On February 13, 2026, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced its civil enforcement program to implement the updates to the Substance Use Disorder (“SUD”) confidentiality provisions of the regulation at 42 CFR Part 2 (“Part 2”). The new enforcement program became effective February 16, 2026, in accordance with the deadline set by the 2024 Final Rule modifying Part 2 (“2024 Final Rule”).
Healthcare
New York’s Health Information Privacy Act Aims to Strictly Regulate Consumer Health Data
On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act. If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the…
Biden Administration Finalizes Its Last Changes To Health Data Interoperability and Information Blocking Regulations
In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).
The New HTI Final Rules will affect Trusted Exchange…
A Flurry of Healthcare Sector Cybersecurity Regulatory Developments in 2024
2024 was a record year for cyberattacks in the healthcare sector. According to the Breach Portal maintained by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), to date this year, there have been more than 530 breaches of protected health information (“PHI”) affecting 500 or more individuals. 2024 also saw the largest known breach of PHI at a HIPAA-regulated entity: the Russia-linked cybercrime organization BlackCat/ALPHV executed a ransomware attack on Change Healthcare, Inc., the payment processor owned by UnitedHealth, which affected the records of more than 100 million individuals.
New York State Adopts New Cybersecurity Program and Incident Reporting Requirements for Hospitals
On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. A cybersecurity incident is an…
Final Issuance of Federal Guidelines for Security in Scientific Research: Impact on Universities, Academic Medical Centers and Other Research Institutions
On July 9, 2024, the White House Office of Science and Technology Policy (“OSTP”) issued highly anticipated final guidelines setting forth a framework under which academic research institutions must establish and operate formal research security programs (the “Final Guidelines”). These final guidelines will be critically important to research operations at universities, academic medical centers…
Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach and UnitedHealth Group Provides Critical Status Update
On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching…