There’s a pattern I keep seeing in healthcare AI policy — and it’s starting to show up in my studies at law school.

AI systems get deployed in two very different roles. The first is efficiency: AI helps sort, route, organize, surface. It speeds things up. It reduces administrative burden. Nobody gets hurt when it misclassifies a scheduling request.

The second role is consequential: AI makes the call. Approve or deny. Go home or stay admitted. Treatment now or treatment after you appeal for three months.

The problem is that the insurance industry keeps sliding AI from the first role into the second one — and then acting surprised when anyone notices.

The Washington State AI Task Force just noticed.

What the Task Force Found

The Washington State AI Task Force released its Interim Report in December 2025. It’s a substantive document — eight subcommittees, covering everything from K-12 education to law enforcement AI disclosure. The healthcare prior authorization section is the one that should be keeping every healthcare law student up at night.

Here’s the core finding, in plain language:
Insurance companies are using AI “black boxes” to deny, delay, or modify medical care — and patients and providers often have no meaningful way to understand why or challenge it effectively.

The Task Force found three specific risks that deserve your attention:

• The black box problem. AI models making prior authorization decisions “function as ‘black boxes,’ making decisions based on complex algorithms that are not transparent to patients, providers, or even payors.” The insurer deploys the tool. The tool says no. Nobody can fully explain why.

• The bias problem. AI trained on historical claims data inherits the disparities embedded in that data. If certain populations were historically under-treated, the AI learns that pattern and encodes it as the baseline.

• The automation bias problem. This one is insidious. The Task Force specifically called out the risk that humans stop critically evaluating AI outputs — that clinical staff start deferring to whatever the algorithm says because it feels authoritative. The algorithm is never authoritative on clinical questions. It’s a tool. A sophisticated, expensive tool with no medical license.

The Real Problem (And It’s Not the AI)

The AI isn’t the villain here. This is important to understand, and it’s the point most coverage misses.

AI can absolutely be used in prior authorization. It should be. The administrative burden of prior authorization is genuinely broken — a 2021 study by Washington’s Office of Insurance Commissioner found that 75% of health care service codes requiring prior authorization were approved 100% of the time. Think about that. Three-quarters of the things insurers were requiring pre-approval for were never actually going to be denied. That’s pure administrative overhead that falls on clinical staff and delays care for patients.

AI that routes and approves requests faster? Great. AI that catches clear-cut approvals and processes them without human review? Makes sense.

The problem is when the same system that approves care is also empowered to deny care — without a licensed clinician actually reviewing the case.

UnitedHealth’s NaviHealth subsidiary built a tool called nH Predict. The tool predicted how many days a patient should need post-acute care, and staff allegedly were required to follow its outputs under threat of termination — regardless of what the treating physician recommended. When patients and families appealed, roughly 90% of prior authorization denials were reversed, and over 80% of preauthorization denials were overturned on appeal.

Ninety percent of the denials that got appealed were wrong. Not edge cases. Not close calls. Wrong.

This is now federal litigation. Estate of Gene B. Lokken, et al. v. UnitedHealth Group, Inc., No. 23-cv-03514 (D. Minn.), is a class action brought by the estates and families of Medicare Advantage members who were denied post-acute care coverage. Here’s where it gets legally interesting: the court didn’t let all the claims through. In February 2025, Judge Tunheim held that most state law claims — unjust enrichment, bad faith insurance — were preempted by the Medicare Act because evaluating them would require the court to second-guess coverage determinations already regulated under 42 C.F.R. §§ 422.101 and 422.566.

But two claims survived: breach of contract and breach of the implied covenant of good faith and fair dealing. The reason they survived is something worth sitting with. UnitedHealth’s own Evidence of Coverage documents told members that claim decisions would be made by “clinical services staff” and “physicians.” The court held that asking whether UHC lived up to that specific promise — without touching federal Medicare standards — is a pure contract question that state law can still reach.

The case is now in class-wide discovery, with the court denying UnitedHealth’s motion to bifurcate and limit discovery to the named plaintiffs only. As of September 2025, it’s moving forward.

The core allegation UnitedHealth denies: they ever used nH Predict at all. The plaintiffs’ counter: 90% appeal overturn rates don’t happen when licensed physicians are actually reviewing individual cases.

Cigna had its own version of this problem. The PXDX system allegedly allowed physicians to deny claims without reviewing individual patient files — 300,000 claims denied over roughly two months, at about 1.2 seconds per claim. A lawsuit in California argues this violated state physician-review laws. Cigna disputes the characterization, but the underlying question is the same: Was a licensed clinician making a medical necessity determination, or was an algorithm?

What the Task Force Recommends

The Task Force’s recommendations are clear and, honestly, more careful than I expected:

AI can approve care without human review. AI cannot deny care without human review. This asymmetry is deliberate and important. The Task Force specifically said: “AI systems may be used to facilitate approving prior authorization requests or to overturn prior denials without additional human review.” But any adverse determination — any denial, delay, or modification based on medical necessity — must be made by a licensed physician or licensed health professional working within their scope of practice.

That’s the line. AI can say yes. AI cannot say no.

Clinical criteria must match. AI systems used by payors must apply the same clinical review criteria that entity-employed licensed health professionals use. You can’t have the AI applying looser or differently weighted criteria than what a human reviewer would apply.

Mandatory impact assessments and independent auditing. Payors must conduct periodic assessments to identify and mitigate unfair disparate impacts, keep clinical guidelines current, and measure administrative burden on providers and patients. And critically — independent auditors, not the payor’s internal team, should assess transparency, accuracy, and compliance.

Plain-language explanations for denials. When AI is used to support a denial, the payor must provide clear, understandable explanations accessible to both patients and providers, referencing relevant clinical guidelines.

Where This Sits Federally (And Why It Matters That It Isn’t Settled)

Here’s the frustrating context: the federal government is not moving on this quickly.

The Improving Seniors’ Timely Access to Care Act — the PRIOR Act — has been sitting in Congress for years. The 2025 reintroduction (S. 1816) has 248 House cosponsors and 64 Senate cosponsors, which is extraordinary bipartisan support. It passed the House in a prior session. And it has still not become law, largely due to cost estimates and industry opposition.

What did pass was a January 2024 CMS final rule (CMS-0057-F) that requires electronic prior authorization APIs for Medicare Advantage, Medicaid, CHIP, and qualified health plans, with a deadline of January 1, 2027. That same rule (effective January 1, 2026) now requires specific denial reasons from a standardized list and timelines — 7 calendar days for standard decisions, 72 hours for expedited. Annual public reporting on denial rates started in 2026.

That’s meaningful progress. But CMS’s rule addresses process — speed, electronic format, denial reasons. It doesn’t directly address who makes the adverse determination or whether AI can substitute for a licensed clinician.

Washington State is attempting to fill that gap. The Task Force’s recommendations, if enacted by the legislature, would create one of the clearest state-level standards for AI in prior authorization in the country.

The Trump Administration’s federal approach is explicit deregulation. The Task Force report says it plainly: federal regulators are “emphasizing deregulation, while state regulators have explored new legislation to address specific AI risks.” This regulatory gap is exactly why Washington’s action matters — and why you’re going to see more of it from state AGs and legislatures in the next two to three years.

Why This Matters for Law Students

I spend a lot of time in this space thinking about where AI is being deployed to help humans do their jobs better versus where it’s being deployed to replace human judgment in ways that affect other people’s lives.

Prior authorization is the clearest example I know of AI crossing that line — and then the industry responding to scrutiny by arguing that the AI is just a tool, not actually making the decisions. The nH Predict lawsuit allegations suggest otherwise. The PXDX timelines suggest otherwise. The 90% appeal overturn rate suggests otherwise.

A denial that an algorithm generates and a human rubber-stamps in 1.2 seconds is not a human determination. It’s an algorithmic determination with paperwork on top.

The Lokken litigation also reveals something that matters for how future cases will be fought. The Medicare Act’s broad preemption clause — covering “any law or regulation” — swallowed most state law theories. Bad faith. Unjust enrichment. Gone, because evaluating them would require courts to revisit coverage determinations that federal law already regulates. The only way plaintiffs kept anything was by anchoring to UnitedHealth’s own contractual language: you promised decisions would be made by physicians. That’s the surviving hook.

This is why the Task Force’s legislative recommendations matter so much. When courts can’t reach these practices through existing state tort law, legislation becomes the backstop. If Washington — and other states — enact the standards the Task Force recommends, they create new legal obligations that aren’t preempted because they’re not regulating coverage standards. They’re regulating who decides — and that’s a different question.

The Task Force got this right. The question is whether the legislature acts on it — and whether other states follow.

