Starting February 16, 2026, Part 2 programs and providers will be required to report unauthorized disclosures of Part 2 information – specifically, any “acquisition, access, use, or disclosure” that violates 42 CFR Part 2. This is a major change that will significantly impact Part 2 programs. Let me explain why.
Continue Reading Beware! New Breach Reporting Obligations Under 42 CFR Part 2 — Even When HIPAA Wouldn’t Require It

On August 6, 2025, ONC unveiled the first public TEFCA Organizational Map, a tool that makes it possible to see which health systems are stepping into the national interoperability framework—and which are not. For some, this marks a milestone in transparency and progress; for others, it raises questions about strategy, governance, and whether more national data sharing is always a good thing. The uneven pace of adoption, particularly among Epic’s vast customer base, shows just how complicated the march into TEFCA has become.
Continue Reading From Dragging Feet to Dragged Along: The Uneven March Into TEFCA

Continue Reading Audacious Inquiry Sues CRISP: A Patent Showdown with National Interoperability Implications

On June 18, 2025, Judge Kacsmaryk of the U.S. District Court for the Northern District of Texas vacated key provisions of HHS’s HIPAA Privacy Rule that had imposed new federal protections for reproductive health care information. This means that HIPAA-covered entities must immediately stop requiring a HIPAA-compliant Attestation from requestors seeking PHI that includes (or is likely to include) reproductive health information. Covered entities must now also reevaluate their current processes for handling requests for PHI related to reproductive health information. However, if you operate in a state that has its own state-level reproductive privacy or provider shield law, those…
Continue Reading Regulatory Roller Coaster: District Court Judge Vacates HIPAA Reproductive Health Privacy Rule

HHS has opened the door to one of the biggest questions in health information law: should the TEFCA exception to the information blocking rules stay or go? The May 16, 2025 RFI asks whether this carve-out encourages participation in TEFCA or instead creates confusion and double standards for networks like Carequality, which already impose requirements stricter than HIPAA. With comments due June 16, stakeholders have just days to weigh in on a decision that could reshape the balance between nationwide interoperability and local control.
Continue Reading Does the TEFCA Exception Hinder Participation?

The U.S. Department of Justice’s Final Rule titled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons became effective on April 8, 2025, but its compliance requirements are currently stayed until July 8, 2025 to give organizations time to adjust. This sweeping rule applies to U.S. hospitals, health systems, health information exchanges (HIEs), health IT and cloud vendors, research institutions, and any other U.S. persons or entities that handle, transfer, or store large volumes of sensitive personal data. HIEs should coordinate closely with legal counsel to update their compliance programs and ensure…
Continue Reading Impact of Executive Order 14117 and DOJ’s Final Rule on HIEs Operating as Business Associates

New amendments to the Carequality Framework Policies add layers of credentialing, delegation, and identity-verification requirements that go beyond HIPAA, and may raise tough questions under the Information Blocking Rule. With HINs and HIEs held to the stricter ‘knows or should know’ standard, the real issue is whether these governance updates safeguard interoperability or risk crossing the line into unreasonable interference with EHI exchange
Continue Reading Do Recent Changes to the Carequality Framework Policies Implicate the Information Blocking Rule?

Join us for a 1-hour Q&A session addressing some of the most pressing questions that Part 2 Providers and HIE/HINs are asking about the Final Rule for 42 CFR Part 2. The session will cover: Compliance obligations & enforcement risks for Part 2 Providers, QSOs,& “Lawful Holders”; the NEW Part 2 “TPO Consent” and its application in an HIE-networked environment; sharing Part 2 information for Public Health & Scientific Research; QSO language; sharing Part 2 Information through HIE/HINs, and much more!
Continue Reading Join Us June 11th for a Free Q&A Panel on 42 CFR Part 2!

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet a burden of proof that it met its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.
Continue Reading Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Identity & Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel.
Continue Reading Preventing IAS from Becoming a Trojan Horse

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!
Continue Reading NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

Yesterday, a federal court issued a highly anticipated ruling in Estate of Gene B. Lokken v. UnitedHealth Group—denying UnitedHealthcare’s attempt to dismiss certain state law claims and allowing breach of contract and good faith claims to move forward. It’s a major development in a case when back in November 2023 UHG was first sued over AI-driven coverage denials under its Medicare Advantage plans. Given this new ruling, it’s a perfect time to revisit the original lawsuit’s claims and the broader legal risks that AI poses in healthcare.
Continue Reading Judge Decides Class Action Can Proceed Against UnitedHealth for Use of AI

One year. That’s all the time left before the February 16, 2026 compliance deadline for the 42 CFR Part 2 Final Rule officially arrives. If you haven’t started preparing yet, now is the perfect time to get things in motion. One of the most challenging aspects of Part 2 implementation is the new consent structure. While the new consent for treatment, payment, and health care operations (“TPO consent”) introduces opportunities for improved data sharing and alignment with HIPAA, it is also complex and requires careful implementation. To help navigate these changes, today’s post offers readers a checklist of the key…
Continue Reading Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!