Building a Smarter Long-Term Care System in New York

New York State has a long-standing commitment to supporting its most vulnerable populations through Medicaid-funded services for older adults and those requiring long-term care. However, rising costs and an increasingly complex healthcare landscape have created challenges that demand innovative solutions. As New York seeks to align its healthcare system with evolving needs, the time has come to adopt integrated care models that promote sustainability, efficiency, and improved outcomes.
The Program of All-Inclusive Care for the Elderly (PACE) offers a clear path forward. This model has consistently demonstrated its ability to reduce healthcare costs while enhancing patient outcomes by integrating medical, social, and behavioral health services under one umbrella. PACE allows older adults to age in place by expanding access to home- and community-based services (HCBS). These services empower individuals to remain in their homes rather than institutional settings, which not only aligns with patient preferences but also reduces system-wide costs. Despite these clear benefits, New York has not approved a new PACE program since 2011, leaving this proven model underutilized in the state.
Integrated care models like PACE deliver significant advantages. By addressing social determinants of health—such as transportation, housing, and nutrition—these programs take a whole-person approach that improves both health outcomes and quality of life. At the same time, they streamline administrative processes, reducing bureaucracy for patients and providers alike. Nationally, PACE has shown remarkable success in reducing duplicative services, unnecessary hospitalizations, and other inefficiencies that drive up costs in fragmented care systems.
As the state considers reforms, it should prioritize integrated care models that promote collaboration, simplify care delivery, and align incentives across payers and providers. This could include a phased approach to transition eligible individuals from partial capitation and fee-for-service models to fully integrated plans, such as PACE or Medicare Advantage Plus (MAP). By setting clear benchmarks for integration and incentivizing innovation, the state can create a roadmap for meaningful progress.
To fully realize the potential of integrated care, New York must also address existing barriers to expanding PACE programs. Simplifying the regulatory framework and providing financial incentives for organizations willing to invest in PACE would go a long way toward increasing access, especially in underserved areas. Additionally, collaboration between managed long-term care plans and PACE could enhance the continuum of care for patients, ensuring they benefit from the strengths of both models. Nonprofit and community-based organizations, which have a history of delivering high-quality, cost-effective care, should also be given opportunities to expand their reach and impact.
Addressing misaligned incentives between Medicaid, which is state-funded, and Medicare, which is federally funded, remains a critical priority. Strengthening partnerships between state and federal entities will enable shared savings arrangements that reward innovative, high-performing care models. New York has an opportunity to lead the way in aligning these funding streams to support integrated care more effectively.
As Medicaid cost control becomes a pressing issue, piecemeal reforms that add complexity without meaningful benefits must be avoided. Instead, the state should take bold, decisive action to embrace integrated care models that deliver both financial sustainability and improved outcomes. By prioritizing proven programs like PACE, fostering collaboration among stakeholders, and removing barriers to innovation, New York can honor its commitment to aging populations and build a long-term care system that is both effective and enduring.

Is the Rider or the Company Liable in a Bike Share Accident in Philadelphia?

Bike share programs have revolutionized the way people travel in cities across the country. With names like Indego in Philadelphia, these programs offer a convenient, eco-friendly alternative to other forms of public transportation. The bikes can be found at kiosks near major landmarks such as Penn Station, Rittenhouse Square, and Millennium Park, making them a practical choice for commuters, tourists, and residents alike.
But as bike share usage grows, so does the potential for accidents. And when accidents happen, the question of liability arises. Who is responsible — the rider or the bike share company?
Understanding who bears responsibility in a bike share accident is not always straightforward. Multiple factors come into play, requiring an analysis of rider responsibility, company obligations, and the circumstances that led to the accident.
What’s clear, however, is that victims of such accidents often face physical injuries, emotional challenges, and financial hardships. For these individuals, securing compensation through a personal injury claim isn’t just about the money — it’s about getting the resources they need to recover and move forward with their lives. 
The Growing Popularity of Bike Share Programs
Over the past decade, bike share systems have become an integral part of urban transportation. Major cities like Philadelphia have embraced these programs to reduce traffic congestion, cut carbon emissions, and promote healthier lifestyles. Companies like Lyft and Lime operate many of these systems, and cities often partner with private entities to maintain and expand their programs.
The convenience of bike shares has made them incredibly popular, but the increase in usage has also brought to light safety concerns. Riders often find themselves navigating busy streets alongside cars, buses, and pedestrians. And while most bike share programs require riders to agree to terms and conditions before using the service, many people don’t understand the legal implications of those agreements until an accident happens.
Common Causes of Bike Share Accidents
Bike share accidents can happen for a variety of reasons, ranging from rider error to poor bike maintenance. Some of the most common causes include:
Rider Mistakes
Riders often take to the streets with the best intentions, but certain common errors can significantly increase the risk of accidents:

Failure to obey traffic laws: Riders are required to follow the same rules of the road as drivers. Running red lights, ignoring stop signs, or riding against traffic can lead to collisions.
Lack of experience: Many bike share users aren’t regular bicyclists and may lack the skills needed to safely navigate urban environments.
Distractions and negligence: Just like drivers, cyclists can become distracted by their phones, GPS, or surroundings, increasing the likelihood of an accident.

Bike Share Company Negligence
While riders rely on bike share programs for convenience and safety, lapses in company responsibilities can lead to preventable accidents:

Poor bike maintenance: Users expect bikes to be safe and in good condition, but improper maintenance can result in brake failures, tire blowouts, or other mechanical issues.
Faulty docking stations: Broken or poorly maintained docking stations can create hazards, especially in high-traffic areas.
Failure to provide adequate safety guidance: Some bike share companies don’t make it clear how to inspect a bike for issues or provide information on safe riding practices.

External Factors
Beyond rider actions and company obligations, outside conditions can also play a major role in causing bike share accidents:

Road hazards: Potholes, debris, or uneven pavement can cause accidents, particularly for inexperienced riders.
Collisions with motor vehicles: Sharing the road with cars and trucks poses a significant risk, especially when drivers fail to give riders the space they need.
Weather conditions: Rain, snow, or ice can make riding more treacherous, increasing the likelihood of slipping or loss of control.

Rider Responsibilities
When a customer rents a bike through a bike share program, they agree to a set of terms and conditions. These agreements often include clauses stating that the rider assumes responsibility for following traffic laws and riding safely. However, this doesn’t mean the rider is always at fault in the event of an accident.
For example, if a rider causes an accident by running a red light or weaving through traffic recklessly, they may be held liable for any injuries or property damage. However, if the accident was caused by a mechanical failure due to the company’s negligence, liability may shift away from the rider. It’s also worth noting that in some states, bicyclists have limited insurance coverage, leaving many riders to bear the financial burden of accidents.
Bike Share Company Obligations
Bike share companies have a duty to provide safe and functional equipment to their users. This includes regularly inspecting and maintaining their bikes, ensuring docking stations are operating properly, and addressing any safety concerns promptly. When they fail in these duties, accidents can happen.
Another consideration is the legal language in user agreements. Many bike share companies include disclaimers in their terms and conditions designed to limit their liability. While these disclaimers can make it harder to hold companies accountable, they are not always enforceable, especially if the company’s negligence can be proven.
Multi-Party Liability in Bike Share Accidents
Sometimes, liability isn’t limited to just the rider or the company. Other parties could also bear responsibility, depending on the circumstances of the accident. These parties might include:

Local governments: Poorly maintained roads or bike paths can create hazards for riders, putting some liability on local municipalities.
Motorists: Drivers who act negligently, such as failing to yield to a cyclist or driving under the influence, can be held accountable for bike share accidents.
Third-party manufacturers: If a bike fails due to a design defect or faulty part, the manufacturer may be responsible.

Each case is unique, and the specific facts of an accident will determine the parties involved in a liability claim.
Determining Liability in a Bike Share Accident
When it comes to personal injury claims, negligence serves as the foundation for determining liability. Negligence occurs when someone fails to act with the level of care that a reasonable person would exercise under similar circumstances, resulting in harm to another person. Understanding this concept is crucial in bike share accident cases, as proving negligence is often the key to securing fair compensation for injuries and damages.
To establish a successful bike share accident claim, victims must demonstrate four key elements of negligence:

Duty of Care: The first step in proving negligence is showing that the defendant owed the victim a duty of care. This means the responsible party was obligated to act in a reasonable manner to ensure the safety of others. For example, bike share companies have a duty to maintain their bicycles, while drivers must follow traffic laws to avoid endangering cyclists.
Breach of Duty: Next, it must be shown that the defendant breached their duty of care. This could involve a bike share company failing to properly maintain its fleet, leading to faulty brakes, or a motorist texting while driving and colliding with a cyclist. A breach occurs when someone’s actions—or inaction—fall below the level of reasonable care expected in that situation.
Causation: Once a breach of duty is established, the victim must prove that this breach directly caused their injuries. For instance, if a rider is injured because of a defective bike, they need to demonstrate that the bike’s malfunction—not some unrelated factor—directly led to the accident.
Damages: Finally, the victim must provide evidence of actual damages, whether physical, emotional, or financial. This includes medical bills, lost wages, pain and suffering, or even the cost of replacing damaged personal items.

Negligence, with its intricate components, is at the heart of bike share accident claims. Proving these four elements requires a careful gathering of evidence and a strategic approach to presenting the case. By successfully demonstrating negligence, victims increase their chances of obtaining the compensation they need to recover and move forward.
Steps to Take After a Bike Share Accident
If you’re involved in a bike share accident, knowing what to do immediately afterward can make a significant difference in protecting your rights and securing compensation. Here are some steps you should take:

Seek medical attention: Your health and safety should always be the top priority. Even if you feel fine, get checked out by a healthcare professional to rule out serious injuries.
Report the accident: Notify the bike share company and, if necessary, file a police report. This helps document the accident and establish an official record.
Gather evidence: Take photos of the accident scene, your injuries, and any damaged equipment. Collect contact information from witnesses and other parties involved.
Preserve the bike: If possible, see if you can keep the bike in its post-accident condition. This can be crucial in proving mechanical failure or company negligence.
Consult an attorney: Bicycle accidents can involve complex legal issues, and an experienced attorney can guide you through the process of determining liability and pursuing compensation.

Compensation for Bike Share Accident Victims
Seeking compensation is an essential step in helping victims rebuild their lives, not just by covering their expenses but by restoring their sense of stability and security. Here’s a closer look at the different types of compensation available.
Medical Expenses
The cost of medical care can be a significant burden after a bike share accident. Compensation for medical expenses typically covers everything from emergency treatments, such as ambulance rides and ER visits, to long-term care, like physical therapy or specialized rehabilitation. It may also include the costs of necessary medical equipment, prescription medications, and future treatments required to address ongoing health issues.
Lost Income
Bike share accidents can disrupt a victim’s ability to work, often resulting in the loss of wages. Compensation for lost income accounts for the time away from work during recovery. If the injuries have long-term effects that reduce the victim’s ability to earn, they may also seek damages for diminished earning capacity.
Pain and Suffering
The physical pain and emotional distress caused by a bike share accident often extend far beyond the initial impact. Victims may experience ongoing discomfort, limited mobility, and chronic pain, all of which take a significant toll on their quality of life. Emotional and psychological effects like anxiety, depression, and post-traumatic stress disorder (PTSD) are also common, especially after a particularly traumatic accident.
Property Damage
While personal safety is the top priority, accidents involving bike shares often lead to damaged personal property as well. Smartphones, laptops, clothing, or other items that were damaged or destroyed in the accident can create additional financial strain for victims.
Wrongful Death
The loss of a loved one in a bike share accident is a devastating experience, and no amount of compensation can truly replace their presence in your life. However, wrongful death claims can provide financial support to the families left behind. Wrongful death compensation often covers expenses such as funeral and burial costs, medical bills incurred prior to the victim’s passing, and the loss of future financial contributions from the deceased. Additionally, it can address the emotional toll by compensating for the loss of companionship, guidance, and emotional support that the family relied upon.
Although compensation might initially seem like just a financial transaction, its purpose goes much deeper. It’s not simply about the dollar amount awarded; it’s about giving victims the resources to put their lives back together.

Second Circuit Adopts “At Least One Purpose” Rule for False Claims Act Cases Premised on Anti-Kickback Statute Violations

On December 27, 2024, the U.S. Court of Appeals for the Second Circuit held in U.S. ex rel. Camburn v. Novartis Pharmaceuticals Corporation that a relator adequately pleads a False Claims Act (“FCA”) cause of action premised on violation of the Anti-Kickback Statute (“AKS”) by alleging, with sufficient particularity under Federal Rule of Civil Procedure 9(b) (“Rule 9(b)”), that at least one purpose (rather than the sole or primary purpose) of the alleged kickback scheme was to induce the purchase of federally reimbursable health care products or services.[1]
In doing so, the Second Circuit joins seven other Circuit Courts—the First, Third, Fourth, Fifth, Seventh, Ninth, and Tenth Circuits—in adopting the “at least one purpose” rule. This ruling lowers the bar in the Second Circuit for relators pleading AKS-based FCA claims. 
Interplay Between FCA and AKS Violations
Under the AKS, “a claim that includes items or services resulting from a violation [of the AKS] … constitutes a false or fraudulent claim” under the FCA.[2]
The AKS prohibits persons from, among other things, “knowingly and willfully” soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind—

in return for referring an individual to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under a federal health care program, or
in return for purchasing, leasing, ordering, or arranging for or recommending purchasing, leasing, or ordering any good, facility, service, or item for which payment may be made in whole or in part under a Federal health care program[.]”[3]

Alleged “Sham” Speaker Events & Excessive Compensation
In U.S. ex rel. Camburn, the relator, a former Novartis sales representative, filed a qui tam action in the U.S. District Court for the Southern District of New York alleging violations of the FCA premised on violations of the AKS. The relator alleged that Novartis operated a kickback scheme with the intent of bribing providers to prescribe Gilenya, a multiple sclerosis drug. Specifically, the relator alleged that Novartis operated a sham peer-to-peer speaker program that served as a mechanism for the company to offer remuneration to physicians in exchange for prescribing Gilenya. The relator alleged that the payments made to providers under the guise of this speaker program “caused pharmacies and physicians to submit false claims to the government and to the states for healthcare reimbursement under programs including Medicare Part D, Medicaid, and TRICARE.”[4]
U.S. District Court’s Dismissal with Prejudice
The federal government, as well as 29 states and the District of Columbia, among other parties, declined to intervene in the lawsuit. After granting the relator multiple opportunities to amend his complaint to plead factual allegations with sufficient particularity required by Rule 9(b), the district court held that the relator still failed to adequately plead the existence of a kickback scheme. Because the relator’s FCA claim was based on violations of the AKS, the district court dismissed the relator’s Third Amended Complaint with prejudice and did not address whether the relator sufficiently pled the remaining elements of his FCA claim. 
Second Circuit’s Adoption of “At Least One Purpose” Rule
On appeal, the Second Circuit adopted the “at least one purpose” rule and found that, to survive dismissal, the relator “needed only to allege that at least one purpose of the remuneration was to induce prescriptions, without alleging a cause-and-effect relationship (a quid pro quo) between the payments and the physicians’ prescribing habits.”[5] Applying this standard, the Second Circuit concluded that the relator adequately pleaded an AKS violation with respect to the following three categories of allegations: (1) holding “sham” speaker events with no legitimate attendees, (2) excessively compensating physician speakers for canceled events, and (3) deliberately selecting and retaining certain speakers to induce a higher volume of prescriptions of Gilenya.
Specifically, the Second Circuit found that the relator’s “illustrative examples” of physician-speakers presenting solely to other Novartis speakers or to members of their own practice over lavish restaurant meals supported a strong inference that at least one purpose of the speaker program was to provide kickbacks to prescribers. The panel also found that the relator’s allegations that the compensation paid to physician speakers for canceled events ($20,000 to $22,500 to each speaker) over a two-year period in comparison to the dollar value of the allegedly fraudulent claims submitted to the government for reimbursement (between $1 to $1.7 million) during that same period gave rise “to a strong inference that the payments constituted, at least in part, unlawful remuneration.”[6] Likewise, the relator’s inclusion of testimony from two Novartis sales representatives regarding the company’s alleged practice of offering speaking engagements to physicians to incentivize them to prescribe Gilenya suggested that these engagements were organized to induce providers to prescribe the drug.
The Second Circuit held that these allegations, accepted as true for purposes of the motion to dismiss, “plausibly and ‘strongly’ suggest Novartis operated its speaker program at least in part to remunerate certain physicians to prescribe Gilenya.”[7] Accordingly, the Second Circuit remanded the case to the district court to determine whether the relator sufficiently pleaded the remaining elements of his FCA claim and to weigh the adequacy of the claims under state and municipal law.
The Second Circuit affirmed, however, the district court’s conclusion that the relator “failed to link Novartis’s DVD initiative, ‘entertainment rooms,’ visual aids for billing codes, and one-on-one physician dinners with a strong inference that Novartis used these tools, at least in part, to induce higher prescription-writing,” with the caveat that another FCA claim predicated on an AKS violation may in fact survive dismissal if similar facts were pleaded with greater particularity.[8]
Practical Takeaways

This case highlights the importance of drug manufacturers and other regulated entities’ duty to implement robust and ongoing health care compliance programs in order to continuously and thoroughly evaluate enforcement and whistleblower risk relative to marketing and other business activities.
This decision’s adoption of the “at least one purpose” rule lowers the bar for relators in the Second Circuit to plead FCA violations premised on noncompliance with the AKS. Indeed, the Second Circuit rejected arguments that remuneration is unlawful under the AKS only if the “sole purpose” or “primary purpose” of the payment is to induce health care purchases. As eight circuits across the country have now held, allegations involving a single improper purpose can allow a case to survive dismissal. In these circuits, a relator merely needs to allege that at least one purpose of the remuneration was to induce the purchase of federally reimbursable health care products or services.
The heightened Rule 9(b) pleading standard fully applies in FCA cases premised on AKS violations. While the “at least one purpose” rule broadens liability, the district court and Second Circuit made clear that FCA allegations will be scrutinized to ensure they comport with the heightened Rule 9(b) pleading requirements.

Epstein Becker Green Attorney Ann W. Parks contributed to the preparation of this post.
ENDNOTES
[1] 2024 WL 5230128 (2d Cir. Dec. 27, 2024).
[2] 42 U.S.C. § 1320a-7b(g).
[3] Id. at § 1320a-7b.
[4] Camburn, 2024 WL 5230128, at *2.
[5] Id. at *4.
[6] Id. at *6. 
[7] Id. at *6 (cleaned up) (quoting Hart, 96 F.4th 145, 153 (2d Cir. 2024)).
[8] Id. at *19.

Ethiopia Opens Its Banking Sector to Foreign Banks and Investors After Half a Century of Protectionism

Introduction
With a rapidly growing population of 120 million people, Ethiopia is the fifth-largest economy in Africa by GDP, making it an attractive destination for foreign investment in the banking sector. On December 17, 2024, the Ethiopian Parliament approved the new Banking Business law, which allows foreign banks and foreigners to rejoin the Ethiopian market after an absence of half a century. This proclamation provides various avenues for foreigners to enter the Ethiopian market, marking a significant step in opening one of the last remaining sectors in the country to foreign investment. This move signals a shift from a protectionist to a more liberal policy approach by the government.
Overview of Ethiopia’s Investment Climate
In 2020, Ethiopia introduced a new investment law to expand opportunities for foreign investment. Previously, only specifically identified sectors were open to foreigners. The new law restricted only a few sectors to domestic investors, while all other sectors are available for foreign investment. In 2024, the Ethiopian Investment Board issued a directive further permitting foreign investment in industries that were previously restricted to domestic investment, including export, import, wholesale, and retail trade.
Additionally, the Ethiopian government has liberalized sectors that were previously monopolized by the state, such as telecommunications and logistics. This initiative has expanded foreign investment opportunities across multiple industries. Investors now have the option to acquire shares, enter joint ventures, or invest through the Ethiopian Investment Holdings (EIH), which functions as the strategic investment arm of the Ethiopian government.
These reforms indicate Ethiopia’s move towards economic liberalization by attracting foreign direct investment, including the recent significant shift in opening the financial sector to foreign investment.
The New Banking Business Proclamation
The recent 2024 proclamation aims to enhance the banking industry’s competitiveness and efficiency by allowing foreign investment. 
The proclamation allows foreign banks to enter the Ethiopian market by establishing subsidiaries, opening branches or representative offices, or acquiring shares in domestic banks. It also permits foreign nationals to buy shares in Ethiopian banks.
A foreign bank or strategic investor can acquire up to 40% of shares in a domestic bank, while foreign individuals can hold up to 7%, and entities can hold up to 10%. The total foreign investment is capped at 49%.
Foreign banks entering Ethiopia must invest as foreign direct investment (FDI) using foreign currency, with the capital fully paid in cash up front. Additionally, Ethiopian organizations partially owned by foreign nationals must invest through FDI based on their foreign ownership percentage, also in foreign currency.
Potential Benefits and Challenges
Enabling foreign investment in Ethiopia’s financial sector is projected to bring numerous benefits and challenges. One potential advantage is increased competition and efficiency. The entry of foreign banks is expected to encourage competition, leading local banks to improve their efficiency, service delivery, and technological advancements. Additionally, the introduction of diverse financial products by foreign banks, such as derivatives, trade finance, and specialized credit facilities, can diversify the local financial market.
Another benefit is the transfer of knowledge and skills. The involvement of foreign banks introduces professionals and practices to the Ethiopian financial sector. This exposure to international banking standards, risk management frameworks, and digital technologies can enhance the financial ecosystem. Additionally, foreign banks can support the inflow of FDI by connecting with global financial markets, integrating Ethiopia’s economy into the international financial system.
However, the entry of foreign banks also poses several challenges. One significant concern is the risk of market domination. Foreign banks, with their substantial resources, advanced systems, and international networks, could potentially overshadow local banks, leading to market imbalances and reduced competition in the long term. This dominance may stifle domestic financial institutions, hindering their growth and development.
Economic risks are another challenge, as increased foreign bank participation exposes Ethiopia’s economy to external risks such as exchange rate volatility and potential capital flight. The resource disparity between foreign and local banks is also a concern. Foreign banks’ access to sophisticated technologies and funding could widen the gap, restricting domestic banks’ ability to compete effectively and exacerbating financial service inequalities.
Lastly, the integration of foreign banks necessitates robust regulatory frameworks and institutional capacity to monitor and mitigate associated risks. Addressing these regulatory challenges is crucial to ensure the stability and sustainability of Ethiopia’s financial sector.
The enactment of the Banking Business Proclamation represents a significant milestone in Ethiopia’s investment landscape, opening the financial sector to foreign investment after half a century of protectionist policy. By allowing foreign banks to enter its financial sector, Ethiopia aims to enhance competitiveness, diversify financial services, and integrate its economy into the global financial system.

