
E-News Exclusive

Health IT Updates From Capitol Hill

By Adrienne Morrell and Lori Long

HIM professionals are protectors of patient privacy and sit at the intersection of regulation and data exchange. As health privacy stakeholders work to reform the state-by-state patchwork of privacy rules and transition to national privacy policies, they have identified third-party directives as an important regulatory loophole to close. This article summarizes a recent Capitol Hill briefing regarding health information privacy regulations.

Administrative transitions frequently usher in significant national policy changes. The first half of 2025, in particular, has seen an unprecedented number of shifts in health care policies and practices. Among these pivotal adjustments are proposed revisions to our nation's health data privacy laws, directly impacting health information and compliance professionals.

The new administration is actively engaging privacy stakeholders to reevaluate existing frameworks and address processes that are no longer effective amid rapid changes and advancements in health IT. MRO participates in these national conversations, providing input on proposed changes and areas for rescission. Our recent contribution at the Healthcare Trust Institute (HTI) Capitol Hill briefing offered valuable insights into the future of patient privacy law. Here is a summary of key takeaways:

Five Insights From Capitol Hill
HTI is an alliance of health care organizations committed to effective privacy and security protections for health information. Members include companies, provider organizations, health plans, and others promoting the need for a strong national privacy standard vs the state-by-state patchwork of health data privacy laws that exist today.

The nation’s current privacy patchwork is outdated and unsustainable in today’s digital data ecosystem. Privacy and security rules, such as HIPAA and HITECH, were not designed to adequately safeguard the digital systems, electronic exchange, and technology advancements we have today. Furthermore, since states’ rules lack harmonization, health care provider organizations must implement increasingly complex and costly privacy and security compliance practices.

MRO’s (and our coalition’s) priorities during the recent Capitol Hill briefing included presenting these five realities:

  • An updated federal privacy law is needed to better protect personal health information (PHI) and ensure compliance in an evolving data landscape.
  • Industry expertise is essential to inform complicated health data policy issues such as data privacy, cybersecurity, and AI.
  • Consumers lack awareness of health data risks, including those related to control, confidentiality, integrity, monetization, and technical vulnerabilities.
  • New privacy standards for managing sensitive data (eg, mental and maternal health) require additional efforts to identify and protect this information within EHRs.
  • Regulatory loopholes allowing third parties to gain unauthorized access to PHI exist and must be closed.

Getting past these challenges remains the next step in our journey toward positive changes in national privacy and security law.

What Comes Next
HTI’s work continues to focus on national and state-level privacy standards representing the entire spectrum of health care data. Intense lobbying is underway to ensure the voices of industry experts are heard. Here are a few important steps to know:

  • HHS named Thomas Keane, MD, MBA, as the new assistant secretary for technology policy/national coordinator for health IT of the Office of National Coordinator for Health Information Technology.
  • Future corrections to privacy guidance on the HHS website are being advocated for and anticipated, as the current webpage is inaccurate and inadvertently promotes unauthorized access to PHI by “bad actors.”
  • Current regulatory loopholes related to third-party directives are being reviewed and discussed.
  • There is growing support for patient access to information and the right to proper and authorized access.
  • A HIPAA refresh is anticipated. Revised rules aim to protect the original intent and rigor of HIPAA while recognizing new demands and capabilities for information access.
  • Addressing the patchwork of state-based privacy rules may mirror the administration’s approach to preventing state-based AI standards, preferring to wait until a national law is established.
  • Common agreement exists among technology stakeholders that more regulation, oversight, and standards are needed in health privacy and security.
  • Conversely, the new administration also shows inclinations toward regulatory simplification or complete deregulation.
  • While AI, cybersecurity, and privacy may become intertwined from a regulatory perspective, each component must also maintain its distinct identity, which could lead to further delays and the formation of multiple workgroups.

Patient Privacy Remains a Priority
Other Capitol Hill priorities took center stage in the first half of 2025, leading to uncertainty regarding the timeline for all health care privacy bills. However, both political parties, Congress, and the Senate continue to prioritize health data privacy and security. All stakeholders recognize the imperative for updated federal and national health data policies to address the challenges of the digital age while fostering innovation and ensuring compliance within the health care sector.

Adrienne Morrell is the vice president for government affairs at MRO Corp.

Lori Long is the senior director for public policy and government affairs at MRO Corp.