Judge Decides Class Action Can Proceed Against UnitedHealth for Use of AI
Yesterday, a federal court issued a highly anticipated ruling in Estate of Gene B. Lokken v. UnitedHealth Group, denying UnitedHealthcare’s attempt to dismiss certain state law claims and allowing breach of contract and good faith claims to move forward. It’s a major development in a case that began in November 2023, when UHG was first sued over AI-driven coverage denials under its Medicare Advantage plans. Given this new ruling, it’s a perfect time to revisit the original lawsuit’s claims and the broader legal risks that AI poses in healthcare.
Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!
One year. That’s all the time left before the February 16, 2026 compliance deadline for the 42 CFR Part 2 Final Rule officially arrives. If you haven’t started preparing yet, now is the perfect time to get things in motion. One of the most challenging aspects of Part 2 implementation is the new consent structure. While the new consent for treatment, payment, and health care operations (“TPO consent”) introduces opportunities for improved data sharing and alignment with HIPAA, it is also complex and requires careful implementation. To help navigate these changes, today’s post offers readers a checklist of the key elements required in Part 2 consents.
Kelly Thompson Joins Legal HIE as its Strategy and Interoperability Lead
Kelly Hoover Thompson has joined Legal HIE Solutions as its new Strategy & Interoperability Lead! Kelly is a powerhouse in healthcare law, interoperability, and transformation. She is the former CEO of SHIEC and former Deputy Secretary at the Pennsylvania Department of Health, and serves in numerous advisory and leadership roles, including for the CDC’s Center for Health Statistics Board, the National POLST Technology Committee, and UPMC’s Patient Safety Committee. Kelly has been at the forefront of shaping health IT, regulatory policy, and organizational development. Learn more about Kelly in today’s post!
The Winding Road of Changes to 42 CFR Part 2
Over the years, 42 CFR Part 2 has traveled a winding road of amendments and updates—beginning with the 2016 Proposed Rule and continuing through a series of updates, each one modernizing how Part 2 information is shared while preserving essential privacy safeguards. Today’s post offers a chronological list of these rulemakings, each with its own executive summary.
State HIE Sued for Alleged “Unauthorized” Use of PHI for Research
On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of federal and state law, as well as operational policies. Although the facts that are currently known to the public are not sufficient to conclude whether or not HIPAA’s standards applicable to research were met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. At a minimum, the case serves as a reminder that HIEs should be taking proactive steps to ensure that their internal policies, data use agreements, and HIPAA BAAs explicitly address research-related and similar activities in compliance with federal and state laws, including HIPAA.
HIPAA’s Security Rule Glow-Up: What’s Changing and Who’s Affected
On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).
TEFCA Anticipated to Grow in 2025
Since TEFCA went live in December 2023, eight (8) organizations have been designated as Qualified Health Information Networks (QHINs). Each QHIN is a large information network that represents up to hundreds of HINs, health systems, public health agencies, payers, and IT vendors. Epic and Carequality recently announced that they would align their frameworks with TEFCA. TEFCA’s growth will be further supported by regulatory measures to incentivize network participation, such as the Information Blocking Rule.
A Look Back at 2024: HIPAA Enforcement Year in Review
Calendar year 2024 brought a range of high-impact HIPAA enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). By the year’s end, OCR had collected over $9 million through various settlements and final determinations. Interestingly, 2024 stands out for having the most final determinations (i.e., definitive impositions of a Civil Money Penalty) in OCR’s HIPAA enforcement history. However, it remains the case that most matters are resolved cooperatively through settlement agreements. Across hospitals, nursing facilities, EMS providers, physician offices (including dental and specialty practices), and even a health care clearinghouse, OCR’s actions highlighted the ongoing importance of thorough risk analyses, timely patient access to records, comprehensive workforce training, and secure system configurations.
Health Data, Technology, and Interoperability Rules, HTI-1, 2, & 3
The landscape of health IT regulation just took another significant leap forward. In the final days of 2024, federal regulators dropped two game-changing rules, HTI-2 and HTI-3, adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology. But what do these latest rules really mean for healthcare providers, developers, and patients? Let’s break down the impact and key takeaways you need to know.
Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare
Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet a burden of proof that it met its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.
Preventing IAS from Becoming a Trojan Horse
Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.
NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!
The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!