Rule 37 in Action – Case Dismissed

As stated in my previous blog, “A Rule 37 Refresher – As Applied to a Ransomware Attack,” Federal Rule of Civil Procedure 37(e) (“Rule 37”) was completely rewritten in 2015 to provide more clarity and guidance to the sanction process under the Rule.
In Jones v. Riot Hospitality Group, LLC, the Ninth Circuit makes very clear that, when the court faces a sanctions analysis based upon evidence that there is data that should have been preserved, that was lost because of failure to preserve, and that can’t be replicated, then the court has two additional decisions to make: (1) was there prejudice to another party from the loss or (2) was there an intent to deprive another party of the information. If the former, the court may only impose measures “no greater than necessary” to cure the prejudice. If the latter, the court may take a variety of extreme measures, including dismissal of the action. An important distinction was created in Rule 37 between negligence and intention.
Rule 37(e)(2) is clear that the court may impose a variety of extreme measures, including dismissal of a case, if there is a violation of Rule 37 with an intent to deprive another party of the relevant information. The Jones case demonstrates this rule in action. The Jones case involves Alyssa Jones, a former waitress at a Scottsdale bar, who sued the bar’s owner-operator, Ryan Hibbert, and his company, Riot Hospitality Group, alleging Title VII violations and common law tort claims. During discovery, upon noticing an unusual pattern of time gaps in the text messages that Jones produced, along with deposition testimony that demonstrated that particular people had indeed texted with her during those gaps, the court ordered the parties to jointly retain a third-party forensic search specialist to review the phones of Jones and certain witnesses.
The court ultimately found that Jones intentionally deleted relevant text messages with co-workers from 2017 and 2018 and coordinated with her witnesses to delete messages from 2019 and 2020. The court used “reasonable inferences” to determine that it was done with the intent to deprive Riot of use of the messages in the lawsuit. The district court dismissed the case, using the five-factor test for terminating sanctions articulated in Anheuser-Busch, Inc. v. Nat. Beverage Distrib., 69 F.3d 337, 348 (9th Cir. 1995).
The 9th Circuit found that the use of the Anheuser-Busch test was not necessary and that, to dismiss a case under Rule 37(e)(2), a district court need only find that:

Rule 37(e) prerequisites are met,
the spoliating party acted with the intent required under Rule 37(e)(2), and
lesser sanctions are insufficient to address the loss of the ESI.

Takeaways:
1. If you are in a spoliation dispute, make sure you have the experts and evidence to prove or defend your case.
2. When you are trying to prove spoliation, know the test. If intent to deprive is proven (with direct or circumstantial evidence), then proving prejudice is not a prerequisite to sanctions.
3. Be aware of, plan for, and enforce data preservation protocols early in your case.

2024 Title IX Regulations Vacated Nationwide

On January 9, 2025, the Sixth Circuit Court of Appeals decided the case of Tennessee v. Cardona, vacating the 2024 Title IX regulations nationwide. The court ruled that the issuance of the 2024 regulations exceeded the Department of Education’s authority and was unconstitutional on multiple grounds.
The ruling may be appealed, but for now, institutions covered by Title IX should revert to compliance with their policies in effect under the 2020 Title IX regulations.
The 2024 Title IX regulations, which took effect on August 1, 2024, had faced several challenges that led to injunctions with varying geographic scopes. As a result, prior to the Cardona decision, the Title IX regulations were only effective in about half of the states across the U.S.

Data Privacy: Insights from the Recent FAQs on New Jersey Data Privacy Law

As organizations prepare for compliance with the New Jersey Data Privacy Law (NJDPL), set to take effect on January 15, 2025, the Division of Consumer Affairs (DCA) has released a set of 24 Frequently Asked Questions (FAQs) that provide important insights and guidance on complying with New Jersey’s robust regulatory framework. The FAQs are not binding and should not be considered a legal document or a complete explanation of the law. Rather, they are useful as a reference for persons within the entities covered by NJDPL that have a role in privacy compliance.
The FAQs specifically focus on sensitive data, children’s data, opt-out or revocation of consent from sale of personal data (including via universal opt-out signals), contracts with data processors, and data protection assessments, indicating the New Jersey DCA’s focus areas for the enforcement of the incoming law. This article explores the key takeaways from the FAQs, particularly concerning the treatment of sensitive data.
Understanding the New FAQs
The recent FAQs were published for the convenience of businesses (although the FAQs use the term “businesses,” NJDPL also applies to nonprofits). The FAQs distill and clarify several key definitions contained in the NJDPL, summarize consumer rights, define business obligations, and provide additional guidance regarding processing of sensitive data and data of minors.
Specifically, NJDPL governs the use of personal data, which the law defines as any information that is linked or reasonably linkable to an identified or identifiable person. The FAQs clarify this definition as “any information that is not publicly available and can be used to identify a specific individual.” The key difference between these definitions is in the “reasonably linkable” criteria in the statute, whereas the FAQs seem to focus on specific identifiability. Practically speaking, there are categories of data that may be linkable to an individual through context (for example, email metadata, or de-identified data combined with external data that permits reidentification, such as a fitness tracker ID combined with gym membership data) that would be within NJDPL’s scope. Differences such as these highlight that the covered entities must not rely solely on the FAQs’ definitions when building their NJDPL compliance program.
The FAQs also clarify the definitions of the key actors in the data privacy lifecycle under NJDPL:

Consumer: A New Jersey resident acting in a personal or household context
Controller: Any individual or entity that decides how and why consumers’ personal data is processed
Processor: An individual or entity that processes personal data on behalf of the controller. A processor is different than a controller because it does not have decision-making authority over personal data. A processor can only process personal data at the request and under the direction of a controller.

