Yesterday, a federal court issued a highly anticipated ruling in Estate of Gene B. Lokken v. UnitedHealth Group—denying UnitedHealthcare’s attempt to dismiss certain state law claims and allowing breach of contract and good faith claims to move forward. It’s a major development in a case when back in November 2023 UHG was first sued over AI-driven coverage denials under its Medicare Advantage plans. Given this new ruling, it’s a perfect time to revisit the original lawsuit’s claims and the broader legal risks that AI poses in healthcare.
Continue Reading Judge Decides Class Action Can Proceed Against UnitedHealth for Use of AI

One year. That’s all the time left before the February 16, 2026 compliance deadline for the 42 CFR Part 2 Final Rule officially arrives. If you haven’t started preparing yet, now is the perfect time to get things in motion. One of the most challenging aspects of Part 2 implementation is the new consent structure. While the new consent for treatment, payment, and health care operations (“TPO consent”) introduces opportunities for improved data sharing and alignment with HIPAA, it is also complex and requires careful implementation. To help navigate these changes, today’s post offers readers a checklist of the key…
Continue Reading Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!

Kelly Hoover Thompson has joined Legal HIE Solutions as its new Strategy & Interoperability Lead! Kelly is a powerhouse in healthcare law, interoperability, and transformation. She is the former CEO of SHIEC, and former Deputy Secretary at the Pennsylvania Department of Health, and services in numersou advisory and leadership roles, including for the CDC’s Center for Health Statistics Board, the National POLST Technology Committee, and UPMC’s Patient Safety Committee. Kelly has been at the forefront of shaping health IT, regulatory policy, and organizational development. Learn more about Kelly in today’s post!
Continue Reading Kelly Thompson Joins Legal HIE as its Strategy and Interoperability Lead

Over the years, 42 CFR Part 2 has traveled a winding road of amendments and updates—beginning with the 2016 Proposed Rule and continuing through a series of updates, each one modernizing how Part 2 information is shared while preserving essential privacy safeguards. Today’s post offers a chronological list of these rulemakings, each with its own executive summary.
Continue Reading The Winding Road of Changes to 42 CFR Part 2

On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of HIPAA, as well as state law and policies. Although the facts that are currently known to the public are not sufficient to conclude that HIPAA’s standards applicable to research were not met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. Among other…
Continue Reading State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).
Continue Reading HIPAA’s Cybersecurity Glow-Up: What’s Changing and Who’s Affected

Since TEFCA went live in December 2023, eight (8) organizations have been designated as Qualified Health Information Networks (QHINs). Each QHIN is a large information network that represents up to hundreds of HINs, health systems, public health agencies, payers, and IT vendors. Epic and Carequality recently announced that they would align their frameworks with TEFCA. TEFCA’s growth will be further supported by regulatory measures to incentivize network participation, such as the Information Blocking Rule.
Continue Reading TEFCA Anticipated to Grow in 2025

Calendar year 2024 brought a range of high-impact HIPAA enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). By the year’s end, OCR had collected over $9 million through various settlements and final determinations. Interestingly, 2024 stands out for having the most final determinations (i.e., definitive impositions of a Civil Money Penalty) in OCR’s HIPAA enforcement history. However, it remains the case that most matters are resolved cooperatively through settlement agreements. Across hospitals, nursing facilities, EMS providers, physician offices (including dental and specialty practices), and even a health care clearinghouse, OCR’s actions…
Continue Reading A Look Back at 2024: HIPAA Enforcement Year in Review

The landscape of health IT regulation just took another significant leap forward. In the final days of 2024, federal regulators dropped two game-changing rules—HIT-2 and HTI-3—adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology. But what do these latest rules really mean for healthcare providers, developers, and patients? Let’s break down the impact and key takeaways you need to know.
Continue Reading Health Data, Technology, and Interoperability Rules, HTI-1, 2, & 3

During the Fall 2024, the HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. there has been a 264% uptick in large ransomware breaches since 2018.
Continue Reading OCR Sees Uptick in Ransomware Incidents

Texas Attorney General, Ken Paxton, has sued HHS alleging that the HIPAA Reproductive Health Care Privacy Rule amendments infringe on the state’s investigative authority and that the HIPAA statute does not grant sufficient authority to HHS to promulgate such a rule. Texas is seeking an injunction against enforcement of the final rule.
Continue Reading Texas Sues to Block new HIPAA Reproductive Health Care Rule

A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion,

“No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist….But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a…
Continue Reading Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.
Continue Reading HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!