The New Trump Administration’s Immigration Enforcement Policy: What Employers Must Know
On January 20, 2025, President Trump signed numerous executive orders related to his immigration policy objectives, including a declaration of a national emergency at the southern border, which will allow the use of federal funding for border security and the deployment of armed forces to the region as additional resources. President Trump will also enact a mass deportation operation of undocumented immigrants in the U.S. and has vowed to initiate “the largest domestic deportation operation in American history.”
As part of this operation, there is speculation that the U.S. Immigration and Customs Enforcement (ICE) agency, the enforcement branch of the U.S. Department of Homeland Security (DHS), is preparing to take removal actions (informally known as “ICE raids”) in targeted cities. However, the actual date of the operation is unclear. As of the date of publication of this Insight, there has been no significant increase in the number of ICE raids or arrests across the country. Nevertheless, with the new administration’s emphasis on immigration enforcement across all federal agencies, we expect to see an increase in ICE raids imminently.
On January 21, 2025, the Acting Secretary of the DHS, Benjamine Huffman, issued a directive ending the Biden administration’s policy restricting immigration enforcement in or near “protected areas.” This means that ICE agents will have the authority to enter sensitive areas, including hospitals, schools, and churches, and take enforcement actions.
What Happens During an ICE Raid?
In an ICE raid, the agency’s objective is to detain undocumented employees working for employers in the United States. ICE raids are generally targeted, meaning ICE agents may have a list of names of individuals they are looking to detain, or alternatively, the raid may be targeted towards a particular industry that is known to have a high volume of undocumented employees, such as restaurants and the hospitality, construction, cleaning, and agriculture industries.
ICE raids are not announced in advance. Rather, ICE agents are free to enter any public areas of the business, such as a lobby or parking lot. However, in order to enter non-public business premises, the agent must have a signed judicial search warrant or the employer’s consent.
It is important for employers to comply with these investigations to maintain the integrity of their overall immigration programs. However, due to the unannounced nature of ICE raids and the sensitive nature of the information about employees and the company that may be sought, employers must take care not to inadvertently violate laws or privacy protections in their efforts to comply with ICE agents’ requests.
What Can Employers Do Now to Prepare for ICE Raids?
There are several steps an employer can and should take to prepare for a potential ICE raid.
Designate a person within the Human Resources or Legal Department to be the primary point of contact in case of an ICE raid.
Establish basic protocols for the designated company representative to follow in the event of an ICE raid. Also consider providing training to designated company representatives regarding the employer’s records and retention policy, what to expect during an ICE raid, and how to respond (e.g., reviewing the scope of judicial search warrants, communicating with agents and/or affected employees, etc.).
Prepare guidelines or instructions for your front desk receptionist, or whoever else is likely to be the first person an ICE agent comes across and speaks to, so that the person knows whom to contact if an ICE agent enters your business location, as well as what not to do or say.
Conduct an internal audit of I-9 files. In this connection:
retain a completed Form I-9 for all active employees,
make corrections to Forms I-9 as soon as an error is identified, and
also retain I-9s for the mandatory period for terminated employees.
If you are an E-Verify employer:
conduct an audit of your E-Verify cases to ensure compliance,
submit an E-Verify case for one you identify as missing, and
make sure the mandatory E-Verify poster is posted at all worksites.
Conduct an internal audit to ensure immigration petition documents are in line with personnel records, including compensation and work location information.
Conduct a review of employee personnel, I-9, and immigration files and ensure the respective files are kept in separate folders and contain only relevant documents.
Remove or relocate documents that may disclose employees’ personal or protected data and that are not otherwise required to be maintained in the file.
Be mindful, however, of any applicable state personnel file laws that dictate what must be maintained as part of a “personnel file.”
If you have contractors, leased workers, or workers from a temporary staffing agency providing services at your business location(s), review your vendor contract for language requiring the vendor to:
provide contractors who are legally authorized to work in the United States, and
be fully compliant with the I-9 laws and other relevant immigration laws.
Notify managers/supervisors that they must not provide legal advice to employees or customers who are at the business premises and may be affected by immigration enforcement measures.
Instead, employers may wish to make available pamphlets or other literature regarding immigrant rights from immigration support organizations such as the National Immigration Law Center.
In light of the potentially high-profile nature of ICE raids, employers may wish to get ahead of any potential negative press by preparing a statement to be issued to employees and/or the media following an ICE raid.
Connect with an attorney specializing in immigration law to seek guidance on establishing internal protocols and training.
What Else Should Employers Know?
The current Trump administration’s immigration enforcement efforts will likely primarily target undocumented immigrants with criminal histories as well as undocumented immigrants at the southern border. But we may also see additional executive orders affecting policy changes impacting individuals currently protected under programs such as Deferred Action for Childhood Arrivals, Temporary Protected Status, Deferred Enforced Departure, foreign students on F-1 student visas, and humanitarian parole programs established during the Biden administration. We may also see an increase in DHS site visits to employers’ business locations in order to conduct routine audits of immigration visa sponsorship files that have been filed with the immigration agency. Employers that serve members of the public, such as hospitals, schools, and religious organizations, should also be aware that they are generally under no obligation to share the immigration status (if known) of their patients, parishioners, customers, or students unless such information is specifically included in a government agent’s lawful warrant. Relatedly, however, employers should be careful not to be seen as obstructing or interfering in any way with the government’s actions.
Incoming Environmental Protection Agency (EPA) Personnel and Impact on Enforcement
To nobody’s surprise, it is already evident that President Trump’s second term will mark a significant shift in environmental regulation and policy from the Biden Administration. This article marks the first in a series in which we will highlight and analyze some of the Trump Administration’s early initiatives regarding environmental law and regulation as well as what can be expected going forward for and from the EPA, environmental law, and the regulated community.
Our review will be informed by the second Trump Administration’s early actions, a review of Trump’s first term, his campaign statements, the personnel he has nominated for key posts, and independent policy documents from influential Think Tanks.
During his first term the Trump Administration rolled back or retooled in a manner that effectively weakened over 100 environmental rules and regulations. While environmental policy was not a focal point of Trump’s 2024 election campaign, candidate Trump frequently stated that boosting fossil fuel production and reducing or streamlining environmental regulations in support of its stated goals of increasing economic efficiency would be key initiatives for his second administration. These goals also feature prominently in the positions of influential conservative policy papers such as Project 2025, a policy initiative first published in April 2023 by the conservative Think Tank The Heritage Foundation; and President Trump has already tapped Aaron Szabo, who helped to write the EPA chapter of Project 2025, to lead the EPA’s Office of Air and Radiation.
The initial round of executive orders issued by the second Trump Administration shows a dramatic but expected change in approach to environmental regulation: the Trump Administration again withdrew the United States from the Paris Climate Agreement and rescinded many of President Biden’s executive orders on energy and climate change. Another executive order declared an “energy emergency” and prioritized the approval and generation of domestic energy resources, excluding wind and solar, and described using emergency powers to expedite environmental review and permitting processes.
Forthcoming early action items are likely to fit with the broader Trump Administration goals for the EPA: to reduce the EPA’s costs and staffing, increase reliance on states for environmental enforcement and regulation by taking a more supportive role, and continue to support fossil fuel development over renewable energy development. We can also expect actions by the EPA to identify existing rules to be stayed, as well as to review employees and staffing objectives while looking for opportunities to downsize to further these aims.
It is also likely that from the outset Trump’s EPA will look to reassess many of the EPA’s and DOJ’s current environmental enforcement cases. A report by the Environmental Integrity Project tracking the EPA’s enforcement actions since 2001 predicts that the expected drop in funding and staffing at the EPA, coupled with the new administration’s stated policy goals, will lead to a significant reduction in the EPA’s enforcement. This is consistent with the trajectory from Trump’s first term, where the EPA continued a trend of reducing the EPA’s enforcement actions. It is likely that Trump’s EPA will seek to prioritize cooperation with the regulated community and focus on compliance rather than enforcement, which was the strategy adopted during President Trump’s first term and outlined to be taken up again in Project 2025. Taken together, there are strong indicators that the incoming Trump Administration will look to stay ongoing enforcement cases, delay others, and limit future federal enforcement efforts.
AB 238 Mortgage Deferment Act for California Wildfire: Mortgage Forbearance Relief
AB 238, also referred to as the Mortgage Deferment Act, to add Title 19.1 § 3273.20 et seq. (the “Mortgage Deferment Act” or the “Act”), was introduced in the California legislature on January 13, 2025 to provide essential financial relief to the victims of the Los Angeles County wildfires (including the Palisades and Eaton fires) that continue to burn in multiple locations throughout Southern California. The Mortgage Deferment Act may be heard in committee on February 13, 2025. If implemented, the Act is intended to provide financial relief to those who have lost their homes or livelihood to wildfires by allowing borrowers to request mortgage payment forbearance for up to 360 days, in two increments of 180 days each.
The Mortgage Deferment Act is modeled after the CARES Act, which provided similar forbearance relief to those experiencing financial hardship during the COVID-19 pandemic. To effectuate a request under the Act as currently drafted, the borrower[1] must submit a request for forbearance to the borrower’s mortgage loan servicer and affirm that the borrower is experiencing a financial hardship due to the wildfire disaster. Id. at § 3273.22(a). No additional documentation is required for a request for forbearance, other than the borrower’s attestation to a financial hardship caused by the wildfire disaster. Id. at § 3273.23(a).
Upon receipt of such a request, the mortgage servicer must provide the borrower a forbearance for up to 180 days, which may be extended for an additional period of up to 180 days at the request of the borrower. Id. at § 3273.22(b). Additionally, the mortgage servicer must communicate with the borrower to whom a forbearance has been granted to ensure that the borrower understands that the missed mortgage payments must be repaid, although they may be paid back over time. Id. at § 3273.23(a)-(b).
The proposed legislation prohibits the assessment of additional fees, penalties, or interest beyond scheduled amounts. It also requires an immediate stay of foreclosure efforts, and extends to all aspects of the foreclosure process, including foreclosure-related eviction. Moreover, during the forbearance period, the Mortgage Deferment Act prohibits a mortgage servicer from initiating any judicial or nonjudicial foreclosure process, moving for a foreclosure judgment or order of sale, or executing a foreclosure-related eviction or foreclosure sale. Id. at § 3273.24.
If the Mortgage Deferment Act is implemented, it will be of the utmost importance for mortgage servicers to work closely with borrowers who may have been impacted by the wildfire disaster in California. Servicers should also ensure that borrowers requesting forbearance are properly informed that any missed mortgage payments pursuant to the borrower’s forbearance request ultimately will be required to be repaid to the mortgage servicer. Further, upon implementation, any failure to properly adhere to the Mortgage Deferment Act by mortgage servicers could have significant negative consequences, which could include litigation and/or compliance issues. Servicers should monitor the status of the Act, to ensure that they are prepared to fully comply with its terms, should the Act become law.
[1] The Mortgage Deferment Act, as currently drafted, includes various proposed definitions. “Borrower” is defined as a natural person who is a mortgagor or trustor or a confirmed successor in interest, or a person who holds a power of attorney for a mortgagor or trustor or a confirmed successor in interest. Mortgage Deferment Act § 3273.21(a). “Mortgage loan” is defined as a loan that is secured by a mortgage and is made for financing, including refinancing of existing mortgage obligations, to create or preserve the long-term affordability of a residential structure in the state, or a buy-down mortgage loan secured by a mortgage, of an owner-occupied unit in this state. Id. at § 3273.21(b). “Mortgage servicer” means a person or entity who directly services a loan or who is responsible for interacting with the borrower, managing the loan account on a daily basis, including collecting and crediting periodic loan payments, managing any escrow account, or enforcing the note and security instrument, either as the current owner of the promissory note or as the current owner’s authorized agent. Id. at § 3273.21(c). “Wildfire disaster” means the conditions described in the proclamation of a state of emergency issued by California Governor Gavin Newsom on January 7, 2025. Id. at § 3273.21(d).
Navigating Executive Orders: Insights and What Lies Ahead
On January 20, 2025, a new administration took control of the Executive Branch of the federal government, and it has signaled that it will make aggressive use of executive orders.
This would be a good time to review the scope of executive orders and how they may affect employers and health care organizations.
Executive orders are not mentioned in the Constitution, but they have been around since the time of George Washington. Executive orders are signed, written, and published orders from the President of the United States that manage and direct the Executive Branch and are binding on Executive Branch agencies. Executive orders can be used to implement or clarify existing federal law or policies and can direct and manage the way federal agencies interact with private entities. However, executive orders are not a substitute for either statutes or regulations.
The current procedure for implementing executive orders was set out in a 1962 executive order that requires that all such orders must be published in the Federal Register, the same publication where executive agencies publish proposed and final rules. Once published, any executive order can be revoked or modified simply by issuing a new executive order. In addition, Congress can ratify an existing executive order in cases where the authority may be ambiguous.
Although the President has extensive powers under Article II of the Constitution, that does not necessarily mean that executive orders can be issued and enforced on a whim. Over time, federal courts have reviewed executive orders and typically base their decisions on three questions: (1) has Congress delegated any authority to the President to act through an executive order?; (2) if so, what is the scope of any delegation?; and (3) did the President act within the scope of that delegation?
In a seminal case, Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952), the Supreme Court reviewed an executive order signed by President Truman directing the Secretary of Commerce to take possession of and operate most of the nation’s steel mills to prevent a strike from disrupting steel production during the Korean War. On appeal, the Court ruled that the executive order was not authorized under the Constitution or any statute, and that the President lacked any legislative power. It also rejected the argument that the President had an implied authority to issue the executive order under the military powers delegated to the President, as that did not extend to labor disputes.
More recently, during the COVID-19 pandemic, an executive order used the authority delegated in the Defense Production Act to address potential national defense and food supply disruptions. Nevertheless, deference to an executive order should not be presumed. Even at the height of the pandemic, the Sixth Circuit ruled that the President lacked the authority to issue an executive order mandating that federal contractors be vaccinated against the COVID virus. In Kentucky v. Biden, 23 F.4th 585 (6th Cir. 2022), the Sixth Circuit ruled that the President’s reliance on the Federal Property and Administrative Services Act of 1949 (“FPASA”) was misplaced and did not authorize issuing an executive order binding on federal contractors; it determined that the act’s goal of improving economy and efficiency in federal procurement of property and services applied to the government itself and did not extend to issuing directives that may “improve the efficiency of contractors and subcontractors.”
The question of a delegation of authority to a President is not necessarily solved with an executive order directing an agency to issue regulations. For example, President Biden signed an executive order directing the Secretary of Labor to publish regulations setting a minimum wage of $15 per hour for federal contractors, based on his reading of FPASA. The regulations were challenged, and two Courts of Appeal reached opposite conclusions. In Bradford v. U.S. Dep’t of Labor, 101 F.4th 707 (10th Cir. 2024) the Tenth Circuit ruled that Congress had delegated broad authority under FPASA to the President in the language setting out the act’s purpose, and that he was justified in determining that a $15 minimum wage was consistent with the act’s goals. Nevertheless, in State of Nebraska v. Su, 121 F.4th 1 (9th Cir. 2024), the Ninth Circuit determined that the minimum wage mandate did exceed the authority granted to the President and the Department of Labor. That decision relied on a narrow reading of FPASA, and concluded that the intent of the statute was limited to ensuring that the federal government received value in contracts with private entities, and that setting a minimum wage for the employees of those contractors fell outside the reach of FPASA. Although there was a clear split among the circuits, the Supreme Court declined to resolve the matter. For now, disputes involving executive orders may have to be resolved on a case-by-case basis.
