AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
Top Ten 2026: Health Privacy and Security Developments to Watch
Based on AHLA's annual Health Law Connections article, this special ten-part series brings together thought leaders from across the health law field to discuss the top ten issues of 2026. In the fifth episode, Jody Erdfarb, Partner, Wiggin and Dana LLP, speaks with Adam Greene, Partner, Davis Wright Tremaine LLP, about the health privacy and security developments that are taking center stage in 2026. They discuss the Part 2 and HIPAA notice of privacy practices changes (this podcast was recorded prior to the 2/16/26 deadline), the 2025 proposed amendments to the Security Rule, the 2021 proposed Privacy Rule changes, and state law developments. From AHLA’s Health Information and Technology Practice Group.
Watch this episode: https://www.youtube.com/watch?v=oLJjZ90I4Ww
Read AHLA's Top Ten 2026 article: https://www.americanhealthlaw.org/content-library/connections-magazine/article/a879dda5-35f9-46fb-ad45-1b0799343d74/Health-Law-Forecast-2026
Access all episodes in AHLA's Top Ten 2026 podcast series: https://www.americanhealthlaw.org/education-events/speaking-of-health-law-podcasts/top-ten-issues-in-health-law-podcast-series
Learn more about AHLA’s Health Information and Technology Practice Group: https://www.americanhealthlaw.org/practice-groups/practice-groups/health-information-and-technology
Learn more about the 10/29/25 AHLA webinar on Part 2: https://educate.americanhealthlaw.org/local/catalog/view/product.php?productid=1697
Essential Legal Updates, Now in Audio
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Stay At the Forefront of Health Legal Education
Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.
Welcome to AHLA's annual top 10 series, where we discuss the major health law trends and developments of 2026. Learn more about AHLA at americanhealthlaw.org.
SPEAKER_02: Hello everyone, and welcome to the AHLA Top 10 podcast on the health privacy and security developments to watch. My name is Jody Erdfarb. I'm a partner at Wiggin and Dana, based out of the Stamford, Connecticut office, and vice chair of the Health Information and Technology Practice Group, the HIT PG, part of the American Health Law Association. And it's my great honor to be here today to interview Adam Greene. I'm going to let him introduce himself, but he was the author of an article in the recent Health Law Connections publication, Health Law Forecast 2026. And Adam wrote about the topic we're going to be speaking about today, which is health privacy and security developments to watch in 2026. Adam, why don't you go ahead and introduce yourself?
SPEAKER_00: Thanks, Jody. So I'm Adam Greene. I'm a partner in the DC office of Davis Wright Tremaine. My practice focuses on health information privacy, security, breach response, and information blocking. And I'm a former HIPAA regulator way back when. And I'm also the chair of the HIT practice group. So lots going on in 2026. Jody, where do you want to get started?
SPEAKER_02: Right. Adam and I know we can talk about HIPAA and all the changes that are coming down the pike and coming quickly all day. We've done it before, but we're gonna stay focused today on the topics that Adam covered in his article. So first, and time-wise most importantly, we have the approaching February 16th deadline for the Part 2 changes and the HIPAA notice of privacy practices changes. For those of you who are not aware, we have this upcoming deadline. It seems like it is really soon now, but back when the proposed rule came out in 2024, well, the final rule came out in 2024, February 2026 seemed a lifetime away, and now it's around the corner. These are special rules that have been long anticipated, right? This is the Confidentiality of Substance Use Disorder Patient Records rule, commonly called Part 2, that people have been anticipating for a very long time, specifically since the CARES Act was passed in 2020. The goal was to align Part 2 and HIPAA. So I guess the first question for Adam: do you think that this rule accomplishes that goal?
SPEAKER_00: So it's unclear. I mean, there's actually some language in the rule that talks about, if information is received, if substance use disorder records are received by a HIPAA-regulated entity for purposes of treatment, payment, or healthcare operations, then it gets to be redisclosed under HIPAA. There's other language that says it has to be for treatment, payment, and healthcare operations. There's kind of confusion with respect to what kind of consent essentially frees substance use disorder information to become subject to HIPAA. So it's an area where I think, you know, there's some ambiguity, and that ambiguity may seem really in the weeds, but has a huge impact on really whether HIPAA-regulated entities get to treat this information as more or less PHI under HIPAA in general, or only if they have certain types of consent. So I think that's one of the big challenges. Overall, though, it's definitely improved the reconciliation between HIPAA and Part 2, but there's still a whole lot of additional obligations, particularly on Part 2 providers themselves, as opposed to lawful holders who subsequently received the information.
