Think Compliance Got Easier? Think Again—DOJ’s New Era in White-Collar Enforcement
Many have speculated as to how white-collar enforcement may change during President Trump’s second term. A recent memorandum by the Head of the Department of Justice’s (“Department”) Criminal Division, Matthew R. Galeotti, sheds light on that issue. Specifically, on May 12, Galeotti issued a memorandum—“Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime” (the “Galeotti Memorandum”). Galeotti covers a number of topics in the memorandum, including the “three core tenets” that the Criminal Division will follow when prosecuting white-collar matters. Those tenets are: “(1) focus; (2) fairness; and (3) efficiency.” We will cover each of those pillars in three posts this week. This post delves into the first tenet—focus.
As an initial matter, the Galeotti Memorandum affirms the Department’s commitment to “do justice, uphold the rule of law, protect the American public, and vindicate victims’ rights.” He emphasizes the “significant threat to U.S. interests” that white-collar crime poses. Galeotti explains that the Department is adopting a “targeted and efficient” approach to white collar cases that “does not allow overbroad enforcement to harm legitimate business interests.” Galeotti further cautioned that governmental overreach “punishes risk-taking and hinders innovation.”
Under the focus prong, the Galeotti Memorandum directs prosecutors to concentrate on issues that pose a “significant threat to US interests.” Galeotti first walks through the harms stemming from white-collar crime, including:
The exploitation of governmental programs, including health care fraud and defense spending fraud;
The targeting of U.S. investors or actions that otherwise undermine market integrity, such as elder fraud, investment fraud, and Ponzi schemes;
The targeting of monetary systems that compromise “economic development and innovation;”
Threats to the American economy and national security; and
The corruption of the American financial system.
In light of those harms, Galeotti identifies the following priority areas for the Criminal Division:
Health care fraud and other waste, fraud, and abuse;
Trade and customs fraud;
Elder fraud, securities fraud, and other fraud facilitated by variable interest entities;
Complex money laundering, including “Chinese Money Laundering Organizations;”
Fraud targeting “U.S. investors, individuals, and markets;”
Crimes that compromise national security;
Corporate support of “foreign terrorist organizations;”
Crimes implicating “the Controlled Substances Act and the Federal Food, Drug, and Cosmetic Act;”
Money laundering and bribery implicating “U.S. national interests,” “national security,” competition, and the benefit of “foreign corrupt officials;” and
Criminal conduct that involves “digital assets that victimize investors and consumers,” use those assets to further “other criminal conduct,” and “willful violations that facilitate significant criminal activity.”
In addition, the Department will focus on identifying and seizing the proceeds of crimes included in the list above and using those proceeds “to compensate victims.” Prosecutors will also prioritize crimes “involving senior-level personnel or other culpable actors, demonstrable loss,” and obstruction of justice.
The Department is also expanding its Corporate Whistleblower Awards Pilot Program to prioritize tips that result in forfeiture in areas such as:
Conduct involving “international cartels or transnational criminal organizations;”
Federal immigration law violations;
Conduct “involving material support of terrorism;”
“Corporate sanctions offenses;”
Corporate conduct involving “[t]rade, tariff, and customs fraud;” and
Procurement fraud by corporations.
As noted above, we will delve into the other two prongs of the Galeotti Memorandum—fairness and efficiency—in two follow-up posts. The first prong makes clear, however, that the Department is still focused on white collar crime—particularly in the health care industry.
DOJ Criminal Division Updates (Part 1): DOJ’s New White Collar Crime Enforcement Plan
On May 12, DOJ’s Criminal Division head, Matthew G. Galeotti, issued a memo to all Criminal Division personnel, entitled “Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime,” to “outline the Criminal Division’s enforcement priorities and policies for prosecuting corporate and white-collar crimes in the new administration.” The memo highlights 10 priority areas for investigation and prosecution, calls for a revision of the Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy to provide increased incentives to corporations, and previews “streamlining corporate investigations” with an emphasis on fairness and efficiency as well as a reduction in corporate monitorships.
Ten Priority Areas for Investigation and Prosecution
The memo enumerates the following ten areas of focus:
Health care fraud;
Trade and customs fraud, including tariff evasion;
Fraud perpetrated through VIEs (variable interest entities);
Fraud that victimizes U.S. investors, such as Ponzi schemes and investment fraud;
Sanctions violations or conduct that enable transactions by cartels, TCOs, hostile nation-states, and/or foreign terrorist organizations;
Provision of material support to foreign terrorist organizations;
Complex money laundering, including schemes involving illegal drugs;
Violations of the Controlled Substances Act and the FDCA (Food, Drug, and Cosmetic Act);
Bribery and money-laundering that impact U.S. national interests, undermine U.S. national security, harm the competitiveness of U.S. business, and enrich foreign corrupt officials; and
Digital asset crimes, with high priority to cases involving cartels, TCOs, drug money-laundering or sanctions evasion.
These 10 areas of focus — and the order in which they are listed — echo the priorities laid out in the Trump administration’s enforcement-related executive orders and memos published to date.[1]
More broadly, Galeotti described the priorities as DOJ’s effort to “strike an appropriate balance between the need to effectively identify, investigate, and prosecute corporate and individuals’ criminal wrongdoing while minimizing unnecessary burdens on American enterprise.” Galeotti explained that “[t]he vast majority of American business are legitimate enterprises working to deliver value for their shareholders and quality products and services for customers” and therefore “[p]rosecutors must avoid overreach that punishes risk-taking and hinders innovation.” Galeotti also makes clear that DOJ attorneys “are to be guided by three core tenets: (1) focus; (2) fairness; and (3) efficiency.” He also directed the Criminal Division’s Corporate Whistleblower Awards Pilot Program be amended to reflect these priority areas of focus.[2]
Emphasis on Individuals and Leniency Toward Corporations
Galeotti emphasized the Criminal Division’s focus on prosecuting individuals and the need to further take into account the efforts put forth by corporations to remediate the actions of individual bad actors. Galeotti promised the Criminal Division would “investigate these individual wrongdoers relentlessly to hold them accountable” and directed the revision of the Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) to provide more opportunities for leniency where it is determined corporate criminal resolutions are necessary for companies that self-disclose and fully cooperate. These revisions include shorter terms for non-prosecution and deferred prosecution agreements, reduced corporate fines, and limited use and terms of corporate monitors.[3] Galeotti specifically has directed the review of terms of all current agreements with companies to determine whether they should be terminated early. DOJ has already begun terminating agreements it determined have been fully met.
Streamlining Corporate Investigations
Finally, Galeotti emphasizes the need to minimize the unnecessary cost and disruption to U.S. businesses due to DOJ’s investigations and to “maximize efficiency.”
More Efficient Investigations
While acknowledging the complexity and frequent cross-border nature of the Division’s investigations, prosecutors are instructed to “take all reasonable steps to minimize the length and collateral impact of their investigation, and to ensure that bad actors are brought to justice swiftly and resources are marshaled efficiently.” The Assistant Attorney General’s office will, along with the relevant Section, track investigations to ensure they are “swiftly concluded.”
Limitation on Corporate Monitorships
DOJ will impose compliance monitorships only when it deems them necessary and has directed that those monitorships, when imposed, should be “narrowly tailored.” Building upon a previous administration’s memorandum,[4] DOJ issued a May 12 Memorandum on Selection of Monitors in Criminal Division Matters, which provides factors for considering whether a monitorship is appropriate and guidelines to ensure a monitorship is properly tailored to address the “risk of recurrence” and “reduce unnecessary costs.” In considering the appointment of a monitor, prosecutors are to consider the:
Risk of recurrence of criminal conduct that significantly impacts U.S. interests;
Availability and efficacy of other independent government oversight;
Efficacy of the compliance program and culture of compliance at the time of the resolution; and
Maturity of the company’s controls and its ability to independently test and update its compliance program.
The chief of the relevant section, as well as the Assistant Attorney General, must approve all monitorships, and the memo lays out additional details regarding the monitor’s appointment and oversight as well as the monitor selection process.
Takeaways
DOJ’s current hiring freeze and recent personnel reductions/reassignments should not be taken as a sign that white collar crime will be permitted to flourish under the current administration. Rather, Galeotti’s May 12 memo further solidifies the enforcement policies and priorities the DOJ has been previewing since day one of the Trump administration and provides more clarity on what to expect when engaging with the Criminal Division and where it will be focusing its now-more-limited resources. Companies should familiarize themselves with this memo and corresponding updates related to whistleblowers, corporate enforcement and self-disclosures, and monitorships to ensure companies are appropriately assessing their risk profile, addressing potential misconduct, and meeting government expectations.
[1] See, e.g., Executive Order 14157, Designating Cartels and Other Organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists (Jan. 20, 2025) (Cartels Executive Order); Memorandum from the Attorney General, Total Elimination of Cartels and Transnational Criminal Organizations (Feb. 5, 2025) (Cartels and TCOs AG Memorandum); Executive Order 14209, Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security (Feb. 10, 2025); Cartels and TCOs AG Memorandum.
[2] See “DOJ Criminal Division Updates (Part 2): Department of Justice Updates its Corporate Criminal Whistleblower Awards Pilot Program”
[3] See “DOJ Criminal Division Updates (Part 3): New Reasons for Companies to Self-Disclose Criminal Conduct”
[4] March 7, 2008 Craig Morford Memorandum (addressing selection and responsibilities of a corporate monitor).
Utah Enacts AI Amendments Targeted at Mental Health Chatbots and Generative AI
Utah is one of a handful of states that has been a leader in its regulation of AI. Utah’s Artificial Intelligence Policy Act[i] (“UAIPA”) was enacted in 2024 and requires disclosures relating to consumer interaction with generative AI with heightened requirements on regulated professions, including licensed healthcare professionals.
Utah recently passed three AI laws (HB 452, SB 226 and SB 332), all of which became effective on May 7, 2025, and either amend or expand the scope of the UAIPA. The laws govern the use of mental health chatbots, revise disclosure requirements for the deployment of generative AI in connection with a consumer transaction or provision of regulated services, and extend the repeal date of the UAIPA.
HB 452
HB 452 creates disclosure requirements, advertising restrictions, and privacy protections for the use of mental health chatbots.[ii] “Mental health chatbots” refer to AI technology that (1) uses generative AI to engage in conversations with a user of the mental health chatbot, similar to communications one would have with a licensed therapist, and (2) a supplier represents, or a reasonable person would believe, can provide mental health therapy or help manage or treat mental health conditions. “Mental health chatbots” do not include AI technology that only provides scripted output (such as guided meditations or mindfulness exercises).
Disclosure Requirements
A mental health chatbot must clearly and conspicuously disclose that the mental health chatbot is an AI technology and not human. The disclosure must be made (1) before the user accesses features of the mental health chatbot, (2) at the beginning of any interaction with the user, if the user has not accessed the mental health chatbot within the previous 7 days, and (3) if asked or prompted by the user whether AI is being used.
Personal Information Protections
Mental health chatbot suppliers may not sell or share with any third party the individually identifiable health information (“IIHI”) or user input of a user. The prohibition does not apply to IIHI that (1) a health care provider requests with the user’s consent, (2) is provided to a health plan upon the request of the user, or (3) is shared by the supplier as a covered entity to a business associate to ensure effective functionality of the mental health chatbot and in compliance with the HIPAA Privacy and Security Rules.
Advertising Restrictions
A mental health chatbot cannot be used to advertise a specific product or service to a user in a conversation between the user and the mental health chatbot, unless the mental health chatbot clearly and conspicuously (1) identifies the advertisement as an advertisement and (2) discloses any sponsorship, business affiliation or agreement with a third party to promote or advertise the product or service. Suppliers of mental health chatbots may not use a user’s input to (1) determine whether to display advertisements to the user unless the advertisement is for the mental health chatbot itself, (2) customize how advertisements are presented, or (3) determine a product, service or category to advertise to the user.
Affirmative Defense
HB 452 establishes an affirmative defense to violations of the law which requires, among other items, creating, maintaining and implementing a policy for the mental health chatbot that meets specific requirements outlined in the law and filing such policy with the Utah Division of Consumer Protection.
Penalties
Violation of the law may result in administrative fines up to $2,500 per violation and court action by the Utah Division of Consumer Protection.
SB 226
SB 226 pares back UAIPA’s disclosure requirements applicable to a supplier that uses generative AI in a consumer transaction to when (1) there is a “clear and unambiguous” request from an individual to determine whether an interaction is with AI, rather than any request, and (2) an individual interacts with generative AI in the course of receiving regulated services that constitute a “high-risk” AI interaction, instead of any generative AI interaction in the provision of regulated services.[iii]
Disclosure Requirements
If an individual asks or prompts a supplier about whether AI is being used, a supplier that uses generative AI to interact with an individual in connection with a consumer transaction must disclose that the individual is interacting with generative AI and not a human. While this requirement also existed under the UAIPA, SB 226 clarifies that disclosure is only required when the individual’s prompt or question is a “clear and unambiguous request” to determine whether an interaction is with a human or AI.
