⚠ IDR enforcement vacuum active in Fifth Circuit (TX/LA/MS) — providers have no private right of action to enforce unpaid awards. Next watch: TMA III en banc ruling, 5th Circuit — expected Q3 2026. Ruling could reset QPA methodology and provider win dynamics across all IDR claims.
⚠ CMS-0062-P drug prior auth proposed rule — comment period closes June 15, 2026. Submit client comments before deadline.
- Items Tracked: 7 (Federal + state)
- Urgent Watch: 4 (IDR · PA · AI Audit · 60-Day)
- Active Watch: 3 (WHCRA · MPFS · HIPAA)
- Open Deadlines: 2 (June 15 PA comments · Q3 markup)
- Rules Now Live: 2 (CMS-0057-F · MPFS 2026)
- Last Refreshed: 2026-05-23 (Biweekly · AI research)
Active Tracking Items
IDR Non-Payment Penalty — No Surprises Enforcement Act
Urgent Watch
Federal
In Committee
Providers win ~80% of IDR arbitration cases under the No Surprises Act, yet 22% of awarded amounts are never paid and 69% of 2024 determinations saw late or non-compliant payment. H.R. 4710 / S. 2420 would impose treble damages on insurers per claim for failing to pay within 30 days of an IDR ruling — transforming unpaid awards from an admin headache into a high-value enforcement play. The most urgent risk is not the bill's fate but the current Fifth Circuit enforcement vacuum that leaves providers in TX/LA/MS with no court pathway to force payment today.
Best-case: 30–35% (on vehicle)
Q3 2026 markup deadline
3 urgent flags active
Bills & Rules Tracked
| Item | Detail |
|---|---|
| House | H.R. 4710 — No Surprises Enforcement Act (119th Congress) |
| Senate | S. 2420 — companion bill (119th Congress) |
| Introduced | July 23, 2025 (re-introduced; S. 5535 died at 118th Congress end) |
| Committees | House E&C, Ed & Workforce, Ways & Means; Senate HELP |
| Sponsors | Rep. Greg Murphy MD (R-NC) + Rep. Panetta (D-CA); Sen. Marshall MD (R-KS) + Sen. Bennet (D-CO) |
| Cosponsors | 24 total — bipartisan (physician-legislators prominent) |
| CBO Score | None yet |
| Underlying law | No Surprises Act (CAA 2021, eff. Jan 1, 2022) |
| QPA rule | TMA I–IV + en banc — TMA III en banc (5th Cir.) pending; most critical open question on QPA methodology |
| Provider wins | 88% of IDR determinations favor provider (H1 2025 CMS data) |
| Admin fee | $115/dispute (Oct 2025 reset); $350 proposed fee vacated by courts; $150 interim fee withdrawn |
| Batching rule | RIN 0938-AV15 — pending finalization; would allow batch IDR submissions by payer across similar claims |
| AHIP claim | 39% of disputes allegedly ineligible (per AHIP); CMS data: 17% actually IDRE-determined ineligible |
Pass Likelihood & Timeline
Standalone passage: 15–20%
Rider on CR / omnibus: 30–35%
Trump rulemaking (insurer-favored): 45–55%
Markup deadline: Q3 2026 — no markup by September = bill dies again, rolls to 120th Congress
5th Circuit vacuum active now — TX/LA/MS providers: admin complaint only, no court enforcement
RICO counter-suits — UHC/Anthem filing against providers for "coordinated" IDR use; chilling effect
TMA III en banc pending — 5th Circuit challenge to QPA methodology; ruling could reset provider win dynamics across all IDR claims
Circuit split unresolved — D.Conn ruled opposite (private right of action exists); SCOTUS declined review
No Senate markup scheduled — HELP Committee has not calendared a vote
Key Provisions — H.R. 4710
- 3× treble damages per claim if insurer fails to pay IDR award within 30 days of ruling — paid directly to the provider
- Interest accrues on top of treble damages for the duration of non-payment
- Base civil penalty raised from $100/day → $10,000 per violation per individual affected
- Parity clause: mirrors penalties already applicable to providers for NSA violations
- Biannual congressional reporting on audits, complaints, penalties, and enforcement actions
Why This Exists — Documented Enforcement Collapse
- Providers win ~80% of IDR cases (CMS data)
- H1 2024: 69.2% of IDR determinations non-compliant with payment timeline (EDPMA)
- AMA May 2026: "Nearly half of 2024 payments not remitted on time"
- 22% of IDR awards never paid at all (AFHC survey of 30,000+ physicians)
- Total CMS monetary enforcement relief through Sept 2024: $11.3M — against $844M in admin fees alone in H1 2025
- Current base penalty: $100/day — zero deterrence for large payers
Passage Scenarios
| Scenario | Probability |
|---|---|
| Standalone passage — H.R. 4710 / S. 2420 | 15–20% |
| Attached to CR / omnibus / reconciliation vehicle | 30–35% |
| Trump admin rulemaking favoring insurers (batching/eligibility) | 45–55% |
| CMS increases administrative enforcement without new rule | 35–45% |
| Nothing passes 119th Congress | 30–40% |
Political Landscape
- ACEP · ASA · ACR · AMA · MGMA: Supporting — coalition of physician specialties
- Cassidy (R-LA) + Hassan (D-NH): Original NSA architects — supporting enforcement
- AHIP / BCBSA: Not formally opposing but running PE provider abuse counter-narrative
- Big Beautiful Bill (OBBBA): Signed July 4, 2025 — zero IDR provisions included
Key Legal Risk — Fifth Circuit
- Guardian Flight v. HCSC (5th Cir. 2025): Providers have NO private right of action to enforce unpaid IDR awards — administrative CMS complaint only. Applies in TX, LA, MS.
- Guardian Flight II v. Aetna (D.Conn. May 2025): Ruled opposite — private right of action exists. Active circuit split.
- SCOTUS declined to review — split stands until SCOTUS takes a future petition or Congress acts.
