HHS Proposes Changes to the Health IT Certification Program and Information Blocking Regulations in HTI-5 Proposed Rule
On December 29, 2025, the U.S. Department of Health and Human Services (“HHS”), through the Assistant Secretary for Technology Policy (“ASTP”)/Office of the National Coordinator for Health Information Technology (“ONC”) (collectively, “ASTP/ONC”), issued a proposed rule to update its Health Data, Technology, and Interoperability (“HTI”) regulations, as well as a notice to withdraw prior proposals issued as part of the HTI-2 proposed rule.
Elizabeth Brim
Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.
Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.
Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.
Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.
5 Developments Digital Health Innovators Should Watch in 2026
With 2026 underway, signs point to another year focused on enhancing health IT and digital health innovation. From new payment models to deregulatory efforts, these developments show that digital health continues to be increasingly central to the healthcare and life sciences sectors. Below are five key developments to watch unfold…
What Life Sciences and Digital Health Companies Need to Know About CMS’s New Health Technology Ecosystem Initiative
On July 30, 2025, the U.S. Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) announced a new Health Technology Ecosystem Initiative—a collaborative effort between government and industry to unlock innovation by modernizing healthcare data flows among patients, providers, payers, and technology platforms. The new initiative does not contemplate any new regulations; instead, it is a CMS-led effort intended to empower and accelerate innovation by the private sector through (i) the development of public digital infrastructure and data standards and (ii) voluntary commitments from industry to deliver new technology solutions based on a common data-sharing framework.
It is too early to predict how successful the Health Technology Ecosystem will be—the stubborn prevalence of data silos, lack of interoperability between systems, and challenges with using data for secondary purposes have long been a hurdle to innovation—yet, with 60 organizations, including leading tech firms, already pledging support for the new initiative, the broader industry may see this as an occasion for renewed focus and expanded efforts to bring health technology solutions to market at scale. For life sciences and digital health companies, this new initiative may present a strategic opportunity to better serve patients, empower providers, improve real-world evidence generation, and support innovation leading to better healthcare outcomes.
HHS Issues Notice of Proposed Rulemaking to Update the HIPAA Security Rule
On January 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (the “proposed rule”), which proposes a number of significant updates to the HIPAA Security Rule. According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The preamble states that the proposed rule seeks to address common areas of non-compliance with the Security Rule identified by OCR in its recent investigations, as well as build on recommendations from the National Committee on Vital Health Statistics and guidelines and best practices recommended by other parts of the government, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
Below, we provide a brief summary of the proposed changes. The proposed rule is open for comment until March 7, 2025.
FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule
On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates. We previously covered the proposed rule, which was issued on May 18, 2023.
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework
On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era,” which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.
HHS Publishes Final Rule to Align Part 2 and HIPAA
On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule to amend the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (“Part 2”) to more closely align Part 2 with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) as required by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”). We previously covered the proposed rule (hereinafter, “the NPRM”), which was issued on December 2, 2022.
The final rule, issued through the Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”), increases alignment between certain Part 2 requirements and HIPAA and it clarifies certain existing Part 2 permissions and restrictions to improve the ability of entities to use and disclose Part 2 records. According to HHS, this final rule will decrease burdens on patients and providers, improve coordination of care and access to care and treatment, and protect the confidentiality of treatment records.
California Enacts Amendments to the CMIA
On September 27, 2023, Governor Newsom signed AB 254 and AB 352, which both amend the California Confidentiality of Medical Information Act (“CMIA”). Specifically, AB 254 expands the scope of the CMIA to expressly cover reproductive or sexual health services that are delivered through digital health solutions and the associated health information generated from these services. AB 352 imposes new requirements on how electronic health record (“EHR”) systems must store medical information related to gender affirming care, abortion and related services, and contraception and the ability of providers of health care, health care service plans, contractors, or employers to disclose such information.
HHS Proposes Rule to Improve Standards for Electronic Prior Authorizations and Other Transactions with Health Care Attachments
On December 19, 2022, the U.S. Department of Health and Human Services (“HHS”) through the Centers for Medicare & Medicaid Services (“CMS”) issued a proposed rule to adopt standards for certain electronic health transactions. Specifically, the proposed rule would adopt standards for health care attachment transactions (e.g., medical charts, x-rays, provider notes) and electronic signatures to be used in conjunction with health care attachments, and modify the standard for referral certification and authorization transaction. The proposed rule would apply to entities regulated by the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), and would implement certain requirements of the Administrative Simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act (“ACA”) that require the Secretary of HHS to adopt and update standards for electronic health transactions, code sets, unique identifiers, as well as the electronic exchange for health information.