The UAIPA also requires persons who provide services of a regulated occupation to prominently disclose when a person is interacting with generative AI in the provision of regulated services, regardless of whether the person inquires if they are interacting with generative AI. Under SB 226, such disclosure is only required if the use of generative AI constitutes a “high-risk artificial intelligence interaction.” The disclosure must be provided verbally at the start of a verbal conversation and in writing before the start of a written interaction. “Regulated occupation” means an occupation that is regulated by the Utah Department of Commerce and requires a license or state certification to practice the occupation, such as nursing, medicine, and pharmacy. “High-risk AI interaction” includes an interaction with generative AI that involves (1) the collection of sensitive personal information, such as health or biometric data and (2) the provision of personalized recommendations, advice, or information that could reasonably be relied upon to make significant personal decisions, including the provision of medical or mental health advice or services.
Safe Harbor
A person is not subject to an enforcement action for violation of the required disclosure requirements if the person’s generative AI clearly and conspicuously discloses at the outset of and throughout an interaction in connection with a consumer transaction or the provision of regulated services that it is (1) generative AI, (2) not human, or (3) an AI assistant.
Penalties
Violation of the law may result in administrative fines up to $2,500 per violation and a court action by the Utah Division of Consumer Protection.
SB 332
SB 332 extended the repeal date of the UAIPA from May 1, 2025 to July 1, 2027.[iv]
Looking Forward
Companies that offer mental health chatbots or generative AI in interactions with individuals in Utah should evaluate their products and processes to ensure compliance with the law. Furthermore, the AI regulatory landscape at the state level is rapidly changing as states attempt to govern the use of AI in an increasingly deregulatory federal environment. Healthcare companies developing and deploying AI should monitor state developments.
FOOTNOTES
[i] S.B. 149 (“Utah Artificial Intelligence Policy Act”), 65th Leg., 2024 Gen. Session (Utah 2024).
[ii] H.B. 452, 66th Leg., 2025 Gen. Session (Utah 2025).
[iii] S.B. 226, 66th Leg., 2025 Gen. Session (Utah 2025).
[iv] S.B. 332, 66th Leg., 2025 Gen. Session (Utah 2025).
5 Key Contracting Considerations for Digital Health Companies Working with AI Vendors
Artificial Intelligence (AI) is rapidly transforming digital health — from patient engagement to clinical decision-making, the changes are revolutionary. Contracting with AI vendors presents new legal, operational, and compliance risks. Digital health CEOs and legal teams must adapt traditional contracting playbooks to address the realities of AI systems handling sensitive and highly regulated health care data.
To assure optimal results, here are five critical areas for digital health companies to address in the contract negotiation process with potential AI vendors:
1. Define AI Capabilities, Scope, and Performance
Your contract should explicitly:
Describe what the AI tool does, its limitations, integration points, and expected outcomes.
Establish measurable performance standards and incorporate them into service-level agreements.
Include user acceptance testing and remedies, such as service credits or termination if performance standards are not met. This protects your investment in AI-driven services and aligns vendor accountability with your operational goals.
2. Clarify Data Ownership and Usage Rights
AI thrives on data, so clarity around data ownership, access, and licensing is essential. The contract should state the specific data the vendor can access and use — including whether such data includes protected health information (PHI), other personal information, or operational data — and whether it can be used to train or improve the vendor’s models. Importantly, your contract should ensure that any vendor use of data aligns with HIPAA, state privacy laws, and your internal policies, including restricting reuse of PHI or other sensitive health data for purposes other than the vendor providing the services to your company or other purposes permitted by law. There is much greater flexibility to license access for the vendor to use your de-identified data to train or develop AI models, if the company has the appetite for such data licensing.
You should also scrutinize broad data licenses. Be careful not to assume liability for how a vendor repurposes your data unless the use case is clearly authorized in the contract.
3. Demand Transparency and Explainability
Regulators and patients expect transparency in AI-driven health care decisions. Require documentation that explains how the AI model works, the logic behind outputs, and what safeguards are in place to mitigate bias and inaccuracies.
Beware of vendors reselling or embedding third-party AI tools without sufficient knowledge or flow-down obligations. The vendor should be able to audit or explain the tools it licenses from third parties if those AI tools are handling your company’s sensitive health care data.
4. Address Liability and Risk Allocation
AI-related liability, especially from errors, hallucinations, or cybersecurity incidents, can have sizable consequences. Ensure the contract includes tailored indemnities and risk allocations based on the data sensitivity and function of the AI tool.
Watch out for vendors who exclude liability for AI-generated content. This may be acceptable for internal tools but not for outputs that reach patients, payors, or regulators. Low-cost tools with high data exposure can pose a disproportionate liability risk, which is especially true if liability caps are tied only to the contract fees.
5. Plan for Regulatory Compliance and Change
With evolving rules from federal and state privacy regulators, vendors must commit to ongoing compliance with current and future requirements. Contracts should allow flexibility for future changes in law or best practices. This will better help ensure that the AI tools your company relies on will not fall behind the regulatory curve — or worse, expose your company to enforcement risk due to noncompliance or outdated model behavior.
Incorporating this AI Vendor Contracting Checklist into your vendor selection process will help CEOs systematically manage risks, compliance, and innovation opportunities when engaging with AI vendors.
AI Vendor Contracting Checklist:
Define AI scope, capabilities, and performance expectations.
Clarify data ownership, access, and privacy obligations.
Require transparency and explainability of AI processes.
Set clear liability, risk, and compliance responsibilities.
Establish terms for updates, adaptability, and exit strategy.
AI solutions in the health care space continue to rapidly evolve. Thus, digital health companies should closely monitor any new developments and continue to take necessary steps towards protecting themselves during the contracting process.
FDA and NIH Launch Joint Nutrition Regulatory Science Program
On May 9, 2025, FDA and the National Institutes of Health (NIH) announced the launch of the new Nutrition Regulatory Science Program, a joint initiative to research diet-related chronic diseases and inform food and nutrition policy.
FDA and NIH touted the program as “a key element in fulfilling U.S. Department of Health and Human Services Secretary Robert F. Kennedy, Jr.’s commitment to Make America Healthy Again.” The Agencies stated that the program will allow them to “invest in gold standard science, prioritize a better understanding of the root causes to end the diet-related chronic disease crisis and safeguard the health of America’s children.”
The program is intended to answer (arguably leading) questions related to diet-related chronic disease such as:
How and why can ultra-processed foods harm people’s health?
How might certain food additives affect metabolic health and possibly contribute to chronic disease?
What is the role of maternal and infant dietary exposures on health outcomes across the lifespan, including autoimmune diseases?
FDA will contribute regulatory science expertise to the program, while NIH will provide infrastructure for scientific research, with experts in chronic disease, nutrition, toxicology, risk analysis, behavioral science, and chemistry contributing to the program. The Agencies said that they will work together to develop a research agenda and ensure that all research is fair, independent, and free of conflicts of interest.
Keller and Heckman will continue to report on developments related to the new program.
National Science Foundation (NSF) Imposes 15% Indirect Cost Rate Cap: What to Know
On May 2, 2025, the National Science Foundation (“NSF”) issued a “Policy Notice: Implementation of Standard 15% Indirect Cost Rate” (NSF 25-034) (hereinafter “Policy Notice”) adopting a uniform 15% Indirect Cost Rate (“IDC”) for all new NSF grants and cooperative agreements awarded to Institutions of Higher Education (“IHEs”).
The Policy Notice, which became effective May 5, 2025, sets forth a new policy by which NSF will now apply a single, standard IDC “not to exceed 15%” to all future grants and cooperative agreements awarded to IHEs for allowable indirect costs. Currently, IHEs have reported IDCs ranging from 50% to 65%. The Policy Notice allows the awardee organization to “determine the appropriate rate up to this [15%] limit.”
Rationale for the New Policy
Indirect costs, also referred to as “facilities” and “administrative” costs (“F&A”), encompass costs not directly assignable to a specific project or activity but necessary to support the overall research infrastructure of the recipient organization. Historically, awardees seeking to recover indirect costs related to NSF awards have negotiated IDCs on an institution-by-institution basis. These rates were included in Negotiated Indirect Cost Rate Agreements (“NICRAs”), binding upon the institution and the agency, and applied against the Modified Total Direct Costs (“MTDC”) for the project. In contrast to the new uniform 15% rate, NICRAs represent a formally negotiated rate based on an exchange of information with NSF concerning the institution’s general costs and expenditures, including historical cost information, and regularly updated by the institution, often annually.
The Policy Notice asserts that the shift to using a single 15% IDC rate supports NSF’s commitment to efficiency, consistency, and effectiveness, and is designed to enable awardees to “focus more on scientific progress and less on administrative overhead by aligning with common federal benchmarks.” The Policy Notice also emphasizes that the adoption of a single, standard IDC “improves government efficiency by eliminating the need for individualized indirect cost negotiations.”
Regulatory Framework
As a reminder, the National Institutes of Health (“NIH”) issued a similar policy to cap indirect costs for NIH awardees at 15% on February 7, 2025 (“NIH Notice”), which has been permanently stayed per court order in the wake of three consolidated lawsuits challenging the act, though subject to a pending appeal. Shortly after, on April 11, 2025, the Department of Energy (“DOE”) announced an almost identical rate cap of 15% on recovery of indirect rate costs by IHE awardees, discontinuing the use of negotiated indirect cost rates for DOE grants (“DOE Notice”). The DOE Notice was promptly challenged in federal court and temporarily restrained nationally by a federal judge. Notably and likely in response to the legal challenges to the prior rate capping notices, the NSF Policy Notice includes language supporting NSF’s legal authority for implementing this almost-immediate change.
First, the Policy Notice provides that it “serves as public notification of the policies, procedures and general decision-making criteria that NSF has used to justify deviation from negotiated rates for all awards in accordance with 2 CFR 200.414(c) for the class of NSF financial assistance awarded to IHEs.” Notably, § 200.414(c)(1) requires that all federal agencies accept negotiated indirect cost rates, and that an agency “may use a rate different from the negotiated rate for either a class of Federal awards or a single Federal award only when required by Federal statute or regulation, or when approved by the awarding Federal agency in accordance with paragraph (c)(3).” In turn, § 200.414(c)(3) – the analogue to 45 C.F.R. § 75.414(c)(1) in the Department of Health and Human Services regulations – requires that the agency “must implement, and make publicly available, the policies, procedures and general decision-making criteria that their programs will follow to seek and justify deviations from negotiated rates.”
The referenced regulations mirror the regulatory framework relied upon by NIH in the NIH Notice. However, where the NIH Notice was silent as to how it made its decision-making criteria public, including prior to issuance, the NSF Policy Notice leaves no room for doubt given its express statement incorporating the regulatory language, indicating the Notice serves as the required public notification of NSF’s policies, procedures, and criteria justifying deviation from negotiated rates.
Second, the Policy Notice makes clear that it takes “precedence over inconsistent policies and procedures set forth in the NSF Proposal & Award Policies & Procedures Guide [(“PAPPG”)] for all financial assistance issued after the effective date,” thus attempting to preempt legal challenges relying on the negotiated rate procedures set forth in the PAPPG.
Impact on Current and Pending NSF Grants
The Policy Notice explicitly states the new 15% rate will not apply retroactively to awards issued prior to the effective date. Further, award supplements and continuing grant increments made or awarded under an original grant in existence on or before the May 5, 2025, effective date are not subject to the new policy. Similarly, IHEs are not required to revise budgets for awards issued before May 5, 2025, or repay reimbursed indirect costs.
However, NSF awardees should still be aware of other avenues through which the federal government may alter, and even reduce, their IDCs on existing grants. Specifically, as set forth on NSF’s website, the United States Office of Management and Budget (“OMB”) has authorized all federal agencies to, at their discretion, renegotiate existing NICRAs (i.e., issue amended agreements presumably with new rates), “to reflect the new MTDC base.” NSF has publicly announced it will consider modification requests on a case-by-case basis.
Note that on its face, the new NSF IDC rate does not apply to non-IHEs, but given the widespread partnership between institutes of higher education and academic medical centers/research institutions, there may be broad downstream impacts on planned research partnerships across the academic research community.