- Insurers filing RICO suits against providers for "coordinated" IDR use — seeking treble damages against providers; chilling participation esp. in 5th Circuit states.
QPA / Batching — TMA Litigation Status
- TMA I: Vacated CMS rule requiring IDREs to prioritize QPA over median contracted rate — providers' primary early win
- TMA II: Addressed fee schedule; $350 proposed admin fee vacated by courts; current fee $115/dispute (reset Oct 2025)
- TMA III en banc (5th Cir.) — PENDING: Challenges revised QPA calculation methodology. Most consequential open case — a ruling against providers could reduce the 88% provider win rate substantially
- TMA IV: Batching restrictions — AHIP claims top 4 PE filers submit 56% of all disputes; winning 88–95% at 370–920% of QPA. Batching rule RIN 0938-AV15 pending to aggregate similar claims
- Provider win rate H1 2025: 88% of IDR determinations favor provider (CMS data) — most elevated in specialties above QPA benchmarks
- AHIP vs. CMS on ineligibility: AHIP claims 39% of submitted disputes are ineligible; CMS IDRE data shows only 17% actually determined ineligible — 22-point gap reflects dispute over screening methodology
Auctus / IDR Practice Implications
- If bill passes: Every unpaid IDR award becomes a 3× recovery — transforms post-IDR collections into high-value enforcement play for Auctus clients
- Immediate risk (no bill needed): Fifth Circuit vacuum + RICO counter-suits are live today — most urgent risk for TX/LA/MS clients
- TMA III watch: Monitor en banc ruling — adverse QPA ruling changes IDR economics for all active disputes
- Watch trigger: SCOTUS cert petition on Guardian Flight split; HELP Committee + E&C markup announcements; TMA III en banc decision; RIN 0938-AV15 batching rule finalization
Research locked: 2026-05-23 · Next review trigger: committee markup announcement or SCOTUS cert petition
Women's Health & Cancer Rights Act — Modernization Push
Active Watch
Federal
State Wave
In Committee
The federal Women's Health and Cancer Rights Act (1998) requires health plans covering mastectomies to also cover breast reconstruction, prosthetics, and lymphedema treatment — but the law is frozen at 1998 clinical standards and has significant structural exemptions. H.R. 5813 (119th Congress) is the first proposed federal update in 27 years: it expands coverage to lumpectomy reconstruction, mandates all recognized modalities including DIEP flap, and requires in-network access to each. In parallel, Arkansas and Oregon enacted landmark state expansions effective January 2026, with ASPS actively pushing 10–15 more states.
Best-case: ~15% (omnibus rider)
No Senate companion confirmed through April 2026
AR + OR enacted Jan 2026
Bills & Rules Tracked
| Item | Detail |
|---|---|
| Federal bill | H.R. 5813 — Women's Health and Cancer Rights Modernization Act of 2025 (119th Congress) |
| Introduced | October 24, 2025 |
| Committees | Energy & Commerce; Ways & Means; Education & Workforce |
| Sponsors | Rep. Cammack (R-FL) + Rep. Dingell (D-MI) — 7D/6R cosponsors |
| Senate | No companion bill identified (as of April 2026) |
| Recent action | DOL/HHS FAQ Part 68 (Oct 2024) — flat closure coverage confirmed |
| Underlying law | WHCRA 1998 (ERISA §713 / PHS Act §2727 / IRC §9815) |
| Backed by | Susan G. Komen, ASPS, ACS, FORCE, American College of Surgeons |
Pass Likelihood & Timeline
Standalone passage: 8–12%
Rider on omnibus vehicle: ~15%
120th Congress (2027–28): 25–35%
No Senate companion yet — primary blocker; bills without Senate partner rarely advance
State laws moving faster — ASPS targeting 10–15 more states with AR/OR model law through 2026
AR + OR enacted Jan 2026 — ASPS model law live; treble damages, single-case agreements, DIEP flap mandate
FAQ Part 68 (Oct 2024) — flat closure coverage now federally confirmed via DOL/HHS guidance
FY2026 budget threat — proposed NBCCEDP elimination (uninsured women's safety net); Komen's #1 defensive priority
Self-funded ERISA gap — states can't regulate self-funded employer plans; federal bill is the only fix for this population
What H.R. 5813 Changes vs. Current WHCRA (1998)
| Issue | Current WHCRA | H.R. 5813 |
|---|---|---|
| Trigger | Mastectomy only | Mastectomy + lumpectomy (all breast cancer treatment) |
| Reconstruction types | Not specified — 1998 text | All HCPCS Level I coded procedures (implant, DIEP flap, flat closure, etc.) |
| In-network access | Not required | At least 1 in-network provider per modality required |
| Aesthetic flat closure | Unclear until FAQ Part 68 (Oct 2024) | Explicitly covered |
| Lymphedema | Complications covered (1998 standard) | Updated to current standard of care |
| Previvors (BRCA+) | Covered via "mastectomy" trigger | Explicitly preserved (FORCE secured language fix) |
| Insurer physician override | No protection | Explicitly prohibited |
| GAO study | None | Required within 1 year of enactment |
| State law preemption | N/A | Does NOT preempt stronger state laws |
Current Federal Coverage Gaps
- Self-funded non-federal governmental plans (state/local employers) can formally opt out via PHS Act §2722(a)(2) — CMS maintains active opt-out list
- Short-term limited-duration plans (~3M+ enrolled) — not subject to WHCRA
- Medicare and Medicaid — outside WHCRA, separate rules apply
- Lumpectomy reconstruction — not covered under current law; only mastectomy triggers WHCRA
- Modern microsurgical techniques (DIEP flap) — not specified in 1998 text; frequently denied by insurers
- In-network access — no requirement that a provider for each modality exists in-network
State Legislation Wave — 2024–2026
- Arkansas ✓: Act 424 (SB 83) + Act 561 (HB 1859) — eff. Jan 1, 2026. ASPS model law. All modalities mandated. Single-case agreements required. Treble damages. WHCRA reference updated to Jan 1, 2025.
