Government Issues

On April 24, 2024, the Department of Justice (DOJ) published a final rule to adopt the Web Content Accessibility Guidelines, version 2.1 Level AA (WCAG 2.1) as the compliance standard for web and mobile app accessibility for Title II entities under the Americans with Disabilities Act (ADA).

This is the fourth in a six-part series on incentive design, deal structure, and how these issues surface in transactions and enforcement. Other relevant topics will be discussed in our upcoming presentation, Physician Owner Mindset, Compliance Guardrails: Growth Without the Gotchas, to be given at the American Alliance of Orthopaedic Executives on Tuesday, April 21.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

In December 2024, the FTC announced two separate settlements against Mobilewalla, Inc. and Gravy Analytics, Inc., asserting that the two companies were unlawfully tracking and selling sensitive location data from users without consent, including data related to visits to health centers. 

On March 27, 2025, the U.S. Department of Health and Human Services (HHS) announced a sweeping reorganization under the Department of Government Efficiency Workforce Optimization Initiative. The plan consolidates 28 divisions into 15, reduces the number of regional offices from 10 to 5, and introduces a new entity: the Administration for a Healthy America (AHA). This transformation aims to modernize HHS’s structure and operations, improve efficiency, and strengthen oversight across federal health programs.

Department of Justice Bulk Sensitive Personal Data Transfer Rule (28 CFR Part 202) 

Overview 

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This order, implemented through Department of Justice (DOJ) regulations (28 C.F.R. Part 202) and Cybersecurity and Infrastructure Security Agency (CISA) requirements, creates sweeping new restrictions on the transfer of Americans’ health data to certain foreign countries and entities.

HHS Ramps Up Enforcement Against Information Blocking

2025 marks a significant turning point in federal enforcement against “information blocking” in healthcare. In a series of announcements this September, the U.S. Department of Health and Human Services (“HHS”) signaled a major crackdown on healthcare entities—especially health IT developers, health information networks, and certain providers—that restrict patient access to their electronic health information (“EHI”).

Under the direction of Secretary Robert F. Kennedy, Jr., HHS has dedicated increased resources and issued clear warnings that enforcement of information blocking rules is now a top priority. This includes the threat of substantial civil monetary penalties (“CMPs”)—up to $1 million per violation—for certain actors, as well as program-specific disincentives for providers who participate in Medicare and other federal programs. 

The Tenth Circuit U.S. Court of Appeals has reaffirmed the authority of the Occupational Health and Safety Administration (OSHA) to cite healthcare employers for workplace violence under its General Duty Clause. In a February 13, 2026 decision, Cedar Springs Hospital v. Occupational Safety and Health Review Commission (OSHRC), No. 24-9519 (10th Cir. 2026), the

The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.

Reproductive health privacy rule vacated.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Privacy Rule). As a result, the additional privacy protections that had been granted to reproductive healthcare information through President Biden’s Executive Order 14076 (“Protecting Access to Reproductive Health Care Services”) are no longer enforceable or required.