Mar 25, 2025 / By

Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet a burden of proof that it met its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.

Mar 9, 2025 / By

Preventing IAS from Becoming a Trojan Horse

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

silhouette of woman holding rectangular board

Mar 2, 2025 / By

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

OCR Sees Uptick in Ransomware Incidents

OCR Sees Uptick in Ransomware Incidents

During the Fall 2024, the HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. there has been a 264% uptick in large ransomware breaches since 2018.

Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

In a decision that will have lasting implications for interoperability and health information exchange, earlier this month Carequality issued its Final Resolution in the dispute between Epic and Particle Health. This follows months of deliberation, multiple rounds of evidence submission, and deep scrutiny of the rules governing data sharing. This latest resolution delivers much-needed clarity on several key concerns—but it also introduces fresh questions around enforcement, reciprocity, and how trusted exchange will continue to evolve.

Texas Sues to Block new HIPAA Reproductive Health Care Rule

Texas Sues to Block new HIPAA Reproductive Health Care Rule

Texas Attorney General, Ken Paxton, has sued HHS alleging that the HIPAA Reproductive Health Care Privacy Rule amendments infringe on the state’s investigative authority and that the HIPAA statute does not grant sufficient authority to HHS to promulgate such a rule. Texas is seeking an injunction against enforcement of the final rule.

Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion, “No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist….But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a device to hamstring or eliminate Real Time as a competitor.” Keep reading for additional details regarding Real Time’s complaints against PointClickCare.

Update: On August 19, 2024, PointClickCare filed a Motion to Expedite Appeal with the United States Court of Appeals for the Fourth Circuit.

HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

The FTC has finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. These updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data. The amendments also carry broad implications for HIEs and HINs, which are at the forefront of data interoperability and patient information sharing.

The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks

The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks

The latest HITECH Report to Congress, released earlier this month, outlines the evolving landscape of health information technology and the continued push toward a more connected, interoperable health care system. With electronic health records (EHRs) now a staple in most clinical settings, the focus has shifted from adoption to enhancing how data is exchanged and used. The report highlights major achievements, persistent challenges, and future priorities in the journey toward seamless health information sharing.

OCR Sees Uptick in Ransomware Incidents

OCR Sees Uptick in Ransomware Incidents

During the Fall 2024, the HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. there has been a 264% uptick in large ransomware breaches since 2018.

Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

In a decision that will have lasting implications for interoperability and health information exchange, earlier this month Carequality issued its Final Resolution in the dispute between Epic and Particle Health. This follows months of deliberation, multiple rounds of evidence submission, and deep scrutiny of the rules governing data sharing. This latest resolution delivers much-needed clarity on several key concerns—but it also introduces fresh questions around enforcement, reciprocity, and how trusted exchange will continue to evolve.

Texas Sues to Block new HIPAA Reproductive Health Care Rule

Texas Sues to Block new HIPAA Reproductive Health Care Rule

Texas Attorney General, Ken Paxton, has sued HHS alleging that the HIPAA Reproductive Health Care Privacy Rule amendments infringe on the state’s investigative authority and that the HIPAA statute does not grant sufficient authority to HHS to promulgate such a rule. Texas is seeking an injunction against enforcement of the final rule.

Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs

A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion, “No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist….But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a device to hamstring or eliminate Real Time as a competitor.” Keep reading for additional details regarding Real Time’s complaints against PointClickCare.

Update: On August 19, 2024, PointClickCare filed a Motion to Expedite Appeal with the United States Court of Appeals for the Fourth Circuit.

HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

The FTC has finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. These updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data. The amendments also carry broad implications for HIEs and HINs, which are at the forefront of data interoperability and patient information sharing.

The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks

The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks

The latest HITECH Report to Congress, released earlier this month, outlines the evolving landscape of health information technology and the continued push toward a more connected, interoperable health care system. With electronic health records (EHRs) now a staple in most clinical settings, the focus has shifted from adoption to enhancing how data is exchanged and used. The report highlights major achievements, persistent challenges, and future priorities in the journey toward seamless health information sharing.

42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment & health care operations. Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. Read more about the changes and how we can help with compliance.

Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others

Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others

The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024. Although PHI collected by a HIPAA CE or BA is excluded from the NJDPA HIPAA CEs and BAs are NOT wholly excluded from compliance with the NJDPA. Also, HHS’ recent problematic interpretation that IP addresses collected by a healthcare provider’s website may be PHI adds even more complexity in interpreting the NJDPA.

When AI Denies Your Healthcare: The UnitedHealthcare Lawsuit and the Legal Dangers of AI in Medicine

When AI Denies Your Healthcare: The UnitedHealthcare Lawsuit and the Legal Dangers of AI in Medicine

icial intelligence (AI) is supposed to make healthcare smarter, more efficient, and—ideally—better for patients. But as UnitedHealthcare Group (UHG) recently learned, AI can also go horribly wrong, leading to denied care, regulatory scrutiny, and class-action lawsuits. Today’s posts breaks down what happened in the UHG case, what it reveals about some of AI’s legal minefields, and how healthcare organizations can avoid becoming the next target of an AI-related lawsuit.

Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.

Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.