OUM Chiropractor Insights

Regulatory Compliance Updates for 2026

Jan 9, 2026 11:35:21 AM / by OUM Risk Management Specialist

As we start the new year, it is a great time to review regulatory updates and implement necessary changes to reduce your risk. This article summarizes billing and coding changes as well as HIPAA updates.

Billing and Coding

  • CPT 2026 Code Set: The American Medical Association released the CPT 2026 Code Set, effective January 1, 2026. Chiropractors should ensure their EHR and billing systems reflect the new codes to avoid denials. Updates include expanded telehealth and remote monitoring codes, which may apply if your practice offers virtual consultations or uses digital tools for patient engagement.
  • E/M Documentation and Audits Focus: CMS continues to emphasize medical decision-making (MDM) and complexity over history/exam checklists for E/M coding. Chiropractors who bill E/M for new patient exams or re-evaluations should review templates to ensure they support MDM-based coding. Expect ongoing audit scrutiny in 2026.
  • ICD-10-CM Updates: Effective October 1, 2025, ICD-10-CM changes for 2026 include 487 new codes and 38 revisions. While core spinal subluxation codes remain unchanged, updates affect symptom codes (e.g., abdominal and pelvic pain) and social determinant Z-codes. These may apply when documenting comorbidities or socioeconomic factors impacting care.

HIPAA
HIPAA compliance continues to evolve, with significant security changes expected in 2026. Key proposed changes to the HIPAA Security Rule include:

  • Multi-Factor Authentication (MFA): MFA will become a mandatory requirement for accessing systems that contain ePHI, extending beyond remote access to all access points.
  • Encryption: Encryption of ePHI at rest and in transmission would shift from "addressable" to required, with limited justified and documented exceptions.
  • Asset Inventory: Regulated entities must keep an accurate, current inventory of all hardware, software, and systems that store, process, or transmit ePHI.
  • Risk Analysis and Testing: More specific requirements for continuous risk analysis, including regular vulnerability scans (e.g., every six months) and yearly penetration testing to detect and fix vulnerabilities.
  • Patch Management: Policies and procedures for the prompt implementation of software patches and updates to fix known vulnerabilities would be explicitly required.
  • Documentation and Audits: All Security Rule policies, procedures, risk analyses, and related documentation must be recorded in writing and regularly reviewed, tested, and updated. Annual evaluations of security controls, effectively internal audits, should be conducted to confirm their effectiveness.
  • Formal Annual Compliance Audits: The proposals would require yearly evaluations of security measures and comprehensive documentation, both of which are essential for demonstrating compliance during OCR investigations.

To prepare your practice for future needs and strengthen your current cybersecurity stance:

  • Engage a qualified expert to conduct a comprehensive security risk assessment, identifying gaps and prioritizing remediation.
  • Implement MFA for all access to ePHI systems (in-office and remote).
  • Provide regular training to all staff members with access to ePHI, covering HIPAA requirements and emerging threats.
  • Review and update business associate agreements to ensure alignment with current and anticipated Security Rule standards.

If you are not currently insured with OUM, take a moment to see how we protect our chiropractors. Fill out our online form to receive a free, no-obligation quote.

Disclaimer: “OUM” and “OUM Chiropractor Program” do not refer to a legal entity or insurance company but to a program or symbol of a program underwritten, insured, and administered by ProAssurance Insurance Company of America. The information contained on the OUM Chiropractor Blog does not establish a standard of care, nor does it constitute legal advice. The information is for general informational purposes only. We encourage all blog visitors to consult with their personal attorneys for legal advice, as specific legal requirements may vary from state to state. Links or references to organizations, websites, or other information are for reference use only and do not constitute the rendering of legal, financial, or other professional advice or recommendations. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered by ProAssurance Insurance Company of America, the terms and conditions of the actual policy will apply. All information contained on the blog is subject to change.

Tags: Compliance