Health Care Privacy Law Takeaways for a Compliant 2026: Pay Attention to Patient Concerns

Posted on March 18, 2026 in Health Information Technology, Health Law News

Published by: Hall Render

Once again, 2025 was a busy year for health care data privacy. Ensuring up-to-date and compliant data privacy and security programs and being able to assess, understand and adapt to the risk of evolving technologies will remain critically important in 2026. We continue to await updated regulations under both the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996 and the Information Blocking Rule, both of which are subject to proposed rules likely to be finalized this year, which will further alter the privacy and security regulatory landscape. However, many of the pressures and compliance risks faced by health care providers in 2025 were driven by patients themselves rather than regulatory enforcement initiatives.

Patient requests and concerns raised a variety of operational issues and regulatory risks in 2025. In this alert, we assess common areas where patients are frequently questioning their rights with respect to their health care data, and their ability to obtain, modify and prevent certain uses and disclosures of it. As patients become more interested and educated on their data rights and protections, taking steps to proactively address patient concerns, complaints or misunderstandings may be one of the best ways for health care providers to avoid regulator involvement and scrutiny at both the state and federal levels.

EHR Audit Logs

A recurring point of confusion in 2025 arose from ongoing misunderstandings about the implementation of certain provisions under HIPAA and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009, as to what information patients are entitled to request and receive. Under HIPAA, patients have the right to access their protected health information (“PHI”) within a designated record set (“DRS”) under 45 C.F.R. § 164.524 and the right to receive an accounting of certain disclosures of PHI under 45 C.F.R. § 164.528. The HITECH Act expanded this framework by contemplating enhanced transparency around electronic health record (“EHR”) related activity, including a requirement for a three‑year accounting of certain disclosures made through an EHR system. Critically, however, the Department of Health & Human Services (“HHS”) never finalized the implementing regulations necessary to activate this new provision of the HITECH Act, leaving those provisions dormant and the HIPAA access and accounting regulations intact.

Against this backdrop of dormant regulatory action, patients (and other requestors on their behalf) have increasingly sought EHR audit logs based on perceived rights under HIPAA and/or HITECH to such information. Whether motivated by concern or curiosity, these requests often seek a list identifying every individual who has accessed or viewed their (or their child’s, relative’s or client’s) electronic health records. However, arguably neither HIPAA nor the HITECH Act currently requires providers to produce EHR audit logs in response to a patient right of access request.

The patient’s right of access only applies to PHI in a DRS, which is generally the medical records, billing records and other records used by the health care provider in making decisions about the patient. System audit logs, however, are the output of a security safeguard used internally to monitor, investigate and assess whether system access to records is appropriate. Notably, these logs do not contain medical information about the patient and bear no relation to treatment, billing or decision-making about the patient. Therefore, audit logs continue to be outside the scope of current patient access rights under the current HIPAA and HITECH Act regulations.

Additionally, audit logs are distinct from records maintained by a health care provider to provide a patient with an accounting of disclosures. Generally, internal access by workforce members will constitute a “use” and not a “disclosure” of PHI as such terms are defined by HIPAA. Among other exclusions, the current accounting of disclosure regulations exclude disclosures to a health care provider for treatment purposes, which would negate inclusion of many of the other accesses logged in an EHR system’s audit log. While the eventual enactment of regulations implementing the HITECH Act’s provisions regarding a patient’s right of access to disclosures from an EHR (which HHS has signaled could be finalized this year) may result in certain audit log access rights for external disclosures, it still would not apply to internal use. Therefore, audit logs also continue to be outside the scope of current patient accounting of disclosure rights under the HIPAA and HITECH Act regulations.

As a result, health care providers would generally not be required at present to produce audit logs in response to a patient’s request under either their access or accounting of disclosures rights. Nonetheless, the ongoing confusion has generated significant operational strain for compliance and medical records teams as they work to address misunderstandings and to educate and respond appropriately to patients making such requests within the time frames required under HIPAA and other applicable laws. We note that such logs may still need to be produced where otherwise required by law, such as to regulators investigating a data incident or pursuant to process requests issued in a legal action or proceeding.

Amendments to Records

Patients also have certain rights under HIPAA to request corrections or amendments to their PHI maintained in a provider’s DRS. Providers are required to timely respond to such requests by either making the requested amendment or notifying the individual that their request has been denied, with a reason for the denial.

As health information has become increasingly and readily accessible to patients, there has been an increase in both the frequency and persistence of amendment requests by patients in 2025. Many of these requests stemmed from patients disagreeing with how information was documented in their medical records, even when the documentation accurately reflected the clinical history at the time it was created. Patients also raised concerns about references to suspected diagnoses that were later ruled out, opinions that conflicted with those of providers from whom they received a second opinion, or abnormal test results that were subsequently normal, with concerns often stemming from potential impacts on their health insurance coverage.