SPEAKER_02: Yeah, and I think as health law practitioners in this area, when we first read the rule, there was a lot of excitement, like, wow, they're making things so much easier. And then when you start reading it more and more closely, you're scratching your head, like, is this easier or is this harder? You know, the rule itself talks about how Part 2 programs no longer have to segregate Part 2 information. But when you actually read the rules, it seems impossible not to have to segregate the information if you're intending to comply with the more stringent rules that apply to the redisclosure of Part 2 information. So one of the things you mentioned in your article, which we've been hearing from so many of our clients, is this technology gap, right? The technology doesn't allow the providers in most cases to segregate the information in the way that the regulations seem to anticipate providers would be able to. How are you advising your clients to deal with that gap?
SPEAKER_00: It's tough. I mean, AHLA actually had a webinar a couple of months ago on Part 2, and we had someone from the EHR Association talking about things from their side. And you know, I think EHRs do have a lot of great capabilities that can be used here. But at the end of the day, I don't think a single EHR system that I'm aware of has a Part 2 button that allows you to essentially, you know, lock down Part 2 records in a way that fully complies with the Part 2 requirements. So for example, you can mark something as confidential, it can lock it down to a fair degree, but with medication lists and things like that, you might still have information that identifies that someone has a substance use disorder kind of flowing through. And you know, sometimes you may have to use consents to essentially offset the limitations of your technology. So if your technology can't stop, for example, a medication from going to the primary care physician that would identify a substance use disorder, then you may want to think about whether you have to kind of require a consent that says that that's gonna happen. Otherwise, you just have to accept the risk there.
SPEAKER_02: Yeah, so lots of challenges for those Part 2 programs, but pivoting for a minute to everyone who breathed a sigh of relief because they're not a Part 2 program, but then realized they have to worry about being lawful holders and changing their notice of privacy practices. And that's a big lift, because the notice of privacy practices is, you know, provided to lots of patients every single day, few of whom actually read it, except for the health lawyers that like to redline it and give it back to their doctors in the waiting room. But what do you think the biggest challenge is going to be with the revisions of these notices of privacy practices, and who's required to actually revise their notices?
SPEAKER_00: So February 16th, we have not one but two notice of privacy practices updates required. One of them is under Part 2, and that notice is only required for Part 2 programs. So, in short, kind of certain specialty programs that hold themselves out as providing substance use disorder services. And so if you're a Part 2 program, if you have a Part 2 program, you really have to completely overhaul the notice that is specific to that Part 2 program. Now the second notice is the good old-fashioned HIPAA notice of privacy practices that everyone's familiar with. And so while we had a 2024 HIPAA rule that was 99% vacated by the Northern District of Texas, the one part that wasn't vacated was changes to the HIPAA notice of privacy practices related to substance use disorder records. And if you have a Part 2 program, you'll definitely need to update your HIPAA notice to reflect the more stringent requirements. But if you actually don't have a Part 2 program, you still arguably have to update your HIPAA notice if you ever become subject to Part 2 as a quote lawful holder, which would be if, for example, a patient consents to their substance use disorder records going from a Part 2 program to you, and you receive not just the substance use disorder records, but also a notice that accompanies those records indicating they're subject to Part 2. So general providers might receive substance use disorder records under this and become a lawful holder if they receive the appropriate notice. Health plans might, and so they would have to update their notice. And so, you know, some of the big challenges would be, one, am I a lawful holder? Maybe I haven't received these records in the past, but there's a possibility I might in the future. Do I want to take the risk and not update my HIPAA notice because I don't think I'll ever receive substance use disorder records subject to Part 2? Or do I err on the side of, any day I could potentially receive those records, even though that's not a normal, typical part of my practice? So, you know, you can have dentists, you can have psychiatrists, you can have a range of practitioners who may not be focused on substance use disorder, but still could receive, for example, medication information that, you know, is subject to Part 2. So, you know, that's one general challenge. And then another challenge is the rule talks about describing every use and disclosure that's permitted under HIPAA and identifying if there are more stringent laws, including Part 2. So that kind of suggests that you have to sprinkle Part 2 all over, like in every single description of a use or disclosure. But in practice, what I've been hearing a lot of attorneys doing instead is just doing kind of a singular section on Part 2. There's a, you know, question as to whether that's consistent with the exact letter of the regulations, but you know, the risk probably is pretty low as long as you're thoroughly addressing Part 2 and that it's, you know, much more limited than HIPAA.