In the future, employers and health care organizations that supply goods or services to federal agencies or federally-funded programs should carefully examine any executive orders that affect their business, evaluating not only the content of those orders but also whether they are authorized by law. EBG intends to monitor these developments along with any relevant rulemaking by federal agencies.
First Days: Initial Executive Orders on Immigration and Border Security
Highlights
On Jan. 20, President Trump issued several executive orders that have a wide-ranging impact on U.S. immigration and border security
These executive orders, which attempt to reshape the definition of American citizenship, have resulted in immediate litigation
They also could result in new travel restrictions and additional delays for travelers seeking visas at U.S. Consulates abroad
Nationals of certain countries admitted to the U.S. since Jan. 20, 2021, could be at risk of removal proceedings
Shortly after his inauguration on Jan. 20, President Donald Trump issued several significant executive orders (EOs). While these EOs covered several areas of American society, a very significant number focus on immigration and border security. This alert summarizes several of these EOs with a particular focus on their prospective effect on employers and the foreign nationals they employ.
Executive Order on Birthright Citizenship Titled Protecting the Meaning and Value of American Citizenship
On Jan. 20, the EO on Protecting the Meaning and Value of American Citizenship was issued. This EO seeks to limit birthright citizenship to children of U.S. citizens or lawful permanent residents and sets forth the policy of limiting the scope of individuals to be recognized as American citizens.
As background, the 14th Amendment’s citizenship clause grants citizenship to almost all children born in the U.S. (children of foreign diplomats are not conferred U.S. citizenship). It states, “All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside.” In essence, if you’re born here, you’re an American. The principle of birthright citizenship is long-standing and has been confirmed in multiple U.S. Supreme Court rulings.
This EO is not retroactive but would apply to all children born in the U.S. on or after Feb. 19, 2025, who do not have at least one U.S. citizen or lawful permanent resident parent.
Multiple states and civil rights organizations have jointly filed a lawsuit challenging the constitutionality of the EO. As of Jan. 23, a federal court in Washington has granted a 14-day injunction on enforcement of the order, calling it “blatantly unconstitutional.” During this 14-day period, the court will determine whether to issue a permanent injunction. It is likely this matter will be litigated all the way to the Supreme Court.
Importantly, an EO titled Protecting the United States From Foreign Terrorists and Other National Security and Public Safety Threats directs relevant federal agencies to identify countries that may warrant restrictions affecting the ability of foreign nationals to travel to the U.S. or gain an immigration benefit while in the U.S. The agencies have 60 days to review current status and then recommend to President Trump the countries that should have a travel ban imposed.
For employers and their foreign national employees this likely means:
a) In-person interviews of all visa applicants at consulates abroad, prolonging wait times for appointment and processing.
b) In-person interviews for all “green card” applicants, further prolonging final approval for employment-based cases.
c) Restrictions on international travel for employees of countries under a travel ban.
d) Increased delays at all levels of the process.
We recommend employers consider notifying any employees from a designated country who were admitted on a visa or granted residency after Jan. 20, 2021, of possible issues.
Other important orders issued covering immigration and border security are:
Executive orders declaring a national emergency at the southern border and a separate executive order to the military prioritizing U.S. border security titled Clarifying the Military’s Role in Protecting the Territorial Integrity of the United States
An executive order instructing the U.S. Department of Homeland Security (DHS) to restore the full scope of expedited removal and rescind guidance limiting the scope of expedited removal issued by the Biden administration. Anybody encountered anywhere in the U.S. within two years of their entry is now subject to expedited removal.
Executive order titled Designating Cartels and Other Organizations As Foreign Terrorist Organizations and Specially Designated Global Terrorists, which could affect individuals seeking admission to the U.S. who’ve had any prior contact with drug cartels.
Executive order titled Realigning the United States Refugee Admissions Program, which suspends the admission of any new refugees and directs greater state and local involvement in refugee placement decisions once the program resumes.
Biden Orders Reversed: Initial Rescissions of Harmful Executive Orders and Actions
President Trump also issued an EO titled Initial Rescissions of Harmful Executive Orders and Actions, which rescinds a number of EOs on various topics, including many on immigration issued by President Biden. One of the Executive Orders issued by President Biden aimed to ensure that immigrant communities feel welcomed, valued, and fully integrated into U.S. society. However, as a result of these rescissions, certain public charge and naturalization processes may be affected, potentially introducing more restrictive requirements.
Asylum: EO Titled Protecting the American People Against Invasion
This EO, also issued on Jan. 20, revokes many of the Biden administration’s EOs related to asylum seekers and family reunification. It also enhances the civil and criminal enforcement priorities of DHS and the agencies and departments under it. This EO directs the Attorney General and the secretary of DHS to establish enforcement task forces and to coordinate with state and local law enforcement.
Importantly for employers, there is direction to prioritize human smuggling with a focus on children and to use “all available law enforcement tools” in this effort. This likely means increased worksite raids and investigations – including those involving both Homeland Security and the Department of Labor (responsible for enforcement of child labor laws).
Additional key provisions that could affect employers include direction to:
a) Relevant agencies to consider withholding federal funds from “sanctuary jurisdictions” that will not cooperate in the increased enforcement efforts. Employers at organizations supporting “sanctuary” processes may be at risk.
b) The agencies to assess and consider limiting the length and scope of Employment Authorization Documents (EADs) and the suspension of parole programs, which would result in the loss of employment authorization for workers with EADs pursuant to such parole.
c) Ensure all grants of Temporary Protected Status (TPS) are “consistent” with the statute, which could result in the revocation of TPS for some countries, which would then result in the loss of employment authorization for workers from those countries.
d) Review and audit all agreements with non-governmental organizations supporting or providing services – directly or indirectly – to “removable” people in the country illegally, to ensure that those agreements do not promote or violate immigration laws. Nonprofit services organizations, universities and colleges, and hospitals could all be at risk of audits and possibly loss of federal funding under this provision.
The sections of the EO mandating that U.S. Immigration and Customs Enforcement (ICE), Customs and Border Patrol, and U.S. Citizenship and Immigration Services prioritize the enforcement of immigration laws and prosecution of offenses related to individuals’ unauthorized entry or presence in the U.S. are likely to result in a significant increase in worksite enforcement actions. This could include I-9 enforcement, wage and hour audits of employers that hire H-1B workers, and potential reverse discrimination claims by the DOJ’s Civil Rights Division.
Of note for employers, President Trump also has ordered DHS to ensure the assessment and collection of fines and penalties authorized under the law for ICE enforcement efforts against people unlawfully present in the U.S. and from those who facilitate their presence. This could have significant implications for employers found to have knowingly hired unauthorized workers or situations involving constructive knowledge.
Takeaways
Cumulatively, these EOs intend to reshape immigration law and are likely to result in significant additional changes across federal agencies such as the Department of Homeland Security, the Department of State, the Department of Labor, and the Department of Justice, among others. Some are also likely to be the subject of litigation.
Update: California State Assembly Passes AB 3129 Requiring State Approval of Private Equity Healthcare Deals
California’s AB 3129, which would require private equity firms and hedge funds to obtain prior approval to consummate certain healthcare-related transactions, is now one step closer to becoming law following the State Assembly’s May 22, 2024 passage of the pending legislation. The legislation is now being considered by the California State Senate, where approval must be obtained prior to the end of the legislative session in August if it is to be enacted into law this year.
As previewed in our prior blog post, if enacted, AB 3129 would require private equity firms and hedge funds to file an application with the state Attorney General at least 90 days in advance of a transaction involving the acquisition or change of control of healthcare facilities and provider groups and in most cases, await approval to close the transaction. Furthermore, the bill would place significant restrictions on the ability of private equity and other investors to implement “friendly PC-MSO” and similar arrangements, which are widely used today by stakeholders as an investment structure to avoid violating California’s prohibition on the corporate practice of medicine.
While the bill has not yet been enacted into law, the State Assembly’s passage of the bill does represent positive momentum for proponents of the legislation, and stakeholders should be aware of the legislation’s broad implications on the structuring and consummation of healthcare-related transactions in the state.
President Trump’s Executive Order Steering Digital Assets Policy
As promised during his campaign, President Trump has taken significant steps to support the digital asset industry during his first week in office. On 23 January 2025, he signed an executive order initiating digital asset regulatory rollbacks and a new federal framework governing cryptocurrencies, stablecoins, and other digital assets (the Order).
On the same day, the Securities and Exchange Commission (SEC) rescinded the controversial Staff Accounting Bulletin 121, which required crypto custodians and banks to reflect digital assets in their custody as both an asset and a liability on their balance sheets. Earlier in the week, the SEC established Crypto 2.0, a crypto task force designed to provide paths for registration and reasonable disclosure frameworks, and to allocate enforcement resources “judiciously.”
The Order recognizes the role the digital asset industry serves in our economy and aims to support the responsible growth and use of digital assets by promoting dollar-backed stablecoins and providing regulatory clarity. The Order lays the groundwork for a regulatory shift furthering digital assets policy, focusing on the creation of “technology-neutral regulations” tailored to digital assets.
In addition to prohibiting agencies from facilitating any central bank digital currencies, the Order establishes a working group comprised of the heads of various agencies (the Working Group) and sets three deadlines:
22 February 2025: Federal agencies must report to the Special Advisor for AI and Crypto with the regulations or other agency guidance that affect the digital asset sector.
24 March 2025: Federal agencies must submit recommendations on whether to rescind or modify these regulations and guidance.
22 July 2025: The Working Group must submit a report to the President on regulatory and legislative proposals to advance digital assets policy. This report must include a proposed Federal framework for the issuance and operation of digital assets, including stablecoins, and evaluate whether establishing a national digital assets stockpile is possible.
McDermott+ Check-Up: January 24, 2025
THIS WEEK’S DOSE
Senate Committees Continue Nomination Hearings. Senate-wide votes have begun as the confirmation process progresses.
House VA Committee Holds Oversight Hearing on Community Care. Members of the House Veterans’ Affairs (VA) Committee examined Congress’ role in improving veterans’ healthcare.
White House Revokes Biden-Era Healthcare EOs. The rescinded executive orders (EOs) relate to health equity, prescription drug costs, and artificial intelligence (AI).
Trump Pauses Regulatory Activity. The pause includes external communications for all agencies.
CONGRESS
Senate Committees Continue Nomination Hearings. The Senate VA Committee held a hearing for VA secretary nominee Doug Collins and subsequently voted for his confirmation with broad bipartisan support. His confirmation vote will now be scheduled for consideration by the full Senate. Russell Vought’s nomination for Office of Management and Budget (OMB) director advanced out of the Senate Homeland Security and Governmental Affairs Committee in an 8 – 7 vote along party lines earlier this week. The Budget Committee held another hearing for Vought’s nomination, where Democrats expressed concerns about potential cuts to Medicaid, especially for low-income and elderly individuals. Republicans focused on the importance of reducing waste, fraud, and abuse in healthcare and advocated against providing care to undocumented immigrants. The Senate Budget Committee will vote on Vought’s confirmation in the coming days, after which his confirmation should be scheduled for consideration by the full Senate.
House VA Committee Holds Oversight Hearing on Community Care. In the hearing, members agreed that Congress has a role to play in improving care for veterans and supporting community care, and expressed concern about the lack of access to VA facilities across the country. Many Democratic members emphasized the need for more hearings on this issue, particularly with witnesses from the VA and third-party VA administrators.
ADMINISTRATION
White House Revokes Biden-Era Healthcare EOs. President Trump was inaugurated on January 20, 2025, and he spent his first day issuing new EOs and revoking others signed into law by former President Biden, 12 of which were healthcare-related. Revoking these EOs has little immediate impact, because additional steps would be necessary to effectuate changes to current policy. The revocations may be indicative of future policymaking, however. Below is a summary of a few key rescinded EOs:
Strengthening Medicaid and the ACA. This EO directed the US Department of Health and Human Services (HHS) to consider creating a special enrollment period for the health insurance marketplace in response to COVID-19. It also directed HHS and the US Departments of Labor and the Treasury to examine and consider suspending or rescinding policies or practices that may undermine Medicaid, Affordable Care Act (ACA) coverage, or the Health Insurance Marketplace. The EO also revoked two first-term Trump Administration EOs: Minimizing the Economic Burden of the Patient Protection and ACA Pending Repeal, and Promoting Healthcare Choice and Competition Across the United States.
Lowering Prescription Drug Costs for Americans. This EO directed the Centers for Medicare & Medicaid Innovation Center to consider models that would lower drug costs and promote access to innovative drug therapies for beneficiaries enrolled in the Medicare and Medicaid programs, including models that may lead to lower cost-sharing for commonly used drugs and support value-based payment that promotes high-quality care.
Safe, Secure, and Trustworthy Development and Use of AI. This EO set forth principles that executive agencies should follow when utilizing AI, including requirements that AI be safe, secure, responsible, and equitable. The EO also established the White House AI Council, which consisted of the assistant to the president and deputy chief of staff for policy, and representatives from various agencies and departments, including HHS.
Through another EO, President Trump started the process of withdrawing the United States from the World Health Organization (WHO), citing mishandling of the COVID-19 pandemic and an inability to demonstrate independence from the political influence of WHO member states. The EO directs OMB and the US Department of State to pause transfer of funds to the WHO and recall any personnel working in any capacity at the WHO.
Trump Pauses Regulatory Activity. As part of the transition, the new Trump Administration issued an EO that paused regulatory activity, including issuance of new proposed rules unless an exemption is provided. While this is typical of a new Administration, memos from department heads have placed more restrictions on third-party and formal communications, even outside of the rulemaking process. For HHS, the “freeze” in regulatory activity is set to run until February 1, 2025.
QUICK HITS
MACPAC Holds January 2025 Meeting. The Medicaid and CHIP Payment and Access Commission (MACPAC) meeting included discussion related to home- and community-based services, opioid-use disorder treatment, residential services access for children and youth, external quality review for managed care organizations, the transition from pediatric to adult healthcare, and the All-Inclusive Care for the Elderly model.
President Trump Announces Investment in AI Infrastructure. The president announced the Stargate Project, which is a multibillion-dollar investment by private technology companies. The project’s goal is to create AI infrastructure in the United States and includes a focus on curing diseases.
NEXT WEEK’S DIAGNOSIS
We expect the new Administration to continue to release EOs and take additional actions on healthcare in the coming week. The House will be in recess next week, and the Senate will be in session, with confirmations expected to continue in committees and on the floor. HHS secretary nominee RFK Jr. will appear before the Senate Finance and Health, Education, Labor, & Pensions Committees next week. Other hearings include a Senate VA Committee hearing on the VA’s community care program, and a Senate Aging Committee hearing on fiscal policies related to seniors.
California SB 923: New Trans-Inclusive Healthcare Requirements for Health Plans
Beginning in the first quarter of 2025, California healthcare service plans, health insurers, Medi-Cal managed care plans, and PACE organizations must ensure that staff who have direct enrollee contact receive evidence-based cultural competency training focused on transgender-inclusive healthcare. This requirement arises from Senate Bill No. 923 (SB 923), a law passed by the California legislature in 2022. Provider directories must also be updated by March 1, 2025, to identify which in-network providers have previously offered gender-affirming services.
SB 923 is part of a broader effort by the California legislature to require healthcare entities to improve access to culturally competent gender-affirming care for transgender, gender diverse, and intersex (TGI) individuals. This legislation builds on prior mandates requiring physicians and surgeons to complete continuing medical education (CME) courses addressing cultural and linguistic competency. The legislation expanded existing cultural competency training requirements to now require CME programs to address TGI-related health needs, thus laying a foundation for the broader system-wide changes that SB 923 compels.
While the statute sets “no later than March 1, 2025,” as the outer deadline for compliance, the California Department of Managed Health Care (DMHC) All Plan Letter (APL) 24-018 imposes an earlier deadline – February 14, 2025 – for all full-service (and certain specialized) healthcare service plans under DMHC jurisdiction to complete the required training.
Below we outline the key requirements, summarize the CME obligations already in effect, consider initial feedback from early implementation, and offer steps to help affected entities prepare for upcoming deadlines.
In Depth
NEW REQUIREMENTS FOR HEALTH PLANS, INSURERS, AND MEDI-CAL MANAGED CARE ENTITIES
SB 923 requires healthcare service plans, health insurers, Medi-Cal managed care plans, and PACE organizations to engage in workforce cultural competency training. Key training elements include:
Adopting inclusive communication techniques by using TGI-inclusive terminology and ensuring respectful, affirming interactions with TGI patients.
Addressing health disparities by explaining how family and community acceptance influence TGI patient health outcomes and integrating this understanding into care practices.
Conducting refresher course training whenever a complaint is filed and upheld against a staff member for failing to provide TGI-inclusive care and administering additional courses more frequently if needed.
Training must be provided to staff who directly interact with enrollees. This includes frontline personnel such as call center representatives, nurses, and other staff members who have contact with patients. Exempt from this training requirement are specialized healthcare service plans providing only dental or vision services and Medicare Advantage plans. Currently, SB 923 does not include any exemptions or opt-outs for staff or providers based on religious, moral, or rights of conscience grounds.
While SB 923’s statutory language sets an outer compliance deadline of no later than March 1, 2025, DMHC’s APL 24-018 specifies that all full-service healthcare service plans, regardless of size (and certain specialized plans other than dental or vision-only plans), must ensure that staff complete the required training by February 14, 2025. For health insurers regulated by the Department of Insurance or Medi-Cal managed care plans overseen by the Department of Health Care Services (DHCS), the statutory deadline remains March 1, 2025, unless their respective regulators issue further guidance.
In addition to initial training, DMHC’s APL requires that training be completed every two years thereafter, ensuring ongoing competency. Newly hired staff with direct enrollee contact must complete the training within 45 days of commencing employment. Health plans should also note that regulators may impose sanctions or penalties for noncompliance, reinforcing the importance of meeting these requirements.
UPDATED PROVIDER DIRECTORIES FOR GENDER-AFFIRMING SERVICES
By March 1, 2025, health plans, insurers, and Medi-Cal managed care plans must update their provider directories (as well as call center information) to identify which in-network providers have affirmed and previously provided gender-affirming services. These services might include hormone therapy, gender-confirming surgeries, gender-affirming gynecological care, or voice therapy.
ALREADY-IN-EFFECT CME REQUIREMENTS
Since 2006, curricula for CME courses in California have been required to include cultural and linguistic competency in the practice of medicine. Since 2022, CME course curricula also have been required to include the understanding of implicit bias. SB 923 amended the cultural competency portion of California’s Business and Professions Code Section 2190.1 to require that CME also include TGI health needs. The updated CME curricula should address:
Using correct names, pronouns, and gender-neutral language.
Avoiding assumptions about gender or sexual orientation.
Understanding the discrimination and barriers that TGI patients face, and how implicit bias may influence clinical decisions.
Implementing administrative changes, such as more inclusive intake forms, to create a welcoming care environment.
Cultural competency, including TGI-specific elements, and implicit bias training are not necessary for CME courses offered outside of California to California-licensed physicians and surgeons or as part of CME courses dedicated solely to research or other non-clinical issues lacking a direct patient care component.
IMPLEMENTATION STATUS OF SB 923 CME REQUIREMENTS
Since the TGI-focused CME requirements took effect in 2023, some larger health systems have begun integrating targeted training modules while smaller practices have struggled to find suitable specialized resources. According to the California Association of Health Plans, questions remain about how these training standards will align and be enforced across various health plans and delegated entities. Despite these uncertainties, incremental progress continues. As more healthcare organizations develop approved training resources and toolkits, accessibility and overall cultural competency likely will improve.
PRACTICAL STEPS FOR COMPLIANCE
For Healthcare Providers: Integrate the updated CME modules into existing physician education, revise administrative materials (intake forms, electronic medical records) to reflect inclusive language, and ensure all frontline staff are trained in respectful, TGI-inclusive communication.
For Health Plans and Insurers: Implement TGI-focused training as specified by DMHC: for full-service healthcare service plans, by February 14, 2025, and for other regulated entities, by the statutory deadline. Update provider directories to highlight gender-affirming providers by March 1, 2025, and establish effective complaint and grievance tracking to ensure accountability. With respect to ERISA-governed self-insured group health plans, SB 923 does not provide an express exception. However, ERISA typically preempts state laws that attempt to regulate employee benefit plans, although fully insured plans are generally subject to state insurance laws and would likely need to comply with SB 923. A plan that is not fully insured or regulated by the California DMHC would generally not need to comply. As of the publication date, we are unaware of any ERISA preemption challenges to SB 923. Some group health plan sponsors may wish to proceed with compliance and continue to watch for any updates.
For Medi-Cal Managed Care Plans and PACE Organizations: Follow guidance issued by regulators, such as the DHCS Policy Letter 24-03, to implement required training, keep provider directories current with gender-affirming providers, and report TGI-related complaints. In addition, remain alert for further instructions from regulators and prepare to incorporate the required standards.
LOOKING AHEAD
When SB 923 was initially debated, some stakeholders opposed the legislation based on religious liberty and rights of conscience grounds, arguing that SB 923’s training mandates amount to unconstitutional compelled speech. However, a recent decision by the US District Court for the Central District of California in Khatibi v. Hawkins suggests that courts may uphold SB 923 as a form of government speech. The case involved a challenge to the implicit bias training requirement because some CME lecturers felt that their First Amendment rights were being violated. The court observed that “[s]tate-mandated curriculum requirements for CME courses necessary for state licensure constitutes government speech because when physicians . . . choose to teach CME courses for credit, they ‘speak for the state.’” (Khatibi v. Hawkins, No. 2:23-cv-06195-MRA-E, 2024 WL 3802523 (May 2, 2024)). The matter is currently under appeal to the US Court of Appeals for the Ninth Circuit.
CONCLUSION
SB 923 represents continued efforts by California toward ensuring that TGI patients receive respectful, informed, and affirming healthcare. With CME requirements already in effect and a range of new mandates, including system-wide training for health plans, updated provider directories, complaint tracking, and eventual quality standards, entities face a multifaceted compliance landscape. DHCS Policy Letter 24-03 and DMHC APL 24-018 provide clarity and actionable guidance, and both reflect the recommendations issued by the Transgender, Gender Diverse, or Intersex Working Group convened under SB 923’s mandate. Formal regulations under SB 923 will be adopted by July 1, 2027, but as the February and March 2025 deadlines approach, stakeholders should proactively implement training, update administrative practices, maintain transparent patient engagement, and follow the newly issued DHCS and DMHC directives.
