Virginia Enacts Law Protecting Reproductive and Sexual Health Data
On March 24, 2025, Virginia Governor Youngkin signed into law S.B. 754, which amends the Virginia Consumer Protection Data Act (“VCDPA”) to prohibit the collection, disclosure, sale or dissemination of consumers’ reproductive or sexual health data without consent.
The law defines “reproductive or sexual health information” as “information relating to the past, present, or future reproductive or sexual health” of a Virginia consumer, including:
Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above; and
Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.
“Reproductive or sexual health information” does not include protected health information under HIPAA, health records for the purposes of Title 32.1, or patient-identifying records for the purposes of 42 U.S.C. § 290dd-2.
These amendments to the VCDPA will take effect on July 1, 2025.
McDermott+ Check-Up: March 28, 2025
THIS WEEK’S DOSE
Senate Confirms FDA, NIH Nominations, Advances CMS Nomination. The Senate confirmed US Food and Drug Administration (FDA) Commissioner Martin Makary and National Institutes of Health (NIH) Director Jayanta Bhattacharya, and the Senate Finance Committee advanced Mehmet Oz’s nomination as Centers for Medicare & Medicaid Services (CMS) administrator to the full Senate.
House Oversight Committee Discusses Government Reform Legislation. The committee advanced three bills related to government reorganization, the Federal Employees Health Benefits Program, and pandemic response.
CBO Projects US Will Reach Debt Limit in August or September 2025. The Congressional Budget Office (CBO) estimate will factor into the timing of a budget reconciliation package, as Republican leaders appear to be in agreement to include a debt limit increase in that forthcoming package.
HHS Announces Reorganization. The US Department of Health and Human Services (HHS) plans to eliminate 10,000 employees and consolidate multiple agencies.
President Trump Makes Additional Healthcare Nominations. Nominated positions include CDC director, HHS inspector general, HHS assistant secretary for health, and HHS assistant secretary for the Administration for Children and Families.
CONGRESS
Senate Confirms FDA, NIH Nominations, Advances CMS Nomination. On March 25, 2025, the Senate confirmed Martin Makary, MD, as the next FDA commissioner by a 56 – 44 vote. Sens. Durbin (D-IL), Hassan (D-NH), and Shaheen (D-NH) were the sole Democrats to vote yes, along with all Republicans. Jayanta Bhattacharya, MD, was also confirmed as the next NIH director by a 53 – 47 party line vote. The Senate Finance Committee advanced the nomination of Mehmet Oz, MD, to be CMS administrator by a 14 – 13 party line vote. Oz’s full Senate confirmation vote could be as early as next week, and he is expected to be confirmed.
House Oversight Committee Discusses Government Reform Legislation. The markup included discussion of nine bills, three of which pertained to healthcare and the federal workforce and advanced out of the committee:
H.R. 1295, the Reorganizing Government Act of 2025, would renew and extend through December 2026 the president’s authority to propose a government reorganization plan that Congress must consider via an up or down vote on a joint resolution of approval within 90 calendar days.
Passed 23 – 20 along party lines, with Republicans voting in support.
H.R. 2193, the FEHB Protection Act of 2025, would require federal agencies to verify that an employee is eligible to add a family member to their Federal Employees Health Benefits (FEHB) Program plan.
Passed 29 – 15, with support from Republicans as well as Reps. Connolly (D-VA), Lynch (D-MA), Brown (D-OH), Min (D-CA), Norton (D-DC), and Subramanyam (D-VA).
H.R. 2277, the Federal Accountability Committee for Transparency Act of 2025, would extend the Pandemic Response Accountability Committee through December 2026 and rename it the Fraud Prevention and Accountability Committee.
Passed unanimously, 44 – 0.
Links to all bills discussed during the markup can be found here.
CBO Projects US Will Reach Debt Limit in August or September 2025. The CBO “X date” projection is that the United States will default on its debt in August or September 2025 if the debt limit remains unchanged. If the government’s borrowing needs are greater than CBO projections, the debt limit could be reached as early as May or June 2025. Republicans aim to raise the debt limit as part of the reconciliation process in the coming months, but if a reconciliation package is not enacted by the X date, separate legislation may be required to raise the debt limit. Legislation outside the reconciliation process would require support from Democrats to pass. The US Department of the Treasury is expected to release its own X date estimate in May 2025.
