Time is Up! OCR Complaint Intake & Breach Reporting Go Live for 42 CFR Part 2

Time is Up! OCR Complaint Intake & Breach Reporting Go Live for 42 CFR Part 2

by | Feb 16, 2026 | ,

Time is up, and the enforcement infrastructure is now live. OCR’s complaint portal is open to 42 CFR Part 2, and Part 2 breach reporting is no longer a future workflow. A live portal changes behavior: it lowers the friction to file, increases complaint volume, and accelerates how quickly organizations receive the familiar “we have received a complaint, please explain” letter. If you are a Part 2 program, a QSO, or a lawful holder (including many HIPAA covered entities and business associates), this is the moment Part 2 stops being a policy project and becomes immediate operational exposure.

read more
HTI-5 and Information Blocking: Your Bots Are Covered, and Your Excuses Are Getting Smaller

HTI-5 and Information Blocking: Your Bots Are Covered, and Your Excuses Are Getting Smaller

by | Jan 2, 2026 | , , , ,

HTI-5 is calling out two things the market already knows: EHI is increasingly accessed through automation and AI, and “infeasible” has been doing suspiciously heavy lifting in some corners of the ecosystem. If you are an HIE/HIN, a developer of certified health IT, or a provider, these proposed information blocking changes tighten the exception playbook, put contract gating on notice, and make it harder to hide a “no” behind nicer paperwork.

read more
ONC Quietly Dropped Four (4) New Information Blocking FAQs

ONC Quietly Dropped Four (4) New Information Blocking FAQs

by | Dec 22, 2025 | , , ,

ONC just dropped four new Information Blocking FAQs on December 19, 2025, and they go straight to the real pressure points: revenue-sharing dressed up as fees, “alternative manner” gamesmanship, and whether automation counts as access. These clarifications matter most where policy meets operations. If you build, sell, operate, or rely on interoperability, this is the set to read.

read more
Are You Blocking? The Coming Crackdown on Information Blocking: What It Means for HIE/HINs, Developers of Certified HIT, & Health Care Providers

Are You Blocking? The Coming Crackdown on Information Blocking: What It Means for HIE/HINs, Developers of Certified HIT, & Health Care Providers

by | Sep 10, 2025 | ,

HHS has declared that the “warning period” for information blocking is over, putting HIEs, HINs, developers, and providers squarely in the path of active enforcement. With OIG empowered to levy million-dollar penalties, ONC able to strip certifications, and CMS now finalizing monetary disincentives for certain providers, the consequences are real and far-reaching. At the same time, long-standing practices, such as conservative privacy policies or restrictive BAAs, may suddenly collide with federal interoperability mandates. This article examines the new enforcement posture, the risks and dilemmas it creates, and what health information networks and their provider members must do to prepare.

read more
Bookmark This! Copies of All 42 CFR Part 2 Rules Published from 1974 to 2024

Bookmark This! Copies of All 42 CFR Part 2 Rules Published from 1974 to 2024

by | Sep 3, 2025 | , , ,

Ever burned valuable time chasing down what feels like endless versions of 42 CFR Part 2? No more! Bookmark this for your one-stop place to go for copies of every single Notice of Proposed Rulemaking (NPRM) and Final Rule for 42 CFR Part 2, starting with the very first proposal in 1974! Whether you’re a compliance officer, privacy lawyer, or just a regs nerd who loves immediate access to the rules you need, this list has you covered. Bookmark it, share it, and breathe easy knowing you’ll never again waste hours digging through archives. You’re welcome. 😉

read more
Beware! New Breach Reporting Obligations Under 42 CFR Part 2 — Even When HIPAA Wouldn’t Require It

Beware! New Breach Reporting Obligations Under 42 CFR Part 2 — Even When HIPAA Wouldn’t Require It

by | Aug 28, 2025 | , ,

Until now, Part 2 programs had no duty to report breaches under Part 2—even if disclosures clearly violated the rule. That “free pass” ends in February 2026, when HIPAA’s breach reporting framework will officially be grafted onto Part 2. What does this mean for programs? A new world of reporting obligations, OCR enforcement, and tougher compliance decisions.

read more
From Dragging Feet to Dragged Along: The Uneven March Into TEFCA

From Dragging Feet to Dragged Along: The Uneven March Into TEFCA

by | Aug 8, 2025 | , , , ,

On August 6, 2025, ONC unveiled the first public TEFCA Organizational Map, a tool that makes it possible to see which health systems are stepping into the national interoperability framework—and which are not. For some, this marks a milestone in transparency and progress; for others, it raises questions about strategy, governance, and whether more national data sharing is always a good thing. The uneven pace of adoption, particularly among Epic’s vast customer base, shows just how complicated the march into TEFCA has become.

