On August 26, 2025, Robert F. Kennedy Jr., Secretary of the U.S. Department of Health and Human Services (HHS), delegated the authority to administer and enforce the Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (Part 2) to the HHS’ Office for Civil Rights (OCR).

OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, ensures the confidentiality, integrity, and availability of personally identifiable health information collected, stored, maintained, or transmitted by HIPAA-regulated entities. The HIPAA Rules have provisions concerning data security and uses and disclosures of personally identifiable information related to past, present, and future health; however, due to the high level of sensitivity of SUD records, they are afforded greater protection under the Part 2 regulations.

The Part 2 regulations were promulgated in 1975 to ensure that patients receiving treatment for a SUD in a Part 2 Program do not face adverse consequences related to criminal proceedings and domestic proceedings such as child custody, divorce, or employment. The Part 2 regulations restrict uses and disclosures of SUD records, which are kept separate from other health records, such as those regulated by HIPAA. Generally, Part 2 Programs are prohibited from disclosing any information that could identify a person as having or having had a SUD without written consent.

While there are important reasons for greater protections for SUD records, having two sets of regulations for different types of health information creates compliance challenges. The two sets of regulations hamper care coordination, stifle information sharing, and may put patients at risk. For instance, the separation of SUD records from general health records could result in a physician making a treatment decision based on incomplete information, such as prescribing opioids to a patient recovering from opioid addiction.

There have been growing calls for the Part 2 regulations to be more closely aligned with HIPAA to improve care coordination and address some of the current compliance challenges. In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted, which directed the HHS to engage in further rulemaking to better align the Part 2 regulations with HIPAA. The HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, issued a Final Rule in 2024 implementing changes to better align the two sets of regulations to improve care coordination, strengthen confidentiality protections through civil enforcement, and align certain requirements of the Part 2 regulations with HIPAA. The compliance deadline for the Final Rule is February 16, 2026.

Two of the changes relate to privacy violations and data breaches. The Final Rule gives individuals the right to file complaints about violations of the Part 2 regulations, and the subject of SUD records must be notified about breaches of their Part 2 records, as is the case for violations of HIPAA and breaches of HIPAA-covered data. RFK Jr. has now delegated the administration and enforcement responsibilities of the Part 2 regulations to OCR. The Director of OCR has the authority to redelegate those responsibilities.

Specifically, per the Secretary’s Statement of Delegation of Authority published in the Federal Register on August 27, 2025, OCR will be able to:

• Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with the requirements of Part 2 regulations, as amended by the Final Rule
• Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with the Part 2 regulations, as amended by the Final Rule
• Make decisions regarding the interpretation, implementation, and enforcement of the Part 2 regulations, as amended by the Final Rule

The post Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations appeared first on The HIPAA Journal.

Texas Governor Greg Abbott has signed a bill into law that provides physicians in the state with a 3-day window to review sensitive medical test results and communicate the findings to patients before they are notified electronically, and the test result is added to their electronic medical record.

Senate Bill 922, titled Relating to the disclosure of certain medical information by electronic means, was introduced by Sen. Kelly Hancock (R-North Richland Hills) and Rep. Caroline Fairly (R-Amarillo) in response to calls from physicians in the state to give them time to review sensitive test results and communicate that information to patients.

The bill was in response to a provision of the 21st Century Cures Act that required the immediate release of health information to patients’ information portals. Since the spring of 2021, test results have been sent to patients’ information portals immediately. While rapid access to health information has its benefits, there have been many cases where patients have received a cancer diagnosis via their smartphone rather than have the results explained by a physician in an informative and compassionate manner.

“As an oncologist, I’ve had many conversations with patients about their cancer-related tests. It is always a confusing and scary time for them, as the results can be life-changing. Oncologists are trained to convey this information in a timely, informative, and supportive manner so that patients understand not only what the test means but what options they have. This is an opportunity to offer hope and reassurance to the patient,” explained David Gerber, MD, on behalf of the Texas Medical Association in testimony provided to the House Public Health Committee.

Dr. Gerber testified about many horror stories, such as patients being alerted about a cancer diagnosis via a smartphone notification during a business dinner, while reading a bedtime story to a young child, and during the commute to work. Dr. Gerber estimated that as many as three in four patients received pathology test results before the physician who ordered the test had viewed them. “Although this bill places a brief pause on the electronic transfer of some test results to a patient, it allows for a physician to call a patient with the results at any time,” Dr. Gerber said. “Giving the right information, rather than just the fastest information.”

