OSHA Updates Heat-Related Hazards National Emphasis Program

Posted by Steve Alder

On April 10, 2026, two days after the Occupational Safety and Health Administration’s (OSHA) Heat National Emphasis Program (NEP) expired, OSHA announced an update to the NEP. The updated NEP is effective immediately and will remain in place for five years after the effective date, unless superseded by an updated directive; however, there are no indications that OSHA’s proposed national heat illness and injury prevention rule will progress to a final rule any time soon.

The NEP – Outdoor and Indoor Heat-Related Hazards was originally issued on April 8, 2022, and was due to expire on April 8, 2025; however, it was extended for a further year in January 2025 by the Biden Administration, shortly before the administration change. The one-year extension was based on OSHA enforcement data. Between April 2022 and December 2024, OSHA conducted approximately 7,000 heat-related inspections, issued 60 citations for violations of the OSH Act related to heat hazards, issued almost 1,400 hazard alerts, and removed around 1,400 employees from hazardous heat conditions.

After analyzing OSHA and the Bureau of Labor Statistics data from calendar years 2022-2025, OSHA revised and extended the NEP again, which took effect on April 10, 2026. The high number of unplanned inspections, almost 3,500 employee days off work each year due to heat-related illnesses and injuries, and around 50 heat-related fatalities each year made it clear that there was a continued need for heat-related outreach and compliance assistance activities, on-site consultation visits, and programmed enforcement. The revised NEP aims to reduce or eliminate worker exposures to heat-related hazards that result in illnesses, injuries, and deaths. OSHA will target industries and worksites where employees are exposed to heat-related hazards and have not been provided with adequate protection.

OSHA identified industries with high rates of heat-related illness and injuries, and employers who have received heat-related citations or hazard letters. The revised NEP directs OSHA inspection priorities to 55 high-risk industries in both indoor and outdoor work settings. OSHA will prioritize on-site (in-person) response for complaints and for all employer-reported hospitalizations related to heat hazards. OSHA has eliminated the former numerical inspection goal and has introduced two reorganized appendices, one for evaluating heat programs and another for citation guidance. The updated NEP also has clearer guidance to improve tracking and more effectively implement the program’s enforcement and outreach efforts.

“Compliance officers will continue to conduct outreach and compliance assistance and expand any inspection where there is evidence of heat-related hazards on heat priority days,” explained OSHA in an announcement about the revised NEP. “Additionally, compliance officers will conduct random inspections focused on heat hazards in high-risk industries on days when the National Weather Service issues a heat advisory or warning.”

OSHA has been working on a permanent federal heat illness and injury prevention standard for several years, and published a notice of proposed rulemaking on August 30, 2024 – Heat Injury and Illness Prevention in Outdoor and Indoor Work Settings. The proposed rule applies to general industry, construction, maritime, and agriculture sectors, and requires employers to develop written heat illness and injury prevention plans, monitor for heat conditions in the workplace, and implement control measures when temperatures reach specific levels. There is an initial trigger point of 80°F, and a second trigger point of 90°F. The required controls include regular rest breaks, provision of drinking water, acclimatization protocols, and training for employees and supervisors. The public comment period closed on January 14, 2025, and the extended comment period ended on October 30, 2025. While the proposed rule has not been withdrawn, no date has been set for a final rule, indicating it is not a priority under the current administration.

The post OSHA Updates Heat-Related Hazards National Emphasis Program appeared first on The HIPAA Journal.

CMS Launches First Wave of Health Tech Ecosystem Health Information Sharing and Access Tools

Posted by Steve Alder

The Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) has launched the first wave of Health Tech Ecosystem tools as part of its initiative to improve interoperability and patient access to their own health information. The CMS launched its Health Technology Ecosystem initiative in July 2025 to boost health data sharing through partnerships with major healthcare and technology firms, including Google, Amazon, Epic, and UnitedHealth Group. The initiative focuses on encouraging the adoption of the CMS Interoperability Framework, which allows patients to access their own healthcare data on any network using the digital health apps of their choice, and to increase the availability of digital health tools for care navigation and chronic disease management. At launch, more than 60 health tech firms had pledged to participate in the initiative.

One of the key aims of the initiative is to allow patients to access all of their healthcare data quickly and easily, including medical records, prior authorizations, explanation of benefits, and claims, including from current and past payers. The initiative also seeks to “kill the clipboard.” Patients should not have to complete paper forms detailing their medical history information before visits. Healthcare providers should have the capability to receive that information digitally. At the launch of the initiative, eleven health systems had pledged to accept patient information through digital tools.