ADMINISTRATION
HHS Announces Reorganization. In response to the executive order on the Department of Government Efficiency (DOGE) Workforce Optimization Initiative, HHS announced a “dramatic restructuring” that includes the elimination of 10,000 employees. This follows the voluntary departure of 10,000 employees that has already occurred. Taken together, these two workforce reductions will shrink HHS by 25% to 62,000 employees. The agency projects that the reorganization will save $1.8 billion and make the agency more efficient.
Major actions of the restructuring plan include:
Consolidating 28 divisions into 15, eliminating five of the 10 regional offices, and centralizing core administrative functions.
Eliminating 10,000 workers, including 3,500 employees from the FDA; 2,400 employees from the Centers for Disease Control and Prevention (CDC); 1,200 employees from the NIH; and 300 employees from CMS.
Creating a new Administration for a Healthy America subdivision, which will combine the Office of the Assistant Secretary for Health, the Health Resources and Services Administration, the Substance Abuse and Mental Health Services Administration (SAMHSA), the Agency for Toxic Substances and Disease Registry, and the National Institute for Occupational Safety and Health.
Moving programs for older adults from the Administration for Community Living to other agencies, including CMS, the Assistant Secretary for Planning and Evaluation, and the Administration for Children and Families (ACF).
Read the press release here, and the fact sheet here.
President Trump Makes Additional Healthcare Nominations. After the White House abruptly withdrew Dave Weldon’s nomination for CDC director, President Trump nominated acting CDC director Susan Monarez, PhD, to be the permanent director. She previously worked as deputy director of the Advanced Research Projects Agency for Health. Additional HHS nominations include:
HHS inspector general: Thomas March Bell, general counsel for House Republicans.
HHS assistant secretary for health: Brian Christine, MD, urologist.
HHS assistant secretary for ACF: Alex Adams, director of the Idaho Department of Health and Welfare.
QUICK HITS
Senate Finance Democrats Release Report on MA Marketing Tactics. The report found that Medicare Advantage (MA) plans are increasingly using marketing strategies to enroll beneficiaries, and includes eight recommendations to increase oversight of these actions.
Senate Democrats Hold Forum on NIH Research Cuts. The forum, hosted by Sens. Baldwin (D-WI) and Welch (D-VT), featured a panel of researchers, patients, and former NIH Director Monica Bertagnolli, MD. Discussion focused on how cuts or delays of NIH research could harm cancer and Alzheimer’s research.
HHS Cancels $12 Billion in State Infectious Disease, Substance Use Grants. Congress appropriated the now-cancelled CDC and SAMHSA state grants through September 2025 during the COVID-19 pandemic. The grants focused on infectious disease tracking, mental health services, and substance use disorder treatment. House Appropriations Committee Ranking Member DeLauro (D-CT) criticized the cancellations.
Department of Justice Launches Anticompetitive Regulations Task Force. As part of the president’s deregulatory initiative, the task force aims to eliminate anticompetitive state and federal laws and regulations, including in the healthcare sector. Public comments to support the task force’s efforts are due May 26, 2025.
BIPARTISAN LEGISLATION SPOTLIGHT
The Bipartisan Senate 340B Working Group announced the addition of Sens. Kaine (D-VA), Mullin (R-OK), and Hickenlooper (D-CO). They join Sens. Moran (R-KS), Baldwin (D-WI), and Capito (R-WV). The new additions replace former Sens. Stabenow (D-MI) and Cardin (D-MD), who retired, and Sen. Thune (R-SD), who stepped back from the working group when he became Senate majority leader. Last Congress, the working group released a conceptual discussion draft and request for information on proposed changes to the 340B program. It is now completing its review of stakeholder feedback with the intention of releasing a formal legislative draft.
NEXT WEEK’S DIAGNOSIS
The House and Senate are both in session next week. Republicans will continue conversations on a reconciliation strategy, as they aim to strike a deal on a unified budget resolution before the Easter recess in mid-April. A Senate vote on a unified budget resolution could occur as early as next week, and Senate nomination hearings and confirmation votes are expected to continue. The Senate Judiciary Committee will discuss drug patent legislation. The House Energy and Commerce Committee has a busy week with a Health Subcommittee hearing on over-the-counter monograph drugs, an Oversight and Investigations Subcommittee hearing on cybersecurity vulnerabilities in legacy medical devices, and an expected full committee markup. Both the Inpatient Prospective Payment System (IPPS) proposed rule and the final rate notice for MA and Part D plans are expected in early April 2025. Read our previews for the IPPS proposed rule here and the final rate notice here.
