Health Care

On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of HIPAA, as well as state law and policies. Although the facts that are currently known to the public are not sufficient to conclude that HIPAA’s standards applicable to research were not met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. Among other
Continue Reading State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

Since TEFCA went live in December 2023, eight (8) organizations have been designated as Qualified Health Information Networks (QHINs). Each QHIN is a large information network that represents up to hundreds of HINs, health systems, public health agencies, payers, and IT vendors. Epic and Carequality recently announced that they would align their frameworks with TEFCA. TEFCA’s growth will be further supported by regulatory measures to incentivize network participation, such as the Information Blocking Rule.
Continue Reading TEFCA Anticipated to Grow in 2025

The landscape of health IT regulation just took another significant leap forward. In the final days of 2024, federal regulators dropped two game-changing rules—HTI-2 and HTI-3—adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology. But what do these latest rules really mean for healthcare providers, developers, and patients? Let’s break down the impact and key takeaways you need to know.
Continue Reading Health Data, Technology, and Interoperability Rules, HTI-1, 2, & 3

During the fall of 2024, HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. There has been a 264% uptick in large ransomware breaches since 2018.
Continue Reading OCR Sees Uptick in Ransomware Incidents

Texas Attorney General, Ken Paxton, has sued HHS alleging that the HIPAA Reproductive Health Care Privacy Rule amendments infringe on the state’s investigative authority and that the HIPAA statute does not grant sufficient authority to HHS to promulgate such a rule. Texas is seeking an injunction against enforcement of the final rule.
Continue Reading Texas Sues to Block new HIPAA Reproductive Health Care Rule

A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion,

“No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist….But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a
Continue Reading Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.
Continue Reading HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.
Continue Reading Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches

The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment & health care operations. Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. Read more about the changes and how we can help with compliance.
Continue Reading 42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024. Although PHI collected by a HIPAA CE or BA is excluded from the NJDPA, HIPAA CEs and BAs are NOT wholly excluded from compliance with the NJDPA. Also, HHS’ recent problematic interpretation that IP addresses collected by a healthcare provider’s website may be PHI adds even more complexity in interpreting the NJDPA.
Continue Reading Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others

Part 1 – What Data is (maybe?) Covered and Who Must Comply with the New Jersey Data Privacy Act?

This week we take a quick look at the newest state effort to tackle data privacy. New Jersey entered the data privacy playing field last week with Governor Murphy putting pen to paper on a new comprehensive Data Privacy Act. 332_R6 significantly strengthens New Jersey’s consumer protection and privacy laws, placing enforcement in the hands of the New Jersey Division of Consumer Affairs (“DCA”) and the Attorney General’s Office. While it shares some similarities with other recently enacted state privacy laws,
Continue Reading New Jersey’s new data privacy act and its impact on health care orgs

The Proposed Rule for enforcement is out, and the potential financial “hit” that health care providers may face if the OIG finds them to have violated the Information Blocking Rule (IBR) could be substantial. But it’s not time to get spooked just yet. The reach of the proposed enforcement has limitations. Read more to find out why.
Continue Reading Hefty Monetary Disincentives Proposed for Health Care Providers Engaged in Information Blocking – But Not Every Provider Will Be on the Hook.

The Proposed Rule for enforcement is out, and the potential financial “hit” that health care providers may face if the OIG finds them to have violated the Information Blocking Rule (IBR) could be substantial, but don’t get spooked. The reach of the proposed enforcement has limitations. Read more to find out why.
Continue Reading Hefty Monetary Disincentives Proposed for Health Care Providers Engaged in Information Blocking – But Not Every Provider Is on the Hook.

The Minnesota Supreme Court held that HIPAA “authorizes” disclosures for purposes of state law and consent was not required for a hospital to disclose PHI to its institutionally related foundation for fundraising purposes. Other states might take a similar stance. The Information Blocking Rule (IBR) prohibits health care providers from interfering with the access and exchange of EHI in an unreasonable manner. State laws containing similar “as authorized by federal law” exceptions to consent must be carefully considered when claiming the IBR’s Privacy Exception to “block” EHI.
Continue Reading Minnesota Supreme Court Finds State Law Permits Health Information to be Shared Because HIPAA Authorizes It

OCR reaches a new $1.3 million settlement with a health plan for HIPAA violations. OCR says, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” Employers that offer employee benefits must evaluate if they are responsible for a health plan with HIPAA compliance obligations.
Continue Reading Is Your Organization Paying for the Cost of Health Care? You Might be Responsible for a Health Plan with HIPAA Compliance Obligations.