Articles and Blogs

Once again, 2025 was a busy year for health care data privacy. Ensuring up-to-date and compliant data privacy and security programs and being able to assess, understand and adapt to the risk of evolving technologies will remain critically important in 2026. We continue to await updated regulations under both the Health Insurance Portability and... READ MORE

HIPAA covered entities and Part 2 Programs should be aware of two important compliance deadlines that may require prompt action. Annual HIPAA Small Breach Reporting Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the... READ MORE

Effective September 1, 2025, Texas Senate Bill No. 1188 (“SB 1188”) imposes new legal obligations on health care practitioners and other covered entities regarding the privacy, security and management of electronic health records (“EHRs”) and the use of artificial intelligence (“AI”). Key provisions of the law include: A requirement that EHRs be maintained in... READ MORE

On June 24, 2024, the Department of Health and Human Services (“HHS”) released a final rule implementing disincentives for health care providers who are found by the Office of Inspector General (“OIG”) to have engaged in information blocking practices as defined under the 21st Century Cures Act. This rule establishes a framework for the... READ MORE

On Thursday, June 20, 2024, the United States District Court for the Northern District of Texas (“the Court”) issued a ruling in a case that could have significant implications for enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The case, which was brought by the American Hospital Association (“AHA”), the... READ MORE

On March 18, 2024, the Office for Civil Rights (“OCR”) issued an update to its December 2022 Bulletin regarding the usage of online tracking technologies by HIPAA-regulated entities. When originally published, the Bulletin aimed to clarify when identifiable information collected by tracking technologies on a regulated entity’s website may constitute protected health information (“PHI”)... READ MORE

The cybersecurity incident recently experienced by Change Healthcare has materially disrupted the health care delivery system and created significant financial, operational and legal challenges for many health care organizations. Organizations impacted by this incident should be careful to react thoughtfully and deliberately when addressing these challenges to ensure that any steps taken do not... READ MORE

On February 8, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule that modified the “Confidentiality of Substance Use Disorder Patient Records” regulated by 42 CFR Part 2 (“Part 2”). The Final Rule was published... READ MORE

On October 10, 2023, Citrix released security updates for its NetScaler ADC and NetScaler Gateway appliances to remedy a vulnerability dubbed “Citrix Bleed” under CVE-2023-4966. As of October 17, Citrix and the Cybersecurity and Infrastructure Security Agency confirmed that active exploits by threat actors had been observed on unpatched systems. Additionally, cybersecurity firm Mandiant... READ MORE

The U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently released updated guidance in its October 2023 Cybersecurity Newsletter emphasizing the importance of sanction policies in maintaining HIPAA compliance. This guidance builds upon a threat brief previously issued in August 2022 by HHS’ Health Sector Cybersecurity Coordination Center (“HC3”).... READ MORE