Kelly Hoover Thompson has joined Legal HIE Solutions as its new Strategy & Interoperability Lead! Kelly is a powerhouse in healthcare law, interoperability, and transformation. She is the former CEO of SHIEC, and former Deputy Secretary at the Pennsylvania Department of Health, and services in numersou advisory and leadership roles, including for the CDC’s Center for Health Statistics Board, the National POLST Technology Committee, and UPMC’s Patient Safety Committee. Kelly has been at the forefront of shaping health IT, regulatory policy, and organizational development. Learn more about Kelly in today’s post!
Continue Reading Kelly Thompson Joins Legal HIE as its Strategy and Interoperability Lead

Over the years, 42 CFR Part 2 has traveled a winding road of amendments and updates—beginning with the 2016 Proposed Rule and continuing through a series of updates, each one modernizing how Part 2 information is shared while preserving essential privacy safeguards. Today’s post offers a chronological list of these rulemakings, each with its own executive summary.
Continue Reading The Winding Road of Changes to 42 CFR Part 2

On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of HIPAA, as well as state law and policies. Although the facts that are currently known to the public are not sufficient to conclude that HIPAA’s standards applicable to research were not met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. Among other…
Continue Reading State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).
Continue Reading HIPAA’s Cybersecurity Glow-Up: What’s Changing and Who’s Affected

Since TEFCA went live in December 2023, eight (8) organizations have been designated as Qualified Health Information Networks (QHINs). Each QHIN is a large information network that represents up to hundreds of HINs, health systems, public health agencies, payers, and IT vendors. Epic and Carequality recently announced that they would align their frameworks with TEFCA. TEFCA’s growth will be further supported by regulatory measures to incentivize network participation, such as the Information Blocking Rule.
Continue Reading TEFCA Anticipated to Grow in 2025

Calendar year 2024 brought a range of high-impact HIPAA enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). By the year’s end, OCR had collected over $9 million through various settlements and final determinations. Interestingly, 2024 stands out for having the most final determinations (i.e., definitive impositions of a Civil Money Penalty) in OCR’s HIPAA enforcement history. However, it remains the case that most matters are resolved cooperatively through settlement agreements. Across hospitals, nursing facilities, EMS providers, physician offices (including dental and specialty practices), and even a health care clearinghouse, OCR’s actions…
Continue Reading A Look Back at 2024: HIPAA Enforcement Year in Review

The landscape of health IT regulation just took another significant leap forward. In the final days of 2024, federal regulators dropped two game-changing rules—HIT-2 and HTI-3—adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology. But what do these latest rules really mean for healthcare providers, developers, and patients? Let’s break down the impact and key takeaways you need to know.
Continue Reading Health Data, Technology, and Interoperability Rules, HTI-1, 2, & 3

During the Fall 2024, the HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. there has been a 264% uptick in large ransomware breaches since 2018.
Continue Reading OCR Sees Uptick in Ransomware Incidents

Texas Attorney General, Ken Paxton, has sued HHS alleging that the HIPAA Reproductive Health Care Privacy Rule amendments infringe on the state’s investigative authority and that the HIPAA statute does not grant sufficient authority to HHS to promulgate such a rule. Texas is seeking an injunction against enforcement of the final rule.
Continue Reading Texas Sues to Block new HIPAA Reproductive Health Care Rule

A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion,

“No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist….But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a…
Continue Reading Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.
Continue Reading HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.
Continue Reading Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches

The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment & health care operations. Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. Read more about the changes and how we can help with compliance.
Continue Reading 42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.