CFPB Alleges Credit Reporting Agency Conducted Sham Investigations of Errors
On January 7, 2025, the CFPB filed a lawsuit against a nationwide consumer reporting agency for violations of the Fair Credit Reporting Act. The lawsuit claims the company’s investigation of consumer disputes was inadequate, specifically criticizing its intake, processing, investigation, and customer notification processes. The lawsuit also alleges the company reinserted inaccurate information on credit reports, which the Bureau alleges harmed consumers’ access to credit, employment, and housing. In addition to the FCRA claims, the Bureau alleges that the company’s faulty intake procedures and unlawful processes regarding consumer reports violated the Consumer Financial Protection Act’s (CFPA) prohibition on unfair acts or practices.
Specifically, the Bureau alleges the company:
Conducted sham investigations. The CFPB claims the company uses faulty intake procedures when handling consumer disputes, including not accurately conveying all relevant information about the disputes to the original furnisher. The company also allegedly routinely accepted furnisher responses to the disputes without an appropriate review, such as when furnisher responses seemed improbable or illogical, or when the company had information that the furnisher was unreliable. The Bureau also alleged the company failed to provide consumers with investigation results and provided them with ambiguous, incorrect, or internally inconsistent information.
Improperly reinserted inaccurate information on consumer reports. The CFPB alleged the company failed to use adequate matching tools, leading to reinsertion of previously deleted inaccurate information on consumer reports. Consumers who disputed the accuracy of an account and thought their consumer report had been corrected instead saw the same inaccurate information reappear on their consumer report without explanation under the name of a new furnisher.
Putting It Into Practice: This lawsuit reflects a broader trend of the CFPB’s increased regulatory scrutiny of FCRA compliance (previously discussed here, here, and here). The CFPB has demonstrated a focus on ensuring the accuracy and integrity of consumer credit information. Consumer reporting agencies should proactively review their policies and procedures related to dispute investigation, data handling, and furnisher interaction to ensure they are in compliance with all aspects of the FCRA.
CFPB Sues Mortgage Lender for Predatory Lending Practices in Manufactured Home Loans
On January 6, 2025, the CFPB filed a lawsuit against a non-bank manufactured home financing company for violations of the Truth in Lending Act and Regulation Z. The lawsuit alleges that the mortgage lender engaged in predatory lending practices by providing manufactured home loans to borrowers it knew could not afford them.
According to the CFPB, the mortgage lender allegedly ignored “clear and obvious red flags” indicating the borrowers’ inability to afford the loans. This resulted in many families struggling to make payments and afford basic necessities, and facing fees, penalties, and even foreclosure. The Bureau alleges the lender failed to make reasonable, good-faith determinations of borrowers’ ability to repay, as required by the Truth in Lending Act (TILA) and Regulation Z.
The CFPB’s lawsuit specifically claims that the lender:
Manipulated lending standards. The mortgage lender disregarded clear and obvious evidence that borrowers lacked sufficient income or assets to meet their mortgage obligations and basic living expenses. On some occasions, borrowers who were already struggling financially were approved for loans, worsening their financial situation.
Fabricated unrealistic estimates of living expenses. The company justified its determination that borrowers could afford loans by using artificially low estimates of living expenses. The estimated living expenses were about half of the average of self-reported living expenses for other, similar loan applicants.
Made loans to borrowers projected to be unable to pay. The lender approved loans despite the company’s own internal estimates indicating the borrower’s inability to pay.
Putting It Into Practice: As Chopra’s term wraps up, the Bureau is on a frantic mission to file as many lawsuits as it can for its ongoing enforcement matters. How that will impact the incoming administration remains to be seen. But it seems likely that a new CFPB Director will take a hard look at much of the active litigation and re-evaluate the Bureau’s position.
Trending in Telehealth: December 18, 2024 – January 6, 2025
Trending in Telehealth highlights state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists, and technology companies that deliver and facilitate the delivery of virtual care.
Trending in the past weeks:
Reimbursement parity
Provider telehealth education
A CLOSER LOOK
Proposed Legislation & Rulemaking:
In Ohio, Senate Bill 95 passed both the House and Senate chambers. This bill will allow for remote pharmacy dispensing, as current state law prohibits the dispensing of a dangerous drug by a pharmacist through telehealth or virtual means.
In Oregon, the Oregon Health Authority, Health Systems Division: Medical Assistance Programs proposed rule amendments to clarify the telehealth rule definitions, including adding cross-references to established definitions in OAR 410-120-0000.
In New York, the Department of Public Health (DPH) proposed two new amendments to the Medicaid State Plan for non-institutional services:
To comply with the 2024-2025 enacted budget, DPH proposed a clarification to the March 27, 2024, notice provision regarding provider rates for early intervention services. This clarification includes a decrease to provider rates for early intervention services delivered via telehealth, with rate decreases as high as 20% in some regions.
DPH also proposed to reimburse Federally Qualified Health Centers and Rural Health Clinics a separate payment in lieu of the prospective payment system rate for non-visit services, such as eConsults and remote patient monitoring.
Finalized Legislation & Rulemaking Activity:
In Illinois, an amendment to the Illinois Public Aid Code went into effect on January 1, 2025. Passed in June of 2024, Senate Bill 3268 provides that the Department of Human Services will pay negotiated, agreed-upon administrative fees associated with implementing telehealth services for persons with intellectual and developmental disabilities receiving Community Integrated Living Arrangement residential services.
Also in Illinois, an amendment to the Illinois Physical Therapy Act went into effect January 1, 2025. Passed in August of 2024, House Bill 5087 significantly limits the ability of physical therapists to provide telehealth services to patients in the state. For more information on the effects of this bill, please read our article discussing its implications.
In Kentucky, Senate Bill 111 went into effect January 1, 2025. This bill requires health benefit plans, limited health service benefit plans, Medicaid and state health plans to provide coverage for speech therapy provided via telehealth.
Missouri’s emergency rule amendments for virtual visit coverage under the Missouri Consolidated Health Care Plan took effect as of January 1, 2025. For more information on this bill, please see our related article from last month.
In New Jersey, Assembly Bill 3853 was signed into law by the governor. The legislation extends certain pay parity regarding telemedicine and telehealth until July 1, 2026, meaning that New Jersey health plans shall reimburse telehealth and telemedicine services at the same rate as in-person services.
In New York, Assembly Bill 6799 was signed into law by the governor. The legislation establishes a drug-induced movement disorder screening education program and specifically includes services provided via telehealth.
In Vermont, House Bill 861 went into effect January 1, 2025. This bill requires health insurers to reimburse telemedicine and audio-only telephone services the same as in-person visits. However, there is an exception for value-based contracts for services delivered by audio-only telephone.
Why it matters:
States are taking action to ensure reimbursement parity for telehealth services. While there is still debate surrounding reimbursement parity for telehealth services (i.e., mandating reimbursement at the same rate as equivalent in-person services), several states are making strides toward ensuring equal reimbursement rates for both in-person and telehealth services. Bills requiring reimbursement parity in Illinois, Kentucky, and Vermont have taken effect in 2025. Additionally, New Jersey’s decision to extend the reimbursement parity mandate for telemedicine and telehealth services until mid-2026 illustrates the push toward reimbursing healthcare services at the same rate, regardless of the delivery medium.
States are taking measures to not only recognize telehealth, but also to educate providers on telehealth as an effective care delivery method. New York’s decision to include healthcare provider educational materials for providing telehealth services for drug-induced movement disorders underscores the growing trend and importance of educating providers on the appropriate manner for providing such treatment services.
CFPB Finalizes Rule Removing Medical Bills from Credit Reports
On January 7, 2025, the CFPB announced the finalization of a rule amending Regulation V, which implements the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., to prohibit the inclusion of medical bills on credit reports used by lenders and prevent lenders from using medical information in lending decisions. According to the Bureau, the final rule (previously discussed here) will remove an estimated $49 billion in medical bills from the credit reports of about 15 million Americans.
The Bureau noted that medical debts are not effective predictors of whether a borrower will repay a debt. Consumers frequently report that they receive inaccurate bills or are asked to pay bills that should have been covered by insurance. The CFPB estimates that this rule will result in the approval of approximately 22,000 additional mortgages each year and increase credit scores for those with medical debt by an average of 20 points.
This rule follows changes by three nationwide credit reporting companies and two major credit scoring companies to reduce the impact of medical debt on credit reports and scores. Specifically, the final rule will:
Prohibit lenders from considering medical information. The rule will amend Regulation V and prohibit creditors from using certain medical information and data when making lending decisions, including information about medical devices that could be used as collateral for a loan.
Ban medical bills on credit reports. The rule prohibits consumer reporting agencies from including medical debt information on credit reports and credit scores sent to lenders. The Bureau seeks to prevent debt collectors from using the credit reporting system to pressure consumers to pay medical bills, regardless of their accuracy.
The rule is effective 60 days after publication in the Federal Register.
Putting It Into Practice: The final rule is another example of the CFPB’s increased focus on regulating the credit reporting industry (previously discussed here). However, immediately after the Bureau finalized the rule, it was hit with two separate lawsuits by trade associations challenging the rule.
EPA Further Extends Review Period for CBI Claims for the Identity of Chemicals on the TSCA Inventory
On January 6, 2025, the U.S. Environmental Protection Agency (EPA) announced the extension of the review period for confidential business information (CBI) claims for specific identities of all active chemical substances listed on the confidential portion of the Toxic Substances Control Act (TSCA) Inventory submitted to EPA under TSCA. 90 Fed. Reg. 645. As reported in our February 7, 2024, blog item, EPA previously extended the review period by one year, to February 19, 2025. According to EPA, several issues and factors caused delays that prevented EPA from completing its review within the five-year period and are going to prevent completion within the previous one-year extension. These issues include “a large universe of claims to review (more than 4,805 chemical substances in 5,787 often-complex submissions) and concurrent activities to update the public portion of the TSCA Inventory,” consistent with the requirements of TSCA Sections 8(b) and 14. EPA notes that adapting and maintaining its information technology (IT) systems to complete these reviews “has continued to contribute to delays in reviewing these CBI claims.” EPA states that the very large file size and other features of certain submissions caused IT difficulties that halted the CBI review process for about nine months while available resources were prioritized to address more critical IT needs. A lack of requested appropriated funds in fiscal years 2024 and 2025 resulted in insufficient contract resources to address IT system issues in addition to not allowing EPA to maintain the necessary staffing to make progress on these reviews. EPA was delayed in commencing Review Plan reviews for approximately six months to a year as a result of the decision of the U.S. Court of Appeals for the District of Columbia Circuit in Environmental Defense Fund v. EPA, 922 F.3d 446 (D.C. Cir. 2019), which resulted in a need for additional rulemaking activity to add a reporting requirement. 
According to EPA, the additional reporting requirement “created confusion among some reporting entities, further slowing the review process.” The review period is now extended to February 19, 2026.
Data Privacy: Insights from the Recent FAQs on New Jersey Data Privacy Law
As organizations prepare for compliance with the New Jersey Data Privacy Law (NJDPL), set to take effect on January 15, 2025, the Division of Consumer Affairs (DCA) has released a set of 24 Frequently Asked Questions (FAQs) that provide important insights and guidance on complying with New Jersey’s robust regulatory framework. The FAQs are not binding and should not be considered a legal document or a complete explanation of the law. Rather, they are useful as a reference for persons within the entities covered by NJDPL that have a role in privacy compliance.
The FAQs specifically focus on sensitive data, children’s data, opt-out or revocation of consent from sale of personal data (including via universal opt-out signals), contracts with data processors, and data protection assessments, indicating the New Jersey DCA’s focus areas for the enforcement of the incoming law. This article explores the key takeaways from the FAQs, particularly concerning the treatment of sensitive data.
Understanding the New FAQs
The recent FAQs were published for the convenience of businesses (although the FAQs use the term “businesses,” NJDPL also applies to nonprofits). The FAQs distill and clarify several key definitions contained in the NJDPL, summarize consumer rights, define business obligations, and provide additional guidance regarding processing of sensitive data and data of minors.
Specifically, NJDPL governs the use of personal data, which the law defines as any information that is linked or reasonably linkable to an identified or identifiable person. The FAQs clarify this definition as “any information that is not publicly available and can be used to identify a specific individual.” The key difference between these definitions is in the “reasonably linkable” criteria in the statute, whereas the FAQs seem to focus on specific identifiability. Practically speaking, there are categories of data that may be linkable to an individual through context (for example, email metadata, or de-identified data combined with external data that permits reidentification, such as a fitness tracker ID combined with gym membership data) that would be within NJDPL’s scope. Differences such as these highlight that the covered entities must not rely solely on the FAQs’ definitions when building their NJDPL compliance program.
The FAQs also clarify the definitions of the key actors in the data privacy lifecycle under NJDPL:
Consumer: A New Jersey resident acting in a personal or household context
Controller: Any individual or entity that decides how and why consumers’ personal data is processed
Processor: An individual or entity that processes personal data on behalf of the controller. A processor is different than a controller because it does not have decision-making authority over personal data. A processor can only process personal data at the request and under the direction of a controller.
The FAQ clarifies that NJDPL applies to any controller that:
(1) Does business in New Jersey or produces products or services targeted to New Jersey residents, and (2) during a calendar year either (a) controls or processes the personal data of at least 100,000 consumers or (b) controls or processes the personal data of at least 25,000 consumers and makes money from the sale of personal data.
The FAQs detail some of the obligations of the controllers, including to prepare a written privacy notice accurately disclosing data practices, to honor consumer rights, to enter into written contracts with vendors receiving personal data from controllers (vendors generally will be processors, see below), to conduct data protection assessments, and to process certain categories of data only with consumers’ express consent.
With respect to processors, the FAQs highlight that among other requirements, a processor must:
Follow the controller’s instructions
Help the controller meet its obligations under NJDPL
Keep personal data confidential
Enter into a contract with the controller that contains processing instructions; identifies the data that will be processed and for how long it will be processed; and requires the processor to return or delete the personal data once processing is complete.
For consumers, the FAQs summarize their rights as follows:
Confirm whether a controller processes the consumer’s data
Correct inaccuracies in the consumer’s personal data
Delete the consumer’s personal data
Say “no” (opt out) to a controller selling the consumer’s personal data or using the consumer’s personal data for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy).
Controllers must provide clear and accessible mechanisms for consumers to exercise these rights. Additionally, by July 15, 2025, businesses must comply with universal opt-out signals, such as those from Global Privacy Control (users enable privacy preferences within their web browsers). A universal opt-out signal is a mechanism that allows individuals to communicate their preference to opt out of certain data processing activities, such as targeted advertising or sale of data, across multiple websites or platforms in a standardized way. It eliminates the need for consumers to manually opt out on each site individually.
Again, the FAQs do not repeat NJDPL’s definitions, criteria, and recitations of rights word for word, but rather aim to give organizations a general sense of what these key concepts mean. While at first blush the distinctions between the FAQ and NJDPL definitions may not seem significant in practice, as the saying goes, the devil lurks in the details. Note, for example, that personal data processed solely for the purpose of completing a payment transaction is exempted from the 100,000-consumer data threshold, and that receiving a discount on the price of any goods or services counts toward the “making money from personal data” threshold.
Update on Anticipated Regulations and Enforcement Deadlines
New Jersey is one of three states to date that provide rulemaking authority under their data privacy law to the state agency; here, the DCA. The FAQs are not such regulations, but they expressly state that the DCA will be issuing regulations under NJDPL in 2025. This is a new development, as NJDPL does not provide a deadline for promulgation of rules.
While the formal regulations under NJDPL are not yet available, the FAQs expressly state that the entities obligated under NJDPL are required to comply starting on January 15, 2025. A limited opportunity to cure violations may be available until July 1, 2026: If the DCA identifies a potential violation that the controller can remedy, the DCA will send a notice to the controller to give them the chance to fix the problem within 30 days of the notice. If the violation is not remedied, the DCA can proceed with an enforcement action. While this provision is certainly beneficial for covered entities, it should not be interpreted as a license to avoid carefully thinking through and implementing the entity’s compliance obligations before the January 15, 2025, deadline. At most, this grace period should be used to remedy inadvertent mistakes in compliance.
Treatment of Sensitive Data
The FAQs explain that sensitive data is a subset of personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health condition, financial information, sexual activity or sexual orientation, immigration or citizenship status, status as transgender or non-binary, genetic or biometric data, or precise geolocation data. It also includes personal data collected from a known child. This restatement loosely tracks NJDPL’s definition. Most of the data considered sensitive in New Jersey also is recognized as sensitive under most U.S. state privacy laws. However, New Jersey includes additional types of data as sensitive, including status as transgender or non-binary and financial information, which only a handful of other states recognize as sensitive.
The sensitive financial information in New Jersey includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” Thus, not every piece of financial data will be deemed sensitive; however, NJDPL’s definition is open-ended and types of financial data not presently listed in the statute may be included in the future.
For entities operating in more than one state that are required to comply with several state data privacy laws, it is important to correctly classify data as sensitive or not sensitive to ensure compliance with each such applicable law. Each U.S. state privacy law recognizes sensitive information and imposes heightened compliance requirements for its processing. Some states require a valid consent to be obtained before collection and processing of personal data, as well as a data protection assessment. Others follow an opt-out model, giving consumers the right to limit the use of their sensitive data.
The FAQs highlight that New Jersey requires consent before sensitive data is processed and that a data protection impact assessment must be conducted. NJDPL specifies that a valid consent must be “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” Such consent may include a written statement, including by electronic means, or any other unambiguous affirmative action. Notably, acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information will not constitute a valid consent. As such, organizations should not rely on statements such as “if you visit our website, you consent to our privacy policy” as evidence of consent to processing of sensitive information. Furthermore, hovering over, muting, pausing, or closing a given piece of content will not be considered sufficient evidence of consent.
Treatment of Children’s Data
NJDPL requires businesses to obtain explicit consent for processing personal data of children under the age of 13, treating such data as sensitive. Consent also is required for processing of data of minors that are at least 13 and are younger than 17, if such processing is done for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effect on the consumer. With this latter provision, New Jersey’s law extends protections beyond federal standards under the Children’s Online Privacy Protection Act (COPPA), which only safeguards the data obtained online from children under 13.
The FAQs state that when a controller knows or should know that a consumer is between the ages of 13 and 16 (note, NJDPL uses the term “younger than 17” but the FAQ is using the 13–16 range), the controller must get the consumer’s consent before processing the consumer’s personal data. This is interesting as this statement is broader than NJDPL. First, the FAQs use the term “should know” whereas the statute requires actual knowledge or willful disregard. Second, the FAQs claim that consent is necessary for any processing of the data of minors ages 13–16, and not only when sale of data, targeted advertising, or profiling is occurring.
Businesses processing children’s data should take note and consider building a more stringent compliance regime: even where FAQs are non-binding, this is an enforcement focus area for the New Jersey regulator (and for the regulators in other states and on the federal level).
Considerations for Compliance
With the enforcement deadline looming, organizations within the scope of NJDPL should consider the following workflow to align their compliance with the incoming law:
Review/Update Privacy Policies: Update privacy notices to clearly outline data processing activities, purposes of processing, consumer rights, and opt-out procedures, among other mandatory disclosures, to track NJDPL’s requirements.
Implement Consent Management Systems: Adopt technologies that facilitate obtaining, managing, and documenting consumer consent for sensitive data processing.
Conduct Data Protection Assessments: Regularly evaluate data handling practices to identify risks and benefits of processing activity that presents heightened risk of harm to the consumers to ensure alignment with New Jersey’s law.
Enhance Training Programs: Educate employees with data privacy responsibility in different departments (including IT, Marketing, and Customer Service, not just Legal) about NJDPL’s provisions and the importance of safeguarding consumer data and respecting consumer choices regarding their data.
Stay Informed of the Regulatory Changes: Be aware of evolving privacy regulations to anticipate and address new compliance obligations. Aside from New Jersey’s anticipated regulations, other states are poised to adopt new privacy laws or amend existing ones, promising that 2025 will be a busy year for data privacy. While the FAQs serve as an important resource for understanding the law’s practical application, highlighting the importance of explicit consent and enhanced protections for sensitive data, organizations should consider following the more precise requirements of NJDPL and the incoming regulations in aligning their practices with New Jersey’s requirements. As compliance with the NJDPL becomes mandatory, legal experts can provide tailored advice to navigate the intricacies of the law and ensure that data practices align with both state and federal regulations.
HHS Proposed Rule Would Increase Cybersecurity Requirements for Electronic Health Data
The U.S. Department of Health and Human Services (HHS) recently released a proposed rule to better protect electronic health data from cybersecurity threats. The proposed rule would apply to health plans, healthcare providers, healthcare clearinghouses, and their business associates, such as billing companies, third-party administrators, and pharmacy benefit managers.
Quick Hits
HHS has proposed a rule to shore up cybersecurity protections for electronic health records under the Health Insurance Portability and Accountability Act (HIPAA).
The new rules would apply to HIPAA-regulated entities, such as healthcare providers, hospitals, and others that handle electronic medical data.
The public can submit comments on the proposed rule until March 7, 2025.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule has not undergone a major overhaul since 2013. However, in response to rising cybersecurity threats across the healthcare industry, on January 6, 2025, HHS published a proposed rule that would update and bolster cybersecurity protections for personal health information that’s collected by healthcare providers, hospitals, insurers, and other companies. The public has until March 7, 2025, to submit comments on the proposal.
If finalized, these changes would apply to all HIPAA-covered entities and their business associates, imposing stricter requirements around risk assessments, data encryption, multifactor authentication, and more. Importantly, the proposed rule would eliminate the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required. This shift would remove much of the discretion that HIPAA-regulated entities presently have in determining whether to implement “addressable” measures, instead introducing more granular, prescriptive requirements to ensure compliance with all security standards.
The proposed rule also would require:
written documentation of policies, procedures, plans, and analyses related to complying with the HIPAA Security Rule;
covered entities to develop and update a technology asset inventory and a network map that illustrates the movement of electronic health information throughout the electronic information system;
covered entities to conduct a more robust risk analysis than under the current rule, including incorporation of the entity’s technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic health information; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit vulnerabilities;
encryption of electronic health information at rest and in transit;
the use of multifactor authentication;
covered entities to use anti-malware protections and remove extraneous software from electronic information systems;
an audit at least once per year to confirm compliance with the HIPAA Security Rule;
covered entities at least once per year to obtain written certification from business associates that they have deployed the technical safeguards required by the HIPAA Security Rule;
covered entities to review and test the effectiveness of certain security measures at least once every twelve months;
vulnerability scanning at least every six months and penetration testing at least once every twelve months;
network segmentation and separate technical controls for backup and recovery of electronic health information and electronic information systems;
covered entities to establish written procedures to restore the loss of certain electronic information systems and data within seventy-two hours, and document how employees should report security incidents and how the regulated entity will respond to security incidents. Business associates would have to notify covered entities upon activating their security contingency plans no later than twenty-four hours after activation;
covered entities to cut off a former employee’s access to personal health information no later than one hour after the employment has been terminated; and
group health plans to include in their plan documents requirements for their plan sponsors to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.
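The one-hour access-termination window is the proposal most likely to be tested mechanically, because it turns on two timestamps a covered entity already records: the HR termination time and the identity provider's account-disable event. The script below is an added example (not from the proposed rule, HHS, or any vendor) of how to measure that latency; the HR feed and identity-provider log lines are constructed for illustration, and the field names (`ACCOUNT_DISABLED`, `user=`) are assumptions, not a real product's format. It treats a missing disable event as the worst outcome, since an account that was never disabled is a larger exposure than one disabled late.

```python
"""Measure termination-to-revocation latency against a one-hour window.

Added example; the HR feed and identity-provider (IdP) audit log below are
constructed, and the event/field names are assumed, not any real product's.
"""
from datetime import datetime, timedelta, timezone

REVOCATION_WINDOW = timedelta(hours=1)  # the proposed rule's one-hour deadline

# Constructed HR offboarding feed: (user, termination time as ISO-8601 with offset).
HR_TERMINATIONS = [
    ("alice", "2025-01-08T09:00:00-05:00"),
    ("bob",   "2025-01-08T10:30:00-05:00"),
    ("carol", "2025-01-08T11:15:00-05:00"),
]

# Constructed IdP audit log, one event per line, timestamps in UTC.
IDP_LOG = """\
2025-01-08T14:20:11Z ACCOUNT_DISABLED user=alice actor=iam-automation
2025-01-08T14:05:00Z ACCOUNT_DISABLED user=dave actor=helpdesk
2025-01-08T17:45:30Z ACCOUNT_DISABLED user=bob actor=helpdesk
2025-01-08T18:00:00Z PASSWORD_RESET user=carol actor=helpdesk
"""


def parse_idp_log(text):
    """Return {user: earliest ACCOUNT_DISABLED time (UTC)}.

    Other event types (e.g. a password reset) do not revoke access and are ignored.
    """
    disabled = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        if event != "ACCOUNT_DISABLED":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        user = kv["user"]
        if user not in disabled or when < disabled[user]:
            disabled[user] = when
    return disabled


def check_revocations(terminations, idp_log, window=REVOCATION_WINDOW):
    """Return [(user, status, lag_minutes)] for every HR termination.

    status is OK (disabled within the window), LATE (disabled after it),
    PRE_TERMINATION (disabled before HR's timestamp; lag is negative) or
    MISSING (no disable event at all; lag is None).
    """
    disabled = parse_idp_log(idp_log)
    results = []
    for user, term_str in terminations:
        # Normalise the HR timestamp (which carries a local offset) to UTC.
        terminated = datetime.fromisoformat(term_str).astimezone(timezone.utc)
        when = disabled.get(user)
        if when is None:
            results.append((user, "MISSING", None))
            continue
        lag = when - terminated
        lag_minutes = round(lag / timedelta(minutes=1), 1)
        if lag < timedelta(0):
            status = "PRE_TERMINATION"
        elif lag <= window:
            status = "OK"
        else:
            status = "LATE"
        results.append((user, status, lag_minutes))
    return results


if __name__ == "__main__":
    for user, status, lag in check_revocations(HR_TERMINATIONS, IDP_LOG):
        print(f"{user:8} {status:16} {'' if lag is None else f'{lag} min'}")
```

Run against the constructed data, `alice` is disabled about 20 minutes after termination (OK), `bob` more than two hours later (LATE), and `carol` only had a password reset, which does not revoke access (MISSING). Disable events for accounts with no HR termination (`dave` here) are left alone; they would belong to a separate orphan-account review rather than this deadline check.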
Next Steps
Employers and the public have until March 7, 2025, to submit comments about the proposed rule. The final rule would take effect sixty days after being published in the Federal Register. The existing HIPAA Security Rule remains in effect while the rulemaking is underway.
HIPAA-covered entities (and employers that sponsor them) may wish to review their cybersecurity practices and policies as they relate to electronic health information and evaluate gaps between existing practices and documentation and the rules as proposed. While some of the proposed changes reflect common security measures already implemented by many HIPAA-covered entities, if the proposed rule takes effect, employers can expect to incur extra costs to align their practices with those outlined by the proposed rules. This is especially true for large employers that offer self-insured health plans to their workers, since employers are generally responsible for HIPAA compliance for the self-insured health plans they sponsor.
U.S. Cyber Trust Mark Program at Hand After White House Launch Announcement
The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will govern the procedures for obtaining and using the Mark’s distinctive shield logo.
What’s In Program Scope – Per the FCC, the program applies to consumer wireless Internet of Things (IoT) products – radio frequency devices clearly within its jurisdiction under Section 302 of the Communications Act. Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
What Is Not – On the other hand, the program does not include items outside the FCC’s regulatory jurisdiction, such as medical devices regulated by the Food and Drug Administration and motor vehicles and equipment regulated by the National Highway Traffic Safety Administration. Also excluded are wired devices; products primarily used for manufacturing, industrial control or enterprise applications; equipment on the FCC’s Covered List and equipment produced by an entity on the covered list; IoT products from a company on other lists addressing national security; and IoT products produced by entities banned from Federal procurement.
Process And Standards – Products must be tested at an FCC-recognized accredited laboratory (CyberLAB) for evaluation against the program’s cybersecurity criteria. Those criteria are based on standards developed by the National Institute of Standards and Technology (NIST) and other expert guidance intended to ensure that certified devices have robust cybersecurity protections, including, for example, implementation of strong encryption protocols and requirements for user authentication before granting access to device settings or data.
Program Management and Compliance Enforcement – The FCC will manage the program but also rely on Cybersecurity Labeling Administrators (CLA), who will evaluate the post-testing applications for approval to use the Mark; the FCC has already approved a number of these CLAs.
Among other things, CLAs will be responsible for ensuring that users comply with applicable FCC rules. In adopting the regulatory framework for the program, the agency decided that it would “rely on a combination of administrative remedies and civil litigation to address non-compliance.” The FCC “direct[ed] the CLAs to conduct post-market surveillance…to ensure that the integrity of the Cyber Trust Mark is maintained.”
Further, “random audits” will be coupled with such surveillance. Identified products that fail to comply with applicable technical regulations for that product could be stripped of approval to display the Mark.
In the interest of the integrity of the Mark, the Commission also made clear that it will “pursue all available means to prosecute entities who improperly or fraudulently use the FCC IoT Label, which may include, but are not limited to, enforcement actions, legal claims of deceptive practices prosecuted through the FTC, and legal claims for trademark infringement or breach of contract.”
Further Notice of Proposed Rulemaking: National Security – In an ongoing effort to address potential hidden national security threats, the FCC’s Further Notice of Proposed Rulemaking focuses on such threats contained in consumer products bearing the IoT Label. To that end, the FCC seeks comments on “additional declarations intended to provide consumers with assurances that the products bearing the IoT Label do not contain hidden vulnerabilities from high risk countries [e.g., China], that data collected by the product does not sit within or transit high-risk countries and that products cannot be remotely controlled by servers located within high-risk countries.”
Incoming Chairman Carr, who has voiced a strong interest in addressing national security concerns, is expected to support these initiatives on an ongoing basis.
McDermott+ Check-Up: January 10, 2025
THIS WEEK’S DOSE
119th Congress Begins. The new Congress began with key membership announcements for relevant healthcare committees.
Cures 2.1 White Paper Published. The document outlines the 21st Century Cures 2.1 legislative proposal, focusing on advancing healthcare technologies and fostering innovation.
Senate Budget Committee Members Release Report on Private Equity. The report, released by the committee’s chair and ranking member from the 118th Congress, includes findings from an investigation into private equity’s role in healthcare.
HHS OCR Proposes Significant Updates to HIPAA Security Rule. The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) seeks to address current cybersecurity concerns.
HHS Releases AI Strategic Plan. The plan outlines how HHS will prioritize resources and coordinate efforts related to artificial intelligence (AI).
CFPB Removes Medical Debt from Consumer Credit Reports. The Consumer Financial Protection Bureau (CFPB) finalized its 2024 proposal largely as proposed.
President Biden Signs Several Public Health Bills into Law. The legislation includes the reauthorization and creation of public health programs related to cardiomyopathy, autism, and emergency medical services for children.
CONGRESS
119th Congress Begins. The 119th Congress began on January 3, 2025. Lawmakers reelected Speaker Johnson in the first round of votes and adopted the House rules package. The first full week in session was slow-moving due to a winter storm in Washington, DC; funeral proceedings for President Jimmy Carter; and the certification of electoral college votes. Committees are still getting organized, and additions to key health committees include:
House Energy & Commerce: Reps. Bentz (R-OR), Houchin (R-IN), Fry (R-SC), Lee (R-FL), Langworthy (R-NY), Kean (R-NJ), Rulli (R-OH), Evans (R-CO), Goldman (R-TX), Fedorchak (R-ND), Ocasio-Cortez (D-NY), Mullin (D-CA), Carter (D-LA), McClellan (D-VA), Landsman (D-OH), Auchincloss (D-MA), and Menendez (D-NJ).
House Ways & Means: Reps. Moran (R-TX), Yakym (R-IN), Miller (R-OH), Bean (R-FL), Boyle (D-PA), Plaskett (D-VI), and Suozzi (D-NY).
Senate Finance: Sens. Marshall (R-KS), Sanders (I-VT), Smith (D-MN), Ray Luján (D-NM), Warnock (D-GA), and Welch (D-VT).
Senate Health, Education, Labor & Pensions: Sens. Scott (R-SC), Hawley (R-MO), Banks (R-IN), Crapo (R-ID), Blackburn (R-TN), Kim (D-NJ), Blunt Rochester (D-DE), and Alsobrooks (D-MD).
Congress has a busy year ahead. The continuing resolution (CR) enacted in December 2024 included several short-term extensions of health provisions (and excluded many others that had been included in an earlier proposed bipartisan health package), and these extensions will expire on March 14, 2025. Congress will need to complete action on fiscal year (FY) 2025 appropriations by this date, whether by passing another CR through the end of the FY, or by passing a full FY 2025 appropriations package. The short-term health extenders included in the December CR could be further extended in the next appropriations bill, and Congress also has the opportunity to revisit the bipartisan, bicameral healthcare package that was unveiled in December but ultimately left out of the CR because of pushback from Republicans about the overall bill’s size.
The 119th Congress will also be focused in the coming weeks on advancing key priorities – including immigration reform, energy policy, extending the 2017 tax cuts, and raising the debt limit – through the budget reconciliation process. This procedural maneuver allows the Senate to advance legislation with a simple majority, rather than the 60 votes needed to overcome the threat of a filibuster. Discussions are underway about the scope of this package and the logistics (will there be one reconciliation bill or two?), and we expect to learn more in the days and weeks ahead. It is possible that healthcare provisions could become a part of such a reconciliation package.
Cures 2.1 White Paper Published. Rep. Diana DeGette (D-CO) and former Rep. Larry Bucshon (R-IN) released a white paper on December 24, 2024, outlining potential provisions of the 21st Century Cures 2.1 legislative proposal expected to be introduced later this year. This white paper and the anticipated legislation are informed by responses to a 2024 request for information. The white paper is broad, discussing potential Medicare reforms relating to gene therapy access, coverage determinations, and fostering innovation. With Rep. Bucshon’s retirement, all eyes are focused on who will be the Republican lead on this effort.
Senate Budget Committee Members Release Report on Private Equity. The report contains findings from an investigation into private equity’s role in healthcare led by the leaders of the committee in the 118th Congress, then-Chair Whitehouse (D-RI) and then-Ranking Member Grassley (R-IA). The report includes two case studies and states that private equity firms have become increasingly involved in US hospitals. They write that this trend impacts quality of care, patient safety, and financial stability at hospitals across the United States, and the report calls for greater oversight, transparency, and reforms of private equity’s role in healthcare. A press release that includes more documents related to the case studies can be found here.
ADMINISTRATION
HHS OCR Proposes Significant Updates to HIPAA Security Rule. HHS OCR released a proposed rule, HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (ePHI). HHS OCR proposes minimum cybersecurity standards that would apply to health plans, healthcare clearinghouses, most healthcare providers (including hospitals), and their business associates. Key proposals include:
Removing the distinction between “required” and “addressable” implementation specifications and making all implementation specifications required with specific, limited exceptions.
Requiring written documentation of all Security Rule policies, procedures, plans, and analyses.
Updating definitions and revising implementation specifications to reflect changes in technology and terminology.
Adding specific compliance time periods for many existing requirements.
Requiring the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
Strengthening requirements for planning for contingencies and responding to security incidents.
Requiring regulated entities to conduct an audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
The HHS OCR fact sheet is available here. Comments are due on March 7, 2025. Because this is a proposed rule, the incoming Administration will determine the content and next steps for the final rule.
HHS Releases AI Strategic Plan. In response to President Biden’s Executive Order on AI, HHS unveiled its AI strategic plan. The plan is organized into five primary domains:
Medical research and discovery
Medical product development, safety and effectiveness
Healthcare delivery
Human services delivery
Public health
Within each of these chapters, HHS discusses in-depth the context of AI, stakeholders engaged in the domain’s AI value chain, opportunities for the application of AI in the domain, trends in AI for the domain, potential use-cases and risks, and an action plan.
The report also highlights efforts related to cybersecurity and internal operations. Lastly, the plan outlines responsibility for AI efforts within HHS’s Office of the Chief Artificial Intelligence Officer.
CFPB Removes Medical Debt from Consumer Credit Reports. The final rule removes $49 billion in unpaid medical bills from the credit reports of 15 million Americans, building on the Biden-Harris Administration’s work with states and localities. The White House fact sheet can be found here. Whether the incoming Administration will intervene in this rulemaking remains an open question.
President Biden Signs Several Public Health Bills into Law. These bills from the 118th Congress include:
H.R. 6829, the HEARTS Act of 2024, which mandates that the HHS Secretary work with the Centers for Disease Control and Prevention, patient advocacy groups, and health professional organizations to develop and distribute educational materials on cardiomyopathy.
H.R. 6960, the Emergency Medical Services for Children Reauthorization Act of 2024, which reauthorizes through FY 2029 the Emergency Medical Services for Children State Partnership Program.
H.R. 7213, the Autism CARES Act of 2024, which reauthorizes, through FY 2029, the Developmental Disabilities Surveillance and Research Program and the Interagency Autism Coordinating Committee in HHS, among other HHS programs to support autism education, early detection, and intervention.
QUICK HITS
ACIMM Hosts Public Meeting. The HHS Advisory Committee on Infant and Maternal Mortality (ACIMM) January meeting included discussion and voting on draft recommendations related to preconception/interconception health, systems issues in rural health, and social drivers of health. The agenda can be found here.
CBO Releases Report on Gene Therapy Treatment for Sickle Cell Disease. The Congressional Budget Office (CBO) report did not estimate the federal budgetary effects of any policy, but instead discussed how CBO would assess related policies in the future.
CMS Reports Marketplace 2025 Open Enrollment Data. As of January 4, 2025, 23.6 million consumers had selected a plan for coverage in 2025, including more than three million new consumers. Read the fact sheet here.
CMS Updates Hospital Price Transparency Guidance. The agency posted updated frequently asked questions (FAQs) on hospital price transparency compliance requirements. Some of the FAQs are related to new requirements that took effect January 1, 2025, as finalized in the Calendar Year 2024 Outpatient Prospective Payment System/Ambulatory Services Center Final Rule, and others are modifications to existing requirements as detailed in previous FAQs.
GAO Releases Reports on Older Americans Act-Funded Services, ARPA-H Workforce. The US Government Accountability Office (GAO) report recommended that the Administration for Community Living develop a written plan for its work with the Interagency Coordinating Committee on Healthy Aging and Age-Friendly Communities to improve services funded under the Older Americans Act. In another report, the GAO recommended that the Advanced Research Projects Agency for Health (ARPA-H) develop a workforce planning process and assess scientific personnel data.
VA Expands Cancers Covered by PACT Act. The US Department of Veterans Affairs (VA) will add several new cancers to the list of those presumed to be related to burn pit exposure, lowering the burden of proof for veterans to receive disability benefits. Read the press release here.
HHS Announces $10M in Awards for Maternal Health. The $10 million in grants from the Substance Abuse and Mental Health Services Administration (SAMHSA) will go to a new community-based maternal behavioral health services grant program. Read the press release here.
Surgeon General Issues Advisory on Link Between Alcohol and Cancer Risk. The advisory includes a series of recommendations to increase awareness of the connection between alcohol consumption and cancer risk and update the existing Surgeon General’s health warning label on alcohol-containing beverages. Read the press release here.
SAMHSA Awards CCBHC Medicaid Demonstration Planning Grants. The grants will go to 14 states and Washington, DC, to plan a Certified Community Behavioral Health Clinic (CCBHC). Read the press release here.
HHS Announces Membership of Parkinson’s Advisory Council. The Advisory Council on Parkinson’s Research, Care, and Services will be co-chaired by Walter J. Koroshetz, MD, Director of the National Institutes of Health’s National Institute of Neurological Disorders and Stroke, and David Goldstein, MS, Associate Deputy Director for the Office of Science and Medicine for HHS’s Office of the Assistant Secretary for Health. Read the press release here.
NEXT WEEK’S DIAGNOSIS
The House and Senate are in session next week and will continue to organize for the 119th Congress. Confirmation hearings are expected to begin in the Senate for President-elect Trump’s nominees, although none in the healthcare space have been announced yet. On the regulatory front, CMS will publish the Medicare Advantage rate notice.
5 Trends to Watch: 2025 EU Data Privacy & Cybersecurity
Full Steam Ahead: The European Union’s (EU) Artificial Intelligence (AI) Act in Action — As the EU’s landmark AI Act officially takes effect, 2025 will be a year of implementation challenges and enforcement. Companies deploying AI across the EU will likely navigate strict rules on data usage, transparency, and risk management, especially for high-risk AI systems. Privacy regulators are expected to play a key role in monitoring how personal data is used in AI model training, with potential penalties for noncompliance. The interplay between the AI Act and the General Data Protection Regulation (GDPR) may add complexity, particularly for multinational organizations.
Network and Information Security Directive (NIS2) Matures: A New Era of Cybersecurity Regulation — The EU’s NIS2 Directive will enter its enforcement phase, expanding cybersecurity obligations for critical infrastructure and key sectors. Companies must adapt to stricter breach notification rules, risk management requirements, and supply-chain security mandates. Regulators are expected to focus on cross-border coordination in response to major incidents, with early cases likely setting important precedents. Organizations will likely face increasing scrutiny of their cybersecurity disclosures and incident response protocols.
The Evolution of Data Transfers: Toward a Unified Framework — After years of turbulence, 2025 may mark a turning point for transatlantic and global data flows. The EU-U.S. Data Privacy Framework will face ongoing reviews by the European Data Protection Board (EDPB) and potential legal challenges, but it offers a clearer path forward. Meanwhile, the EU may continue striking adequacy agreements with key trading partners, setting the stage for a harmonized approach to cross-border data transfers. Companies will need robust mechanisms, such as Standard Contractual Clauses and emerging Transfer Impact Assessments (TIAs), to maintain compliance.
Consumer Rights Expand Under the GDPR’s Influence — The GDPR continues to set the global benchmark for privacy laws, and 2025 will see the ripple effect of its influence as EU member states refine their own data protection frameworks. Enhanced consumer rights, such as the right to explanation in algorithmic decision-making and stricter opt-in requirements for data use, are anticipated. Regulators are also likely to target dark patterns and deceptive consent mechanisms, driving companies toward greater transparency in their user interfaces and data practices.
Digital Markets Act Meets GDPR: Privacy in the Platform Economy — The Digital Markets Act (DMA), fully enforceable in 2025, will bring sweeping changes to large online platforms, or “gatekeepers.” Interoperability mandates, restrictions on data combination across services, and limits on targeted advertising will intersect with GDPR compliance. The overlap between DMA and GDPR enforcement will challenge platforms to adapt their practices while balancing privacy obligations. This regulatory synergy may reshape data monetization strategies and set a precedent for digital market governance worldwide.
New Jersey Division of Consumer Affairs Publishes Privacy Law FAQs
On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers (“FAQs”) on the New Jersey Data Privacy Law (“NJDPL”). The FAQs are intended for the convenience of businesses that may be subject to the law and cover topics such as “What is ‘personal data’?” and “What rights does the NJDPL protect?”. The FAQs reiterate that small businesses and non-profits are subject to the NJDPL if they meet the law’s applicability thresholds. The FAQs also state that the Division of Consumer Affairs will issue regulations in 2025. The NJDPL becomes effective January 15, 2025.
Illinois Warehouse Worker Bill Brings New Challenges for Employers with Quotas
Illinois employers with warehouse worker production quotas should be aware of a bill that has now passed both legislative houses as of Jan. 7, 2025. The Warehouse Worker Protection Act would affect employers with (1) 100 or more employees at a single warehouse in Illinois or (2) 1,000 or more employees across warehouses in Illinois.
The highlights of the bill include:
Employers that use production quotas for warehouse employees must provide those employees with a written description of the quota and any potential adverse action that could result from failure to meet the quota. This written description must be provided within 30 days of the bill’s passage and upon hire for employees hired thereafter. Subsequently, if an employee requests a written description of each applicable quota, it must be provided.
If an employee receives discipline based on failure to meet a quota, the employee is entitled to a written explanation of their failure to meet the quota within three days of an employee request for such an explanation.
Employers will be required to preserve three years of all records regarding warehouse quotas and employee work speed data.
A current or former employee who believes they were disciplined for failure to meet a quota has the right to request: (1) a written description of each applicable quota, (2) the most recent 90 days of their work speed data, and (3) a copy of the aggregated work speed data for similar employees during the same time period.
There is a rebuttable presumption of unlawful retaliation if an employee is subject to an adverse employment action within 90 days of requesting information under the act or making a complaint under the act.
The Illinois Department of Labor may seek monetary damages and civil penalties. Additionally, there is a private right of action to seek injunctive relief. Although monetary damages cannot result from an employee’s private action, the employee can recover attorney’s fees and costs if they prevail.
While the act has not yet been signed into law, Illinois employers that use production quotas should consider preparing for compliance, including drafting written descriptions of applicable quotas and penalties for failure to meet quotas and completing data preservation of all quotas and employee work speed data.