Healthcare Providers

This post is part of our series, The Top 2025 Privacy and Security Issues Still Shaping Healthcare, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.

In 2025, eight new U.S. state privacy laws took effect and several states tightened existing regulations, significantly impacting healthcare organizations. Major changes

Reproductive health privacy rule vacated.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Privacy Rule). As a result, the additional privacy protections that had been granted to reproductive healthcare information through President Biden’s Executive Order 14076 (“Protecting Access to Reproductive Health Care Services”) are no longer enforceable or required.

Why Now? The Rising Cyber Threats Driving HIPAA Reform 

In December 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) proposed the first significant update to the HIPAA Security Rule since 2013, prompted by a surge in cyberattacks against healthcare organizations that have compromised patient information and disrupted care. 

In my November 2025 blog post, I discussed the uncertainty surrounding the DEA’s then-pending telemedicine rule and its implications for ketamine clinics. At that time, the future of pandemic-era telehealth prescribing flexibilities was unclear, and clinics across the country were bracing for the possibility of a significant regulatory shift at the end of 2025.

CMS has extended its Provisional Period of Enhanced Oversight (PPEO) and its Expanded Prepayment Review (EPR) enforcement efforts to Georgia and Ohio. The enhanced enforcement efforts can lead to the revocation of a hospice’s Medicare billing privileges, termination of Medicare/Medicaid enrollment, and/or the prepayment review of 100% of a hospice’s claims.

The regulatory landscape for substance use disorder (SUD) treatment records is changing—and the impact will extend far beyond traditional addiction treatment programs. With treatment options for SUD limited, some providers are exploring ketamine as a potential therapy due to its effects on glutamatergic neurotransmission.[i] Additionally, psychedelic-assisted therapies involving certain Schedule I substances – such as psilocybin, ibogaine, and MDMA – are currently being studied by researchers as potential treatments for SUDs.[ii] While these investigational therapies are not yet available in clinical practice and the new federal privacy rules do not apply to research records, providers should be aware of the evolving treatment landscape as these therapies move closer to potential approval and clinical use.

On August 8, 2025, Governor Tony Evers signed Senate Bill 14, now 2025 Wisconsin Act 22, which establishes new informed consent requirements for pelvic examinations. This Act requires hospitals to obtain written informed consent from a patient prior to performing a pelvic examination solely for educational purposes while the patient is under general anesthesia or otherwise unconscious. This legislation also mandates that hospitals implement written policies and procedures for obtaining informed consent prior to performing pelvic exams on unconscious patients.

In June 2025, the Department of Justice (DOJ) announced its 2025 National Health Care Fraud Takedown, marking the largest coordinated healthcare fraud enforcement action in DOJ history. The sweep included charges against a range of actors, including alleged transnational criminal organizations, providers of allegedly fraudulent wound care, alleged prescription opioid traffickers, and alleged telemedicine and genetic testing fraudsters, among others. DOJ also announced the creation of a Health Care Fraud Data Fusion Center, designed to enhance the detection, investigation, and prosecution of healthcare fraud.

In June 2025, the U.S. Department of Health and Human Services Office of Inspector General (OIG) announced a new item in its Work Plan: “Medicare Payments for Clinical Diagnostic Laboratory Tests in 2024.” This annual review, mandated by the Protecting Access to Medicare Act of 2014 (PAMA), focuses on analyzing the top 25 laboratory tests by Medicare expenditures for the previous calendar year. For clinical laboratories and healthcare providers, this announcement signals the need to pay close attention to billing practices, compliance programs, and potential audit risks.