For those of you heading toward health law, this is your practice area for the next decade. The questions that flow from AI in prior authorization touch insurance regulation, administrative law, ERISA, state healthcare law, civil rights and disparate impact, and the emerging law of algorithmic accountability. There is a lot of work to be done. We’re going to be busy.

The WA AI Task Force Interim Report is publicly available.
The PRIOR Act (S. 1816) can be tracked on congress.gov.
Estate of Gene B. Lokken, et al. v. UnitedHealth Group, Inc., No. 23-cv-03514 (D. Minn.) — the February 2025 opinion on preemption is at 766 F. Supp. 3d 835.
The Cigna PXDX litigation was filed in California. (Kisting-Leung v. CIGNA, 2:23-cv-01477-DAD-CSK (E. D. Cal.)
CMS-0057-F (the CMS Interoperability and Prior Authorization Final Rule) was issued January 17, 2024.

Hey there!

By the end of my first semester, I had everything organized. Beautiful Obsidian vault. Color-coded folders. Linked notes connecting Contracts to Torts to Civil Procedure.

And I bombed my first practice exam.

Here’s what I learned: Organization doesn’t equal retention. You can have the most elegant note-taking system in the world, but if you can’t recall Hadley v. Baxendale1 when you need it on an exam, what’s the point?

Most law students are optimizing for the wrong thing. We obsess over how to capture information. We don’t think about how to make it stick.

If you only use ONE tool for law school, it needs to solve the retention problem, not just the organization problem.

That tool is RemNote.

Let me show you why.

The problem isn’t taking notes. It’s remembering them when it matters.

Law school rewards recall, not recognition.

You can have perfect case briefs. You can highlight every important holding. You can outline for weeks.

But when you’re sitting in an exam with a blank page and a complex fact pattern, none of that matters unless you can actually remember the rule from Pennoyer v. Neff2 and apply it under pressure.

Most note-taking tools assume you’ll review your notes before the exam. The research is clear: that doesn’t work. Your brain doesn’t retain information through passive review.

You need active recall. You need spaced repetition. You need a system that forces you to retrieve information from memory repeatedly over time.

That’s not how most study systems work. That’s exactly how RemNote works.

RemNote is built on the science of memory, not the aesthetics of organization.

Here’s what makes RemNote different from every other note-taking tool:

It’s designed around spaced repetition, the scientifically-proven method for long-term retention. When you create a note in RemNote, you’re not just storing information. You’re creating a flashcard that RemNote will quiz you on at precisely calculated intervals.

The first time you see a concept, RemNote might quiz you the next day. If you remember it, maybe three days later. Then a week. Then two weeks. Then a month.

This is not optional. This is how memory works.

Your brain doesn’t retain information through exposure. It retains information through retrieval. Every time you force yourself to recall something, you strengthen that memory pathway.

RemNote automates this process. You take notes like normal. RemNote turns them into an active learning system.

You can take notes and build your flashcard deck at the same time.

Most students treat note-taking and flashcard creation as separate tasks. That is, if they create flashcards at all (I didn’t).

You sit in class. You take notes. Later, you make flashcards from your notes. Then you review the flashcards. Then you go back to your notes to study.

That’s three separate systems. Three places to maintain. Three opportunities to fall behind.

RemNote consolidates all of this into a single workflow.

When you’re reading Palsgraf v. Long Island Railroad Co., you create a note: “What is the zone of danger test?”3 You tag it as a flashcard. Done.

You’re taking notes. You’re building your spaced repetition deck. Same action. One tool.

By the time you finish your case reading for the week, you’ll have already created the review system you’ll use for the rest of the semester.

No separate flashcard app. No rewriting your notes into Quizlet. No duplication.

RemNote forces you to think in hierarchies, which is how law actually works.

Legal concepts are nested. Understanding negligence requires understanding duty, breach, causation, and damages. Understanding duty requires understanding foreseeability. Understanding foreseeability requires understanding Palsgraf and Cardozo’s majority opinion.

RemNote’s structure mirrors how law actually works: hierarchical and interconnected.

You create a top-level concept: Negligence. Underneath, you create sub-concepts: Duty, Breach, Causation, Damages. Underneath each, you add the cases, rules, and exceptions. Or you can keep it simple and just lump everything together into the **Class** folder and sort it out later (or not). Either way, you still get the benefit of spaced recognition and improved retention.

When RemNote quizzes you, it doesn’t just ask isolated facts. It tests you on the relationship between concepts. You’re not just memorizing rules. You’re building a mental model of how the law fits together.

This is what professors mean when they say “think like a lawyer.” They mean see the structure. See how concepts nest and relate.

RemNote makes that structure explicit.

It works across devices and survives without an internet connection.

You’re in the library. Your Wi-Fi dies. Your cloud-based note app becomes useless.

RemNote works offline. You can take notes, create flashcards, and review your spaced repetition queue without an internet connection. When you reconnect, everything syncs.

This matters more than you think. Law school happens in courthouses, in study rooms with bad Wi-Fi, on planes, in places where connectivity isn’t guaranteed.

Your study system shouldn’t depend on being online.

The learning curve is real, but the payoff is worth it.

I’m not going to lie to you: RemNote has a learning curve.

It’s not as flexible as Notion. It’s not as visually polished as Obsidian. The interface can feel dense when you first open it.

But here’s what I learned: the tools that are easiest to start with are often the least effective long-term.

Notion is like a turbo-charged race car, but you have to assemble it yourself. Obsidian is elegant for connecting ideas, but it won’t quiz you three days later to see if you still remember the holding from Shelley v. Kraemer4. Yes, I know that there are plug-ins that attempt to add spaced repetition to Obsidian, but they are clunky and difficult to use. Using a tool specifically designed for spaced repetition is far more effective and efficient. There are also plug-ins that link Obsidian to Anki, which is even worse.

RemNote makes you work a little harder upfront because it’s designed around how memory actually functions, not how note-taking aesthetically feels.

Give it two weeks. Learn the keyboard shortcuts. Build your first 50 flashcards. Start doing your daily reviews.

By week three, you’ll notice something: you’re actually remembering cases you studied two weeks ago. Not because you crammed. Not because you re-read your notes. Because RemNote made you retrieve that information from memory at the right intervals.

That’s when the tool clicks. That’s when you realize you’re not just taking notes anymore. You’re building long-term retention.

You don’t need six tools. You need the RIGHT one.

I tested Anki (too manual, too much friction). I tested Quizlet (too simplistic, no hierarchy). Brainscape is better than Quizlet, but still doesn’t have other question types (like multiple choice or short answer with typed-in responses). I tested Notion (beautiful, but passive). I tested Obsidian (great for linking, bad for retention). I tested more PKM systems than I can even count.

Each tool does one thing well. None of them solve the core problem: making you remember what you learn. With RemNote, you can even designate that you have a quiz on a portion of your notes, and it will reconfigure your repetition schedule to ensure that you’re ready for the quiz. There are different repetition schedules algorithms that you can use for different topics if you really get into it. As geeky as I am, even I have never gone that far.

RemNote is the only tool I’ve found that combines note-taking, spaced repetition, hierarchical structure, and active recall into one system.

If you’re going to invest time learning one tool, make it the tool that solves the most important problem: retention. When your classes end for the semester, don’t delete the RemNote folder; just flag it as “paused,” so it doesn’t keep testing you on that topic. But the information and questions are still there when the time comes for bar exam preparation, and you can return them to “active” to start practicing again as part of your bar prep.

RemNote can be free. Upgrading to a paid tier is not expensive. It is worth it.

You can use the basic, highly-capable version of RemNote for no charge.

Upgrading to the $6/month tier (paid annually at $72/year) adds many features and is well worth it.

The highest level tier is $16/month ($192/year), and that’s the one I use. The highest level tier is called “RemNote AI”, but don’t let it scare you off. This is an AI fine-tuned to help reach RemNote’s full potential. For example, if you answer a multiple-choice question incorrectly, RemNote AI will explain each possible answer and why it is correct or incorrect. For people who took Property class with me, it’s like a mini Vu-Dinh “autopsy” but without the pain of doing it yourself.

Start small. One class. One week.

You don’t need to migrate everything into RemNote today. You don’t need to rebuild your entire note system. I still keep all my primary notes in Obsidian because I love the way I can link things together. That Shelley v. Kraemer case? My case brief for that one is linked to my Property notes and my Constitutional Law notes. The NFIB v. Sebelius5 case is ubiquitous - I swear every class in the last year has referred to it at least once. Obsidian does that beautifully, so I love Obsidian for that. But the fact that NFIB v. Sebelius appears everywhere means it also pops up often in my spaced-repetition practice.

Pick one class. This week, take your case briefs in RemNote. Turn your rules into flashcards as you go. Do your daily reviews for five minutes each morning.

That’s it.

After one week, you’ll know if it works for you. You’ll know if the retention is real. You’ll know if it’s worth continuing.

