CMS Releases the Proposed 2027 Medicare Advantage and Part D Rules
Last week, the Centers for Medicare & Medicaid Services (CMS) released its proposed Contract Year 2027 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, and Medicare Cost Plan Program (Proposed 2027 Rules).
As is common for the annual proposed rules, the Proposed 2027 Rules cover a broad range of topics. In the last few years, the agency has lost multiple legal cases challenging the validity of its rules and/or how it implements its rules – it has lost cases relating to Star Ratings, its updated marketing and communications rules that were adopted for 2025, and most recently, the risk adjustment extrapolation rule. The Proposed 2027 Rules broadly touch on all of these regulatory areas. In its very brief summary of the Proposed 2027 Rules, CMS also highlights changes to Part D drug coverage, the enrollment process, and special needs plans. The Proposed 2027 Rules also include multiple Requests for Information (RFI). Below are some initial takeaways.
Star Ratings
With the Proposed 2027 Rules, CMS explains that its aim is to simplify and refocus on the Star Ratings system. It proposes to refocus the measure set on clinical care, outcomes, and patient experience measures where plans have not topped out performance and believes that decreasing the number of measures will allow more focus on the measures that remain, including those aligned with the Make America Healthy Again initiative. Specifically, CMS is seeking to remove 12 measures: seven focused on operational and administrative performance, three focused on the process of care, and two focused on patient care experience. CMS also does not intend to move forward with the Health Equity Index rewards under the Star Ratings program. As discussed below, CMS is also seeking interested parties’ thoughts on the quality bonus payment system that is driven by Star Ratings.
Marketing and Communications
The Proposed 2027 Rules include both proposed changes to the Medicare Advantage and Part D rules addressing marketing and communications and an RFI relating to this area. For regulatory changes, CMS proposes changes to the definition of third-party marketing organizations (TPMOs) and changes to rules regarding translations, enrollment verification, and the use of testimonials, among other things. CMS requests that interested parties provide information regarding ways to modernize the agency’s marketing oversight that will help reduce the general burden, but at the same time ensure beneficiaries continue to receive accurate information. CMS is specifically interested in finding ways that it can take appropriate actions against TPMOs that are “bad actors” in a manner that does not hinder organizations that are operating appropriately.
Risk Adjustment
CMS proposed changes to the permissible uses for risk adjustment data. Historically, CMS has been limited in the ways that it can use risk adjustment data, and many of those permitted uses were adopted in regulation. The Proposed 2027 Rules propose to remove the enumerated permitted uses and instead recognize CMS’s ability to more broadly use and release the data to government entities and external parties. CMS specifically states that “CMS does not believe the statute restricts our use of risk adjustment data.” The proposed changes also allow risk adjustment data to be released prior to reconciliation, much more broadly than the current rules. CMS intends to continue to protect beneficiary confidentiality. CMS does not directly address the court decision that invalidated its extrapolation methodology.
IRA
Over 25% of the Proposed 2027 Rules address the many changes that aim to fully implement the redesign of Medicare Part D that was adopted in the Inflation Reduction Act (IRA). Similar to past years, many of the changes that CMS is proposing have been previously introduced through sub-regulatory guidance over the last few years. Some of the changes include formally sunsetting the Coverage Gap Discount Program, further implementing the Manufacturer Discount Program, clarifications regarding medical loss ratio, and changes relating to amounts that accrue towards TrOOP.
Reporting and Data Simplification
CMS is exploring ways that current Medicare reporting obligations can be simplified. Some of the referenced considerations would appear to reduce the burden on Medicare Advantage organizations and Part D plan sponsors, and others aim to reduce the burden on the agency. CMS gives examples of reporting obligations relating to provider networks, medical loss ratios, the utilization of benefits, and special needs plans’ models of care. CMS is specifically looking for ways that the reporting can be streamlined, potentially through the use of automated data sharing and different technology solutions that would make the import and use of the data less burdensome.
Very Broad RFI
The Proposed 2027 Rules include a broad RFI regarding the future direction of the Medicare Advantage program and specifically focus on risk adjustment and quality bonus payments. The agency is looking for ways to improve the program and positively impact the following areas: data transparency, beneficiaries’ ability to select the best plan for them, overall quality, enhance competition, reduce fraud, waste and abuse, and generate taxpayer savings.
A Look at Current Healthtech VC Trends
There is some good news in the healthtech space, with PitchBook’s new Emerging Tech Research showing a rebound in venture capital (VC) funding for the sector. Startups in this space raised an impressive $3.9 billion in Q3 of this year. While this was a bit lower than the previous two quarters, it was enough to move the YTD total ahead of 2024 values. According to PitchBook, this signals a strong rebound for healthtech.
Below is an overview of some key takeaways from the report and trends to watch in the healthtech sector.
Increase in Deal Volume and Size
There was a slight increase in deal volume, up 12% over the previous quarter. The analytics, operations, and telehealth segments were standouts, with each bringing in more than $800 million in funding. Even with the elevated deal count, median healthtech VC deal size still hit a record of $7.7 million, an indication that higher valuations are leading to larger deal size.
A Mixed Report on Exit Activity
While there was a sharp increase in exits in Q3 (a record of 42), the total exit value came in at $200 million. PitchBook correlates this gap between exit count and value to the significant number of acquisitions of smaller, early-stage startups. There were also no major IPOs in the sector this quarter, and their analysts are not expecting to see any other major healthtech listings as we wrap up the year. However, they are tracking several as we move into 2026.
The Continued Impact of AI
As with many other sectors, artificial intelligence (AI) continues to define healthtech. One of the areas that is quickly expanding in terms of commercial use is ambient scribes. These AI-powered tools listen to conversations between patients and providers and generate clinical notes. This is already being adopted across the healthcare space, from physicians’ offices to large health systems, demonstrating a strong demand for these kinds of AI solutions. AI-driven revenue cycle management (RCM) vendors were also a focus for investors. These tools help to reduce claim denials and improve cash flow for healthcare providers.
PitchBook notes that AI adoption for this sector is mostly on the provider side, rather than the payor side, and providers are already “realizing meaningful AI-driven revenue gains” as they deploy these tools. They do expect payors to increasingly utilize AI tools in the future as they seek to identify overpayments and make prior-authorization workflows more efficient.