The FAQ clarifies that NJDPL applies to any controller that:
(1) Does business in New Jersey or produces products or services targeted to New Jersey residents and
(2) During a calendar year either (a) controls or processes the personal data of at least 100,000 consumers or (b) controls or processes the personal data of at least 25,000 consumers and makes money from the sale of personal data.
The FAQs detail some of the obligations of the controllers, including to prepare a written privacy notice accurately disclosing data practices, to honor consumer rights, to enter into written contracts with vendors receiving personal data from controllers (vendors generally will be processors, see below), to conduct data protection assessments, and to process certain categories of data only with consumers’ express consent.
With respect to processors, the FAQs highlight that among other requirements, a processor must:

Follow the controller’s instructions
Help the controller meet its obligations under NJDPL
Keep personal data confidential
Enter into a contract with the controller that contains processing instructions; identifies the data that will be processed and for how long it will be processed; and requires the processor to return or delete the personal data once processing is complete.

For consumers, the FAQs summarize their rights as follows:

Confirm whether a controller processes the consumer’s data
Correct inaccuracies in the consumer’s personal data
Delete the consumer’s personal data
Say “no” (opt out) to a controller selling the consumer’s personal data or using the consumer’s personal data for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy). 

Controllers must provide clear and accessible mechanisms for consumers to exercise these rights. Additionally, by July 15, 2025, businesses must comply with universal opt-out signals, such as those from Global Privacy Control (users enable privacy preferences within their web browsers). A universal opt-out signal is a mechanism that allows individuals to communicate their preference to opt out of certain data processing activities, such as targeted advertising or sale of data, across multiple websites or platforms in a standardized way. It eliminates the need for consumers to manually opt out on each site individually.
Again, the FAQs do not repeat NJDPL’s definitions, criteria, and recitations of rights word by word, but rather aim to give organizations a general sense of what these key concepts mean. While at first blush the distinctions between the FAQ and NJDPL definitions may not seem significant in practice, as the saying goes, the devil lurks in the details. Note, for example, that personal data processed solely for the purpose of completing a payment transaction is exempted from the 100,000 consumers’ data threshold, and that receiving a discount on a price of any goods or services counts toward the “making money from personal data” threshold. 
Update on Anticipated Regulations and Enforcement Deadlines
New Jersey is one of three states to date that provide rulemaking authority under their data privacy law to the state agency; here, the DCA. The FAQs are not such regulations, but they expressly state that the DCA will be issuing regulations under NJDPL in 2025. This is a new development, as NJDPL does not provide a deadline for promulgation of rules.
While the formal regulations under NJDPL are not yet available, the FAQs expressly state that the entities obligated under NJDPL are required to comply starting on January 15, 2025. A limited opportunity to cure violations may be available until July 1, 2026: If the DCA identifies a potential violation that the controller can remedy, the DCA will send a notice to the controller to give them the chance to fix the problem within 30 days of the notice. If the violation is not remedied, the DCA can proceed with an enforcement action. While this provision is certainly beneficial for covered entities, it should not be interpreted as a license to avoid carefully thinking through and implementing the entity’s compliance obligations before the January 15, 2025, deadline. At most, this grace period should be used to remedy inadvertent mistakes in compliance.
Treatment of Sensitive Data
The FAQs explain that sensitive data is a subset of personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health condition, financial information, sexual activity or sexual orientation, immigration or citizenship status, status as transgender or non-binary, genetic or biometric data, or precise geolocation data. It also includes personal data collected from a known child. This restatement loosely tracks NJDPL’s definition. Most of the data considered sensitive in New Jersey also is recognized as sensitive under most U.S. state privacy laws. However, New Jersey includes additional types of data as sensitive, including status as transgender or non-binary and financial information, which only a handful of other states recognize as sensitive.
The sensitive financial information in New Jersey includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” Thus, not every piece of financial data will be deemed sensitive; however, NJDPL’s definition is open-ended and types of financial data not presently listed in the statute may be included in the future. 
For entities operating in more than one state that are required to comply with several state data privacy laws, it is important to correctly classify data as sensitive or not sensitive to ensure compliance with each such applicable law. Each U.S. state privacy law recognizes sensitive information and imposes heightened compliance requirements for its processing. Some states require a valid consent to be obtained before collection and processing of personal data, as well as a data protection assessment. Others follow an opt-out model, giving consumers the right to limit the use of their sensitive data.
The FAQs highlight that New Jersey requires consent before sensitive data is processed and that a data protection impact assessment must be conducted. NJDPL specifies that a valid consent must be “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” Such consent may include a written statement, including by electronic means, or any other unambiguous affirmative action. Notably, acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information will not constitute a valid consent. As such, organizations should not rely on statements such as “if you visit our website, you consent to our privacy policy” as evidence of consent to processing of sensitive information. Furthermore, hovering over, muting, pausing, or closing a given piece of content will not be considered sufficient evidence of consent.
Treatment of Children’s Data
NJDPL requires businesses to obtain explicit consent for processing personal data of children under the age of 13, treating such data as sensitive. Consent also is required for processing of data of minors that are at least 13 and are younger than 17, if such processing is done for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effect on the consumer. With this latter provision, New Jersey’s law extends protections beyond federal standards under the Children’s Online Privacy Protection Act (COPPA), which only safeguards the data obtained online from children under 13.
The FAQs state that when a controller knows or should know that a consumer is between the ages of 13 and 16 (note, NJDPL uses the term “younger than 17” but the FAQ is using the 13–16 range), the controller must get the consumer’s consent before processing the consumer’s personal data. This is interesting as this statement is broader than NJDPL. First, the FAQs use the term “should know” whereas the statute requires actual knowledge or willful disregard. Second, the FAQs claim that consent is necessary for any processing of the data of minors ages 13–16, and not only when sale of data, targeted advertising, or profiling is occurring. 
Businesses processing children’s data should take note and consider building a more stringent compliance regime: even where FAQs are non-binding, this is an enforcement focus area for the New Jersey regulator (and for the regulators in other states and on the federal level).
Considerations for Compliance
With the enforcement deadline looming, organizations within the scope of NJDPL should consider the following workflow to align their compliance with the incoming law:

Review/Update Privacy Policies: Update privacy notices to clearly outline data processing activities, purposes of processing, consumer rights, and opt-out procedures, among other mandatory disclosures, to track NJDPL’s requirements. 
Implement Consent Management Systems: Adopt technologies that facilitate obtaining, managing, and documenting consumer consent for sensitive data processing.  
Conduct Data Protection Assessments: Regularly evaluate data handling practices to identify risks and benefits of processing activity that presents heightened risk of harm to the consumers to ensure alignment with New Jersey’s law. 
Enhance Training Programs: Educate employees with data privacy responsibility in different departments (including IT, Marketing, and Customer Service, not just Legal) about NJDPL’s provisions and the importance of safeguarding consumer data and respecting consumer choices regarding their data.  
Stay Informed of the Regulatory Changes: Be aware of evolving privacy regulations to anticipate and address new compliance obligations. Aside from New Jersey’s anticipated regulations, other states are poised to adopt new privacy laws or amend existing ones, promising that 2025 will be a busy year for data privacy.

While the FAQs serve as an important resource for understanding the law’s practical application, highlighting the importance of explicit consent and enhanced protections for sensitive data, organizations should consider following the more precise requirements of NJDPL and the incoming regulations in aligning their practices with New Jersey’s requirements. As compliance with the NJDPL becomes mandatory, legal experts can provide tailored advice to navigate the intricacies of the law and ensure that data practices align with both state and federal regulations.