My guess? By week two, you’ll be moving your other classes into RemNote.

Because once you experience actually remembering what you studied three weeks ago without cramming, you won’t want to go back.

Here’s my personal invitation link to RemNote. Yes, if you sign up for a paid subscription, I will get some extra, free time added to my paid subscription, but the choice is yours. If compensated links bother you, I understand, but don’t let that stop you from trying out a genuinely useful study aid. Just sign up at the main RemNote website, try it on your own, and if you like it (and I think you will), just give me a thumbs-up here on Substack.

I’d love to hear what you think after you try it.

How the Supreme Court’s Loper Bright Decision Turns Health IT Deregulation Into a Compliance Nightmare

Two simultaneous changes are about to collide in healthcare IT.

In June 2024, the Supreme Court eliminated Chevron deference in Loper Bright v. Raimondo. This fundamentally changed how courts interpret federal regulations.

Now, HHS, through the Office of the National Coordinator for Health Information Technology (ONC), is proposing to remove specific health IT security requirements under HTI-5, claiming “HIPAA covers it.”

Here’s the collision: Without Chevron deference, “HIPAA covers it” is legally meaningless. HTI-5’s reliance on ambiguous statutory authority creates compliance chaos in a post-Loper Bright world.

What Loper Bright Changed

For forty years, courts followed a doctrine called Chevron deference. When a statute was ambiguous, courts deferred to the agency’s interpretation. If HHS said “HIPAA requires X,” courts accepted that interpretation as authoritative.

The old world worked like this:

• The statute said that “appropriate safeguards” for user security would be included (in a health IT system)

• HHS interprets this to require multi-factor login authentication

• When HHS was challenged on the regulation that HHS created in response to the statute, the Court would defer to HHS’ expertise

• The industry had clear guidance on what was or was not required

The new world works like this:

• The statute said that “appropriate safeguards” for user security would be included (in a health IT system)

• HHS interprets this to require multi-factor authentication

• Defendant argues the statute just requires “authentication”—not *multi-factor*

• Without the Chevron deference to the agency’s expertise, the Court will interpret the statute independently, relying on their own knowledge and experience

• Outcome uncertain

This matters enormously for health IT because HIPAA’s Security Rule is deliberately principle-based. Terms like “appropriate,” “reasonable,” and “addressable” have no precise statutory definition. Without Chevron deference, there’s no authoritative interpretation of what these terms mean.

Every requirement becomes potential litigation.

The Specific Ambiguities HTI-5 Creates

Here’s what HTI-5 proposes to remove from certification requirements:

• Multi-factor authentication (MFA)

• Specific audit logging requirements

• Encryption standards (in transit and at rest)

• Automatic access timeout

• Emergency access procedures

• Tamper-resistance for audit logs

The ONC’s position: “HIPAA already covers these.”

But look at what HIPAA actually says:

On authentication: § 164.312(a)(2)(i) requires “a unique name and/or number for identifying and tracking user identity.” Does this require MFA? The statute says “identifying,” not “authenticating.” Arguably, a username alone satisfies this. The statute doesn’t even require a password.

On audit logs: § 164.312(b) requires “hardware, software, and/or procedural mechanisms that record and examine activity.” What must be logged? Could it be just user login/logout, or does every change to electronic protected health information (ePHI) have to record a “before” and “after” snapshot. For how long? In what format? None of that is specified in the statute.

On encryption: § 164.312(e)(1) requires “technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.” Must this be encryption? Could be a VPN. Could be physical security. Could be policy. And encryption is explicitly listed as an “addressable” element in the statute. It can be “addressed” by the health care entity, stating that it is not “feasible” to implement in their environment. An addressable element is not required; the entity needs only to show that it ‘addressed’ the issue in their planning and implementation.

On access timeout: § 164.312(a)(2)(iii) requires terminating “an electronic session after a predetermined time of inactivity.” How long? The statute doesn’t say. Also addressable, not required.

Without certification, who decides what these terms mean?

Pre-Loper Bright, HHS guidance was authoritative. Post-Loper Bright, courts interpret the statute from scratch. Each vendor and each hospital makes an independent legal judgment. Inconsistent interpretations proliferate. The only resolution is expensive litigation.

The Vendor Catch-22

Consider the impossible position this creates for health IT vendors:

Option 1: Implement expensive security features (MFA, encryption, comprehensive logging)

• Risk: Your competitor doesn’t. They undercut your price. They win the contract.

• Your legal team says: “The statute doesn’t explicitly require this.”

Option 2: Skip expensive features, implement minimal compliance

• Risk: Customer suffers breach. OCR enforcement action follows.

• Your legal team says: “We have met the statutory requirements”, but there is still a long and expensive legal process (or an expensive out-of-court settlement).

But what does “minimal compliance” even mean without authoritative agency guidance?

There’s no safe harbor. No clear standards. No predictability.

The Coming Litigation Explosion

Every breach becomes a statutory interpretation case

Hospital gets breached via credential stuffing—an attack that MFA would have prevented. OCR fines the hospital for inadequate authentication. Hospital argues: “HIPAA doesn’t require MFA. We had passwords. That satisfies ‘identifying and tracking user identity.’”

The court must interpret the statute without deferring to HHS. A tech-savvy district court judge may say that “MFA has been around for many years and is a reasonable expectation requirement.” Whether that holds up at the appellate level is unclear and may depend (again) on the judges’ level of technical sophistication. Outcome: uncertain.

It is not reasonable to expect judges to be experts in every field of study. Judges are already being forced to rule on cases that hinge on areas that only specialists have studied. Judges should focus on the law, not on whether a specific user authentication technique is sufficiently strong to satisfy a vague statutory requirement. Or even worse, whether or not the entity properly “addressed” a technical requirement in that same vague statutory requirement.

Circuit splits are likely

Different federal circuits will interpret HIPAA requirements differently. The Second Circuit might say encryption is required; the Ninth Circuit might say “addressable” means optional. Vendors operating nationally face varying requirements across jurisdictions.

Only the Supreme Court can resolve circuit splits. That takes years. If it even accepted by the Court. Everyone in the industry has been in limbo for years.

Insurance implications

Cyber insurers can’t assess risk without clear compliance standards. How do you underwrite “reasonable security” when no one knows what reasonable means? Premiums increase to cover legal uncertainty. Coverage disputes multiply over whether “appropriate safeguards” were put in place.

The chilling effect

Vendors can’t plan product roadmaps without knowing requirements. Risk-averse vendors over-comply, driving up costs. Risk-tolerant vendors under-comply, creating danger. Small vendors exit the market entirely—they can’t afford the legal uncertainty.

If ONC believes certification is burdensome, post-Loper Bright requires clearer rules, not vaguer ones.

Options they could pursue:

• Seek specific statutory requirements through Congressional legislation

• Issue detailed regulatory text with precise definitions, not ambiguous principles

• Create safe harbor provisions for specific implementations

What they’re actually doing: Removing specific requirements and pointing to an ambiguous statute.

This is exactly backwards in a post-Loper Bright world.

What This Looks Like in Practice

A small EHR vendor launches a product without MFA—it saves $200,000 in development costs. They sell to 30 rural hospitals over two years. Three years after the product is introduced to the market, a breach occurs at Hospital A due to credential theft.

Now the legal questions begin:

• Did HIPAA require MFA? No clear answer.

• Is the vendor liable? They’re not a covered entity under HIPAA.

• Is the hospital liable? The vendor told them the product was “compliant.”

• Will the court agree with OCR’s interpretation? No deference required.

Thirty hospitals. One defective product. No clarity on who’s responsible or what the law actually required.

What Needs to Happen

Loper Bright plus HTI-5 equals compliance chaos

Removing specific certification requirements at the exact moment agencies lost interpretation authority is regulatory malpractice. Healthcare deserves clarity, not ambiguity. Patients deserve protection, not legal uncertainty.

ONC must maintain clear, specific certification requirements. In a post-Loper Bright world, specificity isn’t a bureaucratic burden—it’s the only path to compliance certainty.

Next in the series: The Oversight Vacuum—how HTI-5 creates gaps that no existing agency is positioned to fill.

“Before” versus “After” (FYI, “Before” is better)

Medical devices must be FDA-approved *before* they can harm patients. Cars must meet safety standards *before* they can crash. Pharmaceuticals must pass clinical trials *before* they reach your medicine cabinet.

But under HTI-5, health IT systems won’t need to prove security *before* they’re breached.

ONC proposes eliminating pre-market certification requirements for health IT security. The rationale? “These requirements are covered by other regulations.”

Here’s the problem: Post-incident enforcement is not equivalent to pre-market assurance. This shift puts patient data at unacceptable risk.

