On January 3, 2025, a significant lawsuit (Morris v. Rhode Island Quality Institute) was filed against a state health information exchange (HIE). The case was brought by a former employee and whistleblower who alleges that Rhode Island’s HIE, the Rhode Island Quality Institute (RIQI), permitted the unauthorized use of protected health information (PHI)
Legal Health Information Exchange
Blog Authors
Latest from Legal Health Information Exchange
TEFCA Anticipated to Grow in 2025
The Trusted Exchange Framework and Common Agreement™ (TEFCA) was created to connect Health Information Networks (HIN) that operate disparately across the United States to support the nationwide sharing of health data. TEFCA seeks to streamline the digital flow of health data between providers and patients.Since TEFCA went live in December 2023, eight (8) organizations have…
Health Data, Technology, and Interoperability Rules, HTI-1, 2, & 3
The landscape of health IT regulation just took another major leap forward. In the final days of 2024, federal regulators dropped two game-changing rules—HIT-2 and HTI-3—adding to the foundation set by HTI-1. Together, these regulations are reshaping how healthcare organizations approach interoperability, data sharing, and compliance in an era of rapidly evolving technology.Specifically, HHS, through…
OCR Sees Uptick in Ransomware Incidents
OCR recently concluded three investigations, which resulted in settlement payments relating to ransomware incidents. The agency noted that there has been a 264% uptick in large ransomware breaches since 2018.The first settlement was reached with Cascade Skin and Eye Centers in Washington state, which experienced a ransomware attack that affected nearly 300,000 files containing ePHI.…
Texas Sues to Block new HIPAA Reproductive Health Care Rule
In June 2024, HHS promulgated a final rule which amended the HIPAA Privacy Rule to strengthen privacy protections for information in health records related to reproductive health care. The new rule is facing its first legal challenge from the Texas Attorney General, Ken Paxton.In the suit filed September 4, 2024, the state alleges that the…
Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs
A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion,“No evidence supports that…
HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!
June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! The deadline to comply with almost all of the new regulatory requirements pertaining to requests for PHI…
Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches

On May 31, 2024, the Office of Civil Rights (OCR) released “updates” to its HIPAA FAQs regarding the Change Healthcare cybersecurity incident. In its Press Release, OCR pointed out that it updated its FAQs to specifically address questions it has been receiving concerning who is responsible for performing breach notification to HHS, affected individuals, and (where applicable)…
42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.
- The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment and health care operations.
- Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance.
- An unofficial copy
…
Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others
- The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024 and will affect individuals, or legal entities that process personal data, and entities that process data on their behalf.
- Although “protected health information” (“PHI”) collected by a covered entity or business associate (as defined by HIPAA) is excluded from this new law,
…