Mar 25, 2025 / By

Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet a burden of proof that it met its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.

Mar 9, 2025 / By

Preventing IAS from Becoming a Trojan Horse

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

silhouette of woman holding rectangular board

Mar 2, 2025 / By

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

How to Use the Privacy Exception to Deny an Abuser Access to EHI

How to Use the Privacy Exception to Deny an Abuser Access to EHI

When an Actor wants to potentially deny access of EHI to a person who is suspected of some type of abuse of the individual (the “Abuser”) whose EHI is being sought, the natural inclination is want to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial.  However, the IB Rule’s Privacy Exception offers additional options and, in certain ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.  

Checklist for Info Blocking Compliance

Checklist for Info Blocking Compliance

Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. There are operational decisions and other process issues that must be addressed and can only be implemented by the Actor. Every health health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April 5, 2021. Where should you start?  I propose using a checklist as a simple starting point to begin “ticking off” your Information Blocking “to do” list . . .

Threading the HIPAA Needle through Information Blocking to Block Patient Access when Data is Corrupted

Threading the HIPAA Needle through Information Blocking to Block Patient Access when Data is Corrupted

The Information Blocking (IB) Rule is intended to work in sync with HIPAA, including the “right of access” the Privacy Rule grants to patients with regard to access to their own protected health information (PHI).  However, as I continue to analyze how to implement various standards that overlap between these two regulations, questions about how to thread the needle on seemingly conflicting standards continues to come up. Today, I take a closer look at the difference between HIPAA’s “right of access” as compared to the Preventing Harm Exception found in the IB Rule. Specifically, this post considers how a covered entity health care provider . . .

How the Preventing Harm Exception Changes HIPAA

How the Preventing Harm Exception Changes HIPAA

the “Preventing Harm Exception” under the Information Blocking Rule is not only the most challenging exception to apply, but also the most difficult to interpret – particularly where some of the standards do not exactly track HIPAA, and still other imprecise language ONC used has made its interpretation uncertain. In this post, I will attempt to distill the Preventing Harm Exception down to its basic elements, as well as point out issues in its interpretation to be aware of.

A Look Ahead to 2021

A Look Ahead to 2021

The new year has much in store for electronic health information exchange compliance!  Today’s post provides an overview of anticipated changes to the health information regulatory landscape in 2021, including increased interoperability efforts and telehealth expansion due to the coronavirus pandemic. It is not surprising that many of the topics discussed below are a direct result of the interoperability requirements created by the 21st Century Cures Act (“Cures Act”) enacted in December 2016.

Our Stockings are Stuffed with Compliance Tools

Our Stockings are Stuffed with Compliance Tools

Seasons Greetings to all of our readers!  First, we want to wish you and yours a holiday season filled with health, happiness and hope!  We also want to thank you all for continuing to make Legal HIE such a popular and highly visited blog!  It puts a smile on our face seeing so many of you enjoying our posts and returning to our site often!  

As stockings are being hung by chimneys with care, we want to make sure you know that Legal HIE’s stockings are absolutely stuffed to the brim with tremendous tools, sample forms, polices and turn-key solutions that can help your organization stay on top of the most pressing compliance challenges, and ever-changing healthcare regulatory landscape. 2021 promises to be a year with many new and final regulations going into effect, and being released. The Legal HIE compliance library was created specifically for this purpose – to help busy and overwhelmed compliance officers and attorneys keep up with these changes by offering turn-key samples and solutions as a solid starting point.

OCR Publishes New Guidance on Sharing PHI through HIEs for Public Health Purposes

OCR Publishes New Guidance on Sharing PHI through HIEs for Public Health Purposes

Last Friday, the Office for Civil Rights (OCR) issued new Guidance on how HIPAA permits covered entities and their business associates to use health information exchanges (HIEs) to disclose PHI for the public health activities of a Public Health Authority (PHA).  Specifically, it provides examples relevant to the COVID-19 public health emergency. OCR Director, Roger Severino, specifically notes that the Guidance was issued:

“to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.”.

Although much of the Guidance document simply reiterates the controlling HIPAA Privacy Rule provisions and definitions which have always afforded a mechanism through which covered entities (CE) and their contracted business associates (BA) can share ePHI with a public health authority for public health purposes, there are a few notable new take-away nuggets.

A “Double-Double” Set of Proposed Rules from CMS & OCR Affecting Data Sharing & HIPAA

A “Double-Double” Set of Proposed Rules from CMS & OCR Affecting Data Sharing & HIPAA

Late last week, two new proposed rules were released which will affect the exchange of health information and HIPAA, among other things.  The CMS and OCR proposed rules come in at over 347 and 357 pages respectively – so that’s a lot of meat to digest!  At a high level, the CMS Proposed Rule aims to “improve the electronic exchange of health care data among payers, providers, and patients,” and “streamline processes related to prior authorization to reduce burden on providers and patients.” The OCR proposed changes to HIPAA take a bite out of patient access, minimum necessary, the HIPAA NPP and more . . .