Recent Legal Challenges to the NSF Policy Notice
On May 6, 2025, the NSF Policy Notice was challenged in a lawsuit filed by the Association of American Universities (“AAU”) along with American Council on Education (“ACE”), Association of Public and Land-Grant Universities (“APLU”), Brown University, California Institute of Technology, University of California, Carnegie Mellon University, University of Chicago, University of Illinois, Massachusetts Institute of Technology, University of Michigan, University of Minnesota, University of Pennsylvania, and Princeton University (AAU, et al. v. National Science Foundation, Case #1:25-cv-11231), alleging NSF’s 15% rate cap on IDCs is unlawful because the change, among other things, violated NSF’s governing statutes, Office of Management and Budget (“OMB”) regulations, and, notably, the Administrative Procedure Act (“APA”), which has served as the basis for several pending lawsuits challenging unilateral IDC rate cuts and other administrative actions taken by NIH under the new federal administration. Specifically, the complaint alleges (1) the indirect rate change is arbitrary and capricious, (2) the rate change violates NSF’s authorizing statutes by supplanting the individually negotiated rates with a one-size-fits-all cap, and (3) NSF failed to comply with applicable OMB regulations for recovery of indirect cost rates. Plaintiffs filed a combined motion for preliminary injunction and request for expedited summary judgment based on their view that the matter can be decided on an expedited basis on the existing record. Plaintiffs have asked the court to declare the Rate Cap Policy illegal and to enter a preliminary and permanent injunction against NSF, prohibiting NSF and anyone acting on NSF’s behalf from applying the 15% rate cap in any form or otherwise modifying the existing negotiated indirect cost rates except as permitted by statute and regulation.
EBG will continue to follow developments in NSF’s IDC policy, including any updates to NSF’s grant policy documents, FAQs, or other guidance.
Beyond the Headlines: Key Medicaid and Health Policy Changes You May Have Missed
On May 11, the House Energy and Commerce Committee released a detailed legislative text and a section-by-section summary of a broad health package affecting Medicaid, the Children’s Health Insurance Program (CHIP), ACA marketplace plans, and Medicare pharmacy benefit manager (PBM) oversight.
While high-profile elements related to Medicaid — such as proposed changes to provider taxes, noncitizen coverage, and Medicaid expansion populations — are drawing significant media attention, the legislation also contains several under-the-radar but consequential policies.
Program Integrity:
The legislation includes multiple provisions aimed at improving data accuracy and curbing waste, fraud, and abuse in Medicaid. These measures target administrative loopholes that have led to inefficiencies and duplicate spending. While these baseline oversight functions existed in different formats, they will now be uniform and codified:
Dual Enrollment Prevention: Requires a system that prevents individuals from being enrolled in more than one state’s Medicaid program at the same time.
Quarterly Death File Checks for Providers and Enrollees: States must conduct quarterly checks of both beneficiary and provider records against the Social Security Administration’s Death Master File. While many states already run monthly enrollee checks — particularly in managed care programs — this provision adds providers to the review process, helping further prevent erroneous payments.
Monthly Termination Checks: States must perform monthly cross-checks to identify providers who have been terminated by HHS or other states. Those flagged will be automatically disenrolled from Medicaid. Although the ACA required disenrollment of terminated providers, this new monthly verification requirement strengthens enforcement.
Regulatory Delays:
The legislative package includes targeted rollbacks or delays of rules introduced under the Biden administration:
Staffing Standards Moratorium for LTC Facilities: Implementation of federal staffing mandates for long-term care facilities will be delayed until January 1, 2035.
Delay in Streamlining Medicaid & MSP Eligibility: Proposed changes to streamline eligibility determinations for Medicaid and the Medicare Savings Program (MSP) will be delayed until January 1, 2035.
Medicaid Enrollment Rule Delay: Delays implementation of the federal rule aimed at streamlining eligibility and enrollment processes for Medicaid, CHIP, and the Basic Health Program until January 1, 2035.
Importantly, despite these delays, the Medicaid access-to-care rules remain intact, signaling continued federal emphasis on strengthening access and equity in care delivery.
Out-of-State Provider Enrollment
A standout provision for providers is the requirement that states create a streamlined enrollment process for out-of-state pediatric providers in Medicaid and CHIP. This change eliminates duplicative screening processes and lowers administrative barriers, making it easier for qualified providers to serve children across state lines.
This is a notable win for pediatric specialists and facilities that frequently treat children referred from other states, especially those with rare or complex conditions, and a step forward in improving continuity of care for medically vulnerable children.
Medicaid DSH Cuts Postponed
The bill postpones the scheduled $8 billion in annual Medicaid Disproportionate Share Hospital (DSH) cuts, originally set to begin in FY 2026, to FY 2029. This extension offers critical financial relief for safety-net hospitals and allows states more time to prepare budget adjustments.
Additionally, Tennessee’s DSH funding — previously set to expire at the end of FY 2025 — is extended through FY 2028, ensuring continued support for the state’s uncompensated care system.
As the legislative process moves forward, stakeholders should monitor implementation timelines, particularly around the program integrity provisions, and begin preparing systems and staff for compliance with new federal mandates.
Twenty States Sue the Trump Administration for HHS Program Eliminations and Staff Layoffs
Nineteen states plus the District of Columbia filed a federal Complaint in U.S. District Court for the District of Rhode Island on May 5, 2025 alleging that the Trump Administration’s recent activities to downsize and restructure the Department of Health and Human Services (HHS) are unlawful under both the U.S. Constitution and the Administrative Procedure Act (APA). The coalition of states, led by New York, is asking the judicial branch for declaratory and injunctive relief “to prevent the unconstitutional and illegal dismantling of the Department.” In addition to New York and the District of Columbia, states joining the lawsuit comprise Arizona, California, Colorado, Connecticut, Delaware, Hawai’i, Illinois, Maine, Maryland, Michigan, Minnesota, New Jersey, New Mexico, Oregon, Rhode Island, Vermont, Washington, and Wisconsin (together, the Plaintiff States). This is but one among multiple legal challenges to the ongoing programmatic and research cuts within HHS and its sub-agencies, such as the National Institutes of Health, Food and Drug Administration, and Centers for Medicare and Medicaid Services.
In their Complaint, the Plaintiff States emphasize both that the department was created by Congress via statutory enactments and that many of its mandates are congressionally directed, with significant federal appropriations allocated to HHS every year. They point out that “[i]ncapacitating one of the most sophisticated departments in the federal government implicates hundreds of statutes, regulations, and programs.” The plaintiffs allege, therefore, that the restructuring and reduction in force (RIF) actions taken by HHS Secretary Kennedy and the other named defendants, which ignore those statutory mandates and refuse to spend funds appropriated to HHS for designated purposes, violate the U.S. Constitution’s appropriations clause as well as separation of powers principles.
