by fitzrocks 1268 days ago
You are correct - this is not new.

It's the HHS reaffirming what the law says as written. Way too many companies got loosey-goosey with this stuff. The mental gymnastics we'd hear from healthcare companies, "oh our legal team said it's okay to have Facebook installed here because [convoluted and totally not kosher reasoning]", was crazy when you'd review the law as written.

Startups, hospital systems, payers... doesn't matter how many resources or the company's particular compliance stance. You'd be amazed where these companies are sending data to Google and Facebook without consent and without BAAs in place. HHS here is specifically going after larger health networks and hospital systems (typically way more compliance focused than your average healthtech startup).