
Integrating HIEs and Digital Health: Where Data Meets Innovation

AHLA’s Speaking of Health Law | Sponsored by Clearwater

 Health information exchanges are the connective tissue of a high-functioning healthcare system — and the expansion of telehealth and digital health across state lines has made that tissue harder to maintain. Digital health organizations entering HIE networks today inherit a fractured regulatory landscape: a patchwork of state consent laws, federal interoperability mandates, sensitive data protections, and bidirectional data obligations that do not always speak to one another. The organizations that get this right will build more trusted products. The ones that don’t face legal exposure, operational friction, and the quiet erosion of patient confidence that comes from getting the data story wrong.

In this episode of AHLA Speaking of Health Law, sponsored by Clearwater, Hal Porter, Director of Consulting Services at Clearwater, speaks with Sarah Chasson, General Counsel, Chief Legal Officer, and Chief Privacy Officer at Particle Health, and Jennifer Geetter, Partner at McDermott Will & Emery, about how evolving federal frameworks, state-level variation, and practical implementation challenges are shaping the future of HIE participation for digital health organizations.

What This Episode Covers

Porter, Chasson, and Geetter move past the introductory overview and into the operational realities that digital health organizations, legal teams, and compliance leaders are navigating right now:

  • Why HIEs are foundational infrastructure for digital health — and why the expansion of virtual care across state lines has made HIE participation both more valuable and more legally complex
  • The federal interoperability framework: information blocking under the 21st Century Cures Act, TEFCA and the QHIN model, and what the current administration’s enforcement posture signals for data flow
  • State-by-state consent variation — opt-in versus opt-out frameworks, sensitive data categories including mental health, reproductive health, and genetic information, and why harmonization remains elusive
  • Practical challenges for digital health companies entering HIE networks: bidirectionality requirements, data obligations, BAA analysis, and the critical product-legal-compliance alignment that must happen before any connection goes live
  • Patient trust as a business differentiator — how organizations that invest in clear, plain-language consent workflows will build stickier products and stronger provider-patient relationships
  • Data tagging as foundational architecture: why it is easier and far less costly to build in from day one than to retrofit across a live dataset — and how BAA obligations upstream and downstream shape what you are actually permitted to do with the data you receive

Why Digital Health Organizations Need to Act Now

HIE participation is no longer optional for digital health companies that want to compete at scale. The federal government’s information blocking rules have shifted the default: healthcare organizations generally cannot refuse to share electronic health information for legitimate treatment purposes. TEFCA is creating standardized on-ramps to nationwide data exchange — and the organizations that join early will have a structural advantage over those that try to retrofit their consent infrastructure, data governance, and technical architecture later. The regulatory environment is not waiting. Enforcement activity around information blocking is intensifying, state AI and privacy laws are adding new layers of obligation, and the post-Dobbs landscape has introduced heightened sensitivity around reproductive health data that cuts across every state where digital health organizations operate.

For legal and compliance teams, the timing of engagement matters as much as the content. As Chasson notes, the organizations that will get this right are the ones that bring legal, compliance, and product together early — before the HIE connection goes live, not after a problem surfaces. Geetter frames it in terms of infrastructure: consent by design is not a compliance exercise, it is a business architecture decision. The consent platform you build today to handle HIE participation will also carry the weight of AI scribe consents, mental health data protections, and whatever the next wave of digital health regulation introduces. Organizations that treat it as a checklist will spend years catching up to the ones that treated it as a foundation.

 

 

“Compliance is just a floor. You should be earning your patients’ trust through your consent framework — both from a business perspective and because it’s the right thing to do.”

— Sarah Chasson, General Counsel, Chief Legal Officer & Chief Privacy Officer, Particle Health

 

About the Speakers

Hal Porter

Hal Porter is Director of Consulting Services at Clearwater, where he advises healthcare organizations on privacy, security, compliance, and interoperability strategy. He works with hospitals, health systems, and digital health clients to translate complex regulatory requirements — including those arising from information blocking, HIPAA, and evolving state frameworks — into practical, defensible programs. Porter brings extensive experience helping organizations navigate the legal and operational dimensions of healthcare data exchange.

Sarah Chasson

Sarah Chasson is General Counsel, Chief Legal Officer, and Chief Privacy Officer at Particle Health, a healthcare data interoperability platform. She leads Particle’s legal, regulatory, compliance, and privacy functions and specializes in getting patient information into the hands of treating providers efficiently and lawfully. Chasson is a recognized voice on consent design, TEFCA participation, and the practical challenges of operating at the intersection of digital health and HIE infrastructure.

Jennifer Geetter

Jennifer Geetter is a Partner at McDermott Will & Emery, where she focuses on issues at the intersection of computing and healthcare, including AI, HIEs, privacy, and genetic information. She counsels a wide range of healthcare stakeholders on interoperability strategy, data governance, and the state-by-state regulatory variation that shapes how health information can be exchanged. Geetter is widely regarded as one of a small community of practitioners who find HIEs genuinely fascinating — and whose depth of knowledge in the space reflects it.

Put Clearwater’s Digital Health Expertise to Work

Clearwater is a healthcare-specialized cybersecurity and compliance firm that helps digital health companies build the privacy programs, HIPAA compliance frameworks, and data governance infrastructure required to participate in HIE networks and scale across state lines. Services include privacy risk assessments, consent program development, HIPAA risk analysis, HITRUST and SOC 2 certification, and ClearAdvantage — a managed cybersecurity and compliance program built specifically for digital health organizations. With more than 650 healthcare clients and two decades of regulatory experience, Clearwater is a recognized leader in helping digital health companies turn compliance into a competitive advantage.
