Healthcare Compliance News

Texas Governor Instructs State Agencies to Audit Chinese Medical Devices

Texas Governor Greg Abbott has ordered all state agencies and state-owned medical facilities to audit their patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to access Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. The Contec CMS8000 patient monitor, also sold relabeled as the Epsimed MN-120, was found to contain a backdoor that a remote attacker could use to access sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbott wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbott said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbott has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with Executive Order GA-48 of November 19, 2024, which requires the state government to harden its cybersecurity.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices that can transmit data over a network or be accessed remotely, and to share that inventory with TXCC. With TXCC’s assistance, HHSC, DSHS, and public systems of higher education must also review their cybersecurity policies for protecting personal health information at all state-owned medical facilities under their jurisdiction, and specifically address how those policies respond to FDA and CISA alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbott has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.

HHS Confirms Active Enforcement of Information Blocking Rules

At a Thursday hearing, the Senate Health, Education, Labor and Pensions (HELP) Committee heard testimony from Thomas Keane, M.D., M.B.A., Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology (ASTP/ONC) on the HHS’s efforts to make improvements in health and care through the access, exchange, and use of data.

“My top priority is fostering greater data liquidity in the U.S. health care system so that patients and their clinicians are in the driver’s seat. I see how modern data standards, combined with artificial intelligence (AI), can make health care more affordable, accessible, and can support improved health outcomes,” explained Keane.

It has been a decade since the 21st Century Cures Act was enacted in 2016. Key provisions of the act have been implemented, such as the establishment of the Trusted Exchange Framework and Common Agreement (TEFCA) for nationwide health information exchange across health information networks. TEFCA Exchange began in earnest in January 2024, and 11 Qualified Health Information Networks have now signed up and been vetted to facilitate data exchange. More than 70,000 locations nationwide are connected, and the exchange of more than 400 million health records is now supported. While TEFCA has yet to reach its full potential, when that happens, a healthcare provider will be able to access a patient’s full health history, regardless of the electronic health record system where that information is stored.

While the technology exists to support the seamless exchange of health data, information does not always flow unimpeded. At the hearing, HELP Committee members expressed frustration that health data is being blocked by healthcare providers, developers of certified health IT, and health information networks and exchanges. The 21st Century Cures Act prohibited information blocking; however, it took until 2023 to finalize the financial penalties for developers of health IT, and another year to finalize the financial penalties for healthcare providers, and penalties have yet to be imposed for information blocking.

At the hearing, Keane confirmed that the federal government is taking action against entities engaged in information blocking. Since the HHS launched its information blocking complaint portal, more than 1,500 complaints alleging information blocking have been filed, the majority of them by patients. Keane confirmed that ASTP/ONC has started actively enforcing the information blocking rules. In September 2025, the HHS warned developers, providers, and health information exchanges that it would start cracking down on information blocking and launched a major enforcement initiative targeting noncompliance, allocating additional resources to support investigations and to hold entities accountable for blocking the sharing of electronic health information.

Since then, ASTP/ONC has been working closely with the HHS Office of Inspector General to ensure that bad actors face meaningful consequences for information blocking, and in February this year, ASTP/ONC sent notices to developers of certified health IT about potential non-conformity under the ONC Health IT Certification Program, requesting information and explanations about non-conformity issues. Should information blocking be confirmed, health IT developers could face penalties of up to $1 million per violation, while providers could be prevented from receiving Medicare payments.

Keane explained that ASTP/ONC is collaborating with the Federal Trade Commission (FTC), Department of Justice (DoJ), and state governments to identify potential anti-competitive business practices and other practices that are preventing the seamless exchange of health information. ASTP/ONC is also continuing to work with providers, health information networks, and health IT developers to improve understanding of what constitutes information blocking and the steps they must take to ensure compliance with the law.

“In [the] not-so-distant future, an individual with multiple chronic conditions can keep all their health information in one secure digital place and share it instantly with a new provider, a caregiver, or a trusted app—no matter where they live or where they receive care,” Keane said.

The post HHS Confirms Active Enforcement of Information Blocking Rules appeared first on The HIPAA Journal.

HHS Issues RFI Seeking Input on AI Tools and Methodologies for Healthcare Fraud Prevention

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) plans to use artificial intelligence (AI) tools to identify fraudulent claims before they are paid.

While estimates of total losses from healthcare fraud vary, around $60 billion is thought to be lost to Medicare fraud each year. In 2023, the HHS Office of Inspector General (HHS-OIG), the primary agency responsible for tackling Medicare and Medicaid fraud, identified more than $100 billion in improper payments across the Medicare and Medicaid programs. Estimates suggest that between 3% and 10% of total healthcare spending is being lost to fraud. While HHS-OIG, in conjunction with the Department of Justice and the CMS, investigates fraud and prosecutes fraudsters, only a fraction of fraudulently paid funds is recovered.

In a February 25, 2026, press release, Vice President J.D. Vance, Secretary of Health and Human Services (HHS) Robert F. Kennedy, Jr., and CMS Administrator Dr. Mehmet Oz announced some of the new steps being taken to crack down on healthcare fraud as part of a broader effort by the Trump administration to improve affordability, protect patients, and reduce the burden on taxpayers, who ultimately foot the bill for healthcare fraud.

“For decades, Medicare fraud has drained billions from American taxpayers—that ends now,” said Secretary Kennedy. “We are replacing the old ‘pay and chase’ model with a real-time ‘detect and deploy’ strategy, using advanced AI tools to identify fraud instantly and stop improper payments before they go out the door.”

In the press release, the HHS confirmed that one of the actions is deferring $259.5 million of quarterly federal Medicaid funding in Minnesota while further investigations are conducted into fraudulent or unsupported claims, along with a nationwide moratorium on Medicare enrollment for certain Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS) suppliers, a category that has historically been an area of major healthcare fraud. The HHS has also issued a call to action for Americans to support fraud prevention, including seeking stakeholder input on ways the CMS can expand and strengthen its fraud prevention efforts.

“CMS is done trying to catch fraudsters with their hands in the cookie jar—instead, we’re padlocking the jar and letting them starve,” said Administrator Oz. “This proactive approach will help us crush fraud, protect taxpayer dollars, and make sure the vulnerable Americans who depend on our programs get the care they need.”

As part of the healthcare fraud prevention drive, the HHS and CMS issued a Request for Information (RFI) seeking input from a broad range of stakeholders on ways to strengthen the ability of the CMS to prevent, detect, and respond to fraud, waste, and abuse in Medicare, Medicaid, the Children’s Health Insurance Program (CHIP), and the Health Insurance Marketplace. That includes input on analytics, methodologies, data-driven approaches, and AI tools that would be most effective at identifying indicators of potential healthcare fraud, waste, or abuse.

The feedback will inform future rulemaking, including a potential “Comprehensive Regulations to Uncover Suspicious Healthcare (CRUSH)” proposed rule, and other programmatic changes for tackling healthcare fraud. While the CMS and the HHS-OIG have long used predictive modeling and data analytics to identify fraud and waste, the HHS recognizes the potential of AI tools for identifying fraud before claims are paid.

The CMS has asked for suggestions on how AI can be incorporated into Medicare Advantage coding oversight and hospital billing, and specifically which types of AI solutions, including off-the-shelf products, are most effective and efficient at assisting human coders with large volumes of records.

The CMS has also asked stakeholders to share the key features and learning capabilities an AI solution needs in order to improve accuracy and prevent errors, lessons learned from implementing AI solutions, how AI could improve the efficiency and accuracy of hospital billing, solutions that could address coding issues that lead to overpayments and underpayments, and how AI solutions could be used for compliance oversight.

While there is tremendous potential for AI tools to be used in fraud prevention and detection, they must not come at the expense of the privacy of Medicare and Medicaid beneficiaries. There will also need to be robust safeguards and oversight to ensure that legitimate and necessary medical care for law-abiding Americans is not put at risk.

The post HHS Issues RFI Seeking Input on AI Tools and Methodologies for Healthcare Fraud Prevention appeared first on The HIPAA Journal.

Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses

An audit of the Utah Department of Health and Human Services (DHHS) by the Office of the Utah State Auditor has identified privacy and security weaknesses that are putting the health information privacy of state residents at risk, especially children.

The audit was conducted in response to a complaint by a DHHS whistleblower employee who alleged that the DHHS had not implemented adequate incident response procedures and had insufficient monitoring mechanisms for detecting and managing privacy incidents. According to the complainant, the deficiencies have resulted in under-reporting of incidents and unmitigated exposure of sensitive data, especially the data of children.

The audit was led by Tina M. Cannon, State Auditor; Nora Kurzova, State Privacy Auditor; and Mark Meyer, Assistant State Privacy Auditor, and involved a review of applicable laws related to incident response and data protection, a privacy risk assessment of the most significant data processing activities as they relate to children, an evaluation of incident response documentation and internal privacy and cybersecurity monitoring controls, and interviews with certain DHHS employees, including members of its Information Privacy and Security (IPS) team.

The audit was limited in scope and focused on two systems: SAFE and eChart. SAFE is the Comprehensive Child Welfare Information System (CCWIS) for the State of Utah, Division of Child and Family Services (DCFS), and is used to support child welfare case management, including child abuse and neglect cases. The system currently contains around 6 million records relating to more than 2 million individuals. eChart is the central repository of records related to patients with mental health needs. It is maintained by the Utah State Hospital (USH) and currently holds records relating to more than 10,500 individuals.

The audit uncovered several privacy and security weaknesses, including weaknesses in oversight, awareness, and internal controls, which allow privacy violations to go undetected and unaddressed for extended periods. The auditors identified systemic issues in both the SAFE and eChart systems related to access controls, records dissemination, and monitoring across systems and teams handling sensitive records, including mental health and child welfare.

Access controls in both systems were inadequate: sensitive records could be accessed without role-based, least-privilege access being enforced or adequately monitored. Users could open records for individuals outside their own workload without providing any justification for the access. Broad access to SAFE records had been granted to individuals other than DHHS social workers, including the Utah Office of Guardian ad Litem, the Utah Psychotropic Oversight Panel (UPOP), and the Office of the Attorney General. The eChart system had similar problems: users are expected to decide for themselves what range of viewing access is appropriate, and nothing prevents them from accessing the records of individuals outside their caseload. The lack of protection was given a critical risk rating.

Although user access to records is logged, there was no automated system for monitoring those logs. Each month, the division’s privacy officer reviewed access logs through a manual sampling process, and there was no mechanism for real-time alerts about suspicious medical record access. Data retention periods were also unnecessarily long, creating an accumulating long-term exposure risk: some records in the SAFE system had a retention period of 100 years, when the typical retention period is 7 to 10 years.
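As an added example, not code from the audit or from the SAFE or eChart systems, the Python script below shows the kind of automated, caseload-scoped monitoring the auditors found missing. It parses a constructed set of access-log lines, flags every access to a record outside the user’s assigned caseload that carries no justification, and raises a separate alert when a user opens several out-of-caseload records in a short window, which is the pattern a monthly manual sample is least likely to catch. The log format, the caseload table, the user names and record IDs, and the thresholds are all assumptions made for illustration.

```python
"""Caseload-scoped access monitoring for a sensitive-records system.

Added example; not code from the Utah audit or the SAFE/eChart systems.
The log format, caseload table, and thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed caseload table: user -> record IDs the user is assigned to.
# A reviewer with an empty caseload must justify every access.
CASELOADS = {
    "jdoe": {"R-1001", "R-1002", "R-1003"},
    "asmith": {"R-2001", "R-2002"},
    "audit01": set(),
}

# Constructed access log: tab-separated timestamp, user, record ID, justification.
SAMPLE_LOG = """\
2026-03-02T09:00:12Z\tjdoe\tR-1001\t
2026-03-02T09:01:40Z\tjdoe\tR-1002\t
2026-03-02T09:03:05Z\tjdoe\tR-2001\t
2026-03-02T09:03:30Z\tasmith\tR-2002\t
2026-03-02T09:04:00Z\taudit01\tR-1003\tQA review ticket 4412
2026-03-02T09:05:00Z\taudit01\tR-2002\t
2026-03-02T10:00:00Z\tasmith\tR-3001\t
2026-03-02T10:00:10Z\tasmith\tR-3002\t
2026-03-02T10:00:20Z\tasmith\tR-3003\t
2026-03-02T10:00:30Z\tasmith\tR-3004\t
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    record_id: str
    justification: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse tab-separated log lines into AccessEvent objects; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Pad to four fields so a line with no justification column still parses.
        ts, user, record_id, justification = (line.split("\t", 3) + [""])[:4]
        events.append(AccessEvent(
            datetime.fromisoformat(ts.replace("Z", "+00:00")),
            user, record_id, justification.strip()))
    return events


def out_of_caseload(events, caseloads):
    """Flag every access to a record outside the user's caseload that has no justification."""
    alerts = []
    for e in events:
        if e.record_id not in caseloads.get(e.user, set()) and not e.justification:
            alerts.append(Alert("out_of_caseload", e.user,
                                f"{e.record_id} opened at {e.ts.isoformat()} with no justification"))
    return alerts


def bulk_out_of_caseload(events, caseloads, threshold=3, window=timedelta(minutes=5)):
    """Alert once per user who opens >= threshold distinct out-of-caseload records within window.

    Justified accesses still count here: the volume rule is meant to catch bulk pulls
    that a per-record justification field alone would not.
    """
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.record_id not in caseloads.get(e.user, set()):
            per_user[e.user].append(e)
    alerts = []
    for user, evs in per_user.items():
        peak, start = 0, 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, len({x.record_id for x in evs[start:end + 1]}))
        if peak >= threshold:
            alerts.append(Alert("bulk_out_of_caseload", user,
                                f"{peak} distinct records outside caseload within {window}"))
    return alerts


def monitor(log_text, caseloads=CASELOADS):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(log_text)
    return out_of_caseload(events, caseloads) + bulk_out_of_caseload(events, caseloads)


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

On the constructed log, the first rule flags jdoe’s one access outside caseload, audit01’s unjustified access, and all four of asmith’s accesses, while the justified audit01 access is not flagged; the second rule fires only for asmith, who opened four out-of-caseload records within thirty seconds. In a real deployment the caseload table would come from the case-management system of record, and both rules would run continuously over the log stream rather than over a monthly sample.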

There have been documented cases of intentional breaches occurring, as well as staff members accessing and disclosing records to the wrong person. There were reports of individuals posting sensitive data online, and staff members capturing unauthorized photos of patients or facilities. From the interviews, the auditors discovered that there was no well-known or secure mechanism to support anonymous reports of inappropriate access to medical records. As a result, staff and stakeholders could not raise concerns about potential wrongdoing or privacy and security issues without fear of retaliation from agency leadership or coworkers.

The auditors pointed out that a single compromised account could expose an entire data repository, putting individuals at risk of identity theft and fraud. Because children’s data is highly valuable to cybercriminals, and identity theft using children’s data can go undetected for years, robust access controls are vital. In summary, the privacy of minors, patients, and other vulnerable groups was put at risk by the lack of authentication and access controls; privacy incidents and breaches were under-detected because of inadequate monitoring; overretention of data created unnecessary risk; and broad, unchecked access heightened the threat of identity theft.

While privacy and security weaknesses were identified, no evidence was found to suggest any successful hacking incidents involving either the SAFE or eChart systems. The Office of the State Auditor made several recommendations for improving privacy and security, and the DHHS is in various stages of implementing those recommendations.

The post Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses appeared first on The HIPAA Journal.

HHS Office for Civil Rights Establishes Part 2 Enforcement Program

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.

In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.

The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.

The enforcement program uses newly established mechanisms of civil enforcement to protect the confidentiality of SUD records by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”

This is the first time that civil enforcement mechanisms have been established for Part 2, and they will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

OCR must be notified of any breach of SUD records, and the agency will investigate breaches to determine whether they resulted from noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including violations of the breach notification requirements for SUD records.

Complaints about potential Part 2 violations should be submitted via OCR’s complaint portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, and also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.

The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach: the name of the Part 2 program, state, individuals affected, breach submission date, type of breach, and the location of the breached information. When OCR has completed its investigation of a breach, the listing is moved to the archive with brief notes from OCR’s investigation. The breach portal only includes large breaches of SUD records, those affecting 500 or more individuals. Smaller breaches are not made public, although the breach reporting requirements are the same irrespective of the size of the breach.

The post HHS Office for Civil Rights Establishes Part 2 Enforcement Program appeared first on The HIPAA Journal.

Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit

The risk of sending unwanted marketing communications to consumers has been highlighted by a $10.5 million settlement with Kaiser Foundation Health Plan, which is alleged to have continued sending marketing text messages to individuals who opted out of receiving marketing communications.

Legal action was taken against Kaiser Foundation Health Plan, doing business as Kaiser Permanente, by Jonathan Fried, who alleged that the defendant violated federal and Florida state law by continuing to send marketing text messages after he had submitted an opt-out request to stop receiving the communications.

The lawsuit, Jonathan Fried v. Kaiser Foundation Health Plan, Inc., d/b/a Kaiser Permanente, was filed individually and on behalf of similarly situated individuals over the alleged sending of unwanted text messages marketing Kaiser Permanente’s products and services. According to the lawsuit, the defendant sent or failed to stop further messages from being sent after consumers replied with the word STOP or performed a similar opt-out instruction. According to the lawsuit, the failure to honor the opt-out requests violated the federal Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA). The violations are alleged to have occurred between January 21, 2021, and August 20, 2025.

Kaiser maintains there was no wrongdoing and denies and continues to deny the allegations in the lawsuit; however, a settlement was agreed to bring the litigation to an end to avoid the cost of a trial and related appeals, and the risks and uncertainties for both sides from continuing with the litigation. Kaiser has agreed to pay up to $10,500,000 to settle the litigation. The settlement fund will cover attorneys’ fees and expenses, a service award for the class representative, settlement administration costs, and cash payments for the class members.

There are two settlement classes, one applying to all individuals in the United States who were sent more than one text message regarding the defendant’s goods or services in any 12-month period between January 21, 2021, and August 20, 2025, after replying to a message with STOP or performing a similar opt-out instruction. The Florida FTSA class includes all persons who resided in Florida and received more than one text message between the same dates about the defendant’s goods or services at least 15 days after opting not to receive the communications.

Class members who submit a valid claim will receive a payment of up to $75 per qualifying text message they received. If the number of claims exceeds the funds in the settlement, then claims will be paid pro rata. Should any funds remain in the settlement fund after all claims have been paid, then they will be refunded to Kaiser.

The settlement has received preliminary approval from the court, and claims must be submitted by February 12, 2026. The deadline for opting out and exclusion from the settlement is December 29, 2025. The final approval hearing has been scheduled for January 28, 2026.

The post Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit appeared first on The HIPAA Journal.

HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data

New legislation – the Health Information Privacy Reform Act – has been introduced to improve privacy protections for health information that is not currently covered by the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, there are strict limits on uses and disclosures of personally identifiable health information, and safeguards must be implemented to prevent unauthorized access to physical and electronic protected health information. The problem for consumers is that the scope of HIPAA is quite narrow. HIPAA only applies to health information that is created, collected, maintained, stored, or transmitted by a HIPAA-covered entity (a healthcare provider, health plan, or healthcare clearinghouse) or a business associate of a HIPAA-covered entity.

Health apps, such as ovulation and fertility tracking apps, can collect large amounts of personally identifiable health information. While the health data would be classed as protected health information (PHI) and be subject to HIPAA protections if it were collected by a healthcare provider, the health information collected by health apps, smartwatches, and other wearable devices is rarely protected by HIPAA or the HITECH Act of 2009, which applies to certified health information technologies.

When HIPAA was enacted in 1996, health information was generally only collected and stored by healthcare providers, health plans, healthcare clearinghouses, and vendors of those entities; today, technologies that collect health data are widely used outside of a hospital or doctor’s office.

While there are federal laws that apply to non-HIPAA-protected health data, such as Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, they are not as stringent as HIPAA. Some states, such as California, have introduced legislation to improve privacy protections for non-HIPAA health data, but state laws are patchy. Privacy protections can differ considerably from state to state.

U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is looking to change that with the Health Information Privacy Reform Act. The Health Information Privacy Reform Act seeks to expand health privacy protections to account for new technologies such as health apps, smartwatches, and other wearable devices.

“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Sen. Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

The Health Information Privacy Reform Act will apply to health technologies not covered by HIPAA or the HITECH Act and seeks to expand protections to include non-HIPAA-regulated entities, such as healthcare providers that only accept out-of-pocket payments.

The bill requires the Secretary of the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to promulgate privacy, security, and breach notification standards to cover all health information not covered by HIPAA or the HITECH Act. Those standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with, the protections provided through the privacy, security, and breach notification rules promulgated under [HIPAA and the HITECH Act].”

Covered entities will be required to disclose to consumers how their private health information will be used and disclosed. The bill requires the HHS to formulate permitted uses and disclosures for when individual authorization is not required, set authorization requirements, and establish a set of prohibited uses and disclosures.

As with HIPAA, there will be minimum necessary requirements to ensure that uses and disclosures are limited to the minimum necessary information to achieve the purpose for which health information is used or disclosed. The bill will give individuals rights over their health information, such as the right to receive a privacy notice, access their health data, request an amendment/deletion of data, and requires covered health information to be portable.

Physical, technical, and administrative safeguards must be implemented, including safeguards for electronic health information based on established national frameworks such as the NIST Cybersecurity Framework or the HHS health sector cybersecurity performance goals. In the event of a breach of covered health information, notifications are required, in line with those of the HIPAA Breach Notification Rule.

Within one year of the bill being passed, the Secretary of the HHS is required to establish unified national standards for rendering health information de-identified, similar to the de-identification requirements of HIPAA, and publish guidance on the application of the minimum necessary standard to data used for artificial intelligence and other machine learning applications.

The bill also requires the HHS to contract with the National Academies of Sciences, Engineering, and Medicine to conduct a study to identify the risks and benefits of paying compensation to patients for sharing their personal health data for research purposes.

The Health Information Privacy Reform Act preempts state law in the same way HIPAA does: states remain free to impose stronger privacy requirements should they so wish, although that could lead to a complex patchwork of privacy protections.

The HHS, in consultation with the FTC, will be authorized to enforce all provisions of the Health Information Privacy Reform Act, and may impose civil monetary penalties for noncompliance, in line with existing penalty structures.

Similar privacy laws have been proposed in the past to address the lack of privacy protections for non-HIPAA-covered health data, as well as numerous attempts to pass a national data privacy law, all without success. It remains to be seen whether the Health Information Privacy Reform Act can gain sufficient support to get it over the line.

The post HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data appeared first on The HIPAA Journal.

American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare

The American Hospital Association (AHA) has responded to a September 2025 request for information (RFI) from the Office of Science and Technology Policy (OSTP) on regulatory reform on artificial intelligence (AI) to promote innovation and adoption.

The Trump administration is committed to ensuring the United States achieves global dominance in AI and issued the RFI to obtain feedback from businesses and the public on current federal regulations that are hampering AI adoption and innovation. AI has tremendous potential in healthcare, including analyzing and interpreting medical images, aiding clinicians with decision-making, streamlining operations, and easing the considerable administrative burden faced by providers. While AI tools have been adopted in healthcare, the AHA says hospitals and health systems have merely scratched the surface of the potential uses to support them and the patients they serve.

In order to accelerate innovation and adoption, the AHA believes regulations need to be eased. In its response, the AHA explained that around one-quarter of healthcare spending goes on administrative tasks, amounting to around $1 trillion annually. Feedback from member hospitals and health systems indicates that regulatory administrative burdens are contributing to the financial instability of many hospitals, around 40% of which are now operating with negative margins.

The AHA has already voiced opposition to further administrative burdens and costs related to the proposed update to the HIPAA Security Rule and has welcomed the Trump administration’s recognition that overly restrictive regulations lead to higher costs, hamper competition, and stifle innovation. AHA members have voiced their concern that excessive regulation of AI is likely to severely limit adoption and innovation. Given the potential for AI to improve efficiency and enhance the quality of care, a balance needs to be struck between regulation that ensures patient safety and sufficient flexibility to support innovation.

In the letter to the OSTP, Ashley Thompson, the AHA’s senior vice president of public policy analysis and development, explained that current administrative burdens have forced many hospitals to scale back patient services or close, and that excessive regulatory and administrative burdens have added unnecessary cost and reduced patient access to care. To ensure the full potential of AI in healthcare, the AHA makes four main recommendations for AI reform: leveraging existing policy frameworks to avoid redundancy; removing regulatory barriers; ensuring AI is used safely and effectively; and providing incentives and infrastructure investment to expand the use of AI in healthcare.

Current regulatory frameworks were developed around human clinicians and discrete medical device updates, which may create challenges if the same frameworks are applied to continuously updating AI tools; however, creating a new regulatory framework for AI could result in redundancy and inefficiency. The AHA recommends that any AI policies be synchronized with existing regulatory frameworks such as HIPAA, the HHS cybersecurity performance goals, FDA rules on premarket testing, and the CMS Medicare Advantage regulations.

The AHA recommends removing regulatory barriers that could stifle innovation, explaining that the current patchwork of state privacy laws and the 42 CFR Part 2 regulations has had a direct impact on the ability of hospitals to develop and deploy AI tools. The AHA has already responded to several problematic aspects of the proposed HIPAA Security Rule update, and recommended voluntary, consensus-based cybersecurity practices such as the HHS cybersecurity performance goals, rather than further regulation. The AHA suggests the Trump administration work with Congress to address HIPAA preemption, recommending the enactment of full HIPAA preemption, as varying state laws are currently creating complications for its members. Further, the AHA supports the removal of all remaining requirements under the Part 2 regulations, which are hindering access to important health information and impacting the ability of substance use disorder (SUD) providers to leverage AI tools for care delivery.

Regarding patient safety, the AHA recommends that trained clinicians be kept in the decision loop for algorithms that may impact access to care or care delivery, that consistent privacy and security standards be applied to third-party vendors, and that policies be implemented that include post-deployment standards for AI healthcare tools to ensure the ongoing integrity of those tools.

The AHA has also stressed that infrastructure needs to be improved to support the adoption of AI tools. For instance, hospitals in rural areas often lack reliable broadband and Wi-Fi access, which has proven to be a barrier to digital services and the adoption of AI tools. Incentives should be aligned to support AI adoption, as inadequate reimbursement has meant that many providers do not have the necessary resources to invest in the infrastructure to support the adoption of AI tools. The AHA also encourages cross-agency collaboration to develop training and potential grant funding opportunities to support patient educational efforts on digital health tools.

The post American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare appeared first on The HIPAA Journal.

California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Protection Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.

The post California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers appeared first on The HIPAA Journal.