UK Government Publishes Consultation on Proposals to Reduce the Threat of Ransomware Attacks
On January 14, 2025, the UK government opened a consultation seeking views on three proposals aimed at reducing the threat of ransomware attacks. The government intends to introduce legislation to counter ransomware attacks focusing on three key proposals:
Proposal 1: A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure, that are regulated, or that have competent authorities. Critical National Infrastructure in the UK is comprised of 13 sectors including chemicals, defense, energy, finance, food, health and water. The UK government believes that breaking the cycle of paying ransomware demands is “essential to disrupting the ransomware business model.”
Proposal 2: A ransomware payment prevention regime that would require any victim of ransomware (that is not subject to the prohibition of payment under Proposal 1) to engage with the authorities and report their intention to make a ransomware payment before paying threat actors. Authorities would provide guidance and support to the victim, including with respect to potential non-payment resolution options. Information provided through reports and/or further engagement could be used to further intelligence supporting operational activity and contributing to major investigations.
Proposal 3: A ransomware incident reporting regime for suspected victims of ransomware, which would apply irrespective of any intention to pay the ransom. Through the consultation process, the UK government is considering whether this obligation should be subject to a threshold.
The consultation closes on April 8, 2025.
Massachusetts Expands Oversight of Private Equity Investment in Healthcare: Key Takeaways from House Bill 5159 Signed into Law by Governor Healey
On January 8, 2025, Massachusetts Governor Maura Healey signed House Bill 5159 (“H.5159”) into law, marking a notable expansion of the regulation of private equity investments within the Massachusetts healthcare sector. The legislation, set to take effect on April 8, 2025, introduces new measures to enhance transparency and accountability in healthcare transactions, focusing specifically on private equity firms, real estate investment trusts (“REITs”), and management services organizations (“MSOs”). This development also reflects a broader trend across the nation of increasing scrutiny of healthcare transactions and investments by private equity firms and other investors, as highlighted in our previous blog series on California’s Assembly Bill 3129.[i]
Key Provisions of H.5159
The enactment into law of H.5159 increases oversight of healthcare transactions in Massachusetts in several ways:
1. Expanded Definition of Material Changes Requiring Notice to the Massachusetts Health Policy Commission and Potential for Further Delays to Closing
Pre-existing Massachusetts law mandates that healthcare providers and provider organizations, including physician practices, healthcare facilities, independent practice associations, accountable care organizations, and any other entities that contract with carriers for the payment of healthcare services, with more than $25 million in Net Patient Service Revenue[ii] in the preceding fiscal year must submit a Material Change Notice (“MCN”) to the Massachusetts Health Policy Commission (“HPC”), Center for Health Information and Analysis (“CHIA”), and Office of the Attorney General at least 60 days prior to a proposed “material change” involving such entity.
Before H.5159 was enacted, the definition of “material change” already encompassed several types of transactions involving healthcare providers and provider organizations with more than $25 million in Net Patient Service Revenue, requiring them to submit an MCN to the Massachusetts HPC, CHIA, and Office of the Attorney General. These include:
A merger, acquisition, or affiliation between a healthcare Provider and an insurance carrier;
A merger, acquisition, or affiliation involving a hospital or hospital system;
Any acquisition, merger, or affiliation that results in an increase of $10 million or more in annual net patient service revenue, or grants the Provider or Provider Organization near-majority market share in a specific service or geographic area;
Clinical affiliations between two or more Providers or Provider Organizations with annual net patient service revenue of $25 million or more, excluding affiliations solely for clinical trials or medical education purposes; and
The formation of new entities such as joint ventures, MSOs, or accountable care organizations that contract with insurers or other administrators on behalf of healthcare Providers.
H.5159 notably broadens the definition of “material change” to include also:
Transactions involving a Significant Equity Investor that result in a change of ownership or control of a Provider or Provider Organization;
“Significant” acquisitions, sales, or transfers of assets, including, but not limited to, real estate sale-leaseback arrangements;
“Significant expansions” in a Provider or Provider Organization’s capacity;
Conversion of nonprofit Providers or Provider Organizations to for-profit entities; and
Mergers or acquisitions of Provider Organizations that will result in the Provider Organization having a dominant market share in a service or region.
The term “Significant Equity Investor” is broadly defined to include: (i) any private equity firm holding a financial interest in a Provider, Provider Organization, or MSO; and (ii) any investor, group of investors, or entity with ownership of 10% or more in such organizations. The definition specifically excludes venture capital firms solely funding startups and other early-stage businesses.
While the law expands the definition of “material change” to encompass the categories listed above, it does not explicitly define what constitutes a “significant acquisition,” “significant expansion,” or “change of ownership or control.” As of now, these terms are left to be clarified by the HPC through further regulation and guidance. Stakeholders should monitor future regulatory updates from the HPC to understand the specific thresholds for these types of transactions.
If the HPC determines within 30 days of receiving a complete MCN that a “material change” may significantly affect Massachusetts’ ability to meet healthcare cost growth benchmarks or impact market competition, the HPC can initiate a Cost and Market Impact Review (“CMIR”). This process requires detailed submissions from transaction parties and significantly extends the transaction timeline to close a deal.
The amended law also enhances the HPC’s information-gathering capabilities, authorizing the HPC to request detailed data on Significant Equity Investors, including financial data and capital structure information. Additionally, the HPC can now monitor and collect information on post-transaction impacts for up to five years following a material change. While nonpublic information submitted to the HPC remains confidential, the filed MCN and the completed CMIR report will be publicly available on the HPC’s website.
Although the HPC cannot directly prohibit a transaction or impose conditions, it can refer its CMIR findings to the Massachusetts Attorney General, Massachusetts Department of Public Health (“DPH”), or other state agencies for further action.
2. Investors May be Called as Witnesses at Annual Public Hearings
H.5159 authorizes the HPC to assess the impact of Significant Equity Investors, healthcare REITs, and MSOs on healthcare costs, prices, and cost trends. HPC is empowered to call a representative sample of these investors to testify at its annual public hearings under oath. The Attorney General may intervene in these hearings, ensuring rigorous oversight and accountability.
3. Annual Financial Reporting Requirements
Certain Provider Organizations are already required to register with the HPC (“Registered Provider Organizations”) and submit annual reports to the CHIA. To be subject to the registration requirement, a provider organization must meet at least one of the following criteria: (a) annual net patient service revenue from private carriers or third-party administrators of at least $25 million in the prior fiscal year; (b) a patient panel of more than 15,000 over the past 36 months; or (c) classification as a risk-bearing provider organization, regardless of revenue or panel size. This includes, but is not limited to, physician organizations, independent practice associations, accountable care organizations, and provider networks.
H.5159 expands reporting obligations for Registered Provider Organizations to include detailed information about the Registered Provider Organization’s Significant Equity Investors, healthcare REITs, and MSOs. It also clarifies that Registered Provider Organization financial statements must cover parent entities’ out-of-state operations and corporate affiliates. Additionally, the amended law authorizes the state to require quarterly submissions from Registered Provider Organizations with private equity involvement. These submissions may include audited financial statements, structure charts, margins, investments, and relationships with investor groups. Organizations must also report on costs, annual receipts, realized capital gains and losses, accumulated surplus, and reserves. The HPC will monitor prior transactions and investments for up to five years and notify organizations of future reporting deadlines as needed.
