Healthcare Compliance News

American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare

The American Hospital Association (AHA) has responded to a September 2025 request for information (RFI) from the Office of Science and Technology Policy (OSTP) on regulatory reform on artificial intelligence (AI) to promote innovation and adoption.

The Trump administration is committed to ensuring the United States achieves global dominance in AI and issued the RFI to obtain feedback from businesses and the public on current federal regulations that are hampering AI adoption and innovation. AI has tremendous potential in healthcare, from analyzing and interpreting medical images and aiding clinicians with decision-making to streamlining operations and easing the considerable administrative burden faced by providers. While AI tools have been adopted in healthcare, the AHA says hospitals and health systems have merely scratched the surface of AI’s potential to support them and the patients they serve.

In order to accelerate innovation and adoption, the AHA believes regulations need to be eased. In its response, the AHA explained that around one-quarter of healthcare spending goes on administrative tasks, amounting to around $1 trillion annually. Feedback from member hospitals and health systems indicates that regulatory administrative burdens are contributing to the financial instability of many hospitals, around 40% of which are now operating with negative margins.

The AHA has already voiced opposition to the further administrative burdens and costs of the proposed update to the HIPAA Security Rule and has welcomed the Trump administration’s recognition that overly restrictive regulations lead to higher costs, hamper competition, and stifle innovation. AHA members have voiced their concern that excessive regulation of AI is likely to severely limit adoption and innovation. Given the potential for AI to improve efficiency and enhance the quality of care, a balance needs to be struck between regulation that ensures patient safety and sufficient flexibility to support innovation.

In the letter to the OSTP, Ashley Thompson, the AHA’s senior vice president of public policy analysis and development, explained that current administrative burdens have forced many hospitals to scale back patient services or close, and that excessive regulatory and administrative burdens have added unnecessary cost and reduced patient access to care. To ensure the full potential of AI in healthcare, the AHA makes four main recommendations for AI reform: leveraging existing policy frameworks to avoid redundancy; removing regulatory barriers; ensuring AI is used safely and effectively; and providing incentives and infrastructure investment to expand the use of AI in healthcare.

Current regulatory frameworks were developed around human clinicians and discrete medical device updates, which may create challenges if the same frameworks are applied to continuously updating AI tools; however, creating a new regulatory framework for AI could result in redundancy and inefficiency. The AHA recommends that any AI policies be synchronized with existing regulatory frameworks such as HIPAA, the HHS cybersecurity performance goals, FDA rules on premarket testing, and the CMS Medicare Advantage regulations.

The AHA recommends removing regulatory barriers that could stifle innovation, explaining that the current patchwork of state privacy laws and the 42 CFR Part 2 regulations has had a direct impact on the ability of hospitals to develop and deploy AI tools. The AHA has already responded to several problematic aspects of the proposed HIPAA Security Rule update and recommended voluntary, consensus-based cybersecurity practices, such as the HHS cybersecurity performance goals, rather than further regulation. The AHA suggests the Trump administration work with Congress to address HIPAA preemption, recommending the enactment of full HIPAA preemption, as varying state laws are currently creating complications for its members. Further, the AHA supports the removal of all remaining requirements under the Part 2 regulations, which are hindering access to important health information and impacting the ability of substance use disorder (SUD) providers to leverage AI tools for care delivery.

Regarding patient safety, the AHA recommends that trained clinicians be kept in the decision loop for algorithms that may impact access to care or care delivery, that consistent privacy and security standards apply to third-party vendors, and that policies be implemented that include post-deployment standards for AI healthcare tools to ensure the ongoing integrity of those tools.

The AHA has also stressed that infrastructure needs to be improved to support the adoption of AI tools. For instance, hospitals in rural areas often lack reliable broadband and Wi-Fi access, which has proven to be a barrier to digital services and the adoption of AI tools. Incentives should be aligned to support AI adoption, as inadequate reimbursement has meant that many providers do not have the necessary resources to invest in the infrastructure to support the adoption of AI tools. The AHA also encourages cross-agency collaboration to develop training and potential grant funding opportunities to support patient educational efforts on digital health tools.

The post American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare appeared first on The HIPAA Journal.

California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Protection Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.


California Sets 30-Day Breach Reporting Deadline

Individuals and businesses that do business in the state of California will soon be required to notify individuals affected by a data breach within 30 days of the discovery of the breach, and the state attorney general must be notified within 15 calendar days. State Governor Gavin Newsom added his signature to SB 446 earlier this month, with the new data breach reporting requirements taking effect on January 1, 2026.

Previously, data breach notification law in California required notifications to be issued without unreasonable delay, with no maximum timeframe stipulated for when the notifications should be issued. The new law will ensure that individuals affected by a data breach will receive prompt notification, allowing them to take timely action to protect themselves against identity theft and fraud.

There is, however, some flexibility in the new law. Data breach notifications must be issued in the most expedient time possible and without unreasonable delay, and while a 30-day limit is stipulated, the new law does allow for delays to notifications at the request of law enforcement and also to allow for any measures to be taken to determine the scope of the breach and restore the reasonable integrity of the data system.

The new law requires data breach notices to be written in plain language and titled “Notice of Data Breach,” and they should follow a standard format, with the information presented under the following headings:

  • What Happened?
  • What Information Was Involved?
  • What We Are Doing
  • What You Can Do
  • For More Information

There are also minimum content requirements. Data breach notices must include contact information for the individual or entity reporting the breach, the types of information reasonably believed to have been compromised, and contact information for the major credit reporting agencies if the breach involved Social Security numbers, driver’s license numbers, or California identification card numbers. If known at the time of issuing the notifications, notices should state the date of the breach, the estimated date of the breach, or the date range in which the breach occurred. Notices should also include a general description of the breach incident.

If the individual or business reporting the breach was the source of the breach, and the breach involved certain sensitive types of data, then complimentary identity theft prevention and mitigation services should be offered for a minimum of 12 months. Data types requiring those services to be offered are: Social Security number, driver’s license number, California identification card number, tax identification number, passport number, military identification number, or any other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

Entities that fully comply with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule will be deemed to be compliant with the breach notice requirements of SB 446; however, HIPAA-regulated entities are not exempted from other requirements of SB 446. HIPAA-regulated entities should therefore ensure that they thoroughly check those requirements and update their policies and procedures ahead of the compliance deadline.


August 2025 Healthcare Data Breach Report

There has been a 13.7% month-over-month increase in large healthcare data breaches, with 58 breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in August, slightly lower than the 2025 average of 63.5 large healthcare data breaches per month.

[Chart: August healthcare data breaches (2020-2025)]

Since 2009, the number of reported healthcare data breaches has generally increased each year, although there was a slight reduction in data breaches last year (746 in 2023 vs. 739 in 2024), and that trend appears to be continuing this year. HIPAA-regulated entities have reported 508 large healthcare data breaches in the year to August 31, 2025, compared to 515 large healthcare data breaches over the corresponding period in 2024.

[Chart: Individuals affected by healthcare data breaches in the past 12 months]

[Chart: Individuals affected by healthcare data breaches in August (2020-2025)]

For the second consecutive month, the number of individuals affected by healthcare data breaches has fallen. Across the 58 data breaches, the protected health information of 3,789,869 individuals was exposed or impermissibly accessed/disclosed. On average, 5,084,784 individuals have been affected by healthcare data breaches each month this year (median 3,583,200 individuals).

The number of affected individuals is down 84.7% for the year to date compared to 2024, although in July last year, Change Healthcare reported its gargantuan data breach, which we now know affected 192.7 million individuals. Even discounting that data breach as an outlier, there has been a considerable fall in the number of individuals affected by healthcare data breaches this year, down 43.93% from 2024 and 60.9% from the same period in 2023. Further information on healthcare data breaches can be found on our healthcare data breach statistics page.

The Biggest Healthcare Data Breaches in August 2025

There were only 13 data breaches affecting 10,000 or more individuals in August. The largest was a ransomware attack on the kidney dialysis company DaVita, which affected 2,689,826 individuals, 71% of the total number of individuals affected in August. The Interlock ransomware group claimed responsibility for the attack. Vital Imaging Medical Diagnostic Centers (VIMDC) in Florida experienced the second-largest data breach, with up to 260,000 individuals affected. While data theft was not confirmed, VIMDC said data theft was likely. Three of the four largest healthcare data breaches in August were ransomware attacks: Aspire Rural Health System and Highlands Oncology Group also fell victim to ransomware attacks.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Ransomware attack – Data theft confirmed (Interlock) |
| Vital Imaging Medical Diagnostic Centers, LLC | FL | Healthcare Provider | 260,000 | Hacking incident – Data theft suspected |
| Aspire Rural Health System | MI | Healthcare Provider | 138,386 | Ransomware attack – Data theft confirmed (BianLian) |
| Highlands Oncology Group PA | AR | Healthcare Provider | 111,766 | Ransomware attack (Medusa) |
| University of Iowa Community Home Care | IA | Healthcare Provider | 109,029 | Hacking incident – Data theft confirmed |
| University of Iowa Health Care | IA | Healthcare Provider | 101,875 | Hacking incident – Data theft confirmed |
| CPAP Medical Supplies and Services Inc. | FL | Healthcare Provider | 90,133 | Hacking incident |
| Langdon & Company, LLP Certified Public Accountants | NC | Business Associate | 46,061 | Hacking incident – Data theft confirmed |
| Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. | FL | Healthcare Provider | 43,446 | Hacking incident |
| MDLand International Corporation | NY | Business Associate | 22,586 | Ransomware attack |
| Beech Acres Parenting Center | OH | Healthcare Provider | 19,315 | Hacking incident |
| Pacific Imaging Management, LLC | CA | Healthcare Provider | 13,158 | Compromised email accounts |
| West Texas Oral Facial Surgery | TX | Healthcare Provider | 11,151 | Hacking incident |

The 13 data breaches affecting 10,000 or more individuals could well grow over the coming weeks, as 11 data breaches were reported in August that had suspected placeholder figures of 500 or 501 affected individuals. These figures are commonly used when the number of affected individuals has not been determined by the reporting deadline of the HIPAA Breach Notification Rule.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
| --- | --- | --- | --- | --- |
| Meridian Valley Laboratories, Inc. | WA | Healthcare Provider | 501 | Hacking/IT Incident |
| Department of Social Services for Vance County, North Carolina | NC | Business Associate | 501 | Hacking/IT Incident |
| CareTracker, Inc. | NY | Business Associate | 501 | Hacking/IT Incident |
| Mower County Health and Human Services | MN | Healthcare Provider | 501 | Hacking/IT Incident |
| PROVAIL | WA | Healthcare Provider | 501 | Hacking/IT Incident |
| Woodlawn Hospital | IN | Healthcare Provider | 500 | Hacking/IT Incident |
| McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident |
| McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident |
| McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident |
| Aflac Incorporated (“Aflac”) | GA | Health Plan | 500 | Hacking/IT Incident |
| Friesen Group | CA | Healthcare Provider | 500 | Hacking/IT Incident |

Causes of August 2025 Healthcare Data Breaches

Hacking and other IT incidents dominated the August breach reports, accounting for 87.9% of the month’s data breaches (51 data breaches). Across those breaches, the protected health information of 3,635,101 individuals was exposed or impermissibly accessed or disclosed – 95.9% of the individuals affected by data breaches in August. The average breach size was 71,276 records, and the median breach size was 3,569 records.

[Chart: Causes of August 2025 healthcare data breaches]

There were 7 unauthorized access/disclosure incidents affecting a total of 154,768 individuals. The average breach size was 22,110 records, and the median breach size was 3,215 records. No loss or theft incidents have been reported for five months, and there have been no improper disposal incidents for three months. The most common location of breached protected health information was network servers, followed by email accounts.

[Chart: Location of breached protected health information in August 2025]

Affected HIPAA-Regulated Entities

In August, 44 data breaches were reported by healthcare providers, affecting 3,698,013 individuals, 12 data breaches were reported by business associates, affecting 88,141 individuals, and 2 data breaches were reported by health plans, affecting 3,715 individuals. When a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to report the breach, although that responsibility is often delegated to the business associate. Since some covered entities choose to report business associate breaches themselves, the above figures do not accurately show where the data breach occurred. The charts below are based on the entity that experienced the data breach rather than the entity that reported the incident.

[Chart: Data breaches at HIPAA-regulated entities in August 2025]

[Chart: Individuals affected by data breaches at HIPAA-regulated entities in August 2025]

Geographical Distribution of August 2025 Healthcare Data Breaches

California was the worst-affected state with 7 large data breaches reported by HIPAA-regulated entities based in the state, closely followed by Florida and Texas with 6 data breaches. In August, HIPAA-regulated entities in 23 states reported large data breaches.

| State | Breaches |
| --- | --- |
| California | 7 |
| New York & Texas | 6 |
| Florida | 5 |
| Indiana, North Carolina & Washington | 3 |
| Arkansas, Connecticut, Georgia, Iowa, Massachusetts, Michigan, Minnesota, Utah & Wisconsin | 2 |
| Arizona, Colorado, Illinois, Mississippi, Montana, Nebraska & Ohio | 1 |

While California had the most breaches, the state ranked 8th in terms of the number of affected individuals. New York ranked 7th, and Texas ranked 9th. Only one data breach was reported by a Colorado-based entity, but it was the largest data breach of the month, ensuring the state ranked top in terms of affected individuals.

| State | Individuals Affected |
| --- | --- |
| Colorado | 2,689,826 |
| Florida | 405,348 |
| Iowa | 210,904 |
| Michigan | 139,401 |
| Arkansas | 114,257 |
| North Carolina | 50,584 |
| New York | 44,882 |
| California | 33,873 |
| Texas | 20,848 |
| Ohio | 19,315 |
| Connecticut | 8,428 |
| Montana | 8,255 |
| Wisconsin | 8,006 |
| Indiana | 6,097 |
| Massachusetts | 5,896 |
| Washington | 4,866 |
| Utah | 4,195 |
| Georgia | 4,069 |
| Arizona | 2,916 |
| Minnesota | 2,767 |
| Nebraska | 2,544 |
| Mississippi | 1,541 |
| Illinois | 1,051 |

HIPAA Enforcement Activity in August 2025

It has been a busy year of HIPAA enforcement, with 19 investigations resulting in settlements or civil monetary penalties to resolve noncompliance with the HIPAA Rules, including one new enforcement action announced in August. BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm based in New York. OCR launched an investigation of the company following a report of a December 2019 ransomware attack by the Maze ransomware group involving unauthorized access to the protected health information of up to 170,000 patients of its covered entity client, Community Care Physicians P.C., a New York medical group. The ransomware attack started with a phishing email. OCR was not provided with any evidence to show that a risk analysis had ever been conducted. The alleged HIPAA violation was settled with BST & Co. CPAs agreeing to pay a $175,000 financial penalty and adopt a corrective action plan. You can find out more about OCR’s HIPAA enforcement actions on our HIPAA violation cases page.

State attorneys general can also investigate HIPAA breaches and impose financial penalties for noncompliance, although there were no announcements by state attorneys general in August. A list of state attorneys general HIPAA enforcement actions can be found at this link.

NYS DOH Cybersecurity Regulation Deadline Fast Approaching

Next month, the New York State Department of Health (DOH) cybersecurity regulation for general hospitals comes into force, and all covered hospitals will be required to comply with all the new requirements. The cybersecurity regulation (10 NYCRR 405.46) took effect on October 2, 2024, and with immediate effect, general hospitals had to implement policies and procedures for reporting a material cybersecurity incident to the New York Department of Health’s Surge Operations Center (SOC) within 72 hours. Covered hospitals were given a year to implement compliance programs covering the other new requirements, and the deadline for compliance is now less than a month away. The compliance deadline is October 2, 2025.

Cybersecurity Requirements for General Hospitals

Hospitals in New York State already need to comply with the HIPAA Security Rule, but the cybersecurity regulation introduces many new requirements. Simply being HIPAA-compliant is no longer enough. Under HIPAA, hospitals in the state are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, the cybersecurity regulation takes things further, as its requirements apply to electronic nonpublic information. That definition is broader than HIPAA’s: it covers personally identifiable information (PII), meaning information that could be used to identify any natural person, not just patients, as well as business-related records.

General hospitals are required to implement a cybersecurity program based on the hospital’s risk assessment. The cybersecurity regulation stipulates several required elements that go above and beyond those specified by HIPAA. The cybersecurity program must identify internal and external risks that may threaten the security or integrity of nonpublic information within the hospital’s systems and that may threaten the continuity of the hospital’s business and operations. Policies and procedures must be implemented to protect information systems and any nonpublic information stored within those systems from unauthorized access and other malicious acts. Defensive infrastructure is required, and systems must be in place for detecting and responding to cybersecurity events, which will allow the recovery of normal operations and services.

Policies and protocols must be implemented for limiting user access privileges to systems containing nonpublic information, and there must be regular reviews of access privileges. There is a new requirement for measures to mitigate the threat of email-based attacks, such as spoofing, phishing, and fraud, and regular reviews of email controls must be conducted to ensure they continue to be effective.

Security measures and controls include encryption of data at rest and in transit, and there are data minimization requirements. Policies and procedures are required for the secure disposal of nonpublic information that is no longer required. Multifactor authentication, risk-based authentication, or other compensating controls are required to protect against unauthorized access to nonpublic information.

In contrast to HIPAA, which requires regular risk analyses, hospitals are required to conduct an annual risk assessment to identify risks and vulnerabilities to nonpublic information, and the cybersecurity program must be assessed annually to ensure it remains effective. Testing is required, including annual penetration tests by a qualified internal or external party. Hospitals must have an incident response plan for dealing with cybersecurity incidents, and documentation demonstrating compliance must be maintained for six years.

Hospitals are required to appoint a Chief Information Security Officer (CISO), who must be a qualified senior or executive-level staff member with proper training, experience, and expertise, and the cybersecurity program must be managed by qualified cybersecurity personnel or a third-party service provider.

New Cybersecurity Requirements Likely to Be Rigorously Enforced

The HIPAA Journal has spoken with information governance strategist Matthew Bernstein, who has over 20 years’ experience helping organizations analyze risks, transform written policy into day-to-day practice, and make their data findable, compliant, and secure. Hospitals rely on his firm, Bernstein Data, to integrate retention schedules, discovery and classification, and defensible disposition into one operating model that meets HIPAA and state mandates while trimming storage costs and shrinking the ransomware “attack surface”.

Bernstein has warned that hospitals believing they are compliant with the new requirements because they are HIPAA compliant could be in for a shock, and any hospital waiting to implement the changes until the DOH starts enforcing the cybersecurity regulation could well end up paying a considerable financial penalty. The language of the regulation closely mirrors the NYS Department of Financial Services (DFS) requirements, and penalties for noncompliance can run from $1 million to $5 million.

“It’s clear that the NYS Dept of Health is taking a leaf from the NYS Department of Financial Services’ book, and that should be concerning to hospitals. The DFS has been an aggressive regulator about cybersecurity shortcomings of NYS companies, including healthcare providers with a “financial services” business, such as its recent $2 million settlement with Healthplex,” explained Bernstein. “There are significant commonalities between the new DOH regulation and the infamous 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies, and these requirements present new challenges for hospitals. It’s not just about a small set of defined PHI and making sure breaches are reported; there’s an expansive set of “personal” and “business-related” information to protect, and new risk assessment and mitigation operations to be adopted.”

With the compliance deadline fast approaching, hospitals need to ensure they have the policies, procedures, and protocols in place to comply with the new requirements. “New York hospitals don’t need to solve everything overnight, but they do need to demonstrate governance and intent,” Bernstein said. “Drafting a preliminary compliance roadmap with specific roles, accountability structures, and implementation priorities can go a long way in signaling good faith to regulators, board members, and insurers. Think of it as the scaffolding on which everything else will be built.”

The post NYS DOH Cybersecurity Regulation Deadline Fast Approaching appeared first on The HIPAA Journal.

