Health Law Advisor

On January 29, 2026, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) released the Draft United States Core Data for Interoperability Version 7 (“USCDI v7”) for public comment through Standards Bulletin 2026-1. The very next day, ASTP/ONC also issued a Request for Information (“RFI”) seeking public input on the potential adoption of diagnostic imaging interoperability standards and certification criteria under the ONC Health IT Certification Program.

New from the Diagnosing Health Care Podcast: Value-based enterprises depend on timely, accurate data, yet the rules that govern how that data moves between the Centers for Medicare & Medicaid Services (CMS), accountable care organizations, payors, and providers remain complex and often inconsistent.

On this episode, Epstein Becker Green attorneys Kevin Malone and Karen Mandelbaum unpack the regulatory frameworks shaping data exchange in value-based care.

They outline how federal privacy laws, CMS rules, the Health Insurance Portability and Accountability Act (HIPAA), and state requirements intersect; why CMS-sourced data operates under a different regime than Medicare Advantage; and where organizations face the biggest operational hurdles when using, sharing, and governing data across large networks.

New from the Diagnosing Health Care Podcast: By early 2026, substance use disorder (SUD) providers, health plans, clinicians, health information exchanges (HIEs), and vendors must meet new federal privacy standards for SUD treatment records or face Health Insurance Portability and Accountability Act (HIPAA)-level enforcement and penalties.

On this episode, Epstein Becker Green attorneys Lisa Pierce Reisz, David Shillcutt, and Laura DePonio join Nichole Sweeney, General Counsel and Chief Privacy Officer at CRISP, to break down the 42 CFR Part 2 final rule: what’s changing, what’s staying the same, and what organizations often miss.

The group explains how the final rule aligns with (but does not replace) HIPAA, why patient consent remains central, and what new operational risks are emerging.

Tune in to learn about the changes that matter most and the risks you can’t ignore.

[Update: New York Governor Kathy Hochul vetoed S. 929 on December 19, 2025.]

New York State appears poised to become the fourth state to explicitly regulate consumer health data not covered by the federal Health Insurance Portability and Accountability Act (HIPAA). In May of 2023, Washington State enacted the My Health My Data Act; in June of 2023, Connecticut amended its Data Privacy Act; and in March of 2024, Nevada passed Senate Bill 370. In many respects, NY HIPA is broader in scope and effect than its three predecessors.

New York’s S929 (Health Information Privacy Act or NY HIPA), sponsored by state Senator Liz Krueger (D), establishes requirements for communications to individuals regarding the disposition of their health information; and requires written consent or a designated necessary purpose for the processing of such health information. NY HIPA addresses vulnerabilities unaddressed by HIPAA because it applies to a broader range of private companies and protects health information at risk of disclosure through the commercialization of health data.

From our Thought Leaders in Health Law video series: The U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country.

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights published a final rule entitled the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

What are the key takeaways from the Final Rule?

In this episode of the Diagnosing Health Care Podcast:  The vaccine passport has been a major topic of discussion as businesses and governments consider how to balance privacy and safety through the rollout of the COVID-19 vaccine. Epstein Becker Green attorneys Patricia Wagner, Alaap Shah, and Jessika Tuazon discuss the privacy and security concerns companies must weigh as they consider developing or implementing vaccine passports, such as the collection and use of an individual's personal health information. As state governments and the private sector take the ...

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify ...