On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which requires individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

U.S. Senators Angus King (I-ME) and Marco Rubio (R-FL) recently introduced a bill addressing cybersecurity protections and oversight in the healthcare industry. The Strengthening Cybersecurity in Health Care Act, introduced on February 8, 2024, aims to bolster a vulnerable and often-targeted industry against cyberattacks. The proposal follows a number of significant cyberattacks on healthcare organizations in recent years; Senator King noted that approximately 133 million people, or nearly one in three Americans, had their personal information compromised in 2023 alone.

On October 29, 2020, HHS extended the effective date of compliance for the “Information Blocking” final rule promulgated as part of the 21st Century Cures Act (Information Blocking Rule). The Information Blocking Rule, which was set to take effect on November 2, 2020, prohibits health care providers, IT developers, and health information exchanges from unreasonably interfering with the access, exchange, or use of electronic health information (EHI). We previously discussed the practice of information blocking and the eight exceptions in our blog post Information Blocking: Ready or Not, Here it Comes!.

On May 1, 2020, the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC) released its final rule (Final Rule) on “Information Blocking” as part of the 21st Century Cures Act. The Final Rule applies to the following (ONC refers to each one as an “Actor”): (i) healthcare providers, (ii) health IT developers subject to ONC’s Health IT Certification Program, (iii) health information networks (HIN) or (iv) health information exchanges (HIE). With the initial enforcement date fast approaching (November 2), we explain the rule below.