Key Updates to the Employment Rights Bill

As part of the UK Government’s efforts to boost living standards and following weeks of consultation with business groups and trade unions, the Government has announced a series of proposed changes that the Employment Rights Bill (the “Bill”) plans to implement. Here is a brief overview of the measures:

Employees will receive new “Day One” rights including being entitled to:

statutory sick pay (at present, this only applies from the third day of sickness absence);
unfair dismissal protection (removing the two-year qualifying employment requirement);
parental leave (removing the 26-weeks continuous service requirement); and
paternity leave entitlement (removing the one-year continuous service requirement).

Increasing the maximum period of the protective award for collective redundancy from 90 days to 180 days. Tribunals will be able to grant larger awards to employees for an employer’s failure to meet consultation requirements. Further guidance will be issued on this.
Abolishing the Lower Earnings Limit of £123 weekly to ensure that all employees, irrespective of pay, have access to statutory sick pay (“SSP”). People on wages below £123 weekly will receive either 80% of their average weekly earnings or statutory sick pay (which is currently £116.75), whichever is lower.
Employers will be required to take all reasonable steps to prevent sexual harassment, and disclosures relating to sexual harassment will constitute “protected disclosures”.
Flexible working is set to become the “default” for all workers from their first day with employers only able to refuse a flexible working request if it is “unreasonable” based on a lawful ground (listed in the Bill).
It will be unlawful to dismiss pregnant mothers during their pregnancy and maternity leave (subject to exceptions which are yet to be clarified).
Bereavement leave will be available for those who suffer a pregnancy loss before 24 weeks.
A Modern Framework for Industrial Relations will be created to align trade union operations with modern work practices.
Time limits for bringing claims in the employment tribunals will be extended from three to six months following the date of the act(s) complained of.
Dismissing an employee who does not agree to a contract variation, or dismissing an employee in order to employ another person or re-engage the same employee under a varied contract to carry out substantially the same duties, will be considered unfair dismissal unless the employer can show it could not reasonably have avoided making the variation.
The definition of workers will now include agency workers who should be able to access a contract which reflects the hours they regularly work. The zero-hour contract ban will extend to include agency workers.
Those working for umbrella companies will be given rights and protections comparable to those they would have if they were working for a recruitment agency. Enforcement action will be able to be taken against umbrella companies that do not comply.

The Government will no longer be including a “right to switch off” outside of working hours in the Bill, which would have prevented employers from contacting staff out of hours. However, there have been suggestions that this right may be included in an accompanying code in due course.
The Bill is set to be heard before Parliament over the next few weeks, during which further amendments may be made. The Bill is expected to be introduced next Autumn.
Maya Sterrie also contributed to this article.

AI Meets HIPAA Security: Understanding HHS’s Risk Strategies and Proposed Changes

In this final blog post in the Bradley series on the HIPAA Security Rule notice of proposed rulemaking (NPRM), we examine how the U.S. Department of Health and Human Services (HHS) Office for Civil Rights interprets the application of the HIPAA Security Rule to artificial intelligence (AI) and other emerging technologies. While the HIPAA Security Rule has traditionally been technology agnostic, HHS explicitly addresses security measures for these evolving technology advances. The NPRM provides guidance to incorporate AI considerations into compliance strategies and risk assessments.
AI Risk Assessments
In the NPRM, HHS would require a comprehensive, up-to-date inventory of all technology assets that identifies AI technologies interacting with ePHI. HHS clarifies that the Security Rule governs ePHI used in both AI training data and the algorithms developed or used by regulated entities. As such, HHS emphasizes that regulated entities must incorporate AI into their risk analysis and management processes and regularly update their analysis to address changes in technology or operations. Entities must assess how the AI system interacts with ePHI considering the type and the amount of data accessed, how the AI uses or discloses ePHI, and who the recipients are of AI-generated outputs.
HHS expects entities to identify, track, and assess reasonably anticipated risks associated with AI models, including risks related to data access, processing, and output. Flowing from the proposed data mapping safeguards discussed in previous blog posts, regulated entities would document where and how the AI software interacts with or processes ePHI to support risk assessments. HHS would also require regulated entities to monitor authoritative sources for known vulnerabilities to the AI system and promptly remediate them according to their patch management program. This lifecycle approach to risk analysis aims to ensure the confidentiality, integrity, and availability of ePHI as technology evolves.
Integration of AI developers into the Security Risk Analysis
More mature entities typically have built out third-party vendor risk management diligence. If finalized, the NPRM would require all regulated entities contracting with AI developers to formally incorporate Business Associate Agreement (BAA) risk assessments into their security risk analysis. Entities also would need to evaluate BAs based on written security verifications that the AI vendor has documented security controls. Regulated entities should collaborate with their AI vendors to review technology assets, including AI software that interacts with ePHI. This partnership will allow entities to identify and track reasonably anticipated threats and vulnerabilities, evaluate their likelihood and potential impact, and document security measures and risk management.
Getting Started with Current Requirements
Clinicians are increasingly integrating AI into clinical workflows to analyze health records, identify risk factors, assist in disease detection, and draft real-time patient summaries for review as the “human in the loop.” According to the most recent HIMSS cybersecurity survey, most health care organizations permit the use of generative AI with varied approaches to AI governance and risk management. Nearly half the organizations surveyed did not have an approval process for AI, and only 31% report that they are actively monitoring AI systems. As a result, the majority of respondents are concerned about data breaches and bias in AI systems.
The NPRM enhances specificity in the risk analysis process by incorporating informal HHS guidance, security assessment tools, and frameworks for more detailed specifications. Entities need to update their procurement process to confirm that their AI vendors align with the Security Rule and industry best practices, such as the NIST AI Risk Management Framework, for managing AI-related risks, including privacy, security, unfair bias, and ethical use of ePHI.
The proposed HHS requirements are not the only concerns clinicians must consider when evaluating AI vendors. HHS also has finalized a rule under Section 1557 of the Affordable Care Act requiring covered healthcare providers to identify and mitigate discrimination risks from patient care decision support tools. Regulated entities must mitigate AI-related security risks and strengthen vendor oversight in contracts involving AI software that processes ePHI to meet these new demands.
Thank you for tuning into this series analyzing the Security Rule updates. Please contact us if you have any questions or if we can assist with any steps moving forward.
Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

Industry Groups Urge Rescission of Proposed HIPAA Security Rule Updates

In February, a coalition of healthcare organizations sent a letter to President Donald J. Trump and the U.S. Department of Health and Human Services (HHS) (the Letter), urging the immediate rescission of a proposed update to the Security Rule under HIPAA. The update is aimed at strengthening safeguards for securing electronic protected health information.
According to The HIPAA Journal, the data breach trend in the healthcare industry over the past 14 years is up, not down. This is the case despite the HIPAA Security Rule having been in effect since 2005.
The HIPAA Journal goes on to provide some sobering statistics:
Between October 21, 2009, when OCR first started publishing summaries of data breach reports on its “Wall of Shame”, and December 31, 2023, 5,887 large healthcare data breaches have been reported. On January 22, 2023, the breach portal listed 857 data breaches as still under investigation. This time last year there were 882 breaches listed as under investigation, which shows OCR has made little progress in clearing its backlog of investigations – something that is unlikely to change given the chronic lack of funding for the department.
There have been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. The move to digital record keeping, more accurate tracking of electronic devices, and more widespread adoption of data encryption have been key in reducing these data breaches. There has also been a downward trend in improper disposal incidents and unauthorized access/disclosure incidents, but data breaches continue to increase due to a massive increase in hacking incidents and ransomware attacks. In 2023, OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over the same period. In 2019, hacking accounted for 49% of all reported breaches. In 2023, 79.7% of data breaches were due to hacking incidents.
The letter, signed by numerous healthcare organizations, outlines several key concerns regarding the proposed HIPAA Security Rule update, including:

Financial and Operational Burdens: The letter argues that the proposed regulation would impose significant financial and operational burdens on healthcare providers, particularly those in rural areas. The unfunded mandates associated with the new requirements could strain the resources of hospitals and healthcare systems, leading to higher healthcare costs for patients and reduced investment in other critical areas.
Conflict with Existing Law: The Letter points to an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act, arguing the proposed enhancements to the Security Rule conflict with the HITECH Act amendment. However, the HITECH Act amendment sought to incentivize covered entities to adopt “recognized security practices” that might minimize (not necessarily eliminate) remedies for HIPAA Security Rule violations and the length and extent of audits and investigations.
Timeline and Feasibility: The letter highlights concerns about the timeline for implementing the proposed requirements. The depth and breadth of the new mandates, combined with an unreasonable timeline, present significant challenges for healthcare providers.

No doubt, the Trump Administration is intent on reducing regulation on business. However, it will be interesting to see whether it softens or even eliminates the proposed rule in response to the Letter, despite the clear trend of more numerous and damaging data breaches in the healthcare sector, and an increasing threat landscape facing all U.S. businesses.

What to Watch in Nevada’s 2025 Legislative Session: Key Employment-Related Bills

On February 3, 2025, the Nevada state legislature kicked off its latest legislative session, and state lawmakers are poised to consider several bills that could impact employers and employees, from last day pay provisions to paid leave and work restrictions for minors. Here is a recap from the first month in session.

Quick Hits

The Nevada state legislature commenced its latest legislative session on February 3, 2025.
State lawmakers are considering multiple bills that could impact employment law in Nevada.

Employers may want to take note of these legislative developments, which, if passed and enacted, could result in significant changes to Chapters 608 and 613 of the Nevada Revised Statutes (NRS).
Here is a breakdown of some of the key bills in this legislative session.

SB 198: Changes to Last Day Pay Provisions

Senate Bill (SB) 198 would revise the last day pay provisions under NRS 608.030. Under existing law, employers are required to pay discharged employees their earned and unpaid wages immediately. Similarly, employees placed on nonworking status must be paid immediately, and those who resign or quit must be paid by their next regular payday or within seven days, whichever is earlier. Penalties for the failure to pay final wages and compensation do not attach for three days from the date the wages and compensation are due, which is commonly referred to as the “three-day grace period.”
The new bill would expand the definition of compensation to include fringe benefits and increase penalties for noncompliance. Further, the bill would eliminate the “three-day grace period.” Instead, employers would only have until 5:00 p.m. on the day following the date wages and compensation are due to the employee. The bill would also increase the penalties to an amount equal to eight hours of work at 1.5 times the employee’s hourly wage for each day the payment is delayed, up to thirty days. The bill would also mandate that cannabis establishments comply with all federal and state labor laws, with violations resulting in license revocation.

AB 112: Sick Leave Policy Changes

Assembly Bill (AB) 112 would remove the exemption for employees covered by a collective bargaining agreement (CBA) from the provisions of NRS 608.01975. Under current law, employers are not required to allow employees covered by a CBA to use accrued sick leave for family medical needs. The bill would eliminate that exemption, making the requirement applicable to all employers, regardless of CBA coverage. However, the changes would not apply during the current term of any CBA entered into before October 1, 2025. Still, they would apply to any extensions, renewals, or new agreements made on or after that date.

AB 166: Work Hour Restrictions for Minors

AB 166 would extend the limitations on the number of hours workers under the age of sixteen are allowed to work to workers under the age of eighteen and reduce the number of allowable work hours from forty-eight hours in a week to forty hours in a week. The bill would maintain the daily limit of eight hours. Additionally, the bill would prohibit minors enrolled in school from working before 5:00 a.m. on school days and after 10:00 p.m. on nights preceding school days. Exceptions would remain for work as performers in motion pictures and work on farms.

AB 179: Extension of Paid Leave Statute

Nevada’s existing paid leave statute requires private employers with fifty or more employees in the state to provide at least 0.01923 hours of paid leave for each hour worked, but it does not apply to employers that provide such a paid leave policy “pursuant to a contract, policy, collective bargaining agreement or other agreement.” AB 179 would eliminate that exception to the statute. Further, the bill clarifies specific actions that would constitute unlawful “retaliation” under the statute against an employee who takes paid leave.

AB 255: Prohibiting Repayment Obligations in Employment Contracts

AB 255 would prohibit employers from requiring an employee or independent contractor to repay the employer any sums if the employee terminates employment before a specified period of time expires. This could include training expenses, relocation expenses, or sign-on bonuses with repayment obligations, which are tied to an employee or independent contractor satisfying a length of service first. AB 255 could be enforced by the labor commissioner or the attorney general, and would also create a private right of action.

SB 160: Realignment of Nevada Equal Rights Commission and Enhanced Scope of Authority

SB 160 would remove the Nevada Equal Rights Commission (NERC) from the Department of Employment, Training and Rehabilitation, and move it to the Office of the Attorney General. It permits NERC to consider “historical data” related to the employer’s discriminatory practices. There is declarative language in this legislation about nondiscrimination being a public policy of the state, which could open the door to wrongful termination in violation of public policy claims based on discriminatory acts, which is not currently the law. The bill also details a penalties structure for employers that are deemed to have committed “willful” violations of the statute.

First Circuit Joins Other Circuits in Adopting Stricter Causation Standard in FCA Cases Based on Anti-Kickback Statute

On February 18, 2025, the First Circuit joined the Sixth and Eighth Circuits in adopting a “but for” causation standard in cases involving per se liability under the federal Anti-Kickback Statute (AKS) and the False Claims Act (FCA). In U.S. v. Regeneron Pharmaceuticals, the First Circuit held that for an AKS violation to automatically result in FCA liability, the government must show that the false claims would not have been submitted in the absence of the unlawful kickback scheme. The decision is the latest salvo in the battle over what it means for a false claim to “result from” a kickback, as discussed in our False Claims Act: 2024 Year in Review.
With the fight becoming increasingly one-sided — the Third Circuit remains the only circuit that has adopted a less stringent causation standard — the government may look at alternative theories to link the AKS and FCA.
Key Issues and the Parties’ Positions
As outlined in our previous posts on the issue, the legal dispute revolves around the interpretation of the 2010 amendment to the AKS, which states that claims “resulting from” a kickback constitute false or fraudulent claims under the FCA.
In this case, the government accused Regeneron of violating the AKS by indirectly covering Medicare copayments for its drug, Eylea, through donations to a third-party foundation. The government’s key argument relied on the Third Circuit’s Greenfield decision, the AKS’s statutory structure, and the 2010 amendment’s legislative history to argue that a stringent causation standard would defeat the amendment’s purpose. It urged the court to find that once a claim is tied to an AKS violation, it should automatically be considered false under the FCA — without the need to prove that the violation directly influenced the claim.
Regeneron, on the other hand, argued that an FCA violation only occurs if the kickback was the determining factor in the submission of the claim. Relying on the Eighth and Sixth Circuits’ decisions, prior Supreme Court precedent, and a textual reading of the amendment, Regeneron contended that the phrase “resulting from” could only mean actual causation and nothing less.
The Court’s Decision
The First Circuit sided with Regeneron. It found that, given the Supreme Court’s prior interpretation of the phrase “resulting from” as requiring but-for causation, this should be the default assumption when a statute uses that language. While acknowledging that statutory context could, in some cases, suggest a different standard, the court concluded that the government failed to provide sufficient contextual justification for a departure from but-for causation.
The court rejected the government’s argument that, in the broader context of the AKS statutory scheme, it would be counterintuitive for Congress to impose a more stringent causation standard for civil AKS violations than for criminal AKS violations, which require no proof of causation. The court also dismissed the government’s legislative history argument — specifically, the claim that a but-for causation standard would undermine the impetus for the amendment.
Implication: False Certification Theories May Become More Prominent
The First Circuit was careful to distinguish between the per se liability at issue in this case and liability under a false certification theory. While the government must show but-for causation for an AKS violation to automatically give rise to FCA liability, the court said that the same is not true for false certification claims.
Any entity that submits claims for payment under federal healthcare programs certifies — either explicitly or implicitly — that it has complied with the AKS. The court noted that nothing in the 2010 amendment requires proof of but-for causation in a false certification case. The government may take this as a cue to pivot toward false certification claims as a means of linking the AKS and FCA, potentially leaving the 2010 amendment argument behind.
Final Thoughts
The First Circuit’s decision in U.S. v. Regeneron Pharmaceuticals further cements the dominance of the “but for” causation standard in linking AKS violations to FCA liability, making it increasingly difficult for the government to pursue claims under a per se liability theory. With three circuits now aligned on this interpretation and only the Third Circuit standing apart, the tide appears to be turning in favor of a stricter causation requirement.
However, as the court acknowledged, this ruling may not foreclose other avenues for FCA liability — particularly false certification claims, which at least this court has found do not require the same level of causal proof. Given this, the government may shift its focus toward alternative enforcement strategies to maintain the strength of its anti-kickback enforcement efforts. As the legal landscape continues to evolve, healthcare entities and compliance professionals should remain vigilant, as new litigation trends and regulatory responses may reshape the interplay between the AKS and FCA in the years to come.

HHS Reverses Its Longstanding Policy and Limits Public Participation in Rulemaking

On March 3, 2025, the Secretary of Health and Human Services published a policy statement in the Federal Register that reverses a policy adopted over 50 years ago that was intended to expand public participation in the process of rulemaking at the Department of Health and Human Services (the “Department”). 90 Fed. Reg. 11029 (2025).
This action is at odds with the “radical transparency” that Secretary Kennedy had promised previously, and may affect many programs and financial relationships between individuals, organizations, and others that interact with Health and Human Services (“HHS”).
Regulatory agencies such as HHS and its components, including the Centers for Medicare and Medicaid Services (“CMS”), the Food and Drug Administration (“FDA”), and the National Institutes of Health (“NIH”) must follow rulemaking procedures set out in the Administrative Procedure Act (“APA”) when they formulate and publish regulations that are intended to implement a statute and have the force of law. Those procedures include offering the public an opportunity to be notified of proposed regulations and to submit comments to the agency. The APA also contains several exceptions to the notice and comment requirement, including one for matters relating to “public property, loans, grants, benefits, or contracts.” Nevertheless, HHS and several other federal departments adopted policies that voluntarily waived these exceptions.
In 1971, then-Secretary of Health, Education, and Welfare Elliot Richardson issued a policy statement announcing that the Department would voluntarily follow notice and comment procedures for regulations relating to public property, loans, grants, benefits, or contracts (the “Richardson Waiver”). That notice explained that the waiver would allow for greater participation by the public in the rulemaking process, and that the additional burden on the Department was outweighed by the public benefit. The policy also instructed that although the APA allows for rulemaking procedures to be waived when good cause exists, that exception should be used “sparingly.”
HHS’s New Policy Limiting Rulemaking and Potential Safeguards
The new HHS policy statement sweeps away the 1971 policy. Its impact may vary depending on the issue and component of HHS. For example, for research funded by the NIH or other projects funded by agencies within HHS, the new policy could allow a granting or contracting agency to amend financial terms without public participation. This exact issue is currently in the spotlight as courts actively evaluate the legality of the NIH’s recent Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates (NOT-OD-25-068) (“Supplemental Guidance”), issued by the Office of the Director of the National Institutes of Health on February 7, 2025, which attempted to impose an across-the-board 15% cap on Indirect Cost (“IDC”) rates for all new grants as well as for existing grants awarded to Institutions of Higher Education. The District Court of Massachusetts has imposed a nationwide preliminary injunction (“PI”) prohibiting the Secretary and NIH from taking any steps to implement or enforce the Supplemental Guidance. Commonwealth of Massachusetts, et al. v. National Institutes of Health, et al., No. 25-CV-10338 (D. Mass. Mar. 5, 2025). The court concluded that the plaintiffs would be irreparably harmed by the Supplemental Guidance and agreed that the Supplemental Guidance was a legislative rule that failed to comply with the notice and comment requirements of the APA. It relied in part on the argument that under the Richardson Waiver, the Secretary could not change the IDC rate unilaterally. The timing of the Department’s policy reversing the Richardson Waiver might be viewed as directly responsive to this disputed point in the ongoing litigation.
In other areas, the policy statement may have little or no impact if there is a separate statutory requirement for rulemaking. In the Medicare statute, for example, Congress mandated in Section 1871(a)(2) of the Social Security Act that HHS must engage in notice and comment rulemaking for any “substantive legal standard governing the scope of benefits, the payment for services, or the eligibility of individuals, entities, or organizations to furnish or receive services or benefits . . . .” Should Congress decide to limit the scope of the new HHS policy, this statute could be a template for legislation.
The impact of the new policy on the Medicaid program is less clear. While there is no similar statutory requirement for rulemaking under the Medicaid program as there is for Medicare, the federal government also has more limited control over the direction of each individual State’s Medicaid program offering. However, there are areas where HHS has sought public comment on changes to state Medicaid program requirements in the past, such as changes proposed by States through Medicaid program waivers that the federal government has to approve. This new policy may be signaling that HHS will choose not to seek comments on those proposed changes in the future.
Returning to the IDC rate litigation, there arguably exists both statutory and regulatory grounding for applying grantees’ existing negotiated indirect cost rates, documented in the negotiated indirect cost rate agreement (“NICRA”) entered into between the government and grantee institutions. First, a provision in the annual appropriations act since 2018 has limited Congress’ ability to impose any type of across-the-board cap. See Further Consolidated Appropriations Act, 2024, P.L. 118-47, Title II, § 224. This was adopted in response to the first Trump administration’s attempt to impose an across-the-board cap of 10% in 2017. Second, in the HHS regulations applicable to IDC rates, there is an explicit requirement that the negotiated rates must be “accepted by all Federal awarding agencies.” 45 C.F.R. § 75.414(c)(1). This regulatory exception, and alleged noncompliance with the APA’s rulemaking requirement, is at the core of the ongoing IDC rate litigation. As such, there are arguably continued bases for the objection to the NIH Supplemental Guidance notwithstanding the recent reversal of the Richardson Waiver.
Does HHS’s New Policy Signal a Wider Use of the “Good Cause” Exception?
Another part of the new HHS policy to watch carefully involves the exception in the APA that allows agencies to dispense with notice and comment rulemaking when there is good cause that a notice and comment period is impractical or contrary to the public interest. The new HHS policy states that agencies may rely on the good cause exception “in appropriate circumstances” rather than “sparingly” but provides no further clarification.
Courts have interpreted this exception narrowly; for example, they have upheld good cause exceptions when agencies have responded to epidemics and natural disasters, but have rejected exceptions claimed by agencies due to statutory deadlines, economic concerns, or a need to implement a political goal rapidly. In addition, a 2012 report published by the Government Accountability Office criticized the frequent use of the good cause exception to avoid public comments on rules. Therefore, it remains to be seen how and when HHS relies on this exception, and whether the reasons offered justify the exception or would stand up to judicial review.

OSHA Terminates COVID-19 Emergency Temporary Standard for Healthcare Workers

Is COVID-19 still a thing, and does OSHA care about it? Yes and yes. We all know that COVID-19 is still around. On the OSHA front, the agency seems to be focused less exclusively on COVID-19 and plans to take a broader approach.
Refresher on OSHA’s Work During the Pandemic
On June 21, 2021, OSHA issued an Emergency Temporary Standard (ETS) to protect healthcare workers from COVID-19. The ETS also served as a proposed rule for a permanent standard to address COVID-19 exposure in healthcare settings. OSHA submitted a draft final rule to the Office of Management and Budget in December 2022. However, the COVID-19 pandemic evolved, and the resources needed to finalize a separate COVID-19 standard grew, which resulted in a House Joint Resolution terminating the national emergency and OSHA terminating the rulemaking.
Now What?
OSHA determined that a more effective strategy would be to create a broader infectious diseases standard for healthcare workers. This new standard will cover multiple infectious diseases, including COVID-19, offering more comprehensive protections for healthcare workers. As a result, effective January 15, 2025, OSHA has decided to terminate its COVID-19 rulemaking and focus instead on this broader infectious diseases standard, rather than a disease-specific approach. On February 5, 2025, OSHA issued a memorandum that it will not enforce the COVID-19 recordkeeping and reporting requirements.


This Week in 340B: February 25 – March 3, 2025

Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: Antitrust; Contract Pharmacy; HRSA Audit Process; Rebate Model

In an antitrust class action case, the court granted the defendant’s motion to dismiss.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, a group of amici filed an amicus brief in support of appellees.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, defendants-appellants filed an opening brief.
In a Freedom of Information Act (FOIA) case, the plaintiff filed a reply in support of its motion to strike the government’s motion for summary judgment.
In one Health Resources and Services Administration (HRSA) audit process case, the plaintiff filed a supplemental brief in support of the plaintiff’s motion for preliminary injunction.
A group of 340B covered entities filed a complaint against a group of commercial payors, alleging that the payors were in breach of their contracts by failing to pay the proper amounts for 340B-acquired drugs.
In three cases challenging a proposed state law governing contract pharmacy arrangements in Missouri, the court denied in part and granted in part two separate motions to dismiss and denied plaintiff’s motion for a preliminary injunction in a third case.
In two cases against HRSA alleging that HRSA unlawfully refused to approve drug manufacturers’ proposed rebate models:

In one such case, a group of amici filed an amicus brief in support of defendants.
In one such case, a group of amici moved for leave to file an amicus brief in support of plaintiffs’ motion for summary judgment.

Additional Authors: Kelsey Reinhardt and Nadine Tejadilla

California’s AI Revolution: Proposed CPPA Regulations Target Automated Decision Making

On November 8, 2024, the California Privacy Protection Agency (the “Agency” or the “CPPA”) Board met to discuss and commence formal rulemaking on several regulatory subjects, including California Consumer Privacy Act (“CCPA”) updates (“CCPA Updates”) and Automated Decisionmaking Technology (ADMT).
Shortly thereafter, on November 22, 2024, the CPPA published several rulemaking documents for public review and comment; the comment period ended on February 19, 2025. If adopted, these proposed regulations will make California the next state to regulate AI at a broad and comprehensive scale, in line with Colorado’s SB 24-205, which contains similar sweeping consumer AI protections. After considering the reviews and comments received, the CPPA Board will decide whether to adopt or further modify the regulations at a future Board meeting. This post summarizes the proposed ADMT regulations, which businesses should review closely and be prepared to act upon to ensure future compliance.
Article 11 of the proposed ADMT regulations outlines actions intended to increase transparency and consumers’ rights related to the application of ADMT. The proposed rules define ADMT as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” The regulations further define ADMT as a technology that includes software or programs, uses the output of technology as a key factor in a human’s decisionmaking (including scoring or ranking), and includes profiling. ADMT does not include technologies that do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking (this includes web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies). The proposed ADMT regulations will require businesses to notify consumers about their use of ADMT, along with their rationale for its implementation. Businesses also would have to provide explanations on ADMT output in addition to a process for consumers to request to opt-out from such ADMT use.
It is important to note that the CCPA Updates will be applicable to organizations that meet the thresholds of California Civil Code sections 1798.140(d)(1)(A), (B) and (C). These provisions apply to organizations that: (A) make more than $25,000,000 in gross annual revenues; (B) alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households; and (C) derive 50% or more of their annual revenues from selling or sharing consumers’ personal information. While not exhaustive of the extensive rules and regulations described in the proposed CCPA Updates, the following are the notable changes and potential business obligations under the new ADMT regulations.
Scope of Use
Businesses that use ADMT for making significant decisions concerning consumers must comply with the requirements of Article 11. “Significant decisions” include decisions that affect financial or lending services, housing, insurance, education, employment, healthcare, essential goods services, or independent contracting. “Significant decisions” may also include ADMT used for extensive profiling (including, among others, profiling in work, education, or for behavioral advertising), and for specifically training AI systems that might affect significant decisions or involve profiling.
Providing a Pre-Use Notice
Businesses that use ADMT must provide consumers with a pre-use notice that informs consumers about the use of ADMT, including its purpose, how ADMT works, and their CCPA consumer rights. The notice must be easy to read, available in the languages in which the business customarily provides documentation to consumers, and accessible to those with disabilities. Businesses must also clearly present the notice to the consumer in the way in which the business primarily interacts with the consumer, and they must do so before they use any ADMT to process the consumer’s personal information. Exceptions to these requirements will apply to ADMT used for security, fraud prevention, or safety, where businesses may omit certain details.
According to Section 7220 of the CCPA Updates, pre-use notice must contain:

A plain language explanation of the business’s purpose for using ADMT.
A description of the consumer’s right to opt-out of ADMT, as well as directions for submitting an opt-out request.
A description of the consumer’s right to access ADMT, including information on how the consumer can request access to the business’s ADMT.
A notice that the business may not retaliate against a consumer who exercises their rights under the CPPA.
Any additional information (via a hyperlink or other simple method), in plain language, that discusses how the ADMT works.

Consumer Opt-Out Rights
Consumers must be able to opt-out of ADMT use for significant decisions, extensive profiling, or training purposes. Exceptions to opt-out rights include where businesses use ADMT for safety, security, or fraud prevention or for admission, acceptance, or hiring decisions, so long as it is necessary, and its efficacy has been evaluated to ensure it works as intended. Businesses must provide consumers at least two methods of opting out, one of which should reflect the way the business mainly interacts with consumers (e.g., email, internet hyperlink etc.). Any opt-out method must be easy to execute and should require minimal steps that do not involve creating accounts or providing unnecessary info. Businesses must process opt-out requests within 15 business days, and they may not retaliate against consumers for opting out. Businesses must wait at least 12 months before asking consumers who have opted out of ADMT to consent again for its use.
Providing Information on the ADMT’s Output
Consumers have the right to access information about the output of a business’s ADMT. The CPPA regulations do not define “output,” but the term likely includes outcomes produced by ADMT and the key factors influencing them.
When consumers request access to ADMT, businesses must provide information on how they use the output concerning the consumer and any key parameters affecting it. If they use the output to make significant decisions about the consumer, the business must disclose the role of the output and any human involvement. For profiling, businesses must explain the output’s role in the evaluation.
Output information includes predictions, content, recommendations, and aggregate statistics. Depending on the ADMT’s purpose, intended results, and the consumer’s request, the information provided can vary. Businesses must carefully consider these nuances to avoid over-disclosure.
Human Appeal Exception
The CPPA proposes a “human appeal exception,” by which consumers may appeal a decision to a human reviewer who has the authority to overturn the ADMT decision. Businesses can choose to offer a human appeal exception in lieu of providing the ability to opt out when using ADMT to make a significant decision concerning access to, denial, or provision of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.
To take advantage of the human appeal exception, the business must designate a human reviewer who is able to understand the significant decision the consumer is appealing and the effects of the decision on the consumer. The human reviewer must consider the relevant information provided by the consumer in their appeal and may also consider any other relevant source of information. The business must design a method of appeal that is easy for consumers to execute, requiring minimal steps, and that it clearly describes to the consumer. Communications and disclosures with appealing consumers must be easy to read and understand, written in the applicable language, and reasonably accessible.
Risk Assessments
Under the CPPA’s proposed rules, every business that processes consumer personal information must conduct a risk assessment before initiating that processing, especially if the business is using ADMT to make significant decisions concerning a consumer or for extensive profiling. Businesses must conduct risk assessments to determine whether the risks to consumers’ privacy outweigh the benefits to consumers, the business, and other stakeholders.
When conducting a risk assessment, businesses must identify and document: the categories of personal information to be processed and whether they include sensitive personal information; the operational elements of its ADMT processing (e.g., collection methods, length of collection, number of consumers affected, parties who can access this information, etc.); the benefits that this processing provides to the business, its consumers, other stakeholders, and the public at large; the negative impacts to consumers’ privacy; the safeguards that it plans to implement to address said negative impacts; information on the risk assessment itself and those who conducted it; and whether the business will initiate the use of ADMT despite the identified risks.
A business will have 24 months from the effective date of these new regulations to submit the results of the risk assessments it conducted between the effective date of these regulations and the date of submission. After completing its first submission, a business must submit subsequent risk assessments every calendar year. In addition, a business must review and update risk assessments to ensure accuracy at least once every three years, and it should convey updates through the required annual submission. If there is any material change to a business’s processing activity, it must immediately conduct a risk assessment. A business should retain all information collected for its risk assessments for as long as the processing continues, or for five years after the completion of the assessment, whichever is later.
What Businesses Should Do Now
The CPPA’s proposed ADMT regulations under the CCPA emphasize the importance of transparency and consumer rights. By requiring businesses to disclose how they use ADMT outputs and the factors influencing the outputs, the regulations aim to ensure that consumers are well-informed, and safeguards exist to protect against discrimination. As businesses incorporate ADMT, including AI tools, for employment decision making, they should follow the proposed regulations’ directive to conduct adequate risk assessments. Regardless of the form in which these regulations go into effect, preparing a suitable AI governance program and risk assessment plan will protect the business’s interests and foster employee trust.
Please note that the information provided in the above summary is only a portion of the rules and regulations proposed in the CCPA Updates. Now that the comment period has closed, the CPPA will deliberate on and finalize the CCPA Updates within the year. Evidently, these proposed regulations will require more action by businesses to remain compliant. While waiting for the CPPA’s finalized update, it is important to use this time to plan and prepare for these regulations in advance.

Raw Milk: State Legislative Updates and Challenges

Several states have recently introduced or passed legislation related to raw milk, reflecting a growing interest in unpasteurized milk despite the fact that raw milk can carry harmful bacteria such as Salmonella, E.coli, and Listeria, posing serious health risks. The U.S. Food and Drug Administration (FDA) and the Centers for Disease Control (CDC) strongly advise against consuming raw milk due to these dangers and have implemented regulations to limit its sale. 
Despite the long-standing position of both agencies, the new Secretary of the Department of Health and Human Services (HHS), Robert F. Kennedy Jr., has been a vocal advocate for raw milk, promoting its benefits and criticizing regulatory restrictions. His support has brought renewed attention to the raw milk movement, influencing legislative efforts.

Arkansas Bill HB 1048: This bill would allow the sale of raw goat milk, sheep milk, and whole milk directly to consumers at the farm, at farmer’s markets, or via delivery by the farm.
Utah Bill HB414: This bill has passed the House and is now before the Senate. This bill establishes enforcement steps for raw milk suspected in foodborne illness outbreaks, aiming to protect consumers.
Other states’ legislation: States including Iowa, Minnesota, West Virginia, Maryland, Rhode Island, Oklahoma, New York, Missouri, and Hawaii have introduced various raw milk-related bills, with efforts ranging from expanding sales to implementing stricter safety regulations.

Proposed HIPAA Security Rule Updates May Significantly Impact Covered Entities and Business Associates

As we noted in our previous blog here, on January 6, 2025, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) proposing substantial revisions to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Parts 160 and 164) (the “Security Rule”).
This NPRM is one of several recent actions taken at the federal level to improve health data security. A redline showing the NPRM’s proposed revisions to the existing Security Rule language is available here. Comments on this NPRM must be submitted to OCR by March 7, 2025. Over 2,800 comments have been submitted thus far. These comments include opposition from several large industry groups raising concerns about the costs of compliance, asserting that the NPRM would impose an undue financial burden without a clear need for such changes to the existing framework. Some commentators expressed concerns regarding the burden on smaller or solo practitioners, while other commentators wrote in support of the effort to improve cybersecurity and commented on suggested alterations to particular elements of the rulemaking. Although the Trump administration apparently has not publicly commented on the NPRM and the final outcome of the rulemaking remains unclear, this Insight details important changes in the NPRM and potential widespread impacts on both covered entities and business associates (collectively, “Regulated Entities”).
The NPRM, if finalized as drafted, establishes new prescriptive cybersecurity and documentation requirements. This represents a significant change for a rule whose hallmark has historically been a flexible approach based upon cybersecurity risk, considering the size and complexity of an organization’s operations. Notably, the background to the NPRM is that the Security Rule already applies to Regulated Entities, including health-related information technology (IT) and artificial intelligence (AI) organizations that process health data on behalf of covered entities. The overall impact of the proposed changes may vary because certain Regulated Entities may already have in place the more robust safeguards prescribed by the NPRM. However, for those Regulated Entities that have not previously taken all such steps, including complying with the enhanced documentation requirements, the burden of the new compliance requirements may be significant.
OCR pointed to several justifications for the proposed revisions to the Security Rule, including:

the need for strong security standards in the health care industry to improve the efficiency and effectiveness of the health care system;
the continuous evolution of technology since the Security Rule was last updated in 2013;
inconsistent and inadequate compliance with the Security Rule among Regulated Entities; and
the need to strengthen the Security Rule to address changes in the health care environment, including the increasing number of cybersecurity incidents resulting from a proliferation of evolving cyber threats.

Although not discussed in detail by OCR, the growing number of state privacy and data protection laws, risk management frameworks related to data protection, and court decisions have also contributed to the impetus for greater specificity in the Security Rule with its focus on protecting identifiable patient health information.
Notably, many of the substantive requirements in the NPRM are already incorporated in various guidelines and safeguards for protecting sensitive information, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and HHS’s cybersecurity performance goals (CPGs). Voluntary compliance with these recognized guidelines has been incentivized pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act’s 2021 amendment because a Regulated Entity that adopts “recognized security practices” is entitled to have its adoption considered by OCR in determining fines and other consequences if the agency conducts a review of the Regulated Entity’s HIPAA compliance. Accordingly, OCR noted that these standards and other similar guidelines were considered in the development of the NPRM requirements. Moreover, even if they have already implemented these practices, Regulated Entities will be faced with significantly increased administrative requirements, such as regular review and enhanced documentation requirements.
Key Proposed Changes
The NPRM includes the following key revisions:
New/Updated Definitions Clarify Electronic Systems Within the Rule’s Protections
The NPRM includes 10 new definitions and 15 changed definitions. Some of the new definitions address basic concepts that OCR had not defined previously, including “risk,” “threat,” and “vulnerability.” These definitions are not groundbreaking but will help guide Regulated Entities in establishing a more uniform standard for what they should be evaluating when considering data security.
Another change to the definitions section involves OCR’s proposed updates to the definition of “information systems” as well as new definitions for “electronic information system” and “relevant electronic information system.” Throughout the NPRM, OCR clarifies when all electronic information systems must abide by a rule versus only the relevant electronic information systems. In effect, each definition narrows the preceding definition, with “relevant electronic information systems” encompassing the smallest group of systems.
The NPRM defines an “electronic information system” as an “interconnected set of electronic information resources under the same direct management control that shares common functionality” and “generally includes technology assets such as hardware, software, electronic media, information and data.” Conversely, “relevant electronic information systems” are only those electronic information systems that create, receive, maintain, or transmit electronic protected health information (ePHI) or that otherwise affect the confidentiality, integrity, or availability of ePHI. The catchall phrasing broadens the definition significantly, requiring Regulated Entities to consider electronic systems they rely on that do not contain any ePHI but may affect access to and/or the confidentiality or integrity of ePHI.
“Addressable” Security Implementation Specifications Would Become “Required”
The Security Rule sets forth three categories of safeguards an organization must address: (1) physical safeguards, (2) technical safeguards, and (3) administrative safeguards. Each set of safeguards comprises a number of standards, and each standard in turn consists of a number of implementation specifications, each of which is a more detailed instruction for implementing that particular standard.
Currently, the Security Rule categorizes implementation specifications as either “addressable” (i.e., which give Regulated Entities flexibility in how to approach them) or “required” (i.e., they must be implemented by Regulated Entities). In meeting standards that contain addressable implementation specifications, a Regulated Entity currently has the option to (1) implement the addressable implementation specifications, (2) implement one or more alternative security measures to accomplish the same purpose, or (3) not implement either an addressable implementation specification or an alternative. In any event, the Regulated Entity’s choice and rationale must be documented.
According to the NPRM, OCR has become concerned that Regulated Entities view addressable implementation specifications as optional, thereby reducing the ultimate effectiveness of the Security Rule. The NPRM proposes to remove the distinction between “addressable” and “required” specifications, making all implementation specifications required, except for a few narrow exemptions.
Technology Asset Inventories and Information System Maps Are Required
The current Security Rule requires Regulated Entities to assess threats, vulnerabilities, and risks but stops short of prescribing particular methods or means of doing so. Certain recognized security practices generally include assessing technology assets and reviewing the movement of ePHI through technological systems to ensure there are no blatant vulnerabilities or overlooked risks.
The NPRM proposes to turn these practices into explicit requirements to create a technology asset inventory and a network map. The technology asset inventory would require written documentation identifying all technology assets, including location, the person accountable for such assets, and the version of each asset. The network map must illustrate the movement of ePHI through electronic information systems, including how ePHI enters, exits, and is accessed from outside systems. Additionally, the network map must account for the technology assets used by business associates to create, receive, maintain, or transmit ePHI. Both the technology asset inventory and network map would need to be reviewed and updated at least once every 12 months.
More Specific Risk Analysis Elements and Frequency Requirements Are Imposed
The Security Rule currently requires Regulated Entities to conduct a risk analysis assessing the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by such entities. As mentioned above, the Security Rule itself does not actually define “risk,” leaving some latitude for Regulated Entities to determine what should be included and considered in their risk analyses. While NIST (e.g., SP 800-30), the CPGs, and other authoritative sources have, over time, developed practices for conducting risk analyses, the current Security Rule (last updated in 2013) does not reflect what many now consider to be “best practices,” nor does it provide a specific methodology for Regulated Entities to consider in analyzing risks.
The NPRM imposes specific requirements that must be included in a risk analysis and its documentation, including:

a review of the aforementioned technology asset inventory and network map;
identification of all reasonably anticipated threats to the ePHI created, received, maintained, or transmitted by the Regulated Entity;
identification of potential vulnerabilities to the relevant electronic information systems of the Regulated Entity;
an assessment and documentation of the security measures the Regulated Entity uses to ensure that the measures protect the confidentiality, integrity, and availability of the ePHI;
a reasonable determination of the likelihood that “each” of the identified threats will exploit the identified vulnerabilities; and
if applicable, a reasonable determination of the potential impact of such exploitation and the risk level of each threat.

OCR notes in its preamble that there is still flexibility in determining risk based on the specific type of Regulated Entity and that entity’s specific circumstances. A high or critical risk to one Regulated Entity might be low or moderate to another. OCR is attempting to draw a fine line between telling Regulated Entities more explicitly what they should consider as risks (and what classification of risk should be assigned) while staying true to the hallmark flexibility of the Security Rule in allowing Regulated Entities to determine criticality.
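To make the risk analysis elements above concrete, the following is an added example (not part of this post, the NPRM, or any OCR guidance) of a small risk register in Python. It pairs each anticipated threat with the vulnerability it could exploit and the security measure currently relied on, derives a risk level from the likelihood and impact determinations, and lets each Regulated Entity set its own score thresholds, which is the flexibility OCR describes: the same threat pair can land in a different risk tier under a more conservative threshold set. The three-point scales, the multiplicative scoring, the threshold values and all sample threat pairs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales for the two determinations the NPRM asks for. The NPRM does
# not prescribe a scale; the three-point scale here is an assumption.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}

# Inclusive upper score bounds for "low", "moderate" and "high"; any score
# above the last bound is "critical". Each entity chooses its own bounds.
DEFAULT_THRESHOLDS: Tuple[int, int, int] = (2, 4, 6)


@dataclass
class ThreatPair:
    threat: str            # a reasonably anticipated threat to ePHI
    vulnerability: str     # the vulnerability that threat could exploit
    likelihood: str        # "low" | "moderate" | "high"
    impact: str            # "low" | "moderate" | "high"
    existing_measure: str  # the security measure currently relied on


def risk_level(likelihood: str, impact: str,
               thresholds: Tuple[int, int, int] = DEFAULT_THRESHOLDS) -> str:
    """Map a likelihood/impact pair to a risk tier under the given thresholds."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    low_max, moderate_max, high_max = thresholds
    if score <= low_max:
        return "low"
    if score <= moderate_max:
        return "moderate"
    if score <= high_max:
        return "high"
    return "critical"


def risk_register(pairs: List[ThreatPair],
                  thresholds: Tuple[int, int, int] = DEFAULT_THRESHOLDS) -> List[dict]:
    """Document every threat/vulnerability pair and order it by risk tier, then score."""
    rows = []
    for p in pairs:
        rows.append({
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "likelihood": p.likelihood,
            "impact": p.impact,
            "score": LIKELIHOOD[p.likelihood] * IMPACT[p.impact],
            "risk": risk_level(p.likelihood, p.impact, thresholds),
            "existing_measure": p.existing_measure,
        })
    order = {"critical": 0, "high": 1, "moderate": 2, "low": 3}
    rows.sort(key=lambda r: (order[r["risk"]], -r["score"]))
    return rows


# Constructed sample pairs for a hypothetical Regulated Entity (not real findings).
SAMPLE_PAIRS = [
    ThreatPair("phishing of workforce credentials", "single-factor login to patient portal",
               "high", "high", "annual security awareness training"),
    ThreatPair("ransomware on file server", "vendor patch not yet applied",
               "moderate", "high", "quarterly patch cycle"),
    ThreatPair("lost laptop", "local drive not encrypted",
               "moderate", "moderate", "asset tagging"),
    ThreatPair("printer misconfiguration", "default management credentials",
               "low", "low", "network segmentation"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_PAIRS):
        print(f'{row["risk"]:9} {row["score"]}  {row["threat"]} / {row["vulnerability"]}')
    # A more conservative entity lowers the bounds and re-tiers the same pairs.
    for row in risk_register(SAMPLE_PAIRS, thresholds=(1, 3, 5)):
        print(f'{row["risk"]:9} {row["score"]}  {row["threat"]}')
```

The register rows map directly onto the NPRM elements: the threat and vulnerability identifications, the existing security measure, the likelihood determination, and the impact and risk level. Passing a different `thresholds` tuple is how the example models one entity treating a score as moderate while another treats the same score as high.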
The NPRM requires that risk analyses be reviewed, verified, and updated at least once every 12 months or in response to environmental or operational changes impacting ePHI. In addition to the risk analysis, the NPRM also proposes a separate evaluation standard wherein the Regulated Entity must create a written evaluation to determine whether any and all proposed changes in environment or operations would affect the confidentiality, integrity, or availability of ePHI prior to making that change.
Patch Management Is Now Subject to Mandated Timing Requirements
The NPRM proposes a new patch management standard that requires Regulated Entities to implement policies and procedures for identifying, prioritizing, and applying software patches throughout their relevant electronic information systems. The NPRM proposes specific timing requirements for patching, updating, or upgrading relevant electronic information systems based on the criticality of the patch in question:

15 calendar days for a critical risk patch,
30 calendar days for a high-risk patch, and
a reasonable and appropriate period of time based on the Regulated Entity’s policies and procedures for all other patches.

The NPRM contains limited exceptions for patch requirements where a patch is not available or would adversely impact the confidentiality, integrity, or availability of ePHI. Regulated Entities must document if/when they rely on such an exception, and they must also implement reasonable and appropriate compensating controls to address the risk until an appropriate patch becomes available.
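As an added example (not part of this post or of the NPRM), the following Python script shows how a Regulated Entity could track patches against the proposed timing windows: 15 calendar days for critical and 30 for high-risk patches, with a policy-defined window for everything else, and an exception that is only acceptable when both the reason and a compensating control are documented. The asset names, patch identifiers, the 90-day window for "other" patches and the reporting date are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Proposed timing windows as summarised above: 15 calendar days for a critical
# patch, 30 for a high-risk patch. Other patches follow the entity's own policy;
# the 90-day figure is an assumed example value, not something the NPRM states.
PATCH_WINDOWS_DAYS = {"critical": 15, "high": 30}
DEFAULT_POLICY_DAYS = 90


@dataclass
class PatchRecord:
    asset: str                                   # hypothetical id from the technology asset inventory
    patch_id: str                                # hypothetical vendor patch identifier
    severity: str                                # "critical", "high" or "other"
    available_on: str                            # ISO date the patch became available
    applied_on: Optional[str] = None             # ISO date applied, or None if outstanding
    exception_reason: Optional[str] = None       # documented reason for relying on an exception
    compensating_control: Optional[str] = None   # control in place while the exception is relied on


def deadline_for(rec: PatchRecord) -> date:
    """Calendar-day deadline implied by the patch severity."""
    days = PATCH_WINDOWS_DAYS.get(rec.severity.lower(), DEFAULT_POLICY_DAYS)
    return date.fromisoformat(rec.available_on) + timedelta(days=days)


def patch_status(rec: PatchRecord, today: str) -> str:
    """Classify one patch record against the proposed timing requirements."""
    deadline = deadline_for(rec)
    if rec.applied_on is not None:
        return "compliant" if date.fromisoformat(rec.applied_on) <= deadline else "late"
    if rec.exception_reason:
        # Relying on an exception requires documenting it AND a compensating control.
        return "exception-documented" if rec.compensating_control else "exception-undocumented"
    return "overdue" if date.fromisoformat(today) > deadline else "open"


def patch_report(records: List[PatchRecord], today: str) -> dict:
    """Return per-patch statuses and a count of records in each status."""
    statuses = {rec.patch_id: patch_status(rec, today) for rec in records}
    counts: dict = {}
    for status in statuses.values():
        counts[status] = counts.get(status, 0) + 1
    return {"statuses": statuses, "counts": counts}


# Constructed sample records (not real assets, vendors or patches).
SAMPLE_RECORDS = [
    PatchRecord("ehr-db-01", "VENDOR-2025-001", "critical", "2025-02-10", applied_on="2025-02-20"),
    PatchRecord("portal-web-02", "VENDOR-2025-002", "high", "2025-01-15"),
    PatchRecord("imaging-ws-07", "VENDOR-2025-003", "critical", "2025-02-25",
                exception_reason="applying the patch makes the imaging system unavailable to clinicians",
                compensating_control="host moved to an isolated network segment; unused ports disabled"),
    PatchRecord("hr-app-03", "VENDOR-2025-004", "other", "2025-01-01"),
    PatchRecord("billing-api-05", "VENDOR-2025-005", "high", "2025-02-01",
                exception_reason="no vendor patch available"),
]

if __name__ == "__main__":
    report = patch_report(SAMPLE_RECORDS, today="2025-03-03")
    for patch_id, status in report["statuses"].items():
        print(f"{patch_id}: {status}")
    print(report["counts"])
```

The `exception-undocumented` status is the case the NPRM text singles out: an entity that records a reason for not patching but no compensating control has not satisfied the exception as described, so the report treats it separately from a documented exception.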
Workforce Controls Are Tightened, Including Training and Terminating Access
The Security Rule currently has general workforce management requirements, including procedures for reviewing system activity, policies for ensuring workforce members have appropriate access, and required security awareness training. Although Regulated Entities are currently required to identify the security official responsible for the development and implementation of the security policies and technical controls, the NPRM would require the identification to be in writing.
Despite the current rules relative to workforce security, OCR noted that many Regulated Entities are not in full compliance with such requirements. OCR cited to an investigation involving unauthorized access by a former employee of a Regulated Entity as an example of Regulated Entities not tightly controlling and securing access to their systems. The NPRM addresses that issue by outlining more explicit requirements for workforce control policies, which must be written and reviewed at least once every 12 months.
In addition, the NPRM proposes strict timing requirements for workforce access and training:

Terminated employees’ access to systems must end no later than one hour after termination.
Other Regulated Entities must be notified after a change in or termination of a workforce member’s authorization to access ePHI of those other Regulated Entities no later than 24 hours after the change or termination.
New employees must receive training within 30 days of establishing access and at least once every 12 months thereafter.

Verifying Business Associate Compliance Is Required to Protect Against Supply Chain Risks
The NPRM also includes a new requirement for verifying business associate technical safeguards. Under the NPRM, Regulated Entities must obtain written verification of the technical safeguards used by business associates/subcontractors that create, maintain, or transmit ePHI on their behalf at least every 12 months. Such verification must be written by a person with appropriate knowledge of, and experience with, generally accepted cybersecurity principles and methods, which the HHS website refers to as a “subject matter expert.”
Multi-Factor Authentication and Other Technical Controls Are Mandatory
While the Security Rule has significant overlap with the NIST Cybersecurity Framework and CPGs, the NPRM would further align the Security Rule with these frameworks relative to technical controls. For example, the NPRM would require Regulated Entities to implement minimum password strength requirements that are consistent with NIST. Additionally, the NPRM proposes multi-factor authentication requirements that are consistent with the CPGs, which identify multi-factor authentication as an “essential goal” to address common cybersecurity vulnerabilities. Under the NPRM, multi-factor authentication will require verification through at least two of the following categories:

Information known by the user, such as a password or personal identification number (PIN);
Items possessed by the user, including a token or a smart identification card; and
Personal characteristics of the user, such as a fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

The NPRM permits limited exceptions from multifactor authentication where (1) current technology assets do not support multi-factor authentication, and the Regulated Entity implements a plan to migrate to a technology asset that does; (2) an emergency or other occurrence makes multi-factor authentication infeasible; or (3) the technology asset is a device approved by the U.S. Food and Drug Administration.
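The following Python check is an added example (not from this post or the NPRM) of how an entity could review its access paths against the proposed multi-factor authentication requirement: two authenticators only count as multi-factor when they fall into two different categories of those listed above, so a password plus a PIN does not qualify, and a path without multi-factor authentication is acceptable only under one of the three enumerated exceptions, with the legacy-asset exception additionally requiring a migration plan. The mapping of authenticator names to categories, the system names and the exception labels are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Authenticator type -> NPRM category. The categories follow the text above;
# which concrete authenticator falls where is this example's assumption.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "hardware_token": "possession",
    "smart_card": "possession",
    "authenticator_app": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "typing_cadence": "inherence",
}

# The three exceptions summarised above, as labels used in this example.
VALID_EXCEPTIONS = {"legacy_asset", "emergency", "fda_approved_device"}


@dataclass
class AccessPath:
    system: str                           # hypothetical relevant electronic information system
    factors: List[str]                    # authenticators required to log in
    exception: Optional[str] = None       # one of VALID_EXCEPTIONS, if relied upon
    migration_plan: Optional[str] = None  # required when exception == "legacy_asset"


def distinct_categories(factors: List[str]) -> Set[str]:
    """Categories represented by the given authenticators; unknown names are rejected."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}


def meets_mfa(factors: List[str]) -> bool:
    """True only when at least two different categories are required."""
    return len(distinct_categories(factors)) >= 2


def assess(path: AccessPath) -> str:
    """Classify one access path as MFA, a documented exception, or non-compliant."""
    if meets_mfa(path.factors):
        return "mfa"
    if path.exception not in VALID_EXCEPTIONS:
        return "non-compliant"
    if path.exception == "legacy_asset" and not path.migration_plan:
        return "exception-missing-migration-plan"
    return f"exception:{path.exception}"


def review(paths: List[AccessPath]) -> dict:
    """Map each system to its assessment outcome."""
    return {p.system: assess(p) for p in paths}


# Constructed sample access paths (not real systems).
SAMPLE_PATHS = [
    AccessPath("ehr-clinician-login", ["password", "authenticator_app"]),
    AccessPath("legacy-lab-interface", ["password", "pin"]),
    AccessPath("old-dictation-server", ["password"], exception="legacy_asset",
               migration_plan="replace with supported platform by Q4"),
    AccessPath("old-pacs-console", ["password"], exception="legacy_asset"),
    AccessPath("infusion-pump-ui", ["pin"], exception="fda_approved_device"),
]

if __name__ == "__main__":
    for system, outcome in review(SAMPLE_PATHS).items():
        print(f"{system}: {outcome}")
```

Two points the check makes explicit: `legacy-lab-interface` is flagged even though it asks for two secrets, because both are knowledge factors, and `old-pacs-console` is flagged because the legacy-asset exception as summarised above is tied to a plan to migrate to an asset that supports multi-factor authentication.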
Other proposed minimum technical safeguards in the NPRM include:

segregation of roles by increased privileges,
automatic logoff,
log-in attempt controls,
network segmentation,
encryption at rest and in transit,
anti-malware protection,
standard configuration for OS and software,
disabling network ports,
audit trails and logging,
vulnerability scanning every six months, and
penetration testing every 12 months.

Contingency/Disaster Planning Is Required to Ensure Resiliency
The Security Rule requires contingency planning for responding to emergencies or occurrences that damage systems containing ePHI, including periodic testing and revision of those plans.
The NPRM outlines more concrete obligations relative to contingency planning, including requirements to identify critical electronic information systems. The NPRM proposes relatively short timing requirements, requiring the implementation of procedures to restore critical electronic information systems and data within 72 hours of a loss and requiring business associates to notify covered entities upon activation of their contingency plans within 24 hours after activation.
Regulated Entities are granted the ability to define what these critical electronic information systems are in conducting their criticality analysis and should consider the quick turnaround time for restoring access when making these determinations.
Impact of the Proposed Changes
Regardless of what security framework, controls, and processes Regulated Entities may already have in place, there are three areas where all organizations can expect to see a significant impact in terms of planning and implementation: (1) increased documentation burden; (2) increased compliance obligations; and (3) business associate agreements (BAAs) compliance. The compliance burden will certainly be significant (as many of the commentators have pointed out), but given the breadth of the NPRM, the full extent of the compliance burden will need to await a final resolution of the rulemaking process.
Increased Documentation Burden
While the Security Rule already requires that Regulated Entities develop and maintain security policies and procedures, the NPRM would expressly require that those policies and procedures, as well as proposed additional plans (e.g., security incident response plans), be documented in writing. As a result, if/when OCR is assessing a Regulated Entity’s compliance with the Security Rule, it will likely have a longer checklist of written policies and procedures it expects to see. In addition, the technology asset inventory, network map, written verification of technical safeguards used by business associates, and all of the analyses and evaluations required by the NPRM would need to be memorialized in writing. Many of these documents would require review at least once per year. Many Regulated Entities may find that the new documentation requirements impose an increased administrative burden. Further, Regulated Entities that lack sufficient internal expertise or resources to implement these proposed requirements will likely need to engage third-party legal and IT experts to meet them.
Increased Compliance Obligations
With the additional written policies and procedures come additional obligations to test and review those procedures. Policies cannot be established and stored away until OCR asks to review them; rather, security policies must be revisited and reviewed at least every 12 months. The NPRM also requires that some of these policies be put to the test to determine the adequacy of the procedures in place at least once every 12 months. This will require dedication of additional time and resources on an ongoing basis. Again, to meet these requirements, Regulated Entities may need to engage third-party legal and IT experts to support these efforts.
The NPRM also contains some new timing requirements that may necessitate the development and implementation of new processes to meet these tight deadlines:

A former employee’s access must end within one hour of the termination of the individual’s employment.
Business associates must report to covered entities within 24 hours of activating contingency plans.
Disaster plans must restore critical electronic information systems and data within 72 hours of a loss.
Critical and high-risk patches not exempted from the rule must be deployed within 15 and 30 days, respectively.

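Deadlines this short are only met reliably if the triggering event (termination, plan activation, loss, patch release) is timestamped and tracked against its due time. The following Python snippet is an added example, not code from the article or from HHS/OCR: a small obligation tracker that encodes the four deadlines listed above and reports which items are met, missed, open or overdue. The record format, the `patch_kind` mapping of severities to the two patch deadlines and all sample records (including the `CVE-PLACEHOLDER-*` names) are constructed for the example.

```python
"""Track NPRM timing obligations against their deadlines.

Added example; not part of the article or the NPRM text.  Deadlines are the
four listed in the article; record layout and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Deadlines as described in the article, keyed by obligation kind.
DEADLINES: Dict[str, timedelta] = {
    "access_termination": timedelta(hours=1),       # former employee access ends
    "ba_contingency_notice": timedelta(hours=24),   # BA notifies covered entity
    "critical_system_restore": timedelta(hours=72), # restore critical systems/data
    "patch_critical": timedelta(days=15),
    "patch_high": timedelta(days=30),
}

# Assumed severity labels; lower severities have no deadline in this list.
PATCH_KIND = {"critical": "patch_critical", "high": "patch_high"}


def patch_kind(severity: str) -> Optional[str]:
    return PATCH_KIND.get(severity.lower())


@dataclass
class Obligation:
    kind: str
    subject: str
    started_at: datetime              # the triggering event (UTC, tz-aware)
    completed_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.kind not in DEADLINES:
            raise ValueError(f"no deadline defined for kind {self.kind!r}")

    @property
    def due_at(self) -> datetime:
        return self.started_at + DEADLINES[self.kind]


def status(ob: Obligation, now: datetime) -> str:
    """met/missed for completed items, open/overdue for outstanding ones."""
    if ob.completed_at is not None:
        return "met" if ob.completed_at <= ob.due_at else "missed"
    return "overdue" if now > ob.due_at else "open"


def time_remaining(ob: Obligation, now: datetime) -> timedelta:
    """Negative when the deadline has already passed."""
    return ob.due_at - now


def summarize(obligations: List[Obligation], now: datetime) -> Dict[str, str]:
    return {ob.subject: status(ob, now) for ob in obligations}


def needs_attention(obligations: List[Obligation], now: datetime) -> List[str]:
    """Subjects that are overdue or were completed late, sorted for reporting."""
    return sorted(s for s, st in summarize(obligations, now).items()
                  if st in ("overdue", "missed"))


# Constructed sample data: a fixed "now" so results are reproducible.
NOW = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE: List[Obligation] = [
    Obligation("access_termination", "jdoe account disable",
               NOW - timedelta(hours=3), NOW - timedelta(hours=2, minutes=15)),  # 45 min
    Obligation("access_termination", "asmith account disable",
               NOW - timedelta(hours=3), NOW - timedelta(hours=1)),             # 2 h
    Obligation(patch_kind("Critical"), "CVE-PLACEHOLDER-A on db-01",
               NOW - timedelta(days=20)),                                       # 5 days late
    Obligation(patch_kind("High"), "CVE-PLACEHOLDER-B on web-02",
               NOW - timedelta(days=20)),                                       # 10 days left
    Obligation("ba_contingency_notice", "BA Acme plan activation notice",
               NOW - timedelta(hours=1)),
    Obligation("critical_system_restore", "EHR restore after storage loss",
               NOW - timedelta(hours=80), NOW - timedelta(hours=10)),           # 70 h
]

if __name__ == "__main__":
    for ob in SAMPLE:
        print(f"{ob.subject:34} {status(ob, NOW):8} due {ob.due_at:%Y-%m-%d %H:%M}Z")
    print("needs attention:", needs_attention(SAMPLE, NOW))
```

Because the clock starts at the triggering event rather than at the time the security team learns of it, the tracker only works if HR terminations, business-associate notices and vendor patch releases feed it promptly; that feed, not the arithmetic, is where most organizations will need new process.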
Business Associate Agreements Compliance
As business associates are directly regulated under the Security Rule, they will also be beholden to the enhanced requirements of the NPRM. In addition, as a result of many of the NPRM’s proposed changes, covered entities and business associates will owe one another new obligations.
As a result, it is likely that these new requirements under the NPRM will impact what is memorialized in BAAs. For example, Regulated Entities must obtain written verification from their business associates that they have implemented the required technical safeguards not only upon contracting but at least once a year thereafter. Regulated Entities should also consider revising their existing BAAs to make more explicit the security safeguard requirements that the NPRM imposes, such as multi-factor authentication and patch management. Further, in light of the potential significant changes to security obligations under the NPRM, parties may also wish to reconsider other provisions in their BAAs regarding risk allocation and indemnification rights, audit rights, third-party certification obligations, offshoring, and reporting triggers and timelines, among others. Depending on the volume of BAAs a Regulated Entity maintains, this renegotiation of BAAs could become a costly and time-consuming endeavor.
Recognition of New/Emerging Technologies
Finally, OCR acknowledged the constantly evolving nature of technology, including quantum computing, AI, and virtual and augmented reality. OCR reiterated its position that the Security Rule, as written, is meant to be technology-neutral; therefore, Regulated Entities should comply with the rule regardless of whether they are using new and emerging technologies. Nevertheless, OCR discussed how the Security Rule may apply in the case of quantum computing, AI, or virtual and augmented reality use and has included a request for information from industry stakeholders and others regarding:

whether HHS’s understanding of how the Security Rule applies to new technologies involving ePHI is not comprehensive and, if so, what issues should also be considered;
whether there are technologies that currently or in the future may harm the security and privacy of ePHI in ways that the Security Rule could not mitigate without modification, and, if so, what modifications would be required; and
whether there are additional policy or technical tools that HHS may use to address the security of ePHI in new technologies.

* * * * *
The future of the NPRM remains uncertain as to whether it will be finalized under the second Trump administration. While efforts to strengthen cybersecurity protections across the health care sector have gained bipartisan support, including under the first Trump administration, the estimated cost of compliance and heightened regulatory obligations under the NPRM may face challenges in light of the second Trump administration’s stated position against increased federal regulation.
Alaap B. Shah also contributed to this article.

Litigation Minute: Emerging Contaminants: What’s on the Horizon?

What You Need to Know in a Minute or Less
Emerging contaminants are synthetic or natural chemicals that have not been fully assessed from a health or risk perspective and are reportedly finding their way into consumer products and the environment. These include chemicals that have been widely used throughout society for decades but are now being targeted due to scientific developments and public scrutiny regarding their uses. Across industries, we are seeing increased regulation of consumer products, manufacturing processes, and industrial emissions, as well as new waves of litigation against unsuspecting businesses, putting their operations and financial stability at risk.
The first edition in this three-part series underscores the impact of the regulatory regime on the legal landscape and forecasts what lies ahead with a new regime and the substances likely in line for increased scrutiny, particularly ethylene oxide (EO) and perfluoroalkyl or polyfluoroalkyl substances (PFAS), as well as other chemicals.
In a minute or less, here is what you need to know about what is on the horizon for emerging contaminants litigation and regulation. 
Regulation Drives Litigation
EO is a versatile compound used to make ethylene glycol and numerous consumer products, including household cleaners and personal care items. Also used to sterilize medical equipment and other plastics sensitive to heat or steam, its uptick in litigation was largely driven by regulators’ positions surrounding EO’s alleged carcinogenic risk.
In 2016, the US Environmental Protection Agency (EPA) released its Integrated Risk Information System (IRIS) Assessment, finding that EO was 60 times more toxic than previous estimates and “carcinogenic to humans.”1 Widespread litigation soon followed, despite:

the EPA recognizing that its assessment included several uncertainties;2
state agencies, such as the Texas Commission on Environmental Quality, concluding that the EPA significantly overestimated EO’s carcinogenic risks;3 and
state agencies, such as the Tennessee Department of Health, finding no evidence for the clustering of high numbers of cancers near facilities that emit EO.4

The takeaway: A lack of robust science does not minimize litigation risk. Immature and incomplete scientific information will drive early litigation, particularly when it receives regulatory attention and is widely publicized on social media and the popular press.
Where Federal Efforts Slow, States Pick Up the Slack
With Republicans taking control of the Senate, House of Representatives, and White House in November, expect that some legislation and regulation concerning emerging contaminants will be scaled back or unlikely to gain traction. This includes the EPA’s regulation of EO under the Clean Air Act and requirements for the use of EO as a pesticide, as well as bills introduced in Congress to phase out certain uses of PFAS, which are used in firefighting foams, personal care products, food packaging, and other consumer product applications.
But where federal legislation and regulation slow, expect state-level efforts and private litigation such as citizen suits to increase. For example, more than 20 states identified PFAS as an immediate, mid-, or long-term focus for 2025, and President Donald Trump’s first term saw a significant increase in environmental citizen suits.
The takeaway: Do not expect that the new administration will result in a lack of focus on emerging contaminants nationwide. Companies with products or intermediaries that become the focus of emerging contaminant legislation or regulation should consider whether it is appropriate to participate in legislative meetings, hearings, stakeholder sessions, and opportunities to comment and testify; meet with regulators and representatives in critical states; or contribute to the development of model legislation for use in various states.
Other Chemicals “Emerging” as Emerging Contaminants
With increased scientific scrutiny and regulatory activity acting as catalysts for litigation involving emerging contaminants, many other ubiquitous chemical substances may get caught up in the next waves of regulation and litigation—including, for example, microplastics, formaldehyde, and phthalates.
Microplastics
Microplastics can come from several sources, such as cosmetics, glitter, clothing, or larger plastic items breaking down over time. While a definitive correlation between microplastic exposure and adverse health effects has not yet been established, and the EPA states that “[m]icroplastics have been found in every ecosystem on the planet, from the Antarctic tundra to tropical coral reefs, and have been found in food, beverages, and human and animal tissue,” recent petitions to the EPA have called for increased monitoring of microplastics in drinking water. Examples of early litigation involving microplastics include consumer fraud and greenwashing claims.
Formaldehyde
Used in the production of construction materials, insulation, and adhesives, and as a preservative in cosmetics and personal care products, formaldehyde has seen an uptick in the filing of personal-injury claims and class actions alleging harm due to alleged exposure. These cases draw on the EPA’s August 2024 IRIS Toxicological Review of Formaldehyde and December 2024 final risk evaluation for formaldehyde under the Toxic Substances Control Act, despite high-profile challenges to the EPA’s assessments that have highlighted concerns with its scientific shortcomings.
Phthalates
The use of ortho-phthalate plasticizers in industrial applications and consumer products such as cosmetics, plastics, and food packaging has recently diminished. However, the listing of numerous phthalates as alleged reproductive toxicants and carcinogens under California’s Proposition 65, combined with Consumer Product Safety Commission restrictions on the use of phthalates in children’s toys and articles and the US Food and Drug Administration’s removal of 25 ortho-phthalate plasticizers from the Food Additive Regulations, are keeping phthalates in the spotlight. Recent phthalate litigation includes mislabeling and false advertising claims for food and childcare products containing trace phthalate residues.
The takeaway: Although litigation and regulatory developments related to EO and PFAS continue to capture headlines, more is on the horizon. Again, immature science can drive early litigation.