Once again, 2025 was a busy year for health care data privacy. Ensuring up-to-date and compliant data privacy and security programs, and being able to assess, understand and adapt to the risk of evolving technologies, will remain critically important in 2026. We continue to await updated regulations under both the Health Insurance Portability and Accountability Act ("HIPAA") of 1996 and the Information Blocking Rule, both of which are subject to proposed rules likely to be finalized this year and which will further alter the privacy and security regulatory landscape. However, many of the pressures and compliance risks faced by health care providers in 2025 were driven by patients themselves rather than by regulatory enforcement initiatives.
Patient requests and concerns raised a variety of operational issues and regulatory risks in 2025. In this alert, we assess common areas where patients are frequently questioning their rights with respect to their health care data, and their ability to obtain, modify and prevent certain uses and disclosures of it. As patients become more and more educated on their data rights and protections, taking steps to proactively address patient concerns, complaints or misunderstandings may be among the best ways for health care providers to avoid regulator involvement and scrutiny at both the state and federal levels.
EHR Audit Logs
A recurring point of confusion in 2025 arose from ongoing misunderstandings regarding the implementation of certain provisions under HIPAA and the Health Information Technology for Economic and Clinical Health ("HITECH") Act of 2009, as to what information patients are entitled to request and receive. Under HIPAA, patients have the right to access their protected health information ("PHI") within a designated record set ("DRS") under 45 C.F.R. § 164.524 and the right to receive an accounting of certain disclosures of PHI under 45 C.F.R. § 164.528. The HITECH Act expanded this framework by contemplating enhanced transparency around electronic health record ("EHR") related activity, including a requirement for a 3-year accounting of certain disclosures made through an EHR system. Critically, however, the Department of Health & Human Services ("HHS") never finalized the implementing regulations necessary to activate this new provision of the HITECH Act, leaving these provisions dormant and the HIPAA access and accounting regulations intact.
Against this backdrop of dormant regulatory action, patients (and other requestors on their behalf) have increasingly sought EHR audit logs based on perceived rights under HIPAA and/or HITECH to such information. Whether motivated by concern or curiosity, these requests often seek a list identifying every individual who has accessed or viewed their (or their child's, relative's or client's) electronic health records. However, arguably neither HIPAA nor the HITECH Act currently requires providers to produce EHR audit logs in response to a patient right of access request.
The patient's right of access only applies to PHI in a DRS, which is generally the medical records, billing records and other records used by the health care provider in making decisions about the patient. System audit logs, however, are the output of a security safeguard used internally to monitor for, or investigate and assess, appropriate system access to records. Notably, these logs do not contain medical information about the patient and bear no relation to treatment, billing or decision-making about the patient. Therefore, audit logs continue to be outside the scope of current patient access rights under the current HIPAA and HITECH Act regulations.
Additionally, audit logs are also distinct from records maintained by a health care provider to provide a patient with an accounting of disclosures. Generally, internal access by workforce members will constitute a "use" and not a "disclosure" of PHI as those terms are defined by HIPAA. Among other exclusions, the current accounting of disclosures regulations exclude disclosures to a health care provider for treatment purposes, which would negate inclusion of many of the other accesses logged in an EHR system's audit log. While the eventual enactment of regulations implementing the HITECH Act's provisions regarding a patient's right of access to disclosures from an EHR (which HHS has signaled could be finalized this year) may result in certain audit log access rights for external disclosures, it still would not apply to internal use. Therefore, audit logs also continue to be outside the scope of current patient accounting of disclosures rights under the HIPAA and HITECH Act regulations.
As a result, health care providers would generally not be required at present to produce audit logs in response to a patient's request under either their access or accounting of disclosures rights. Nonetheless, the ongoing confusion has generated significant operational strain for compliance and medical records teams as they work to address misunderstandings and to educate and respond appropriately to patients making such requests within the time frames required under HIPAA and other applicable laws. We note that such logs may still need to be produced where otherwise required by law, such as to regulators investigating a data incident or pursuant to process requests issued in a legal action or proceeding.
Amendments to Records
Patients also have certain rights under HIPAA to request corrections or amendments to their PHI maintained in a provider's DRS. Providers are required to respond to such requests in a timely manner by either making the requested amendment or notifying the individual that their request has been denied, with a reason for the denial.
As health information has become increasingly and readily accessible to patients, there was an increase in both the frequency and persistence of amendment requests by patients in 2025. Many of these requests stemmed from patients disagreeing with how information was documented in their medical records, even when the documentation accurately reflected the clinical history at the time it was created. Patients also raised concerns about references to suspected diagnoses that were later ruled out, conflicting opinions from providers from whom they obtained a second opinion, or abnormal test results that were subsequently normal, with concerns often stemming from potential impacts on their health insurance coverage.