HHS Announces Crackdown on Information Blocking in Healthcare

The Department of Health and Human Services (HHS) has announced it will start cracking down on healthcare entities that engage in information blocking. On September 3, 2025, HHS Secretary Robert F. Kennedy Jr. directed the HHS to increase resources dedicated to the enforcement of the health data information blocking provisions of the 21st Century Cures Act. The 21st Century Cures Act of 2016 established penalties, termed disincentives, for healthcare entities that engage in information blocking practices, which is “any practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.”

The disincentive for information blocking by developers of certified health IT, Health Information Exchanges (HIEs), and Health Information Networks (HINs) is a civil monetary penalty of up to $1 million, which took effect on September 1, 2023. Developers with products certified under the ONC Health IT Certification Program could have their certifications terminated and be banned from the Certification Program.

In 2023, the HHS proposed a rule that established a range of disincentives for healthcare providers determined by the HHS Office of Inspector General (HHS-OIG) to have engaged in information blocking practices. Those disincentives took effect on July 31, 2024, with the exception of the penalties for ACO participants, which became effective on January 1, 2025.

Those disincentives include:

  • The denial of eligibility to hospitals or critical access hospitals (CAHs) as meaningful electronic health record (EHR) users in an applicable EHR reporting period, resulting in the loss of 75 percent of the annual market basket increase, and a reduction in Medicare payments to CAHs to 100 percent of reasonable costs rather than 101 percent. The amount of the disincentive would be dependent on a hospital’s Medicare payments. The HHS previously calculated the median disincentive amount to be $394,353.
  • Information blocking by eligible clinicians would result in them losing eligibility as meaningful users of certified EHR technology in a performance period, resulting in a zero score under Medicare’s Merit-based Incentive Payment System (MIPS), which determines payments to physicians.
  • Providers or suppliers that are Accountable Care Organization (ACO) participants would be ineligible to participate in the Medicare Shared Savings Program for a period of at least one year.

In a September 3, 2025, press release, the HHS said it will be cracking down on information blocking, whereby patients’ engagement in their own care is restricted by the blocking of access, exchange, and use of electronic health information. The HHS said information blocking was not a priority for the Biden administration, but it is a priority under President Trump and Secretary Kennedy.

“Patients must have unfettered access to their health information as guaranteed by law. Providers and certain health IT entities have a legal duty to ensure that information flows where and when it’s needed,” said Acting Inspector General Juliet T. Hodgkins. “HHS-OIG will deploy all available authorities to investigate and hold violators accountable. We are committed to enforcing the law and protecting patients’ access to health information.”

Empowering individuals to take control of their health is a key element of Secretary Kennedy’s Make America Healthy Again promise, which requires them to have easy access to their electronic health information, either through zero-cost access through their healthcare providers or their chosen health apps. Access to health information allows patients to monitor chronic conditions, adhere to treatment plans, track progress in wellness and disease management plans, and find errors in their health records.

“We have already begun reviewing reports of information blocking against developers of certified health IT under the ONC Health IT Certification Program and are providing technical assistance to our colleagues at OIG for investigations,” said Tom Keane, MD, Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology. The HHS is encouraging patients and innovators who have experienced or observed information blocking to report it through the ASTP/ONC Report Information Blocking Portal.

The post HHS Announces Crackdown on Information Blocking in Healthcare appeared first on The HIPAA Journal.

Florida Considers Rule to Improve Healthcare Data Breach Transparency

Healthcare providers in Florida could have new data breach reporting requirements if a recently proposed Florida Administrative Code Regulation Rule is adopted. The rule was proposed by the Agency for Health Care Administration (AHCA) to improve healthcare data breach transparency and preparedness for security incidents. If adopted, healthcare providers will be required to have a contingency plan for information technology incidents, to ensure that critical operations and patient care services can continue during an interruption to normal operations.

The contingency plan must consist of two elements: a written policy containing procedures and information regarding the maintenance of critical operations and essential patient care, and a procedure for ensuring regular, secure, redundant on-site and off-site data backups (within the continental United States) and for verifying that backed-up data can be restored.

An information technology incident is defined as “an observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form.” The definition covers cyberattacks and insider breaches, including good-faith authorized access by an employee if the data accessed by the employee is used in an unauthorized manner or for an unauthorized purpose.