The Shift Being Proposed

The current model is prevention. ONC certification requires vendors to demonstrate security capabilities before deployment. Independent testing validates that features work as claimed. Hospitals can rely on certification when purchasing systems. Problems get caught in the lab—not in production with real patient data.

The proposed model is punishment. No pre-market verification of security capabilities. The entire system relies on HIPAA enforcement *after* breaches occur. OCR investigates and fines healthcare organizations post-incident. Vendors face no pre-market scrutiny.

This is a fundamental shift in how we approach health IT security. And it’s the wrong direction.

Why Pre-Market Certification Matters

It catches problems before patient harm

Software vulnerabilities found in a testing environment can be fixed before deployment to thousands of hospitals. Consider: certification testing discovers that encryption isn’t implemented correctly. The vendor fixes it before go-live. Without certification? That flaw is discovered only after a breach exposes millions of records.

It creates clear minimum standards

Vendors know exactly what’s required for certification. This reduces ambiguity and compliance risk. It enables apples-to-apples comparison during procurement. Most importantly, it establishes a market baseline that prevents a race to the bottom.

It shifts liability appropriately

With certification, the vendor proves the software has security features. Without certification, the hospital must verify vendor claims—and most hospitals lack the expertise or resources to do this effectively.

Here’s a real scenario: A hospital procurement team evaluates five EHR vendors. All claim to have “robust security.” How does the hospital verify those claims? Hire penetration testers for each vendor? That’s cost-prohibitive. With certification, independent verification is already done.

It enables innovation within guardrails

Clear requirements let vendors innovate in *how* they meet standards. This removes regulatory uncertainty that actually stifles development. Compare to FDA: device makers innovate constantly within a defined safety framework. The framework doesn’t prevent innovation—it channels it.

Post-Incident Enforcement Doesn’t Work for Software

The enforcement gap

HIPAA violations are investigated after breaches—it’s inherently reactive. The average time from breach to detection is 207 days. The average OCR investigation takes 18-24 months. Penalties are applied years after the vulnerability was introduced.

The wrong defendant problem

HIPAA fines healthcare organizations, not software vendors. The hospital gets penalized for using software that couldn’t meet requirements. Meanwhile, the vendor has already sold that same product to hundreds of other hospitals. There’s no mechanism to recall or fix defective software across the market.

Inadequate deterrence

OCR has limited resources: roughly 30 settlements per year versus thousands of covered entities. Low probability of enforcement means weak deterrence. Contrast with certification: 100% of products are tested before market entry.

The industry outlier

Look at how other industries handle this:

The perverse incentive

Without pre-market certification, the cheapest compliant strategy is: skip security features, pay the fine if caught.

Expected cost = (probability of enforcement) × (fine amount).

For many vendors, that’s less than the cost of implementing security properly. This makes non-compliance economically rational.

Real-World Consequences

Scenario 1: The new entrant

A startup builds an EHR without multi-factor authentication—it saves development cost. They market to small rural hospitals (the most price-sensitive buyers). Fifty hospitals adopt it over two years. Year three: massive breach due to credential stuffing attack. OCR investigates hospital #1 that reported the breach. The other 49 hospitals remain vulnerable with the same defective software.

Scenario 2: The race to the bottom

An incumbent vendor maintains security features, which increases their cost. A competitor removes “optional” security to undercut on price. The incumbent loses market share. They must either match (remove security) or exit the market. Result: industry-wide degradation of security standards.

The patient impact

Beyond the corporate dynamics, there are real people affected: financial fraud from stolen PHI. Identity theft. Erosion of trust in the healthcare system. Reduced willingness to share sensitive information with providers—which directly impacts care quality.

The “Trust the Market” Fallacy

ONC implies that market forces will maintain security standards. But this ignores basic information economics.

Information asymmetry means hospitals can’t effectively evaluate security claims. Split incentives mean the vendor profits from the sale while the hospital bears breach costs. This is a well-documented market failure in information security.

The market won’t fix this. That’s exactly why certification exists.

What Needs to Happen

Prevention is better than punishment—in medicine and in cybersecurity. Pre-market certification is not “duplication.” It’s the essential first line of defense.

If you work in healthcare IT, if you’re a patient who cares about your data, if you believe in evidence-based regulation: submit a comment to ONC opposing the removal of these requirements.

The comment period is open. Use it.

Next in the series: How Loper Bright changes the regulatory landscape for healthcare IT—and why that makes strong pre-market requirements more important, not less.

Other articles in this series

HHS proposes removing the thirteen security certification requirements (§ 170.315(d)(1)-(d)(13)) for health IT systems in the HTI-5 proposed rule. The justification: “HIPAA already covers security.” This logic fundamentally misunderstands what HIPAA regulates and creates a dangerous gap in healthcare cybersecurity.

I. The Proposed HTI-5 Rule Changes Eliminate the Entire Existing Security Certification Requirements

HHS, in the HTI-5 proposal, states that its existing certification requirements do not fully meet a covered entity’s HIPAA privacy and security requirements, and that is true. However, the answer is not “let’s remove what we have,” but rather “let’s leave our health IT certification security requirements in place because they remain sound policy regardless of HIPAA.”

The HTI-5 proposal removes all of the security standards currently required for certification (§ 170.315(d)(1)-(d)(13)). Among the thirteen requirements (all important), four should be components of any decent health IT system. They are the requirements for multi-factor authentication, audit logging, encryption, and automatic access timeout. The current standards do not require a specific technical solution; they only specify a result that should be the bare minimum for any IT system handling private health information. The ONC argues that they are “duplicative” of the HIPAA requirements. But are they duplicative, or do they meet part of the HIPAA requirements while maintaining the essential data security any system needs?

II. What HIPAA Actually Regulates

HIPAA regulates entities—healthcare providers, payers, clearinghouses, and their business associates. It does not directly regulate technology products, software vendors, or IT systems. This distinction is critical: HIPAA tells covered entities “you must have appropriate security,” but it doesn’t verify that the software you purchase *can* provide that security.

HIPAA is based on principles that must be met and does not set prescriptive requirements. HIPAA sets performance targets but does not specify how a covered entity or business associate meets them. If the ONC’s intent is to foster innovation while setting reasonable requirements, the existing rules achieve that with the flexibility software vendors need to help their clients (covered entities and business associates) reach that goal. It sets a reasonable minimum set of standards.

For example, HIPAA treats encryption as “addressable”—not truly optional, but requiring a risk assessment and documented decision if not implemented. In practice, encryption is the only reasonable and appropriate safeguard for most scenarios, but HIPAA doesn’t mandate the specific technical implementation. Similarly, if the data comes to “rest” on an end-user system, it needs to be encrypted under the current ONC regulations. But if the data is not stored on the end-user system, it does not need to be encrypted.

III. The Enforcement Gap

HIPAA enforcement targets healthcare organizations AFTER breaches, not before. It doesn’t verify software capabilities before deployment. Software vendors are not regulated by HIPAA (unless they are also business associates). Meeting the existing ONC certification requirements can help a healthcare organization or business associate satisfy HIPAA security requirements. As mentioned earlier, it does not cover all the HIPAA requirements but it is a solid starting point for HIPAA compliance.

IV. The Certification Gap

ONC certification ensures that the software must demonstrate (in advance, before deployment) that it has the required security features. HIPAA requires healthcare organizations to implement security measures. ONC certification helps the organization know in advance that many HIPAA requirements are in place and have been tested. Without certification, there is no verification that the software meets the requirements.

The ONC certification is a preventive verification that helps protect the entity from the consequences of a HIPAA violation. Removing that certification shifts all the burden to the covered entity or business associate. Using multi-factor authentication as an example: if a hospital purchases a new electronic health record system without pre-market ONC certification, assumes the software is compliant, and a breach occurs, the hospital bears all liability and enforcement actions, while the vendor faces no consequences.

A Real-World Scenario

Consider a hospital purchasing a new patient portal from a startup vendor:

• With ONC certification: The hospital knows the software has MFA, encryption at rest, audit logging, and automatic timeout before deployment.

• Without ONC certification: The hospital must independently verify these capabilities, negotiate requirements, conduct security testing, and bear all liability if the vendor’s claims prove false.

Now multiply this scenario across thousands of healthcare organizations and dozens of competing vendors. The administrative burden shifts entirely to providers while eliminating any market incentive for vendors to maintain security standards.

V. The Loper Bright Complication

The Supreme Court’s Loper Bright decision eliminated Chevron deference—courts no longer defer to agency interpretations of ambiguous statutes. This fundamentally changes the HIPAA landscape:

HIPAA doesn’t explicitly require specific security implementations like MFA or encryption. Pre-Loper Bright, HHS could authoritatively interpret what HIPAA’s “appropriate and reasonable” security measures meant. Post-Loper Bright, HHS cannot impose those interpretations—courts will decide, case-by-case, through litigation.

