2025 Picks Up Steam with Increased Scrutiny of Health Care Transactions and Corporate Structures

A new year brings about new legislation.
Given the recent trend of health care transactions coming under increased scrutiny at the state level, EBG has released its map summarizing states that already have laws regulating health care transactions. As legislatures reconvene around the country, there continues to be regulatory scrutiny of health care transactions and private equity investment in health care. Below is a brief summary of recently proposed legislation.
California
On February 12, 2025, the California Senate introduced SB 351, which is remarkably similar to AB 3129, a bill the EBG team wrote about extensively in 2024 and that Governor Gavin Newsom vetoed in September 2024. The proposed legislation has three key components: (i) it adds new defined terms, including “hedge fund” and “private equity group,” in an attempt to capture all parties involved with Management Service Organizations (“MSOs”) and Dental Service Organizations (“DSOs”); (ii) it provides a list of prohibitions for any “private equity group” or “hedge fund” that is “involved in any manner with a physician or dental practice doing business in the state”; and (iii) it contains a provision that restates existing California law on restrictive covenants and California’s prohibition on restrictions barring a provider from competing with a practice in the event of termination or resignation. Whether this bill advances and is ultimately signed remains unclear. EBG is actively monitoring this legislation.
Connecticut
Connecticut is no stranger to bills targeting private equity in health care and the 2025 legislative session is no different. Below is a brief summary of the proposed bills:

SB 261 – This bill is intended to “limit the ability for private equity firms to purchase medical care facilities and further protect health care clinicians from the corporate practice of medicine.” The bill would impose restrictions on private equity firms’ ability to lease property back to a hospital after purchasing land rights and would also add restrictions that would prevent any direct or indirect interference with a clinician’s independent practice authority and the exercise of their professional judgment.
SB 469 – This bill is intended to “improve public health in the state” by restricting the acquisition of hospitals by private equity firms, prohibiting hospitals from participating in real estate investment trust and requiring physician-led ownership for medical groups and ambulatory surgical centers.
SB 567 – This bill would expand the authority of the state attorney general (“AG”) and Commissioner of Health Strategy to regulate private equity ownership of certain health care facilities and restrict self-dealing property transactions.
SB 837 – This bill is intended to “promote health care industry competition and better health care quality in the state” by amending Connecticut’s material transaction notification statute to require notification of any group practice’s transaction with a private equity company. It also removes the “presumption” in favor of approving certificate of need applications for the transfer of ownership of a large group practice.
HB 6570 – This bill is aimed at preventing the consolidation of health care services by nonmedical entities and safeguarding patient access to quality health care. It would: (i) prohibit a private equity firm from acquiring ownership or control of a health care provider’s practice or health care facility, and (ii) require the administrator of each health care provider practice and health care facility to disclose the ownership structure of the provider or facility.
HB 6873 – This would strengthen the notice requirements that parties to a material change health care transaction must give to the AG, within 60 days instead of 30. The AG shall review the notice, evaluate the transaction’s compliance with antitrust laws, and, if the transaction would not otherwise require a certificate of need, consult with the Office of Health Strategy regarding the effect of the transaction on access, quality, and affordability of health care in the parties’ primary service areas.

Illinois
SB 1998 – Introduced February 6, 2025, this bill, as drafted, would amend the Illinois Antitrust Act, which already requires health care facilities or provider organizations to provide notice to the state AG regarding “covered transactions.” These are defined as mergers, acquisitions, or contracting affiliations between two or more health care facilities or provider organizations not previously under common ownership or contracting affiliation. Under the proposed amendment, the Illinois AG must provide written consent to a covered transaction if a private equity group or hedge fund provides any financing. Notably, under the proposed amendment, only notice is required if the transaction does not include private equity or hedge fund financing.
Indiana
In March 2024, Indiana amended its state law, effective July 1, 2024, to require written notice of health care entities’ mergers and acquisitions (see our prior post). The latest bill, HB 1666, which the Indiana House of Representatives passed on February 13, 2025, would remove the existing $10 million threshold and thereby expand reporting requirements to cover any merger or acquisition between an Indiana health care entity and another health care entity. Under the proposed amendment, the notice would be sent to a statutorily created “merger approval board,” which would retain the ability to approve or deny the proposed transaction subject to criteria detailed in HB 1666. In addition to the notice and approval obligation, HB 1666 would require health care entities to file annual reports and disclose ownership information to specified state agencies. The bill is currently in the Indiana Senate and is expected to pass in some form.
New Mexico
SB 14 – As drafted, this bill would enact the Health Care Consolidation and Transparency Act, which would provide—with a number of exceptions—oversight of mergers and acquisitions and other transactions involving direct or indirect changes of control or assets of health care entities. As drafted, the bill contains notice requirements; would provide for preliminary and comprehensive reviews of proposed transactions by the Office of Superintendent of Insurance; and would require approval, approval with conditions, or disapproval of proposed transactions by that office. The legislation further contains reporting requirements with respect to disclosure of health care entity ownership and control.
New York
In 2023, New York enacted N.Y. Pub. Health Law § 4550-4552 requiring health care entities to submit to the state Department of Health written notice of proposed material transactions, including: (i) the anticipated impact of the material transaction on cost, quality, access, health equity, and competition in the impacted markets; and (ii) any commitments by the health care entity to address anticipated impacts. Governor Kathy Hochul’s 2026 budget proposal (Part S) would amend Section 4552 to strengthen material transaction reporting requirements by changing the notice deadline to 60 days before the closing date of the transaction (as opposed to 30).
The amended law would also require a statement as to whether any party to the transaction (including a controlling person or parent company), owns any other health care entity that within the past three years has closed operations, is in the process of closing operations, or has experienced a substantial reduction in services; and a statement as to whether a sale-leaseback agreement, mortgage or lease, or other payments associated with real estate are a component of the proposed transaction.
The department would conduct a preliminary review of all proposed transactions, which may consist of a full cost and market impact review (“CMIR”). If a CMIR is required, the department may require parties to delay the proposed transaction closing until the CMIR is completed, but in no event shall the closing be delayed more than 180 days from the date of the preliminary review of the proposed transaction. Further, parties to a material transaction would be required to notify the department annually—for a five-year period—of factors and metrics to assess the impacts of the transaction.
Notably, under the Governor’s proposed budget, the changes to N.Y. Pub. Health Law § 4550-4552 would not require Department of Health approval for any material transactions but simply notice consistent with the requirements set forth in the proposed amendment.
Oregon
SB 951 – As drafted, this bill would prohibit an MSO, an individual who works as an independent contractor with an MSO, or a shareholder, director, officer or employee of an MSO from owning or controlling shares in, serving as a director or officer of, being an employee of, working as an independent contractor with, or otherwise managing, directing the management of or participating in managing a professional medical entity with which the MSO has a contract for services. The current draft of the bill specifies what conduct constitutes ownership or control of a professional medical entity; voids noncompetition agreements, nondisclosure agreements, and nondisparagement agreements between certain business entities and medical professionals, with specified exceptions; and prohibits retaliation.
Texas
HB 2747 – As drafted, this bill would require certain health care entities, including providers, facilities, and provider organizations (which include MSOs), to submit notice of material change transactions to the state AG not less than 90 days before the transaction; it would also grant the AG authority to conduct certain related studies on health care markets and to impose civil and administrative penalties.
Vermont
H 71 – Relating to health care entity transaction oversight and clinical decision making, this bill, as drafted, would require health care entities to provide notice to a board and the state AG before entering into certain proposed transactions. The board, in consultation with the AG, would review, approve, approve with conditions, or disapprove the proposals. The measure would also: 1) prohibit corporations from practicing medicine or otherwise interfering with health care providers’ professional judgment and clinical decision making, and 2) require public reporting on ownership and control of certain health care entities.
Washington
HB 1881/SB 5704 – This legislation would enhance requirements regarding notice for material changes to the operations and governance structure of participants in the health care marketplace.
SB 5387 – As drafted, this bill would generally prohibit the corporate practice of health care by deeming it unlawful for an individual, corporation, partnership, or other entity without a license to practice a health care profession, own a health care practice, employ licensed providers, etc. The current version of the bill sets forth requirements for licensed health care providers establishing and owning a health care practice and limits certain activities of shareholders, directors, or officers of a health care practice; it also generally prohibits those without a license from interfering with or controlling the professional judgment or ultimate clinical decisions of a licensed health provider in various settings. It also sets forth conditions constituting unprofessional conduct by license holders.
Massachusetts
HB 5159 – As EBG wrote in January 2025, Massachusetts recently passed a sweeping health care market oversight bill that takes effect April 8, 2025. Among other things, HB 5159 extends the authority of the state’s Health Policy Commission (“HPC”) regarding Notices of Material Change to indirect owners and affiliates of health care providers, such as private equity companies, significant equity investors, MSOs, and health care REITs. The law also broadens the transactions that are subject to the HPC’s Material Change requirements to include: (i) significant expansions in capacity of a provider or provider organization; (ii) transactions involving a significant equity investor resulting in a change of ownership or control of a provider or provider organization; (iii) real estate sale lease-back arrangements and other significant acquisitions, sales, or transfers of assets; and (iv) conversions of a provider or provider organization from a nonprofit to a for-profit. The HPC will be authorized to require the submission of information from significant equity investors.
Notably, legislation has been introduced in the Massachusetts General Court (SD.1910) that seeks to update the months-old legislation.

The BR Privacy & Security Download: March 2025

STATE & LOCAL LAWS & REGULATIONS
Virginia Legislature Passes Bill Regulating High-risk AI: The Virginia legislature passed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). Using a similar approach to the Colorado AI Act passed in 2023 and California’s proposed regulations for automated decision-making technology, the Act defines “high-risk AI systems” as AI systems that make consequential decisions, which are decisions that have material legal or similarly significant effects on a consumer’s ability to obtain things such as housing, healthcare services, financial services, access to employment, and education. The Act would require developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would be required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The bill is currently with Virginia Governor Glenn Youngkin, and it is unclear if he will sign it. 
Connecticut Introduces AI Bill: After an effort to pass AI legislation stalled last year in the Connecticut House of Representatives, another AI bill was introduced in the Connecticut Senate in February. SB-2 would establish regulations for the development, integration, and deployment of high-risk AI systems designed to prevent algorithmic discrimination and promote transparency and accountability. SB-2 would specifically regulate high-risk AI systems, defined as AI systems making consequential decisions affecting areas like employment, education, and healthcare. The bill includes similar requirements as the Connecticut AI bill considered in 2024 and would require developers to use reasonable care to prevent algorithmic discrimination and provide documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of high-risk AI systems would be required to implement risk management policies, conduct impact assessments before deployment of high-risk AI systems, disclose AI system use to consumers, and provide opportunities for appeal and correction.
New York Governor Signs Several Privacy Bills: New York Governor Kathy Hochul signed a series of bills expanding compliance obligations for social media platforms, debt collectors who use social media platforms, and dating applications. Senate Bill 895B—effective 180 days after becoming law—requires social media platforms operating in New York to post terms of service explaining how users may flag content they believe violates the platform’s terms. Senate Bill 5703B—effective immediately—prohibits the use of social media platforms for debt collection purposes. Senate Bill 2376B—effective 90 days after becoming law—expands the scope of New York’s identity theft protection law by including in its scope the theft of medical and health insurance information. Finally, Senate Bill 1759B—effective 60 days after becoming law—requires online dating services to notify individuals who were contacted by members who were banned for using a false identity, providing them with specific information to help users prevent being defrauded. Importantly, the New York Health Information Privacy Act, which would significantly expand the obligations of businesses that may collect broadly defined “health information” through their websites, has not yet been signed.
California Reintroduces Bill Requiring Browser-Based Opt-Out Preference Signals: For the second year in a row, the California Legislature has introduced a bill requiring browsers and mobile operating systems to provide a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser or mobile operating system. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with the ability to opt out of the sale or sharing of their personal data, including through an opt-out preference signal. AB 566 would amend the CCPA to ensure that consumers have the ability to do so. AB 566 requires the opt-out preference signal setting to be easy for a reasonable person to locate and configure. The bill further gives the California Privacy Protection Agency (“CPPA”), the agency charged with enforcing the CCPA, the authority to adopt regulations to implement and administer the bill. The CPPA has sponsored AB 566.
Virginia Senate Passes Amendments to Virginia Consumer Protection Act: Virginia’s Senate Bill 1023 (“SB 1023”) amends the Virginia Consumer Data Protection Act by banning the sale of precise geolocation data. The bill defines precise location data as anything that can locate a person within 1,750 feet. Introduced by Democratic State Senator Russet Perry, the bill has garnered bipartisan support in the Virginia Senate, passing with a 35-5 vote on February 4, 2025. Perry stated that the type of data the bill intends to ban has been used to target people in domestic violence and stalking cases, as well as for scams. 
Task Force Publishes Recommendations for Improvement of Colorado AI Act: The Colorado Artificial Intelligence Impact Task Force published its Report of Recommendations for Improvement of the Colorado AI Act. The Act, which was signed into law in May 2024, has faced significant pushback from a broad range of interest groups regarding ambiguity in its definitions, scope, and obligations. The Report is designed to help lawmakers identify and implement amendments to the Act prior to its February 1, 2026, effective date. The Report does not provide substantive recommendations regarding content but instead categorizes topics of potential changes based on how likely they are to receive consensus. The report identified four topics in which consensus “appears achievable with additional time,” four topics where “achieving consensus likely depends on whether and how to implement changes to multiple interconnected sections,” and seven topics facing “firm disagreement on approach where creativity will be needed.” These topics range from key definitions under the Act to the scope of its application and exemptions.
AI Legislation on Kids Privacy and Bias Introduced in California: California Assembly Member Bauer-Kahan introduced yet another California bill targeting Artificial Intelligence (“AI”). The Leading Ethical AI Development for Kids Act (“LEAD Act”) would establish the LEAD for Kids Standards Board in the Government Operations Agency. The Board would then be required to adopt regulations governing—among other things—the criteria for conducting risk assessments for “covered products.” Covered products include an artificial intelligence system that is intended to, or highly likely to, be used by children. The Act would also require covered developers to conduct and submit risk assessments to the board. Finally, the Act would authorize a private right of action for parents and guardians of children to recover actual damages resulting from breaches of the law.

FEDERAL LAWS & REGULATIONS
House Committee Working Group Organized to Discuss Federal Privacy Law: Congressman Brett Guthrie, Chairman of the House Committee on Energy and Commerce (the “Committee”), and Congressman John Joyce, M.D., Vice Chairman of the Committee, announced the establishment of a working group to explore comprehensive data privacy legislation. The working group is made up entirely of Republican members and is the first action in this new Congressional session on comprehensive data privacy legislation. 
Kids Off Social Media Act Advances to Senate Floor: The Senate Commerce Committee advanced the Kids Off Social Media Act. The Act would prohibit social media platforms from allowing children under 13 to create accounts, prohibit platforms from algorithmically recommending content to teens under 17, and require schools to limit social media use on their networks as a condition of receiving certain funding. The Act is facing significant pushback from digital rights groups, including the Electronic Frontier Foundation and the American Civil Liberties Union, which claim that the Act would violate the First Amendment.
Business Groups Oppose Proposed Updates to HIPAA Security Rule: As previously reported, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). See Blank Rome’s Client Alert on the proposed rule. A coalition of business groups, including the College of Healthcare Information Management Executives, America’s Essential Hospitals, American Health Care Association, Association of American Medical Colleges, Federation of American Hospitals, Health Innovation Alliance, Medical Group Management Association and National Center for Assisted Living, has written to President Trump and HHS Secretary Robert F. Kennedy, Jr. opposing the proposed rule. The business groups argue that the proposed rule imposes great financial burdens on the healthcare sector, including on rural hospitals, which would divert attention and funds away from other critical areas. The business groups also argue that the proposed rule contradicts Public Law 116-321, which explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the HIPAA Security Rule, by not addressing or incorporating this legal requirement.
National Artificial Intelligence Advisory Committee Adopts List of 10 AI Priorities: The National Artificial Intelligence Advisory Committee (“NAIC”), which was established under the 2020 National Artificial Intelligence Initiative Act, approved a draft report for the Trump administration with 10 recommendations to address AI policy issues. The recommendations cover AI issues in employment, AI awareness and literacy, and AI in education, science, health, government, and law enforcement, as well as recommendations for empowering small businesses and AI governance and supporting AI innovation in a way that would benefit Americans.
CFPB Acting Director Instructs Agency Staff to Stop Work: Consumer Financial Protection Bureau (“CFPB”) Acting Director Russell Vought instructed agency staff to “stand down” and refrain from doing any work. The communication to CFPB employees followed an instruction to suspend regulatory activities and halt CFPB rulemaking. Vought also suspended CFPB’s supervision and examination activities. This freeze would impact the CFPB’s rule on its oversight of digital payment apps as well as the CFPB’s privacy rule that created a right of data portability for customers of financial institutions.

U.S. LITIGATION
First Washington My Health My Data Lawsuit Filed: Amazon is facing a class action lawsuit alleging violations of Washington’s My Health My Data Act (“MHMDA”), along with federal wiretap laws and state privacy laws. The suit is the first one brought under MHMDA’s private right of action and centers on Amazon’s software development kit (“SDK”) embedded in third-party mobile apps. The plaintiff’s complaint alleges Amazon collected location data of users without their consent for targeted advertising. The complaint also alleges that the SDK collected time-stamped location data, mobile advertising IDs, and other information that could reveal sensitive health details. According to the lawsuit, this data could expose insights into a user’s health status, such as visits to healthcare facilities or health behaviors, without users knowing Amazon was also obtaining and monetizing this data. The lawsuit seeks injunctive relief, damages, and disgorgement of profits related to the alleged unlawful behavior. The outcome could clarify how broadly courts interpret “consumer health data” under the MHMDA.
NetChoice Files Lawsuit to Challenge Maryland Age-Appropriate Design Act: NetChoice—a tech industry group—filed a complaint in federal court in Maryland challenging the Maryland Age-Appropriate Design Code Act as violating the First Amendment. The Act was signed into law in May and became effective in October 2024. It requires online services that are likely to be accessed by children under the age of 18 to provide enhanced safeguards for, and limit the collection of data from, minors. In its Complaint, NetChoice alleges that the Act will not meaningfully improve online safety and will burden online platforms with the “impossible choice” of either proactively censoring categories of constitutionally protected speech or implementing privacy-invasive age verification systems that create serious cybersecurity risks. NetChoice has been active in challenging similar Acts across the country, including in California, where it has successfully delayed the implementation of the eponymous California Age-Appropriate Design Code Act.
Kochava Settles Privacy Class Action; Unable to Dismiss FTC Lawsuit: Kochava Inc. (“Kochava”), a mobile app analytics provider and data broker, has settled the class action lawsuits alleging Kochava collected and sold precise geolocation data of consumers that originated from mobile applications. The settlement requires Kochava to pay damages of up to $17,500 for the lead plaintiffs and attorneys’ fees of up to $1.5 million. Among other changes to its privacy practices Kochava must make, the settlement requires Kochava to implement a feature aimed at blocking the sharing or use of raw location data associated with health care facilities, schools, jails, and other sensitive venues. Relatedly, U.S. District Judge B. Lynn Winmill of the District of Idaho denied Kochava’s motion to dismiss the lawsuit brought by the Federal Trade Commission (“FTC”) for Kochava’s alleged violations of Section 5 of the FTC Act. The FTC alleges that Kochava’s data practices are unfair and deceptive under Section 5 of the FTC Act, as it sells the sensitive personal information collected through its Mobile Advertising ID system (“MAIDs”) to its customers, providing customers a “360-degree perspective” on consumers’ behavior through subscriptions to its data feeds, without the consumer’s knowledge or consent. In the order denying Kochava’s motion to dismiss, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the “FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.”
Texas District Court Blocks Enforcement of Texas SCOPE Act: The U.S. District Court for the Western District of Texas (“Texas District Court”) granted a preliminary injunction blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act (“SCOPE Act”). The SCOPE Act requires digital service providers to protect children under 18 from harmful content and data collection practices. In Students Engaged in Advancing Texas v. Paxton, plaintiffs sued the Texas Attorney General to block enforcement of the SCOPE Act, arguing the law is an unconstitutional restriction of free speech. The Texas District Court ruled that the SCOPE Act is a content-based statute subject to strict scrutiny, and that with respect to certain of the SCOPE Act’s monitoring-and-filtering, targeted advertising and content monitoring and age-verification requirements, the law’s restrictions on speech failed strict scrutiny and should be facially invalidated. Accordingly, the Texas District Court issued a preliminary injunction halting the enforcement of such provisions. The remaining provisions of the law remain in effect.
California Attorney General Agrees to Narrowing of Its Social Media Law: The California Attorney General has agreed to not enforce certain parts of AB 587, now codified in the Business & Professions Code, sections 22675-22681, which set forth content moderation requirements for social media platforms (the “Social Media Law”). X Corp. (“X”) filed suit against the California Attorney General, alleging that the Social Media Law was unconstitutional, censoring speech based on what the state sees as objectionable. While the U.S. District Court for the Eastern District of California (“California District Court”) initially denied X’s request for a preliminary injunction to block the California Attorney General from enforcing the Social Media Law, the Ninth Circuit overturned that decision, holding that certain provisions of the law regarding extreme content failed the strict-scrutiny test for content-based restrictions on speech, violating the First Amendment. X and the California Attorney General have asked the California District Court to enter a final judgment based on the Ninth Circuit decision. The California Attorney General has also agreed to pay $345,576 in attorney fees and costs.

U.S. ENFORCEMENT
Arkansas Attorney General Sues Automaker over Data Privacy Practices: Arkansas Attorney General Tim Griffin announced that his office filed a lawsuit against General Motors (“GM”) and its subsidiary OnStar for allegedly deceiving Arkansans and selling data collected through OnStar from more than 100,000 Arkansas drivers’ vehicles to third parties, who then sold the data to insurance companies that used the data to deny insurance coverage and increase rates. The lawsuit alleges that GM advertised OnStar as offering the benefits of better driving, safety, and operability of its vehicles, but violated the Arkansas Deceptive Trade Practices Act by misleading consumers about how driving data was used. The lawsuit was filed in the Circuit Court of Phillips County, Arkansas.
Healthcare Companies Settle FCA Claims over Cybersecurity Requirements: Health Net and its parent company, Centene Corp. (collectively, “Health Net”), have settled with the United States Department of Justice (“DOJ”) for allegations that Health Net falsely certified compliance with cybersecurity requirements under a U.S. Department of Defense contract. Health Net had contracted with the Defense Health Agency of the U.S. Department of Defense (“DHA”) to provide managed healthcare support services for DHA’s TRICARE health benefits program. The DOJ alleged that Health Net failed to comply with its contractual obligations to implement and maintain certain federal cybersecurity and privacy controls. The DOJ alleged that Health Net violated the False Claims Act by falsely stating its compliance in related annual certifications to the DHA. The DOJ further alleged that Health Net ignored reports from internal and third-party auditors about cybersecurity risks on its systems and networks. Under the settlement, Health Net must pay the DOJ and DHA $11.25 million.
Eyewear Provider Fined $1.5M for HIPAA Violations: The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) imposed a $1,500,000 civil money penalty against Warby Parker for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The penalty resulted from a cyberattack involving unauthorized access to customer accounts, affecting nearly 200,000 individuals. An OCR investigation resulted from a 2018 security incident. Between September 25, 2018, and November 30, 2018, third parties accessed customer accounts using usernames and passwords obtained from breaches of other websites, a method known as “credential stuffing.” The compromised data included names, addresses, email addresses, payment card information, and eyewear prescriptions. OCR found that Warby Parker failed to conduct an accurate risk analysis, implement sufficient security measures, and regularly review information system activity.
CPPA Finalizes Sixth Data Broker Registration Enforcement Action: The California Privacy Protection Agency announced that it is seeking a $46,000 penalty against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker, for allegedly failing to register and pay an annual fee as required by the California Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. This action comes following a 2024 data breach in which National Public Data reportedly exposed 2.9 billion records, including names and Social Security Numbers. This is the sixth action taken by the CPPA against data brokers, with the first five actions resulting in settlements.

INTERNATIONAL LAWS & REGULATIONS
First EU AI Act Provisions Become Effective; Guidelines on Prohibited AI Adopted: The first EU AI Act (the “Act”) provisions to become effective came into force on February 2, 2025. The Act’s provisions prohibiting certain types of AI systems deemed to pose an unacceptable risk and rules on AI literacy are now applicable in the EU. Prohibited AI systems are those that present unacceptable risks to the fundamental rights and freedoms of individuals and include social scoring for public and private purposes, exploitation of vulnerable individuals with subliminal techniques, biometric categorization of natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation, and emotion recognition in the workplace and education institutions, unless for medical or safety reasons, among other uses. The new AI literacy obligations will require organizations to put in place robust AI training programs to ensure a sufficient level of AI literacy for their staff and other persons working with AI systems. Certain obligations related to general-purpose AI models will become effective August 2, 2025. Most other obligations under the Act will become effective August 2, 2026.
UK Introduces AI Cyber Code of Practice: The UK government has introduced a voluntary Code of Practice to address cybersecurity risks in AI systems, with the aim of establishing a global standard via the European Telecommunications Standards Institute (“ETSI”). This code is deemed necessary due to the unique security risks associated with AI, such as data poisoning and prompt injection. It offers baseline security requirements for stakeholders in the AI supply chain, emphasizing secure design, development, deployment, maintenance, and end-of-life. The Code of Practice is intended as an addendum to the Software Code of Practice. It provides guidelines for developers, system operators, data custodians, end-users, and affected entities involved in AI systems. Principles within the code include raising awareness of AI security threats, designing AI systems for security, evaluating and managing risks, and enabling human responsibility for AI systems. The code also emphasizes the importance of documenting data, models, and prompts, as well as conducting appropriate testing and evaluation.
CJEU Issues Opinion on Pseudonymized Data: The Court of Justice of the European Union (“CJEU”) issued a decision in a case involving an appeal by the European Data Protection Supervisor (“EDPS”) against a General Court decision that annulled the EDPS’s decision regarding the processing of personal data by the Single Resolution Board (“SRB”) during the resolution of Banco Popular Español SA during insolvency proceedings. The case reviewed whether data transmitted by the SRB to Deloitte constituted personal data. Personal data consisted of comments from parties interested in the proceedings that had been pseudonymized by assigning a random alphanumeric code, as well as aggregated and filtered, so that individual comments could not be distinguished within specific commentary themes. Deloitte did not have access to the codes or the original database. The court held that the data was personal data in the hands of the SRB. However, the court ruled that the EDPS was incorrect in determining that the pseudonymized data was personal data to Deloitte without analyzing whether it was reasonably possible that Deloitte could identify individuals from the data. As a takeaway, the CJEU left open the possibility that pseudonymized data could be organized and protected in such a way as to remove any reasonable possibility of re-identification with respect to a particular party, resulting in the data not constituting personal data under the GDPR.
European Commission Withdraws AI Liability Directive from Consideration; European Parliament Committee Votes to Press On: The European Commission announced it plans to withdraw the proposed EU AI Liability Directive, a draft legislation for addressing harms caused by artificial intelligence. The decision was announced in the Commission’s 2025 Work Program stating that there is no foreseeable agreement on the legislation. However, the proposed legislation has not yet been officially withdrawn. Despite the announcement, members of the European Parliament on the body’s Internal Market and Consumer Protection Committee voted to keep working on liability rules for artificial intelligence products. It remains to be seen whether the European Parliament and the EU Council can make continued progress in negotiating the proposal in the coming year.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.

Warby Parker Settles Data Breach Case with OCR for $1.5M

Eyeglass manufacturer and retailer Warby Parker recently settled a 2018 data breach investigation by the Office for Civil Rights (OCR) for $1.5 million. According to OCR’s press release, Warby Parker self-reported that between September and November of 2018, unauthorized third parties had access to customer accounts following a credential stuffing attack. The names, mailing and email addresses, payment card information, and prescription information of 197,986 patients were compromised.
Following the OCR’s investigation, it alleged three violations of the HIPAA Security Rule, “including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.” The settlement reiterates the importance of conducting an annual security risk assessment and implementing a risk management program.
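The third violation quoted above, the absence of procedures to regularly review records of information system activity, is the one that bears directly on the credential stuffing described in this post and in the enforcement summary earlier on this page. As an added example, not code from the original post, from OCR or from Warby Parker, the Python script below shows what such a review might look like: it parses constructed authentication log lines (the log format, the 10-minute window, the five-distinct-usernames threshold, the usernames and the IP addresses are all assumptions), distinguishes one person retrying a forgotten password from one source cycling through many different accounts, and lists the accounts that logged in successfully from a flagged source so they can be force-reset and notified.

```python
"""Credential-stuffing review over web-application authentication logs.

Added example, not code from the original post, from OCR or from Warby Parker.
The log format, thresholds, usernames and IP addresses below are constructed
assumptions for illustration; adapt parse_log() to your own auth log format.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
# 198.51.100.7 tries seven different accounts in three seconds (stuffing pattern);
# 203.0.113.5 is one user retrying their own password; 192.0.2.9 is ordinary traffic.
SAMPLE_LOG = """\
2018-10-02T03:00:01Z 198.51.100.7 alice LOGIN_FAIL
2018-10-02T03:00:02Z 198.51.100.7 bob LOGIN_FAIL
2018-10-02T03:00:02Z 198.51.100.7 carol LOGIN_OK
2018-10-02T03:00:03Z 198.51.100.7 dave LOGIN_FAIL
2018-10-02T03:00:03Z 198.51.100.7 erin LOGIN_FAIL
2018-10-02T03:00:04Z 198.51.100.7 frank LOGIN_OK
2018-10-02T03:00:04Z 198.51.100.7 grace LOGIN_FAIL
2018-10-02T09:15:00Z 203.0.113.5 alice LOGIN_FAIL
2018-10-02T09:15:20Z 203.0.113.5 alice LOGIN_FAIL
2018-10-02T09:15:45Z 203.0.113.5 alice LOGIN_OK
2018-10-02T10:00:00Z 192.0.2.9 heidi LOGIN_OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user, result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)


def flag_stuffing_sources(events: list[AuthEvent],
                          window: timedelta = timedelta(minutes=10),
                          min_distinct_users: int = 5) -> set[str]:
    """Source IPs that attempted at least `min_distinct_users` different usernames
    inside any `window`-long span. Counting distinct usernames rather than raw
    failures is what separates stuffing from a single user's repeated mistakes."""
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this IP's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.user for e in evs[start:end + 1]}) >= min_distinct_users:
                flagged.add(ip)
                break
    return flagged


def accounts_at_risk(events: list[AuthEvent], flagged_ips: set[str]) -> list[str]:
    """Accounts that logged in successfully from a flagged source: the population
    that needs a forced password reset, session revocation and notification."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged_ips})


def analyze(text: str) -> dict[str, list[str]]:
    """Run the full review and return the two lists a responder acts on."""
    events = parse_log(text)
    flagged = flag_stuffing_sources(events)
    return {"stuffing_sources": sorted(flagged),
            "accounts_at_risk": accounts_at_risk(events, flagged)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample data the review flags 198.51.100.7 as a stuffing source and lists carol and frank as the accounts it actually got into; alice is left alone, because three attempts against one account from one address is a forgotten password, not a stuffing run. The thresholds are the part a real deployment has to tune against its own baseline traffic, and the review only works at all if the authentication system records failed as well as successful logins with their source addresses.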

First Circuit Adopts But-For Causation Standard for Kickback-Premised False Claims Act Actions

On 18 February 2025, the First Circuit Court of Appeals issued its decision in United States v. Regeneron Pharmaceuticals, Inc., determining that “but-for” causation is the proper standard for False Claims Act (FCA) actions premised on kickback and referral schemes under the Anti-Kickback Statute (AKS). This issue has divided circuits in recent years, with the Third Circuit requiring merely some causal connection, and the Sixth Circuit and Eighth Circuit requiring the more defendant-friendly proof of but-for causation between an alleged kickback and a claim submitted to the government for payment. 
This issue has major implications for healthcare providers, pharmaceutical manufacturers, and other entities operating in the healthcare environment. Both the government and qui tam relators have frequently brought FCA actions premised on alleged kickback schemes, and these actions pose significant potential liability. A higher but-for standard for proving causation represents a key tool for FCA defendants to defend against such actions. There is a good chance that the government petitions the US Supreme Court to review the First Circuit’s decision, and, given the growing split, there is certainly a possibility that this becomes the next issue in FCA jurisprudence that finds itself before the high court. 
Background on AKS-Premised FCA Actions and the Growing Circuit Split
To establish falsity in an AKS-premised FCA action, a plaintiff has historically needed to show that the defendant (1) knowingly and willfully, (2) offered or paid remuneration, (3) to induce the purchase or ordering of products or items for which payment may be made under a federal healthcare program. In 2010, Congress added the following language to the AKS at 42 U.S.C. § 1320a-7b(g): “a claim that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of [the FCA].” (Emphasis added). Courts have generally agreed that the AKS, therefore, imposes an additional causation requirement for FCA claims premised on AKS violations. However, courts have been divided on how to define “resulting from” and the applicable standard for proving causation.
In 2018, the Third Circuit was faced with this issue and explicitly declined to adopt a but-for causation standard. Relying on the legislative history, the Third Circuit determined that a plaintiff must demonstrate “some connection” between a kickback and a subsequent reimbursement claim to prove causation.
Four years later, the Eighth Circuit declined to follow the Third Circuit and instead adopted a heightened but-for standard based on its interpretation of the statute. The court noted that the US Supreme Court had previously interpreted the nearly identical phrase “results from” in the Controlled Substances Act to require but-for causation. In April 2023, the Sixth Circuit joined the circuit split, siding with the Eighth Circuit and adopting a but-for causation standard. 
Eyes Turn Toward the First Circuit
In mid-2023, two judges in the US District Court for the District of Massachusetts ruled on this causation issue as it related to two different co-pay arrangements, landing on opposite sides of the split. In the first decision, United States v. Teva Pharmaceuticals USA, Inc., the district court adopted the Third Circuit’s “some connection” standard. The court indicated it was following a prior First Circuit decision—Guilfoile v. Shields—though Guilfoile had only addressed the question of whether a plaintiff had adequately pled an FCA retaliation claim, as opposed to an FCA violation. In the second decision, Regeneron, the district court declined to follow Guilfoile (given Guilfoile dealt with the requirements for pleading an FCA retaliation claim); instead, the district court in Regeneron followed the Sixth Circuit and Eighth Circuit in applying a but-for standard. These dueling decisions set the stage for the First Circuit to weigh in on the circuit split.
First Circuit Adopts But-For Standard
On 18 February 2025, the First Circuit issued its opinion in Regeneron, affirming the district court’s decision and following the Sixth Circuit and Eighth Circuit in adopting a but-for standard. The court first determined that Guilfoile neither guided nor controlled the meaning of the phrase “resulting from” under the AKS. Turning to an interpretation of the statute, the First Circuit noted that “resulting from” will generally require but-for causation, but the court may deviate from that general rule if the statute provides “textual or contextual indications” for doing so. After a thorough analysis of the textual language and its legislative history, the First Circuit concluded that nothing warranted deviation from interpreting “resulting from” to require but-for causation. The court also rejected the government’s contention that requiring proof of but-for causation would be such a burden to FCA plaintiffs that the 2010 amendments to the AKS would have no practical effect.
Notably, the First Circuit made clear that its decision was limited to FCA actions premised on AKS violations under the 2010 amendments to the AKS. The court distinguished such actions from FCA actions premised on false certifications, where a plaintiff asserts that an FCA defendant has falsely represented its AKS compliance in certifications submitted to the government.
Takeaways

The growing confusion and disagreement among district and circuit courts over this issue, coupled with the issue’s import to FCA jurisprudence, creates the potential that this could be the next FCA issue decided by the US Supreme Court.
Until this split is resolved, FCA practitioners must pay close attention to the choice of venue for AKS-premised FCA actions.
But-for causation presents an important tool for FCA defendants in AKS-premised FCA actions. But-for causation may allow a defendant to argue that even if it had acted with an intent to induce referrals, no actual referrals resulted from the conduct, which would allow a defendant to avoid FCA liability altogether. Alternatively, but-for causation may allow a defendant to argue that FCA damages are lower than the total referrals made where the plaintiff is unable to prove all referrals “resulted from” the improper arrangement.
While this is a significant win for FCA defendants, its impact may be somewhat limited for FCA actions that are not premised on AKS violations. It also remains to be seen whether the government and relators will begin bringing FCA actions premised on alleged false certifications of compliance with the AKS (rather than solely relying on an alleged AKS violation itself).

The firm’s Federal, State, and Local False Claims Act practice group practitioners will continue to closely monitor developments on this issue, and we are able to assist entities operating in the healthcare environment that are dealing with AKS-premised FCA actions.

Nonprofit Health Care Mergers – Introduction: With Complexity Comes Opportunity

In the evolving health care landscape, mergers between nonprofit health care organizations are becoming increasingly common. Mergers are often driven by a combination of economic factors, the need to improve quality and efficiency of care, and the desire to create value for patients and communities. As the first post in our nonprofit merger series, we will explore why nonprofit health care entities may consider a merger, analyze the economic pressures influencing such decisions, and discuss the structures of nonprofit transactions, including the differences between member substitutions and true mergers. Forthcoming posts in this series will examine the unique due diligence concerns, regulatory approvals, and financing arrangements involved in nonprofit health care mergers.
The Economic Drivers of Nonprofit Health Care Mergers
1. Cost Efficiency and Scale Economies
It is not unusual to find multiple nonprofit health care organizations serving the same or similar patient community in a given market or region. Although competition within a for-profit industry may be seen as beneficial for consumers, most nonprofit health care organizations are competing for the same sources of government funding and/or charitable donations for their capital needs, which can weaken or inhibit the impact of their work both individually and in the aggregate.
As a result, overlapping nonprofits may realize significant economies of scale and make a substantially greater impact by joining forces and centralizing their efforts through a merger. By combining their operations, two organizations can reduce duplicative costs in areas such as administration, technology, and supply chain management. For example, by consolidating back-office functions such as human resources, billing, and procurement, a merged entity can lower its operational expenses and redirect those savings into improving patient care and expanding services. For smaller entities in particular, the cost of implementing advanced medical technology or transitioning to new electronic health record (EHR) systems can be prohibitive. By merging, organizations may be better equipped to absorb these costs and ensure their long-term financial sustainability.
2. Increased Bargaining Power with Payers and Third Parties
Another economic factor is the increased leverage that a larger health care organization has when negotiating with insurance companies and other payors. Together, a merged organization can exercise more market power and negotiate better reimbursement rates than any of the parties could on their own. Higher reimbursement can significantly improve the financial outlook for a nonprofit health care organization, which must carefully balance its mission with its financial health. Before proceeding with a merger, the parties will often engage a third-party consultant to analyze their current payor arrangements and identify opportunities for improvement.
3. Access to Capital
Nonprofit health care organizations, unlike their for-profit counterparts, do not have access to equity markets to raise capital. Mergers can offer a solution to this challenge. By merging, two organizations can improve their creditworthiness, making it easier to obtain loans and other forms of debt financing for future expansion, facility improvements, or technology upgrades. This is particularly important as health care organizations seek to invest in value-based care models that require significant upfront investment in care coordination, population health management, and IT infrastructure. Lending arrangements for nonprofits are typically quite challenging due to concerns about maintaining tax status, use of funds, and restrictions associated with both. It is not uncommon for organizations to restructure their lending arrangements and partners during a merger process or immediately thereafter.
Improving Delivery of Care
1. Enhancing Quality of Care
One of the key motivations for a nonprofit merger is to improve quality and continuity of care. Smaller health care organizations, particularly those in rural areas, may struggle to provide specialized services or maintain high clinical practice standards due to more limited resources. A merger allows the parties to pool their resources and share best practices to build a more efficient and effective care delivery system, thereby improving patient outcomes and practitioner recruitment efforts.
Additionally, mergers can help organizations streamline care pathways. For instance, a health care system with multiple facilities may create better-integrated care models, improving coordination between primary care, specialty care, and hospital services. This enhances patient outcomes by reducing duplication of services, minimizing delays in care, and ensuring that patients receive the appropriate care in the most efficient setting.
2. Expanding Access to Care
For many nonprofit health care organizations, expanding access to care — especially for underserved populations — is a central part of their mission. Mergers can help organizations achieve this goal by expanding their geographic reach and the range of services that they can provide. For example, a small community hospital may merge with a larger regional health system to provide its patients with access to specialized services that were previously unavailable locally, such as oncology or cardiology.
Furthermore, mergers may enable organizations to better address social determinants of health, which are increasingly recognized as critical to improving population health. For example, a Federally Qualified Health Center (FQHC) with a strong primary care practice may consider merging with a nonprofit community-based behavioral health clinic to create an integrated preventative care network specific to the medical and behavioral health needs of its community. The larger, more financially stable merged organization may then be able to invest additional resources in community health initiatives, such as housing support and food security programs.
3. Investing in Innovation
Health care providers, and particularly nonprofits, may find it difficult to keep up with the rapid pace of innovation in the health care sector. Merged organizations are often better positioned to invest in these innovations, particularly in areas like telemedicine, data analytics, precision medicine, and value-based care models. By combining resources and patient base data, nonprofit health care organizations can become more responsive to the health care needs of their patient community, contributing to improved clinical outcomes and, in turn, a more financially stable future.
Value Creation Beyond Economics and Care Delivery
1. Mission Alignment
Nonprofit health care organizations are mission-driven, with the goal of serving their communities and improving health outcomes. When two nonprofit organizations merge, they typically seek to align their missions and values. This alignment is essential for ensuring the new entity remains focused on its core objective — whether that is serving a particular patient population, improving community health, or promoting medical research and education.
This often creates a situation where the two parties to the proposed merger are forced to negotiate a revised set of bylaws better suited for the combined entity post-closing. Important in this negotiation is understanding the terms around board structure, committees, executive officers, and general governance post-closing. It is not uncommon to see an expanded board or some combination of the two boards along with a realignment in officer positions. This is often an area of significant negotiation during the merger process.
2. Organizational Culture and Leadership Stability
In the nonprofit health care sector, where mission and values are paramount, ensuring that the two organizations’ cultures are compatible is essential. A well-executed merger offers a unique opportunity to bring fresh perspectives into leadership while preserving and building upon the parties’ existing strengths. By integrating their boards and leadership teams, merged organizations may foster the environment for more innovative and effective strategies for fulfilling a unified mission.
Structures of Nonprofit Health Care Transactions
Nonprofit health care mergers utilize unique transaction structures, primarily because they do not have shareholders and are organized for charitable purposes. Two common structures for combining nonprofit health care organizations include a member substitution and a true merger per state law.
1. Member Substitution
In a member substitution transaction, one nonprofit organization becomes the controlling member of another nonprofit without the two organizations dissolving or fully integrating into a single entity. The sole member (usually the parent organization) gains the authority to appoint the board members of the other organization and effectively controls its governance and operations. Note that a member substitution may not be viable in some states where nonprofit entities are not required or permitted to have members.

Benefits: Member substitution is often viewed as a less disruptive approach compared to a true merger. With a member substitution, the controlled entity retains its legal identity, which can help preserve relationships with donors, the community, and key stakeholders. This structure can also be advantageous for organizations wanting to maintain some degree of autonomy, particularly if they have a strong local presence or identity. Also important is that this structure still maintains separation of liabilities between each entity, i.e., liabilities of the nonprofit relinquishing control do not become the liabilities of the controlling member. A merger between a large health system and a smaller, local hospital may elect this structure in order to minimize disruption to the controlled entity’s local operations.
Challenges: The drawback of a member substitution is that it may not achieve the full benefits of integration, such as cost savings or streamlined operations. There may also be governance challenges if the controlled entity’s leadership or board resists the level of oversight imposed by the parent organization. Administratively, a member substitution can also be challenging because of the multiple levels of board governance.

2. True Merger
In a true merger, two or more nonprofit health care organizations combine into a single legal entity. The merged organization typically has a unified governance structure, leadership team, and operational model. This type of merger represents full integration and can provide the most significant opportunities for cost savings, operational efficiencies, and strategic growth.

Benefits: A true merger allows for complete consolidation of assets, liabilities, and operations. The merged organization can realize the maximum potential for economies of scale, enhanced bargaining power, and operational integration. Additionally, a true merger simplifies governance by creating a single board of directors and a unified executive leadership team.
Challenges: A true merger is more complex and may require regulatory approvals, including from the state attorney general or other regulatory bodies overseeing nonprofit or health care entities. The process can be time-consuming and may involve significant costs associated with legal, financial, and operational integration. A true merger also means that the surviving entity inherits the liabilities of the merged entity, which can result in unforeseen liability and risks for the surviving entity.

Conclusion
Mergers among nonprofit health care organizations are driven by a combination of economic pressures, the need to improve care delivery, and the desire to create long-term value for patients and communities. Whether through a member substitution or a true merger, these transactions can help organizations achieve financial stability, enhance quality of care, and expand access to services. However, nonprofit mergers require careful planning, particularly around governance, cultural integration, and mission alignment, to ensure that the merged organization remains focused on its charitable objectives and continues to serve its community effectively.
For nonprofit health care organizations considering a merger, it is essential to weigh both the financial and operational benefits, as well as the impact on the mission, before moving forward. With the right strategic approach, a merger can both strengthen the financial position of the parties and enhance their ability to serve their patients and communities.

How PPM Health Plans Can Solve the MEWA Problem

While a physician practice management (PPM) structure allows for compliance with corporate practice of medicine laws and ease of administration, it often creates inadvertent health plan issues that should be navigated carefully to avoid compliance issues and/or difficulties with selling PPM entities.

In Depth

MEWA PROBLEM
The PPM structure helpfully allows physicians to focus on the clinical practice of medicine through a physician practice professional corporation (PC), while outsourcing the business of the practice of medicine to a management services organization (MSO, which, together with the PC, is referred to as the PPM). Ideally, employees of the MSO and employees of each PC associated with the PPM structure could be combined and covered under a single group health plan to allow for experience rating of a larger group of employees, which leads to cost savings for the PPM structure and all employees, and simplifies the offering of healthcare coverage administration.
Because the MSO and the PC under the PPM structure typically do not have adequate common ownership – purposefully so to ensure the PPM structure complies with the corporate practice of medicine rules – allowing the PC and MSO entities to participate in the same health plan can create health plan compliance concerns, such as a multiple employer welfare arrangement (MEWA). It is preferable to avoid creation of a MEWA, as MEWA requirements can be burdensome and prohibitive, including exposure to state laws (some of which outlaw self-funded MEWAs) and extensive reporting requirements to certain states and the US Department of Labor. As a result, having a MEWA can result in state and/or federal penalties and the structure presents significant complications when it comes to selling the PPM to a third party.
MEWA ALTERNATIVES
All, however, is not lost. Rather than separately purchasing commercially available group health insurance (e.g., in the small group market, which is expensive and lacking in transparency), MSOs and PCs have several other options to provide group health plan coverage and avoid or accommodate being a MEWA. These include the following:

The MSO and PCs establish “mirror plans,” where each entity maintains a self-funded group health plan but stop-loss insurance may be pooled among entities. Alternatively, the MSO and PCs may use a group captive medical stop-loss structure to manage risk associated with stop-loss insurance for self-funded plans.
The MSO and PCs establish separate “level-funded” plans, where the MSO and PCs establish and maintain their own self-funded group health plans.
The MSO and PCs purchase fully insured group health coverage that is underwritten as a single, large group through a professional employer organization (PEO). While this usually does create a MEWA, MEWA compliance is the responsibility of the PEO provider, not the PPM structure.

Key Updates to the Employment Rights Bill

As part of the UK Government’s efforts to boost living standards and following weeks of consultation with business groups and trade unions, the Government has announced a series of proposed changes that the Employment Rights Bill (the “Bill”) plans to implement.
Here is a brief overview of the measures:

Employees will receive new “Day One” rights including being entitled to:

statutory sick pay (at present, this only applies from the third day of sickness absence);
unfair dismissal protection (removing the two-year qualifying employment requirement);
parental leave (removing the 26-weeks continuous service requirement); and
paternity leave entitlement (removing the one-year continuous service requirement).

Increasing the maximum period of the protective award for collective redundancy from 90 days to 180 days. Tribunals will be able to grant larger awards to employees for an employer’s failure to meet consultation requirements. Further guidance will be issued on this.
Abolishing the Lower Earnings Limit of £123 weekly to ensure that all employees, irrespective of pay, have access to statutory sick pay (“SSP”). People on wages below £123 weekly will receive either 80% of their average weekly earnings or statutory sick pay (which is currently £116.75), whichever is lower.
Employers will be required to take all reasonable steps to prevent sexual harassment, and sexual harassment-related disclosures will constitute “protected disclosures”.
Flexible working is set to become the “default” for all workers from their first day with employers only able to refuse a flexible working request if it is “unreasonable” based on a lawful ground (listed in the Bill).
It will be unlawful to dismiss pregnant mothers during their pregnancy and maternity leave (subject to exceptions which are yet to be clarified).
Bereavement leave will be available for those who suffer a pregnancy loss before 24 weeks.
A Modern Framework for Industrial Relations will be created to align trade union operations with modern work practices.
Time limits for bringing claims in the employment tribunals will be extended from three to six months following the date of the act(s) complained of.
Dismissing an employee who does not agree to a contract variation, or dismissing an employee in order to employ another person or to re-engage the same employee under a varied contract to carry out substantially the same duties, will be considered unfair dismissal unless the employer can show it could not have reasonably avoided making the variation.
The definition of workers will now include agency workers who should be able to access a contract which reflects the hours they regularly work. The zero-hour contract ban will extend to include agency workers.
Those working for umbrella companies will be given comparable rights and protections as they would have if they were working for a recruitment agency. Enforcement action will be able to be taken against umbrella companies if they do not comply.

The Government will no longer be including a “right to switch off” outside of working hours in the Bill which would have prevented employers contacting staff out-of-hours. However, there have been suggestions that this right may be included in an accompanying code in due course. 
The Bill is set to be heard before Parliament over the next few weeks during which further amendments may be made. The Bill is expected to be introduced next Autumn.  
Maya Sterrie also contributed to this article. 

AI Meets HIPAA Security: Understanding HHS’s Risk Strategies and Proposed Changes

In this final blog post in the Bradley series on the HIPAA Security Rule notice of proposed rulemaking (NPRM), we examine how the U.S. Department of Health and Human Services (HHS) Office for Civil Rights interprets the application of the HIPAA Security Rule to artificial intelligence (AI) and other emerging technologies. While the HIPAA Security Rule has traditionally been technology agnostic, HHS explicitly addresses security measures for these evolving technology advances. The NPRM provides guidance to incorporate AI considerations into compliance strategies and risk assessments.
AI Risk Assessments
In the NPRM, HHS would require a comprehensive, up-to-date inventory of all technology assets that identifies AI technologies interacting with ePHI. HHS clarifies that the Security Rule governs ePHI used in both AI training data and the algorithms developed or used by regulated entities. As such, HHS emphasizes that regulated entities must incorporate AI into their risk analysis and management processes and regularly update their analysis to address changes in technology or operations. Entities must assess how the AI system interacts with ePHI, considering the type and amount of data accessed, how the AI uses or discloses ePHI, and who the recipients of AI-generated outputs are.
HHS expects entities to identify, track, and assess reasonably anticipated risks associated with AI models, including risks related to data access, processing, and output. Flowing from the proposed data mapping safeguards discussed in previous blog posts, regulated entities would document where and how the AI software interacts with or processes ePHI to support risk assessments. HHS would also require regulated entities to monitor authoritative sources for known vulnerabilities to the AI system and promptly remediate them according to their patch management program. This lifecycle approach to risk analysis aims to ensure the confidentiality, integrity, and availability of ePHI as technology evolves.
Integration of AI developers into the Security Risk Analysis
More mature entities typically have built out third-party vendor risk management diligence. If finalized, the NPRM would require all regulated entities contracting with AI developers to formally incorporate Business Associate Agreement (BAA) risk assessments into their security risk analysis. Entities also would need to evaluate BAs based on written security verifications that the AI vendor has documented security controls. Regulated entities should collaborate with their AI vendors to review technology assets, including AI software that interacts with ePHI. This partnership will allow entities to identify and track reasonably anticipated threats and vulnerabilities, evaluate their likelihood and potential impact, and document security measures and risk management.
Getting Started with Current Requirements
Clinicians are increasingly integrating AI into clinical workflows to analyze health records, identify risk factors, assist in disease detection, and draft real-time patient summaries for review as the “human in the loop.” According to the most recent HIMSS cybersecurity survey, most health care organizations permit the use of generative AI with varied approaches to AI governance and risk management. Nearly half the organizations surveyed did not have an approval process for AI, and only 31% report that they are actively monitoring AI systems. As a result, the majority of respondents are concerned about data breaches and bias in AI systems. 
The NPRM enhances specificity in the risk analysis process by incorporating informal HHS guidance, security assessment tools, and frameworks for more detailed specifications. Entities need to update their procurement process to confirm that their AI vendors align with the Security Rule and industry best practices, such as the NIST AI Risk Management Framework, for managing AI-related risks, including privacy, security, unfair bias, and ethical use of ePHI.
The proposed HHS requirements are not the only concerns clinicians must consider when evaluating AI vendors. HHS also has finalized a rule under Section 1557 of the Affordable Care Act requiring covered healthcare providers to identify and mitigate discrimination risks from patient care decision support tools. Regulated entities must mitigate AI-related security risks and strengthen vendor oversight in contracts involving AI software that processes ePHI to meet these new demands.
Thank you for tuning into this series analyzing the Security Rule updates. Please contact us if there are any questions or if we can assist with any steps moving forward.
Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

Industry Groups Urge Rescission of Proposed HIPAA Security Rule Updates

In February, a coalition of healthcare organizations sent a letter to President Donald J. Trump and the U.S. Department of Health and Human Services (HHS) (the Letter), urging the immediate rescission of a proposed update to the Security Rule under HIPAA. The update is aimed at strengthening safeguards for securing electronic protected health information.
According to The HIPAA Journal, the data breach trend in the healthcare industry over the past 14 years is up, not down. This is the case despite the HIPAA Security Rule having been in effect since 2005.
The HIPAA Journal goes on to provide some sobering statistics:
Between October 21, 2009, when OCR first started publishing summaries of data breach reports on its “Wall of Shame”, and December 31, 2023, 5,887 large healthcare data breaches have been reported. On January 22, 2023, the breach portal listed 857 data breaches as still under investigation. This time last year there were 882 breaches listed as under investigation, which shows OCR has made little progress in clearing its backlog of investigations – something that is unlikely to change given the chronic lack of funding for the department.
There have been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. The move to digital record keeping, more accurate tracking of electronic devices, and more widespread adoption of data encryption have been key in reducing these data breaches. There has also been a downward trend in improper disposal incidents and unauthorized access/disclosure incidents, but data breaches continue to increase due to a massive increase in hacking incidents and ransomware attacks. In 2023, OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over the same period. In 2019, hacking accounted for 49% of all reported breaches. In 2023, 79.7% of data breaches were due to hacking incidents.
The letter, signed by numerous healthcare organizations, outlines several key concerns regarding the proposed HIPAA Security Rule update, including:

Financial and Operational Burdens: The letter argues that the proposed regulation would impose significant financial and operational burdens on healthcare providers, particularly those in rural areas. The unfunded mandates associated with the new requirements could strain the resources of hospitals and healthcare systems, leading to higher healthcare costs for patients and reduced investment in other critical areas.
Conflict with Existing Law: The Letter points to an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act, arguing the proposed enhancements to the Security Rule conflict with the HITECH Act amendment. However, the HITECH Act amendment sought to incentivize covered entities to adopt “recognized security practices” that might minimize (not necessarily eliminate) remedies for HIPAA Security Rule violations and the length and extent of audits and investigations.
Timeline and Feasibility: The letter highlights concerns about the timeline for implementing the proposed requirements. The depth and breadth of the new mandates, combined with an unreasonable timeline, present significant challenges for healthcare providers. 

No doubt, the Trump Administration is intent on reducing regulation on business. However, it will be interesting to see whether it softens or even eliminates the proposed rule in response to the Letter, despite the clear trend of more numerous and damaging data breaches in the healthcare sector, and an increasing threat landscape facing all U.S. businesses.

What to Watch in Nevada’s 2025 Legislative Session: Key Employment-Related Bills

On February 3, 2025, the Nevada state legislature kicked off its latest legislative session, and state lawmakers are poised to consider several bills that could impact employers and employees, from last day pay provisions to paid leave and work restrictions for minors. Here is a recap from the first month in session.

Quick Hits

The Nevada state legislature commenced its latest legislative session on February 3, 2025.
State lawmakers are considering multiple bills that could impact employment law in Nevada.

Employers may want to take note of these legislative developments, which, if passed and enacted, could result in significant changes to Chapters 608 and 613 of the Nevada Revised Statutes (NRS).
Here is a breakdown of some of the key bills in this legislative session.

SB 198: Changes to Last Day Pay Provisions

Senate Bill (SB) 198 would revise the last day pay provisions under NRS 608.030. Under existing law, employers are required to pay discharged employees their earned and unpaid wages immediately. Similarly, employees placed on nonworking status must be paid immediately, and those who resign or quit must be paid by their next regular payday or within seven days, whichever is earlier. Penalties for the failure to pay final wages and compensation do not attach for three days from the date the wages and compensation are due, which is commonly referred to as the “three day grace period.”
The new bill would expand the definition of compensation to include fringe benefits and increase penalties for noncompliance. Further, the bill would eliminate the “three day grace period.” Instead, employers would only have until 5:00 p.m. the day following the date wages and compensation are due to the employee. The bill would also increase the penalties to an amount equal to eight hours of work at 1.5 times the employee’s hourly wage for each day the payment is delayed, up to thirty days. The bill would also mandate that cannabis establishments comply with all federal and state labor laws, with violations resulting in license revocation.

AB 112: Sick Leave Policy Changes

Assembly Bill (AB) 112 would remove the exemption for employees covered by a collective bargaining agreement (CBA) from the provisions of NRS 608.01975. Under current law, employers are not required to allow employees covered by a CBA to use accrued sick leave for family medical needs. The bill would eliminate that exemption, making the requirement applicable to all employers, regardless of CBA coverage. However, the changes would not apply during the current term of any CBA entered into before October 1, 2025. Still, they would apply to any extensions, renewals, or new agreements made on or after that date.

AB 166: Work Hour Restrictions for Minors

AB 166 would extend the limitations on the number of hours workers under the age of sixteen are allowed to work to workers under the age of eighteen and reduce the number of allowable work hours from forty-eight hours in a week to forty hours in a week. The bill would maintain the daily limit of eight hours. Additionally, the bill would prohibit minors enrolled in school from working before 5:00 a.m. on school days and after 10:00 p.m. on nights preceding school days. Exceptions would remain for work as performers in motion pictures and work on farms.

AB 179: Extension of Paid Leave Statute

Nevada’s existing paid leave statute requires private employers with fifty or more employees in the state to provide at least 0.01923 hours of paid leave for each hour worked, but it does not apply to employers that provide such a paid leave policy “pursuant to a contract, policy, collective bargaining agreement or other agreement.” AB 179 would eliminate that exception to the statute. Further, the bill clarifies specific actions that would constitute unlawful “retaliation” under the statute against an employee who takes paid leave.

AB 255: Prohibiting Repayment Obligations in Employment Contracts

AB 255 would prohibit employers from requiring an employee or independent contractor to repay the employer any sums if the employee terminates employment before a specified period of time expires. This could include training expenses, relocation expenses, or sign-on bonuses with repayment obligations, which are tied to an employee or independent contractor satisfying a length of service first. AB 255 could be enforced by the labor commissioner or the attorney general, and would also create a private right of action.

SB 160: Realignment of Nevada Equal Rights Commission and Enhanced Scope of Authority

SB 160 would remove the Nevada Equal Rights Commission (NERC) from the Department of Employment, Training and Rehabilitation, and move it to the Office of the Attorney General. It permits NERC to consider “historical data” related to the employer’s discriminatory practices. There is declarative language in this legislation about nondiscrimination being a public policy of the state, which could open the door to wrongful termination in violation of public policy claims based on discriminatory acts, which is not currently the law. The bill also details a penalties structure for employers that are deemed to have committed “willful” violations of the statute.

First Circuit Joins Other Circuits in Adopting Stricter Causation Standard in FCA Cases Based on Anti-Kickback Statute

On February 18, 2025, the First Circuit joined the Sixth and Eighth Circuits in adopting a “but for” causation standard in cases involving per se liability under the federal Anti-Kickback Statute (AKS) and the False Claims Act (FCA). In U.S. v. Regeneron Pharmaceuticals, the First Circuit held that for an AKS violation to automatically result in FCA liability, the government must show that the false claims would not have been submitted in the absence of the unlawful kickback scheme. The decision is the latest salvo in the battle over what it means for a false claim to “result from” a kickback, as discussed in our False Claims Act: 2024 Year in Review.
With the fight becoming increasingly one-sided — the Third Circuit remains the only circuit that has adopted a less stringent causation standard — the government may look at alternative theories to link the AKS and FCA.
Key Issues and the Parties’ Positions
As outlined in our previous posts on the issue, the legal dispute revolves around the interpretation of the 2010 amendment to the AKS, which states that claims “resulting from” a kickback constitute false or fraudulent claims under the FCA.
In this case, the government accused Regeneron of violating the AKS by indirectly covering Medicare copayments for its drug, Eylea, through donations to a third-party foundation. The government’s key argument relied on the Third Circuit’s Greenfield decision, the AKS’s statutory structure, and the 2010 amendment’s legislative history to argue that a stringent causation standard would defeat the amendment’s purpose. It urged the court to find that once a claim is tied to an AKS violation, it should automatically be considered false under the FCA — without the need to prove that the violation directly influenced the claim.
Regeneron, on the other hand, argued that an FCA violation only occurs if the kickback was the determining factor in the submission of the claim. Relying on the Eighth and Sixth Circuits’ decisions, prior Supreme Court precedent, and a textual reading of the amendment, Regeneron contended that the phrase “resulting from” could only mean actual causation and nothing less.
The Court’s Decision
The First Circuit sided with Regeneron. It found that, given the Supreme Court’s prior interpretation of the phrase “resulting from” as requiring but-for causation, this should be the default assumption when a statute uses that language. While acknowledging that statutory context could, in some cases, suggest a different standard, the court concluded that the government failed to provide sufficient contextual justification for a departure from but-for causation.
The court rejected the government’s argument that, in the broader context of the AKS statutory scheme, it would be counterintuitive for Congress to impose a more stringent causation standard for civil AKS violations than for criminal AKS violations, which require no proof of causation. The court also dismissed the government’s legislative history argument — specifically, the claim that a but-for causation standard would undermine the impetus for the amendment.
Implication: False Certification Theories May Become More Prominent
The First Circuit was careful to distinguish between the per se liability at issue in this case and liability under a false certification theory. While the government must show but-for causation for an AKS violation to automatically give rise to FCA liability, the court said that the same is not true for false certification claims.
Any entity that submits claims for payment under federal healthcare programs certifies — either explicitly or implicitly — that it has complied with the AKS. The court noted that nothing in the 2010 amendment requires proof of but-for causation in a false certification case. The government may take this as a cue to pivot toward false certification claims as a means of linking the AKS and FCA, potentially leaving the 2010 amendment argument behind.
Final Thoughts
The First Circuit’s decision in U.S. v. Regeneron Pharmaceuticals further cements the dominance of the “but for” causation standard in linking AKS violations to FCA liability, making it increasingly difficult for the government to pursue claims under a per se liability theory. With three circuits now aligned on this interpretation and only the Third Circuit standing apart, the tide appears to be turning in favor of a stricter causation requirement.
However, as the court acknowledged, this ruling may not foreclose other avenues for FCA liability — particularly false certification claims, which at least this court has found do not require the same level of causal proof. Given this, the government may shift its focus toward alternative enforcement strategies to maintain the strength of its anti-kickback enforcement efforts. As the legal landscape continues to evolve, healthcare entities and compliance professionals should remain vigilant, as new litigation trends and regulatory responses may reshape the interplay between the AKS and FCA in the years to come.

HHS Reverses Its Longstanding Policy and Limits Public Participation in Rulemaking

On March 3, 2025, the Secretary of Health and Human Services published a policy statement in the Federal Register that reverses a policy adopted over 50 years ago that was intended to expand public participation in the process of rulemaking at the Department of Health and Human Services (the “Department”). 90 Fed. Reg. 11029 (2025).
This action is at odds with the “radical transparency” that Secretary Kennedy had promised previously, and may affect many programs and financial relationships between individuals, organizations, and others that interact with Health and Human Services (“HHS”).
Regulatory agencies such as HHS and its components, including the Centers for Medicare and Medicaid Services (“CMS”), the Food and Drug Administration (“FDA”), and the National Institutes of Health (“NIH”) must follow rulemaking procedures set out in the Administrative Procedure Act (“APA”) when they formulate and publish regulations that are intended to implement a statute and have the force of law. Those procedures include offering the public an opportunity to be notified of proposed regulations and to submit comments to the agency. The APA also contains several exceptions to the notice and comment requirement, including one for matters relating to “public property, loans, grants, benefits, or contracts.” Nevertheless, HHS and several other federal departments adopted policies that voluntarily waived these exceptions.
In 1971, then-Secretary of Health, Education, and Welfare Elliot Richardson issued a policy statement announcing that the Department would voluntarily follow notice and comment procedures for regulations relating to public property, loans, grants, benefits, or contracts (the “Richardson Waiver”). That notice explained that the waiver would allow for greater participation by the public in the rulemaking process, and that the additional burden on the Department was outweighed by the public benefit. The policy also instructed that although the APA allows for rulemaking procedures to be waived when good cause exists, that exception should be used “sparingly.”
HHS’s New Policy Limiting Rulemaking and Potential Safeguards
The new HHS policy statement sweeps away the 1971 policy. Its impact may vary depending on the issue and component of HHS. For example, for research funded by the NIH or other projects funded by agencies within HHS, the new policy could allow a granting or contracting agency to amend financial terms without public participation. This exact issue is currently in the spotlight as courts actively evaluate the legality of the NIH’s recent Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates (NOT-OD-25-068) (“Supplemental Guidance”), issued by the Office of the Director of the National Institutes of Health on February 7, 2025, which attempted to impose an across-the-board 15% cap on Indirect Cost (“IDC”) rates for all new grants as well as for existing grants awarded to Institutions of Higher Education. The District Court of Massachusetts has imposed a nationwide preliminary injunction (“PI”) prohibiting the Secretary and NIH from taking any steps to implement or enforce the Supplemental Guidance. Commonwealth of Massachusetts, et al. v. National Institutes of Health, et al., No. 25-CV-10338 (D. Mass. Mar. 5, 2025). The court concluded that the plaintiffs would be irreparably harmed by the Supplemental Guidance and agreed that the Supplemental Guidance was a legislative rule that failed to comply with the notice and comment requirements of the APA. It relied in part on the argument that under the Richardson Waiver, the Secretary could not change the IDC rate unilaterally. The timing of the Department’s policy reversing the Richardson Waiver might be viewed as directly responsive to this disputed point in the ongoing litigation.
In other areas, the policy statement may have little or no impact if there is a separate statutory requirement for rulemaking. In the Medicare statute, for example, Congress mandated in Section 1871(a)(2) of the Social Security Act that HHS must engage in notice and comment rulemaking for any “substantive legal standard governing the scope of benefits, the payment for services, or the eligibility of individuals, entities, or organizations to furnish or receive services or benefits . . . .” Should Congress decide to limit the scope of the new HHS policy, this statute could be a template for legislation.
The impact of the new policy on the Medicaid program is less clear. While there is no similar statutory requirement for rulemaking under the Medicaid program as there is for Medicare, the federal government also has more limited control over the direction of each individual State’s Medicaid program offering. However, there are areas where HHS has sought public comment on changes to state Medicaid program requirements in the past, such as changes proposed by States through Medicaid program waivers that the federal government has to approve. This new policy may be signaling that HHS will choose not to seek comments on those proposed changes in the future.
Returning to the IDC rate litigation, there arguably exists both statutory and regulatory grounding for applying grantees’ existing negotiated indirect cost rates, documented in the negotiated indirect cost rate agreement (“NICRA”) entered into between the government and grantee institutions. First, a provision in the annual appropriations act since 2018 has limited Congress’ ability to impose any type of across-the-board cap. See Further Consolidated Appropriations Act, 2024, P.L. 118-47, Title II, § 224. This was adopted in response to the first Trump administration’s attempt to impose an across-the-board cap of 10% in 2017. Second, in the HHS regulations applicable to IDC rates, there is an explicit requirement that the negotiated rates must be “accepted by all Federal awarding agencies.” 45 C.F.R. § 75.414(c)(1). This regulatory exception, and alleged noncompliance with the APA’s rulemaking requirement, is at the core of the ongoing IDC rate litigation. As such, there are arguably continued bases for the objection to the NIH Supplemental Guidance notwithstanding the recent reversal of the Richardson Waiver.
Does HHS’s New Policy Signal a Wider Use of the “Good Cause” Exception?
Another part of the new HHS policy to watch carefully involves the exception in the APA that allows agencies to dispense with notice and comment rulemaking when there is good cause that a notice and comment period is impractical or contrary to the public interest. The new HHS policy states that agencies may rely on the good cause exception “in appropriate circumstances” rather than “sparingly” but provides no further clarification.
Courts have interpreted this exception narrowly; for example, they have upheld good cause exceptions when agencies have responded to epidemics and natural disasters, but have rejected exceptions claimed by agencies due to statutory deadlines, economic concerns, or a need to implement a political goal rapidly. In addition, a 2012 report published by the General Accountability Office criticized the frequent use of the good cause exception to avoid public comments on rules. Therefore, it remains to be seen how and when HHS relies on this exception, and whether the reasons offered justify the exception or would stand up to judicial review.