This sector is expected to gain significant attention as we enter the new year and the adoption of AI grows increasingly prevalent. Notable advancements have the potential to reshape the industry, and investors are likely prepared to support technologies that will drive the future of healthcare.
Illinois Becomes the First State to Regulate the Use of AI Mental Health Therapy Services
In early August, Illinois enacted the Wellness and Oversight for Psychological Resources Act (HB 1806, or the “Act”), making it the first state to pass a law regulating the use of AI[1] in the delivery of therapy and psychotherapy services. The Act, which took immediate effect, imposes guardrails on the use of AI to provide decision-making therapeutic support services, but permits the use of AI for administrative and supplementary tasks, subject to certain consent requirements. This blog post summarizes the Act and addresses its potential implications for the use of agentic AI by Illinois therapy providers.
Scope of the Act
Under the Act, only licensed professionals may provide, advertise, or otherwise offer therapy or psychotherapy in Illinois.[2] A “licensed professional” includes any individual who is licensed in Illinois to provide therapy or psychotherapy, such as clinical psychologists, social workers, professional counselors, and marriage and family therapists.[3] The Act addresses three categories of AI-supported services: (i) administrative support; (ii) supplementary support; and (iii) independent therapeutic decision-making or therapeutic communication.
Permitted Uses of AI in Therapy Services
The Act allows Illinois licensed professionals to use AI to provide administrative support, such as scheduling appointments, processing insurance and billing claims, and drafting general communications related to therapy logistics that do not include therapeutic advice.[4] Additionally, such professionals may continue to use AI to provide supplementary support, such as maintaining client records including therapy notes, analyzing anonymized data to track client progress, and identifying referrals.[5] However, if a client session is recorded or transcribed, the Act requires licensed professionals to obtain written consent from clients to use AI for supplementary support.[6] The client or their legally authorized representative must be informed in writing that AI will be used and the specific purpose of the AI tool or system.[7] The written consent must be affirmative and unambiguous – a general terms of use agreement (e.g., a general consent to treatment form) incorporating information about the use of AI is insufficient to establish consent under the Act.[8]
Prohibited Uses of AI in Therapy Services
Most significantly, the Act prohibits the use of AI to: (i) make independent therapeutic decisions; (ii) directly provide therapeutic communication to clients; (iii) generate therapeutic recommendations or treatment plans without review and approval by the licensed professional; or (iv) detect emotions or mental states.[9] “Therapeutic communication” is defined broadly, to include “any verbal, non-verbal, or written interaction conducted in a clinical or professional setting that is intended to diagnose, treat, or address an individual’s mental, emotional, or behavioral health concerns.”[10] Any individual, corporation, or entity found to be in violation of the Act will be subject to a civil penalty of up to $10,000 per violation, and may be subject to an investigation by the Illinois Department of Financial and Professional Regulation.[11] The Act also specifies that therapy or psychotherapy records may not be disclosed except as required under the Mental Health and Developmental Disabilities Confidentiality Act.[12]
Implications for Agentic AI
Agentic AI – autonomous AI systems capable of performing a wide range of tasks, including providing lab results, recognizing emotions and mental health concerns, and even contacting emergency services if a user is in crisis – is being deployed in therapy and psychotherapy practices across the country. The Act’s prohibition on independent therapeutic decision-making by AI poses challenges for providers and businesses looking to use agentic AI in Illinois to recognize and act upon a user’s mental health status. Providers and businesses using this technology will need to ensure that their agentic AI’s capabilities do not fall under independent therapeutic decision-making or therapeutic communication. Moreover, businesses will need to obtain clear and affirmative written consent from clients to use these tools for supplementary support tasks. While agentic AI has immense promise for the future, providers and businesses must ensure their use falls within the bounds of Illinois’s novel restrictions.
FOOTNOTES
[1] The Act references the Illinois Human Rights Act to define “artificial intelligence”: “a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” 775 Ill. Comp. Stat. 5/2-101(M).
[2] HB 1806 § 20(a).
[3] HB 1806 § 10.
[4] HB 1806 § 15(a).
[5] HB 1806 § 10.
[6] HB 1806 § 15(b).
[7] HB 1806 § 15(b).
[8] HB 1806 § 10.
[9] HB 1806 § 20(b).
[10] HB 1806 § 10.
[11] HB 1806 § 30.
[12] HB 1806 § 25.
Key Takeaways from the Life Sciences Investment Forum 2025
On November 13, 2025, the Life Sciences Investment Forum brought together more than 180 leaders in the life sciences investment community for a day of dynamic conversations and strategic insights. Top decision-makers shared emerging trends and opportunities, how they’re navigating market headwinds, and what they expect for the industry in 2026 and beyond. Below are four takeaways from the discussions.
Growth is the dominant narrative and the key valuation driver
Across biopharma, private equity (PE), and public markets, growth was repeatedly emphasized as the most important factor for valuation, fundraising, and multiple expansion.
Large-cap pharma has driven most recent market value expansion, fueled by demand for large-population therapies (e.g., GLP-1s).
Investors expect outsized returns for companies with predictable, rapid top-line growth.
“Keep your eye on the top line” emerged as the #1 message to investors heading into 2026.
Structural headwinds are mounting: Policy, pricing pressure, and healthcare costs
Regulation – not science – will be the primary gating factor in investment decisions over the next 12 to 24 months:
Healthcare spending outpacing gross domestic product (GDP) is pushing pressure for cost controls.
Most Favored Nation (MFN) pricing, drug price negotiations, and reimbursement shifts are creating real concern for biotech P&Ls, driving the need for tight forecasting and clean data.
As transitions at the US Food and Drug Administration (FDA) are affecting predictability, companies must plan for worst-case regulatory scenarios and establish multiple backup plans.
Early-stage is taking center stage – and rising costs are accelerating the shift
A scarcity of late-stage, commercial-ready assets—combined with escalating clinical and manufacturing costs—is pushing investors and strategics further upstream. This environment is driving:
Intense competition and high valuations for Phase 1 and 2 “best-in-class” assets.
Pipeline “herding,” especially in oncology, as buyers converge on similar early plays.
More programmatic mergers and acquisitions (M&A) and “shots on goal” earlier in the pipeline, particularly as Big Pharma seeks to fill looming patent-cliff gaps.