The result:

• Litigation will determine requirements through a slow, expensive, inconsistent process

• Vendors will choose the least-costly interpretation to minimize legal risk

• A race to the bottom on security features as ambiguity favors minimalism

• Innovation paralyzed by legal uncertainty rather than enabled by clear standards

• Hospitals can’t rely on compliance guidance without risking judicial reversal

The ONC certification standards provided clarity that *Loper Bright* has now made impossible through HIPAA alone. Removing certification in this post-Chevron environment doesn’t eliminate duplication—it eliminates certainty.

VI. Why “Already Implemented” Doesn’t Hold Up

Today’s health IT vendors already have the ONC security features in place, but new entrants into the market will not be required to meet that part of the certification. These new vendors may skip the security features to save money, leading to another “race to the bottom” by competing vendors who will eliminate their security features to remain competitive. Without the certification, there is no mechanism to verify or enforce. Market dynamics favor cost-cutting over security when the regulations disappear.

VII. The Path Forward: The Current Standards Must Remain

HIPAA and ONC certifications serve complementary purposes:

• HIPAA: Requires entities to implement appropriate security

• ONC certification: Verifies that health IT products can provide security

They are not duplicative—they address different parts of the security ecosystem. Removing the ONC security certification doesn’t eliminate duplication; it eliminates the only pre-market verification mechanism that ensures health IT products meet at least part of the HIPAA requirements.

The comment period opens December 29th. Submit comments at opposing the removal of § 170.315(d)(1)-(d)(13) security requirements. Healthcare cybersecurity deserves better than regulatory shell games that shift all risk to providers while eliminating vendor accountability.

Want to submit a comment but not sure what to say? Consider including:

• Your role in healthcare/health IT

• Specific security requirements you rely on (MFA, encryption, audit logs, timeout)

• The Loper Bright concern about interpretive authority

• Opposition to removing § 170.315(d)(1)-(d)(13)

“My name is John.”

My legal first name is Earl, and I go by John. I was born on my father’s 39th birthday and was named after him. So we shared both a name and a birthday (and our birthday was just one day after my oldest brother). My mother used to joke, although I am not sure she was joking, that the first sentence I spoke was “My name is John.” That is the first thing that people learn about me.

Next month, I will visit my primary care physician for a routine annual checkup. He knows my name. Most of the office staff know my name and use it. But occasionally, I’ll be in the waiting room when a staff member comes to take me for the standard health screening at the start of the visit. I know if they are a new staff member by what they call me. The staff who have been there a while will come in and confidently call out, “John? We’re ready for you.” A new staff member will come into the waiting room and say, “Earl? Earl? OH! John!” as they glance down at the record, which clearly states that I prefer to be called “John”.

I know it is not true, but every time that happens, I feel discarded. It is as if that person didn’t even bother to do the bare minimum to learn about me before coming to retrieve me. It says, very clearly, that “I don’t know you; I haven’t prepared for this; you are just another slot on the appointment list.”

The federal Department of Health and Human Services (HHS), Office of the National Coordinator (ONC) has a Health IT Certification program. They have just published the fifth iteration of their Health Data, Technology and Interoperability proposed rules (HTI-5). It will not be officially published until Monday, December 29th, but the documents have been available for a few days from the HHS website. It is a nightmare for anyone that cares about quality medical care, patient safety, patient data protection and privacy.

Here, I am discussing one relatively small change in the HTI rules that affects me personally, but I have identified (so far) at least nine different areas in the proposed rule changes that are very problematic. This small example is indicative of the flagrant disregard for patient engagement, safety, and respect that runs throughout the proposed rule changes.

What’s Being Removed

The proposed HTI-5 rule change removes the requirement that health care information systems include a “Name to Use” field (§170.315(a)(5)(i)(G)). In different systems, this may be called the “chosen name,” “preferred name,” or “name in use.” It may be different from the legal name required for billing or insurance. It is the name that the patient (like me) actually uses in their daily life.

ONC’s rationale for removing this requirement is that “name to use” is an observation, not a demographic, and therefore not essential patient information. There is no acknowledgement of the clinical, patient safety, or engagement implications.

The proposed deletion of this field reveals a fundamental misunderstanding of patient-centered health care. It treats patients as if they were just a billable unit rather than a human being deserving of respect. It emphasizes “technology first, rather than “human-first.”

Who Needs the “Name to Use” Field - It’s Not Just Transgender Patients

It appears that the proposed rules assume the “Name to Use” applies only to transgender people. It is lumped in with other fields like sexual orientation, gender identity, sex, and pronouns. While there is a lot of say about those field removals as well, that is a topic for another article.

Many people use a name different than their legal one, like me. Here are some categories and examples, but it is far from complete.

People Who Use Middle Names (Like Me)

This is extremely common, especially in certain cultures. When I lived in the southern US, I would run into it all the time. You tell James McCartney or William Bradley Pitt that they must be addressed by their first name. Or Christopher Ashton Kutcher and Walter Bruce Willis. Even people who use a shortened form of their first name appreciate being called by their preferred name, like Bill Murray or Al Pacino.

People With Anglicized Names or Eastern Name Order

People with a strong cultural connection to their ancestry (or who were born overseas) often have a legal name that differs from their first name. I mean, you may have never heard of Hosato Takei, but you have heard of George Takei. Choo Kheng Yeoh is unknown to you, but Michelle Yeoh is a famous actress. Her case is even more complex because, at birth, she was named using the standard Eastern name order (surname first, middle), so her original name was Yeoh Choo Kheng. All of these are “real names” that these people have for different purposes (legal versus daily use)

Transgender People

This is the obvious one and the group that appears to have been targeted by this rule change. They may not have legally changed their name yet because it is expensive and requires a court appearance. Or they may have changed it, but it is not updated everywhere. Being called by their wrong name (deadnaming) causes psychological harm and is associated with higher depression, anxiety, and suicide

These are just a few categories of people who may use a name that differs from their legal name. The point is that it affects a substantial percentage of patients, not a small minority.

The Patient Engagement Implications

First Impressions Matter in Healthcare

As I described at the start, being called by my legal name (rather than the “real” name that I use every day) is disrespectful and disconcerting. I feel disrespected and ignored, even if the care is excellent.

The Therapeutic Alliance Research

The “therapeutic alliance” is an idea that originated in psychotherapy but is increasingly accepted in general medicine. Essentially, it states that a strong, trusting, and collaborative relationship between a patient and their healthcare provider is crucial for effective healing. That relationship is built on mutual respect, shared goals, and agreement on treatment tasks, leading to better engagement, adherence, and positive outcomes. That relationship begins by showing the patient enough respect to call them by their preferred name.

The Disclosure Problem

For a patient to disclose sensitive information, they must trust the provider. Would you disclose potentially embarrassing (but vital) information to someone who didn’t bother learn your name?

Patient Satisfaction and Healthcare Consumerism

Patients choose providers that respect them, and that begins with knowing their name. A few bad online reviews that mention “they never even bothered to learn my name” can put a provider out of business.

The Patient Safety Implications

The Joint Commission identifies patient identification as a critical safety issue. You may think this will not occur, but I can assure you that it does. As I mentioned earlier, I had the same name and birth date as my father. When I was young, I had a serious illness, and the doctors ordered many tests to figure out the cause. My care and treatment were seriously delayed by my test results ending up in my father’s medical record. Would that have been prevented by having a “preferred name” on the records? I don’t know, but every small move to avoid a medical error is a good move.

The Trauma-Informed Care Dimension

Trauma-informed care is a standard of practice. Patients deserve for their health care providers to recognize the prevalence of trauma and avoid re-traumatization. Survivors of abuse, whether it be childhood abuse, domestic violence, sexual trauma, or LGBTQI+ people who escaped negative family situations, hearing their legal name (especially their full legal name) can be exceptionally traumatizing. A medical office should be a safe place where a person is acknowledged and respected.

The Implementation Reality – This Is Not Difficult

Most electronic health record systems already have this capability. They may have added it to meet HTI-1 through HTI-4 standards, but I prefer to believe they have it because it is so fundamental to patient-centered care. It is a one-time data-entry requirement with ongoing benefits at no additional cost. The patient feels more valued and supported. There is no downside to keeping the “Name to Use” field.

The Broader Signal This Sends

However, removing the “Name to Use” field requirement sends a message to vendors that this isn’t important and can be removed. For health systems, it says patient preferences are optional and focuses on billing rather than the patient experience. Of course, as has been said many times, it tells the patient that they don’t matter.