It has now been eight months since the launch, and more than 700 organizations have pledged to support the initiative. More than 120 of those organizations have products that are either close to completion or ready to use. At the recent CMS HealthTech Ecosystem Live! First Wave Launch event, the CMS announced the launch of a new Medicare App Library – A centralized directory that Medicare beneficiaries can use to find and access vetted digital health care tools, including mobile and web applications, tech-enabled healthcare services, digital health platforms, and innovative care delivery tools. While concerns have been voiced about potential privacy risks associated with improving patient access to their health information, according to the CMS, “all care options in the library will have undergone rigorous evaluation to ensure they meet high standards for security, privacy, clinical evidence, usability, and equity.”

The initial launch includes apps and other digital tools to kill the clipboard by eliminating manual check-in forms through FHIR-based data exchange at the point of care, AI-based tools with secure access to medical histories that provide personalized health guidance, and tools that provide personalized, tailored guidance on nutrition, wellness, and chronic disease management, such as for diabetes and obesity prevention and management.

“For too long, Americans have navigated a health system that lags behind the technology they use everywhere else,” said CMS Administrator Dr. Mehmet Oz. “Today, CMS is bringing healthcare into the modern era—aligning innovators to deliver solutions that make care easier, more connected, and more personalized.” The CMS has highlighted tools from more than 50 companies that are either ready for use or will be released to the public soon. “The First Wave Launch marks a significant step toward a fully digital, patient-centered health system—demonstrating how coordinated infrastructure and private-sector innovation can deliver simpler, more connected experiences for patients,” explained the CMS in a press release.

The post CMS Launches First Wave of Health Tech Ecosystem Health Information Sharing and Access Tools appeared first on The HIPAA Journal.

Data Breaches Announced by DermCare Management; Option Care Health; Aetna

Posted by Steve Alder

Data breaches have recently been announced by DermCare Management in Florida, Option Care Health in New York, and Aetna in Connecticut.

DermCare Management Discloses 2025 Hacking Incident

DermCare Management, a Florida-based provider of practice management services to dermatology practices in Florida, Texas, California, and Virginia, has identified unauthorized access to its computer systems. Suspicious activity was identified within its computer network on February 26, 2025, and, assisted by third-party digital forensics specialists, DermCare Management determined on March 3, 2025, that there had been unauthorized network access between February 14, 2025, and February 26, 2025. During that time, patient information was either accessed or acquired.

DermCare Management engaged data review specialists to determine the individuals affected and the types of data involved. Due to the complexity of the data, it took until March 2, 2026, to identify the individuals affected, the types of data involved, and obtain sufficient information to issue individual notification letters. DermCare Management confirmed that the information exposed or acquired in the incident included names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.

The affected individuals have been notified by mail and offered complimentary credit monitoring and identity restoration services. Regulators have been notified about the incident; however, the incident has yet to be added to the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Aetna Notifies 11,663 Individuals About Third-Party Mailing Error

The Hartford, CT-based health insurance provider Aetna recently disclosed two data breaches to the HHS’ Office for Civil Rights affecting 10,888 and 775 individuals. Both incidents were unauthorized access/disclosure incidents and occurred in 2025. There was no unauthorized access to its network or computer systems, as both incidents involved mailing errors involving a third-party vendor.

Aetna’s parent company, CVS Health, issued a statement confirming that the information disclosed as a result of the mailing error was minimal. The error occurred on mailings sent on behalf of two health plans and involved letters sent to a plan member that may have inadvertently included the name of another individual who was not a member of their health plan. Aetna has implemented additional measures to prevent similar incidents in the future, and while only minimal data was impermissibly disclosed, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Option Care Health Identifies Unauthorized Email Access

Option Care Health, Inc., a Ridgewood, NY-based provider of home infusion services, has identified unauthorized access to an employee’s email account. The unauthorized access was detected on or around February 9, 2026, and the forensic investigation confirmed unauthorized access to the account between February 6, 2026, and February 9, 2026. The account was reviewed, and on February 26, 2026, Option Care Health confirmed that the information exposed in the incident included names, dates of birth, medical record numbers, and treatment information. Option Care Health has reviewed its technical security measures and has taken steps to prevent similar incidents in the future. The incident has been reported to regulators, but it is currently unclear how many individuals have been affected.

The post Data Breaches Announced by DermCare Management; Option Care Health; Aetna appeared first on The HIPAA Journal.