SPEAKER_02: And any comment on all those uncertainties in regard to the Part 2 implementation, and in regard to whether you have to update your NPP, how it needs to be updated, and the recent transfer of enforcement authority for Part 2 compliance to OCR? How does that up the stakes?
SPEAKER_00: Yeah, big picture. The Part 2 final rule from 2024 does some great things, you know, some very helpful things. It allows, you know, the use of broader consents, it aligns the authorization requirements much closer to HIPAA, but in some respects, I think it's a wolf in sheep's clothing. You know, everyone was asking for kind of, you know, changes to Part 2 to bring it more in line with HIPAA, but part of that ended up being aligning it with HIPAA penalties and HIPAA breach notification. And so starting February 16th of this year, I think there is a higher risk under Part 2. Because we've had this program, Part 2's been around for over 50 years now, and to my knowledge, there hasn't been a single enforcement action. But that's because really it was limited to criminal enforcement by U.S. attorneys who probably have never even heard of the statute, versus, you know, going forward, the Office for Civil Rights can, you know, find out about things through new breach notification obligations with respect to Part 2, and then can impose HIPAA penalties, something that they're very comfortable with. So I don't think we're gonna see, like, a sudden, you know, hundreds of Part 2 penalties being, you know, handed down all of a sudden. But I do think we're gonna start seeing Part 2 penalties for the first time.
SPEAKER_02: So lots of ambiguity, more enforcement, a looming deadline, lots of scary stuff. But pivoting away from that to something that isn't finalized yet, but maybe is even scarier for our covered entity and business associate clients: the amendments to the security rule, right in line with the theme of be careful what you wish for, right? People have been advocating for changes to Part 2, and now we get what they're stuck with, and people have also been advocating for changes to the security rule. You know, the original security rule, the hallmarks, right? The cornerstones of those regulations were flexibility and scalability. So a solo practitioner, you know, operating out of a medical center is required to comply with. So, how significantly has that changed given the new amendments that have been proposed?
SPEAKER_00: So the security rule, I remember when I was at HHS and I could give a presentation, and one person came up to me once at a presentation afterwards and said, you know, I love the security rule. I love that it recognizes that, you know, a small provider like mine is not the same as a, you know, giant health plan, and it provides that level of flexibility. And then another person came up to me, not at the same presentation, but, you know, said, oh, I hate the security rule. Just tell me what I need to do so I can do it. So there's always been this friction between the positive and negative there. In practice, I think that what we've seen is, one, all the flexibility has led to potentially less information security, especially amongst less sophisticated covered entities and business associates who may not really know what they need to do with all the discretion they've been granted. It makes it more difficult to enforce, because if the security rule says, regulated entity, you have a lot of flexibility with respect to how you're gonna do encryption or how you're gonna do authentication, it becomes very difficult for the government to come in and say, nope, you did it patently wrong. And so yeah, I think those are some of the drivers that have led to this, but I think the proposed rule overshot the mark with respect to getting far too granular, far too detailed, and as a result, we got a whole lot of industry feedback. So I think some people started to think it was dead on arrival with the new administration, that especially with kind of the anti-regulatory, you know, less regulation is better themes of the current administration, we weren't gonna see anything going forward with the security rule. But the most recent regulatory agenda does indicate this year potentially, although not a guarantee, that we'll get a final rule. I'd be surprised, wouldn't be the first time, but I'd be surprised if the final rule looks completely like the proposed rule. There was so much pushback. I'm expecting that maybe the final rule will be a lot slimmed down from the proposed rule and maybe just some of the less controversial items. So maybe to throw out an idea, maybe multi-factor authentication, I think that's less controversial. You know, I could see things like that getting finalized. Maybe more detailed encryption requirements, although even there, you know, encryption can be more complicated than you think, because you think, oh, PHI should be encrypted in transit all the time, of course. But what about a message, a text message that says, oh, you've got a secure message waiting for you? You know, this is your doctor's office, you know, log into the portal. That text message itself is not encrypted and realistically couldn't be encrypted. So, you know, there I think there were some additional exceptions that might be needed that I hope would get included in a final rule.
SPEAKER_02: Yeah, and Adam, just as, again, as health lawyers, looking at this rule, I mean, you mentioned the MFA requirement, the encryption at rest and in transit requirement. There are so many other really technical, nitty-gritty requirements, like network, you know, segmentation, where you have to have physical and virtual separation of networks to prevent laterally moving through a system if you're a hacker, right? Or like this vulnerability scan that has to happen every six months according to the proposed rule, or mandatory removal of software that's extraneous from your systems. What's the role of lawyers like us, or like me, I don't want to put you in my category, who love this kind of law and practice in HIPAA and information technology, but are not expert technologists?
SPEAKER_00: Yeah. You know, there's good information security and there's good HIPAA security rule compliance. And the two can be completely different things. I've seen entities that have great information security but fail OCR audits because they don't have the sort of documentation that OCR is looking for and the regulations arguably require. And on the flip side, if you're an entity that, starting from scratch, entirely builds your information security around just complying with the security rule and nothing else, that's not going to necessarily lead to great information security. The security rule is not as robust as NIST or ISO or frameworks like that. So I view that our role is helping to bridge that divide. So, you know, coming in, you know, maybe it's a less mature information security program, and helping them understand, you know, under this final rule, whatever form it may take, you now have to do X, Y, and Z. As to how you implement that, maybe a consultant gets involved in helping to implement that. Maybe it's a more mature program that frankly looks at everything and says, oh yeah, we're doing all that. Our role might be, okay, well, let's look at what documentation you need to get the appropriate credit. You know, do your policies and procedures actually reflect that you're doing this? Do you have all the substantiating documentation that's needed? So I really like to try to help bridge that divide between good security and good compliance.
SPEAKER_02: Yeah, and do you anticipate a lot of the providers, especially the smaller ones, just contracting this out? I mean, I gotta imagine that these IT consultants are salivating, you know, when it comes to this rule, because boy, will there be a lot of work for them to do here.
SPEAKER_00: I think yes, it's gonna be, you know, a good day for the consultants. Also, you know, there's a lot of small providers who just don't have the resources, whether it be the technical know-how or the funding, to really prioritize security. And so I think there's a lot of small providers who are not compliant with the security rule today under the current program, not because they don't want to, but because they don't have the resources in a variety of ways to do so. Moving the needle, I don't think, is necessarily going to lead them to suddenly become compliant with much more stringent requirements. So I think we're going to continue to see a great divide between those who have the resources, you know, both technical and funding, to comply with greater and greater security requirements, and those who just, you know, are trying to make ends meet as a, you know, smaller healthcare provider and just don't have the ability to comply with some of these requirements.
SPEAKER_02: I mean, the sticker shock, right? When you read the, for those of you who have made it through the 200-plus pages of three-columned Federal Register, you know, but the sticker shock, I think that they said that it was going to be $9 billion for first-year implementation with an additional $6.8 billion in annual recurring cost. I mean, everybody knows that when you read these, the government's estimates of time and money, it's usually very underestimated. And that's technology investments, right? But also the administrative costs. There are new policies that have to be written, there are new rules that have to be beefed up in terms of oversight. One of those being business associate oversight. You know, we health lawyers have long been telling our clients how important it is to get their arms around their business associates, make sure those business associates are documented, inventoried, they all have compliant BAAs in place. But when it comes to smaller providers, especially, we talk about that's where it stops, right? We don't have to get into the weeds of the business associate technologies. If you can and you have the resources to do so, amazing. Risk mitigation points, right? And that's the best thing to do. Prevention is worth an ounce of cure, but if you can't, you can't, and the law doesn't require you to do that. Do the amendments change that calculus in terms of business associate oversight?
SPEAKER_00: So back in 1999, the proposed privacy rule would have required covered entities to kind of monitor their business associates, and there was a lot of pushback. And in December, when they finalized the rule, they said, okay, we're not going to require you to monitor, you just have to take action if you learn of a violation of the BAA. What was proposed, whether it'll be finalized, who knows? But what was proposed for the amendments to the security rule would be an annual certification by the business associate that they are complying with, at a minimum, having deployed the technical safeguards. I don't know that that does much more than a lot of paper pushing, to be perfectly frank. I mean, I don't think it changes the monitoring requirement, other than instead of just now getting a business associate agreement at the beginning, you also have to chase down a certification each year. But you don't have to then, I think, go beyond that certification and look under the hood and see if they are actually doing it. You just have to take action. What I would love to have seen, and I know many commented on, is, you know, does it really make sense for a business associate to have to send out thousands of certifications rather than just post a certification on their website that says we're doing this? So I think I understand where they're going, but I think there could have been a, you know, paper reduction, if you will, a lot less paper, or electronic equivalent of paper, you know, destroyed with respect to, you know, just having an annual posting or something like that rather than everyone having to hunt down these certifications that were proposed.
