Beware! New Breach Reporting Obligations Under 42 CFR Part 2 — Even When HIPAA Wouldn’t Require It

Until now, Part 2 programs had no duty to report breaches under Part 2—even if disclosures clearly violated the rule. That “free pass” ends in February 2026, when HIPAA’s breach reporting framework will officially be grafted onto Part 2. What does this mean for programs? A new world of reporting obligations, OCR enforcement, and tougher compliance decisions.

From Dragging Feet to Dragged Along: The Uneven March Into TEFCA

On August 6, 2025, ONC unveiled the first public TEFCA Organizational Map, a tool that makes it possible to see which health systems are stepping into the national interoperability framework—and which are not. For some, this marks a milestone in transparency and progress; for others, it raises questions about strategy, governance, and whether more national data sharing is always a good thing. The uneven pace of adoption, particularly among Epic’s vast customer base, shows just how complicated the march into TEFCA has become.

Regulatory Roller Coaster: District Court Judge Vacates HIPAA Reproductive Health Privacy Rule

On June 18, 2025, Judge Kacsmaryk of the U.S. District Court for the Northern District of Texas vacated key provisions of HHS’s HIPAA Privacy Rule that had imposed new federal protections for reproductive health care information. This means that HIPAA-covered entities must immediately stop requiring a HIPAA-compliant Attestation from requestors seeking PHI that includes (or is likely to include) reproductive health information. Covered entities must now also reevaluate their current processes for handling requests for PHI related to reproductive health information. However, if you operate in a state that has its own state-level reproductive privacy or provider shield law, those state protections still apply and may even require similar or stronger privacy safeguards.

Does the TEFCA Exception Hinder Participation?

HHS has opened the door to one of the biggest questions in health information law: should the TEFCA exception to the information blocking rules stay or go? The May 16, 2025 RFI asks whether this carve-out encourages participation in TEFCA or instead creates confusion and double standards for networks like Carequality, which already impose requirements stricter than HIPAA. With comments due June 16, stakeholders have just days to weigh in on a decision that could reshape the balance between nationwide interoperability and local control.

Do Recent Changes to the Carequality Framework Policies Implicate Information Blocking For Some?

Carequality’s new Version 3 Framework Policies add stricter requirements than HIPAA and could expose participants to Information Blocking risks. At the same time, TEFCA alignment creates a paradox: practices permitted under the new TEFCA Exception may still be questioned outside of TEFCA. This article unpacks the double standard—and what it means for HINs, HIEs, and nationwide interoperability.

Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the U.S. 4th Circuit recently affirmed a preliminary injunction granted in favor of Real Time against PointClickCare, finding, among other things, that PointClickCare was unable to meet a burden of proof that it met its claimed Exceptions to Information Blocking. Therefore, documentation will be critical for actors who may find themselves having to defend similar claims.

Preventing IAS from Becoming a Trojan Horse

Last week, I attended HIMSS 2025 in Las Vegas and came away with four big themes that stood out for me: the industry’s growing focus on Individual Access Services (IAS) and rock-solid identity verification, the push to expand non-treatment use cases for interoperability (like payment and healthcare operations), the urgent need for modernized consent management, and the overarching importance of trust to tie it all together. Yet of all these, for me, IAS is the real showstopper: if we don’t get identity and access right, the rest of our digital transformations—from AI-driven insights to cross-network data sharing—could quickly unravel. In today’s post, I want to zero in on IAS—where it fits into HIPAA’s right of access, where personal representatives enter the picture, and why it risks becoming a Trojan Horse for unauthorized data if we don’t take the proper safeguards.

HIPAA’s Security Rule Glow-Up: What’s Changing and Who’s Affected

On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).

A Look Back at 2024: HIPAA Enforcement Year in Review

Calendar year 2024 brought a range of high-impact HIPAA enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). By the year’s end, OCR had collected over $9 million through various settlements and final determinations. Interestingly, 2024 stands out for having the most final determinations (i.e., definitive impositions of a Civil Money Penalty) in OCR’s HIPAA enforcement history. However, it remains the case that most matters are resolved cooperatively through settlement agreements. Across hospitals, nursing facilities, EMS providers, physician offices (including dental and specialty practices), and even a health care clearinghouse, OCR’s actions highlighted the ongoing importance of thorough risk analyses, timely patient access to records, comprehensive workforce training, and secure system configurations.

OCR Sees Uptick in Ransomware Incidents

During the fall of 2024, HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. There has been a 264% uptick in large ransomware breaches since 2018.

Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

In a decision that will have lasting implications for interoperability and health information exchange, earlier this month Carequality issued its Final Resolution in the dispute between Epic and Particle Health. This follows months of deliberation, multiple rounds of evidence submission, and deep scrutiny of the rules governing data sharing. This latest resolution delivers much-needed clarity on several key concerns—but it also introduces fresh questions around enforcement, reciprocity, and how trusted exchange will continue to evolve.

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.

FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

The FTC has finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. These updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data. The amendments also carry broad implications for HIEs and HINs, which are at the forefront of data interoperability and patient information sharing.