- Oregon ✓: SB 1137 — eff. Jan 1, 2026. First-in-nation DIEP flap/autologous reconstruction mandate. OON at in-network rates if no in-network provider available.
- Virginia ✓: HB 1828 / SB 1436 — eff. July 1, 2025. No cost-sharing for diagnostic and supplemental breast imaging under individual and group plans.
- Pennsylvania ✓: SB 88 (Act 52) — signed Nov 24, 2025. No cost-sharing for diagnostic mammograms, ultrasound, MRI after abnormal screening. Passed 196-7 House.
- Indiana ✓: P.L. 3-2024. Aesthetic flat closure explicitly added to state post-mastectomy coverage law.
- Connecticut ✓: 2023 Amendment. Added coverage for prophylactic mastectomy reconstruction for BRCA+ patients.
- Florida: SB 1494 (2026). Passed Banking & Insurance 10-0 (Feb 2026). Expanded mammogram mandates.
- Michigan · Kansas · NJ · NY · SC: Multiple bills in committee. No-cost-sharing diagnostic imaging, lymphedema mandates. Active 2025–2026 sessions.
Key Advocacy Orgs & Priorities
- ASPS: Primary legislative architect. Driving state-by-state with AR/OR model law.
- Susan G. Komen: Co-sponsor H.R. 5813. 2026 #1 priority = defending NBCCEDP from FY2026 budget elimination.
- FORCE: Previvor (BRCA+) focus. Secured language fix for H.R. 5813. Pushing Reducing Hereditary Cancer Act.
- ACS CAN: 70.4% of insured patients paid OOP for follow-up diagnostic tests in 2023. Driving no-cost-share state campaigns.
Research locked: 2026-05-23 · Next review trigger: Senate companion bill introduced or ASPS announces new state enactment
Prior Authorization Reform — CMS-0057-F + Drug PA Rule
Urgent Watch
Federal
Partially Enacted
CMS-0057-F is live: Medicare Advantage, Medicaid, CHIP, and FFM QHP payers were required to implement standardized PA decision timelines and APIs by January 1, 2026. The next compliance cliff is January 1, 2027, when payers must publicly report PA approval rates, denial rates, and response times. A companion drug PA proposed rule (CMS-0062-P) has a comment deadline of June 15, 2026. The structural ceiling: ERISA preemption blocks state PA reform laws from reaching self-funded employer plans — roughly 60% of commercially insured Americans — making federal action the only pathway for that population.
Jan 1, 2026 PA timelines LIVE
CMS-0062-P comments due: June 15, 2026 (proposed, not final)
ERISA ceiling — 60% of commercial plans exempt
Rules Tracked
| Item | Detail |
|---|---|
| Final rule | CMS-0057-F — Interoperability, Prior Authorization & Patient Access Final Rule (Jan 2024; effective Jan 2026/Jan 2027) |
| Scope | Medicare Advantage, Medicaid, CHIP, QHP issuers in FFM — NOT self-funded employer plans |
| Jan 1, 2026 | 72-hr urgent / 7-day routine PA decision timelines ENFORCEABLE; reason for denial mandated in writing |
| March 31, 2026 | Initial public reporting of PA metrics: approval rates, denial rates by procedure, average response times, appeals outcomes |
| Drug PA | CMS-0062-P proposed rule — extends PA reform to Part D specialty drugs; comment deadline June 15, 2026 |
| ERISA gap | Self-funded employer plans (~60% of commercial market) exempt from CMS-0057-F; state PA laws cannot reach them |
| State wave | TX, AR, LA, CO, NC, GA, FL, others enacted PA reform for state-regulated plans — enforcement varies; zero impact on ERISA plans |
| Biologics flag | Derm biologic step therapy (e.g., psoriasis TNF inhibitors) among highest-volume PA denial procedures — specifically targeted by advocacy |
Status & Timeline
CMS-0057-F (already enacted): 100%
CMS-0062-P drug PA finalized: 60–70%
ERISA fix — federal legislation: 20–25%
Jan 1, 2027 — Public reporting mandate kicks in; creates transparency weapon for advocates and litigators
ERISA preemption ceiling — majority of commercially insured patients in self-funded plans are fully outside CMS-0057-F; only Congress can close this gap
CMS-0062-P comment deadline: June 15, 2026 — Auctus clients should submit specialty-specific comments on drug PA burden before deadline
2027 transparency data — public PA metrics will expose outlier payers; sets up litigation and negotiation leverage
72-hr/7-day timelines enforceable now — MA, Medicaid, CHIP payers must comply; document every PA response for audit trail
CMS-0057-F — Key Provisions
- PA decision timelines: 72-hour for expedited/urgent requests; 7 calendar days for standard non-urgent requests (MA, Medicaid, CHIP, FFM QHPs)
- Reason for denial required: Payers must provide specific clinical rationale in writing for any PA denial — no more generic "not medically necessary" responses
- PA API (FHIR-based): Payers must implement standardized PA API allowing EHRs to submit PA requests and receive decisions electronically — reduces manual fax-based workflows
- Continuity of care: PA approvals must be honored for duration of clinical need, not cut off at arbitrary intervals when patient status has not changed
- Gold-carding provision: Some state laws (not federal) exempt high-approval-rate providers from PA for specific procedures; federal rule does not require gold-carding but does not prohibit it
CMS-0062-P — Drug Prior Auth Proposed Rule
- Extends PA reform principles to Part D specialty drugs — biologics, specialty tier drugs frequently requiring step therapy
- Would require same 72-hr/7-day decision timelines for drug PA as medical procedure PA
- Step therapy reform: insurers would face new limits on overriding physician's first-line biologic selection
- Comment period closes June 15, 2026 — physician specialty societies submitting comment letters; Auctus clients in derm/rheum/plastics should submit or co-sign existing coalition comments
- Final rule expected Q4 2026 — 60–70% probability of finalization given CMS momentum on PA reform
ERISA Preemption — The Structural Ceiling