Greater reliance on structured and synthetic royalty financing as equity remains expensive and uncertain pricing environments make long-duration capital harder to commit.
AI is no longer optional, it’s becoming foundational across the value chain
Artificial intelligence (AI) brings transformational promise, but investors are demanding proof of utility and robust data infrastructure, not just “AI-enabled” labels:
AI tools have the potential to transform domains across the life sciences value chain.
For AI to succeed, the data training and retraining models needs to be highly curated and fit for purpose and investors need to carefully interrogate the adequacy of the data
Regulatory friction and clinical validation remain among the biggest development, deployment and adoption barriers.
Healthcare Preview for the Week of- December 1, 2025 [Podcast]
First Day of the Last Month
The end of the calendar year is a month away, and the continuing resolution under which Congress approved funding for most of the government ends on January 30, 2026.
We will be watching for signals of an “outbreak of cooperation,” particularly around the Affordable Care Act (ACA) enhanced premium tax credits, which are set to expire December 31, 2025. There is currently no sign of a bipartisan deal. Senate Republicans have hinted at possible alternatives to extending the tax credits, but it is unclear whether there is enough support among Republicans to initiate bipartisan negotiations. It is also unclear whether President Trump will choose to insert himself again after congressional Republicans nixed the administration’s attempt last month before it was even formally proposed.
The Senate Committee on Health, Education, Labor, and Pensions will meet Wednesday on the broad topic of healthcare affordability, which will provide another avenue to publicly discuss the pending expiration of the ACA enhanced premium tax credits. The conversation may mirror the November 19, 2025, Senate Committee on Finance hearing on the rising cost of healthcare, where committee Democrats and two of the witnesses argued that extending the tax credits this month is essential before considering potential long-term solutions.
On Monday evening, the House passed HR 4313, the Hospital Inpatient Services Modernization Act. The bill, passed under suspension of the rules (which requires the support of two-thirds of the House), would extend the Acute Hospital Care at Home program for five years. We will watch to see whether the Senate decides to take it up via unanimous consent. If not, the legislation may be included in negotiations around the January 30, 2026, expiration of the government funding package, which also includes health extenders such as the hospital at home program extension.
In the administration, the Centers for Medicare & Medicaid Services (CMS) announced the ACCESS (Advancing Chronic Care with Effective, Scalable Solutions) Model today. The model is intended to test “an outcome-aligned payment approach designed to give people with Original Medicare new options to improve their health and prevent and manage chronic disease with technology-supported care.” Many groups that have participated in the White House healthcare and technology ecosystem initiative will attend a private event with CMS on Thursday to discuss the model and any other Innovation Center models announced this week.
The Medicare Payment Advisory Committee will also meet on Thursday and Friday for the first time since missing meetings during the government shutdown.
Although we typically focus on previewing the week ahead, we wanted to draw your attention to a few rules the administration released last week that you may have missed because of the Thanksgiving holiday. On November 25, 2025, CMS issued a proposed rule that would make policy and technical changes to the Medicare Advantage and Part D programs for 2027 and beyond. CMS announced the agreed-upon maximum fair prices for 15 drugs selected for the 2027 Medicare Drug Price Negotiation Program. On November 28, 2025, the calendar year 2026 home health final rule, which forecasts plans for competitive bidding, was posted for public inspection.
Today’s Podcast
In this week’s Healthcare Preview podcast, Debbie Curtis and Rodney Whitlock join Maddie News to discuss the congressional calendar for this week and the rest of the year, including upcoming suspensions and hearings, and ongoing discussions of the enhanced Advance Premium Tax Credits.
Federal Court Holds That Button-Click Data from Public Website Can Disclose Patient Status in Violation of the ECPA
In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025). However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On the balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.
ECPA and HIPAA Background
The ECPA imposes criminal and civil liability on persons who “intentionally intercept[] . . . any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a), (4); § 2520. A party is not liable under the ECPA unless they intercept the communication “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State,” such as disclosing individually identifiable health information in violation of HIPAA. § 2511(2)(d). HIPAA criminalizes “knowingly . . . disclos[ing] individually identifiable health information to another person.” 42 U.S.C. § 1320d-6(a)(3). Individually identifiable health information includes “any information” that “is created or received by a health care provider” and “relates to the past, present, or future physical or mental health or condition of an individual, [or] the provision of healthcare to an individual” and “identifies the individual” or “with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” § 1320d(6).
Plaintiff’s Allegations
Plaintiff alleges that the University of Chicago Medical Center (UCMC) disclosed her individually identifiable health information and therefore violated HIPAA, subjecting UCMC to liability under the ECPA. UCMC operates a non-profit hospital network and maintains a public website to communicate with patients. Patients can log in to UCMC’s MyChart patient portal from its public website.
In her Complaint, Plaintiff claims that UCMC deploys third-party computer code from Meta Platforms on its public website. Every time a patient clicks on a page within UCMC’s public website, the collection tools link the patient’s identity to the communication and transmit the data to Meta for commercial use. The tools capture and transmit a website visitor’s IP address, Facebook ID, cookie identifiers, device identifiers, and account numbers, among other things.
Clicks on the login button for the MyChart patient portal from the public website are captured in this button-clicking data transmitted to Meta as well. Plaintiff claims that UCMC disclosed her individually identifiable health information when it transmitted that she used UCMC’s website to log in to the MyChart patient portal, revealing her status as a patient at UCMC. Plaintiff also alleges that UCMC disclosed her individually identifiable health information by disclosing her visit to UCMC’s “find-a-physician” page and by disclosing general information about the webpages she viewed related to her medical providers, conditions, and treatments.
Court Denies UCMC’s Motion to Dismiss, finding that UCMC Disclosed Individually Identifiable Health Information
The court denied Defendant’s Motion to Dismiss, holding that the plaintiff plausibly alleged that UCMC intentionally intercepted her communications with UCMC’s public website. The court held that Plaintiff’s act of clicking the login button on the public website for the MyChart patient portal sufficiently identified her as a patient. The act of clicking “login” on the public website, when combined with individual identifiers such as an IP address or a Facebook ID, can reveal patient status, qualifying as individually identifiable health information and falling within the ambit of HIPAA. Although UCMC argued that Meta’s data collection tools were not installed on the MyChart portal itself, the court found the presence of data collection tools on the public website alone were enough to identify Plaintiff as a patient.