read more
Audacious Inquiry Sues CRISP: A Patent Showdown with National Interoperability Implications

Audacious Inquiry Sues CRISP: A Patent Showdown with National Interoperability Implications

by | Jul 15, 2025 | , , ,

Audacious Inquiry has filed a patent infringement suit against CRISP, Maryland’s state-designated HIE. At issue are core encounter notification and care coordination tools that providers nationwide rely on daily. With high-stakes infrastructure and TEFCA participation on the line, the outcome could reshape how HIEs balance public good with private innovation.

read more
Regulatory Roller Coaster: District Court Judge Vacates HIPAA Reproductive Health Privacy Rule

Regulatory Roller Coaster: District Court Judge Vacates HIPAA Reproductive Health Privacy Rule

by | Jun 23, 2025 | , ,

On June 18, 2025, Judge Kacsmaryk of the U.S. District Court for the Northern District of Texas vacated key provisions of HHS’s HIPAA Privacy Rule that had imposed new federal protections for reproductive health care information. This means that HIPAA-covered entities must immediately stop requiring a HIPAA-compliant Attestation from requestors seeking PHI that includes (or is likely to include) reproductive health information. Covered entities must now also reevaluate their current processes for handling requests for PHI related to reproductive health information. However, if you operate in a state that has its own state-level reproductive privacy or provider shield law, those state protections still apply and may even require similar or stronger privacy safeguards.

read more
Does the TEFCA Exception Hinder Participation?

Does the TEFCA Exception Hinder Participation?

by | Jun 9, 2025 | , , , , ,

HHS has opened the door to one of the biggest questions in health information law: should the TEFCA exception to the information blocking rules stay or go? The May 16, 2025 RFI asks whether this carve-out encourages participation in TEFCA or instead creates confusion and double standards for networks like Carequality, which already impose requirements stricter than HIPAA. With comments due June 16, stakeholders have just days to weigh in on a decision that could reshape the balance between nationwide interoperability and local control.

read more
Impact of Executive Order 14117 and DOJ’s Final Rule on HIEs Operating as Business Associates

Impact of Executive Order 14117 and DOJ’s Final Rule on HIEs Operating as Business Associates

by | May 21, 2025 | , ,

The U.S. Department of Justice’s Final Rule titled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons became effective on April 8, 2025, but its compliance requirements are currently stayed until July 8, 2025 to give organizations time to adjust. This sweeping rule applies to U.S. hospitals, health systems, health information exchanges (HIEs), health IT and cloud vendors, research institutions, and any other U.S. persons or entities that handle, transfer, or store large volumes of sensitive personal data. HIEs should coordinate closely with legal counsel to update their compliance programs and ensure that no aspect of their technology stack or vendor chain inadvertently creates a prohibited or restricted data transaction.

read more
Do Recent Changes to the Carequality Framework Policies Implicate Information Blocking For Some?

Do Recent Changes to the Carequality Framework Policies Implicate Information Blocking For Some?

by | May 14, 2025 | , , , ,

Carequality’s new Version 3 Framework Policies add stricter requirements than HIPAA and could expose participants to Information Blocking risks. At the same time, TEFCA alignment creates a paradox: practices permitted under the new TEFCA Exception may still be questioned outside of TEFCA. This article unpacks the double standard—and what it means for HINs, HIEs, and nationwide interoperability.

read more
Join Us June 11th for a Free Q&A Panel on 42 CFR Part 2!

Join Us June 11th for a Free Q&A Panel on 42 CFR Part 2!

by | Apr 4, 2025 | , ,

Join us for a 1-hour Q&A session addressing some of the most pressing questions that Part 2 Providers and HIE/HINs are asking about the Final Rule for 42 CFR Part 2. The session will cover: Compliance obligations & enforcement risks for Part 2 Providers, QSOs,& “Lawful Holders”; the NEW Part 2 “TPO Consent” and its application in an HIE-networked environment; sharing Part 2 information for Public Health & Scientific Research; QSO language; sharing Part 2 Information through HIE/HINs, and much more!

read more
Preventing IAS from Becoming a Trojan Horse

Preventing IAS from Becoming a Trojan Horse

by | Mar 9, 2025 | , ,

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

read more
NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

by | Mar 2, 2025 | , , ,

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

read more

Archives