On June 2, 2026, Connecticut Governor Ned Lamont signed Senate Bill 5 into law, designated as Public Act 26-15 and also known as the Connecticut Artificial Intelligence Responsibility and Transparency Act (the “CART Act” or “Act”).1 The CART Act is among the most comprehensive state AI laws enacted to date, creating distinct obligations for employment-related automated decision tools, consumer chatbots, frontier-model developers, generative-AI provenance, and online platforms used by minors, while also addressing AI applications in healthcare through targeted carveouts and innovation initiatives.
Continue Reading Connecticut Enacts Sweeping AI Law Covering Employment, Healthcare, and Online Safety
HHS OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records
On February 13, 2026, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced its civil enforcement program to implement the updates to the Substance Use Disorder (“SUD”) confidentiality provisions of the regulation at 42 CFR Part 2 (“Part 2”).1 The new enforcement program became effective February 16, 2026, in accordance with the deadline set by the 2024 Final Rule modifying Part 2 (“2024 Final Rule”).
Continue Reading HHS OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient RecordsNew York’s Health Information Privacy Act Aims to Strictly Regulate Consumer Health Data
On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act. If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the
New Year, New Data Breach Notification Requirements in New York: Impactful Changes for Life Sciences and Consumer Health Care Companies
In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under
Biden Administration Finalizes Its Last Changes To Health Data Interoperability and Information Blocking Regulations
In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).
The New HTI Final Rules will affect Trusted Exchange
New York State Adopts New Cybersecurity Program and Incident Reporting Requirements for Hospitals
On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after, determining that a cybersecurity incident has occurred. A cybersecurity incident is an
New York State Revises Proposed Cybersecurity Program and Incident Reporting Requirements for Hospitals
On May 15, 2024, the New York State Department of Health (“NYSDOH”) published revisions to the proposed hospital cybersecurity regulations that it first released in November 2023. Most of the requirements of the initially proposed regulations have been retained in the revised version, subject to a few modifications. The revised proposed regulations are subject to
Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach and UnitedHealth Group Provides Critical Status Update
On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching
In Bloomberg Law Article, Attorneys Analyze Washington State’s New Privacy Law That Safeguards Consumer Health Data
In a Bloomberg Law article, attorneys examined Washington State’s comprehensive new privacy law, the My Health My Data Act, the first state law that specifically safeguards consumer health data.
The article discusses the new law’s scope, applicability, and ensuing company obligations. The Act will apply to many life sciences companies, pharmaceutical and device
New Executive Order Would Restrict Transfer of Certain Bulk Sensitive Personal Data and United States Government-Related Data to China and Other Countries of Concern
On February 28, 2024, President Biden announced an Executive Order directing the Department of Justice to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran