as 340B-eligible with a ceiling price lower than the maximum fair price” to identify any rejected MFP refunds.
The first step to correct this is to use the Beacon MFP GFI process. All of the manufacturers with an MFP drug in 2026 use Beacon MFP to handle GFIs from pharmacies, but you need to sign in or enroll to open a GFI. If using the Beacon MFP GFI process does not correct MFP refund payment, pharmacies should use CMS' dispute form in the MTF. It is critical that CMS receives disputes to have data it can use in compliance discussions with manufacturers.
Is 340B miscategorization stealing your MFP refunds? | NCPA
Electronic Prior Authorization Improvements: Get Involved & Start Testing
The current prior authorization process can create unnecessary delays and burden for providers. It has eroded trust between payers and providers even as we all work to ensure patients get the high-quality care they need. This past summer, HHS Secretary Robert F. Kennedy, Jr., CMS Administrator Dr. Mehmet Oz, and National Coordinator for Health IT Dr. Thomas Keane announced a landmark health care industry pledge with major health plans from across the country to streamline and improve the prior authorization system. This pledge reflects a shared commitment to modernize prior authorization and create a more responsive, patient-centered health care experience.
CMS strongly encourages providers to take an active role in advancing electronic prior authorization by participating in Fast Healthcare Interoperability Resources® (FHIR) Application Programming Interface (API) testing with your electronic health record (EHR) vendor and payer partners. Contact your EHR vendor to learn how you can test to make sure your systems are ready for electronic prior authorization. Early testing and collaboration between your practice, EHR vendor, and payers is essential to ensure seamless, real-world implementation of electronic prior authorization workflows. Engage now to:
- Identify gaps
- Validate workflows
- Build the technical readiness needed to meet upcoming implementation goals
- Improve the experience for your patients and staff
Visit the new Electronic Prior Authorization webpage to get started.
MLN Connects Newsletter for May 7, 2026 | CMS
Virginia Governor Abigail Spanberger signs bipartisan bills to cap cost of insulin, lower health care and prescription drug costs
Governor Spanberger of Virginia signed a bipartisan package of bills aimed at lowering health care costs for Virginians. The bills include (HB1214) a cap of $35 for a 30-day supply of insulin for state-regulated plans and (HB625) require Marketplace insurers to offer plans with capped monthly prescription drug costs. There are also provisions that (HB736) limit prior authorizations to reduce delays in care, (HB328) expand the state's essential health benefits to include services such as doula care, infertility treatment, and hearing aids, and (HB484, SB164) restrict insurers from downcoding certain claims to encourage more affordable care. All the measures passed with bipartisan support.
TrumpRx Adds Generic Drugs
President Trump announced on May 18, 2026, that he has made partnerships with GoodRx, Amazon Pharmacy, and Mark Cuban's Cost Plus Drug Company to make 602 additional generic medications available on the TrumpRx website. TrumpRx does not actually sell prescription drugs but instead helps identify the lowest prices of certain medicines for customers without insurance. The new additions include widely used generic antihypertensive medications, antibiotics, and statins with many costing less than $5. Only a limited segment of the population is benefiting from the White House's one-on-one deals with drug-makers earlier this year. Manufacturers were promised insulation from tariffs if they reduced some of their prices and offered certain drugs directly to consumers via TrumpRx. Click here to see a fact sheet from the White House.
White House adds generic drugs to direct-to-consumer TrumpRx site
Reminder for Pennsylvania Pharmacies
The deadline for grandfathering pharmacy technicians in Pennsylvania is June 28, 2026. Any applications submitted after that date will be denied.
Compliance Tip of the Month
Maintain a license, certification, insurance and all annual renewals tracking calendar for the pharmacy and all staff to prevent lapses. You can utilize the License Verification Tool on the R.J. Hedges & Associates Compliance Portal® to create reminders for any important renewals. It also allows you to scan the most recent associated document for easy reference and retrieval.