Per ONC, Lab Results Generally Cannot be Delayed to “Prevent Harm” (unless threat to life & physical safety)

Per ONC, Lab Results Generally Cannot be Delayed to “Prevent Harm” (unless threat to life & physical safety)

As the November 2nd deadline for compliance with ONC’s Information Blocking Rule nears, many health care providers – which are “Actors” subject to the Rule – are scrambling to reexamine their default settings for sharing various types of data, including lab results. In ONC’s Final Rule preamble, several commenters indicated that providers’ current organizational policies call for practices that delay the release of laboratory results so that the patient’s clinician has an opportunity to review the results before potentially needing to respond to patient questions, or has an opportunity to communicate the results to the patient in a way that builds the clinician-patient relationship.

Info Blocking Rules have you STRESSED?!!  Join Helen O. for Two Not-to-Miss Workshops for Help!

Info Blocking Rules have you STRESSED?!! Join Helen O. for Two Not-to-Miss Workshops for Help!

Join me for a pair of 1.5hr Information Blocking Workshops designed to work thorough the nitty-gritty details of the Information Blocking Rule.  The first Workshop will take place WEDNESDAY (9/30) so don’t delay! Workshops will include use cases and scenarios aimed at real challenges faced by health care providers looking to comply with these new regulatory standards for access and sharing of electronic health information. Registrants will receive 2 sample P&Ps, and much more!

CMS Extends Publication Deadline for Stark Law Changes

CMS Extends Publication Deadline for Stark Law Changes

At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased alignment and coordination between the two sets of laws.

Join Seton Hall Law & Helen Oscislawski & Other Esteemed Speakers on September 17th for Panel Discussions on Balancing Privacy and Public Health in a COVID-19 World

Join Seton Hall Law & Helen Oscislawski & Other Esteemed Speakers on September 17th for Panel Discussions on Balancing Privacy and Public Health in a COVID-19 World

Seton Hall Law’s Institute for Privacy Protection and Gibbons Institute of Law, Science & Technology is hosting a Virtual Event on September 17th with legal academics, practitioners, and government officials who will evaluate the impact of the COVID-19 pandemic on privacy and intellectual property. Panel One speakers will discuss balancing privacy & public health; Panel Two will discuss Intellectual Property – incentives to access to vaccines & treatments.

OCR Puts the Summer HIPAA Heat on Two Organizations with New Resolution Agreements

OCR Puts the Summer HIPAA Heat on Two Organizations with New Resolution Agreements

After over almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July.  At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn with the first one resulting in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involving – yes, yet again – a stolen unencrypted laptop.  However, the second case in particular deserves closer examination where it has embedded in it more complex corporate structure and liability issues where it actually involved two legally separate covered entities that elected to designated themselves as a single covered entity for purposes of HIPAA.  Let’s look at each case separately.

Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!

Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!

Yesterday, the period for public comment on the FTC’s Health Breach Notification Rule closed.  The FTC’s Health Breach Notification Rule requires vendors of PHRs and PHR-related entities to notify the FTC if they experience a breach of security involving unsecured health information. Another area of change to Breach Notification is arising out of the CARES Act which was was enacted into law on March 27, 2020 and is making significant changes 42 C.F.R. Part 2.  Among other changes that the CARES Act is introducing, it creates an entirely new obligation on Part 2 providers to notify SAMHSA of uses and disclosures of Part 2 data in any manner not authorized under Part 2!  To date, 42 CFR Part 2 did NOT include an independent obligation to report or notify any agency (i.e., SAMHSA or HHS) of any use or disclosure of Part 2 information which was in violation of 42 CFR  Part 2.

ONC Just Announced a New HIE Funding Opportunity for HIE Services Benefiting Public Health & COVID-19

ONC Just Announced a New HIE Funding Opportunity for HIE Services Benefiting Public Health & COVID-19

The award will allocate $2.5M to fund up to 5 awards (in the amount of up to $500K EACH) with a period of performance of up to 2 years in the form of cooperative agreements with funding contingent upon availability of funds, satisfactory completion of milestones, and a determination that continued funding is in the best interest of the federal government and the public. SHORT TURN AROUND! Deadline is September 1, 2020 to get Applications in.

Moving Forward after Privacy Shield’s Invalidation

Moving Forward after Privacy Shield’s Invalidation

On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.

Looks Like the FTC Is Ramping up for Enforcement of Health Apps

Looks Like the FTC Is Ramping up for Enforcement of Health Apps

This past Tuesday the FTC hosted its 5th annual PrivacyCon. It was a GREAT event!  The full-day event covered a wide-range of cutting edge and titillating issues concerning the privacy of data in this day and age of rapidly accelerating technology.  However, it was the morning session which covered Health Apps that interested me the most. In his opening remarks, the Director of FTC’s Bureau of Consumer Protection, Andrew Smith, came out-of-the-gate pointing out that earlier this year HHS issued rules that will make it easier for consumers to access their medical records through the app of their choice, and while this expanded access to health information can be an enormous benefit to consumers – wherever data flow opportunities increase, the opportunities for data compromise increase as well. Director Smith concluded his opening remarks by stating “We at the FTC will not hesitate to take action when companies misrepresent what they are doing with consumers’ health information or otherwise put health data at undue risk . . .” Here is what I learned from the four-person panel of experts who discussed the ins-and-outs of Health Apps and potential direction of the FTC will take with enforcement.

Mind your Breach Insurance and Vendor Contracts

Mind your Breach Insurance and Vendor Contracts

A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size, operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.

Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.

Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.