On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a quality standard memorandum (QSO Memo) updating and revising a memorandum it issued on January 5, 2018, to now permit the texting of patient orders among members of the patient’s health care team. CMS’s 2018 memorandum clarified CMS’s then-current position that texting of patient orders did not comply with the hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) regarding medical records. Among other things, the applicable CoPs require hospitals and CAHs to retain medical records in a manner that retains author identification information and protects the security of the records. The CoPs also require that records are promptly completed and filed. In 2018, CMS believed that few hospitals and CAHs had the technological capability to integrate text messages into a patient’s medical record in a manner compliant with the CoPs and the Health Insurance Portability and Accountability Act (HIPAA). As a result, CMS stated that orders should either be handwritten into the medical record or transmitted via computerized provider order entry (CPOE) and placed into the medical record.

In reversing its 2018 guidance, CMS now recognizes advances in technology, including encryption and interfaces between texting platforms and electronic health record systems (EHRs) can enable hospitals and CAHs to comply with the CoPs through the texting of patient orders. CMS cautions hospitals and CAHs that permit texting of orders to ensure that they use secure, encrypted platforms, maintain the integrity of author identification and comply with HIPAA, including the HIPAA security rule. Texted orders must also be promptly filed in the EHR. The CMS expects that hospitals and CAHs will regularly review the security and integrity of their texting platforms.  

While CMS still prefers the use of CPOEs when providers submit patient orders, the QSO Memo allows hospitals and CAHs additional flexibility, subject to the conditions of the QSO Memo, including HIPAA compliance.

On February 8, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule (Final Rule) updating federal “Part 2” regulations to more closely align the requirements applicable to substance use disorder (SUD) treatment records with the HIPAA privacy rule, and to make certain other changes. The regulations at 42 CFR Part 2 have long set forth strict rules governing the uses and disclosures of medical records of certain SUD treatment facilities and programs. HHS is now proposing to scale back those rules slightly, in accordance with statutory changes to federal law governing the privacy of SUD records in the 2020 “CARES Act” legislation enacted in response to COVID-19.[i] This Final Rule follows a proposed rule issued by HHS on December 2, 2022, which we previously analyzed here.

The Final Rule is anticipated to take effect on April 16, 2024 (60 days from the anticipated publication date of February 16). The compliance date by which individuals and entities must comply with the Final Rule’s requirements is February 16, 2026 (except as specifically tolled in the Final Rule).

Below we provide a high-level summary of the changes included in the Final Rule.  We will supplement this analysis in the coming days with additional detailed reviews of certain of these changes referenced below. 

The key updates in the Final Rule include:

  • Consent: A long-standing tenet of the Part 2 regulations was that SUD records could not be used or disclosed without specific patient consent, except in very narrow circumstances.  The Final Rule updates this regulation to allow a patient to give a single, broad consent that covers all future uses and disclosures of Part 2 records for treatment, payment, and health care operations purposes (as defined under the HIPAA privacy rule), subject to certain exceptions (hereinafter, “TPO Consent”). This alignment with the HIPAA privacy rule is an important development to streamline compliance with the previously incongruent consent regimens under the Part 2 and HIPAA regulations across health systems and Part 2 programs (as defined under the Part 2 regulations).
  • TPO Consent Elements: The Final Rule indicates that a valid TPO Consent must have all of the required elements of a valid HIPAA authorization.
  • Redisclosures: The Final Rule newly allows Part 2 programs, as well as HIPAA-covered entities and business associates, who have received Part 2 records in accordance with TPO Consent, to “redisclose the records as permitted by the HIPAA regulations” except in proceedings against a patient requiring a court order or specific written consent, or until the patient revokes the consent.
  • SUD Counseling Notes: The Final Rule revises the definition of “SUD counseling notes” under the Part 2 regulations “to parallel the HIPAA psychotherapy note provisions,” which are subject to heightened confidentiality restrictions under Part 2 and HIPAA, respectively.
  • Segregation/Segmentation of Part 2 Records: The Final Rule states that a Part 2 program, or HIPAA-covered entity or business associate, which receives Part 2 records based on a single TPO Consent, is “not required to segregate or segment such records.” This may be an important clarification for health systems and other entities that rely on integrated and unified electronic health records.
  • Part 2 Record Breaches: Extends applicability of breach notification requirements consistent with those under HIPAA to breaches of Part 2 records.
  • Civil and Criminal Enforcement: The Final Rule incorporates HIPAA’s criminal and civil enforcement authorities into the Part 2 regulations, allowing for imposition of civil money penalties and other sanctions available under HIPAA for Part 2 violations.
  • Accounting of Disclosures: The Final Rule grants patients a new right to request an accounting of disclosures made by a Part 2 program based on a consent, for up to 3 years prior to the date of the accounting. However, the compliance date for this provision is tolled by HHS in the Final Rule until HHS revises the HIPAA privacy rule’s accounting for disclosures regulation to address disclosures through an electronic health record.

