Compliance Perspective: What's New in Healthcare Privacy
42 CFR Part 2: What Changed, Why It Matters, and What to Do Now - On November, 7, 2025, I spoke to the Massachusetts Health Information Management Association about the federal government’s sweeping updates to 42 CFR Part...more
On September 30, 2025, the Office for Civil Rights of the Department of Health and Human Services (OCR) announced a settlement with Cadia Healthcare Facilities, a provider of rehabilitation, skilled nursing and long-term care...more
On September 30th, 2025, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Cadia Healthcare Facilities for potential violations of the HIPAA Privacy and Breach...more
Whenever the topic of health and medical data comes up, there is often a prevailing assumption that this information is subject to the federal Health Insurance Portability and Accountability Act (HIPAA) just by virtue of...more
In November 2016, an employee of a California neuropsychiatric hospital used their personal cell phone to photograph a patient’s medical information. After redacting the patient’s information, the employee posted the photo on...more
The compliance deadline for the recent amendments to 42 CFR Part 2 is February 16, 2026. The clock is ticking for healthcare organizations that provide substance use disorder (SUD) services to review their privacy practices...more
On August 26, 2025, the U.S. Department of Health and Human Services (“HHS”) displayed in the Federal Register a delegation of authority from Secretary Robert F. Kennedy, Jr., to the Office for Civil Rights (“OCR”) to...more
Entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including employer-sponsored health plans, have until February 16, 2026, to comply with additional privacy protections for patient...more
The U.S. Department of Health and Human Services (HHS) on Aug. 27, 2025, published a Statement of Delegation of Authority (Statement) in the Federal Register. HHS Secretary Robert F. Kennedy Jr. delegated authority to the HHS...more
On August 18, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST). The announcement continues OCR’s escalating enforcement of the HIPAA...more
In the past several weeks, the U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") has announced settlements with three health care organizations — Comstar, LLC ("Comstar"); Guam Memorial...more
Regulatory action and class action lawsuits related to pixels and other website technologies continued to surge in 2023 and 2024, particularly in the healthcare industry....more
Ransomware attacks are a growing threat in the health care sector due to the value of personal health information (PHI). In addition to being expensive, these attacks can cripple health care operations, delay patient care,...more
The Federal Trade Commission’s (FTC) years-long effort to modernize its Health Breach Notification Rule (HBNR) in the midst of a swiftly changing technological landscape appears to be coming to an end. On Thursday, May 30,...more
Holland & Knight Health Dose is an in-depth weekly dose of legislative and regulatory insights to keep stakeholders abreast of happenings in Washington, D.C., impacting the health sector....more
In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements...more
A recently announced settlement with online alcohol addiction treatment service Monument Inc. demonstrates the Federal Trade Commission’s (FTC) continued focus on the use and disclosure of health data. The proposed settlement...more
In March of this year, The Office for Civil Rights of the Department of Health and Human Services issued a letter addressing the recent cybersecurity incident impacting many health care entities, primarily Change Healthcare,...more
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently published an executive summary (Report) outlining key enforcement activities of the Health Insurance Portability and...more
Late on March 27, Change Healthcare (CHC)’s parent company, UnitedHealth Group (UHG), provided an update on its analysis of the extent of “impacted data” involved in the CHC incident....more
On Feb. 16, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published its 2022 Annual Report to Congress. ...more
The rules will take effect on April 16. For years, health systems and health care providers have struggled to make sense of the rules that govern the use and disclosure of substance use disorder (SUD) treatment records. In...more
On February 8, 2024, the U.S. Department of Health & Human Services (HHS) released a final rule modifying 42 CFR Part 2 (Part 2) provisions regarding the confidentiality of Substance Use Disorder (SUD) Patient Records. The...more
On February 8, 2024, the U.S. Department of Health & Human Services, through the Substance Abuse and Mental Health Services Administration and the Office for Civil Rights (collectively, HHS), issued a Final Rule that amends...more