The court limited its holding to the button-click data from the MyChart portal. In finding that Plaintiff did not plausibly allege that UCMC disclosed her individually identifiable health information through the disclosure of the “find-a-physician” click and her general browsing of webpages related to her providers and conditions, the court reasoned that the transmission of this button-click data did not convey individually identifiable health information. The court explained that general information accessed on a publicly accessible website stands in “stark contrast” to patient records, patient status, and medical histories. Plaintiff failed to allege that UCMC disclosed that she accessed information about specific doctors or conditions, breaking the connection between her sensitive medical status and the information actually disclosed. The court emphasized that “what matters is whether the information ‘provides a window into an individual’s medical history.’” Here, mere disclosure of data revealing that Plaintiff clicked and viewed non-specific webpages related to her providers, conditions, and treatments does not amount to individually identifiable health information. The court also denied UCMC’s Motion for Summary Judgment and granted UCMC’s Motion to Strike Plaintiff’s class allegations based on contractual issues.
Ultimately, given the court’s holding regarding the MyChart patient portal button-click data, this decision broadens liability under the ECPA. The disclosure of a single click on a login button on a public website can subject a website operator to ECPA liability because that click can reveal an individual’s patient status. The court also explicitly left the door open for future claims under the ECPA, warning that information collected from a webpage—like clicks related to a patient’s medical providers, conditions, and treatments—could amount to the disclosure of individually identifiable health information if more specifically pled. Although a fact-specific decision, the principles set forth in this opinion will undoubtedly guide consumer privacy litigations going forward.
OSHA Recordkeeping and Reporting Guidance for Employers, Part II: Completing OSHA Forms 301, 300, and 300A
This three-part series on OSHA recordkeeping and reporting provides tips for employers on maintaining compliance with Occupational Safety and Health Administration (OSHA) requirements.
Part I covers the foundational aspects of determining recordability, including the use of OSHA Forms 300, 301, and 300A, and the criteria for recording work-related injuries and illnesses.
Part II, which follows below, offers a step-by-step walkthrough for completing these forms accurately.
Part III details the reporting responsibilities for severe incidents such as fatalities, in-patient hospitalizations, amputations, and loss of an eye, emphasizing the importance of timely and accurate reporting.
The OSHA Form 301 Incident Report captures the who, what, where, when, and how for each recordable case. Employers typically assemble the required information from supervisor reports, employee statements, timekeeping records, medical work‑status notes, workers’ compensation first reports of injury, equipment logs, and job descriptions.
Quick Hits
The OSHA Form 301 Incident Report requires detailed documentation of each recordable case, including the sequence and mechanism of injury or illness, and must be updated if the case outcome changes.
Employers must maintain the OSHA Form 300 Log with unique case numbers, detailed descriptions, and accurate day counts, ensuring privacy for sensitive cases and maintaining separate logs for each establishment.
The OSHA Form 300A Annual Summary must be reviewed, certified by a company executive, posted from February 1 through April 30, and retained for five years, with electronic submission requirements varying by employer size and industry.
Narrative Description
Employers may want to ensure that the narrative objectively describes the sequence and mechanism of injury or illness without speculating about fault, such as noting that the employee slipped on a wet floor in the packaging area after mopping, fell onto the left wrist, and was diagnosed with a non‑displaced distal radius fracture at an urgent care clinic. Employers may also want to identify the treating provider and facility when known and classify the case according to the most severe outcome known at the time, updating if later developments, such as surgery or extended restrictions, change the outcome category or day counts. Where a workers’ compensation first report captures all required fields, it may serve as an equivalent to Form 301 if completed using OSHA’s instructions.
OSHA Form 300
The OSHA Form 300 memorializes each recordable case and relates to the corresponding 301. Each Form 300 should have a unique case number, and include the employee’s name unless it is a privacy concern case, specify the employee’s job title and department, and the date of the incident. The brief case description should mirror the objective tone of the 301 narrative and identify the location, event, and nature of the injury or illness. Employers may want to note that OSHA periodically cites employers for entries that are too vague.
Employers check only the most severe outcome column known at the time—death; days away; job transfer or restriction; or other recordable case—and enter day counts beginning the day after the incident, using calendar days and capping totals at 180 per case. If a provider recommends days away and the employee works anyway, the Log reflects the recommended days; if an employee stays out longer than medically indicated, the Log reflects only the recommended period. For multi‑establishment employers, each establishment keeps its own Log, and cases are recorded on the Log for the establishment where the employee normally works, with special attention to traveling or temporary assignments. The caveat to this guidance is that geographically close operations can be included on a single Log.
Privacy concern cases require heightened care on the Log. Employers must omit the employee’s name and enter “privacy case” in the name field, ensure the case description conveys cause and severity without disclosing identity, and maintain a separate confidential list that ties case numbers to employee names. Employers must also maintain a sharps injury log if required under the Bloodborne Pathogens Standard, 29 C.F.R. § 1910.1030, which can be satisfied by the OSHA Form 300, provided that the type and brand of device are recorded and records are maintained in a way that segregates sharps cases.
OSHA Form 300A Annual Summary
The OSHA Form 300A Annual Summary aggregates totals and must be reviewed, certified, posted, and, in many instances, electronically submitted. Employers may want to verify each Log entry is complete and accurate, total each column, and calculate the average number of employees and the total hours worked for the year using payroll and HRIS data. A company executive—an owner, a corporate officer, the highest‑ranking official at the establishment, or that official’s direct supervisor—must certify the 300A. Employers must post the certified 300A in a conspicuous location from February 1 through April 30, and they must retain all three forms for five years. During that retention period, the Log must be updated if case outcomes change; the 301 and 300A do not require updating after year‑end.
Electronic submission obligations encompass three regimes that are size‑ and industry‑specific and must be checked annually. Employers with 250 or more employees that are required to keep records must submit 300A data annually by March 2. Employers with 20 to 249 employees in designated industries must also submit 300A data annually by March 2. Beginning with 2023 data due March 2, 2024, and continuing thereafter, certain establishments in designated high‑hazard industries with one hundred or more employees must submit case‑level data from Forms 300 and 301 annually in addition to the 300A. OSHA’s coverage is set by NAICS‑based lists and may be updated over time. As a practical matter, employers may want to confirm their establishments’ NAICS codes and status each January, especially after acquisitions, divestitures, or significant changes in operations.