Are the Days of OSHA’s Rulemaking and Reliance on Consensus Standards Numbered?
Since Representative Andy Biggs (R-AZ) first introduced the “Nullify the Occupational Safety and Health Administration Act” or “NOSHA Act” (H.R. 86), there has been immense speculation about the future of the Occupational Safety and Health Administration (OSHA). The inauguration of President Donald Trump served to increase scrutiny of the agency, and actions by the Department of Government Efficiency (DOGE) have caused speculation to run rampant.
The focus on the NOSHA Act, what the administration might do, and how DOGE might impact OSHA may be distractions from a bigger threat facing OSHA and the way it regulates workplace health and safety.
Quick Hits
The introduction of the “Nullify the Occupational Safety and Health Administration Act” bill by Representative Biggs (R-AZ) has sparked significant speculation about the future of OSHA, especially under the Trump administration.
Justice Thomas’s dissent to the denial of certiorari in Allstates Refractory Contractors, LLC hinted at a potential Supreme Court shift regarding the constitutionality of delegations of rulemaking authority.
On March 26, 2025, the Supreme Court heard arguments in consolidated cases challenging the Telecommunications Act of 1996’s delegation of authority to the FCC and USAC that could have broader implications for how administrative agencies such as OSHA operate.
Justice Clarence Thomas’s dissent to the denial of certiorari in Allstates Refractory Contractors, LLC, v. Su at the end of the 2023–2024 term of the Supreme Court of the United States portended a potential change to the manner that the delegation of rulemaking authority might be addressed by the Court. Specifically, Justice Thomas was concerned about whether this broad grant of rulemaking authority violated Article I, Section 1 of the U.S. Constitution, which states:
All legislative Powers herein granted shall be vested in a Congress of the United States, which shall consist of a Senate and House of Representatives.
This term, the Court has taken up a pair of cases relating to the Telecommunications Act of 1996, the Universal Service Fund (USF), and the Universal Service Administrative Company (USAC), which is focused on whether the legislation violates Article I, Section 1 of the Constitution.
The Telecommunications Act of 1996 was the first substantive revision of the Communications Act of 1934 post–deregulation and modernization of American telecommunications markets and technologies. Local markets were opened to competition, and though there always had been funding for universal services, it developed a new system for funding those universal services. The revisions, per the Federal Communications Commission (FCC), set forth five principles:
“Promote the availability of quality services at just, reasonable and affordable rates for all consumers”
“Increase nationwide access to advanced telecommunications services”
“Advance the availability of such services to all consumers, including those in low income, rural, insular, and high cost areas, at rates that are reasonably comparable to those charged in urban areas”
“Increase access to telecommunications and advanced services in schools, libraries and rural health care facilities”
“Provide equitable and non-discriminatory contributions from all providers of telecommunications services for the fund supporting universal service programs”
In addition, the Telecommunications Act of 1996 directed the FCC to formalize what services must be provided to receive support from the USF, expanded the number of companies required to pay into the fund, and created USAC. USAC is described by the FCC as “an independent, not-for-profit corporation designated as the administrator of the federal Universal Service Fund by the FCC.”
The Supreme Court, on March 26, 2025, heard argument in Federal Communications Commission v. Consumers’ Research, No. 24-354, and Schools, Health & Libraries Broadband Coalition v. Consumers’ Research, No. 24-422. Both cases relate to the Fifth Circuit Court of Appeals’ en banc decision in Consumers’ Research v. Federal Communications Commission that “the combination of Congress’s sweeping delegation to FCC and FCC’s unauthorized subdelegation to USAC violates the [Constitution].”
More specifically, the Fifth Circuit Court of Appeals stated:
American telecommunications consumers are subject to a multibillion-dollar tax nobody voted for. The size of that tax is de facto determined by a trade group staffed by industry insiders with no semblance of accountability to the public. And the trade group in turn relies on projections made by its private, for-profit constituent companies, all of which stand to profit from every single tax increase. This combination of delegations, subdelegations, and obfuscations of the USF Tax mechanism offends Article I, § 1 of the Constitution.