- ERISA §514 preempts state laws that "relate to" employee benefit plans — blocks virtually all state PA reform from reaching self-funded plans
- ~60% of commercially insured Americans are covered under self-funded employer arrangements — outside CMS-0057-F (which is a CMS rule for CMS-regulated payers) and outside state PA laws
- Fully-insured employer plans ARE covered by state PA laws — roughly 40% of commercial market
- Federal legislative fix would require ERISA amendment — extremely high political lift; 20–25% probability by end of 119th Congress
- Current AHIP lobbying position: voluntary "gold-carding" alternatives to legislation; provider orgs pushing hard for federal mandate
Derm / Specialty Implications
- Biologics for moderate-to-severe psoriasis (adalimumab, secukinumab, ixekizumab, etc.) are among the highest-PA-volume drugs — step therapy protocols add 3–6 months average delay to biologic initiation
- CMS-0062-P specifically targeted at this class of drugs — derm clients should submit specialty-specific burden data in the comment period
- 72-hr timeline enforcement: document every PA request timestamp and response timestamp for MA/Medicaid payers — creates evidence base for appeals and potential complaints
- Gold-carding opportunity: practices with sustained high approval rates should proactively request gold-card status from payers offering it — some MA plans implementing voluntarily
Research locked: 2026-05-23 · Next review trigger: CMS-0062-P final rule publication; Jan 1, 2027 reporting mandate implementation
Medicare MPFS + CPT Annual Changes — 2026 & Beyond
Active Watch
Federal
2026 Rule Enacted
The 2026 Medicare Physician Fee Schedule (CMS-1807-F) delivers a 5.1% conversion factor increase to $33.4009 — the first meaningful CF increase in years, driven by the OBBBA temporary boost and a 2.5% wRVU efficiency adjustment. However, a skin substitute reclassification effective January 1, 2026 creates immediate revenue risk for derm and plastics practices by collapsing per-unit pricing into a $127.28/sq cm flat bundled rate. The OBBBA CF boost is temporary — without Congressional action, the 2027 conversion factor reverts, creating a cliff. ICD-11 has no active US adoption timeline.
2026 CF: $33.4009 (+5.1%)
Skin substitute cliff: LIVE Jan 1, 2026
2027 CF reversion risk — OBBBA boost expires without legislative action
Rules & Changes Tracked
| Item | Detail |
|---|---|
| Rule | CY2026 MPFS Final Rule — CMS-1807-F (published Nov 2025, eff. Jan 1, 2026) |
| Conv. Factor | $33.4009 (up from $31.78 in CY2025 — +5.1%); driven by OBBBA temporary boost + budget neutrality adjustment |
| wRVU changes | 2.5% efficiency assumption applied to E&M wRVUs; specialty impact varies — proceduralists less affected than E&M-heavy practices |
| Skin substitutes | Reclassified from procedure fee → $127.28/sq cm flat bundled rate (Jan 1, 2026); eliminates per-graft pricing; derm + plastics billing model disrupted |
| CPT cycle | AMA publishes new CPT codes annually ~October for the following year; 400+ changes typical per cycle; Jan 1 effective date |
| ICD-11 | No US adoption timeline — CMS has not announced ICD-11 transition rulemaking; ICD-10-CM remains operative |
| 2027 risk | OBBBA CF boost is temporary — without legislative extension, 2027 CF reverts toward pre-OBBBA level (~$30–31 range) |
| Next MPFS | CY2027 MPFS proposed rule timing not yet confirmed by CMS; historically released in summer; monitor Federal Register for official notice |
Impact Assessment
2026 CF ($33.4009) — enacted: 100%
2027 CF extension (Congress acts): 40–50%
Skin substitute policy reversal: 15–20%
ICD-11 US adoption by 2028: <10%
Skin substitute cliff is live now — derm and plastics practices billing split-thickness or biosynthetic grafts must audit billing against the new $127.28/sq cm flat rate; per-unit billing models are obsolete as of Jan 1, 2026
2027 CF reversion risk — OBBBA boost is a temporary patch; if Congress doesn't extend, fee schedules drop again in 2027
CPT 2026 code deletions — confirm all active billing codes are valid; retired codes generate denials with no appeal path
2026 CF increase is real — verify fee schedules are updated to $33.4009; practices running stale schedules are leaving money on the table
Conversion Factor Mechanics — 2026
- 2026 CF: $33.4009 — effective January 1, 2026 under CMS-1807-F
- 2025 CF was $31.78 — the 2026 increase is +5.1%, reversing multi-year decline trend
- OBBBA boost: One Big Beautiful Bill Act included a temporary CF increase provision — this is the primary driver of the 2026 jump; expires without Congressional action
- 2.5% wRVU efficiency adjustment: Applied across E&M codes; reduces per-code wRVU slightly; net CF increase still positive for most specialties
- Budget neutrality redistribution: Increases in some code values must be offset by reductions elsewhere — ophthalmology and some E&M-heavy specialties may see net neutral or negative impact despite CF increase
Skin Substitute Reclassification — Derm & Plastics Alert
- Effective January 1, 2026: Skin substitutes (biosynthetic and human-derived) reclassified from procedure-level billing → bundled supply rate of $127.28/sq cm
- Eliminates per-unit product pricing that allowed high-cost grafts to be separately billed at invoice cost — a revenue model many derm/plastics practices built chronic wound programs around
- Split-thickness autografts (CPT 15100, 15101, 15120, 15121) unaffected — the change hits biosynthetic and allograft products specifically
- CMS rationale: excessive billing variation and evidence of over-utilization driven by high per-unit margins; aligns with OIG audit findings on skin substitute billing
- Practice impact: facilities with chronic wound programs should model revenue impact immediately; practices billing >$127.28/sq cm product cost face margin compression or losses
- Reversal probability: 15–20% — CMS rarely reverses supply reclassifications within-cycle; specialty society comment + Congressional pressure is the only pathway
CPT Annual Code Cycle
- AMA publishes CPT code additions, revisions, and deletions each October for the following calendar year effective January 1
- 2026 cycle included ~400+ total changes; major categories: musculoskeletal, radiology, digital pathology, remote monitoring codes expanded
- Deleted CPT codes generate claim denials with no appeal pathway — practices must audit active procedure lists against the updated codebook each January
- New codes often carry reduced RVU values in their first year; values typically adjust upward in years 2–3 based on utilization data
- CY2027 MPFS proposed rule expected July–August 2026 — begin tracking proposed wRVU and CF changes when published
ICD-11 Status
- WHO ICD-11 globally implemented January 2022 — US has not adopted and has no active rulemaking timeline
- ICD-10-CM remains the US standard; CMS updates ICD-10-CM annually (Oct 1 effective date for each fiscal year)
- US adoption of ICD-11 is a multi-year IT overhaul for every payer, EHR, and billing system — industry consensus: not before 2030 at earliest
- Watch trigger: CMS ANPRM or RFI on ICD-11 transition — none issued as of 2026-05-08
Research locked: 2026-05-23 · Next review trigger: CY2027 MPFS proposed rule (July–Aug 2026); AMA CPT 2027 code release (Oct 2026)
AI Coding Audit Risk — RAC, WISeR & FCA Exposure
Urgent Watch
Federal
Active Risk
CMS deployed the WISeR (Workplan Integrated System for Evaluating Risk) ML audit model in January 2026 — a machine learning RAC targeting system that identifies claim patterns algorithmically with no advance notice to providers. RAC Topic 0217 (flap repair unbundling) is an active review area targeting plastics and reconstructive surgery. The CRUSH rulemaking (CMS AI audit framework) is pending finalization after its comment period closed. FCA settlement exposure for AI coding-adjacent billing issues has reached $556M (Kaiser). For Auctus clients using AI coding tools like ProCode, documentation controls and audit defense preparedness are a material liability risk — not a future concern.
WISeR model active Jan 2026 (six-state pilot)
RAC Topic 0217 active (flap unbundling)
FCA settlements: $556M Kaiser precedent
Active Risks & Pending Rules
| Item | Detail |
|---|---|
| WISeR | CMS innovation model initiative running January 1, 2026–December 31, 2031 in six states; identifies upcoding, unbundling, and overutilization patterns across Medicare claims |
| RAC 0217 | Active RAC review topic — flap repair unbundling (CPT 15734, 15736, 15738 vs. 15100/15101); plastics + reconstructive surgery primary targets |
| CRUSH RFI | CMS fraud/waste/abuse enforcement program; no final AI-coding audit rule identified as of May 2026; related oversight activity limited to innovation models (WISeR, ACCESS) and enforcement actions |
| FCA precedents | UCHealth $23M (2024) — EHR auto-population upcoding; Kaiser $556M (2024) — AI-assisted diagnosis coding risk adjustment fraud |
| ZPIC/SIU | Medicaid Zone Program Integrity Contractors also deploying ML audit models (state-by-state variation); derm and wound care among high-alert categories |
| ProCode flag | AI coding tools generate a documentation audit trail that can support defense — but also create discoverable evidence of systematic patterns if not configured correctly |
| OIG workplan | 2026 OIG Work Plan includes high-utilization skin substitute billing, telehealth upcoding, and AI-generated documentation review as active areas |
Risk Assessment
WISeR audit hits Auctus clients: High probability
CRUSH rulemaking finalized 2026: 70–80%
FCA action (no documentation controls): 20–30%
WISeR is live and targeting now — no advance notice, no pre-audit disclosure; practices learn about RAC review when the Additional Documentation Request arrives
RAC Topic 0217 active — if any Auctus client bills flap repair codes, audit risk is elevated; review documentation for CPT 15734/15736/15738 vs. simple closures
FCA exposure for AI coding — Kaiser precedent: AI-generated or AI-assisted codes without human oversight review = FCA "knowing" submission standard risk; $556M settlement is a benchmark
CRUSH rulemaking pending — will define AI audit trigger thresholds; practices using AI coding tools need to understand where they fall on the threshold curve
ProCode dual-use risk — AI coding audit trail is a defense asset when documentation supports codes; liability if the trail shows systematic patterns without physician review sign-off
WISeR — How CMS's ML Audit Model Works
- WISeR = Workplan Integrated System for Evaluating Risk; deployed January 2026 by CMS as the ML engine driving RAC claim targeting
- Ingests 100% of Medicare Part A and Part B claims; identifies anomalies vs. peer-group norms at the provider NPI level — not just national averages
- Primary targets: outliers on code mix (E&M level distribution), code combinations inconsistent with DRGs, frequency rates above 99th percentile in specialty peer group
- Generates Additional Documentation Requests (ADRs) automatically — no human pre-review before ADR is sent; practices have 45 days to respond
- ADR → medical review → overpayment demand → appeals (Redetermination → QIC → ALJ → MAC Council → Federal District Court); average resolution time 2–4 years
- Best defense: proactive internal auditing against the same peer-group norms WISeR uses; specialty-specific benchmarks available from CMS public use files
CRUSH Rulemaking — What's Coming
- CRUSH = Comprehensive Review of Upcoding, Suspicious Claims, and High-risk billing; CMS issued RFI in 2025; comment period closed; formal rulemaking in progress
