Preventing IAS from Becoming a Trojan Horse

Preventing IAS from Becoming a Trojan Horse

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

read more
NOW LIVE!  The Updated 42 C.F.R. Part 2 Helper is Available!

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

read more
Judge Decides Class Action Can Proceed Against UnitedHealth for Use of AI

Judge Decides Class Action Can Proceed Against UnitedHealth for Use of AI

Yesterday, a federal court issued a highly anticipated ruling in Estate of Gene B. Lokken v. UnitedHealth Group—denying UnitedHealthcare’s attempt to dismiss certain state law claims and allowing breach of contract and good faith claims to move forward. It’s a major development in a case when back in November 2023 UHG was first sued over AI-driven coverage denials under its Medicare Advantage plans. Given this new ruling, it’s a perfect time to revisit the original lawsuit’s claims and the broader legal risks that AI poses in healthcare.

read more
Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!

Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!

One year. That’s all the time left before the February 16, 2026 compliance deadline for the 42 CFR Part 2 Final Rule officially arrives. If you haven’t started preparing yet, now is the perfect time to get things in motion. One of the most challenging aspects of Part 2 implementation is the new consent structure. While the new consent for treatment, payment, and health care operations (“TPO consent”) introduces opportunities for improved data sharing and alignment with HIPAA, it is also complex and requires careful implementation. To help navigate these changes, today’s post offers readers a checklist of the key elements required in Part 2 consents.

read more
Kelly Thompson Joins Legal HIE as its Strategy and Interoperability Lead

Kelly Thompson Joins Legal HIE as its Strategy and Interoperability Lead

Kelly Hoover Thompson has joined Legal HIE Solutions as its new Strategy & Interoperability Lead! Kelly is a powerhouse in healthcare law, interoperability, and transformation. She is the former CEO of SHIEC, and former Deputy Secretary at the Pennsylvania Department of Health, and services in numersou advisory and leadership roles, including for the CDC’s Center for Health Statistics Board, the National POLST Technology Committee, and UPMC’s Patient Safety Committee. Kelly has been at the forefront of shaping health IT, regulatory policy, and organizational development. Learn more about Kelly in today’s post!

read more
The Winding Road of Changes to 42 CFR Part 2

The Winding Road of Changes to 42 CFR Part 2

Over the years, 42 CFR Part 2 has traveled a winding road of amendments and updates—beginning with the 2016 Proposed Rule and continuing through a series of updates, each one modernizing how Part 2 information is shared while preserving essential privacy safeguards. Today’s post offers a chronological list of these rulemakings, each with its own executive summary.

read more
State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of federal and state law, as well as operational policies. Although the facts that are currently known to the public are not sufficient to conclude whether or not HIPAA’s standards applicable to research were met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. At a minimum, the case serves as a reminder that HIEs should be taking proactive steps to ensure that their internal policies, data use agreements, and HIPAA BAAs explicitly address research-related and similar activities in compliance with federal and state laws, including HIPAA.

read more
HIPAA’s Security Rule Glow-Up: What’s Changing and Who’s Affected

HIPAA’s Security Rule Glow-Up: What’s Changing and Who’s Affected

On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).

read more
A Look Back at 2024: HIPAA Enforcement Year in Review

A Look Back at 2024: HIPAA Enforcement Year in Review

Calendar year 2024 brought a range of high-impact HIPAA enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). By the year’s end, OCR had collected over $9 million through various settlements and final determinations. Interestingly, 2024 stands out for having the most final determinations (i.e., definitive impositions of a Civil Money Penalty) in OCR’s HIPAA enforcement history. However, it remains the case that most matters are resolved cooperatively through settlement agreements. Across hospitals, nursing facilities, EMS providers, physician offices (including dental and specialty practices), and even a health care clearinghouse, OCR’s actions highlighted the ongoing importance of thorough risk analyses, timely patient access to records, comprehensive workforce training, and secure system configurations.

read more
Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

In a decision that will have lasting implications for interoperability and health information exchange, earlier this month Carequality issued its Final Resolution in the dispute between Epic and Particle Health. This follows months of deliberation, multiple rounds of evidence submission, and deep scrutiny of the rules governing data sharing. This latest resolution delivers much-needed clarity on several key concerns—but it also introduces fresh questions around enforcement, reciprocity, and how trusted exchange will continue to evolve.

read more
HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.

read more
Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.

read more
FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

The FTC has finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. These updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data. The amendments also carry broad implications for HIEs and HINs, which are at the forefront of data interoperability and patient information sharing.

read more
The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks

The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks

The latest HITECH Report to Congress, released earlier this month, outlines the evolving landscape of health information technology and the continued push toward a more connected, interoperable health care system. With electronic health records (EHRs) now a staple in most clinical settings, the focus has shifted from adoption to enhancing how data is exchanged and used. The report highlights major achievements, persistent challenges, and future priorities in the journey toward seamless health information sharing.

read more

Archives