We have previously blogged about HHS’s recent restructuring and RIF actions, as well as the Trump administration’s plans for reducing the overall HHS discretionary budget. In its factual allegations, the Plaintiff States’ Complaint sets out a detailed timeline of actions taken by the Trump administration to dismantle the department, beginning on January 21, 2025 immediately after the presidential inauguration. It also points to the White House Office of Management and Budget (OMB) fiscal 2026 internal HHS budget document, dated April 10 and leaked on April 16 (which we discussed here), as evidence that the administration’s plan from day one of its tenure was to eviscerate the department.
The Plaintiff States further argue that the Trump administration’s actions in this area have been arbitrary and capricious under the APA’s legal standard “because the department’s stated reasons for the layoffs and reorganization – to promote ‘efficiency’ and ‘accountability’ – are pretext for Secretary Kennedy’s stated goal of attacking science and public health.” In support of this contention, the Plaintiff States summarize Secretary Kennedy’s long history of public statements criticizing HHS and various of its public health functions using vitriolic language and baseless claims about global conspiracies.
The Complaint also highlights specific examples of injuries that have already occurred to the Plaintiff States and their citizens as a result of the March 27, 2025 HHS reorganization announcement and the subsequent actions since then to terminate employees, programs, and offices. Among other things, it notes that “employees who remain at HHS have been prevented from collecting and reviewing new applications; designing, distributing, and implementing new policies and guidance; collecting and distributing scientific data; issuing obligated funds to the Plaintiff States and others; investigating for program integrity; and responding to any manner of public inquiry.” One specific example cited in the Complaint relates to the closure of infectious disease laboratories run by the Centers for Disease Control & Prevention (CDC). Without those specialized CDC testing labs, state public health laboratories throughout the country are being directed via CDC’s webpage to send their patient samples to New York State’s Wadsworth Center, which has “elite capabilities” and can test for rare and complex diseases “that cannot be done anywhere else in the country except for the CDC before April 1,” the Plaintiff States explain. However, they point out that the New York lab “was not built to replace the CDC and it simply could never fill that hole.” With a halt to so much testing by CDC, including for widespread public health needs such as foodborne pathogens and tuberculosis, our public health infrastructure is undoubtedly being damaged, and outbreaks will become more frequent. The terminations also are directly at odds with Congress’s legislative directives to CDC to protect the public health.
Throughout U.S. history to date (as we approach the country’s 249th birthday this coming Independence Day), and as envisioned by the authors of our Constitution, the three branches of the federal government are treated as “co-equals,” with due respect accorded to one another and the critical roles each one plays in the delicate balance that is our tri-partite system of federal governance. So, although the federal courts should be an effective way to curtail perceived lawlessness by the executive branch, the current administration has demonstrated a willingness to ignore injunctions and other judicial orders (for example, see here). We will monitor the outcome of this important legal challenge in the Rhode Island District Court, as well as any future appeals. However, it is very possible that the Plaintiff States will not get the relief they are requesting, even if the federal courts agree with them regarding the nature of the executive’s actions to dismantle much of HHS without prior notice to Congress or a chance to ensure that mandatory public health functions can continue.
This very real potential outcome of the federal court litigation strongly suggests that Congress must get involved to exert effective oversight and some form of a “check” on the executive branch if we are to retain many of our nation’s critical health and human services functions. These include critical HIV prevention, environmental health, and tobacco control functions that have been substantially damaged (although ending such programs is seemingly incompatible with much of Secretary Kennedy’s Make America Healthy Again agenda that seeks to reduce the burden of chronic diseases). Health care and life sciences stakeholders can contact their congressional representatives and can also submit comments to any open HHS or OMB docket that affects their interests, rather than relying solely on the outcome of judicial processes, given the extraordinary political times we are experiencing in 2025.
This Week in 340B: May 6 – 12, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation. Get more details on these 340B cases and all other material 340B cases pending in federal and state courts with the 340B Litigation Tracker.
Issues at Stake: Contract Pharmacy; GPO Prohibition; Anti-Trust; Other
A group of commonly-owned drug manufacturers filed a complaint against the Tennessee attorney general to challenge a state law governing contract pharmacy arrangements.
In a case challenging a Nebraska state law governing contract pharmacy arrangements, a group of amici filed an amici curiae brief in support of the defendant’s motion to dismiss.
In a case challenging the Health Resources and Services Administration’s (HRSA) policy limiting the circumstances in which covered entities can use their group purchasing arrangements to purchase non-340B drugs, the defendant filed a cross motion for summary judgment and opposition to plaintiff’s motion for summary judgment.
In an appealed case challenging a Louisiana law governing contract pharmacy arrangements, the intervenor-defendant filed a motion for leave to file a sur-reply to appellant’s reply brief.
In an anti-trust class action case, the defendant filed a motion to dismiss plaintiff’s amended complaint.
In a case challenging a Missouri state law governing contract pharmacy arrangements, the defendants filed a supplemental brief in support of their motion to dismiss. In the same case, the plaintiffs filed a supplemental brief in opposition to the defendants’ motion to dismiss.
In a case by a covered entity against HRSA, HRSA filed a response to the covered entity’s supplemental brief in support of its motion for preliminary injunction, a group of drug manufacturers filed a motion for leave to file an amicus brief in support of HRSA, and the covered entity filed a supplemental brief requested by the court.
New DOJ White Collar Priorities Focus on Health Care Fraud
On May 12, 2025, the U.S. Department of Justice’s Criminal Division released a new guidance memo on white-collar enforcement priorities in the Trump Administration entitled “Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime.”
In this memo, and the accompanying speech by Matthew R. Galeotti, the Trump Administration’s appointed Head of the Criminal Division, the DOJ reiterated its previously stated commitment to prosecuting illegal immigration, drug cartels, and transnational criminal organizations. For the first time in the new Administration, however, the DOJ clearly articulated new white-collar enforcement priorities, directing Criminal Division white-collar prosecutors to follow three core tenets: focus, fairness, and efficiency. As detailed below, the new memo sets forth the following three priorities:
1. Focus on High-Impact Waste, Fraud, and Abuse Harming Vulnerable Taxpayers
It should be no surprise that the administration is targeting actors that profit through “waste, fraud, and abuse.” The memo sets clear priorities for its prosecutors to investigate, listing as the #1 priority health care fraud and federal program and procurement fraud. The memo goes on to provide a top 10 list of “high-impact areas”, with “trade and customs fraud, including tariff evasion” as #2. Heavy focus is given to fraud perpetrated by foreign actors and conduct threatening U.S. national security. Also listed is fraud victimizing U.S. investors, including elder fraud and Ponzi schemes. Appearing as #8 on the list are violations of the Controlled Substances Act and the Federal Food, Drug and Cosmetic Act, including the creation of counterfeit pills laced with fentanyl and the “unlawful distribution of opioids by medical professionals and companies.”