Employers strengthen reliability and defensibility by building a disciplined internal process around the seven‑day recording window and periodic reconciliations. A practical approach includes a standard intake checklist, immediate retrieval of provider work‑status notes, monthly reconciliation of recommended restrictions and days away with the Log, and a January close process that resolves ambiguous cases before 300A certification. Employers may want to document rationales for work‑relatedness and new‑case determinations, particularly for home‑office injuries, preexisting conditions, and exception scenarios, and retain the basis for resolving conflicting medical opinions.
Key Takeaways
Recordkeeping and reporting are related but distinct obligations. A case may require rapid reporting to OSHA even before all facts are known, and reporting never replaces the duty to evaluate recordability and update the Log and 301.
The 2026 OPPS Final Rule: Hospitals Now at a Decision Point Regarding Drug Acquisition Cost Survey
The 2026 Outpatient Prospective Payment System (OPPS) final rule (the Final Rule), released by the Centers for Medicare and Medicaid Services (CMS) on 21 November 2025 places hospitals, especially 340B covered entities, in a quandary. Under OPPS, hospitals are currently paid for separately payable drugs at average sales price (ASP) plus 6%. CMS has previously sought to reduce that reimbursement, specifically targeting 340B covered entities, but the American Hospital Association (AHA) and others successfully overturned that policy at the Supreme Court (American Hospital Association v. Becerra). The Final Rule reflects CMS’s next attempt to achieve the same result. Specifically, while the Supreme Court faulted CMS’s payment cuts to 340B covered entities due to the lack of a statutorily mandated drug acquisition cost survey, CMS has now finalized plans to conduct such a survey. The question for hospitals is whether to complete that survey. CMS does not reference statutory tools that permit it to penalize hospitals that opt not to complete the survey but instead has resorted to saber-rattling, devising other ways to potentially reduce reimbursement to nonresponding hospitals not explicitly found within the statute itself. Thus, hospitals need to compare the consequences of volunteering to take the survey, on the one hand, with the probable consequences of declining to take the survey, on the other, and then decide if they will complete it or forego it.
CMS’s Policy Is Governed by the Applicable Statute
When CMS determines the rate for separately payable drugs in its annual rulemaking, the OPPS statute gives CMS two options for setting these rates:
The agency can conduct a survey of hospitals’ drug acquisition costs and set reimbursement rates taking the survey into account; for this option, reimbursement rates may vary by hospital group.
Absent a survey meeting specific statutory requirements, CMS must set reimbursement rates based on “the average price” charged by manufacturers for the drug as calculated and adjusted by CMS; for this option, reimbursement rates may not vary across different hospital groups.
If CMS chooses to conduct a drug acquisition cost survey, the statute requires the survey include “a large sample of hospitals that is sufficient to generate a statistically significant estimate of the average hospital acquisition cost for each [covered drug].” CMS may then vary reimbursement rates by hospital group based on “relevant characteristics,” upon “taking into account the hospital acquisition cost survey data.”
Reduced OPPS Reimbursement Rates for 340B Hospitals
Historically, CMS has not conducted the required OPPS survey, and, prior to 2018, CMS reimbursed all hospitals for OPPS drugs based on ASP plus 6%. On 13 November 2017 however, CMS issued the 2018 OPPS final rule, reducing the reimbursement rate for OPPS-covered drugs to ASP minus 22.5% for 340B covered entities. CMS did not conduct a survey in implementing the new 340B-specific reimbursement rates, resulting in a challenge by AHA and others. On 15 June 2022, in American Hospital Association v. Becerra, the US Supreme Court unanimously held that the 340B covered entity-specific rate was unlawful because CMS was required to conduct a valid acquisition cost survey before targeting 340B hospitals for reduced reimbursement. American Hospital Association v. Becerra, 596 U.S. 724 (2022). To remedy the unlawful cuts, CMS paid a lump sum to bring previously adjudicated claims to the lawful ASP plus 6% reimbursement rate and has reimbursed all 340B hospital claims at ASP plus 6% moving forward.
OPPS Survey Confirmed for Calendar Year 2026
The 2026 OPPS Final Rule confirms that CMS intends to vary OPPS drug reimbursement across certain hospital groups by conducting the survey mandated by statute. CMS indicates it is not limiting the survey to varying reimbursement based on 340B status alone and includes examples of other characteristics that may be used to vary reimbursement (i.e., hospital size, location, urban vs. rural status, and teaching hospital status). CMS intends for the survey to be completed in time to inform reimbursement rates for the 2027 OPPS rule.
CMS is aware that hospitals are considering whether to respond to the survey. CMS agrees that the statute itself does not mandate specific consequences on hospitals for failing to respond but nevertheless believes that the statute implicitly imposes the obligation on hospitals to complete the survey. To avoid a situation where hospitals rationally decide not to take on the burden of completing the survey, CMS resorts to what could only be described as threatening nonresponders. CMS claims that the lack of a response is still “meaningful data” that can drive payment decisions. For example, CMS might take failure to respond to the survey as confirmation that a hospital does not have meaningful additional costs, and, as such, the hospital’s drug costs should not be paid separately but rather should be packaged into the payment for the associated service. Another potential alternative CMS is considering is to attribute to such a hospital the lowest acquisition cost reported by a similarly situated hospital. CMS has also suggested that it might look at supplemental data from other sources, even though there is no provision in the statute for such an approach. Ironically, CMS’s consideration of supplemental information exclusively when setting the ASP minus 22.5% rate was a main factor considered by the Supreme Court in the American Hospital Association v. Becerra decision. CMS has suggested that it would be premature, however, to commit to a specific penalty for failure to complete the survey until the survey process is completed.
