Legal Health Information Exchange

Latest from Legal Health Information Exchange

On January 3, 2025, a significant lawsuit (Morris v. Rhode Island Quality Institute) was filed against a state health information exchange (HIE). The case was brought by a former employee and whistleblower who alleges that Rhode Island’s HIE, the Rhode Island Quality Institute (RIQI), permitted the unauthorized use of protected health information (PHI)

The landscape of health IT regulation just took another major leap forward. In the final days of 2024, federal regulators dropped two game-changing rules—HTI-2 and HTI-3—adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology. Specifically, HHS, through

OCR recently concluded three investigations, which resulted in settlement payments relating to ransomware incidents. The agency noted that there has been a 264% uptick in large ransomware breaches since 2018. The first settlement was reached with Cascade Skin and Eye Centers in Washington state, which experienced a ransomware attack that affected nearly 300,000 files containing ePHI.

A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion, “No evidence supports that

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! The deadline to comply with almost all of the new regulatory requirements pertaining to requests for PHI

On May 31, 2024, the Office of Civil Rights (OCR) released “updates” to its HIPAA FAQs regarding the Change Healthcare cybersecurity incident. In its Press Release, OCR pointed out that it updated its FAQs to specifically address questions it has been receiving concerning who is responsible for performing breach notification to HHS, affected individuals, and (where applicable)

  • The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024, and will affect individuals or legal entities that process personal data, and entities that process data on their behalf.
  • Although “protected health information” (“PHI”) collected by a covered entity or business associate (as defined by HIPAA) is excluded from this new law,