Mar 25, 2025 / By

Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet its burden of proving that it satisfied its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.

Mar 9, 2025 / By

Preventing IAS from Becoming a Trojan Horse

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

Mar 2, 2025 / By

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

ONC Releases Answers to Frequently Asked Questions to Information Blocking

On Monday, ONC posted a new Information Blocking Frequently Asked Questions resource!  Here are a few of the highlights from all of the FAQs responded to by ONC:

Q:  Are health plans or other payers subject to the information blocking regulation?

Q: For the period of time when Information Blocking is limited to USCDI data, how is an Actor expected to fulfill a request for USCDI data if they do not yet have certified health IT in place that includes an API with the USCDI standard?

Q: Is an Actor required to fulfill a request for access, exchange or use of EHI with all the EHI they have for a patient or should the amount of EHI be based on the details of the request?

Halloween Treat!  HHS Delays Information Blocking Compliance Deadline to  April 5, 2021!

Interim Final Rule with Comment Period Responds to COVID-19 Pandemic. Responding to public health threats posed by the coronavirus pandemic, today the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) released an interim final rule with comment period that extends the compliance dates and timeframes necessary to meet certain requirements related to information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements.

Who is on the “Hook” for Information Blocking?

ONC’s final rule on Information Blocking implements the 21st Century Cures Act and fleshes out what is and is not a prohibited information blocking practice.  However, not all health care organizations and their vendors are on the hook for complying with this new regulation. In my post today, I want to drill down on the scope of health care providers that must comply with the Information Blocking Rule.

Per ONC, Lab Results Generally Cannot be Delayed to “Prevent Harm” (unless threat to life & physical safety)

As the November 2nd deadline for compliance with ONC’s Information Blocking Rule nears, many health care providers – which are “Actors” subject to the Rule – are scrambling to reexamine their default settings for sharing various types of data, including lab results. In ONC’s Final Rule preamble, several commenters indicated that providers’ current organizational policies call for practices that delay the release of laboratory results so that the patient’s clinician has an opportunity to review the results before potentially needing to respond to patient questions, or has an opportunity to communicate the results to the patient in a way that builds the clinician-patient relationship.

Info Blocking Rules have you STRESSED?!!  Join Helen O. for Two Not-to-Miss Workshops for Help!

Join me for a pair of 1.5hr Information Blocking Workshops designed to work through the nitty-gritty details of the Information Blocking Rule. The first Workshop will take place WEDNESDAY (9/30) so don’t delay! Workshops will include use cases and scenarios aimed at real challenges faced by health care providers looking to comply with these new regulatory standards for access and sharing of electronic health information. Registrants will receive 2 sample P&Ps, and much more!

CMS Extends Publication Deadline for Stark Law Changes

At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased alignment and coordination between the two sets of laws.

Join Seton Hall Law & Helen Oscislawski & Other Esteemed Speakers on September 17th for Panel Discussions on Balancing Privacy and Public Health in a COVID-19 World

Seton Hall Law’s Institute for Privacy Protection and Gibbons Institute of Law, Science & Technology are hosting a Virtual Event on September 17th with legal academics, practitioners, and government officials who will evaluate the impact of the COVID-19 pandemic on privacy and intellectual property. Panel One speakers will discuss balancing privacy & public health; Panel Two will discuss Intellectual Property – incentives to access to vaccines & treatments.

OCR Puts the Summer HIPAA Heat on Two Organizations with New Resolution Agreements

After almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July. At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn: the first resulted in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involved – yes, yet again – a stolen unencrypted laptop. However, the second case in particular deserves closer examination because it has embedded in it more complex corporate structure and liability issues: it actually involved two legally separate covered entities that elected to designate themselves as a single covered entity for purposes of HIPAA. Let’s look at each case separately.

Don’t Wait to Understand How “FHIR” Will Transform Health Information Exchange, or You’ll Feel the Heat When it Ignites!

CMS & ONC have promulgated their Final Rules to implement the 21st Century Cures Act. A main goal is to accelerate the access, exchange and use of electronic health information (EHI). One way this is being accomplished is to require certain entities and actors to provide Application Programming Interfaces (APIs) that use a new standard for data access and exchange called Fast Healthcare Interoperability Resources (aka “FHIR”). These new standards for adopting FHIR for information exchange are expected to exponentially accelerate individuals’ ability to access and share EHI through mobile apps, as well as allow any third party adopting such FHIR standards to obtain access to such EHI. Especially for HIPAA Privacy Officers, Security Officers, Compliance Officers and attorneys who have for years focused on ensuring that their organizations do not make the mistake of releasing protected health information to a third party in violation of federal or state privacy and security laws, I feel your pain on FHIR!

