Sweeping regulatory changes are coming. Are you ready?

The sheer volume of new regulatory changes happening in health care is enough to make any practitioner’s head spin, especially physicians in private practice. As the new administration leans into value-based care and population health, the focus shifts to quality and efficiency, streamlining and taking costs out of health services while maintaining or improving outcomes.

How should physician practices address these changes in the coming months and come out ahead? A good starting place is evaluating your information technology strategy, as the vast majority of today’s quality and efficiency improvements require access to large amounts of sensitive patient data to segment populations, provide personalized care, and optimize workflows to monitor and maintain patient health while protecting privacy.

What are the big takeaways?

For starters, the Trump administration is encouraging participation in advanced payment models (APMs) that reward quality and efficiency rather than volume. This value-based care play will directly impact how much physicians are reimbursed (participants will receive a bigger increase in payment rates with a conversion factor of 0.75 versus 0.25 beginning in calendar year 2026), making it worthwhile to jump on board.

To play in APMs, practices must have the ability to track patient data alongside billing and claims data—individually and in the aggregate—to report on quality measures, patient outcomes, and cost-effectiveness. The goal is to enhance the health of Americans through disease prevention, informed patient choices, and industry competition. Organizations will likely need to increase data storage and leverage emerging technologies such as artificial intelligence to keep pace.

Additionally, telehealth is shifting from temporary to permanent. The U.S. Drug Enforcement Administration has announced new rules to ensure wider accessibility to medical care. Patients can have unlimited telehealth visits with providers, who may prescribe medications through telehealth indefinitely. Special registrations may be required, particularly if the patient is receiving a controlled substance.

To meet new telehealth requirements, clinicians are required to invest in easy-to-use telehealth systems that comply with state-specific licensure requirements. Along with requiring operational guidelines, practitioners must provide telehealth space and technology. The IT challenges become increasingly complex as physicians not only need to see patients but also have access to electronic health records, staff messages, and other pertinent resource information. Collaboration with EHR vendors will be key to ensure practices are adequately equipped to meet telehealth requirements.

To further improve workforce productivity and efficiency gains, practices are further challenged to align workforce planning and development with general operations, requiring a strong IT infrastructure. It is incumbent on practices to identify long-term workforce goals and related investments, understanding that a return on investment may not be achieved short term. Leveraging technologies such as robotic process automation and generative AI can greatly improve productivity and efficiency over the long term.

Protecting patient privacy

With virtually all of these requirements drawing on sensitive information, physicians and practice staff must be vigilant about protecting patient privacy. This includes meeting proposed rules under the Health Insurance Portability and Accountability Act (HIPAA), which calls for stricter security measures. The new guidelines require the encryption of all data, including servers and backups, as well as multi-factor authentication for systems containing electronic patient health information (ePHI).

Security assessments will likely be required every six months, as well as network segmentation and written verification of vendor compliance, which applies to business associates and subcontractors. This will require greater specificity when conducting risk analyses and documenting findings.

Effectively teaming with EHR vendors will be crucial here as well in understanding and aligning with their plans to address the new encryption requirements and obtaining written verification on compliance.

Upping your IT game

All of these changes essentially require solo practices to evaluate and up their IT game. To comply with HIPAA, participate in APMs, increase access to telehealth, and achieve workforce productivity and efficiency gains, we believe the first step should be to perform a network mapping and security assessment. This process identifies gaps and helps to create a roadmap for improvements. As part of this, organizations should review and update their policies and procedures, especially around incident response, disaster recovery and vendor management to align with new security requirements.

With a plan in place, here are the top 10 things organizations can do to update their foundational IT capabilities:

1. Encryption for all ePHIacross all devices, servers, and backups
2. Multi-factor authentication for all systems containing ePHI
3. Network segmentation with detailed network mapping
4. Regular security vulnerability scans (every six months)
5. Robust backup and disaster recovery systems that can restore critical systems within 72 hours
6. Vendor verification documentation
7. Comprehensive asset inventory
8. Incident response and contingency plans
9. Secure access controls
10. Staff training on HIPAA compliance, other security protocols and workflow updates

Having access to IT experts with demonstrated health care experience, including in-depth knowledge of regulatory changes, can ensure practices make a smooth transition and maximize their return on investment. Ultimately, the best scenarios are partnerships where clinical and IT teams work together proactively—not reactively, with IT experts understanding the critical nature of uninterrupted patient care systems to meet everyone’s needs.

James Forsythe is Virtual Technology Executive at Medicus IT, a specialized IT service provider focused on the healthcare industry, offering a range of solutions to help healthcare organizations optimize their operations, grow their processes, and transform their practices. Founded in 2004, Medicus IT is known for its expertise in cybersecurity, cloud solutions, and managed IT services, particularly tailored to the needs of healthcare providers. Visit https://medicusit.com and Medicus IT on X, LinkedIn, and Facebook.