a close up of a window with a building in the background

Jan 31, 2025 / By

State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of federal and state law, as well as operational policies. Although the facts that are currently known to the public are not sufficient to conclude whether or not HIPAA’s standards applicable to research were met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. At a minimum, the case serves as a reminder that HIEs should be taking proactive steps to ensure that their internal policies, data use agreements, and HIPAA BAAs explicitly address research-related and similar activities in compliance with federal and state laws, including HIPAA.

Continue Reading the full story
A group of blue and green balls on a black background

Jan 6, 2025 / By

TEFCA Anticipated to Grow in 2025

Since TEFCA went live in December 2023, eight (8) organizations have been designated as Qualified Health Information Networks (QHINs). Each QHIN is a large information network that represents up to hundreds of HINs, health systems, public health agencies, payers, and IT vendors. Epic and Carequality recently announced that they would align their frameworks with TEFCA. TEFCA’s growth will be further supported by regulatory measures to incentivize network participation, such as the Information Blocking Rule.

Continue Reading the full story
white concrete building near trees during night time

Dec 16, 2024 / By

Health Data, Technology, and Interoperability Rules, HTI-1, 2, & 3

The landscape of health IT regulation just took another significant leap forward. In the final days of 2024, federal regulators dropped two game-changing rules—HIT-2 and HTI-3—adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology. But what do these latest rules really mean for healthcare providers, developers, and patients? Let’s break down the impact and key takeaways you need to know.

Continue Reading the full story
Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

May 11, 2020

Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act.  On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago

CMS Continues COVID-19 Assistance for the Promoting Interoperability and Quality Payment Programs

CMS Continues COVID-19 Assistance for the Promoting Interoperability and Quality Payment Programs

May 5, 2020

As hospitals and providers continue to struggle in response to the COVID-19 pandemic, CMS has announced several efforts to provide assistance under the Promoting Interoperability Programs and Quality Payment Program. 

For the Quality Payment Program, CMS had previously extended the deadline for MIPS eligible clinicians to submit data and reopened the application period for MIPS eligible clinicians to file for a hardship exception for the 2019 payment year.  Additionally, CMS announced that any individual MIPS eligible clinician who did not submit data or which submitted data for only one performance category for the 2019 payment year by April 30 will automatically receive a neutral payment instead of a negative payment adjustment (this “extreme and uncontrollable circumstances” policy is not available to groups/virtual groups). If a MIPS eligible clinician is able to submit data, CMS noted that the data submission would override the automatic “extreme and uncontrollable circumstances” policy and the clinician could be eligible for negative, neutral or positive payment adjustments based on the data submission. 

ONC Delays Enforcement of the Information Blocking Certification Provisions of its CURES Act Final Rule for 3 months

ONC Delays Enforcement of the Information Blocking Certification Provisions of its CURES Act Final Rule for 3 months

Apr 22, 2020

Today, ONC announced that it will exercise its discretion in enforcing all new requirements under its Cures Act Final Rule which have compliance dates and time frames until 3 months after each such date identified in the Final Rule.  The ONC Final Rule is scheduled to be published on May 1, 2020 in the Federal Register.  The ONC has developed an “Enforcement Discretion Dates and Time frames” chart which indicates that the Part 170 Information Blocking provisions will have a compliance Enforcement Discretion Date of February 1, 2021.

Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.

Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.

learn about member-only content
Got it!