The “Just Update Your Legal Name” Fallacy”

Some people might argue: “Just legally change your name if you want to be called something else.” Here are a few reasons:

1. It’s expensive ($200-$500 just for the name change - not including costs of all the other documents)

2. It’s time-consuming - court appearance, months of processing

3. Massive bureaucratic burden - need to update dozens of documents, from driver’s license to passports, bank accounts, credit cards, etc.

4. It is not always the desired choice. People may wish to keep their legal name as it is for family or cultural reasons.

In short, why should the patient be punished for the inflexibility of the computer system? Why should the person who should be the center of the system have to make an expensive and time-consuming change to match a computer system? That is an absurd burden to place on a person when the problem can be solved by adding a simple data field. The real solution is simple: the electronic record has two different name fields for two distinct purposes (one for patient interaction and one for administrative needs like billing)

Comparison to Other Industries

I fly a lot because my law school is in a different state from my home. My airline tickets have a legal name (and match all of my official documentation). My airline records (frequent flyer program) have my preferred name. I can log in to Alaska Airlines (shout-out to Alaska Airlines) and be identified as John. But when I go into my trip records to check in, add baggage, etc, everything there shows my legal name. This is as it should be. Airlines can do it. American Express (which I sometimes use to buy my plane tickets) calls me John, but still accurately lists my legal name on the ticket. How is this different than my doctor’s office knowing to call me John when I’m in the office, but also learning to use Earl when they bill my insurance company? It’s not different. That’s the point.

The Interoperability Excuse

Last potential ONC argument - “different names confuse data exchange”. That is blatantly false.

The current standard for data exchange in healthcare (and the one mandated by the Centers for Medicare and Medicaid Services, among others) is known as HL7 FHIR (Health Level 7 Fast Healthcare Interoperability Resources). HL7 FHIR already supports multiple names (although it calls them “Official Name” and “Usual Name”). It also has additional fields for “nickname” and “maiden name”.

The potential “workarounds” are worse than simply keeping the existing field. You could have staff write the preferred name on patient notes, but that is not standardized and does not transfer to other systems. They could put an “AKA” online in the patient notes. Again, not transferable, not searchable, and easy to either miss or lose. The standardized fields are logically and clearly the better solution.

There is no rational reason to remove the “Name to Use” field from the HHS certification requirements.

Conclusion

Using a patient’s correct name is foundational to respectful, safe, professional healthcare. It affects patient engagement and clinical outcomes. It is not a significant change (in fact, it already exists in most health information systems), but it positively affects a large number of patients. Rather than removing the requirement and seeing health information systems slowly “obsolete” the field, HHS should signal that patient preferences matter. Healthcare should be patient-first (for all patients, not just those who fit into a predefined bubble). I ask everyone to please comment on the ONC after the official notice of the rule change is published in the Federal Register.

I. Opening: The Problem (Validation)

Opening: The Problem

By week 3 of my 1L year, I had 47 Word documents scattered across three folders.1 I couldn’t find last week’s Contracts notes when I needed them for this week’s assignment. I had files named “Torts Notes.docx,” “Torts Notes 2.docx,” “Torts ACTUAL notes.docx,” and my personal favorite, “Torts notes FINAL for real this time.docx.”

The breaking point came during my first round of midterm prep. I spent two hours—two hours I didn’t have—just finding and opening files, trying to remember whether we covered assault in week 3 or week 4 of Torts. My “system” (if you can call random Word documents a system) had devolved into full-text search of my entire Documents folder, hoping the right phrase would surface the right file.

I knew there had to be a better way. I’d seen classmates with color-coded notebooks that seemed to magically produce the right case brief at the right moment. I’d heard whispers about apps with names like “second brain” and “networked thought.” But here’s the problem: I didn’t have time to become a productivity expert while drowning in casework, reading assignments, and the general chaos of 1L year.

As an uber-geek, this was embarrassing. I _should_ have had this figured out. I’m the person who experiments with technology so others don’t have to reinvent the wheel (that’s literally why I write this newsletter). However, there’s a difference between knowing better systems exist and actually having the time and mental bandwidth to implement one when you’re buried under three case readings due tomorrow.

So I did what any reasonable law student would do: I tested everything I could find during fall break when I had exactly 48 hours before the chaos resumed.

Here’s what I tested, why most systems failed for law school specifically, and the simple setup that actually works. More importantly, I’ll show you how to implement it in 30 minutes this weekend—not “when you have time” (you never will), not “after you migrate all your old notes” (you don’t need to), but right now, starting with one class, so you can stop the Word document chaos before finals.

The answer, for me, was Obsidian. Not because it’s perfect. Not because it has every feature. Because it was simple enough to start immediately, powerful enough to handle connections across classes, and free enough for a student budget.

Let me show you how I got there.

II. What I Tried (And Why Each Failed)

A. Word Documents (Where I Started)

What it was:

This is where most of us start - just saving notes as .docx files. My system (if you can call it that) was a mix of approaches that evolved messily over time. I started with folders by class, which seemed logical. Then I’d have files like “Week 3 Notes.docx” inside the Torts folder. But then I’d also create “Consideration.docx” because that concept came up multiple times. And sometimes I’d just name a file by date: “9-15 Crim Law.docx.”

The inconsistency wasn’t intentional - it was survival. I was creating whatever file structure let me get to the next class.

Why it failed:

The fundamental problem: Word documents can’t talk to each other.

I had “Torts Week 3.docx” but when the professor mentioned assault in week 7, I couldn’t remember if we covered that in week 3 or week 4. I’d have to open files sequentially, scanning for the concept. There was no way to see how last week’s discussion of intent connected to this week’s discussion of battery. No way to link when the concept of “reasonable person” appeared in both Torts and Criminal Law.

Documents just piled up. By mid-semester I had separate files for “Intent - Torts.docx” and “Intent - Crim Law.docx” but no way to see them side-by-side or understand how they related.

The breaking point:

Studying for my first Torts midterm. The professor asked us to “synthesize the semester’s cases around the concept of intent.”

I spent 2 hours just finding and opening files, copying relevant passages into a new “Midterm Study Guide.docx” document. Then I had to manually re-read everything to see the connections because the structure of separate files had obscured the relationships between concepts.

As an uber-geek, this felt like failure. I knew computers were supposed to make organization easier, not harder.

B. OneNote (The Obvious Next Step)

Why I tried it:

OneNote came free with my Office 365 student subscription, which meant it cost me nothing but time to try. I saw other students using it - in the library, you’d see those distinctive OneNote notebooks on screens everywhere. It promised organization with notebooks, sections, and pages. A hierarchy. Structure. Exactly what my Word document chaos lacked.

What I tested:

I created a notebook for each class: “Criminal Law,” “Torts,” “Civil Procedure.” Inside each notebook, I made sections for “Class Notes,” “Case Briefs,” and “Concepts.” Inside each section, pages for individual days or cases.

On paper, this made perfect sense. This should have worked.

Why it didn’t stick:

Two problems killed it for me.

First: the interface felt cluttered and overwhelming. There were tabs everywhere, a ribbon full of formatting options I didn’t need, and the infinite canvas approach meant I was constantly fighting with page layout instead of just writing notes. I’d click to take notes and end up accidentally drawing or moving text boxes. It felt like I was fighting the system instead of the system working for me.

Second - and this was the real killer: I still couldn’t link concepts effectively across notebooks. When I wanted to connect the concept of “intent” from my Criminal Law notebook to the same concept in my Torts notebook, there was no easy way to do it. OneNote has linking features, but they’re buried and clunky. The notebook/section/page hierarchy actively discouraged the cross-connections I needed.

I was still stuck in separate containers. Just prettier ones.

Time invested: About a week before I gave up and went back to Word documents (which at least didn’t pretend to be connected when they weren’t).

C. Logseq (The Outliner Approach)

Why I tried it:

By this point, I’d started reading productivity blogs during study breaks (procrastination disguised as optimization - classic law student move). I kept seeing mentions of “networked thought” and “bidirectional linking.” Logseq came up repeatedly.

Three things attracted me: the outliner structure seemed perfect for case briefing (facts, issue, holding, reasoning - all discrete bullets), it was free and open-source (student budget), and unlike OneNote, it was explicitly designed for linking concepts together.

What I liked:

The linking concept made complete sense. Type `[[Intent]]` and you create a connection. Every note could reference every other note. The graph view showed how everything connected - exactly what I needed for seeing relationships between cases and concepts across classes.

The outliner format worked beautifully for some tasks. Case briefs as nested bullets felt natural: main case name, then indented facts, issue, holding.

Why it ultimately failed for law school:

Two problems I didn’t anticipate.

First: Logseq’s daily notes approach didn’t fit law school organization. Logseq wants you to start each day with a daily note, then link from there. But I didn’t think in days - I thought in classes and concepts. I needed “Criminal Law - September 15” not “September 15” with a bullet for each class. Fighting against the daily-first paradigm added friction every time I opened the app.