Under the HIPAA regulations, providers maintain the discretion to amend a patient’s medical record. Any amendment must accurately reflect the provider’s clinical judgment and the services provided at the time the documentation was created, and it should not be altered based on future information not known to the provider at the time it was prepared. Providers may deny an amendment request for a variety of reasons, including where they determine that the record is accurate and complete or where the provider did not create the record and the originator is still available to assess and act on the patient’s request. Where an amendment request is denied, a patient may provide a statement of disagreement to be included with the record, in response to which the provider is permitted to include a statement of rebuttal. However, even when a provider agrees to amend a medical record, generally that is done through adding additional information and clarification to the existing record, not removing historical information in the medical record, in order to preserve the integrity of the record. Patients may not understand that “amendment” does not necessarily include the entire and permanent removal of information in their health records.

To avoid patient confusion and complaints, it may be helpful for providers to understand what is driving the patient’s request for an amendment so that a response ultimately denying such a request can educate the patient on the medical record documentation process, how the right of amendment applies and offer additional information that could allay or address the patient’s concerns.

Artificial Intelligence

As the artificial intelligence (“AI”) boom in health care continued in 2025, we saw increased patient interest in transparency and consent rights regarding the use and disclosure of their data with respect to such technologies. Recently, a major health care system in California faced scrutiny and a proposed class action suit regarding its use of AI transcription technology in exam rooms without patient consent. This dispute underscores a broader, growing question regarding how and when providers must disclose the use of AI in clinical interactions or obtain the patient’s consent.

While the use of modern technologies, such as ambient AI, may not be readily apparent to patients, providers must understand the applicable regulatory landscape and whether any specific consent or disclaimers are required prior to the use of AI in health care. The regulatory landscape is evolving, and providers will need to stay on top of any new requirements at the state or federal level that impact their use of AI, as well as opinions from regulators and agencies regarding how current laws and regulations apply in the AI context. This includes understanding applicable recording, notification or consent requirements, whether the patient must be provided with the opportunity and ability to opt out and whether biometric laws, data breach laws or other regulatory frameworks apply to the data being stored, processed and maintained based on its nature and use case. Vendors may also contractually require providers to provide certain notices or obtain certain consents before permitting PHI to be processed through their software.

Providers must also take care to understand the AI systems they are using and how data is processed through them to ensure regulatory compliance. AI is ultimately software, so many of the same considerations applicable to software vendors apply to AI technologies. Providers should be prepared to assess system safeguards related to data maintenance, destruction and security; evaluate any aggregation or de-identification of data within the system or by the vendor; and determine whether the vendor will create, transmit, receive or maintain PHI as a business associate. Additionally, providers will want to understand whether the data they provide will be used to further train and adjust the AI model and assess what rights or protections they may want to reserve to themselves.

Patient satisfaction and trust are also key to the provider-patient relationship. While some patients may embrace the use of AI and other advanced technologies by their practitioners, others may be skeptical or have strong feelings against their data being processed through such technologies. As patient awareness increases, providers should be ready to respond to patient questions regarding the use of AI. With “transparency” being a key component of many AI implementation models and industry guidance, providers should be equipped with the knowledge and tools to address patient concerns and describe the benefits that can arise from the use of AI.

Practical Takeaways

As health care technology advances and patients become more empowered and knowledgeable about their rights regarding their health data and how their data is being used by health care providers, legal risk continues to expand beyond regulatory scrutiny to include patient-driven activity and expectations. When patient concerns are not adequately addressed, providers face an increased risk of complaints to regulatory agencies or claims and lawsuits, placing added strain on the time, resources and finances of health care organizations.

Therefore, health care organizations should consider proactively taking steps to assess and align operations with the evolving landscape and position themselves to quickly and efficiently educate and address concerns when responding to patients. This includes the following steps:

  • Assess existing Notices of Privacy Practices to ensure that they clearly and accurately describe (1) the rights of individuals under HIPAA, how such rights may be exercised and how the covered entity will process such requests; and (2) the uses and disclosures of PHI that may occur with respect to innovative technologies and AI;
  • Implement or review AI governance processes to ensure technologies are properly evaluated under applicable state and federal frameworks, aligned with existing policies and procedures for adopting new software and designed to identify and address relevant data privacy and security risks;
  • Review and update any processes or forms used in responding to patients’ rights requests to help educate patients regarding the scope of their rights and allay concerns regarding the response they are receiving;
  • Consider whether to create or include in other patient-facing documentation or forms language addressing the use of AI and any other legally required or provider preferred notices, disclaimers, consents or opt-out provisions; and
  • Educate relevant members of the workforce on these issues and provide them with the tools necessary to communicate effectively with patients regarding their concerns.

For questions about these developments or assistance navigating these growing risks, including AI implementation, consent practices, and privacy workflows, please contact:

Special thanks to Summer Associate Wyatt Poer for his assistance with this alert.

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.