The new law will take effect on September 1, 2025, and applies to pathology and radiology reports that have a reasonable likelihood of showing a finding of a malignancy, and any test result that may reveal a genetic marker. The new law will ensure that patients continue to receive timely medical information; however, there will be a 3-day delay from the finalization of the test results before they can be disclosed to a patient or the patient’s representative by electronic means.

The post New Texas Law Gives Physicians 3 Days to Communicate Sensitive Test Results to Patients appeared first on The HIPAA Journal.

The Federal Trade Commission (FTC) has announced settlements with two healthcare companies to resolve claims that they misled consumers seeking health insurance. In both cases, the companies were alleged to have deceived consumers seeking comprehensive health insurance into purchasing plans that did not provide the claimed level of coverage. The companies will pay a total of $145 million to the FTC to resolve the two complaints.

The biggest financial penalty was imposed on Assurance IQ, LLC, a Seattle-based company that sells short-term medical (STM) plans, limited benefit indemnity (LBI) plans, and supplemental healthcare plans, including vision and dental discount plans. According to the FTC complaint, Assurance’s telemarketers overstated the coverage provided by its policies. Most of the plans were sold on behalf of Benefytt Technologies, which was a third-party distributor of healthcare products for various carriers. Assurance received over $100 million in commissions for selling the policies on behalf of Benefytt. The FTC previously filed a complaint against Benefytt alleging deceptive acts and practices, which was resolved in 2022.

Assurance generated leads through its website, offering free quotes for affordable health insurance, as well as obtaining leads from third-party lead generators, and its outbound telemarketers contacted those consumers to sell them insurance products.  The Assurance website stated that its insurance products were equivalent to comprehensive health insurance and that it worked with leading health insurers such as Aetna, Humana, and Kaiser Permanente, but it did not sell any of their insurance products, and the policies sold to consumers did not provide comprehensive insurance coverage.

Its telemarketers were alleged to have misrepresented the features of the plans, leading consumers to believe they were purchasing comprehensive health insurance, when that was not the case. Consumers were also told they had coverage for pre-existing health conditions, when that was not the case, and there were other significant coverage restrictions. Consumers were also told there were no caps on benefits, but the policies had significant restrictions. The $100 million judgment resolves claims that Assurance violated the Telemarketing Sales Rule (TSR). Assurance has been prohibited from making express and implied misrepresentations to consumers and must have competent and reliable evidence to substantiate any claims about coverage.

The second settlement resolves a complaint against Los Angeles, CA-based MediaAlpha, Inc. and its operating subsidiary QuoteLab, which uses websites and online ads claiming to provide health insurance quotes. The leads generated are sold to telemarketers. According to the FTC, MediaAplpha sold 119 million consumer leads in 2024.

The FTC alleged the company used website domains with names that implied they were associated with the government, and claimed consumers could buy low-cost, comprehensive health insurance that complies with the Affordable Care Act. The company hired actors, celebrities, and a doctor for product promotion, including a fictitious government “Health Insurance Give Back Program,” and claimed that millions of Americans qualified for a health plan that cost $1 per day.

MediaAlpha’s partners used robocalls and telemarketing calls, including to people on the Do Not Call Registry, offering comprehensive low-cost health insurance coverage, but the health care plans provided by its partners rarely included the low-cost, comprehensive health insurance plans that consumers were promised.

The FTC alleged that MediaAlpha was in violation of the FTC Act, TSR, and Impersonation Rule, and obtained a $45 million consent judgment. MediaAlpha is prohibited from making misleading and false claims about the products it offers, must hand over the misleading domains it used, must monitor its partners to ensure they comply with the law in the future, and must obtain consent from consumers before selling or disclosing their personal information.

The post Companies Ordered to Pay $145 Million for Alleged Deceptive Health Insurance Marketing appeared first on The HIPAA Journal.

Users of the Flo Period & Ovulation Tracker app (Flo App) who sued Facebook (Meta) and others over the alleged collection and interception of their sensitive data without consent have won a landmark victory after a jury ruled in their favor and found that Meta had violated the California Invasion of Privacy Act.

The Flo App, developed and owned by Flo Health, is one of the most popular health and wellness apps. According to Flo Health, the app is the #1 mobile product for women’s health. At the time the lawsuit was filed, the app had been downloaded more than 180 million times and had over 38 million active monthly users. When individuals download the Flo App, they are asked to enter personal data and answer a series of personal questions about their sexual health, gynecological health, general health and well-being, and menstruation cycles. As they continue to use the app, they are asked to provide further sensitive information, including when they have their period, if they have had sex, whether they masturbated, any health symptoms, and their mood. Flo Health uses the information provided to predict their likely ovulation date and offers tailored health and wellness advice.