The new rule will require all covered providers to report an information technology incident to AHCA within 24 hours of the provider determining that an information technology incident has occurred. While not required to be provided in the information technology incident report to AHCA, on request, providers must give AHCA a copy of the police report, incident report, computer forensics report, policies regarding information technology incidents, a list of the information disclosed, the steps taken in response to the incident, and a copy of the contingency plan.

Since healthcare providers are likely also HIPAA-covered entities, these new requirements will be in addition to any requirements under HIPAA. The AHCA will be holding a rule development workshop on September 17, 2025, about the proposed rule.

Covered Providers

  • Abortion clinics
  • Adult day care centers
  • Adult family-care homes
  • Ambulatory surgical centers
  • Assisted living facilities
  • Birth centers
  • Companion services or homemaker services providers
  • Crisis stabilization units
  • Health care clinics
  • Health care services pools
  • Home health agencies
  • Home medical equipment providers
  • Homes for special services
  • Hospices
  • Hospitals
  • Intermediate care facilities for persons with developmental disabilities
  • Laboratories authorized to perform testing under the Drug-Free Workplace Act
  • Nurse registries
  • Nursing homes
  • Organ, tissue, and eye procurement organizations
  • Prescribed pediatric extended care centers
  • Residential treatment centers for children and adolescents
  • Residential treatment facilities
  • Short-term residential treatment facilities
  • Transitional living facilities

The post Florida Considers Rule to Improve Healthcare Data Breach Transparency appeared first on The HIPAA Journal.

Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations

On August 26, 2025, Robert F. Kennedy Jr., Secretary of the U.S. Department of Health and Human Services (HHS), delegated the authority to administer and enforce the “Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (Part 2) to the HHS’ Office for Civil Rights (OCR).

OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, ensures the confidentiality, integrity, and availability of personally identifiable health information collected, stored, maintained, or transmitted by HIPAA-regulated entities. The HIPAA Rules have provisions concerning data security and uses and disclosures of personally identifiable information related to past, present, and future health; however, due to the high level of sensitivity of SUD records, they are afforded greater protection under the Part 2 regulations.

The Part 2 regulations were promulgated in 1975 to ensure that patients receiving treatment for a SUD in a Part 2 Program do not face adverse consequences related to criminal proceedings and domestic proceedings such as child custody, divorce, or employment. The Part 2 regulations restrict uses and disclosures of SUD records, which are kept separate from other health records, such as those regulated by HIPAA. Generally, Part 2 Programs are prohibited from disclosing any information that could identify a person as having or having had a SUD without written consent.

While there are important reasons for greater protections for SUD records, having two sets of regulations for different types of health information creates compliance challenges. The two sets of regulations hamper care coordination, stifle information sharing, and may put patients at risk. For instance, the separation of SUD records from general health records could result in a physician making a treatment decision based on incomplete information, such as prescribing opioids to a patient recovering from opioid addiction.

There have been growing calls for the Part 2 regulations to be more closely aligned with HIPAA to improve care coordination and address some of the current compliance challenges. In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted, which directed the HHS to engage in further rulemaking to better align the Part 2 regulations with HIPAA. The HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, issued a Final Rule in 2024 implementing changes to better align the two sets of regulations to improve care coordination, strengthen confidentiality protections through civil enforcement, and align certain requirements of the Part 2 regulations with HIPAA. The compliance deadline for the Final Rule is February 16, 2026.

Two of the changes relate to privacy violations and data breaches. The Final Rule gives individuals the right to file complaints about violations of the Part 2 regulations, and the subject of SUD records must be notified about breaches of their Part 2 records, as is the case for violations of HIPAA and breaches of HIPAA-covered data. RFK Jr. has now delegated the administration and enforcement responsibilities of the Part 2 regulations to OCR. The Director of OCR has the authority to redelegate those responsibilities.

Specifically, per the Secretary’s Statement of Delegation of Authority published in the Federal Register on August 27, 2025, OCR will be able to:

  • Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with the requirements of Part 2 regulations, as amended by the Final Rule
  • Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with the Part 2 regulations, as amended by the Final Rule
  • Make decisions regarding the interpretation, implementation, and enforcement of the Part 2 regulations, as amended by the Final Rule

The post Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations appeared first on The HIPAA Journal.