Two federal actions have downstream implications for providers

A CMS interim final rule on Medicaid work requirements and an executive order on AI could broadly affect healthcare organizations.



Here are some updates regarding stories that Health Data Management has recently covered.

In both cases, certain aspects will have downstream effects on provider organizations, especially as they anticipate changes in revenue and increased use of artificial intelligence.

More clarity on work requirements

An earlier article in HDM noted that states were expected to shoulder the burden of implementing systems that will check recipients to ensure they are complying with work requirements codified in the 2025 reconciliation bill (at the time, called the One Big Beautiful Bill). Under those requirements, recipients of aid will need to demonstrate that they log work hours or prove that they’re students or working as volunteers.

Now, the Centers for Medicare & Medicaid Services has laid out an interim final rule that delineates specifics for how it expects states to implement Medicaid work requirements nationwide.

And indeed, states are going to be carrying much of the burden. CMS officials said successful implementation of Medicaid work requirements will depend heavily on states investing in technology and data integration to support verification and compliance processes. The federal agency expects states to make investments in technology infrastructure, data sharing and verification systems to support implementation.

The expectation is that states will ultimately achieve “data-first” Medicaid systems by Jan. 1, 2028. CMS says it’s working with vendors to provide discounted or free services to states to meet this goal. The law stipulates that states must be able to verify work activity, exemptions, renewals and ongoing compliance for millions of Medicaid recipients.

To no one’s surprise, this will be a heavy lift, and most states have a lot of work ahead. New findings of a survey by KFF show that only six states are planning to use artificial intelligence to help implement Medicaid work requirements; that technology could greatly reduce the manual lift of meeting the new mandates. The KFF survey also noted that 21 states are still deciding whether to use the technology.

How smoothly implementation goes has obvious implications for providers, which could see larger numbers of Medicaid patients fail to meet work requirements – or fall through bureaucratic cracks because of states’ lack of capabilities – and thus lose reimbursement for services.

States are likely to struggle because of funding constraints and technology hurdles. “The biggest challenge ahead is not policy implementation but operational execution,” contends Peter Justen, founder and CEO of AmeriTrust Solutions. The company helps programs like Medicaid process applications faster and more accurately by modernizing intake and reducing manual verification work.

The President weighs in on AI

Also this week, the White House released an executive order on “promoting advanced artificial intelligence innovation and security.”

While noting the potential for AI and the need for accelerating the responsible use of the technology, the order acknowledges that AI comes with growing security risks, both to users and as a result of giving bad actors new tools that could compromise information systems.

“Advanced AI capabilities make our nation stronger but also introduce new national security considerations that require coordinated action across executive departments and agencies,” it notes.

Among other initiatives, the order seeks to “establish or expand federal programs and cybersecurity services that enhance AI-enabled defensive tools, and facilitate access to cybersecurity tools and services including, where appropriate, covered frontier models for agencies, state and local authorities, and operators of critical infrastructure such as rural hospitals, community banks and local utilities.”

The order aims to amp up enforcement of laws punishing the criminal use of AI. “The Attorney General shall prioritize the enforcement of … applicable federal criminal laws against anyone who utilizes AI to illegally access or damage a computer without authorization, or who utilizes AI while engaged in such illegal access to further any other crime,” it notes. “This includes breaching any public or private information technology system or employing AI agents to unlawfully access data or information that is subsequently used for a criminal or unlawful purpose.”

The executive order has implications for providers, particularly rural hospitals and other small organizations, says Jen Sovada, public sector CM at Claroty, a company with experience in securing healthcare cyber-physical systems and connected medical environments.

The order identifies rural hospitals among the critical infrastructure organizations that could benefit from enhanced cybersecurity tools and services, “reflecting growing concern around the challenges healthcare providers face in defending increasingly complex environments,” she says. 

AI, in the wrong hands, can compress the time between vulnerability discovery and exploitation, Sovada adds. “Recent research from Claroty's Team82 found that an LLM was able to conduct end-to-end vulnerability research in less than 10 minutes, uncovering previously identified flaws and producing a disclosure-grade report with minimal human intervention.”

However, “many healthcare organizations, particularly rural hospitals and community health systems, operate below the ‘cyber poverty line,’ facing sophisticated cyber threats without the resources available to larger institutions,” Sovada explains. Ensuring resilience is crucial because the systems of small organizations “cannot easily be patched or taken offline without affecting patient care.

“It’s important that our government agencies move with intentionality when it comes to AI adoption and take a resilience-first approach,” she concludes. “Agencies need to keep in mind the domain-specific needs of critical infrastructure sectors. Foremost among these considerations is establishing robust network segmentation as the primary defense strategy, especially in operational technology environments where devices are often end-of-life, lack encryption and cannot be taken offline for updates due to mission-critical functions.”

Fred Bazzoli is the Editor in Chief of Health Data Management.