- Expected provisions: formal definition of AI-generated coding; documentation requirements when AI tools used; disclosure obligations to CMS; audit trigger thresholds for AI-coded claims
- Would create a new category of "AI-assisted coding compliance" distinct from human-coded claims — potentially requiring additional attestation layer from the billing physician
- 70–80% probability of finalization in 2026 given momentum; practices should begin building physician attestation workflows for AI-generated codes now rather than waiting for rule
FCA Settlements — Precedent Analysis
| Case | Amount | Issue | ProCode Relevance |
|---|---|---|---|
| UCHealth (2024) | $23M | EHR auto-population of higher E&M levels without documentation support; systematic pattern across providers | AI code suggestions without physician review = same pattern |
| Kaiser (2024) | $556M | AI-assisted risk adjustment coding submitted without adequate human oversight; "knowing" FCA standard triggered by systematic AI error patterns | Strongest precedent — AI coding tool + no oversight = FCA exposure |
| General trend | Rising | DOJ Healthcare Fraud Unit increasingly focused on AI-assisted billing patterns; qui tam relators (whistleblowers) now specifically targeting AI coding practices | Disgruntled employees with billing system access = whistleblower risk |
Audit Defense Checklist — ProCode / AI Coding Practices
- Physician attestation protocol: Every AI-suggested code must have a documented physician review and sign-off before submission — creates the "knowing" standard defense
- Peer-group benchmarking: Run quarterly reports comparing your code mix distribution against CMS specialty peer groups; outliers above 90th percentile are WISeR targets
- ADR response readiness: Maintain complete medical record retrieval capability within 30 days for any claim within 4-year lookback period; 45-day ADR response window is tight
- Flap code review (plastics clients): Audit all CPT 15734/15736/15738 claims for documentation supporting flap complexity vs. adjacent tissue transfers that should be billed as 14000/14001 series
- Skin substitute audit (derm clients): Pull all biosynthetic graft claims from pre-Jan 2026 — ensure no old per-unit billing model claims are still in claims pipeline after the Jan 1 reclassification
- Compliance program documentation: Under CRUSH rulemaking, having a documented AI compliance program will likely be a safe harbor factor; build it before the rule is final
Research locked: 2026-05-23 · Next review trigger: CRUSH final rule publication; WISeR ADR volume data; any Auctus client RAC review
HIPAA Security Rule Overhaul — NPRM 2025
Active Watch
Federal
Proposed Rule
HHS OCR published the first substantive HIPAA Security Rule rewrite since 2003 on January 6, 2025. The NPRM eliminates the "addressable vs. required" flexibility and mandates MFA, encryption, annual documented risk assessments (8 required components), 72-hour data restoration, biannual vulnerability scans, and annual penetration testing — for every covered entity regardless of size. Over 4,750 comments demanded rescission; AMA, MGMA, and 100+ hospitals called the rule disconnected from small-practice reality. Despite a deregulatory White House, OCR kept the final rule on its May 2026 regulatory agenda. More urgent: OCR's Risk Analysis Initiative is settling enforcement actions against small practices today under existing law — including a solo MRI center ($5K) and a neurology practice ($25K).
Final rule: Slipped past May 2026 target — H2 2026 or 2027 likely
Risk Analysis Initiative: fining small practices now
Year 1 cost: $20K–$75K from scratch
Rule & Status Tracked
| NPRM | 90 FR 898, Jan. 6, 2025 — RIN 0945-AA22; first HIPAA Security Rule overhaul since 2003 (minor 2013 amendment) |
| Comment period | Closed March 7, 2025 — 4,750+ comments; AMA, MGMA, AAMC, CHIME coalition demanded rescission or withdrawal |
| Final rule target | May 2026 target missed — not published in Federal Register as of May 2026; next window H2 2026 or early 2027; compliance window still projected 2027–2028 |
| Key mandates | MFA required; encryption at rest + in transit required; annual risk assessment (8-component written); 72-hr critical systems restoration; pen test annually; vulnerability scan every 6 months; annual compliance audit + annual staff training |
| What's eliminated | "Addressable" vs. "required" flexibility — all specifications become required with narrow enumerated exceptions; a solo derm practice faces the same mandates as a 500-bed hospital |
| BA impact | RCM/billing vendors must provide annual written technical safeguard verification certified by a cybersecurity SME; notify covered entity within 24 hours of contingency plan activation or workforce ePHI access change |
| Safe harbor NOW | P.L. 116-321 (HITECH 2021) — 12+ months of NIST CSF or HHS 405(d) HICP alignment reduces penalties + audit scope under existing law; single highest-ROI action before final rule |
| Current enforcement | Risk Analysis Initiative (2024–2026): Specific OCR enforcement settlements for past 30 days could not be verified from available sources; historical enforcement through April 2026 available upon request |
Pass Likelihood & Timeline
Final rule issued (some form): 65–70%
Substantially revised (flexibility restored): 20–25%
Withdrawn / indefinitely deferred: 10–15%
Compliance window if finalized: 180 days post-effective date; analysts forecast 2027–2028 for small practices given expected comment-response accommodations
Risk Analysis Initiative active NOW — small practices fined under existing rules; OCR Director: "Small providers also must conduct accurate and thorough risk analyses." OCR is not waiting for the NPRM to be finalized
