February Deadline Approaching to Revise HIPAA Notices of Privacy Practices

January 20, 2026January 21, 2026 Wyatt Data Privacy & Security, HIPAA, HITECH Law HHS deadline, HIPAA, Part 2 Programs, substance use disorder (SUD)

Written by Margaret Young Levi

The February 16, 2026 deadline is fast approaching for HIPAA covered entities to revise their HIPAA Notice of Privacy Practices to address substance use disorder (SUD) records.

In 2024, the U.S. Department of Health & Human Services (HHS) issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). This Final Rule was designed to better align Part 2 record protections with HIPAA.

Although the Final Rule primarily applies to Part 2 programs, all HIPAA covered entities that receive SUD records from Part 2 programs will need to update their Notice of Privacy Practices by February 16, 2026. This requirement applies to not only health care providers but also health plans, including health insurance companies, health maintenance organizations (HMOs), as well as employer-sponsored health plans.

For additional information about this Final Rule, please check out the HHS Fact Sheet.

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Young Levi at (859) 288-7469. Effective January 1, 2026, Wyatt, Tarrant & Combs, LLP merged with Bricker Graydon, LLP, to become Bricker Graydon Wyatt, LLP (“Bricker“). Until we have the new Bricker website up and running, you can learn more about our health care, data privacy and cyber security practices by visiting the following: Data Privacy & Cybersecurity, Health Care, Privacy & Data Protection, and Health Care.

HHS Adds New Teeth to Information Blocking Law for Health Care Providers

July 3, 2024October 17, 2024 Kathie McDonald-McClure Cures Act and Program Interoperability, Electronic Health Records, Health Information Technology, HITECH Law, Meaningful Use Accountable Care Organizations, ACOs, civil penalties, Critical Access Hospitals, eligible hospitals, health information blocking, Health Information Technology, meaningful use of certified EHR, Medicare, Merit-based Incentive Payment System, MIPS, MSSP, ONC, Promoting Interoperability Program, Shared Savings Program

by Margaret Young Levi, Kathie McDonald-McClure, and Drayden Burton (Wyatt Summer Associate)

On July 1, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule entitled “21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking,” 89 Fed. Reg. 54662 (Final Rule) establishing “disincentives” for health care providers who commit information blocking. Importantly, the 21^st Century Cares Act explicitly delegated the authority to HHS to establish “appropriate disincentives” for information blocking through notice and comment rulemaking. 42 U.S. Code § 300jj–52(b)(2)(B). Previously, on October 23, 2023, HHS published its proposed rule seeking comments on the proposed appropriate disincentives (Proposed Rule).

In general, “information blocking” means knowingly and unreasonably interfering with, preventing, or materially discouraging the access, exchange, or use of “electronic health information” (EHI) unless such blocking is required by law or permitted by regulatory exceptions. To learn more about information blocking and the permitted exceptions, see our article “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?,” which provides an overview of the Rule’s key elements and requirements. The prohibition on information blocking went into effect on April 5, 2021, but until now did not contain any penalties for health care providers who engage in information blocking. Previously, on June 27, 2023, the HHS Office of Inspector General (HHS-OIG) established civil monetary penalties of up to $1 million per information blocking violation by developers of certified health information technology and for health information networks (HINs) and health information exchanges (HIEs). (88 Federal Register 42820).

This Final Rule adds some teeth, aiming to ensure that individuals and their health care providers always have access to the individual’s health information. Some of the comments that HHS had received to its Proposed Rule supported disincentives that incentivize an exchange of EHI across care settings on the basis that this will lead to better patient outcomes. In issuing its Final Rule HHS stated, “When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients.”

The “Disincentives”

The Final Rule establishes certain “disincentives” for several categories of health care providers that HHS-OIG finds to have engaged in activities that interfere with or prevent access to EHI that constitute information blocking. These disincentives are as follows:

A Supreme Development in Employer Computer Protection

June 28, 2021July 15, 2021 WyattLLP Data Privacy & Security, Health Information Technology, HITECH Law CFFA, Computer Protection

By: Courtney Samford, contributing author Blake Sims, Wyatt Summer Associate

This image has an empty alt attribute; its file name is pexels-mikhail-nilov-6930431-1024x617.jpg

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some Federal Court of Appeals Circuits, employers may have been able to rely on threats of criminal and civil liabilities under 18 U.S.C. § 1030 to further deter improper use. On June 3, 2021, however, an evenly split conservative-liberal majority of the Supreme Court reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual only violates the Section 1030 of Computer Fraud and Abuse Act “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021).

Continue reading →

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

February 5, 2021July 15, 2021 Kathie McDonald-McClure Data Privacy & Security, HIPAA, HITECH Law "recognized security practices", 21st Century Cures Act, administrative physical technical safeguards, cyber attack, data breach, HIPAA Security Rule

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021. This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA).

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule.

Continue reading →

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

April 9, 2019May 14, 2019 Kathie McDonald-McClure Cures Act and Program Interoperability, Data Privacy & Security, EHR Certification Standards, Electronic Health Records, Health Information Technology, HIPAA, HITECH Law Care coordination, CMS EHR Program Interoperability, Electronic Health Records, HHS CMS Proposed Rule, Hospital Conditions of Participation (CoPs), PAC providers

By Kathie McDonald-McClure and Margaret Young Levi

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred. What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP? Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act? CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.* Continue reading →