Photo of Wendy Keegan

Wendy Keegan

Wendy helps hospitals and other healthcare clients navigate complex issues and day-to-day operational and compliance matters. These matters most often relate to fraud and abuse considerations, physician referrals, licensing and certification requirements, the Health Insurance Portability and Accountability Act (HIPAA), Medicare/Medicaid reimbursement, contracted services, physician peer review, and hospital governance. She also assists clients with the negotiation and drafting of supply chain and vendor contracts and professional services agreements between physician groups and hospitals.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Reproductive health privacy rule vacated.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Privacy Rule). As a result, the additional privacy protections that had been granted to reproductive healthcare information through President Biden’s Executive Order 14076, (“Protecting Access to Reproductive Health Care Services”), are no longer enforceable or required.

Beginning January 1, 2022, California licensed residential substance abuse treatment facilities will be required to disclose certain licensing information to the public.  SB 541 adds Health and Safety Code section 11831.12, which requires residential alcohol or drug abuse treatment facilities to undertake the following:

On August 17, 2020, Tennessee Governor Bill Lee signed the Tennessee COVID-19 Recovery Act into law.  The Act provides expansive protection to individuals and businesses from claims arising from COVID-19 unless there is clear and convincing evidence of gross negligence or willful misconduct.  Health care professionals and facilities, businesses, non-profits, religious organizations, public institutions of higher learning, and all other individuals and legal entities are protected from liability under the Act.

The California Attorney General recently published an opinion  (No. 15-301) clarifying when a report under California Business and Professions Code section 805 must be filed.  Section 805 requires hospitals and other entities to file a report with the relevant state healing arts agency “within 15 days after the effective date” of certain adverse actions taken

During the recently concluded 2013 regular session, the Texas Legislature enacted Senate Bill 1191, which established new requirements for hospitals treating victims of sexual assault. The bill is primarily aimed at improving access to forensic examinations for survivors of sexual assault by ensuring that every Texas hospital with an emergency department has personnel who have basic training in forensic examinations. The changes are effective beginning Sept. 1, 2013.

SB 1191 sets out three new requirements for hospitals:

1. Any person who performs a forensic examination on a sexual assault survivor must have basic sexual assault forensic evidence collection training. Training approved or recognized by the appropriate licensing board satisfies this requirement.

2. Texas hospitals that have emergency departments, but which are not designated by a communitywide plan as the primary healthcare facility in the community for treating sexual assault providers, must:

a. Inform sexual assault survivors that the hospital is not a designated facility.

b. Provide sexual assault survivors with the name and location of a designated facility.

c. Inform survivors that they may choose to be transferred to a designated facility for care or receive care at the nondesignated facility.

d. If survivors choose to be transferred to the designated facility for care, stabilize and transfer the survivors to the designated facility after obtaining written, signed consent to do so.