The memo also prioritizes efforts to identify and seize assets that are the proceeds of offenses harming vulnerable victims by amending the DOJ Criminal Division’s Corporate Whistleblower Awards Pilot Program to reflect priority areas where whistleblower tips lead to forfeitures. These areas include criminal violations related to international criminal organizations, corporations violating federal immigration laws, corporate sanctions, and trade offenses, and other areas consistent with the Administration’s previously stated priorities.
2. Fairness in Prosecuting Corporations and Individuals
Consistent with the outlook of prior administrations, the DOJ clearly stated that its first priority is to prosecute individuals as opposed to corporations. The memo notes that individuals commit crimes often at the expense of corporate shareholders, employees, investors, and American consumers. The memo also states that “the Division’s policies must strike an appropriate balance between the need to effectively identify, investigate, and prosecute corporate and individuals’ criminal wrongdoing while minimizing unnecessary burdens on American enterprise.” The memo cautions that not all corporate misconduct warrants federal criminal prosecution and directs prosecutors to consider additional factors when determining whether to bring criminal charges against corporations, including whether the company reported its conduct to the DOJ; the company’s willingness to cooperate with the government investigation; and remedial actions taken by the company. The memo also states that “prosecutors should prioritize schemes involving senior-level personnel or other culpable actors, demonstrable loss, and efforts to obstruct justice.”
3. Conduct Efficient Investigations That Do Not Linger
The memo acknowledges that federal investigations into alleged corporate wrongdoing can be costly and intrusive for businesses, investors, and others, and that individuals impacted by a lengthy investigation often had no knowledge of or involvement in the conduct at issue. The memo also concedes that corporate investigations can disrupt a business’s day-to-day operations and cause reputational harm. To decrease the impact on business and commerce, prosecutors are now required to minimize the length and collateral impact of their investigations by working expeditiously to investigate cases and make charging decisions.
In addition, the DOJ is implementing policy changes that could be seen as more business friendly, such as stating that potentially costly corporate monitorships are disfavored and only to be imposed in limited circumstances and ordering a review of existing monitorships and agreements with companies. The memo also limits existing corporate resolutions to three years, except in exceedingly rare cases, with guidance to regularly assess these agreements to determine if early termination is appropriate.
Although many of these changes have been anticipated in the months since the change of administration, the memo provides clarity and concrete priority areas for prosecution – as well as areas where DOJ will pull back federal oversight, such as monitorships.
Our next blog will discuss the newly revised Justice Manual provision 9-47.120 – Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy, which provides that “additional benefits are now available to companies that self-disclose and cooperate, including potential shorter terms” of deferred or non-prosecution agreements.
We will be monitoring additional developments in this area as the Administration continues to implement policy changes.
Data Transactions: DOJ’s Final Rule’s Implications for Academic Medical Centers with Clinical Research Programs
The Department of Justice (DOJ) published its Final Rule to implement Executive Order 14117 on January 8, 2025, with a correcting amendment issued April 18, 2025. Executive Order 14117, issued on February 28, 2024, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” instructed the Attorney General to create regulations that ban or limit U.S. persons from participating in transactions involving property in which a foreign country or its nationals have an interest. Transactions are banned or limited if they involve U.S. government-related data or bulk sensitive personal data (as defined by the final implementing rules), fall into categories deemed by the Attorney General to pose a national security risk (with such security risk arising from potential access to data by identified countries of concern or related individuals), and meet additional criteria outlined in the Executive Order.
The Final Rule outlines categories of transactions that are either banned or limited; designates specific countries and types of individuals or entities with whom transactions involving government-related or bulk U.S. sensitive personal data are restricted; creates a system for granting, modifying, or revoking licenses for otherwise restricted activities and for issuing advisory opinions; and sets transaction recordkeeping and reporting requirements to support the DOJ’s investigations, enforcement, and regulatory actions in relation to the Executive Order.
Academic Medical Centers (AMCs) and similar entities engaged in clinical research and international collaborations need to be aware of and determine the applicability of the regulatory requirements imposed by the Final Rule. Research partnerships involving biometric identifiers, personal health information, or genomic data may be deemed restricted or prohibited transactions if the partnerships include entities from designated countries of concern.
Summary
The Final Rule is aimed at preventing certain U.S. foreign adversaries — including China, Russia, Iran, North Korea, Cuba, and Venezuela — from accessing sensitive U.S. personal data and government-related information.
Key Definitions. The Final Rule authorizes the DOJ to regulate and enforce restrictions on data transactions with designated “Countries of Concern” and “Covered Persons.”
“Country of Concern” is defined to mean:
any foreign government that, as determined by the Attorney General with the concurrence of the Secretary of State and the Secretary of Commerce, (1) has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons, and (2) poses a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons.
“Covered Person” is defined to include: (1) foreign entities that (a) are fifty percent or more owned, directly or indirectly, by Countries of Concern or another Covered Person; or (b) are organized under the law of, or have their principal place of business in, a Country of Concern; (2) foreign entities that are fifty percent or more owned, directly or indirectly, by Covered Persons, either individuals or entities; (3) foreign individuals who are non-U.S. residents working as employees or contractors of a Country of Concern; (4) foreign individuals primarily residing in Countries of Concern; and (5) other entities or individuals as reasonably determined by the Attorney General based on certain criteria.
Categories of Covered Data. The Final Rule targets eight categories of “Covered Data,” including biometric identifiers, genomic data, health and financial data, precise geolocation information, and personal identifiers that can be linked to other sensitive data. It also includes certain government-related information, such as data tied to U.S. government personnel or the geolocation of sensitive facilities. Notably, the regulations apply regardless of data processing volume when government-related information is involved.