You Should Know Your Affirmative Defenses if OCR Investigates You for HIPAA Violations

The HIPAA Enforcement Rule prevents the Secretary/OCR from assessing civil monetary penalties (CMP) against a covered entity or business associate if an Affirmative Defense can be established. A HIPAA violation that is corrected within 30 days of discovery can potentially insulate an organization from CMPs, provided certain requirements are met. But an organization has to make sure that it fits squarely within the requirements of these regulatory defenses to be fully insulated.

Don’t Miss CMS’s Engagement Calls for Ongoing COVID-19 Developments

Need access to current information about COVID-19 and Medicare? CMS is holding stakeholder engagement calls to provide an opportunity for hospitals, health systems, and providers. The Webcast sessions are intended to provide updates, share best practices among peers, and offer attendees an opportunity to ask questions of CMS and other subject matter experts.

CMS Issues Telehealth Encounter Guidance for Quality Reporting Programs

New telehealth encounter guidance is available for the Promoting Interoperability Programs and Quality Payment Program. There are 42 telehealth codes eligible for inclusion within the eligible professional/eligible clinician eCQMs for the 2020 performance period. For the 2021 performance period, 39 telehealth codes would be eligible; however, there are also additional eCQMs identified as not eligible for telehealth encounters.

Why Privacy & Consent Will Remain a Central Hurdle to Health Info Exchange Despite the Info Blocking Rule

Under the Privacy Exception, an Actor is permitted to not fulfill a request received to access, exchange, or use EHI to protect an individual’s privacy. The sub-exception for a “precondition-not-satisfied” will continue to put state laws governing privacy and consent at the center of decisions about whether EHI will be shared with third parties. Healthcare providers and HIEs/HINs especially will need to ensure that they have identified and analyzed each legal precondition to the release of EHI that is applicable to the particular type of entity and type of information that is implicated.

Is Your Organization Ready to Send Patient Information to Apps by November?

Becker’s Hospital Review reported that 70% of CIOs are “concerned” about meeting the upcoming November 2nd deadline for complying with the Final Rules prohibiting information blocking practices. This is according to a survey conducted by CHIME, which included responses from executives at academic medical centers, critical access hospitals, multi-hospital systems and specialty hospitals.  Although the survey did not appear to identify specifically what concerns CIOs about complying with information blocking rules by this fall, one possibility is fully understanding how ONC’s information blocking rules will apply to releasing patients’ EHI to third-party apps.

WEBINAR:  Learn Which HIPAA Policies to Revise for ONC’s New Information Blocking Rule, Plus More!

Join the NJ Chapter of HIMSS and Helen Oscislawski for this Webinar to get a lean and focused overview of what you need to do to comply with ONC’s and CMS’s final rules implementing the 21st Century Cures Act. On April 24, 2020, the OIG also released its Proposed Rule on CMPs to be imposed against Actors who engage in prohibited “Information Blocking.” These new rules turn on their heads certain HIPAA policies and procedures.

New HHS Guidance on Laboratory COVID-19 Data Reporting Recognizes Valuable Role of HIEs

Late last week, HHS published new Guidance that specifies what additional data must be reported by laboratories along with COVID-19 test results. Reporting of certain data elements by laboratories is legally required, while reporting of other identifiable demographic data is encouraged but not mandatory. The Guidance notes that state and local privacy standards apply to the collection of identifiable demographic data. Importantly, HHS expressly supports health information exchanges (HIEs) being leveraged to facilitate required data collection and reporting.

5 Reasons Why Your Training is Not Preventing HIPAA Violations by Employees

A State Court of Appeals recently reinstated a patient’s claim that an Indiana hospital is vicariously liable for the actions of its employee who shared the patient’s confidential information with an unauthorized third party. Although the lower court originally dismissed the case, the appellate court found that there is a “genuine issue of fact” and remanded the case for further proceedings. Now a potential monetary settlement teeters on the edge as the hospital’s potential liability for this employee’s HIPAA non-compliance rests in the hands of further proceedings in the lower court. So you might want to ask: why did this happen in the first place?

* HIPAA Training that is too basic and not focused on specific risk areas and organizational policies is not only non-compliant, but also largely ineffective. 

* HIPAA covered entities should have clear policies and training that address specific employee behaviors that are “high risk” for HIPAA violations. 

* Organizations must make sure they are training EVERYONE, and implementing effective Security Reminders.

“To Block, or Not to Block,” that is the question…

Deciding whether “to block, or not to block” health information based on an exception laid out in ONC’s Final Rule can quickly turn into a Shakespearean tragedy unless Actors understand in advance the specific criteria that must be met in order to satisfy any such applicable exception.
