Beltway Buzz, January 10, 2025

Welcome to the 119th Congress. Even before President-elect Donald Trump is sworn in on January 20, 2025, change has come to Washington, D.C., as the 119th Congress gaveled in late last week. Here is what the Buzz is watching as the new Congress kicks off:

A Trifecta? Yes, but … Republicans control the White House, as well as the U.S. Senate and U.S. House of Representatives, but that doesn’t mean that getting legislation to President-elect Trump’s desk is going to be easy. In the Senate, Republicans hold a 53–47 majority, with Vice President-elect J.D. Vance as the potential tiebreaking vote. This is seven votes short of a filibuster-proof majority, meaning that most partisan bills will have a hard time getting through the Senate. Moreover, in the House, Republicans hold a 219–215 majority. This razor-thin majority will get even thinner, as President-elect Trump has promised to nominate Representative Elise Stefanik (R-NY) as ambassador to the United Nations and Representative Mike Waltz (R-FL) as national security adviser. Depending on the timing of confirmations and special elections, this could mean that Republicans won’t be able to lose a single vote on any bill.
Get Ready for Reconciliation. Because Republicans are unlikely to sway at least seven Democrats to join them in voting for most bills, they will likely turn to the arcane budgetary process called reconciliation to advance their policy priorities. Ostensibly reserved for budgetary matters, the reconciliation process has the advantage of only needing a majority vote in the U.S. Senate. The drawback of the process is that because it is a budgetary tool, issues contained in such a bill must be fiscally related. Over recent years both Democrats (Affordable Care Act, American Rescue Plan Act, the Inflation Reduction Act) and Republicans (Tax Cuts and Jobs Act) have used the process to secure legislative victories. So, while this process could be used by Republicans to score wins on certain policy positions (e.g., tax cuts), they will not be able to use reconciliation to pass every legislative priority.
“Must-Pass” Legislation. As always, there are annual legislative exercises that must be addressed by Congress. Funding the federal government beyond the current March 14, 2025, deadline and lifting or suspending the debt limit will be major issues that Congress will have to address in the coming weeks and months. This could take time and attention away from other matters, such as the confirmation of political nominees.
Nominations. Speaking of nominations, the Buzz will be watching the confirmation process for putative secretary of labor nominee Lori Chavez-DeRemer. We will also be monitoring vacancies at the National Labor Relations Board and U.S. Equal Employment Opportunity Commission (as well as potential vacancies in the general counsel’s office at each of these agencies). The early rounds of confirmation hearings are usually reserved for high-profile cabinet-level positions such as secretary of state, secretary of the treasury, and attorney general.
Other Legislation. The Buzz will be watching for the reintroduction of the Dismantle DEI Act. The bill is unlikely to pass the Senate, but it could be the subject of congressional hearings.

Ports Strike Averted. This week, the International Longshoremen’s Association (ILA) and the group representing shippers and employers at East Coast and Gulf Coast ports announced a tentative agreement on a new six-year collective bargaining agreement, avoiding a potential strike. Buzz readers may recall that the parties have been negotiating over the introduction of automation technology at the ports. According to a joint statement released by the parties, the “agreement protects current ILA jobs and establishes a framework for implementing technologies that will create more jobs while modernizing East and Gulf coast ports—making them safer and more efficient, and creating the capacity they need to keep our supply chains strong.” ILA members must still vote to ratify the contract.
Fed Contracting Agency Withdraws Salary History and Transparency Rule. On January 8, 2025, the Federal Acquisition Regulatory Council (FAR Council) withdrew its January 30, 2024, proposed rule that would have prohibited federal contractors from considering an applicant or employee’s salary history when making compensation decisions. The proposal also would have required federal contractors to disclose compensation information in advertisements for job openings in connection with a federal contract. The FAR Council stated that “[i]n light of the limited time remaining in the current Administration,” it had “decided to withdraw the proposed policy and rule and focus [its] attention on other priorities, including directives in recent National Defense Authorization Acts.”
OSHA Heat Docket Wraps Up. January 14, 2025, is the deadline for stakeholders to submit comments in response to the Occupational Safety and Health Administration’s proposed heat standard. The incoming Trump administration is unlikely to move forward with the proposal, at least as currently written.
A Commanding Act. During his four years in office, President Biden, the commander in chief, signed into law the American Rescue Plan Act, the Inflation Reduction Act, and the Creating Helpful Incentives to Produce Semiconductors (CHIPS) and Science Act of 2022, among others. But for residents of Washington, D.C., President Biden’s most enduring legislative victory is probably the D.C. Robert F. Kennedy Memorial Stadium Campus Revitalization Act. The statute instructs the secretary of the interior to transfer “administrative jurisdiction over the Robert F. Kennedy Memorial Stadium Campus” to the District of Columbia for, among other purposes, “[s]tadium purposes, including training facilities, offices, and other structures necessary to support a stadium.” The act likely paves the way for the construction of a stadium in Washington, D.C., that will hold professional football games.

Building a Smarter Long-Term Care System in New York

New York State has a long-standing commitment to supporting its most vulnerable populations through Medicaid-funded services for older adults and those requiring long-term care. However, rising costs and an increasingly complex healthcare landscape have created challenges that demand innovative solutions. As New York seeks to align its healthcare system with evolving needs, the time has come to adopt integrated care models that promote sustainability, efficiency, and improved outcomes.
The Program of All-Inclusive Care for the Elderly (PACE) offers a clear path forward. This model has consistently demonstrated its ability to reduce healthcare costs while enhancing patient outcomes by integrating medical, social, and behavioral health services under one umbrella. PACE allows older adults to age in place by expanding access to home- and community-based services (HCBS). These services empower individuals to remain in their homes rather than institutional settings, which not only aligns with patient preferences but also reduces system-wide costs. Despite these clear benefits, New York has not approved a new PACE program since 2011, leaving this proven model underutilized in the state.
Integrated care models like PACE deliver significant advantages. By addressing social determinants of health—such as transportation, housing, and nutrition—these programs take a whole-person approach that improves both health outcomes and quality of life. At the same time, they streamline administrative processes, reducing bureaucracy for patients and providers alike. Nationally, PACE has shown remarkable success in reducing duplicative services, unnecessary hospitalizations, and other inefficiencies that drive up costs in fragmented care systems.
As the state considers reforms, it should prioritize integrated care models that promote collaboration, simplify care delivery, and align incentives across payers and providers. This could include a phased approach to transition eligible individuals from partial capitation and fee-for-service models to fully integrated plans, such as PACE or Medicare Advantage Plus (MAP). By setting clear benchmarks for integration and incentivizing innovation, the state can create a roadmap for meaningful progress.
To fully realize the potential of integrated care, New York must also address existing barriers to expanding PACE programs. Simplifying the regulatory framework and providing financial incentives for organizations willing to invest in PACE would go a long way toward increasing access, especially in underserved areas. Additionally, collaboration between managed long-term care plans and PACE could enhance the continuum of care for patients, ensuring they benefit from the strengths of both models. Nonprofit and community-based organizations, which have a history of delivering high-quality, cost-effective care, should also be given opportunities to expand their reach and impact.
Addressing misaligned incentives between Medicaid, which is state-funded, and Medicare, which is federally funded, remains a critical priority. Strengthening partnerships between state and federal entities will enable shared savings arrangements that reward innovative, high-performing care models. New York has an opportunity to lead the way in aligning these funding streams to support integrated care more effectively.
As Medicaid cost control becomes a pressing issue, piecemeal reforms that add complexity without meaningful benefits must be avoided. Instead, the state should take bold, decisive action to embrace integrated care models that deliver both financial sustainability and improved outcomes. By prioritizing proven programs like PACE, fostering collaboration among stakeholders, and removing barriers to innovation, New York can honor its commitment to aging populations and build a long-term care system that is both effective and enduring.

Is the Rider or the Company Liable in a Bike Share Accident in Philadelphia?

Bike share programs have revolutionized the way people travel in cities across the country. With names like Indego in Philadelphia, these programs offer a convenient, eco-friendly alternative to other forms of public transportation. The bikes can be found at kiosks near major landmarks such as Penn Station, Rittenhouse Square, and Millennium Park, making them a practical choice for commuters, tourists, and residents alike.
But as bike share usage grows, so does the potential for accidents. And when accidents happen, the question of liability arises. Who is responsible — the rider or the bike share company?
Understanding who bears responsibility in a bike share accident is not always straightforward. Multiple factors come into play, requiring an analysis of rider responsibility, company obligations, and the circumstances that led to the accident.
What’s clear, however, is that victims of such accidents often face physical injuries, emotional challenges, and financial hardships. For these individuals, securing compensation through a personal injury claim isn’t just about the money — it’s about getting the resources they need to recover and move forward with their lives. 
The Growing Popularity of Bike Share Programs
Over the past decade, bike share systems have become an integral part of urban transportation. Major cities like Philadelphia have embraced these programs to reduce traffic congestion, cut carbon emissions, and promote healthier lifestyles. Companies like Lyft and Lime operate many of these systems, and cities often partner with private entities to maintain and expand their programs.
The convenience of bike shares has made them incredibly popular, but the increase in usage has also brought to light safety concerns. Riders often find themselves navigating busy streets alongside cars, buses, and pedestrians. And while most bike share programs require riders to agree to terms and conditions before using the service, many people don’t understand the legal implications of those agreements until an accident happens.
Common Causes of Bike Share Accidents
Bike share accidents can happen for a variety of reasons, ranging from rider error to poor bike maintenance. Some of the most common causes include:
Rider Mistakes
Riders often take to the streets with the best intentions, but certain common errors can significantly increase the risk of accidents:

Failure to obey traffic laws: Riders are required to follow the same rules of the road as drivers. Running red lights, ignoring stop signs, or riding against traffic can lead to collisions.
Lack of experience: Many bike share users aren’t regular bicyclists and may lack the skills needed to safely navigate urban environments.
Distractions and negligence: Just like drivers, cyclists can become distracted by their phones, GPS, or surroundings, increasing the likelihood of an accident.

Bike Share Company Negligence
While riders rely on bike share programs for convenience and safety, lapses in company responsibilities can lead to preventable accidents:

Poor bike maintenance: Users expect bikes to be safe and in good condition, but improper maintenance can result in brake failures, tire blowouts, or other mechanical issues.
Faulty docking stations: Broken or poorly maintained docking stations can create hazards, especially in high-traffic areas.
Failure to provide adequate safety guidance: Some bike share companies don’t make it clear how to inspect a bike for issues or provide information on safe riding practices.

External Factors
Beyond rider actions and company obligations, outside conditions can also play a major role in causing bike share accidents:

Road hazards: Potholes, debris, or uneven pavement can cause accidents, particularly for inexperienced riders.
Collisions with motor vehicles: Sharing the road with cars and trucks poses a significant risk, especially when drivers fail to give riders the space they need.
Weather conditions: Rain, snow, or ice can make riding more treacherous, increasing the likelihood of slipping or loss of control.

Rider Responsibilities
When a customer rents a bike through a bike share program, they agree to a set of terms and conditions. These agreements often include clauses stating that the rider assumes responsibility for following traffic laws and riding safely. However, this doesn’t mean the rider is always at fault in the event of an accident.
For example, if a rider causes an accident by running a red light or weaving through traffic recklessly, they may be held liable for any injuries or property damage. However, if the accident was caused by a mechanical failure due to the company’s negligence, liability may shift away from the rider. It’s also worth noting that in some states, bicyclists have limited insurance coverage, leaving many riders to bear the financial burden of accidents.
Bike Share Company Obligations
Bike share companies have a duty to provide safe and functional equipment to their users. This includes regularly inspecting and maintaining their bikes, ensuring docking stations are operating properly, and addressing any safety concerns promptly. When they fail in these duties, accidents can happen.
Another consideration is the legal language in user agreements. Many bike share companies include disclaimers in their terms and conditions designed to limit their liability. While these disclaimers can make it harder to hold companies accountable, they are not always enforceable, especially if the company’s negligence can be proven.
Multi-Party Liability in Bike Share Accidents
Sometimes, liability isn’t limited to just the rider or the company. Other parties could also bear responsibility, depending on the circumstances of the accident. These parties might include:

Local governments: Poorly maintained roads or bike paths can create hazards for riders, putting some liability on local municipalities.
Motorists: Drivers who act negligently, such as failing to yield to a cyclist or driving under the influence, can be held accountable for bike share accidents.
Third-party manufacturers: If a bike fails due to a design defect or faulty part, the manufacturer may be responsible.

Each case is unique, and the specific facts of an accident will determine the parties involved in a liability claim.
Determining Liability in a Bike Share Accident
When it comes to personal injury claims, negligence serves as the foundation for determining liability. Negligence occurs when someone fails to act with the level of care that a reasonable person would exercise under similar circumstances, resulting in harm to another person. Understanding this concept is crucial in bike share accident cases, as proving negligence is often the key to securing fair compensation for injuries and damages.
To establish a successful bike share accident claim, victims must demonstrate four key elements of negligence:

Duty of Care: The first step in proving negligence is showing that the defendant owed the victim a duty of care. This means the responsible party was obligated to act in a reasonable manner to ensure the safety of others. For example, bike share companies have a duty to maintain their bicycles, while drivers must follow traffic laws to avoid endangering cyclists.
Breach of Duty: Next, it must be shown that the defendant breached their duty of care. This could involve a bike share company failing to properly maintain its fleet, leading to faulty brakes, or a motorist texting while driving and colliding with a cyclist. A breach occurs when someone’s actions—or inaction—fall below the level of reasonable care expected in that situation.
Causation: Once a breach of duty is established, the victim must prove that this breach directly caused their injuries. For instance, if a rider is injured because of a defective bike, they need to demonstrate that the bike’s malfunction—not some unrelated factor—directly led to the accident.
Damages: Finally, the victim must provide evidence of actual damages, whether physical, emotional, or financial. This includes medical bills, lost wages, pain and suffering, or even the cost of replacing damaged personal items.

Negligence, with its intricate components, is at the heart of bike share accident claims. Proving these four elements requires a careful gathering of evidence and a strategic approach to presenting the case. By successfully demonstrating negligence, victims increase their chances of obtaining the compensation they need to recover and move forward.
Steps to Take After a Bike Share Accident
If you’re involved in a bike share accident, knowing what to do immediately afterward can make a significant difference in protecting your rights and securing compensation. Here are some steps you should take:

Seek medical attention: Your health and safety should always be the top priority. Even if you feel fine, get checked out by a healthcare professional to rule out serious injuries.
Report the accident: Notify the bike share company and, if necessary, file a police report. This helps document the accident and establish an official record.
Gather evidence: Take photos of the accident scene, your injuries, and any damaged equipment. Collect contact information from witnesses and other parties involved.
Preserve the bike: If possible, keep the bike in its post-accident condition. This can be crucial in proving mechanical failure or company negligence.
Consult an attorney: Bicycle accidents can involve complex legal issues, and an experienced attorney can guide you through the process of determining liability and pursuing compensation.

Compensation for Bike Share Accident Victims
Seeking compensation is an essential step in helping victims rebuild their lives, not just by covering their expenses but by restoring their sense of stability and security. Here’s a closer look at the different types of compensation available.
Medical Expenses
The cost of medical care can be a significant burden after a bike share accident. Compensation for medical expenses typically covers everything from emergency treatments, such as ambulance rides and ER visits, to long-term care, like physical therapy or specialized rehabilitation. It may also include the costs of necessary medical equipment, prescription medications, and future treatments required to address ongoing health issues.
Lost Income
Bike share accidents can disrupt a victim’s ability to work, often resulting in the loss of wages. Compensation for lost income accounts for the time away from work during recovery. If the injuries have long-term effects that reduce the victim’s ability to earn, they may also seek damages for diminished earning capacity.
Pain and Suffering
The physical pain and emotional distress caused by a bike share accident often extend far beyond the initial impact. Victims may experience ongoing discomfort, limited mobility, and chronic pain, all of which take a significant toll on their quality of life. Emotional and psychological effects like anxiety, depression, and post-traumatic stress disorder (PTSD) are also common, especially after a particularly traumatic accident.
Property Damage
While personal safety is the top priority, accidents involving bike shares often lead to damaged personal property as well. Smartphones, laptops, clothing, or other items that were damaged or destroyed in the accident can create additional financial strain for victims.
Wrongful Death
The loss of a loved one in a bike share accident is a devastating experience, and no amount of compensation can truly replace their presence in your life. However, wrongful death claims can provide financial support to the families left behind. Wrongful death compensation often covers expenses such as funeral and burial costs, medical bills incurred prior to the victim’s passing, and the loss of future financial contributions from the deceased. Additionally, it can address the emotional toll by compensating for the loss of companionship, guidance, and emotional support that the family relied upon.
Although compensation might initially seem like just a financial transaction, its purpose goes much deeper. It’s not simply about the dollar amount awarded; it’s about giving victims the resources to put their lives back together.

Second Circuit Adopts “At Least One Purpose” Rule for False Claims Act Cases Premised on Anti-Kickback Statute Violations

On December 27, 2024, the U.S. Court of Appeals for the Second Circuit held in U.S. ex rel. Camburn v. Novartis Pharmaceuticals Corporation that a relator adequately pleads a False Claims Act (“FCA”) cause of action premised on violation of the Anti-Kickback Statute (“AKS”) by alleging, with sufficient particularity under Federal Rule of Civil Procedure 9(b) (“Rule 9(b)”), that at least one purpose (rather than the sole or primary purpose) of the alleged kickback scheme was to induce the purchase of federally reimbursable health care products or services.[1]
In doing so, the Second Circuit joins seven other Circuit Courts—the First, Third, Fourth, Fifth, Seventh, Ninth, and Tenth Circuits—in adopting the “at least one purpose” rule. This ruling lowers the bar in the Second Circuit for relators pleading AKS-based FCA claims. 
Interplay Between FCA and AKS Violations
Under the AKS, “a claim that includes items or services resulting from a violation [of the AKS] … constitutes a false or fraudulent claim” under the FCA.[2]
The AKS prohibits persons from, among other things, “knowingly and willfully” soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind—

in return for referring an individual to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under a federal health care program, or
in return for purchasing, leasing, ordering, or arranging for or recommending purchasing, leasing, or ordering any good, facility, service, or item for which payment may be made in whole or in part under a Federal health care program[.]”[3]

Alleged “Sham” Speaker Events & Excessive Compensation
In U.S. ex rel. Camburn, the relator, a former Novartis sales representative, filed a qui tam action in the U.S. District Court for the Southern District of New York alleging violations of the FCA premised on violations of the AKS. The relator alleged that Novartis operated a kickback scheme with the intent of bribing providers to prescribe Gilenya, a multiple sclerosis drug. Specifically, the relator alleged that Novartis operated a sham peer-to-peer speaker program that served as a mechanism for the company to offer remuneration to physicians in exchange for prescribing Gilenya. The relator alleged that the payments made to providers under the guise of this speaker program “caused pharmacies and physicians to submit false claims to the government and to the states for healthcare reimbursement under programs including Medicare Part D, Medicaid, and TRICARE.”[4]
U.S. District Court’s Dismissal with Prejudice
The federal government, as well as 29 states and the District of Columbia, among other parties, declined to intervene in the lawsuit. After granting the relator multiple opportunities to amend his complaint to plead factual allegations with the particularity required by Rule 9(b), the district court held that the relator still failed to adequately plead the existence of a kickback scheme. Because the relator’s FCA claim was based on violations of the AKS, the district court dismissed the relator’s Third Amended Complaint with prejudice and did not address whether the relator sufficiently pled the remaining elements of his FCA claim.
Second Circuit’s Adoption of “At Least One Purpose” Rule
On appeal, the Second Circuit adopted the “at least one purpose” rule and found that, to survive dismissal, the relator “needed only to allege that at least one purpose of the remuneration was to induce prescriptions, without alleging a cause-and-effect relationship (a quid pro quo) between the payments and the physicians’ prescribing habits.”[5] Applying this standard, the Second Circuit concluded that the relator adequately pleaded an AKS violation with respect to the following three categories of allegations: (1) holding “sham” speaker events with no legitimate attendees, (2) excessively compensating physician speakers for canceled events, and (3) deliberately selecting and retaining certain speakers to induce a higher volume of prescriptions of Gilenya.
Specifically, the Second Circuit found that the relator’s “illustrative examples” of physician-speakers presenting solely to other Novartis speakers or to members of their own practice over lavish restaurant meals supported a strong inference that at least one purpose of the speaker program was to provide kickbacks to prescribers. The panel also found that the relator’s allegations that the compensation paid to physician speakers for canceled events ($20,000 to $22,500 to each speaker) over a two-year period, in comparison to the dollar value of the allegedly fraudulent claims submitted to the government for reimbursement (between $1 and $1.7 million) during that same period, gave rise “to a strong inference that the payments constituted, at least in part, unlawful remuneration.”[6] Likewise, the relator’s inclusion of testimony from two Novartis sales representatives regarding the company’s alleged practice of offering speaking engagements to physicians to incentivize them to prescribe Gilenya suggested that these engagements were organized to induce providers to prescribe the drug.
The Second Circuit held that these allegations, accepted as true for purposes of the motion to dismiss, “plausibly and ‘strongly’ suggest Novartis operated its speaker program at least in part to remunerate certain physicians to prescribe Gilenya.”[7] Accordingly, the Second Circuit remanded the case to the district court to determine whether the relator sufficiently pleaded the remaining elements of his FCA claim and to weigh the adequacy of the claims under state and municipal law.
The Second Circuit affirmed, however, the district court’s conclusion that the relator “failed to link Novartis’s DVD initiative, ‘entertainment rooms,’ visual aids for billing codes, and one-on-one physician dinners with a strong inference that Novartis used these tools, at least in part, to induce higher prescription-writing,” with the caveat that another FCA claim predicated on an AKS violation may in fact survive dismissal if similar facts were pleaded with greater particularity.[8]
Practical Takeaways

This case highlights the importance of drug manufacturers and other regulated entities implementing robust and ongoing health care compliance programs in order to continuously and thoroughly evaluate enforcement and whistleblower risk relative to marketing and other business activities.
This decision’s adoption of the “at least one purpose” rule lowers the bar for relators in the Second Circuit to plead FCA violations premised on noncompliance with the AKS. Indeed, the Second Circuit rejected arguments that remuneration is unlawful under the AKS only if the “sole purpose” or “primary purpose” of the payment is to induce health care purchases. As eight circuits across the country have now held, allegations involving a single improper purpose can allow a case to survive dismissal. In these circuits, a relator merely needs to allege that at least one purpose of the remuneration was to induce the purchase of federally reimbursable health care products or services.
The heightened Rule 9(b) pleading standard fully applies in FCA cases premised on AKS violations. While the “at least one purpose” rule broadens liability, the district court and Second Circuit made clear that FCA allegations will be scrutinized to ensure they comport with the heightened Rule 9(b) pleading requirements.

Epstein Becker Green Attorney Ann W. Parks contributed to the preparation of this post.
ENDNOTES
[1] 2024 WL 5230128 (2d Cir. Dec. 27, 2024).
[2] 42 U.S.C. § 1320a-7b(g).
[3] Id. at § 1320a-7b.
[4] Camburn, 2024 WL 5230128, at *2.
[5] Id. at *4.
[6] Id. at *6. 
[7] Id. at *6 (cleaned up) (quoting Hart, 96 F.4th 145, 153 (2d Cir. 2024)).
[8] Id. at *19.

Ethiopia Opens Its Banking Sector to Foreign Banks and Investors After Half a Century of Protectionism

Introduction
With a rapidly growing population of 120 million people, Ethiopia is the fifth-largest economy in Africa by GDP, making it an attractive destination for foreign investment in the banking sector. On December 17, 2024, the Ethiopian Parliament approved the new Banking Business law, which allows foreign banks and foreigners to rejoin the Ethiopian market after an absence of half a century. This proclamation provides various avenues for foreigners to enter the Ethiopian market, marking a significant step in opening one of the last remaining sectors in the country to foreign investment. This move signals a shift from a protectionist to a more liberal policy approach by the government.
Overview of Ethiopia’s Investment Climate
In 2020, Ethiopia introduced a new investment law to expand opportunities for foreign investment. Previously, only specifically identified sectors were open to foreigners. The new law reserves only a few sectors for domestic investors, while all other sectors are open to foreign investment. In 2024, the Ethiopian Investment Board issued a directive further permitting foreign investment in industries that were previously restricted to domestic investment, including export, import, wholesale, and retail trade.
Additionally, the Ethiopian government has liberalized sectors that were previously monopolized by the state, such as telecommunications and logistics. This initiative has expanded foreign investment opportunities across multiple industries. Investors now have the option to acquire shares, enter joint ventures, or invest through the Ethiopian Investment Holdings (EIH), which functions as the strategic investment arm of the Ethiopian government.
These reforms indicate Ethiopia’s move towards economic liberalization by attracting foreign direct investment, including the recent significant shift in opening the financial sector to foreign investment.
The New Banking Business Proclamation
The recent 2024 proclamation aims to enhance the banking industry’s competitiveness and efficiency by allowing foreign investment. 
The proclamation allows foreign banks to enter the Ethiopian market by establishing subsidiaries, opening branches or representative offices, or acquiring shares in domestic banks. It also permits foreign nationals to buy shares in Ethiopian banks.
A foreign bank or strategic investor can acquire up to 40% of shares in a domestic bank, while foreign individuals can hold up to 7%, and entities can hold up to 10%. The total foreign investment is capped at 49%.
Foreign banks entering Ethiopia must invest as foreign direct investment (FDI) using foreign currency, with the capital fully paid in cash up front. Additionally, Ethiopian organizations partially owned by foreign nationals must invest through FDI based on their foreign ownership percentage, also in foreign currency.
Potential Benefits and Challenges
Enabling foreign investment in Ethiopia’s financial sector is projected to bring numerous benefits and challenges. One potential advantage is the increased competition and efficiency. The entry of foreign banks is expected to encourage competition, leading local banks to improve their efficiency, service delivery, and technological advancements. Additionally, the introduction of diverse financial products by foreign banks, such as derivatives, trade finance, and specialized credit facilities, can diversify the local financial market. 
Another benefit is the transfer of knowledge and skills. The involvement of foreign banks introduces professionals and practices to the Ethiopian financial sector. This exposure to international banking standards, risk management frameworks, and digital technologies can enhance the financial ecosystem. Additionally, foreign banks can support the inflow of FDI by connecting with global financial markets, integrating Ethiopia’s economy into the international financial system.
However, the entry of foreign banks also poses several challenges. One significant concern is the risk of market domination. Foreign banks, with their substantial resources, advanced systems, and international networks, could potentially overshadow local banks, leading to market imbalances and reduced competition in the long term. This dominance may stifle domestic financial institutions, hindering their growth and development.
Economic risks are another challenge, as increased foreign bank participation exposes Ethiopia’s economy to external risks such as exchange rate volatility and potential capital flight. The resource disparity between foreign and local banks is also a concern. Foreign banks’ access to sophisticated technologies and funding could widen the gap, restricting domestic banks’ ability to compete effectively and exacerbating financial service inequalities.
Lastly, the integration of foreign banks necessitates robust regulatory frameworks and institutional capacity to monitor and mitigate associated risks. Addressing these regulatory challenges is crucial to ensure the stability and sustainability of Ethiopia’s financial sector.
The enactment of the Banking Business Proclamation represents a significant milestone in Ethiopia’s investment landscape, opening the financial sector to foreign investment after half a century of protectionist policy. By allowing foreign banks to enter its financial sector, Ethiopia aims to enhance competitiveness, diversify financial services, and integrate its economy into the global financial system.

Rule 37 in Action – Case Dismissed

As stated in my previous blog, “A Rule 37 Refresher – As Applied to a Ransomware Attack,” Federal Rule of Civil Procedure 37(e) (“Rule 37”) was completely rewritten in 2015 to provide more clarity and guidance to the sanction process under the Rule.
In Jones v. Riot Hospitality Group, LLC, the Ninth Circuit makes very clear that, when the court faces a sanctions analysis based upon evidence that there is data that should have been preserved, that was lost because of failure to preserve, and that can’t be replicated, then the court has two additional decisions to make: (1) was there prejudice to another party from the loss or (2) was there an intent to deprive another party of the information. If the former, the court may only impose measures “no greater than necessary” to cure the prejudice. If the latter, the court may take a variety of extreme measures, including dismissal of the action. An important distinction was created in Rule 37 between negligence and intention.
Rule 37(e)(2) is clear that the court may impose a variety of extreme measures, including dismissal of a case if there is a violation of Rule 37 with an intent to deprive another party of the relevant information. The Jones case demonstrates this rule in action. The Jones case involves Alyssa Jones, a former waitress at a Scottsdale bar, who sued the bar’s owner-operator, Ryan Hibbert, and his company, Riot Hospitality Group, alleging Title VII violations and common law tort claims. During discovery, upon noticing an unusual pattern of time gaps in the text messages that Jones produced in discovery, along with deposition testimony that demonstrated that particular people had indeed texted with her during those gaps, the court ordered the parties to jointly retain a third-party forensic search specialist to review the phones of Jones and certain witnesses.
The court ultimately found that Jones intentionally deleted relevant text messages with co-workers from 2017 and 2018 and coordinated with her witnesses to delete messages from 2019 and 2020. The court used “reasonable inferences” to determine that it was done with the intent to deprive Riot of use of the messages in the lawsuit. The district court dismissed the case, using the five-factor test for terminating sanctions articulated in Anheuser-Busch, Inc. v. Nat. Beverage Distrib., 69 F.3d 337, 348 (9th Cir. 1995).
The Ninth Circuit found that the use of the Anheuser-Busch test was not necessary and that, to dismiss a case under Rule 37(e)(2), a district court need only find that:

Rule 37(e) prerequisites are met,
the spoliating party acted with the intent required under Rule 37(e)(2), and
lesser sanctions are insufficient to address the loss of the ESI.

Takeaways:
1. If you are in a spoliation dispute, make sure you have the experts and evidence to prove or defend your case.
2. When you are trying to prove spoliation, know the test. If intent to deprive is proven (with direct or circumstantial evidence), then proving prejudice is not a prerequisite to sanctions.
3. Be aware of, plan for, and enforce data preservation protocols early in your case.

Data Privacy: Insights from the Recent FAQs on New Jersey Data Privacy Law

As organizations prepare for compliance with the New Jersey Data Privacy Law (NJDPL), set to take effect on January 15, 2025, the Division of Consumer Affairs (DCA) has released a set of 24 Frequently Asked Questions (FAQs) that provide important insights and guidance on complying with New Jersey’s robust regulatory framework. The FAQs are not binding and should not be considered a legal document or a complete explanation of the law. Rather, they are useful as a reference for persons within the entities covered by NJDPL that have a role in privacy compliance.
The FAQs specifically focus on sensitive data, children’s data, opt-out or revocation of consent from sale of personal data (including via universal opt-out signals), contracts with data processors, and data protection assessments, indicating the New Jersey DCA’s focus areas for the enforcement of the incoming law. This article explores the key takeaways from the FAQs, particularly concerning the treatment of sensitive data.
Understanding the New FAQs
The recent FAQs were published for the convenience of businesses (although the FAQs use the term “businesses,” NJDPL also applies to nonprofits). The FAQs distill and clarify several key definitions contained in the NJDPL, summarize consumer rights, define business obligations, and provide additional guidance regarding processing of sensitive data and data of minors.
Specifically, NJDPL governs the use of personal data, which the law defines as any information that is linked or reasonably linkable to an identified or identifiable person. The FAQs clarify this definition as “any information that is not publicly available and can be used to identify a specific individual.” The key difference between these definitions is in the “reasonably linkable” criteria in the statute, whereas the FAQs seem to focus on specific identifiability. Practically speaking, there are categories of data that may be linkable to an individual through context (for example, email metadata, or de-identified data combined with external data that permits reidentification, such as a fitness tracker ID combined with gym membership data) that would be within NJDPL’s scope. Differences such as these highlight that the covered entities must not rely solely on the FAQs’ definitions when building their NJDPL compliance program.
The FAQs also clarify the definitions of the key actors in the data privacy lifecycle under NJDPL:

Consumer: A New Jersey resident acting in a personal or household context
Controller: Any individual or entity that decides how and why consumers’ personal data is processed
Processor: An individual or entity that processes personal data on behalf of the controller. A processor is different from a controller because it does not have decision-making authority over personal data. A processor can only process personal data at the request and under the direction of a controller.

The FAQ clarifies that NJDPL applies to any controller that:
(1) Does business in New Jersey or produces products or services targeted to New Jersey residents, and (2) During a calendar year either (a) controls or processes the personal data of at least 100,000 consumers or (b) controls or processes the personal data of at least 25,000 consumers and makes money from the sale of personal data.
The FAQs detail some of the obligations of the controllers, including to prepare a written privacy notice accurately disclosing data practices, to honor consumer rights, to enter into written contracts with vendors receiving personal data from controllers (vendors generally will be processors, see below), to conduct data protection assessments, and to process certain categories of data only with consumers’ express consent.
With respect to processors, the FAQs highlight that among other requirements, a processor must:

Follow the controller’s instructions
Help the controller meet its obligations under NJDPL
Keep personal data confidential
Enter into a contract with the controller that contains processing instructions; identifies the data that will be processed and for how long it will be processed; and requires the processor to return or delete the personal data once processing is complete.

For consumers, the FAQs summarize their rights as follows:

Confirm whether a controller processes the consumer’s data
Correct inaccuracies in the consumer’s personal data
Delete the consumer’s personal data
Say “no” (opt out) to a controller selling the consumer’s personal data or using the consumer’s personal data for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy). 

Controllers must provide clear and accessible mechanisms for consumers to exercise these rights. Additionally, by July 15, 2025, businesses must comply with universal opt-out signals, such as those from Global Privacy Control (users enable privacy preferences within their web browsers). A universal opt-out signal is a mechanism that allows individuals to communicate their preference to opt out of certain data processing activities, such as targeted advertising or sale of data, across multiple websites or platforms in a standardized way. It eliminates the need for consumers to manually opt out on each site individually.
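As an added illustration of how a web backend can honor the universal opt-out signal the paragraph above describes (this is example code, not anything from the article, the FAQs or the statute): browsers with Global Privacy Control enabled send the request header "Sec-GPC: 1". The request shape, the activity names and the in-memory preference record are assumptions made for the example.

```javascript
// Added example (not from the article): detecting and honoring a Global
// Privacy Control (GPC) universal opt-out signal on the server side.
// Assumptions: the browser sends the "Sec-GPC: 1" request header defined by
// the GPC specification, and the request object exposes a plain `headers`
// map (as Node's http.IncomingMessage does).

// Activities the opt-out signal applies to, following the article's
// description (sale of data, targeted advertising, certain profiling).
const OPT_OUT_ACTIVITIES = new Set(["sale", "targeted_advertising", "profiling"]);

// True when the request carries a GPC signal. Header names are compared
// case-insensitively and only the literal value "1" counts as a signal.
function hasGpcSignal(req) {
  const headers = (req && req.headers) || {};
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(headers[name]).trim() === "1";
    }
  }
  return false;
}

// Persist the opt-out against the consumer's stored preferences so that later
// requests without the header (for example from another device) still honor it.
// `prefs` is a constructed in-memory record; a real deployment would store it.
function recordOptOut(prefs, req, now = new Date()) {
  if (!hasGpcSignal(req)) return prefs;
  return { ...prefs, optedOut: true, optOutSource: "gpc", optOutAt: now.toISOString() };
}

// Decide whether a processing activity may proceed for this request.
// Returns { allowed, reason } so the caller can log the decision for audit.
function evaluateProcessing(req, activity, prefs = {}) {
  if (!OPT_OUT_ACTIVITIES.has(activity)) {
    return { allowed: true, reason: "activity not subject to opt-out" };
  }
  if (hasGpcSignal(req)) {
    return { allowed: false, reason: "universal opt-out signal present" };
  }
  if (prefs.optedOut) {
    return { allowed: false, reason: `stored opt-out (${prefs.optOutSource})` };
  }
  return { allowed: true, reason: "no opt-out on record" };
}

// Constructed sample requests so the block runs stand-alone.
const gpcRequest = { headers: { "Sec-GPC": "1", host: "example.test" } };
const plainRequest = { headers: { host: "example.test" } };

// First visit with GPC enabled: record the opt-out and block targeted ads.
const prefs = recordOptOut({ consumerId: "c-123" }, gpcRequest);
console.log(evaluateProcessing(gpcRequest, "targeted_advertising"));
// Later visit without the header: the stored opt-out still applies.
console.log(evaluateProcessing(plainRequest, "targeted_advertising", prefs));
// Processing that is not opt-out eligible is unaffected.
console.log(evaluateProcessing(plainRequest, "order_fulfilment", prefs));
```

The design point is that the signal is treated as a durable preference rather than a per-request flag: once a GPC request has been seen for an identifiable consumer, the opt-out is stored and applied even to requests that no longer carry the header, and every decision returns a reason string that can be logged for later review.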
Again, the FAQs do not repeat NJDPL’s definitions, criteria, and recitations of rights word by word, but rather aim to give organizations a general sense of what these key concepts mean. While at first blush the distinctions between the FAQ and NJDPL definitions may not seem significant in practice, as the saying goes, the devil lurks in the details. Note, for example, that personal data processed solely for the purpose of completing a payment transaction is exempted from the 100,000 consumers’ data threshold, and that receiving a discount on a price of any goods or services counts toward the “making money from personal data” threshold. 
Update on Anticipated Regulations and Enforcement Deadlines
New Jersey is one of three states to date that provide rulemaking authority under their data privacy law to the state agency; here, the DCA. The FAQs are not such regulations, but they expressly state that the DCA will be issuing regulations under NJDPL in 2025. This is a new development, as NJDPL does not provide a deadline for promulgation of rules.
While the formal regulations under NJDPL are not yet available, the FAQs expressly state that the entities obligated under NJDPL are required to comply starting on January 15, 2025. A limited opportunity to cure violations may be available until July 1, 2026: If the DCA identifies a potential violation that the controller can remedy, the DCA will send a notice to the controller to give them the chance to fix the problem within 30 days of the notice. If the violation is not remedied, the DCA can proceed with an enforcement action. While this provision is certainly beneficial for covered entities, it should not be interpreted as a license to avoid carefully thinking through and implementing the entity’s compliance obligations before the January 15, 2025, deadline. At most, this grace period should be used to remedy inadvertent mistakes in compliance.
Treatment of Sensitive Data
The FAQs explain that sensitive data is a subset of personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health condition, financial information, sexual activity or sexual orientation, immigration or citizenship status, status as transgender or non-binary, genetic or biometric data, or precise geolocation data. It also includes personal data collected from a known child. This restatement loosely tracks NJDPL’s definition. Most of the data considered sensitive in New Jersey also is recognized as sensitive under most U.S. state privacy laws. However, New Jersey includes additional types of data as sensitive, including status as transgender or non-binary and financial information, which only a handful of other states recognize as sensitive.
The sensitive financial information in New Jersey includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” Thus, not every piece of financial data will be deemed sensitive; however, NJDPL’s definition is open-ended and types of financial data not presently listed in the statute may be included in the future. 
For entities operating in more than one state that are required to comply with several state data privacy laws, it is important to correctly classify data as sensitive or not sensitive to ensure compliance with each such applicable law. Each U.S. state privacy law recognizes sensitive information and imposes heightened compliance requirements for its processing. Some states require a valid consent to be obtained before collection and processing of personal data, as well as a data protection assessment. Others follow an opt-out model, giving consumers the right to limit the use of their sensitive data.
The FAQs highlight that New Jersey requires consent before sensitive data is processed and that a data protection impact assessment must be conducted. NJDPL specifies that a valid consent must be “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” Such consent may include a written statement, including by electronic means, or any other unambiguous affirmative action. Notably, acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information will not constitute a valid consent. As such, organizations should not rely on statements such as “if you visit our website, you consent to our privacy policy” as evidence of consent to processing of sensitive information. Furthermore, hovering over, muting, pausing, or closing a given piece of content will not be considered sufficient evidence of consent.
Treatment of Children’s Data
NJDPL requires businesses to obtain explicit consent for processing personal data of children under the age of 13, treating such data as sensitive. Consent also is required for processing of data of minors that are at least 13 and are younger than 17, if such processing is done for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effect on the consumer. With this latter provision, New Jersey’s law extends protections beyond federal standards under the Children’s Online Privacy Protection Act (COPPA), which only safeguards the data obtained online from children under 13.
The FAQs state that when a controller knows or should know that a consumer is between the ages of 13 and 16 (note, NJDPL uses the term “younger than 17” but the FAQ is using the 13–16 range), the controller must get the consumer’s consent before processing the consumer’s personal data. This is interesting as this statement is broader than NJDPL. First, the FAQs use the term “should know” whereas the statute requires actual knowledge or willful disregard. Second, the FAQs claim that consent is necessary for any processing of the data of minors ages 13–16, and not only when sale of data, targeted advertising, or profiling is occurring. 
Businesses processing children’s data should take note and consider building a more stringent compliance regime: even where FAQs are non-binding, this is an enforcement focus area for the New Jersey regulator (and for the regulators in other states and on the federal level).
Considerations for Compliance
With the enforcement deadline looming, organizations within the scope of NJDPL should consider the following workflow to align their compliance with the incoming law:

Review/Update Privacy Policies: Update privacy notices to clearly outline data processing activities, purposes of processing, consumer rights, and opt-out procedures, among other mandatory disclosures, to track NJDPL’s requirements. 
Implement Consent Management Systems: Adopt technologies that facilitate obtaining, managing, and documenting consumer consent for sensitive data processing.  
Conduct Data Protection Assessments: Regularly evaluate data handling practices to identify risks and benefits of processing activity that presents heightened risk of harm to the consumers to ensure alignment with New Jersey’s law. 
Enhance Training Programs: Educate employees with data privacy responsibility in different departments (including IT, Marketing, and Customer Service, not just Legal) about NJDPL’s provisions and the importance of safeguarding consumer data and respecting consumer choices regarding their data.  
Stay Informed of the Regulatory Changes: Be aware of evolving privacy regulations to anticipate and address new compliance obligations. Aside from New Jersey’s anticipated regulations, other states are poised to adopt new privacy laws or amend existing ones, promising that 2025 will be a busy year for data privacy. While the FAQs serve as an important resource for understanding the law’s practical application, highlighting the importance of explicit consent and enhanced protections for sensitive data, organizations should consider following the more precise requirements of NJDPL and the incoming regulations in aligning their practices with New Jersey’s requirements. As compliance with the NJDPL becomes mandatory, legal experts can provide tailored advice to navigate the intricacies of the law and ensure that data practices align with both state and federal regulations.

What Employers Need to Know About the Recent EEOC Guidance to Health Care Providers on the Pregnant Workers Fairness Act

On June 27, 2023, the Pregnant Workers Fairness Act (PWFA), a federal law enforced by the US Equal Employment Opportunity Commission (EEOC), went into effect. The PWFA mandates that employers with at least 15 employees, along with other covered entities, provide reasonable accommodations for employees with known limitations related to, affected by, or arising out of pregnancy, childbirth, or related medical conditions.

On December 18, 2024, the EEOC published guidance to health care providers on how they can help patients seeking childbirth and pregnancy-related workplace accommodations from their employers under the PWFA.
What Employers Need to Know
Requirement and Purpose 
Employers must offer reasonable accommodations for pregnant employees. A reasonable accommodation is described as a change in the work environment or in the way things are usually done that enables an applicant or employee to apply for a job, perform their job, or enjoy access to the same benefits and privileges of employment as other employees. The guidance explains that health care providers can request accommodations for employees under the PWFA.
Covered Individuals 
Employees or applicants are qualified if they can perform essential job functions with or without accommodation, or if they are temporarily unable to perform these functions but can do so in the near future with reasonable accommodations. Limitations are considered “known” when communicated by the employee or their representative.
Requesting Accommodations 
Employees and applicants do not need to use specific language to request accommodations and the interactive process starts once a request is made. Employers cannot require the employee to be examined by a health care provider selected by the employer but may require documentation in certain situations.
Documentation
The EEOC’s recent guidance highlights health care providers’ role in documenting and communicating the need for workplace accommodations and informing patients about their rights under the PWFA.

Please note that if an employer uses an Americans with Disabilities Act (ADA) or Family and Medical Leave Act (FMLA) medical questionnaire for PWFA purposes, the employer should instruct the employee that only the applicable questions need to be answered.

Some employees may be entitled to accommodations under the PWFA if their condition does not meet the definition of disability specified in the ADA and even if they do not qualify for leave under the FMLA.
While the physical or mental conditions an employee faces may overlap with disabilities under the ADA or serious health conditions under the FMLA, not all questions on ADA or FMLA forms will be relevant to PWFA requests. However, if an employee is also seeking accommodations under the ADA or leave under the FMLA, the information may be relevant.

Employers may require that the documentation from a health care provider include the following:

Confirm the physical or mental condition with a simple statement, no diagnosis is needed. The problem or impairment may be serious, minor, moderate, or episodic such as fatigue, vomiting, or swelling. It could also be the need to attend medical appointments.
Confirm the condition is related to pregnancy, childbirth, or related medical conditions. Pregnancy, childbirth, or related medical conditions do not need to be the sole, original, or substantial cause of the physical or mental condition.
Describe the needed workplace adjustment and its expected duration (e.g., change in work schedule, telework, light duty, flexible or longer break to use the restroom, leave for medical appointment, or to recover from childbirth). If the accommodation involves temporarily suspending a main or essential job duty, the documentation should specify that it is temporary and provide an estimate of when the duty can be resumed post-pregnancy or soon after.
Include a brief statement of the provider’s qualifications.

Non-Discrimination
The PWFA prohibits discrimination based on pregnancy or related conditions, preventing adverse actions like firing or demotion.
Alternative Solutions and Undue Hardship
While the exact accommodation the employee requests does not have to be provided, employers must collaborate with employees to provide an effective alternative that doesn’t cause undue hardship to the employer.
Confidentiality 
Under the PWFA, employers must keep all medical information related to an accommodation request confidential.
Risks of Noncompliance and Next Steps
Noncompliance with the PWFA can lead to significant legal and financial consequences for employers, including lawsuits, penalties, and reputational damage. To mitigate these risks, employers should:

Review and Update Policies: Ensure workplace policies align with the PWFA, covering reasonable accommodations, nondiscrimination, and documentation requirements.
Training and Communication: Train managers and clearly communicate employees’ rights under the PWFA using the employer’s typical communication methods (e.g., handbooks, intranet, or email).
Prevent Discrimination and Retaliation: Follow the EEOC’s guidance to avoid discrimination or retaliation against employees requesting reasonable accommodations under the PWFA.
Understand Related Laws: Understand obligations under similar state laws and federal laws such as the ADA, FMLA, and the Pregnancy Discrimination Act (PDA) as well as avoid imposing greater requirements than necessary on employees requesting accommodations under the PWFA.

For more information about the PWFA, visit More Resources About the PWFA | EEOC.

2024 Title IX Regulations Vacated Nationwide

On January 9, 2025, the Sixth Circuit Court of Appeals decided the case of Tennessee v. Cardona, vacating the 2024 Title IX regulations nationwide. The court ruled that the issuance of the 2024 regulations exceeded the Department of Education’s authority and was unconstitutional on multiple grounds.
The ruling may be appealed, but for now, institutions covered by Title IX should revert to compliance with their policies in effect under the 2020 Title IX regulations.
The 2024 Title IX regulations, which took effect on August 1, 2024, had faced several challenges that led to injunctions with varying geographic scopes. As a result, prior to the Cardona decision, the 2024 Title IX regulations were only effective in about half of the states across the U.S.

U.S. Cyber Trust Mark Program at Hand After White House Launch Announcement

The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will govern the procedures for obtaining and using the Mark’s distinctive shield logo.
What’s In Program Scope – Per the FCC, the program applies to consumer wireless Internet of Things (IoT) products – radio frequency devices clearly within its jurisdiction under Section 302 of the Communications Act. Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
What Is Not – On the other hand, the program does not include items outside the FCC’s regulatory jurisdiction, such as medical devices regulated by the Food and Drug Administration and motor vehicles and equipment regulated by the National Highway Traffic Safety Administration. Also excluded are wired devices; products primarily used for manufacturing, industrial control or enterprise applications; equipment on the FCC’s Covered List and equipment produced by an entity on the Covered List; IoT products from a company on other lists addressing national security; and IoT products produced by entities banned from Federal procurement.
Process And Standards – Products must be tested at an FCC-recognized accredited laboratory (CyberLAB) for evaluation against the program’s cybersecurity criteria. Those criteria are based on standards developed by the National Institute of Standards and Technology (NIST) and other expert guidance intended to ensure that certified devices have robust cybersecurity protections, including, for example, implementation of strong encryption protocols and requirements for user authentication before granting access to device settings or data.
Program Management and Compliance Enforcement – The FCC will manage the program but also rely on Cybersecurity Labeling Administrators (CLA), who will evaluate the post-testing applications for approval to use the Mark; the FCC has already approved a number of these CLAs.
Among other things, CLAs will be responsible for ensuring that users comply with applicable FCC rules. In adopting the regulatory framework for the program, the agency decided that it would “rely on a combination of administrative remedies and civil litigation to address non-compliance.” The FCC “direct[ed] the CLAs to conduct post-market surveillance…to ensure that the integrity of the Cyber Trust Mark is maintained.”
Further, “random audits” will be coupled with such surveillance. Identified products that fail to comply with applicable technical regulations for that product could be stripped of approval to display the Mark.
In the interest of the integrity of the Mark, the Commission also made clear that it will “pursue all available means to prosecute entities who improperly or fraudulently use the FCC IoT Label, which may include, but are not limited to, enforcement actions, legal claims of deceptive practices prosecuted through the FTC, and legal claims for trademark infringement or breach of contract.”
Further Notice of Proposed Rulemaking: National Security – In an ongoing effort to address potential hidden national security threats, the FCC’s Further Notice of Proposed Rulemaking focuses on such threats contained in consumer products bearing the IoT Label. To that end, the FCC seeks comments on “additional declarations intended to provide consumers with assurances that the products bearing the IoT Label do not contain hidden vulnerabilities from high risk countries [e.g., China], that data collected by the product does not sit within or transit high-risk countries and that products cannot be remotely controlled by servers located within high-risk countries.”
Incoming Chairman Carr, who has voiced a strong interest in addressing national security concerns, is sure to support these initiatives on an ongoing basis.

HHS Proposed Rule Would Increase Cybersecurity Requirements for Electronic Health Data

The U.S. Department of Health and Human Services (HHS) recently released a proposed rule to better protect electronic health data from cybersecurity threats. The proposed rule would apply to health plans, healthcare providers, healthcare clearinghouses, and their business associates, such as billing companies, third-party administrators, and pharmacy benefit managers.
Quick Hits

HHS has proposed a rule to shore up cybersecurity protections for electronic health records under the Health Insurance Portability and Accountability Act (HIPAA).
The new rules would apply to HIPAA-regulated entities, such as healthcare providers, hospitals, and others that handle electronic medical data.
The public can submit comments on the proposed rule until March 7, 2025.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has not undergone a major overhaul since 2013. In response to rising cybersecurity threats across the healthcare industry, on January 6, 2025, HHS published a proposed rule that would update and bolster cybersecurity protections for personal health information that is collected by healthcare providers, hospitals, insurers, and other companies. The public has until March 7, 2025, to submit comments on the proposal.
If finalized, these changes would apply to all HIPAA-covered entities and their business associates, imposing stricter requirements around risk assessments, data encryption, multifactor authentication, and more. Importantly, the proposed rule would eliminate the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required. This shift would remove much of the discretion that HIPAA-regulated entities presently have in determining whether to implement “addressable” measures, instead introducing more granular, prescriptive requirements to ensure compliance with all security standards.
The proposed rule also would require:

written documentation of policies, procedures, plans, and analyses related to complying with the HIPAA Security Rule;
covered entities to develop and update a technology asset inventory and a network map that illustrates the movement of electronic health information throughout the electronic information system;
covered entities to conduct a more robust risk analysis than under the current rule, including incorporation of the entity’s technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic health information; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit vulnerabilities;
encryption of electronic health information at rest and in transit;
the use of multifactor authentication;
covered entities to use anti-malware protections and remove extraneous software from electronic information systems;
an audit at least once per year to confirm compliance with the HIPAA Security Rule;
covered entities at least once per year to obtain written certification from business associates that they have deployed the technical safeguards required by the HIPAA Security Rule;
covered entities to review and test the effectiveness of certain security measures at least once every twelve months;
vulnerability scanning at least every six months and penetration testing at least once every twelve months;
network segmentation and separate technical controls for backup and recovery of electronic health information and electronic information systems;
covered entities to establish written procedures to restore certain electronic information systems and data within seventy-two hours of a loss, and to document how employees should report security incidents and how the regulated entity will respond to them. Business associates would have to notify covered entities of the activation of their security contingency plans no later than twenty-four hours after activation;
covered entities to cut off a former employee’s access to personal health information no later than one hour after the employment has been terminated; and
group health plans to include in their plan documents requirements for their plan sponsors to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.
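Two of the items above carry hard deadlines that can be checked against existing logs rather than against policy documents: the one-hour window for revoking a former employee's access, and the minimum cadences for vulnerability scanning, penetration testing, audits, and business-associate certifications. The script below is an added example, not part of the newsletter or of the HHS proposal, showing how a regulated entity might run such a gap check. The HR termination log, the identity-system audit log, the control names, the last-performed dates, and the as-of date are all constructed for the example; the thresholds are taken from the list above.

```python
"""
Added example (not from HHS or the newsletter): a gap check against two of the
proposed HIPAA Security Rule requirements, run over constructed log data.
"""
from datetime import datetime, timedelta, timezone

# Constructed HR log: "<timestamp UTC> <user> terminated", one event per line.
HR_TERMINATIONS = """\
2025-01-06T09:00:00Z jdoe terminated
2025-01-06T13:30:00Z asmith terminated
2025-01-07T08:15:00Z bwong terminated
"""

# Constructed identity-system audit log: "<timestamp UTC> <event> <user>".
IAM_EVENTS = """\
2025-01-06T09:20:00Z account_disabled jdoe
2025-01-06T16:05:00Z account_disabled asmith
2025-01-06T16:10:00Z password_reset cjones
"""

# Proposed rule: access cut off no later than one hour after termination.
ACCESS_REVOCATION_LIMIT = timedelta(hours=1)

# Proposed minimum cadences for periodic controls (control names are constructed).
CADENCES = {
    "vulnerability_scan": timedelta(days=182),           # at least every six months
    "penetration_test": timedelta(days=365),             # at least every twelve months
    "compliance_audit": timedelta(days=365),             # at least once per year
    "ba_certification": timedelta(days=365),             # written BA certification, yearly
    "control_effectiveness_review": timedelta(days=365), # review/test controls every twelve months
}

# Constructed evidence: when each control was last performed (None = no evidence).
LAST_PERFORMED = {
    "vulnerability_scan": "2024-05-01T00:00:00Z",
    "penetration_test": "2024-03-15T00:00:00Z",
    "compliance_audit": "2024-11-20T00:00:00Z",
    "ba_certification": None,
    "control_effectiveness_review": "2024-09-01T00:00:00Z",
}

AS_OF = "2025-01-06T00:00:00Z"  # constructed assessment date


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_access_revocation(hr_log: str, iam_log: str,
                            limit: timedelta = ACCESS_REVOCATION_LIMIT) -> dict:
    """Join terminations to account-disable events.

    Returns {user: minutes_late} for each terminated user whose account was
    disabled later than `limit` after termination, and {user: None} when no
    disable event exists at all. Compliant users are omitted.
    """
    disabled = {}
    for line in iam_log.splitlines():
        ts, event, user = line.split()
        if event == "account_disabled":
            t = parse_ts(ts)
            if user not in disabled or t < disabled[user]:
                disabled[user] = t  # keep the earliest disable event per user
    findings = {}
    for line in hr_log.splitlines():
        ts, user, _ = line.split()
        fired_at = parse_ts(ts)
        when = disabled.get(user)
        if when is None:
            findings[user] = None  # account still enabled: no disable event seen
        elif when - fired_at > limit:
            findings[user] = int((when - fired_at).total_seconds() // 60)
    return findings


def overdue_controls(last_performed: dict, as_of: str = AS_OF,
                     cadences: dict = CADENCES) -> dict:
    """Return {control: days_overdue}; None when there is no evidence at all."""
    now = parse_ts(as_of)
    out = {}
    for control, period in cadences.items():
        last = last_performed.get(control)
        if last is None:
            out[control] = None
            continue
        due = parse_ts(last) + period
        if now > due:
            out[control] = (now - due).days
    return out


if __name__ == "__main__":
    for user, late in check_access_revocation(HR_TERMINATIONS, IAM_EVENTS).items():
        print(f"{user}: " + ("no disable event" if late is None else f"{late} minutes late"))
    for control, days in overdue_controls(LAST_PERFORMED).items():
        print(f"{control}: " + ("no evidence" if days is None else f"{days} days overdue"))
```

On the constructed data the script flags `asmith` (disabled 155 minutes after termination) and `bwong` (never disabled), and reports the vulnerability scan 68 days overdue and the business-associate certification as missing. The join is deliberately done on the earliest disable event per user so that a later re-disable does not mask a slow initial revocation; a disable logged before the termination timestamp counts as compliant.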

Next Steps
Employers and the public have until March 7, 2025, to submit comments about the proposed rule. The final rule would take effect sixty days after being published in the Federal Register. The existing HIPAA Security Rule remains in effect while the rulemaking is underway.
HIPAA-covered entities (and employers that sponsor them) may wish to review their cybersecurity practices and policies as they relate to electronic health information and evaluate gaps between existing practices and documentation and the rules as proposed. While some of the proposed changes reflect common security measures already implemented by many HIPAA-covered entities, if the proposed rule takes effect, employers can expect to incur extra costs to align their practices with those outlined by the proposed rules. This is especially true for large employers that offer self-insured health plans to their workers, since employers are generally responsible for HIPAA compliance for the self-insured health plans they sponsor.

Black Box Issues [Podcast]

In part three of our series on potential pitfalls in the use of artificial intelligence (or AI) when it comes to employment decisions, partner Guy Brenner and senior counsel Jonathan Slowik dive into the concept of “black box” systems—AI tools whose internal decision-making processes are not transparent. The internal workings of such systems may not be well understood, even by the developers who create them. We explore the challenges this poses for employers seeking to ensure that their use of AI in employment decisions does not inadvertently introduce bias into the process. Be sure to tune in for a closer look at the complexities of this conundrum and what it means for employers.