Some may find it hard to square CMS’s proposed penalties with the text of the statute. The statute requires CMS to “tak[e] into account the hospital acquisition cost survey data” when setting the payment rate for separately payable drugs. When CMS discerns “relevant characteristics” in data that help explain correlations, CMS can vary reimbursement for a specific group. A nonresponding hospital, in contrast, demonstrates the absence of data, from which no pattern can be discerned. Arguably, opting not to respond is more properly viewed as an “action” and not a “characteristic.” Many hospitals may conclude that, just as with American Hospital Association v. Becerra, CMS is likewise interpreting the statute to reach an outcome, rather than adhering to the statute’s plain meaning. Yet hospitals must also keep in mind that nothing prevents CMS from implementing a policy that is ultimately unlawful, resulting in the imposition of penalties for some period of time until a court overturns any policy that exceeds CMS’s statutory authority.
Hospitals Face a Difficult Choice
Notwithstanding all of CMS’s protestations to the contrary, completing the survey will require significant effort. A lot of the work required cannot be automated and will be manual, given the pervasive nature of lagged discounts, and will require intricate calculations. For 340B covered entities, there is additionally the fear that the data will be used to cut much-needed reimbursement. A rational hospital might opt not to participate if it did not believe that there would be significant negative consequences. The issue a hospital will face is determining what its peers will do. If the response rate is below what is statistically necessary, then the plain meaning of the statute does not allow CMS to use the data to revise its payment policies. However, each hospital will need to decide if it individually is willing to risk the potential consequences CMS set forth in the Final Rule for not responding. In other words, CMS has created a “prisoner’s dilemma.” Each hospital will need to decide whether to minimize its own exposure to the proposed negative consequences by responding or take a chance that the survey is invalidated by an industrywide inadequate response rate.
Some actions available to hospitals will be:
Respond fully;
Disregard the survey; or
Respond to the survey only to state that the hospitals’ costs are not minimal, but that the hardships in responding preclude the full response CMS is seeking. By doing so, the hospital could thwart CMS’s objective of attributing zero cost to a nonresponding hospital.
Of course, most hospitals will not consider this to be an easy decision. Hospitals, especially 340B covered entities, should consult with their advisors and peers to make the decision that is most appropriate for them.
Trump’s Executive Order on AI and Pediatric Cancer Creates New EB-2 NIW Opportunities
On September 30, 2025, President Donald J. Trump signed the Executive Order “Unlocking Cures for Pediatric Cancer with Artificial Intelligence,” establishing AI-driven pediatric cancer research as a national priority. The Order directs federal agencies and private partners to accelerate research and empower clinicians and researchers with the tools to translate data into improved diagnoses, treatment, and cures.
In the context of U.S. immigration policy, this development opens new opportunities for professionals seeking classification under the EB-2 National Interest Waiver (NIW) and other employment-based categories. By affirming the national importance of work in AI, medical research, data science, and biotechnology, the Order provides strong policy support for applicants seeking to demonstrate eligibility under the EB-2 NIW.
Understanding the Executive Order
Pediatric cancer remains the leading cause of disease-related death among children in the United States, with incidences increasing significantly over the past four decades. Traditional treatment has seen limited progress, highlighting the need for new and innovative approaches.
To address this, the Executive Order calls for the use of artificial intelligence to drive advancements in pediatric cancer care. It builds on federal efforts, such as the Childhood Cancer Data Initiative (CCDI), which collects and integrates pediatric cancer data to accelerate breakthroughs, and it encourages greater collaboration between public and private sectors.
The Order mobilizes agencies, including the Department of Health and Human Services (HHS), National Institutes of Health (NIH), and the Make America Healthy Again (MAHA) Commission to accelerate AI-driven medical research and infrastructure.
Key Provisions of the Executive Order
The Order directs federal agencies to:
Invest in AI-Driven Biomedical Innovation: Enhance research infrastructure and accelerate AI integration in cancer data analysis.
Fund Research with National Cancer Institute (NCI)-Designated Centers: Prioritize projects involving predictive analytics, multi-omics research, and therapeutic optimization.
Advance Data Sharing and Interoperability: Improve access to privacy-protected clinical datasets to support research and clinical trial recruitment.
Promote Public-Private Collaboration: Encourage biotechnology firms, digital health companies, and AI startups to contribute tools and solutions.
Strengthen U.S. Leadership in Health Technology: Position the United States as a global center for AI-enabled medical discovery.
How the Executive Order Supports EB-2 NIW Petitions
The EB-2 NIW allows foreign nationals with advanced degrees or exceptional ability to self-petition for permanent residency without requiring an employer sponsor or labor certification. Petitioners must demonstrate that their work serves the national interest of the United States. In recent years, the “national importance” element has become the area USCIS most consistently challenges in these petitions, requiring substantial documentation and strategic argumentation to overcome increased scrutiny.
The new Executive Order provides a new, powerful avenue to define the national importance of the work of professionals in AI, Data Science, Oncology Research, Biotechnology, and other related fields. It establishes clear and direct policy evidence that:
AI research and applications in healthcare are strategic national priorities.
Pediatric cancer innovation is a public health objective of the United States.
AI and data science professionals, not only medical doctors, contribute to national healthcare goals.
There is a national interest in attracting and retaining advanced researchers and AI innovators.
Fields Strengthened by the Executive Order
The Executive Order has implications across numerous professional fields, offering a powerful pathway to articulate and align their work with the national policy priority.
Field
Examples
Artificial Intelligence
Machine learning researchers, AI engineers building healthcare tools
Biomedical Research
Cancer biologists, immunotherapy and drug discovery scientists.
Health Data Analytics
Bioinformaticians, clinical data scientists, data architects.
Medical Innovation
Digital diagnostics developers, AI-enabled imaging specialists.
Clinical Practice
Pediatric oncologists, hematology researchers.
Computational Sciences
Predictive modeling experts, cloud computing in healthcare.
Biotechnology
Translational researchers, precision medicine developers.
Professionals in these fields can align their EB-2 NIW petitions with the Executive Order by demonstrating how their work can contribute to advancing AI innovation and data science to improve pediatric oncology diagnostic, treatment and cure in line with the goal of the Order.
EB-2 NIW Strategy: Building a Strong Legal Case
While the Executive Order sets the policy context, working in the implicated fields alone does not automatically establish the requisite national importance. Petitioners must still establish eligibility under the three-prong framework set forth in Matter of Dhanasar: (1) the proposed endeavor has substantial merit and national importance, (2) the petitioner is well positioned to advance the endeavor, and (3) it would benefit the United States to waive the job offer and labor certification requirements.