What Employers Need to Know About the Recent EEOC Guidance to Health Care Providers on the Pregnant Workers Fairness Act

On June 27, 2023, the Pregnant Workers Fairness Act (PWFA), a federal law enforced by the US Equal Employment Opportunity Commission (EEOC), went into effect. The PWFA mandates that employers with at least 15 employees, along with other covered entities, provide reasonable accommodations for employees with known limitations related to, affected by, or arising out of pregnancy, childbirth, or related medical conditions.

On December 18, 2024, the EEOC published guidance to health care providers on how they can help patients seeking childbirth and pregnancy-related workplace accommodations from their employers under the PWFA.
What Employers Need to Know
Requirement and Purpose 
Employers must offer reasonable accommodations for pregnant employees. A reasonable accommodation is described as a change in the work environment or in the way things are usually done that enables an applicant or employee to apply for a job, perform their job, or enjoy access to the same benefits and privileges of employment as other employees. The guidance explains that health care providers can request accommodations for employees under the PWFA.
Covered Individuals 
Employees or applicants are qualified if they can perform essential job functions with or without accommodation, or if they are temporarily unable to perform these functions but can do so in the near future with reasonable accommodations. Limitations are considered “known” when communicated by the employee or their representative.
Requesting Accommodations 
Employees and applicants do not need to use specific language to request accommodations and the interactive process starts once a request is made. Employers cannot require the employee to be examined by a health care provider selected by the employer but may require documentation in certain situations.
Documentation
The EEOC’s recent guidance highlights health care providers’ role in documenting and communicating the need for workplace accommodations and informing patients about their rights under the PWFA.

Please note that if an employer uses an Americans with Disabilities Act (ADA) or Family and Medical Leave Act (FMLA) medical questionnaire for PWFA purposes, the employer should instruct the employee that only the applicable questions need to be answered.

Some employees may be entitled to accommodations under the PWFA if their condition does not meet the definition of disability specified in the ADA and even if they do not qualify for leave under the FMLA.
While the physical or mental conditions an employee faces may overlap with disabilities under the ADA or serious health conditions under the FMLA, not all questions on ADA or FMLA forms will be relevant to PWFA requests. However, if an employee is also seeking accommodations under the ADA or leave under the FMLA, the information may be relevant.

Employers may require that the documentation from a health care provider include the following:

Confirm the physical or mental condition with a simple statement, no diagnosis is needed. The problem or impairment may be serious, minor, moderate, or episodic such as fatigue, vomiting, or swelling. It could also be the need to attend medical appointments.
Confirm the condition is related to pregnancy, childbirth, or related medical conditions. Pregnancy, childbirth, or related medical conditions do not need to be the sole, original, or substantial cause of the physical or mental condition.
Describe the needed workplace adjustment and its expected duration (e.g., change in work schedule, telework, light duty, flexible or longer break to use the restroom, leave for medical appointment, or to recover from childbirth). If the accommodation involves temporarily suspending a main or essential job duty, the documentation should specify that it is temporary and provide an estimate of when the duty can be resumed post-pregnancy or soon after.
Include a brief statement of the provider’s qualifications.

Non-Discrimination
The PWFA prohibits discrimination based on pregnancy or related conditions, preventing adverse actions like firing or demotion.
Alternative Solutions and Undue Hardship
While the exact accommodation the employee requests does not have to be provided, employers must collaborate with employees to provide an effective alternative that doesn’t cause undue hardship to the employer.
Confidentiality 
Under the PWFA, employers must keep all medical information related to an accommodation request confidential.
Risks of Noncompliance and Next Steps
Noncompliance with the PWFA can lead to significant legal and financial consequences for employers, including lawsuits, penalties, and reputational damage. To mitigate these risks, employers should:

Review and Update Policies: Ensure workplace policies align with the PWFA, covering reasonable accommodations, nondiscrimination, and documentation requirements.
Training and Communication: Train managers and clearly communicate employees’ rights under the PWFA using the employer’s typical communication methods (e.g., handbooks, intranet, or email).
Prevent Discrimination and Retaliation: Follow the EEOC’s guidance to avoid discrimination or retaliation against employees requesting reasonable accommodations under the PWFA.
Understand Related Laws: Understand obligations under similar state laws and federal laws such as the ADA, FMLA, and the Pregnancy Discrimination Act (PDA) as well as avoid imposing greater requirements than necessary on employees requesting accommodations under the PWFA.

For more information about the PWFA, visit More Resources About the PWFA | EEOC.

HHS Proposed Rule Would Increase Cybersecurity Requirements for Electronic Health Data

The U.S. Department of Health and Human Services (HHS) recently released a proposed rule to better protect electronic health data from cybersecurity threats. The proposed rule would apply to health plans, healthcare providers, healthcare clearinghouses, and their business associates, such as billing companies, third-party administrators, and pharmacy benefit managers.
Quick Hits

HHS has proposed a rule to shore up cybersecurity protections for electronic health records under the Health Insurance Portability and Accountability Act (HIPAA).
The new rules would apply to HIPAA-regulated entities, such as healthcare providers, hospitals, and others that handle electronic medical data.
The public can submit comments on the proposed rule until March 7, 2025.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has not undergone a major overhaul since 2013. However, in response to rising cybersecurity threats across the healthcare industry, on January 6, 2025, HHS published a proposed rule that would update and bolster cybersecurity protections for personal health information that’s collected by healthcare providers, hospitals, insurers, and other companies. The public has until March 7, 2025, to submit comments on the proposal.
If finalized, these changes would apply to all HIPAA-covered entities and their business associates, imposing stricter requirements around risk assessments, data encryption, multifactor authentication, and more. Importantly, the proposed rule would eliminate the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required. This shift would remove much of the discretion that HIPAA-regulated entities presently have in determining whether to implement “addressable” measures, instead introducing more granular, prescriptive requirements to ensure compliance with all security standards.
The proposed rule also would require:

written documentation of policies, procedures, plans, and analyses related to complying with the HIPAA Security Rule;
covered entities to develop and update a technology asset inventory and a network map that illustrates the movement of electronic health information throughout the electronic information system;
covered entities to conduct a more robust risk analysis than under the current rule, including incorporation of the entity’s technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic health information; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit vulnerabilities;
encryption of electronic health information at rest and in transit;
the use of multifactor authentication;
covered entities to use anti-malware protections and remove extraneous software from electronic information systems;
an audit at least once per year to confirm compliance with the HIPAA Security Rule;
covered entities at least once per year to obtain written certification from business associates that they have deployed the technical safeguards required by the HIPAA Security Rule;
covered entities to review and test the effectiveness of certain security measures at least once every twelve months;
vulnerability scanning at least every six months and penetration testing at least once every twelve months;
network segmentation and separate technical controls for backup and recovery of electronic health information and electronic information systems;
covered entities to establish written procedures to restore the loss of certain electronic information systems and data within seventy-two hours, and document how employees should report security incidents and how the regulated entity will respond to security incidents. Business associates would have to notify covered entities upon activating their security contingency plans no later than twenty-four hours after activation;
covered entities to cut off a former employee’s access to personal health information no later than one hour after the employment has been terminated; and
group health plans to include in their plan documents requirements for their plan sponsors to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.