Flo Health provided repeated assurances that the information provided would remain private and confidential and would not be shared with any third parties, unless the user provided explicit consent; however, that was not the case, as sensitive data was shared with third parties via software development kits (SDKs) incorporated into the Flo App.

Several class action lawsuits were filed in response to the data disclosures against Flo Health, Facebook, Google, Appflyer, and Flurry. The lawsuits were consolidated in 2021, Frasco v. Flo Health, in the U.S. District Court for the Northern District of California. The plaintiffs alleged that “Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants,” through SDKs incorporated into the app. Data was shared with third parties such as Facebook, and could be used to assist with targeted advertising.

Flo Health was also alleged to have incorporated non-Flo defendants’ SDKs into the app and transmitted sensitive information to those companies. According to the lawsuit, “the Non-Flo Defendants, including two of the largest digital advertisers in the world, incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements, with the plaintiffs alleging occurred without their knowledge or consent.”

The lawsuit asserted fourteen claims for relief against Flo Health, the Flo defendants, and non-Flo defendants. Google and Flurry previously chose to settle with the plaintiffs, and Flo Halth followed suit last Thursday, settling for an undisclosed sum. Meta chose not to settle, and the trial proceeded to a jury verdict. The jury was asked to answer three questions, unanimously answering yes to the first two questions and no to the last.

• Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device?
• Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded?
• Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it?

The verdict could help to rein in tech firms’ collection of sensitive user data for use in targeted advertising. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” explained the plaintiffs’ lawyers in a statement about the verdict. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”

Meta vigorously disagrees with the outcome of the trial and is exploring all legal options and will likely appeal. “The plaintiffs’ claims against Meta are simply false,” according to a statement from Meta. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.

Hundreds of class action lawsuits have been filed over the use of tracking tools on websites and health apps, and there has been a flurry of settlements in recent weeks. It is rare for these lawsuits to proceed to trial due to the risk of verdicts such as this, with most defendants opting to limit their financial exposure by settling the litigation. Many of those lawsuits have yet to be resolved, including several complaints against Meta.

The post Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data appeared first on The HIPAA Journal.

Users of the Flo Period & Ovulation Tracker app (Flo App) who sued Facebook (Meta) and others over the alleged collection and interception of their sensitive data without consent have won a landmark victory after a jury ruled in their favor and found that Meta had violated the California Invasion of Privacy Act.

The Flo App, developed and owned by Flo Health, is one of the most popular health and wellness apps. According to Flo Health, the app is the #1 mobile product for women’s health. At the time the lawsuit was filed, the app had been downloaded more than 180 million times and had over 38 million active monthly users. When individuals download the Flo App, they are asked to enter personal data and answer a series of personal questions about their sexual health, gynecological health, general health and well-being, and menstruation cycles. As they continue to use the app, they are asked to provide further sensitive information, including when they have their period, if they have had sex, whether they masturbated, any health symptoms, and their mood. Flo Health uses the information provided to predict their likely ovulation date and offers tailored health and wellness advice.

Flo Health provided repeated assurances that the information provided would remain private and confidential and would not be shared with any third parties, unless the user provided explicit consent; however, that was not the case, as sensitive data was shared with third parties via software development kits (SDKs) incorporated into the Flo App.

Several class action lawsuits were filed in response to the data disclosures against Flo Health, Facebook, Google, Appflyer, and Flurry. The lawsuits were consolidated in 2021, Frasco v. Flo Health, in the U.S. District Court for the Northern District of California. The plaintiffs alleged that “Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants,” through SDKs incorporated into the app. Data was shared with third parties such as Facebook, and could be used to assist with targeted advertising.

Flo Health was also alleged to have incorporated non-Flo defendants’ SDKs into the app and transmitted sensitive information to those companies. According to the lawsuit, “the Non-Flo Defendants, including two of the largest digital advertisers in the world, incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements, with the plaintiffs alleging occurred without their knowledge or consent.”

The lawsuit asserted fourteen claims for relief against Flo Health, the Flo defendants, and non-Flo defendants. Google and Flurry previously chose to settle with the plaintiffs, and Flo Halth followed suit last Thursday, settling for an undisclosed sum. Meta chose not to settle, and the trial proceeded to a jury verdict. The jury was asked to answer three questions, unanimously answering yes to the first two questions and no to the last.

• Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device?
• Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded?
• Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it?

The verdict could help to rein in tech firms’ collection of sensitive user data for use in targeted advertising. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” explained the plaintiffs’ lawyers in a statement about the verdict. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”

Meta vigorously disagrees with the outcome of the trial and is exploring all legal options and will likely appeal. “The plaintiffs’ claims against Meta are simply false,” according to a statement from Meta. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.

Hundreds of class action lawsuits have been filed over the use of tracking tools on websites and health apps, and there has been a flurry of settlements in recent weeks. It is rare for these lawsuits to proceed to trial due to the risk of verdicts such as this, with most defendants opting to limit their financial exposure by settling the litigation. Many of those lawsuits have yet to be resolved, including several complaints against Meta.

The post Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data appeared first on The HIPAA Journal.

Oklahoma has enacted a bill that amends its data breach notification statute. The definition of personal information warranting notifications has been broadened, and the state Attorney General must be notified about any breach of the personal information of 500 or more state residents, or 1,000 or more residents for a breach of credit bureau systems.

Individual notifications must be issued without unreasonable delay, and the state Attorney General must be notified within 60 days of individual notifications being mailed. The Attorney General must be informed of the date of the breach, the date it was determined that a data breach had occurred, the nature of the breach, the type(s) of information exposed or stolen, the number of state residents affected, any reasonable safeguards that the entity has implemented, and the estimated monetary impact of the breach, if it can be determined.

Entities that are compliant with the Health Insurance Portability and Accountability Act (HIPAA), the Oklahoma Hospital Cybersecurity Protection Act, and/or the Gramm-Leach-Bliley Act (GBLA) will be deemed to be compliant with the new data breach notification requirements provided that notify the state Attorney General about any breach of personal information within 60 days of issuing individual notifications.

Notifications are required when there has been a breach of unencrypted computerized personal information, which is an individual’s first name or first initial and last name in combination with one or more of the following: Social Security number, driver’s license number, other unique identification number created or collected by a government entity, financial information (financial account or debit/credit card number when combined with an expiration date, security code, access code, or password that would permit access).

The update adds the following other types of information to the list:

• Unique electronic identifier or routing code plus a required security code, access code, or password that permits access to a financial account.
• Unique biometric data (e.g., fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual).

If the cost of notification exceeds $50,000, or if sufficient contact information is not held to allow notifications to be issued, then a substitute notice is acceptable, which can be an email notice (if email addresses are held), a conspicuous posting on the breached entity’s website (if a website is owned), and a notice to statewide media. Two of those three options are required to meet the substitute notice requirements.

Entities will be shielded from civil monetary penalties, which are up to $150,000 per breach, if they employ “reasonable safeguards” and issue breach notifications. Reasonable safeguards are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information.” These can include risk assessments, technical and physical layered defenses, employee training on secure data handling, and having an incident response plan. The new law, as implemented by Senate Bill 626, will take effect on January 1, 2026.

The post New Data Breach Notification Requirements in Oklahoma appeared first on The HIPAA Journal.

The Federal Trade Commission (FTC) has proposed a $1.9 million settlement to resolve claims that Evoke Wellness, a Florida-based substance use disorder treatment clinic, engaged in deceptive business practices and deliberately misled consumers who were seeking substance use disorder treatment by pretending to be other clinics.

According to the January 2025 complaint, Evoke Wellness, LLC, Evoke Health Care Management, and their officers, Jonathan Mosley and James Hull, conducted a deceptive Google Ads campaign targeting consumers conducting online searches for substance use disorder treatment clinics. According to the FTC, the campaign used the specific names of other clinics as keywords to ensure Evoke’s ads appeared when searches were made for those clinics. The ads prominently displayed the names of the impersonated clinics, misleading consumers into calling the telephone number for Evoke’s telemarketing call center.

When the number was called, the Evoke telemarketers would explain that they had reached a centralized admissions office or an addiction treatment hotline, rather than an Evoke call center. Even when the caller maintained that they wanted to deal with the specific clinic they were trying to reach, the telemarketers continued with the deception, falsely claiming they had a relationship with that clinic.

In the complaint, the FTC alleged that the campaign ran over 2 years from 2021 through 2023 and involved at least 68,510 misleading Google search ads. The campaign is alleged to have generated at least 3,500 calls from individuals seeking treatment for substance use disorder. The FTC alleges that Evoke’s conduct violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018.