Under the HIPAA regulations, providers retain the discretion to amend a patient's medical record. Any amendment must accurately reflect the provider's clinical judgment and the services provided at the time the documentation was created, and it should not be altered based on future information not known to the provider at the time it was prepared. Providers may deny an amendment request for a variety of reasons, including where they determine that the record is accurate and complete, or where the provider did not create the record and the originator is still available to review and act on the patient's request. Where an amendment request is denied, a patient may provide a statement of disagreement to be included with the record, in response to which the provider is permitted to include a statement of rebuttal. However, even when a provider agrees to amend a medical record, generally that is accomplished by adding additional information and clarification to the existing record, not by removing historical information from the medical record, in order to preserve the integrity of the record. Patients may not understand that "amendment" does not necessarily include the complete and permanent removal of information from their health records.
To avoid patient confusion and complaints, it may be helpful for providers to understand what is driving the patient's request for an amendment, so that a response ultimately denying such a request can educate the patient on the medical record documentation process and how the right of amendment applies, and provide additional information that could allay or address the patient's concerns.
Artificial Intelligence
As the artificial intelligence ("AI") boom in health care continued in 2025, we saw increased patient interest in transparency and consent rights regarding the use and disclosure of their data with respect to such technologies. Recently, a major health care system in California faced scrutiny and a proposed class action suit regarding its use of AI transcription technology in exam rooms without patient consent. This dispute underscores a broader, emerging question regarding how and when providers must disclose the use of AI in clinical interactions or obtain the patient's consent.
While the use of modern technologies, such as ambient AI, may not be readily apparent to patients, providers must understand the applicable regulatory landscape and whether any specific consent or disclaimers are required prior to the use of AI in health care. The regulatory landscape is evolving, and providers will need to stay on top of any new requirements at the state or federal level that impact their use of AI, as well as opinions from regulators and agencies regarding how current laws and regulations apply in the AI context. This includes understanding applicable recording, notification or consent requirements, whether the patient must be provided with the opportunity and ability to opt out, and whether biometric laws, data breach laws or other regulatory frameworks apply to the data being stored, processed and maintained based on its nature and use case. Vendors may also contractually require providers to provide certain notices or obtain certain consents before permitting PHI to be processed by their software.
Providers must also take care to understand the AI systems they are using and how data is processed by them to ensure regulatory compliance. AI is ultimately software, so many of the same considerations applicable to software vendors apply to AI technologies. Providers should be prepared to assess system safeguards related to data maintenance, destruction and security; evaluate any aggregation or de-identification of data within the system or by the vendor; and determine whether the vendor will create, transmit, receive or maintain PHI as a business associate. Additionally, providers will want to understand whether the data they provide will be used to further train and modify the AI model, and assess what rights or protections they may want to reserve to themselves.
Patient satisfaction and trust are also key to the provider-patient relationship. While some patients may embrace the use of AI and other advanced technologies by their practitioners, others may be skeptical or have strong feelings against their data being processed by such technologies. As patient awareness increases, providers should be prepared to respond to patient questions regarding the use of AI. With "transparency" being a key component of many AI implementation models and industry guidance, providers should be equipped with the information and tools to address patient concerns and describe the benefits that may arise from the use of AI.
Practical Takeaways
As health care technology advances and patients become more empowered and educated about their rights regarding their health data and how their data is being used by health care providers, legal risk continues to expand beyond regulatory scrutiny to include patient-driven activity and expectations. When patient concerns are not adequately addressed, providers face an increased risk of complaints to regulatory agencies or claims and lawsuits, placing added strain on the time, resources and finances of health care organizations.
Therefore, health care organizations should consider proactively taking steps to assess and align operations with the evolving landscape and position themselves to quickly and efficiently educate patients and address concerns when responding to them. This includes the following steps:
- Assess existing Notices of Privacy Practices to ensure that they clearly and accurately describe (1) the rights of individuals under HIPAA, how such rights may be exercised and how the covered entity will process such requests; and (2) the uses and disclosures of PHI that may occur with respect to innovative technologies and AI;
- Implement or review AI governance processes to ensure technologies are properly evaluated under applicable state and federal frameworks, aligned with existing policies and procedures for adopting new software, and designed to identify and address related data privacy and security risks;
- Review and update any processes or forms used in responding to patients' rights requests to help educate patients regarding the scope of their rights and allay concerns regarding the response they are receiving;
- Consider whether to create, or include in other patient-facing documentation or forms, language addressing the use of AI and any other legally required or provider-preferred notices, disclaimers, consents or opt-out provisions; and
- Educate relevant members of the workforce on these issues and provide them with the tools necessary to communicate effectively with patients regarding their concerns.
For questions about these developments or assistance navigating these emerging risks, including AI implementation, consent practices and privacy workflows, please contact:
Special thanks to Summer Associate Wyatt Poer for his assistance with this alert.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.