Next Steps
Employers and the public have until March 7, 2025, to submit comments about the proposed rule. The final rule would take effect sixty days after being published in the Federal Register. The existing HIPAA Security Rule remains in effect while the rulemaking is underway.
HIPAA-covered entities (and employers that sponsor them) may wish to review their cybersecurity practices and policies as they relate to electronic health information and evaluate gaps between existing practices and documentation and the rules as proposed. While some of the proposed changes reflect common security measures already implemented by many HIPAA-covered entities, if the proposed rule takes effect, employers can expect to incur extra costs to align their practices with those outlined by the proposed rules. This is especially true for large employers that offer self-insured health plans to their workers, since employers are generally responsible for HIPAA compliance for the self-insured health plans they sponsor.

U.S. Cyber Trust Mark Program at Hand After White House Launch Announcement

The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will govern the procedures for obtaining and using the Mark’s distinctive shield logo.
What’s In Program Scope – Per the FCC, the program applies to consumer wireless Internet of Things (IoT) products – radio frequency devices clearly within its jurisdiction under Section 302 of the Communications Act. Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
What Is Not – On the other hand, the program does not include items outside the FCC’s regulatory jurisdiction, such as medical devices regulated by the Food and Drug Administration and motor vehicles and equipment regulated by the National Highway Traffic Safety Administration. Also excluded are wired devices; products primarily used for manufacturing, industrial control or enterprise applications; equipment on the FCC’s Covered List and equipment produced by an entity on the covered list; IoT products from a company on other lists addressing national security; and IoT products produced by entities banned from Federal procurement.
Process And Standards – Products must be tested at an FCC-recognized accredited laboratory (CyberLAB) for evaluation against the program’s cybersecurity criteria. Those criteria are based on standards developed by the National Institute of Standards and Technology (NIST) and other expert guidance intended to ensure that certified devices have robust cybersecurity protections, including, for example, implementation of strong encryption protocols and requirements for user authentication before granting access to device settings or data.
Program Management and Compliance Enforcement – The FCC will manage the program but also rely on Cybersecurity Labeling Administrators (CLA), who will evaluate the post-testing applications for approval to use the Mark; the FCC has already approved a number of these CLAs.
Among other things, CLAs will be responsible for ensuring that users comply with applicable FCC rules. In adopting the regulatory framework for the program, the agency decided that it would “rely on a combination of administrative remedies and civil litigation to address non-compliance.” The FCC “direct[ed] the CLAs to conduct post-market surveillance…to ensure that the integrity of the Cyber Trust Mark is maintained.”
Further, “random audits” will be coupled with such surveillance. Identified products that fail to comply with applicable technical regulations for that product could be stripped of approval to display the Mark.
In the interest of the integrity of the Mark, the Commission also made clear that it will “pursue all available means to prosecute entities who improperly or fraudulently use the FCC IoT Label, which may include, but are not limited to, enforcement actions, legal claims of deceptive practices prosecuted through the FTC, and legal claims for trademark infringement or breach of contract.”
Further Notice of Proposed Rulemaking: National Security – In an ongoing effort to address potential hidden national security threats, the FCC’s Further Notice of Proposed Rulemaking focuses on such threats contained in consumer products bearing the IoT Label. To that end, the FCC seeks comments on “additional declarations intended to provide consumers with assurances that the products bearing the IoT Label do not contain hidden vulnerabilities from high risk countries [e.g., China], that data collected by the product does not sit within or transit high-risk countries and that products cannot be remotely controlled by servers located within high-risk countries.”
Incoming Chairman Carr, who has voiced a strong interest in addressing national security concerns, is sure to support these initiatives on an ongoing basis.

Black Box Issues [Podcast]

In part three of our series on potential pitfalls in the use of artificial intelligence (or AI) when it comes to employment decisions, partner Guy Brenner and senior counsel Jonathan Slowik dive into the concept of “black box” systems—AI tools whose internal decision-making processes are not transparent. The internal workings of such systems may not be well understood, even by the developers who create them. We explore the challenges this poses for employers seeking to ensure that their use of AI in employment decisions does not inadvertently introduce bias into the process. Be sure to tune in for a closer look at the complexities of this conundrum and what it means for employers.

McDermott+ Check-Up: January 10, 2025

THIS WEEK’S DOSE

119th Congress Begins. The new Congress began with key membership announcements for relevant healthcare committees.
Cures 2.1 White Paper Published. The document outlines the 21st Century Cures 2.1 legislative proposal, focusing on advancing healthcare technologies and fostering innovation.
Senate Budget Committee Members Release Report on Private Equity. The report, released by the committee’s chair and ranking member from the 118th Congress, includes findings from an investigation into private equity’s role in healthcare.
HHS OCR Proposes Significant Updates to HIPAA Security Rule. The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) seeks to address current cybersecurity concerns.
HHS Releases AI Strategic Plan. The plan outlines how HHS will prioritize resources and coordinate efforts related to artificial intelligence (AI).
CFPB Removes Medical Debt from Consumer Credit Reports. The Consumer Financial Protection Bureau (CFPB) finalized its 2024 proposal largely as proposed.
President Biden Signs Several Public Health Bills into Law. The legislation includes the reauthorization and creation of public health programs related to cardiomyopathy, autism, and emergency medical services for children.

CONGRESS

119th Congress Begins. The 119th Congress began on January 3, 2025. Lawmakers reelected Speaker Johnson in the first round of votes and adopted the House rules package. The first full week in session was slow-moving due to a winter storm in Washington, DC; funeral proceedings for President Jimmy Carter; and the certification of electoral college votes. Committees are still getting organized, and additions to key health committees include:

House Energy & Commerce: Reps. Bentz (R-OR), Houchin (R-IN), Fry (R-SC), Lee (R-FL), Langworthy (R-NY), Kean (R-NJ), Rulli (R-OH), Evans (R-CO), Goldman (R-TX), Fedorchak (R-ND), Ocasio-Cortez (D-NY), Mullin (D-CA), Carter (D-LA), McClellan (D-VA), Landsman (D-OH), Auchincloss (D-MA), and Menendez (D-NJ).
House Ways & Means: Reps. Moran (R-TX), Yakym (R-IN), Miller (R-OH), Bean (R-FL), Boyle (D-PA), Plaskett (D-VI), and Suozzi (D-NY).
Senate Finance: Sens. Marshall (R-KS), Sanders (I-VT), Smith (D-MN), Ray Luján (D-NM), Warnock (D-GA), and Welch (D-VT).
Senate Health, Education, Labor & Pensions: Sens. Scott (R-SC), Hawley (R-MO), Banks (R-IN), Crapo (R-ID), Blackburn (R-TN), Kim (D-NJ), Blunt Rochester (D-DE), and Alsobrooks (D-MD).