The consent order imposes a $7 million civil monetary penalty on the defendants to resolve the FTC’s claims; however, only $1.9 million is payable due to the defendants’ financial position. The consent order prohibits Evoke from impersonating other businesses and substance use disorder clinics, and engaging in deceptive advertising practices such as using competitors’ names in search engine advertisements and making misrepresentations related to their substance use disorder services. Evoke is also required to establish a compliance program that must include monitoring its call centers for misrepresentations and taking corrective action against any agent who violates the consent order.

Should Evoke be later found to have violated the terms of the consent order, the suspended portion of the civil monetary penalty will become immediately payable. The proposed consent order was filed in the U.S. District Court for the Southern District of Florida and now awaits approval from the District Court Judge. “Opioids have ravaged American communities, killing well over one hundred Americans per day and ruining the lives of countless others,” said FTC Chairman Andrew N. Ferguson. “Today’s settlement helps consumers affected by opioid addiction navigate their path to recovery by preventing fraudsters from leading them astray.”

The post FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign appeared first on The HIPAA Journal.

Companion bills have recently been introduced in the House of Representatives and the Senate that seek to make violent attacks on employees of hospitals and healthcare organizations a federal crime. Data released by the U.S. Bureau of Labor Statistics in 2018 revealed that healthcare workers are five times more likely to experience violence in the workplace than workers in other industries. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence, and there was an increase in violent incidents during the COVID-19 pandemic.

In January 2024, a poll conducted by the American College of Emergency Physicians revealed that 91% of respondents had either personally experienced violence in the workplace or were aware of a colleague who was a victim of violence in the past year. 40% of respondents said they knew of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death. Last year, the American College of Surgeons reported an increase in violence against surgeons. Jay J. Doucet, MD, MSc, FRCSC, FACS, director of the trauma division at the University of California (UC) San Diego Health, said, “We’ve had six surgeons killed in the last few years.”

While many incidents are perpetrated by patients in emergency rooms and psychiatric units, healthcare workers are also assaulted in other settings, including home health, doctor’s surgeries, maternity units, and elsewhere, and not just by patients. There have been reports of violent behavior from visitors, intimate partners, outsiders, and coworkers.

Violence in the workplace is contributing to an increase in work-related stress, burnout, and job dissatisfaction, and has led many workers to quit the profession. The risk of violence is also making recruitment more difficult. A 2024 National Nurses United Report warned that high and rising rates of workplace violence and employer failure to implement effective prevention strategies are contributing to the current staffing crisis. A 2023 survey revealed that almost half of nurses (45.5%) reported an increase in workplace violence in the past year, and six in 10 nurses reported having either changed or left their job or profession or considered doing so due to workplace violence.

The increase in violence against healthcare workers has prompted bipartisan legislation to make attacks on healthcare workers a federal crime. The bipartisan Save Healthcare Workers Act was introduced last month in the Senate (S.1600) by Sens. Cindy Hyde-Smith (R-MI) and Angus King (I-ME), and the companion House bill (H.R. 3178) by Reps. Mariannette Miller-Meeks (R-IA) and Madeleine Dean (D-PA).  The proposed legislation would give healthcare workers similar protections as workers in the airline industry.

There have been previous attempts to introduce similar legislation, such as the Safety from Violence for Healthcare Employees (SAVE) Act in 2023, but none have been successful. While around thirty states have introduced laws that make attacks on healthcare workers a felony, federal legislation is required to discourage attacks and ensure the perpetrators face appropriate justice.

“State and local authorities are now and will continue to be responsible for prosecuting the overwhelming majority of violent crimes in the United States, including assault and intimidation against hospital employees,” according to the bill. “These authorities can address the problem of assault and intimidation against hospital employees more effectively with greater Federal law enforcement involvement… existing Federal law is inadequate to address the problem.”

The legislation calls for federal prison sentences of up to 10 years for attacks on healthcare workers, and enhanced penalties for acts of violence against healthcare workers involving a deadly or dangerous weapon or inflicting bodily injury. Those more serious attacks, as well as violent acts committed during emergency declarations, would be punishable with a jail term of up to 20 years. The legislation has exemptions from prosecution for individuals with intellectual or physical disabilities.

“I believe the federal government can help deter violence and keep our healthcare workers safe by establishing stronger penalties for those who assault hospital employees,” Hyde-Smith said. “Our legislation will protect these workers and, importantly, the people who rely on their care.”

The post Legislation Introduced to Make Violence Against Healthcare Workers a Federal Crime appeared first on The HIPAA Journal.