4. Penalties for Noncompliance with Reporting Requirements
H.5159 imposes stricter penalties for failing to submit required financial reports. Entities missing reporting deadlines may face fines of up to $25,000 per week after a two-week grace period, with no annual penalty cap. This is a substantial increase from prior penalties, which were capped at $50,000 annually.
5. Expanded Authority for the Attorney General
The Massachusetts Attorney General is authorized to review and analyze any information submitted to CHIA by a provider, provider organization, Significant Equity Investor, health care REIT, MSO or payer. The Attorney General may compel such entities to produce documents, answer interrogatories, or provide testimony under oath concerning healthcare costs, cost trends, and the relationship between provider costs and payer premiums.
The Attorney General may disclose such information during HPC annual public hearings, rate hearings before the Division of Insurance, and legal proceedings because the law deems such information to be in the public interest.
6. Expanded Massachusetts False Claims Act Liability
H.5159 amends the Massachusetts False Claims Act (the “MA FCA”), which is broader in scope than the Federal False Claims Act, to expand liability to entities holding an “ownership or investment interest” in a person or entity violating the MA FCA. Specifically, private equity owners and other investors who are aware of a violation and fail to report and remedy it within 60 days of discovery may be held liable. The law codifies this expanded accountability, explicitly including investor groups among those who can be held responsible for untimely reporting violations. Additionally, the amendments clarify the Attorney General’s authority to issue civil investigative demands to healthcare entities and investor groups.
Notable Exclusions from Earlier Proposals
H.5159 reflects several compromises that were made during the legislative process, resulting in a more moderate version compared to earlier proposals. The process began in May 2024 with the introduction of House Bill 4653, followed by Senate Bill 2871 in July 2024.[iii] Senate Bill 2871 included stricter requirements than those in House Bill 4653, but lawmakers struggled to reconcile the differences before the legislative session deadline on July 31, 2024. This stalemate led to renewed efforts in December 2024, which ultimately resulted in the passage of H.5159.
While H.5159 carries forward many of the provisions from the earlier bills, it also removes certain measures that stakeholders had identified as too burdensome, as outlined below. These exclusions include:
Restrictions on Practice Ownership and Clinical Decision Making: provisions explicitly codifying restrictions on healthcare practice ownership and prohibiting MSOs or other healthcare entities from exerting control over clinical decisions were omitted.
Boundaries Between MSOs and Physician Practices: H.5159 also excludes specific boundaries that were previously proposed to regulate the relationship between physician practices and MSOs, including restrictions on MSOs exerting ultimate control over the finances of healthcare practices and limitations on stockholders’ ability to transfer, alienate, or exercise discretion over their ownership interests in the practices.
Maximum Debt-to-EBITDA: A provision that would have allowed the Massachusetts HPC to set a maximum debt-to-EBITDA ratio for provider organizations with private equity investors was removed from the final bill that was signed into law.
Bond Requirements for Private Equity Firms: H.5159 does not include the previously proposed requirement that private equity firms deposit a bond with the DPH when submitting an MCN, including when acquiring a provider organization.
Conclusion
The passage of H.5159 represents a pivotal moment in Massachusetts’ efforts to regulate investment in health care. It also reflects, however, a compromise that did not impose even more stringent requirements that were set to impact providers, provider organizations, and investors.
Investors, including private equity firms, and healthcare providers and provider organizations, will need to adapt to the enhanced oversight mechanisms and implement more thorough due diligence practices to ensure transparency and avoid penalties for non-compliance. Pre-transaction, this includes ensuring thorough documentation and proactive engagement with regulatory authorities. Post-transaction, entities must implement systems to track and report required financial and operational data accurately and on time.
As H.5159 takes effect, we will continue to monitor and report on any further regulatory updates, particularly those concerning the HPC’s development of regulations to implement this law.
FOOTNOTES
[i] Update: Governor Newsom Vetoes California’s AB 3129 Targeting Healthcare Private Equity Deals | Healthcare Law Blog (sheppardhealthlaw.com), published October 2, 2024, Update: AB 3129 Passes in California Senate and Nears Finish Line | Healthcare Law Blog (sheppardhealthlaw.com), published September 6, 2024, California’s AB 3129: A New Hurdle for Private Equity Health Care Transactions on the Horizon? | Healthcare Law Blog (sheppardhealthlaw.com), published April 18, 2024, and Update: California State Assembly Passes AB 3129 Requiring State Approval of Private Equity Healthcare Deals | Healthcare Law Blog (sheppardhealthlaw.com), published May 30, 2024.
[ii] Net Patient Service Revenue refers to revenue received for patient care from third-party payers, net of contractual adjustments, with distinctions depending on the type of Provider or Provider Organization. For hospitals, it must comply with Massachusetts General Laws Chapter 12C, Section 8, requiring standardized reporting of gross and net revenues, including inpatient and outpatient charges, private sector charges, payer mix adjustments, and revenue from additional services. For other providers and provider organizations, it includes all revenue from third-party payers, prior-year settlements, and premium revenue (per-member-per-month payments for comprehensive healthcare services). 950 CMIR 7.00.
[iii] See our prior blog for background on Senate Bill 2871: Massachusetts Senate Passes Bill to Increase Oversight of Private Equity Healthcare Transactions | Healthcare Law Blog
Cybersecurity Executive Order—Key Implications for the Manufacturing Industry
On January 16, 2025, President Joe Biden issued the “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” a comprehensive directive designed to address the growing complexity and sophistication of cyber threats targeting the United States. The Executive Order aims to establish a cohesive national strategy for improving cybersecurity across federal agencies, private businesses, and critical infrastructure sectors. The Executive Order governs a wide array of critical issues, including new cybersecurity standards for federal contractors, enhanced public-private information sharing, the promotion of advanced technologies like quantum-resistant cryptography and artificial intelligence (AI), and the imposition of sanctions on foreign cyber actors. The Executive Order’s initiatives demonstrate a commitment to strengthening the nation’s cybersecurity defenses in a rapidly evolving digital landscape and incorporate approaches generally understood as best practices to enhance cybersecurity.
To further advance the initiatives outlined in the order, the Cybersecurity and Infrastructure Security Agency (CISA), a key federal entity responsible for coordinating national efforts to safeguard critical infrastructure, expanded on the directive with detailed implementation frameworks and additional guidance. CISA’s involvement underscores its crucial role in operationalizing the Executive Order and transforming its policy directives into actionable strategies. Through collaboration with industry leaders, technology innovators, and government stakeholders, CISA has addressed specific challenges, including adopting quantum-resistant cryptography, deploying artificial intelligence in cybersecurity defenses, and improving public-private information-sharing mechanisms. These efforts emphasize fostering innovation, enhancing resilience, and protecting the nation’s digital ecosystem from emerging threats. By building on the Executive Order, CISA seeks to bridge the gap between policy objectives and on-the-ground cybersecurity practices, ensuring that the nation’s cybersecurity posture evolves in tandem with the rapidly changing threat landscape.
The transition of the presidency to President Donald Trump on January 20, 2025, has led to questions about the future of the Biden Executive Order. Historically, President Trump has favored deregulation and, during his first term, repealed several executive orders issued by previous administrations. The possibility of modification or repeal of the Executive Order is particularly significant for the manufacturing sector, which is both a critical component of the U.S. economy and a frequent target of cyberattacks.
The purpose of this guide is three-fold. First, it examines the key elements of the existing Executive Order. Next, it explores the potential modifications that the Trump administration may implement. Finally, it provides guidance tailored to manufacturing companies for navigating this evolving regulatory and threat environment, building on previous related resources published by Foley & Lardner and the Cybersecurity Manufacturing Innovation Institute (CyManII), which are referenced at the end of this alert.