Congress has a busy year ahead. The continuing resolution (CR) enacted in December 2024 included several short-term extensions of health provisions (and excluded many others that had been included in an earlier proposed bipartisan health package), and these extensions will expire on March 14, 2025. Congress will need to complete action on fiscal year (FY) 2025 appropriations by this date, whether by passing another CR through the end of the FY, or by passing a full FY 2025 appropriations package. The short-term health extenders included in the December CR could be further extended in the next appropriations bill, and Congress also has the opportunity to revisit the bipartisan, bicameral healthcare package that was unveiled in December but ultimately left out of the CR because of pushback from Republicans about the overall bill’s size.
The 119th Congress will also be focused in the coming weeks on advancing key priorities – including immigration reform, energy policy, extending the 2017 tax cuts, and raising the debt limit – through the budget reconciliation process. This procedural maneuver allows the Senate to advance legislation with a simple majority, rather than the 60 votes needed to overcome the threat of a filibuster. Discussions are underway about the scope of this package and the logistics (will there be one reconciliation bill or two?), and we expect to learn more in the days and weeks ahead. It is possible that healthcare provisions could become a part of such a reconciliation package.
Cures 2.1 White Paper Published. Rep. Diana DeGette (D-CO) and former Rep. Larry Bucshon (R-IN) released a white paper on December 24, 2024, outlining potential provisions of the 21st Century Cures 2.1 legislative proposal expected to be introduced later this year. This white paper and the anticipated legislation are informed by responses to a 2024 request for information. The white paper is broad, discussing potential Medicare reforms relating to gene therapy access, coverage determinations, and fostering innovation. With Rep. Bucshon’s retirement, all eyes are focused on who will be the Republican lead on this effort.
Senate Budget Committee Members Release Report on Private Equity. The report contains findings from an investigation into private equity’s role in healthcare led by the leaders of the committee in the 118th Congress, then-Chair Whitehouse (D-RI) and then-Ranking Member Grassley (R-IA). The report includes two case studies and states that private equity firms have become increasingly involved in US hospitals. They write that this trend impacts quality of care, patient safety, and financial stability at hospitals across the United States, and the report calls for greater oversight, transparency, and reforms of private equity’s role in healthcare. A press release that includes more documents related to the case studies can be found here.

ADMINISTRATION

HHS OCR Proposes Significant Updates to HIPAA Security Rule. HHS OCR released a proposed rule, HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (ePHI). HHS OCR proposes minimum cybersecurity standards that would apply to health plans, healthcare clearinghouses, most healthcare providers (including hospitals), and their business associates. Key proposals include:

Removing the distinction between “required” and “addressable” implementation specifications and making all implementation specifications required with specific, limited exceptions.
Requiring written documentation of all Security Rule policies, procedures, plans, and analyses.
Updating definitions and revising implementation specifications to reflect changes in technology and terminology.
Adding specific compliance time periods for many existing requirements.
Requiring the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
Strengthening requirements for planning for contingencies and responding to security incidents.
Requiring regulated entities to conduct an audit at least once every 12 months to ensure their compliance with the Security Rule requirements.

The HHS OCR fact sheet is available here. Comments are due on March 7, 2025. Because this is a proposed rule, the incoming Administration will determine the content and next steps for the final rule.
HHS Releases AI Strategic Plan. In response to President Biden’s Executive Order on AI, HHS unveiled its AI strategic plan. The plan is organized into five primary domains:

Medical research and discovery
Medical product development, safety and effectiveness
Healthcare delivery
Human services delivery
Public health

Within each of these chapters, HHS discusses in depth the context of AI, stakeholders engaged in the domain’s AI value chain, opportunities for the application of AI in the domain, trends in AI for the domain, potential use-cases and risks, and an action plan.
The report also highlights efforts related to cybersecurity and internal operations. Lastly, the plan outlines responsibility for AI efforts within HHS’s Office of the Chief Artificial Intelligence Officer.
CFPB Removes Medical Debt from Consumer Credit Reports. The final rule removes $49 billion in unpaid medical bills from the credit reports of 15 million Americans, building on the Biden-Harris Administration’s work with states and localities. The White House fact sheet can be found here. Whether the incoming Administration will intervene in this rulemaking remains an open question.
President Biden Signs Several Public Health Bills into Law. These bills from the 118th Congress include:

H.R. 6829, the HEARTS Act of 2024, which mandates that the HHS Secretary work with the Centers for Disease Control and Prevention, patient advocacy groups, and health professional organizations to develop and distribute educational materials on cardiomyopathy.
H.R. 6960, the Emergency Medical Services for Children Reauthorization Act of 2024, which reauthorizes through FY 2029 the Emergency Medical Services for Children State Partnership Program.
H.R. 7213, the Autism CARES Act of 2024, which reauthorizes, through FY 2029, the Developmental Disabilities Surveillance and Research Program and the Interagency Autism Coordinating Committee in HHS, among other HHS programs to support autism education, early detection, and intervention.

QUICK HITS

ACIMM Hosts Public Meeting. The HHS Advisory Committee on Infant and Maternal Mortality (ACIMM) January meeting included discussion and voting on draft recommendations related to preconception/interconception health, systems issues in rural health, and social drivers of health. The agenda can be found here.
CBO Releases Report on Gene Therapy Treatment for Sickle Cell Disease. The Congressional Budget Office (CBO) report did not estimate the federal budgetary effects of any policy, but instead discussed how CBO would assess related policies in the future.
CMS Reports Marketplace 2025 Open Enrollment Data. As of January 4, 2025, 23.6 million consumers had selected a plan for coverage in 2025, including more than three million new consumers. Read the fact sheet here.
CMS Updates Hospital Price Transparency Guidance. The agency posted updated frequently asked questions (FAQs) on hospital price transparency compliance requirements. Some of the FAQs are related to new requirements that took effect January 1, 2025, as finalized in the Calendar Year 2024 Outpatient Prospective Payment System/Ambulatory Services Center Final Rule, and others are modifications to existing requirements as detailed in previous FAQs.
GAO Releases Reports on Older Americans Act-Funded Services, ARPA-H Workforce. The US Government Accountability Office (GAO) report recommended that the Administration for Community Living develop a written plan for its work with the Interagency Coordinating Committee on Healthy Aging and Age-Friendly Communities to improve services funded under the Older Americans Act. In another report, the GAO recommended that the Advanced Research Projects Agency for Health (ARPA-H) develop a workforce planning process and assess scientific personnel data.
VA Expands Cancers Covered by PACT Act. The US Department of Veterans Affairs (VA) will add several new cancers to the list of those presumed to be related to burn pit exposure, lowering the burden of proof for veterans to receive disability benefits. Read the press release here.
HHS Announces $10M in Awards for Maternal Health. The $10 million in grants from the Substance Abuse and Mental Health Services Administration (SAMHSA) will go to a new community-based maternal behavioral health services grant program. Read the press release here.
Surgeon General Issues Advisory on Link Between Alcohol and Cancer Risk. The advisory includes a series of recommendations to increase awareness of the connection between alcohol consumption and cancer risk and update the existing Surgeon General’s health warning label on alcohol-containing beverages. Read the press release here.
SAMHSA Awards CCBHC Medicaid Demonstration Planning Grants. The grants will go to 14 states and Washington, DC, to plan a Certified Community Behavioral Health Clinic (CCBHC). Read the press release here.
HHS Announces Membership of Parkinson’s Advisory Council. The Advisory Council on Parkinson’s Research, Care, and Services will be co-chaired by Walter J. Koroshetz, MD, Director of the National Institutes of Health’s National Institute of Neurological Disorders and Stroke, and David Goldstein, MS, Associate Deputy Director for the Office of Science and Medicine for HHS’s Office of the Assistant Secretary for Health. Read the press release here.

NEXT WEEK’S DIAGNOSIS

The House and Senate are in session next week and will continue to organize for the 119th Congress. Confirmation hearings are expected to begin in the Senate for President-elect Trump’s nominees, although none in the healthcare space have been announced yet. On the regulatory front, CMS will publish the Medicare Advantage rate notice.