PICA Insights

Regulatory Compliance Updates for 2026

Jan 9, 2026 11:36:12 AM / by PICA Risk Management Specialist

As we start the new year, it is a great time to review regulatory updates and implement necessary changes to reduce your risk. This article summarizes billing and coding changes as well as HIPAA updates.

Billing and Coding

  • Skin substitute grafts: On December 24, 2025, CMS withdrew the Local Coverage Determinations (LCDs) for skin substitute grafts that were scheduled to take effect on January 1, 2026. Because these unified policies have been eliminated, there is currently no revised version of that specific LCD scheduled for 2026. Instead, coverage rules revert to the existing individual Medicare Administrative Contractor (MAC) policies.
  • CPT 2026 Code Set: The American Medical Association released the CPT 2026 Code Set, effective January 1, 2026. Practices should update coding and billing systems accordingly to avoid denials and compliance issues.
  • ICD-10-PCS Procedure Codes: New ICD-10-PCS procedure codes effective April 1, 2026, have been released by CMS. These codes affect inpatient procedures during portions of FY 2026. ICD-10-CM/PCS updates for FY 2025 went into effect October 1, 2024. Practices should review and update coding reference libraries to incorporate all changes to prevent claims rejection due to outdated or incorrect coding.
  • E/M Documentation and Audits Focus: Proposed changes in the 2026 Physician Fee Schedule underscore continued audit scrutiny around outpatient E/M coding, emphasizing documentation that supports medical decision-making and complexity rather than history and exam elements alone. Practices should verify that their documentation templates and workflows support the correct E/M level billed.

HIPAA
HIPAA compliance continues to evolve, with significant security changes expected in 2026. Key proposed changes to the HIPAA Security Rule include:

  • Multi-Factor Authentication (MFA): MFA will become a mandatory requirement for accessing systems that contain ePHI, extending beyond remote access to all access points.
  • Encryption: Encryption of ePHI at rest and in transmission would shift from "addressable" to required, with limited justified and documented exceptions.
  • Asset Inventory: Regulated entities must keep an accurate, current inventory of all hardware, software, and systems that store, process, or transmit ePHI.
  • Risk Analysis and Testing: More specific requirements for continuous risk analysis, including regular vulnerability scans (e.g., every six months) and yearly penetration testing to detect and fix vulnerabilities.
  • Patch Management: Policies and procedures for the prompt implementation of software patches and updates to fix known vulnerabilities would be explicitly required.
  • Documentation and Audits: All security rule policies, procedures, risk analyses, and related documentation must be documented in writing, regularly reviewed, tested, and updated. Annual evaluations of security controls, effectively internal audits, should be conducted to confirm their effectiveness.
  • Formal Annual Compliance Audits: The proposals would require yearly (every 12 months) evaluations of security measures and comprehensive documentation, both of which are essential for demonstrating compliance during OCR investigations.

To prepare your practice for future needs and strengthen your current cybersecurity stance:

  • Engage a qualified expert to conduct a comprehensive security risk assessment, identifying gaps and prioritizing remediation.
  • Implement MFA for all access to ePHI systems (in-office and remote).
  • Provide regular training to all staff members with access to ePHI, covering HIPAA requirements and emerging threats.
  • Review and update business associate agreements to ensure alignment with current and anticipated Security Rule standards.
If you are not currently insured with PICA, take a moment to see how we protect our podiatrists. Fill out our online form to receive a free, no-obligation quote.
Disclaimer: The information contained on the PICA Blog does not establish a standard of care, nor does it constitute legal advice. The information is for general informational purposes only. We encourage all blog visitors to consult with their personal attorneys for legal advice, as specific legal requirements may vary from state to state. Links or references to organizations, websites, or other information are for reference use only and do not constitute the rendering of legal, financial, or other professional advice or recommendations. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered by ProAssurance Insurance Company of America, the terms and conditions of the actual policy will apply. All information contained on the blog is subject to change.

Tags: Compliance