While the Executive Order provides a favorable policy backdrop for demonstrating national importance of the work related to advancing pediatric oncology care through AI, it is still crucial to present clear and detailed plans and strategies for implementing this work.
Defining a Clear, Specific and Innovative Proposed Endeavor
USCIS frequently denies NIW cases when the proposed endeavor is broad or vague. Under this Executive Order, general statements like “I will use AI to improve cancer research” are not enough. The petitioner must describe a specific, credible plan of work that aligns with the U.S. priorities. Examples include:
Developing AI tools to improve early diagnosis of pediatric brain tumors
Designing predictive analytics to optimize pediatric chemotherapy dosing
Building data platforms facilitating nationwide pediatric cancer trials
Developing machine learning tools for rare childhood cancer genomics
Petitioners should be able to describe what they will do, how they will do it, and why it represents an advancement in a field recognized as a U.S. national priority in a detailed yet concise manner.
Demonstrating Record of Success with a Broad Impact
Recent USCIS trends place increasing emphasis on whether the petitioner has a demonstrated record of success that has contributed to the broader advancement of their field. While the list below does not represent rigid requirements, strong evidence of broad impact may include:
Published, peer-reviewed research demonstrating impact on the field
Adoption or replication of Proven AI or data science models by others in the healthcare field
Roles held in collaborative or interdisciplinary initiatives related to pediatric oncology or AI in healthcare
Presentations or invited talks at conferences
Letters from recognized experts in AI, oncology, or medical research attesting to the influence and the widespread dissemination of the work
Presenting Concrete Plans for Advancing the Proposed Endeavor in the U.S.
USCIS has increasingly focused on the feasibility and scalability of the proposed endeavor. Petitioners must present credible, detailed plans showing how their work will be implemented and scaled within the United States. Examples of strong evidence of concrete plans include:
A clear, step-by-step plan for collaborating with U.S.-based institutions and organizations in the field of developing AI or data solutions to advance oncology research
Letters from institutions and organizations in the field expressing interest in collaborating with you to develop AI solutions that advance oncology research
Specific mechanisms for broad dissemination of your work such as professional presentations and open-source initiatives
Resource support from institutions and organizations demonstrating the feasibility of expanding the work
Recognition by U.S. experts or professional organizations through letters validating your ability to contribute to the advancement of the fields in the United States
Key Takeaways
The Executive Order has explicitly recognized AI-driven innovation and health data modernization as national priorities. In the immigration context, the Order establishes a powerful policy backdrop that opens a new strategic pathway for EB-2 NIW petitioners working at the intersection of medical research, AI and data science by providing a clear framework for demonstrating national importance in these fields.
As the United States advances its leadership in medical innovation, it will increasingly rely on researchers, engineers, physicians, bioinformaticians and technologies capable of delivering measurable impact. The Order’s integration of AI, health data, and biomedical research makes interdisciplinary expertise a strategic advantage, positioning such candidates as valuable to U.S. national interests.
Those developing AI solutions that improve patient outcomes, accelerate cancer discovery, or advance the integration of health data can now benefit from both a national mission and policy environment that recognize the significance of their work.
Employer Protection Against the Safety Responsibilities of Workers with Overseas Activities—Part 2
Tools for Companies to Implement Preventive Measures, Ensuring Compliance With Protection Obligations and Related Responsibilities
The need for worker protection has as reference figures the Head of the Prevention and Protection Service, the occupational health company doctor (OHCD), and the corporate functions that manage the company’s work activity abroad, also making use of qualified external support on the subject of risk assessment, personal safety, or medical emergencies with the need for medical repatriation to Italy.
The ”Travel Risk Management-Guide for Organizations” (ISO 31030:2021), is a key reference for companies operating globally. This standard provides a structured framework for identifying, assessing, and mitigating risks associated with business travel, enabling organizations to take proactive preventive measures and ensure timely action in the event of an incident or emergency.
ISO 31030 is the essential guide outlining the critical factors to be considered in both risk analysis and the planning and implementation of prevention and management strategies.
This configures in travel risk management (TRM), a process resulting from a clear and detailed understanding of the factors that can influence the dynamics of risk management, broadly divided into two categories: so-called “external” risks and “internal” risks.
“External” risks include: the political, socioeconomic, religious, and legal environment of the destination country; the level of crime; the quality and reliability of transportation and communications; environmental factors; potential health risks; and the quality of the healthcare and housing system. “Internal” risks include: types of business travel; technical and human resources available for risk management; internal processes; corporate governance; organizational structure, roles, and responsibilities.
The path indicated by TRM enables companies to have detailed policies to define corporate strategies for (i) TRM and adoption of procedures for risk prevention and mitigation; (ii) definition of roles and responsibilities, as well as staff training programs. In this way, a clear corporate system of reference is built, enabling the company to protect the health and safety of its employees during missions abroad.
In these activities, the company profiles that manage safety and health protection, provided for by Legislative Decree 81/08—RSPP, OHCD, dedicated company functions—can avail themselves of consulting support from public or private facilities of proven competence and professionalism, which assist them in the assessment and management of risks related to working abroad.
A further application tool is represented by the September 2024 Guidelines of the Italian Society of Occupational Medicine (SIML), which focus on the articulated and specific aspects of health protection of Italian workers abroad and the mention of application tools that enable companies to fulfill their regulatory obligations punctually.
The “Professional Orientation Document for the Competent Physician: Practical-Management Aspects for Workers Abroad” represents a milestone in harmonizing scientific knowledge and experience and makes available indications on the health protocols to be adopted, consistent with international best practices and the company’s protection needs.
The document provides the health contribution to the process of risk assessment for work activity in critical geographical areas, highlighting the relevance of factors that can determine damage to the health of the worker working in that context and absent in the national territory (climate, infection vectors, general hygienic conditions). This is the aspect that requires the employer to extend its position of guarantee even regarding the “specific” risks of working abroad and, ultimately, to integrate the prevention measures adopted in the national territory of Italy.
The perimeter outlined by ISO 31030 and the SIML Guidelines makes available to employers and safety professionals the compliance parameters to be followed to structure an effective TRM policy aimed at minimizing travel-related health and safety risks for workers. These parameters are now commonly recognized internationally and represent a solid reference for the company to assess liability in case of litigation.