Second: the very structure that worked for case briefs became difficult when I wanted to write longer-form synthesis notes or explanations. Everything was bullets. Nested bullets within bullets within bullets. When I tried to write a synthesis of “how intent works across Torts and Criminal Law,” the outliner format felt constraining.

The barrier to entry was too high when I had three readings due tomorrow. I spent more time structuring bullets than capturing ideas.

Key insight:

This taught me I needed something with a lower learning curve but still allowed connections. I needed “Word document simplicity” plus “Logseq linking power” without the outliner orthodoxy or daily-notes-first philosophy.

III. Why Obsidian Won

After three failed attempts, I’d learned something valuable: I knew what I actually needed (even if I didn’t know where to find it).

The decision criteria I learned from failing:

1. Must be simple to start - can’t spend hours learning the system

2. Must allow connections - need to link concepts across classes

3. Must be searchable - find notes without remembering filenames

4. Must work with my brain*- write in simple markdown, not fight an interface

5. Must be free - student budget (this is non-negotiable)

When I found Obsidian, I was skeptical. Another productivity tool? But I gave it one evening to prove itself against these five criteria.

How Obsidian met each criterion:

1. Simple to start

You can literally just start typing. It’s markdown files.

When you first open Obsidian, you create a “vault” (which is just a fancy word for “folder where your notes live”). Then you create a note. Then you type. That’s it. No tutorial required. No forced structure about how to organize notebooks or pages or sections. You organize as you go - or don’t organize at all at first.

I was taking actual class notes in it within 5 minutes of downloading it.

After the OneNote interface clutter and the Logseq outliner learning curve, this felt like opening Word - except without Word’s limitations.

2. Connections that actually work

This is where Obsidian does what Logseq promised but with less friction.

Double bracket linking: type `[[Case Name]]` anywhere and you’ve created a link to that case (or created a new note for it if it doesn’t exist yet). Want to link to a concept? Type `[[intent]]`. Want to see everywhere you’ve mentioned a concept? Click that link.

The graph view shows you how concepts connect visually. When I typed `[[intent]]` in my Torts notes, I could see it linked back to my Criminal Law notes. When I linked cases that dealt with similar issues, the graph showed me the relationships I’d been trying to track manually in Word.

Unlike OneNote’s buried linking features, this is the primary way you work in Obsidian. The tool actively encourages the connections I needed.

3. Actually searchable

Search finds text across all notes instantly. Not just titles - the actual content of every note.

I can search by tags: `#consideration` finds every place I used that tag. I can search for exact phrases. I can search for “intent AND battery” to find notes that discuss both concepts.

Instead of remembering “which file was that in?” or “what did I name that note?”, I just search the concept. The search is fast enough that I use it constantly - it’s become my primary navigation method.

4. Works with how I think

Obsidian uses plain text markdown. Markdown is just text with simple formatting: `**bold**` for bold, `# Heading` for headings, `- bullet` for bullets. You can learn the basics in 5 minutes and ignore the advanced features.

This matters more than it seems. I’m not fighting a proprietary structure. I’m not constrained to an outliner format. I can write case briefs as structured text, class notes as flowing paragraphs, and synthesis notes as whatever format makes sense for that content.

If Obsidian disappeared tomorrow, I’d still have readable text files I could open in any text editor. They’re not locked in some proprietary format. (This matters when you’re building a knowledge base you’ll need for bar prep years from now.)

5. Free

Core features are completely free. Everything I’ve described - linking, search, graph view, markdown files - costs nothing.

There’s paid sync ($8/month) if you want to sync between devices using Obsidian’s servers. But you don’t need it - you can put your vault folder in OneDrive or Google Drive for free automatic sync. (That’s what I do.)

For a student budget, free isn’t just nice - it’s non-negotiable. This tool would need to save me dozens of hours to justify even a small subscription cost, and I wasn’t willing to bet on that up front.

The combination is what made it work: simple enough to start immediately, powerful enough to grow with my needs, and free enough that trying it cost me nothing but an evening.

IV. My Simple Setup (The 30-Minute Version)

Before we start: You don’t need to set this up perfectly. You don’t need plugins (yet). You don’t need to migrate all your old notes or create an elaborate tagging taxonomy or design the perfect folder structure.

You need to start taking notes in a system that connects concepts. That’s it.

You can refine this later. For now, let’s just stop the Word document chaos.

Step 1: Download and Install (5 minutes)

Go to [obsidian.md](https://obsidian.md) and download the app. It’s available for Windows, Mac, and Linux.

When you first open Obsidian, it’ll ask you to create a “vault.” Don’t let the fancy terminology intimidate you—a vault is just a folder where your notes live. That’s it. It’s not encrypted by default (despite the name), it’s not locked away somewhere mysterious. It’s literally just a folder on your computer.

**Important decision:** Create your vault inside OneDrive, Google Drive, or Dropbox. This gives you automatic backup and sync across devices for free. I put mine at `OneDrive/Law School Notes/` so it’s always backed up and available on both my laptop and desktop.

Create the vault. You now have Obsidian installed. Told you this was quick.

Step 2: Create Your Folder Structure (5 minutes)

Inside your vault, create these four folders:

```
Law School/
├── Classes/
├── Cases/
├── Concepts/
└── Weekly Reviews/
```

You can do this in Obsidian’s file explorer (on the left side) or just create them as regular folders in File Explorer/Finder—remember, these are just normal folders.

**Why this structure:**

- **Classes folder:** This is where daily notes from each class go. Inside here, I have subfolders for “Criminal Law,” “Torts,” “Civil Procedure,” etc. Each class gets its own subfolder.

- **Cases folder:** Individual case briefs that you’ll link to from your class notes.

- **Concepts folder:** Cross-cutting ideas that appear in multiple classes (jurisdiction, negligence, consideration, intent).

- **Weekly Reviews folder:** End-of-week synthesis notes where you connect dots across classes. (We’ll talk about this workflow in a future article, but create the folder now.)

That’s your structure. Simple, expandable, not overthought.

Step 3: Start With One Class (10 minutes)

Pick one class—whichever one you have next. We’re going to create one note using a simple template.

Create a new note in your Criminal Law subfolder (or whatever class you picked). Name it something like “Criminal Law - September 22” (use today’s date).

Here’s the template I use for class notes:

```markdown
# Criminal Law - September 22
## Topics Covered
-
## Key Cases
- [[Case Name]] - one-line holding
## Concepts
- #intent/criminal
- #premeditation
## Questions for Office Hours
-
## Connections
- This relates to [[previous note]] because...
```

What’s happening here:

- The `[[Case Name]]` syntax creates a link. When you type `[[` Obsidian will show you existing notes to link to, or you can just type a new name and it’ll create the link anyway (the note doesn’t have to exist yet).

- The `#tags` make concepts searchable. I use a hierarchy: `#intent/criminal` and `#intent/torts` so I can search broadly (`#intent`) or specifically (`#intent/criminal`).

- The Questions section is my favorite part—I always think of questions during class but forget them by office hours. Now I just search `#questions` later.

Save this as a template (we’ll set up the Templates plugin in Section VI so you can insert it with a hotkey, but for now, just copy-paste it when you create a new class note).

Step 4: Create One Case Brief (5 minutes)

In your Cases folder, create a note for one case. Any case. One you’re reading today is perfect.

Here’s my case brief template:

```markdown
# Garratt v. Dailey
**Course:** [[Torts]]
**Date:** February 3, 1955
**Tags:** #case-brief #intent/torts #battery
## Facts
[What happened - keep it brief]
## Issue
[The legal question the court had to answer]
## Holding
[The court’s answer - the rule]
\\## Reasoning
[Why the court ruled this way]
## Notes
- Connects to [[another case]] because...
- Professor emphasized [whatever they emphasized in class]
- This is the leading case on [concept]
```

Notice what we’re doing:

- The course is a `[[link]]` so you can click it and see all cases from Torts.

- Tags make this searchable: `#case-brief` finds all your case briefs. `#intent/torts` finds all cases about intent in Torts.

- The Notes section is where you add connections to other cases or concepts—this is where the magic happens.

Step 5: Use Minimal Tags (3 minutes)

Here’s my entire tagging system:

Structural tags:

• `#case-brief` - for all case briefs

• `#concept-note` - for synthesis/concept notes

• `#class-notes` - for daily class notes

Content tags (examples):

• `#consideration`

• `#hearsay`

• `#jurisdiction`

• `#intent/criminal`

• `#intent/torts`

That’s it. I don’t have an elaborate taxonomy. I don’t have tags for priority or status or reading difficulty or anything else. Just structural tags to filter by note type, and content tags to find concepts.

