Data Privacy & Security/HIPAA/HITECH

The regulatory landscape for substance use disorder (SUD) treatment records is changing—and the impact will extend far beyond traditional addiction treatment programs. With treatment options for SUD limited, some providers are exploring ketamine as a potential therapy due to its effects on glutamatergic neurotransmission.[i] Additionally, psychedelic-assisted therapies involving certain Schedule I substances – such as psilocybin, ibogaine, and MDMA – are currently being studied by researchers as potential treatments for SUDs.[ii] While these investigational therapies are not yet available in clinical practice and the new federal privacy rules do not apply to research records, providers should be aware of the evolving treatment landscape as these therapies move closer to potential approval and clinical use.

Artificial intelligence (AI) continues to dominate headlines—not just for its technological leaps, but also for the policies shaping its future. In a major development, a new Republican-backed tax bill, released by the House Energy and Commerce Committee on May 11, 2025, seeks to preempt states from regulating AI models for the next decade. If passed, this bill would prevent state laws governing AI systems, allowing only limited exceptions for measures that simply facilitate or streamline AI development and deployment. Laws attempting to regulate artificial intelligence models, artificial intelligence systems, or automated decision systems would be disallowed during the 10-year period.

This proposed federal approach aligns with the current administration’s emphasis on AI innovation over regulation, reflecting a belief that a unified, national policy will spur American competitiveness in this rapidly evolving field.

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

What Are the Changes?

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]

On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which require individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and to obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

U.S. Senators Angus King (I-ME) and Marco Rubio (R-FL) recently introduced a bill addressing cybersecurity protections and oversight in the healthcare industry. The Strengthening Cybersecurity in Health Care Act, introduced on February 8, 2024, aims to bolster a vulnerable and often-targeted industry against cyberattacks. The proposal follows a number of significant cyberattacks on healthcare organizations in recent years; Senator King noted that approximately 133 million people, or nearly one in three Americans, had their personal information compromised in 2023 alone.

DEA waivers regarding the Ryan Haight Act could play a major role in telehealth’s future.

In the first decade of the 21st century, deaths attributable to overdoses of prescription drugs spiked alarmingly, driven largely by a tripling of deaths due to opioid use. Amid this surge, Congress enacted the Ryan Haight Online Pharmacy Consumer Protection Act in 2008 as part of an attempt to rein in the burgeoning online marketplace for prescription drugs—particularly those involving controlled substances—which had largely evaded prior enforcement actions.