From Country Risk Assessment to Workers Health Surveillance: Implementation of the TRM Plan and Application Model
The risk assessment for working abroad, supported by the methodological indications of the SIML guidelines and ISO 31030, considers the geographical area and the country of destination with all its variables (climate, infection vectors, level of health care, geopolitical stability) and thus defines the so-called “country risk.” It follows with a progressive pathway for the health surveillance of personnel i.e., periodic medical checks according to country- or destination-specific health protocols, based on the parameters identified by the risk assessment.
It is necessary to identify within the company, with the support of the OHCD, functions of reference for the management of expatriate workers, which allow to manage the organization of the “TRM prevention system”, as suggested by the International Labor Office back in 1985.
Footnotes
ISO 31030:2021 guidelines;
Italian Society of Occupational Medicine Guideline: “Professional Orientation Document for the Competent Physician: Practical-Management Aspects for Workers Abroad” – 2024;
Proceedings of the 86th National Congress of Occupational Medicine – Pisa 2024, Italian Journal of Occupational Medicine and Ergonomics (GIMLE) 253–254.
Dr. Vincenzo Nicosia and Professor Paolo Bianco contributed to this article
The CCPA and Automated Decision-Making Technologies (ADMT)
As artificial intelligence (AI), particularly generative AI, becomes increasingly woven into our professional and personal lives—from personalized travel itineraries to reviewing resumes to summarizing investigation notes and reports—questions about who or what controls our data and how it’s used are ever present. AI systems survive and thrive on information and that intersection of AI and privacy elevates the need for data protection.
Recent regulations issued by the California Privacy Protection Agency (CPPA) under the California Consumer Privacy Act (CCPA) begin to erect those protections. Among its various provisions, the CCPA now specifically addresses automated decision-making technologies (ADMT), attempting to bring transparency and consumer rights to, among other things, push back on algorithms making significant decisions about them.
As a starting point, it is important to define ADMT. Under the CCPA, it means any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making. For this purpose, “replace” means to make decision without human involvement. To be considered human involvement, a human must:
know how to interpret and use the technology’s output to make the decision;
review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and
have the authority to make or change the decision based on their analysis in (B).
CCPA-covered businesses that use ADMT to make “significant decisions” about consumers have several new compliance obligations to navigate. A “significant decision” is defined as a decision that has important consequences for a consumer’s life, opportunities, or access to essential services. CCPA regulations define these decisions as those that result in the provision or denial of:
Financial or lending services (e.g., credit approval, loan eligibility)
Housing (e.g., rental applications, mortgage decisions)
Education enrollment or opportunities (e.g., admissions decisions)
Employment or independent contracting opportunities or compensation (e.g., hiring, promotions, work assignments)
Healthcare services (e.g., treatment eligibility, insurance coverage)
These decisions are considered “significant” because they directly affect a consumer’s economic, health, or personal well-being.
When such businesses use ADMT to make significant decisions, they generally must do the following:
Provide an opt-out right for consumers.
Provide a pre-use notice that clearly explains the business’s use of ADMT, in plain language.
Provide consumers with the ability to request information about the business’s use of ADMT.
Businesses using ADMT for significant decisions before January 1, 2027, must comply by January 1, 2027. Businesses that begin using ADMT after January 1, 2027, must comply immediately when the use begins.
Businesses will need to examine these new requirements carefully, including how they fit into the existing CCPA compliance framework, along with exceptions that may apply. For example, in the case of a consumer’s right to opt-out of ADMT, a business may not be required to make that right available.
If a business provides consumers with a method to appeal the ADMT decision to a human reviewer who has the authority to overturn the decision, opt-out is not required. Additionally, the right to opt-out of ADMT in connection with certain admission, acceptance, or hiring decisions, is not required if the following are satisfied:
the business uses ADMT solely for the business’s assessment of the consumer’s ability to perform at work or in an educational program to determine whether to admit, accept, or hire them; and
the ADMT works as intended for the business’s proposed use and does not unlawfully discriminate based upon protected characteristics.
Likewise, the right to opt-out of ADMT is not required for certain allocation/assignment of work and compensation decisions, if the business:
uses the ADMT solely for the business’s allocation/assignment of work or compensation; and
the ADMT works for the business’s purpose and does not unlawfully discriminate based upon protected characteristics.
As many businesses are realizing, successfully deploying AI requires a coordinated approach to achieve more than getting the desired output. It includes understanding a complex regulatory environment of which data privacy and security is a significant part.
DOJ Subpoena for Patient Records from Children’s Hospital of Philadelphia Blocked by Federal Court
On November 21, 2025, in a lengthy decision, U.S. District Judge for the Eastern District of Pennsylvania Mark A. Kearney quashed a subpoena issued by the U.S. Department of Justice (DOJ) to Children’s Hospital of Pennsylvania’s Gender and Sexuality Development Program (CHOP) seeking documents:
(1) identifying the names, addresses, and social security numbers of its child patients prescribed puberty blockers and hormone therapy and their families’ identifying information; (2) the child’s medical treatment records including diagnoses; and, (3) describing each child’s informed consent, patient intake, parent or guardian authorization, and use of medicine not approved by the Food and Drug Administration.
CHOP objected to producing “child-patients’ confidential medical records” and moved to quash the subpoena’s request for these three categories of records
The court found that the DOJ:
Offers no basis to compel the Hospital to identify the children (and their families), their treatment records, and disclosures made to them. We further find, even if the information responsive to these three requests is relevant (and thus authorized by Congress for a subpoena), the children’s and their families’ privacy interests in their highly sensitive and confidential medical and psychological treatment in an charged political environment which considers their medical treatment to a radicalized warped ideology far outweigh the Department of Justice’s shifting need for the information specifically identified in the three challenged requests. We grant the Hospital’s motion in part striking the three challenged requests and all information contained in responses to other requests disclosing the same information.
This decision comes on the heels of the actions of other federal judges quashing identical DOJ subpoenas identical to the one issued to Boston Children’s Hospital, and telehealth provider QueerDoc in September and October 2025 respectively. The DOJ has appealed from the Boston Children’s Hospital order but has not yet appealed the QueerDoc order.