The rule: Don’t overthink tags. You can always add more later. If you accidentally type `#considersation` instead of `#consideration`, search will still find it. This is a notes system, not a filing system—it’s okay to be messy as long as it’s searchable.

Step 6: Try It for One Week (2 minutes to commit)

Here’s your commitment: Use this setup for ONE class for ONE week.

Not all your classes. Not all your old notes. Just one class, starting with the next lecture, for seven days.

Don’t migrate your old notes yet. Don’t reorganize everything. Don’t try to perfectly tag everything. Just take notes the way I’ve shown you for one week.

After one week, you’ll know if this works for your brain. If it does, expand to more classes. If it doesn’t, you’ve lost one week of notes (which you can still read—they’re just markdown text files).

But I’m betting that by day three, you’ll start seeing why linking concepts changes everything.

V. What You’ll Notice After Week 1

After one week of using this system, here’s what will actually be different—and what won’t be perfect yet. Let’s be realistic.

What will be better:

You’ll be able to find this week’s notes. This sounds obvious, but it’s not trivial. When your professor says “remember what we discussed on Tuesday about proximate cause,” you won’t have to mentally scan through file names or open three different documents. You’ll just search “proximate cause” and find it instantly, with context.

When the professor mentions a case from two weeks ago, you can type `[[Case Name]]` in today’s notes and instantly create a connection. Click that link later and you’re reading the original case brief you wrote. No more “where did I write about that case?”

Search actually works across everything. Type “consideration” in the search bar and you’ll see every mention across all your notes—class notes, case briefs, concept notes. You can see at a glance which classes have covered it and what contexts it appeared in.

You’ll start seeing connections in the graph view. This one surprises people. After a week of linking cases and concepts, open the graph view (there’s an icon on the left sidebar). You’ll see a visual web of how your notes connect. Cases that discuss similar concepts cluster together. Concepts that appear across multiple classes show up as connection hubs. It’s not just cool to look at—it actually reveals patterns you might have missed. (Though fair warning: don’t spend an hour staring at the graph when you should be reading for class. I’ve done this. It’s productive procrastination at its finest.)

What won’t be perfect yet:

Your old notes are still in Word. That’s completely fine. Don’t migrate them unless you actually need them. If you need a specific old note, migrate it then. Otherwise, let it sit. You’re building forward, not backward.

You won’t have every concept perfectly tagged. You’ll tag some things `#intent` and other things `#intent/torts` and occasionally forget to tag something altogether. This is fine. Search still works. Tags are helpful, not mandatory.

You’ll forget to use double brackets sometimes. You’ll write “see Garratt case” instead of `[[Garratt v. Dailey]]` and then realize later you missed an opportunity to link. That’s okay. You can add links retroactively if it matters, or just remember for next time.

Your folder structure might feel slightly wrong. Maybe you want a “Outlines” folder you didn’t create. Maybe “Concepts” should actually be called “Themes.” Adjust it. These are just folders. Move things around. The beauty of plain text files is they’re flexible.

The point:

You’re building a system incrementally, not rebuilding everything at once.

After one week, you won’t have a perfect knowledge base. You’ll have one week of organized, connected, searchable notes instead of scattered Word files. That’s the progress that matters.

By finals, you’ll have an entire semester of connected notes. By the end of 1L year, you’ll have a knowledge base that links concepts across all your classes—exactly the kind of cross-cutting synthesis law school exams actually test.

Future you, studying for the bar exam, will thank present you for starting now.

VI. The Two Plugins I Actually Use

I said minimal plugins at the beginning. I meant it. The Obsidian community has created hundreds of plugins that do everything from tracking your daily habits to generating AI summaries to turning your notes into a personal website. Ignore all of them for now.

These are the only two plugins worth adding in your first month:

1. Calendar Plugin (Community Plugin)

**What it does:** Adds a visual calendar to your sidebar. Click any date and it opens (or creates) a note for that day.

**Why it helps:** Quick navigation to daily class notes. When you think “what did we cover last Tuesday?” you click Tuesday on the calendar instead of scrolling through file names. It’s a small quality-of-life improvement that compounds when you’re taking daily notes across multiple classes.

How to install:

1. Go to Settings (gear icon in the bottom left)

2. Click “Community plugins” in the left sidebar

3. Click “Browse” next to “Community plugins”

4. Search for “Calendar”

5. Click “Install,” then “Enable”

A calendar will appear in your right sidebar. That’s it. No configuration needed (though you can customize it if you want—I don’t).

2. Templater Plugin (Community Plugin)

What it does: Lets you insert pre-written templates into notes with a hotkey or command.

**Why it helps:** Remember those class note and case brief templates from Section IV? Instead of copying and pasting them every time, you can insert them instantly. This removes friction—when you sit down to take notes, you’re typing content within 5 seconds instead of setting up structure.

How to set up:

1. Create a new folder in your vault called “Templates”

2. Create a note called “Class Note Template” and paste the class note template from Section IV

3. Create a note called “Case Brief Template” and paste the case brief template from Section IV

4. Go to Settings → Core plugins → Enable “Templates”

5. Go to Settings → Templates → Set “Template folder location” to your Templates folder

6. (Optional) Set a hotkey: Settings → Hotkeys → Search “Templates: Insert template” → Set to whatever you want (I use Ctrl+T)

Now when you create a new note and want to insert a template, either use your hotkey or open the command palette (Ctrl+P on Windows, Cmd+P on Mac) and type “insert template.”

Everything else:

There are plugins for graph analysis, for daily notes automation, for Zettelkasten workflows, for spaced repetition flashcards, for syncing with external services. Some of them are genuinely useful.

None of them matter until you have the basic habit working.

If you find yourself thinking “I wish Obsidian could...” after a month of using it, then search for a plugin. But don’t start there. Plugin hunting is a form of productive procrastination—you feel like you’re optimizing your system when you’re actually avoiding the work of building notes.

Get the note-taking habit working first. Optimize later.

VII. Closing: What This Actually Solves

Remember those 47 Word documents from the opening? The two hours spent hunting for notes during midterm prep? The feeling that computers were supposed to make organization easier, not harder?

Here’s what you’ll have after one semester with this system:

Organized notes you can actually find. Not filed away in some perfect taxonomy you’ll never maintain. Just searchable, linked notes that surface when you need them. Type a concept, find every mention. Click a case name, see all the notes that reference it. This is the baseline functionality that Word documents failed to provide.

Connections between concepts across classes. Law school isn’t organized the way legal thinking works. Classes are siloed—Torts on Tuesday, Criminal Law on Thursday—but concepts like intent and causation appear everywhere. Your notes can reflect the actual structure of legal reasoning, not just the structure of your class schedule. When you study for an exam that asks you to “synthesize” (which they all do), you’ll have a web of connections already built instead of having to construct them under time pressure.

A searchable knowledge base for bar prep. This is the long game, but it matters. Three years from now, when you’re studying for the bar, you won’t be starting from scratch. You’ll have three years of notes, already connected, already searchable. Your 1L understanding of intent will link to your 2L understanding of mens rea will link to your 3L criminal procedure notes. Future you will thank present you.

A system that works with your brain instead of against it. You’re not fighting with page layouts or outliner orthodoxy or proprietary file formats. You’re writing in plain text with simple links. The system gets out of your way and lets you think.

What this doesn’t solve:

This won’t make law school easy. Nothing will. The readings are still dense. The concepts are still difficult. The Socratic method is still stressful (at least it was for me).

You still have to do the work—read the cases, understand the concepts, engage with the material. Obsidian doesn’t think for you. It just gets out of your way so you can think more clearly.

You’ll still have moments where you can’t find something, where you forgot to tag a note, where you wish you’d linked two concepts together but didn’t. This system reduces friction; it doesn’t eliminate it.

But here’s what changes:

You’ll spend less time hunting for notes and more time actually learning. You’ll spend less time fighting with software and more time engaging with ideas. You’ll build a knowledge base that grows more valuable every week instead of a pile of documents that grows more chaotic.

That’s what made it worth it for me.

Try it for one week with one class.

You don’t have to migrate everything. You don’t have to be perfect. You don’t have to become a productivity expert.

Just stop drowning in Word documents.

Download Obsidian this weekend. Set up the basic structure. Take notes for one class for one week. See if linking concepts changes how you think about the material.

If it works, you’ll know by day three. If it doesn’t, you’ve lost a week and gained some perspective on what you actually need.

But I’m betting that seven days from now, you’ll be linking your second class into the system.

What’s next: In the next article, I’ll walk through my weekly review process—how I use that “Weekly Reviews” folder we created to synthesize concepts across classes and actually prepare for exams instead of cramming. We may have a couple of new plugins to try out and some tips on working with PDF files.

Questions? Reply to this email or drop a comment. I read everything, and I’ll answer questions about setup, workflows, or anything else about making Obsidian work for law school.