A Closer Look at the 2025 IPPS Rule and What It Means for Hospitals, Health IT, and Interoperability

The Centers for Medicare & Medicaid Services (CMS) just dropped its 2025 IPPS final rule, and if you’re in health IT, cybersecurity, public health data exchange, or prior authorization reform, this one’s for you. While payment updates are the headline (a 2.6% increase for compliant hospitals), the real buzz lies in how CMS and ONC are threading technology, security, and interoperability tighter into the fabric of Medicare hospital operations. Let’s dive into the highlights.

1. TEFCA is officially in the mix – Public Health Bonus

Hospitals now have the option to earn a bonus under the Public Health and Clinical Data Exchange objective by using TEFCA to exchange data with public health agencies, starting in 2026. Why this matters:

TEFCA—The Trusted Exchange Framework and Common Agreement—represents a new national backbone for health information exchange. Tying it to public health data exchange is a subtle nudge toward adoption and real-world utility. This creates a path for hospitals to be rewarded for participating in more scalable, interoperable, and trusted data sharing across the ecosystem. Win-win. But let’s not forget the established pathways that are already working for public health data exchange, such as Direct Secure Messaging. Hospitals will need to weigh the cost and benefit of moving public health data reporting to TEFCA. But if you are already transitioning to TEFCA, here’s your bonus for incentives!

2. Security Risk Analysis…Now with Risk Management

Also effective in 2026: CMS is beefing up the Promoting Interoperability Program’s security requirements. Hospitals will now attest not just to conducting a Security Risk Analysis, but also to performing Security Risk Management.

This isn’t a new burden—it’s a clarification and accountability moment. Since 2003, the HIPAA Security Rule has required covered entities to both analyze and manage risks to electronic protected health information (ePHI). But now, hospitals must formally attest that they’re doing both.

No extra time or phase-in here. As CMS put it bluntly (and I have said the same): You’ve had 20+ years to prepare. This step ensures cybersecurity isn’t just a compliance checkbox—it’s a living, breathing responsibility embedded in your operations.

3. HTI-4 Makes a Surprise Unveiling in a Payment Rule—

It might raise eyebrows that a technology rule (HTI-4, led by ONC/ASTP) is now being rolled into a payment rule (IPPS). Is it effective? Potentially. Efficient? Arguably. Telling of structural changes within HHS? For sure. It streamlines regulatory alignment but might leave stakeholders flipping between rulebooks.

Still, the HTI-4 portions finalized here pack a punch—especially on electronic prior authorization, real-time prescription benefits.

4. Electronic Prior Authorization (ePA) - Keymaster to the Gatekeeper (CMS-0057-F)

ASTP is finalizing three certification criteria to enable electronic prior authorization via APIs, guided by HL7® FHIR® implementation guides. These modules will allow providers to interact with payer systems seamlessly🤞—an essential building block in CMS’s broader interoperability push.

This comes on the heels of a public-private pledge between HHS, CMS, and major payers to fix prior auth. (If you missed it, check out this HHS Press Release).

These new certification criteria aren’t theoretical—they pave the way for actual systems that help providers avoid phone trees, faxes, and the time-sucking slog of manual prior auth. It’s a huge deal for reducing provider burnout and speeding up patient care that I’ve screamed for since 1990-something.

5. What’s the Deal with Real-Time Prescription Benefit?

ASTP also finalized several FHIR® specs, including for real-time prescription benefit checks, though they held off on requiring usability or alert design measures just yet. For now, it’s about getting the infrastructure right—and then iterating based on how it works in practice.

6. FHIR®, FHIR®, Everywhere

FHIR® continues its reign as the foundational standard across APIs and data exchange. New adoption of multiple FHIR® implementation guides—CARIN, Da Vinci PDex, US Drug Formulary, and Plan Net—further cements its role as the interoperability language of the future. These are key to empowering data portability between payers, providers, and patients.

7. What’s Missing? Equity.

A notable—and disappointing—absence: health equity and social drivers of health. Not a single required metric related to SDOH or equity made the cut (want to see my ‘shocked’ face??). At a time when disparities persist across nearly every aspect of healthcare, their omission in this rule is glaring but expected.

8. Connecting to the Broader Ecosystem

Want to know where all of this fits? Check out CMS’s Health Tech Ecosystem Early Adopters. These updates align with the broader shift toward data networks, interoperability, and shared standards that bring government and private actors together. The IPPS rule isn’t just about reimbursement—it's shaping a smarter, more connected digital health infrastructure.

Need help navigating the evolving policy landscape or implementing these changes? Let’s connect—because interoperability, security, and strategy are my jam and I’d love to help! Susan.Clark@ConvergeHLTH.com