Hospitals & Health Systems

Close up of doctor working on computer in doctor's office. Physician doing paperwork and administration.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

On March 27, 2025, the U.S. Department of Health and Human Services (HHS) announced a sweeping reorganization under the Department of Government Efficiency Workforce Optimization Initiative. The plan consolidates 28 divisions into 15, reduces the number of regional offices from 10 to 5, and introduces a new entity: the Administration for a Healthy America (AHA). This transformation aims to modernize HHS’s structure and operations, improve efficiency, and strengthen oversight across federal health programs.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

HHS Ramps Up Enforcement Against Information Blocking

2025 marks a significant turning point in federal enforcement against “information blocking” in healthcare. In a series of announcements this September, the U.S. Department of Health and Human Services (“HHS”) signaled a major crackdown on healthcare entities—especially health IT developers, health information networks, and certain providers—that restrict patient access to their electronic health information (“EHI”).

Under the direction of Secretary Robert F. Kennedy, Jr., HHS has dedicated increased resources and issued clear warnings that enforcement of information blocking rules is now a top priority. This includes the threat of substantial civil monetary penalties (“CMPs”)—up to $1 million per violation—for certain actors, as well as program-specific disincentives for providers who participate in Medicare and other federal programs. 

dataLocks148650499

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

The healthcare sector continues to grapple with an unrelenting wave of cyberattacks, with a notable shift in 2024 and 2025 toward targeting third-party vendors and business associates entrusted with sensitive protected health information (“PHI”). This trend has led to a surge in data breaches, affecting tens of millions of Americans and prompted heightened regulatory scrutiny over how healthcare providers manage and oversee their vendor relationships. 

The Tenth Circuit U.S. Court of Appeals has reaffirmed the authority of Occupational Health and Safety Administration’s (OSHA) to cite healthcare employers for workplace violence under its General Duty Clause. In a February 13, 2026 decision, Cedar Springs Hospital v. Occupational Safety and Health Review Commission (OSHRC), No. 24-9519 (10th Cir. 2026), the

A new law, the Consolidated Appropriations Act, went into effect on February 3, 2026, issuing new Medicare reimbursement guidelines for off-campus provider-based hospital outpatient departments (HOPDs). As of January 1, 2028, hospitals will be required to make certain operational changes to maintain OPPS reimbursement eligibility for their off-campus provider-based locations. These include such measures as

Electronic medical record with patient data and health care information in tablet. Doctor using digital smart device to read report online. Modern technology in hospital.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.

The Colorado General Assembly is back in session and has introduced legislation (SB26-041) that, if enacted, would create new notification requirements and antitrust review processes for healthcare transactions. While Colorado already requires state-level notification of transactions that trigger federal notifications under the Hart-Scott-Rodino Act and notification of certain hospital transactions under the Hospital Transfer Act (“HTA”) of 2023, the proposed bill would create new notification requirements for a broader set of healthcare transactions, and would authorize the Colorado attorney general (“COAG”) to block or delay closing of transactions. The proposed bill also expands the scope of hospital transactions that must be reported under the HTA.

Judge's gavel on table in office

A federal judge has issued a preliminary injunction halting the Department of Health and Human Services’ (HHS) 340B Rebate Model Pilot Program, which was scheduled to take effect on January 1, 2026. The December 29, 2025 ruling temporarily prevents implementation of the rebate program that would have fundamentally changed how safety-net hospitals and clinics purchase discounted drugs under the 340B Drug Pricing Program.

Judge's gavel on table in office

The Wyoming Supreme Court began the year 2026 with a landmark decision in State v. Johnson, 2026 WY 1, delivering a ruling with implications that extend far beyond its immediate outcome. While headlines will focus on the Court’s decision to strike down Wyoming’s comprehensive abortion restrictions—the Life is a Human Right Act (“Life Act”)[1] and the Medication Ban[2]—as unconstitutional, the true significance lies elsewhere. The Court held that Wyoming’s constitutional amendment guaranteeing adults the right to make their own healthcare decisions is a fundamental right protected by the highest level of judicial scrutiny.

This holding may ultimately have more far-reaching consequences, setting the stage for future challenges to a wide range of healthcare regulations across Wyoming.

Recently, Attorney General Pam Bondi purportedly issued an internal memorandum in response to Executive Order 14187 (“Protecting Children from Chemical and Surgical Mutilation”) concerning the treatment of transgender minors by medical practitioners, hospitals, clinics, and pharmaceutical companies. The memo set forth guidance for all Department of Justice (DOJ) employees to investigate individuals and entities who provide gender-affirming care to minor patients. To be clear, the memorandum—which has been posted in various locations on the internet and widely reported on by various media outlets but has not been verified as authentic by Husch Blackwell—is an internal policy statement directed to DOJ personnel and is not law. While it purports to issue “guidelines” pursuant to an executive order from the President, that executive order is itself under scrutiny (and has been partially enjoined).