Key Provisions of the Executive Order and their Impact on Manufacturing
Minimum Cybersecurity Standards for Federal Contractors
A central provision of the Executive Order mandates baseline cybersecurity measures for federal contractors. These include securing access to critical systems and data using multi-factor authentication (MFA), incorporating endpoint detection and response (EDR) tools to monitor, detect, and respond to cybersecurity threats, and using encryption to protect sensitive data both in transit and at rest.
Manufacturers supplying goods or services to the federal government must adhere to these cybersecurity standards to maintain their eligibility for governmental contracts. For many companies, this may require substantial investments in upgrading systems, adopting new technologies, and training personnel. Non-compliance could lead to the loss of profitable federal contracts and potential reputational damage.
Enhanced Public-Private Information Sharing
The Executive Order directs federal agencies to enhance mechanisms for sharing threat intelligence with private-sector entities. This collaboration aims to provide timely and actionable insights to help businesses defend against emerging cyber threats.
This initiative benefits the manufacturing sector as it is a primary target for ransomware attacks and intellectual property theft. Access to real-time threat intelligence allows manufacturers to identify vulnerabilities, respond swiftly to incidents, and mitigate risks more effectively. A ransomware incident plan focused on manufacturing can be found here: Ransomware Playbook.
Transition to Quantum-Resistant Cryptography
The Executive Order highlights the urgent need to adopt quantum-resistant cryptographic algorithms to tackle the long-term threat arising from advancements in quantum computing. As manufacturing increasingly incorporates digital technologies and interconnected systems, safeguarding proprietary designs, supply chain data, and other sensitive information is essential to business. Early adoption of quantum-resistant encryption may provide a competitive advantage and safeguard critical assets against existing and future threats. Guidelines for approaching quantum-resistant cryptography are available from NIST and the first post-quantum encryption standards are found here.
Leveraging AI for Cybersecurity
The Executive Order promotes the use of AI-driven cybersecurity tools to identify and counter advanced cyber threats in real time. AI is potentially transformative for the manufacturing sector because it can automate threat detection and response strategies. AI is also a proven tool for minimizing operational disruptions, protecting intellectual property, and ensuring the integrity of production lines. The pilot programs outlined in the Executive Order could serve as a model for broader adoption across the industry. AI may significantly accelerate the detection and mitigation of cyber-attacks, an area under development by CyManII.
Sanctions on Foreign Cyber Actors
The Executive Order grants the federal government the authority to impose sanctions on individuals and entities responsible for cyberattacks targeting U.S. organizations. Sanctions serve as a deterrent against state-sponsored cyberattacks and industrial espionage. For manufacturers, this provision provides an extra layer of protection and highlights the government’s commitment to safeguarding critical industries.
Potential Changes Under the Trump Administration
Deregulation of Cybersecurity Standards
President Trump’s emphasis on minimizing regulatory burdens may result in a rollback of the cybersecurity requirements in the Executive Order. This could shift the responsibility for implementing robust cybersecurity measures from the federal government to individual companies.
Focus on Supply Chain Resiliency
Based on the criticality of U.S. manufacturing and its role in global competitiveness and economic stability, we anticipate President Trump will issue guidance on securing supply chain resiliency to enhance the productivity of U.S. manufacturers. We will monitor these anticipated changes and publish future alerts as applicable.
Reprioritization of Cybersecurity Initiatives
While the current Executive Order emphasizes quantum-resistant cryptography and AI, the Trump administration might focus first on immediate cybersecurity challenges and delay longer-term solutions that require significant investment.
Reduced Emphasis on Public-Private Collaboration
Changes to information-sharing initiatives could decrease government support for private-sector cybersecurity efforts, which may compel manufacturers to seek alternative sources of threat intelligence.
Selective Sanctions Enforcement
A more selective approach to sanctions could change the deterrent effect on foreign cyber actors, potentially raising the risk of targeted attacks on U.S. manufacturing companies.
Guidance for Manufacturing Companies
Given the uncertainty surrounding the future of the Executive Order, manufacturers must adopt a proactive approach to cybersecurity. Below are actionable steps to enhance resilience:
Strengthen Core Cybersecurity Measures
Adopt Industry Best Practices: Ensure the deployment of MFA, EDR, and encryption on all critical systems.
Secure Operational Technology (OT): Safeguard industrial control systems (ICS) and other OT components essential to manufacturing operations.
Conduct Regular Assessments: Regular audits can help identify vulnerabilities and prioritize remediation efforts.
Invest in Employee Training: Over 80% of ransomware and other cyber-attacks can be traced to the “human in the loop.” Thus, cybersecurity training is a solid investment to protect your company and its operations.
Monitor Regulatory Developments
Stay Informed: Stay informed about updates to the Executive Order and other relevant cybersecurity policies.
Engage Legal Counsel: Consult legal and compliance experts to assess the potential impact of policy changes on your business operations.
Invest in Advanced Cybersecurity Technologies
Explore AI Solutions: Leverage AI tools for predicting threats, identifying anomalies, and automating incident responses.
Transition to Quantum-Resistant Cryptography: Start planning cryptographic upgrades to protect sensitive data from emerging threats.
Collaborate with Industry Peers: Participate in forums and consortia to exchange best practices and establish standardized cybersecurity protocols.
Secure the Supply Chain
Evaluate Vendor Risks: Perform comprehensive cybersecurity assessments of suppliers and third-party partners.
Develop Redundancy Plans: Identify critical supply chain dependencies and develop contingency plans to mitigate potential disruptions.
Encrypt Communications: Safeguard data transfers throughout the supply chain to minimize the risk of interception.
Build Robust Incident Response Plans
Establish Comprehensive Protocols: Develop incident response plans tailored to manufacturing-specific threats, such as ransomware attacks on production systems. An example of industry guidance and template is available in CyManII’s Ransomware Preparation Guide: Prevention, Mitigation, and Recovery for Manufacturers.
Train Employees: Provide ongoing cybersecurity training to improve awareness and minimize human error.
Test and Refine Plans: Perform regular simulations to assess the effectiveness of response strategies and implement necessary adjustments.
Final Thoughts
The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” highlights the urgent need for robust cybersecurity measures, particularly within the manufacturing sector, which is vital to national security, economic stability, and global competitiveness. This sector faces an increasing number of sophisticated threats, including ransomware attacks, vulnerabilities in the supply chain, and intellectual property theft. While the future of the Executive Order under the Trump administration is uncertain, manufacturers cannot afford to delay action. Cyber-attacks on manufacturers will continue to rise in volume and sophistication over the coming years. Proactive measures such as implementing advanced security technologies, strengthening supply chain defenses, and keeping abreast of regulatory changes are essential for mitigating risks and ensuring operational continuity.
Furthermore, adhering to strict cybersecurity standards allows manufacturers to secure federal contracts, establish trust with stakeholders, and gain a competitive edge in the market. As potential changes to the Executive Order could lead to a fragmented regulatory landscape—spanning federal, state, and international levels—manufacturers must prepare for diverse compliance requirements. By prioritizing cybersecurity, the manufacturing sector not only safeguards its critical assets and processes but also reinforces its vital role in driving economic growth and technological innovation.
About CyManII
Launched in 2020 by the U.S. Department of Energy, CyManII works across the manufacturing industry, research and academic institutions, and federal government agencies to develop technologies that enable the security and growth of the U.S. manufacturing sector.
Additional information on cybersecurity risks faced by manufacturers can be found in prior articles authored by Foley & Lardner and CyManII, including:
Recommendations for Managing Cybersecurity Threats in the Manufacturing Sector
So, You Think of Cybersecurity Only as a Cost Center? Think Again.
CyManII also contributed to this article.