Mar 25, 2025 / By

Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet its burden of proof to show that it satisfied its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.

Mar 9, 2025 / By

Preventing IAS from Becoming a Trojan Horse

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

Mar 2, 2025 / By

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not any more. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should be suspended or amended.

FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs), which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status, etc.) for advertising and marketing purposes.

ONC Says “Vetting” Mobile Apps is Information Blocking

ONC says that when actors require third-party apps to be “vetted” by them for security reasons before allowing patients to use such apps to receive EHI via API technology certified to the Standardized API certification criterion, that practice is likely to be information blocking. However, my concern with relying solely on the security criteria required for API certification is that it is too low of a bar to adequately protect patients and other individuals from developers of apps that fail to keep promises to keep individuals’ information confidential.

ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

The Office of the National Coordinator says it receives a lot of questions regarding how the Information Blocking Rule is supposed to work in tandem with the HIPAA Privacy Rule and other federal and state laws governing privacy and confidentiality. Their new FAQs aim to help clarify when actors can choose to not respond to a request for access, exchange, or use of electronic health information.

ONC Vindicated. Patients Want Immediate Access to Test Results

JAMA published a study earlier this week finding more than 95% wanted immediate access to test results. However, when speaking to ONC, the study’s lead researcher specifically noted that although 95.3% of patients who received abnormal test results responded that they still would like to continue to receive immediately released results, this was associated with nearly twice the likelihood of worry compared to respondents who received normal results.

FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat

The FTC issued a proposed order requiring BetterHelp to pay $7.8 million to consumers to settle charges that it shared consumers’ health data with Facebook, Pinterest, Snapchat, and Criteo after promising to keep such data private and claiming it is “certified” as “HIPAA compliant.” The real juice of this case is in the FTC complaint — and HIPAA-covered providers, facilities & organizations can learn a lot about what to watch out for with health data Apps as we continue to march towards the FHIR.

Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology?

On December 1, 2022, OCR released a “guidance” Bulletin re: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” From it, we learned (among other things) that OCR believes that an individual’s IP address and geolocation, collected by a regulated entity’s website, are protected by HIPAA. Now, we have come to learn that HIPAA compliance investigations by OCR are already underway concerning this topic. Are you ready?

HAPPY NEW YEAR!  A LOT will be happening in 2023!

The New Year is finally here, and I believe that there will be a LOT going on in 2023!  Here are just a few of the things that Legal HIE is looking to stay on top of for our readers this year . . .

Are We Getting Closer to Alignment of 42 CFR Part 2 & HIPAA?

SAMHSA finally fulfilled its duty under the CARES Act & released a Proposed Rule, “Confidentiality of Substance Use Disorder (SUD) Patient Records,” amending the Part 2 rules in line with the CARES Act’s requirements. This is the 4th overhaul of the Part 2 Rule in 5 years…

Information Blocking is No Longer Limited to USCDI

Today, the Information Blocking spigot has officially opened. The Content & Manner Exception no longer applies; now, all electronic health information (EHI) cannot be “blocked” if requested (unless another exception applies).

Summary List Update of COVID19-related Federal Actions Relevant to Healthcare

As efforts at the federal and individual state levels evolve every day at almost a breakneck pace to address challenges and needs related to the COVID-19 outbreak, here is an updated running list of some of the top actions taken at the federal level that we thought would be helpful to the healthcare industry (Caveat, this is not an exhaustive list):

CMS Releases Hospital COP Event Notification FAQs; Interpretive Guidance

On May 1, modifications to the Medicare Conditions of Participation (“CoPs”) went into effect, requiring certain electronic event notifications for admissions, discharges and transfers (“ADTs”) to and from hospitals, critical access hospitals and psychiatric hospitals. To provide guidance to hospitals and state surveyors, CMS released several FAQs as well as interpretive guidance last week to be published in the State Operations Manual.

Hospitals are required to make a “reasonable effort” to ensure that notifications are sent to post-acute care services providers and suppliers, and other practitioners and entities, which need such notifications for treatment, care coordination or quality improvement. Under the new CoP, ADT notifications must be sent for all emergency department and inpatient patients where the hospital, critical access hospital or psychiatric hospital maintains an electronic medical record or administrative system.

When Does a Health Care Provider Wear an HIE/HIN Hat for Purposes of the Info Blocking Rule?

Under the Information Blocking Rule (IBR), a health information network (HIN) or health information exchange (HIE) type actor is one that “determines,” “controls,” or has the “discretion to administer” access, exchange or use of EHI between two or more unaffiliated entities. ONC has said that a separate entity is not necessary to trigger the IBR HIN/HIE definition of an Actor. Additionally, ONC has specifically pointed out that a health care system, for example, could wear two IBR actor hats: (1) as a health care provider, and (2) as a HIN/HIE.

What Information Must be Made Available on Patient Portals?

Well folks, the Information Blocking Rule (IBR) April 5th compliance deadline is behind us at this point.  However, I know that many of you are continuing to work through your top IBR challenges and questions one at a time.  At this point, I have worked through many thorny IBR issues with numerous health care providers and health information exchanges (HIE), so I thought it might be interesting for me to share what is the main topic that I see Actors are focused on. And the winner is …..

Information Blocking Compliance — So What Happens on April 5th?

The deadline for compliance with the Information Blocking Rule is just 12 days away!  I am certain that all the Actors are working feverishly and diligently to come into compliance with these new requirements by this fast-approaching date.  On the bright side, I suppose that we can all be relieved that ONC did not stick with its original deadline date of November 2, 2020.  However, even with the extra time Actors may still be scrambling to get all of their ducks in a row by April 5, 2021. So, what are the actual consequences if everything is not “buttoned-up” in time?

NEW ONC FAQ:  Prior Agreements or Contracts CAN Implicate Information Blocking as of April 5th!

On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the Information Blocking Rule. Under the Communications Condition of Certification (CCOC) requirements, a contract must be revised to remove or void the contractual provision that contravenes the CCOC requirements whenever the contract is next modified for any reason. A Business Associate Agreement should generally not prohibit or limit the access, exchange, or use of the EHI for treatment.