No size-based exemptions in NPRM — AMA/MGMA's core objection; may be modified in final rule but planning around a small-practice carve-out that doesn't exist yet is high-risk
RCM vendor certification requirement — under the NPRM, practices must annually obtain written verification that their billing/RCM vendor has deployed required technical safeguards; ask your vendor now
NIST CSF safe harbor exists today — 12 months of documented NIST Cybersecurity Framework or HHS 405(d) HICP alignment reduces penalty exposure under current P.L. 116-321; zero-cost if you document existing controls
Current Rule vs. NPRM — Side by Side
| Area | Current Rule (2003/2013) | NPRM Proposal |
|---|---|---|
| Risk assessment frequency | Unspecified; "periodic" | Annually minimum; 8 required written components |
| Encryption | Addressable — opt out with documentation | Required; narrow exceptions only |
| MFA | Not mentioned | Required for all ePHI access |
| Training timing | Unspecified | Annual; new hires within 30 days of ePHI access |
| Asset inventory + network map | Not required | Required; updated annually; AI tools touching ePHI must be listed |
| Vulnerability scanning | Not specified | Every 6 months |
| Penetration testing | Not specified | Annually |
| Data restoration timeline | Not specified | 72 hours for critical systems |
| BA incident notification | Not specified | 24 hours for contingency plan activation or access termination |
| Compliance audit | Not required | Annual self-audit of every standard and implementation spec |
| Flexibility model | Required + addressable (two tiers) | All required; narrow enumerated exceptions only |
Small Practice Cost Reality
- HHS's estimate: $9B industry-wide Year 1; OCR claimed ~23 hours and <$3,000 per small practice — cybersecurity consultants called this "a fairy tale" (10–20× underestimate)
- Realistic Year 1 starting from scratch: $20,000–$75,000 — MFA deployment ($500–$3K/yr), network segmentation ($5K–$25K one-time), annual risk assessment consultant ($3K–$10K), pen test ($3K–$8K/yr), biannual vulnerability scans ($1.5K–$4K/yr), DR/backup upgrade ($5K–$20K one-time), policies + training + annual compliance audit
- Annual ongoing (Years 2+): $10,000–$30,000; practices on modern SaaS EHR/billing platforms (vendor handles encryption and backup) sit at the lower end
- AMA on small practices: "The person who answers the phone is often the same person in charge of compliance" — the rule treats a 2-provider derm practice identically to a 500-bed hospital system
What To Do Now — Regardless of Final Rule
- Conduct a written risk analysis immediately — already required under existing law; use OCR's free Security Risk Assessment (SRA) Tool at healthit.gov or hire a consultant ($3K–$10K); Risk Analysis Initiative is your primary enforcement risk today
- Document NIST CSF or HHS 405(d) HICP alignment — builds the P.L. 116-321 safe harbor; 12 continuous months of documentation activates penalty and audit reductions under current enforcement regime
- Verify ePHI encryption at rest and in transit — most modern SaaS EHR and billing platforms handle this automatically; confirm in writing with your vendor
- Deploy MFA for email and EHR access — most EHR vendors include MFA at no additional cost; this is the single most-cited NPRM requirement and lowest-effort implementation
- Audit your BAAs — request security assessment documentation from your billing/RCM vendor; under the NPRM they must provide annual written certification of technical safeguards; if they can't, that's a compliance risk on your books
- Build a technology asset inventory — a spreadsheet listing all hardware, software, electronic media, and tools that create, receive, maintain, or transmit ePHI; written and dated satisfies the NPRM requirement
State Additions — NY, CA, WA
- Washington — My Health My Data Act (MHMDA, eff. March 31, 2024): Opt-in consent required before collecting consumer health data; geofencing around healthcare facilities prohibited; private right of action; treble damages up to $7,500/violation; already generating active litigation
- New York — Health Information Privacy Act (NY HIPA, passed Jan. 22, 2025): Awaiting governor signature; comprehensive health data law; HIPAA-covered entities partially exempted for PHI maintained as PHI; non-profits and non-HIPAA entities not exempted
- California — CMIA (ongoing): Private right of action; compensatory + punitive damages; applies alongside HIPAA for all CA providers
Key Sources
- Federal Register 90 FR 898 — HIPAA Security Rule NPRM (Jan. 6, 2025)
- HHS OCR NPRM Fact Sheet
- MGMA Letter urging rescission (Mar. 7, 2025)
- HHS OCR Enforcement Highlights — 146 settlements, $143.6M total
- HHS — Four Ransomware Settlements (Apr. 2026) — $1.165M
- P.L. 116-321 — HITECH RSP Safe Harbor (2021)
Research locked: 2026-05-23 · Next review trigger: OCR final rule publication; any Risk Analysis Initiative settlement against a small physician practice
Medicare 60-Day Overpayment Rule — FCA Standard Update
Urgent Watch
Federal
Effective Jan 1, 2025
Effective January 1, 2025, the Medicare 60-day overpayment reporting rule shifted from a "reasonable diligence" standard to the FCA's "knowingly" standard — actual knowledge, deliberate ignorance, or reckless disregard. Receiving a WISeR AI audit flag or an internal coding review result, reviewing it, and doing nothing for 60+ days is now textbook deliberate ignorance. FCA liability: treble damages plus $14,308–$28,619 per claim (2025 rates). There is no de minimis threshold. The rule also codifies a 180-day suspension window for conducting good-faith investigations into related overpayments — but the days between identification and starting the investigation count against your 60-day clock.