SPEAKER_02: Yeah, more paperwork to certify what they've already certified in the BAA, but now we have to make sure we're getting that certification every year from vendors that could number in the thousands, depending on the size. Seems very, very important that everybody do that. But we know that there was, like you mentioned, that tremendous industry pushback, both in the technological and the administrative, the cost, I mean all these different factors, right? The AMA, the College of Healthcare Information Management Executives, CHIME, also against it. So when the rubber hits the road, what are we telling our clients? Are we telling them to wait, see what happens? We know there may be an enforcement deadline and the rule is gigantic, and that might happen in 2026. Are we waiting, or are we telling them jump in and start now?
SPEAKER_00: I mean, I think it's worth reviewing the proposed rule because it gives you a great view into how, more or less, OCR interprets the current security rule. Like, this is what they'd like to see under the current security rule. So if nothing else, you're getting that. I would certainly not spend huge amounts of money implementing based on the proposed rule, unless you want to do it not because it's required, but because you think this is money well spent to improve your information security program. So for the most part, I think it's a wait and see. Look to your budget, be prepared that you may only have 240 days to spend a lot of money upgrading your security. So, you know, budget accordingly. And if you want to do a gap assessment to at least understand what may be around the corner, that's certainly not a bad idea, you know, as a best practice, but not required.
SPEAKER_02: Yeah, and the amendments to the security rule were proposed in 2025, and they're looking at an enforcement date, potentially they're indicating in 2026. But we still have the 2021 proposed privacy rule changes sitting out there. And there's also indication that that enforcement date may come this year. So what is that, a burden, if that gets finalized this year with an enforcement date in 2026? How burdensome is that going to be, Adam?
SPEAKER_00: I think a lot less so. So this was an example of, back under the first Trump administration, I think someone told the secretary of HHS, HIPAA interferes with care coordination. And so the secretary went down to OCR and said, fix HIPAA and care coordination. I think there's a pretty good argument that the HIPAA regulations themselves don't actually interfere much with care coordination, but rather misconceptions or the excuse of HIPAA sometimes interferes with care coordination. So I think a lot of that 2021 rule is really things that are more clarifications than anything else. There are changes with respect to access, proposed, you know, changing the period of time for access. I thought that covered entities were going to have great concerns about that. But what I heard from a number of clients was, oh, no, we're pretty comfortable that we can handle that. Some state laws already require that sort of, you know, 15 days, for example, anyway. So, you know, I'm a lot less worried about the 2021 rule. I mean, there'll be needed changes to policies and procedures, but nothing earth-shattering. And I do expect that it's gonna probably come behind the security rule. I don't think it's as much of a priority. So it might get pushed back to 2027 or even beyond.
SPEAKER_02: And so you mentioned state laws. So as our last question here, Adam, you know, we practice and we talk about HIPAA and Part 2 and what headaches they are and the ambiguities and how to comply. But the reality is, for those of us health lawyers who practice in this area, that's the easy part, right? Where it gets really complicated is when we have to start taking into account many different state laws as well and incorporate all of that. So, what are you seeing on the state law front?
SPEAKER_00: I mean, it's just an increasingly complicated tapestry. I mean, you've got your old-fashioned medical privacy laws that are still around. You've got your sensitive condition laws, which were historically things like HIV, but now we're getting a lot more with respect to reproductive health care and gender-affirming care. You've got your consumer privacy laws, either general consumer privacy laws that may have more stringent requirements for sensitive information like health data, or consumer health data laws like the My Health My Data Act. These generally won't apply where HIPAA applies, but if you're outside of HIPAA, these have a huge impact. And we're seeing more of those laws all the time. And now we're even seeing, like, California put out a law, SB81, I think it was, with respect to immigration enforcement and medical information privacy, putting in place new requirements with respect to limiting disclosures of medical information for immigration enforcement purposes. And so I think we're gonna continue to see in 2026 a lot of state action, especially reproductive health care, gender-affirming care, and potentially immigration, to watch out for.
SPEAKER_02: Thanks, Adam. So lots to look forward to, or dread, in 2026. The technology keeps evolving, the laws keep evolving, but that's why we love it, because it's challenging work. And look forward to a lot more updates from our practice group this year, then. Thanks, everyone.
SPEAKER_00: Thanks, Jody.
SPEAKER_01: If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.