The Final Rule represents the latest in a series of efforts by HHS to more closely align HIPAA and Part 2 requirements and processes, in recognition of industry shifts to more integrated and coordinated medical, behavioral health, and SUD care. Health care organizations will need to assess the various provisions of the Final Rule closely to determine their compliance obligations and any necessary operational changes.

We will continue to monitor and track developments related to the Part 2 requirements and implications of this Final Rule.


[i] Coronavirus Aid, Relief, and Economic Security Act, Pub. L. No 116-136, 134 Stat 281 (27 March 2020) (CARES Act) – https://www.congress.gov/116/bills/hr748/BILLS-116hr748enr.pdf (codified in pertinent part at 42 U.S.C. 290dd–2).

This post was co-authored by Blair Robinson, a member Robinson+Cole’s Artificial Intelligence Team.

Artificial Intelligence (AI) has emerged as a major player in the realm of health care, promising to completely transform­ its delivery. With AI’s remarkable ability to analyze data, learn, solve problems, and make decisions, it has the potential to enhance patient care, improve outcomes, and foster innovation in the health care industry. In this blog post, we will delve into the guidance provided by the U.S. Department of Health and Human Services (HHS) regarding the application and development of AI in the health care sector. There is more guidance than one might think.

To address this transformative power of AI and machine learning, the Office of the Chief Artificial Intelligence Officer (OCAIO) has outlined a strategic approach to prioritize the application and development of AI across various HHS mission areas. OCAIO will focus on two major themes in AI adoption:

  1. Pioneering Health and Human Services AI Innovation: HHS will prioritize the application and development of AI and machine learning. This includes regulating and overseeing the use of AI in the healthcare industry and ensuring ethical and responsible implementation. Additionally, HHS aims to fund programs, grants, and research that leverage AI-based solutions to deliver improved outcomes for patients and healthcare providers.
  2. Collaborating and Responding to AI-Driven Approaches within the Health Ecosystem: Recognizing the dynamic nature of the healthcare landscape, HHS will collaborate with external partners, including academia, the private sector, and state, local, tribal, and territorial governments. HHS also aims to identify gaps and unmet needs in health and scientific areas that would benefit from government involvement and AI application.

To ensure effective governance and execution of these initiatives, HHS has established the AI Council and AI Community of Practice. The HHS AI Council plays a pivotal role in supporting AI governance, strategy execution, and the development of strategic AI priorities across the enterprise. Its objectives include effectively communicating and championing HHS’ AI vision and ambition, as well as governing and executing the implementation of the HHS enterprise AI strategy. By aligning efforts and fostering collaboration, the AI Council aims to expand the use of AI throughout the Department.

The AI Council will focus on four key areas to drive the adoption and innovation of AI within the healthcare sector:

  1. Cultivate an AI-ready workforce and foster an AI culture: HHS recognizes the importance of equipping healthcare professionals with the necessary skills to effectively leverage AI. By fostering a robust and responsible AI culture, HHS aims to create an environment that embraces technological advancements and encourages the integration of AI into healthcare practices.
  2. Promote health AI innovation and research and development (R&D): HHS is dedicated to promoting innovation in the healthcare industry through AI. By encouraging R&D, HHS aims to drive advancements in AI technology and its application in healthcare settings.
  3. Democratize foundational AI tools and resources: HHS aims to make foundational AI tools and resources accessible to all stakeholders in the healthcare ecosystem. By democratizing these tools, HHS seeks to empower healthcare providers, researchers, and other stakeholders to leverage AI for improved patient care and outcomes.
  4. Foster trustworthy AI use and development: Trustworthiness is a critical aspect of AI implementation in healthcare. HHS has committed to promoting the responsible and ethical use of AI, ensuring patient privacy, data security, and transparency.

HHS has also published a useful online portal collecting AI Regulations and Executive Orders. Subsequent blog posts will explore the AI Regulations and Executive Orders.

The HHS guidance underscores the significant role of AI in the health care industry and its unwavering commitment to harnessing its potential. By prioritizing the application and development of AI, collaborating with external stakeholders, and establishing effective governance structures, HHS aims to drive innovation, improve patient care, and enhance health outcomes. As AI continues to evolve, its integration into the vast and complex health care ecosystem holds immense promise for the future of health care. Health care organizations, including hospital systems, physician groups, laboratories, and other organizations in the health care industry, should consider following HHS’s guidance to embrace AI in a responsible, ethical, and legal manner.

Click here to learn more about the HHS AI approach. 

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The World Health Organization (WHO) recently published “Ethics and Governance of Artificial Intelligence for Health: Guidance on large multi-modal models” (LMMs), which is designed to provide “guidance to assist Member States in mapping the benefits and challenges associated with the use of for health and in developing policies and practices for appropriate development, provision and use. The guidance includes recommendations for governance within companies, by governments, and through international collaboration, aligned with the guiding principles. The principles and recommendations, which account for the unique ways in which humans can use generative AI for health, are the basis of this guidance.”

The guidance focused on one type of generative AI, large multi-modal models (LMMs), “which can accept one or more type of data input and generate diverse outputs that are not limited to the type of data fed into the algorithm.” According to the report, LMMs have “been adopted faster than any consumer application in history.” The report outlines the benefits and risks of LLMs, particularly the risk of using LLMs in the healthcare sector.