"Knowingly" standard: effective Jan 1, 2025
$14,308–$28,619/claim + treble damages (2025 levels; 2026 adjustment pending — OMB held 2026 increase due to missing October 2025 CPI-U from government shutdown)
Post-visit diagnosis queries + inaction 60 days = FCA exposure (Kaiser $556M settlement Jan. 2026; Seoul Medical $62M March 2025)
Rule Mechanics
| Rule | 42 CFR §401.305 (Parts A/B); 42 CFR §422.326 (MA); effective Jan. 1, 2025 per CY2025 PFS Final Rule (89 Fed. Reg. 97710, Dec. 9, 2024) |
| New standard | "Identified" = provider knowingly receives or retains an overpayment — meaning actual knowledge, deliberate ignorance, OR reckless disregard (per 31 U.S.C. §3729(b)(1)(A)); replaces "reasonable diligence" standard from 2016 |
| Key 2025 change | Quantification no longer required to start the 60-day clock — identification triggers the clock even if the exact dollar amount is unknown; you have 60 days to calculate and return |
| 180-day suspension | If related overpayments may exist from the same/similar cause, the 60-day clock is suspended for up to 180 days while a documented good-faith investigation is conducted — but days consumed before starting the investigation count against the original 60 |
| Lookback period | 6 years from receipt of overpayment — any investigation must cover 6 years of the same issue |
| De minimis | None — no minimum dollar threshold for reporting obligation; a $5 overpayment must be returned; only MAC's $25 collection floor is administrative (not a provider exemption) |
| Where to report | Simple billing/documentation errors → MAC (self-refund). Stark Law violations → CMS SRDP. Fraud theory (kickbacks, exclusion violations) → OIG Self-Disclosure Protocol |
| Government-identified | RAC demand letters and MAC recoupment notices are NOT self-reporting situations — respond via the 5-level RAC appeals process; self-reporting rule applies only to provider-identified overpayments |
FCA Exposure & Risk Matrix
FCA "reverse false claim" theory (31 U.S.C. §3729(a)(1)(G)): Knowingly retaining an overpayment past the 60-day deadline is an "obligation" under the ACA — FCA liability attaches on Day 61
AI audit flag + inaction = deliberate ignorance — reviewing a WISeR flag, internal coding alert, or compliance report and taking no action for 60+ days is the exact definition of deliberate ignorance under the new standard; FCA liability triggers on Day 61
$14,308–$28,619 per claim + treble damages — no ceiling on per-claim penalties; a systematic coding issue affecting 50 claims = $700K–$1.4M in penalties before tripling the actual overpayment amount
First physician practice FCA settlement (FCCI, 2017): $448,821 on $175K in credit balances — 2.6× multiplier; internal warnings ignored; zero underlying billing fraud alleged — pure non-reporting
180-day suspension requires documented investigation — the suspension does not restart the 60-day clock; document investigation start date immediately; investigate, do not delay
Loper Bright creates litigation uncertainty — Chevron deference ended in 2024; courts will independently interpret CMS's "knowingly" definition; future challenges to the 2025 standard are likely
Voluntary disclosure = reduced multiplier — self-disclosure + full cooperation + no pending prosecution = court may assess 2× (not 3×) damages; OIG SDP available when fraud theory exists
2016 Rule vs. 2025 Amendment — Side by Side
| Dimension | 2016 Rule | 2025 Rule (effective Jan. 1, 2025) |
|---|---|---|
| "Identified" standard | "Has or should have through reasonable diligence determined and quantified" — negligence-based | "Knowingly receives or retains" — FCA-aligned; actual knowledge, deliberate ignorance, or reckless disregard |
| Quantification to start clock | Required — clock started post-quantification | Not required — clock starts at identification; quantification must be completed within the 60 days |
| Investigation buffer | 6-month benchmark (preamble only, not codified) | 180-day suspension codified — but days between identification and investigation start count against the 60-day clock |
| Why the change | — | D.C. district court (UnitedHealthcare v. Azar, 2018) vacated "reasonable diligence" as imposing FCA liability for negligence; CMS spent 2022–24 finalizing unified standard across Parts A, B, C, D |
AI Audit Interaction — Decision Tree
- WISeR pre-payment non-affirmation: No money has been paid → no overpayment exists → 60-day rule NOT triggered; appeal the WISeR determination and tighten documentation
- RAC post-payment ADR received: RAC requests records; if RAC finds overpayment and MAC issues demand letter → this is government-identified; respond via RAC appeals process (not self-reporting); you have 30 days to request reconsideration, 120 days to file formal appeal (redetermination)
- Internal AI coding audit flags a claim: Flag alone ≠ identification. Review the flag. If internal review confirms overpayment → that confirmation date = identification date → 60-day clock starts. If internal review concludes no overpayment (with documented rationale) → no clock starts
- Internal AI flag reviewed and ignored: This is deliberate ignorance under the 2025 standard → identification occurs when you reviewed it → Day 61 after review = FCA liability
- ProCode or AI tool systematically generates coding suggestions without physician review: If a systematic pattern of errors is present and the practice has not audited it → "reckless disregard" theory → FCA exposure even without actual knowledge of specific claims
Practical 60-Day Workflow
- Day 1 (Intake): Log the flag/alert in an Overpayment Intake Form; record date received; classify trigger (internal AI, RAC ADR, government demand, hotline tip)
- Days 1–3 (Triage): Determine if pre-payment (WISeR) or post-payment (RAC); if government demand letter → appeals process, not self-reporting; if potential self-identified overpayment → proceed to investigation
- Days 1–30 (Investigation): Engage healthcare counsel (preserves attorney-client privilege over investigation communications); pull flagged claims; conduct coding/clinical review; determine if overpayment is real
- If systematic issue suspected (Days 1–30): Open a formal related-overpayments investigation; document the start date; the 180-day suspension clock begins; conduct 6-year lookback sampling
- Identification date: The day your internal review confirms overpayment is real; document explicitly; this is Day 1 of the 60-day return deadline (or the suspension is running)
- Day 60 (or within suspension window): Calculate total; submit refund to MAC with explanation; retain full documentation; implement corrective action
FCA Settlement Precedents
| Case | Amount | Core Issue | Multiplier |
|---|---|---|---|
| Kane v. Healthfirst / St. Luke's (2016) | ~$2.95M | Software glitch overbilling; employee warned in email; years of inaction | ~3.5× |
| First Coast Cardiovascular (FCCI) (2017) | $448,821 | Credit balances ignored despite internal warnings; first physician practice pure non-reporting settlement | ~2.6× |
| Kaiser (2024) | $556M | AI-assisted risk adjustment coding without human oversight; "knowing" FCA standard applied to systematic AI error patterns | High |
| UCHealth (2024) | $23M | EHR auto-population of higher E/M codes without documentation support; systematic pattern | — |
Key Sources
- 42 CFR §401.305 — Current rule text (Parts A/B)
- CY2025 PFS Final Rule (89 Fed. Reg. 97710, Dec. 9, 2024) — 2025 amendments
- Morgan Lewis — Practical implications of 2025 rule change
- Ropes & Gray — Key and lingering questions after 2025 amendment
- OIG Health Care Fraud Self-Disclosure Protocol
- CMS Self-Referral Disclosure Protocol (SRDP) — for Stark violations
Research locked: 2026-05-23 · Next review trigger: any DOJ enforcement action citing the 2025 "knowingly" standard; any WISeR-related FCA case filed
New Items for Review
Federal Register & CMS feeds · billing/RCM/IDR keywords