Bookmark This! Copies of All 42 CFR Part 2 Rules Published from 1974 to 2024

Ever burned valuable time chasing down what feels like endless versions of 42 CFR Part 2? No more! Bookmark this for your one-stop place to go for copies of every single Notice of Proposed Rulemaking (NPRM) and Final Rule for 42 CFR Part 2, starting with the very first proposal in 1974! Whether you’re a compliance officer, privacy lawyer, or just a regs nerd who loves immediate access to the rules you need, this list has you covered. Bookmark it, share it, and breathe easy knowing you’ll never again waste hours digging through archives. You’re welcome. 😉

Regulatory Roller Coaster: District Court Judge Vacates HIPAA Reproductive Health Privacy Rule

On June 18, 2025, Judge Kacsmaryk of the U.S. District Court for the Northern District of Texas vacated key provisions of HHS’s HIPAA Privacy Rule that had imposed new federal protections for reproductive health care information. This means that HIPAA-covered entities must immediately stop requiring a HIPAA-compliant Attestation from requestors seeking PHI that includes (or is likely to include) reproductive health information. Covered entities must now also reevaluate their current processes for handling requests for PHI related to reproductive health information. However, if you operate in a state that has its own state-level reproductive privacy or provider shield law, those state protections still apply and may even require similar or stronger privacy safeguards.

Impact of Executive Order 14117 and DOJ’s Final Rule on HIEs Operating as Business Associates

The U.S. Department of Justice’s Final Rule titled Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons became effective on April 8, 2025, but its compliance requirements are currently stayed until July 8, 2025 to give organizations time to adjust. This sweeping rule applies to U.S. hospitals, health systems, health information exchanges (HIEs), health IT and cloud vendors, research institutions, and any other U.S. persons or entities that handle, transfer, or store large volumes of sensitive personal data. HIEs should coordinate closely with legal counsel to update their compliance programs and ensure that no aspect of their technology stack or vendor chain inadvertently creates a prohibited or restricted data transaction.

NOW LIVE! The Updated 42 C.F.R. Part 2 Helper is Available!

The wait is finally over!! Our brand-new, UPDATED 42 C.F.R. Part 2 Helper compliance package is now live for current members of Legal HIE. Loaded with carefully crafted checklists, tools, sample forms, policies, and training resources, all updated for the Part 2 Final Rule, it’s just what the doctor ordered for every organization to stay miles ahead of the February 16, 2026 compliance deadline! Read our new blog post for more information about what’s included with our Part 2 Helper and to get access to a sample checklist to update your Part 2 consents!

Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!

One year. That’s all the time left before the February 16, 2026 compliance deadline for the 42 CFR Part 2 Final Rule officially arrives. If you haven’t started preparing yet, now is the perfect time to get things in motion. One of the most challenging aspects of Part 2 implementation is the new consent structure. While the new consent for treatment, payment, and health care operations (“TPO consent”) introduces opportunities for improved data sharing and alignment with HIPAA, it is also complex and requires careful implementation. To help navigate these changes, today’s post offers readers a checklist of the key elements required in Part 2 consents.

Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others

The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024. Although PHI collected by a HIPAA CE or BA is excluded from the NJDPA, HIPAA CEs and BAs are NOT wholly excluded from compliance with the NJDPA. Also, HHS’ recent problematic interpretation that IP addresses collected by a healthcare provider’s website may be PHI adds even more complexity in interpreting the NJDPA.

Minnesota Supreme Court Finds State Law Permits Health Information to be Shared Because HIPAA Authorizes It

The Minnesota Supreme Court held that HIPAA “authorizes” disclosures for purposes of state law and consent was not required for a hospital to disclose PHI to its institutionally related foundation for fundraising purposes. Other states might take a similar stance. The Information Blocking Rule (IBR) prohibits health care providers from interfering with the access and exchange of EHI in an unreasonable manner. States with laws containing similar “as authorized by federal law” exceptions to consent must be carefully considered when claiming the IBR’s Privacy Exception to “block” EHI.

FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs) which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status etc.) for advertising and marketing purposes.

ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

The Office of National Coordinator says it receives a lot of questions regarding how the Information Blocking Rule is supposed to work in tandem with the HIPAA Privacy Rule and other federal and state laws governing privacy and confidentiality. Their new FAQs aim to help clarify when actors can choose to not respond to a request for access, exchange, or use of electronic health information.

FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat

The FTC issued a proposed order requiring BetterHelp to pay $7.8 million to consumers to settle charges that it shared consumers’ health data with Facebook, Pinterest, Snapchat, and Criteo after promising to keep such data private and claiming it is “certified” as “HIPAA compliant.” The real juice of this case is in the FTC complaint, and HIPAA-covered providers, facilities & organizations can learn a lot about what to watch out for with health data Apps as we continue to march towards the FHIR.

Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology?

On December 1, 2022, OCR released a “guidance” Bulletin re: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” From it, we learned (among other things) that OCR believes that an individual’s IP address and geolocation, collected by a regulated entity’s website, are protected by HIPAA. Now, we have come to learn that HIPAA compliance investigations by OCR are already underway concerning this topic. Are you ready?

CMS Releases Hospital COP Event Notification FAQs; Interpretive Guidance

On May 1, modifications to the Medicare Conditions of Participation (“CoPs”) went into effect, requiring certain electronic event notifications for admissions, discharges and transfers (“ADTs”) to and from hospitals, critical access hospitals and psychiatric hospitals. To provide guidance to hospitals and state surveyors, CMS released several FAQs as well as interpretive guidance last week to be published in the State Operations Manual.

Hospitals are required to make a “reasonable effort” to ensure that notifications are sent to post-acute care services providers and suppliers, and other practitioners and entities, which need such notifications for treatment, care coordination or quality improvement. Under the new CoP, ADT notifications must be sent for all emergency department and inpatient patients where the hospital, critical access hospital or psychiatric hospital maintains an electronic medical record or administrative system.

Info Blocking Rules have you STRESSED?!! Join Helen O. for Two Not-to-Miss Workshops for Help!

Join me for a pair of 1.5hr Information Blocking Workshops designed to work through the nitty-gritty details of the Information Blocking Rule. The first Workshop will take place WEDNESDAY (9/30) so don’t delay! Workshops will include use cases and scenarios aimed at real challenges faced by health care providers looking to comply with these new regulatory standards for access and sharing of electronic health information. Registrants will receive 2 sample P&Ps, and much more!