The report proposes solutions to address the risks of using LMMs in health care during development, provision, and deployment of LMMs and ethics and governance of LLMs, “what can be done, and by who.”

In the ever-changing world of AI, this is one report that is timely and provides steps and solutions to follow to tackle the risk of using LMMs.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Below is an excerpt of an article, co-authored with Antitrust and Trade Regulation Team lawyer Jen Driscoll and Internal Investigations and Corporate Compliance chair Ed Heath, published in the American Health Law Association’s Health Law Weekly newsletter on January 19, 2024.

Mergers and acquisitions in health care markets are viewed with heightened scrutiny by the Federal Trade Commission (FTC) and U.S. Department of Justice, Antitrust Division (Division) (collectively, the Agencies). These transactions may require further investigation to determine whether there will be anticompetitive effects, such as higher prices, in the affected market. As part of these investigations, the Agencies may issue civil investigative demands (CIDs) for documents and statements from third parties that do not have direct involvement in the transaction. The CID process can become a protracted and expensive undertaking if it is not properly managed from the outset by experienced counsel. This article provides an overview of current antitrust scrutiny of health care markets, and then offers guidance on how to effectively respond to CIDs in connection with the antitrust enforcement process. Read the full article.

On December 13, 2023, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule entitled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing” and known as “HTI-1” (Final Rule). Among other issues addressed in the Final Rule, ONC revised the information blocking rules to add clarity and to create a new information blocking exception. We outline these changes in further detail below. The information blocking provisions of the Final Rule will be effective 30 days after it is published in the Federal Register.

Continue Reading ONC’s HTI-1 Final Rule Updates Information Blocking Regulations

On November 15, 2023, the U.S Department of Justice (DOJ) announced a $45.6 million consent judgment (Settlement) with six skilled nursing facilities (SNFs), as well as the owner of the SNFs and its management company which managed the SNFs, to resolve alleged violations of the False Claims Act (FCA) tied to medical director arrangements violating the Anti-Kickback Statute (AKS). The Settlement is notable for its inclusion of the owner and the management company in addition to the SNFs, which indicates DOJ’s interest in scrutinizing the actions of individuals and management entities in connection with problematic arrangements under federal fraud and abuse laws.

Continue Reading DOJ Settlement Targets Owner and Management Company in Addition to Post-Acute Care Facilities

On October 31, 2023, the Office for Civil Rights (OCR) issued a press release announcing that it has settled with Doctors’ Management Services for $100,000 following a ransomware attack that compromised the protected health information of 206,695 individuals.

According to the press release, “this marks the first ransomware agreement OCR has reached.”  The facts underlying the settlement include that Doctors’ Management Services was infected with GandCrab ransomware in April of 2017, but the intrusion was not detected until December of 2018. Doctors’ Management Services filed a breach report in April of 2019.

The OCR says that it found evidence that Doctors’ Management Services failed to implement a risk analyses to detect risks and vulnerabilities to protect health information including insufficient monitoring or its systems to protect against a cyber attack and a failure to implement requirements of HIPAA to protect the data.

In addition to the $100,000 settlement, Doctors’ Management Services is required to implement a corrective action plan.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

On June 22, 2023, New York State Public Health Law § 2802-b, added a Health Equity Impact Assessment (HEIA) to the Certificate of Need (CON) process for certain health care facilities. The new requirement comes as part of larger legislative changes to the Public Health Laws passed in 2021. The new HEIA requirement applies to any CON applications submitted on or after June 22, 2023, except there is a partial carve out for Diagnostic and Treatment Centers whose patient population is 50 percent or more Medicaid eligible or uninsured. The Department of Health also issued regulations on June 29, 2023 (10 NYCRR 400.26). The purpose of the HEIA is to understand the health equity impact on a specific project, the impact it may have on medically underserved groups and to ensure community input and assessment are considered. The Department of Health has expressed that their vision is “to have health equity considerations meaningfully impact the planning and execution of health care facility projects.” (NYSDOH, Health Equity Impact Assessment, Webinar Series: Program Documents, September 14, 2023.)

Continue Reading New York Implements Health Equity Impact Assessment as New Requirement for Certificate of Need Process

On Wednesday, November 1, the Center for Medicare & Medicaid Services (CMS) released its Home Health Prospective Payment System Rate Update final rule for CY 2024 (the Final Rule). The Rule estimates that the aggregate increase to Medicare home health payments for 2024 will be 0.8 percent, or $140 million. This 0.8 percent increase results from the combined effects of three forecasted rate changes: (1) a 3.0 percent increase to home health payments, (2) a 2.6 percent decrease based on the permanent behavior assumption adjustment, and (3) a 0.4 percent increase resulting from an update to the fixed-dollar loss ratio, which is used to determine outlier payments. The 0.8 percent increase is a departure from the Proposed Rule, which estimated a cut in payments of up to 3 percent.

Continue Reading CMS Announces 0.8 Percent Aggregate Home Health Payment Increase in 2024