U.S. Department of Health & Human Services

This post is part of our series, “The Top 2025 Privacy and Security Issues Still Shaping Healthcare,” in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

On March 27, 2025, the U.S. Department of Health and Human Services (HHS) announced a sweeping reorganization under the Department of Government Efficiency Workforce Optimization Initiative. The plan consolidates 28 divisions into 15, reduces the number of regional offices from 10 to 5, and introduces a new entity: the Administration for a Healthy America (AHA). This transformation aims to modernize HHS’s structure and operations, improve efficiency, and strengthen oversight across federal health programs.

Department of Justice Bulk Sensitive Personal Data Transfer Rule (28 CFR Part 202) 

Overview 

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This order, implemented through Department of Justice (DOJ) regulations (28 C.F.R. Part 202) and Cybersecurity and Infrastructure Security Agency (CISA) requirements, creates sweeping new restrictions on the transfer of Americans’ health data to certain foreign countries and entities.

HHS Ramps Up Enforcement Against Information Blocking

2025 marks a significant turning point in federal enforcement against “information blocking” in healthcare. In a series of announcements this September, the U.S. Department of Health and Human Services (“HHS”) signaled a major crackdown on healthcare entities—especially health IT developers, health information networks, and certain providers—that restrict patient access to their electronic health information (“EHI”).

Under the direction of Secretary Robert F. Kennedy, Jr., HHS has dedicated increased resources and issued clear warnings that enforcement of information blocking rules is now a top priority. This includes the threat of substantial civil monetary penalties (“CMPs”)—up to $1 million per violation—for certain actors, as well as program-specific disincentives for providers who participate in Medicare and other federal programs. 

On May 9, 2024, the Department of Health and Human Services (“HHS”) published a Final Rule (“the Rule”) updating Section 504 of the Rehabilitation Act of 1973 (“Section 504”) regulations. As part of the Rule, every facility, program, or activity with 15 or more employees and receiving HHS funding will need to comply with new digital accessibility guidelines by May 11, 2026. Those with fewer than 15 employees will need to comply by May 10, 2027.

The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.

Reproductive health privacy rule vacated.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Privacy Rule). As a result, the additional privacy protections that had been granted to reproductive healthcare information through President Biden’s Executive Order 14076 (“Protecting Access to Reproductive Health Care Services”) are no longer enforceable or required.

A federal judge has issued a preliminary injunction halting the Department of Health and Human Services’ (HHS) 340B Rebate Model Pilot Program, which was scheduled to take effect on January 1, 2026. The December 29, 2025 ruling temporarily prevents implementation of the rebate program that would have fundamentally changed how safety-net hospitals and clinics purchase discounted drugs under the 340B Drug Pricing Program.

In my November 2025 blog post, I discussed the uncertainty surrounding the DEA’s then-pending telemedicine rule and its implications for ketamine clinics. At that time, the future of pandemic-era telehealth prescribing flexibilities was unclear, and clinics across the country were bracing for the possibility of a significant regulatory shift at the end of 2025.

CMS has extended its Provisional Period of Enhanced Oversight (PPEO) and its Expanded Prepayment Review (EPR) enforcement efforts to Georgia and Ohio. The enhanced enforcement efforts can lead to the revocation of a hospice’s Medicare billing privileges, termination of Medicare/Medicaid enrollment, and/or the prepayment review of 100% of a hospice’s claims.

The regulatory landscape for substance use disorder (SUD) treatment records is changing—and the impact will extend far beyond traditional addiction treatment programs. With treatment options for SUD limited, some providers are exploring ketamine as a potential therapy due to its effects on glutamatergic neurotransmission.[i] Additionally, psychedelic-assisted therapies involving certain Schedule I substances – such as psilocybin, ibogaine, and MDMA – are currently being studied by researchers as potential treatments for SUDs.[ii] While these investigational therapies are not yet available in clinical practice and the new federal privacy rules do not apply to research records, providers should be aware of the evolving treatment landscape as these therapies move closer to potential approval and clinical use.