Primary Types of Restricted Transactions. The DOJ identifies three primary types of restricted transactions: employment, investment, and vendor agreements. U.S. businesses must ensure foreign employees, investors, and service providers — especially those linked to Countries of Concern — do not gain access to Covered Data unless strict security protocols are met. This affects a wide range of commercial activities, from hiring and corporate deals to cloud services and software subscriptions, and likely impacts AMCs engaging in clinical research when data is shared with certain employees, research sponsors, investors and service providers. Prohibitions and restrictions of the Final Rule, however, only apply to Covered Data Transactions with a Country of Concern or Covered Person that involve access by a Country of Concern or Covered Person to government-related data or bulk U.S. sensitive personal data. The Final Rule does not regulate transactions that do not implicate access to government-related data or bulk U.S. sensitive personal data by a Country of Concern or a Covered Person.
Prohibited Transactions. Notably, under the Final Rule certain transactions are absolutely prohibited, such as those involving the sale or licensing of Covered Data to foreign entities in data brokerage arrangements, or those involving biometric data or biospecimens.
Penalties for Non-Compliance. Violations of the Final Rule carry significant fines and penalties. Civil fines can reach the greater of US$368,136 or twice the transaction amount. Willful violations may result in criminal penalties of up to US$1 million and up to 20 years in prison.
The Bottom Line for Clinical Research. To comply with the Final Rule, AMCs must engage in rigorous and thorough diligence on proposed and existing research activities, collaborations and operations, including on their partners, clients, employees/contractors, and data recipients, to determine if a proposed or existing transaction falls within the ambit of the Final Rule. The scope and penalties for violations of and non-compliance with the Final Rule are a clear indicator that a process to determine and ensure compliance with the Final Rule will be critical for AMCs, and businesses across industries, that engage in activities and transactions involving personal or government-related data.
Implications for Academic Medical Centers with Clinical Research Programs
The Final Rule adds a new layer of regulatory compliance complexity for AMCs and similar entities engaged in clinical research and international collaborations.
Research studies and activities, including research collaborations and partnerships involving biometric identifiers, personal health information or genomic data, may be deemed restricted or prohibited transactions if the partnerships include entities from designated Countries of Concern and/or Covered Persons.
Existing and proposed multi-national studies and data-sharing initiatives must be reviewed to determine if the Final Rule is applicable to the study or activity, and if so, to ensure compliance.
Additionally, AMCs must also ensure that vendors, including cloud and AI service providers, are not affiliated with Countries of Concern and that all data processing activities meet stringent new security and compliance standards. As noted above, ensuring compliance with the Final Rule will necessitate a thorough review of the AMC’s vendor contracts.
Further, the Final Rule necessitates a reassessment by AMCs of their data-sharing policies and multi-site protocols, and will likely require the incorporation of national security-focused compliance clauses in certain data sharing agreements (such as data use agreements) and the enhancement of institutional data governance frameworks. Those frameworks should be designed to avoid and mitigate any legal and regulatory exposure, and to ensure that the institution is able to maintain eligibility for receipt of federal funding.
Next Steps
This Final Rule prescribes significant categorical rules that prevent U.S. persons from providing government-related data or U.S. citizens’ bulk, sensitive personal data, including through commercial data-brokerage transactions, to Countries of Concern or Covered Persons. Compliance with the Final Rule specifically necessitates that AMCs and institutions implement security measures when engaging in investment transactions, employment agreements, and vendor contracts that involve either government-related data or large-scale collections of sensitive personal data — such as health records, biometric identifiers, or financial information.
The requirements of the Final Rule are intended to prevent foreign adversaries from indirectly accessing this data through commercial relationships. By identifying these specific transaction types, the Final Rule seeks to address perceived national security gaps and provides clear, enforceable standards that define when and how data-related dealings with foreign actors are restricted.
Failure to comply with these new requirements could result in fines and penalties, regulatory scrutiny, loss of federal funding, and enforcement actions, making compliance with the Final Rule, when and as applicable to a transaction and activity, a critical compliance priority for AMCs and institutions handling large volumes of sensitive personal data.
Have You Done Your Part to Comply with Part 2 Changes?
Important changes are coming to 42 CFR Part 2 (Part 2), which deals with the confidentiality of patients’ substance use disorder (SUD) records. On April 16, 2024, the US Department of Health and Human Services (HHS) published a new final rule to update Part 2 (New Rule) in an effort to align the requirements of Part 2 with those found in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Part 2 will now allow patients to sign a single consent for future uses and disclosures of Part 2 records, as opposed to patients previously having to sign individualized consents prior to each disclosure. Following such consent from the patient, a HIPAA-regulated recipient of the Part 2 records may further use and disclose those records as permitted under HIPAA, except for civil, criminal, administrative or legislative proceedings against the individual who is the subject of the Part 2 records. Additionally, breaches of Part 2 information now must be addressed in the same manner as other breaches involving unsecured protected health information (for instance, by requiring certain notifications be made within no more than 60 calendar days from the discovery of the breach). Finally, civil penalties for violations of Part 2 have been added, thus making the penalties consistent with those available under HIPAA. Any entities or providers who are subject to Part 2 must comply with the New Rule by February 16, 2026, or risk incurring significant penalties under the new Part 2 regime.
One of the most notable changes under the New Rule is that Part 2 violation penalties and HIPAA violation penalties are now aligned. Previously, Part 2 violations were only subject to criminal penalties. The disciplinary framework under the New Rule allows for both civil and criminal penalties for a Part 2 violation. On the civil side, penalty fines can be up to $1.5 million per calendar year, depending on the severity of the violation. On the criminal side, penalty fines can be up to $250,000, with imprisonment from one to 10 years, depending on the severity of the violation.
Given the significant changes to Part 2 and the approaching date for compliance, entities and providers subject to Part 2 should, at a minimum, review and update their materials and procedures related to:
Patient consent;
Disclosure of patient information;
Medical records/documentation;
Patient rights;
Breach notification;
Patient notices (i.e., Notice of Privacy Practices); and
Data storage and segregation.
Some next steps are purely internal but will require collaboration to ensure that the technical and administrative aspects align. Other steps are patient-facing and will require updates to documentation, combined with operationalizing communications to patients. In addition, internal training materials should be updated to account for the various Part 2 changes, and staff should be educated about the updated requirements and the severity of consequences that could result from willful or inadvertent non-compliance.
The New Rule’s updated penalties represent a distinct shift towards stricter and more punitive enforcement regarding the confidentiality of SUD records and compliance with Part 2 generally. Entities and providers subject to Part 2 should begin reviewing and revising their policies and procedures now to ensure compliance with the New Rule by 2026 in light of the expected more punitive enforcement landscape.