While Justice Thomas, in Allstates Refractory, certainly suggested that a majority of the Court was of a like mind with respect to the delegation of rulemaking authority granted to administrative agencies, like OSHA, he did not address the delegation of rulemaking to “nonprofits,” such as the American National Standards Institute (ANSI), the American Society of Mechanical Engineers (ASME), and other organizations that publish the consensus standards cited by OSHA in its regulations and when applying the Occupational Safety and Health (OSH) Act’s “General Duty Clause.”
Given his description of the rulemaking authority contained within the OSH Act as being among the broadest to any administrative agency, it is conceivable that a ruling that confirms the Fifth Circuit’s decision in Federal Communications Commission v. Consumers’ Research, would compel Congress to act and actually legislate the workplace health and safety regulations OSHA would enforce. Arguably, reliance on “national standards,” which is built into the OSH Act, would have to be replaced with rules contained within legislation, thereby compelling Congress to have a much more active role with respect to workplace health and safety.
Joint Bulletin Warns Health Sector of Potential Coordinated Multi-City Attack
On March 20, 2025, the American Hospital Association (AHA) and the Health-ISAC issued an alert to the health care sector warning of a social media post that posed a potential threat “related to the active planning of a coordinated, multi-city terrorist attack on hospitals in the coming weeks.” The post targets “mid-tier cities with low-security facilities.”
The alert recommends “that teams review security and emergency management plans and heighten staff awareness of the threat,” including physical security protocols and practices, such as “having a publicly visible security presence.”
The alert, updated on March 26, 2025, indicates that the FBI has not identified a “specific credible threat targeted against hospitals in any U.S. city.” Nonetheless, the threat is concerning, and the recommendations of the AHA and Health-ISAC are worth noting.
Pennsylvania Teacher’s Union Faces Class Action over Data Breach
The Pennsylvania State Education Association (PSEA) faces a class action resulting from a July 2024 data breach. The proposed class consists of current and former members of the union as well as PSEA employees and their family members. The lawsuit alleges that the union was negligent and breached its fiduciary duty when it suffered a data breach that affected Social Security numbers and medical information. The complaint further alleges that the PSEA failed to implement and maintain appropriate safeguards to protect and secure the plaintiffs’ data.
The union sent notification letters in February 2025 informing members that the data acquired by the unauthorized actor contained some personal information within the network files. The letter also stated, “We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted [. . .] We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information.” The union also informed affected individuals that they did not have any indication that the information was used fraudulently.
The complaint alleges “actual damages” suffered by the plaintiff related to monitoring financial accounts and an increased risk of fraud and identity theft. Further, the complaint states that “the breach of security was reasonably foreseeable given the known high frequency of cyberattacks and data breaches involving health information.”
In addition to a claim of negligence, the class alleges that the breach violates the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act. The class is demanding 10 years of credit monitoring services, punitive, actual, compensatory, and statutory damages, as well as attorneys’ fees.
THE WHITE COAT DIDN’T BETRAY YOU—THE PIXEL DID: Judge Keeps Florida Wiretap Case Against Hospital Alive
Greetings CIPAWorld!
Your search history reveals more about you than you might realize. If you’ve ever noticed suspiciously specific medical ads appearing after researching health concerns online, you’re not just being paranoid; you’re witnessing sophisticated tracking technologies at work.
A federal court in Florida handed down a decision that should make us pause before typing that symptom into a healthcare website’s search bar. Here, this case involves a patient who claimed her medical searches on Orlando Health’s website allegedly led to targeted Facebook ads for her specific medical conditions. See W.W. v. Orlando Health, Inc., No. 6:24-cv-1068-JSS-RMN, 2025 U.S. Dist. LEXIS 40038 (M.D. Fla. Mar. 6, 2025).
Judge Julie S. Sneed’s ruling in W.W. v. Orlando Health, Inc. denied most of the healthcare provider’s attempts to dismiss the lawsuit, potentially opening the door for closer scrutiny of how medical websites track and share our sensitive health information. As someone who has researched medical information online in the past (who doesn’t these days?), I wondered exactly what happens when I click that “search” button on my insurance carrier’s website.
The Plaintiff alleged she used Orlando Health’s website to research conditions, including ileostomy, heart problems, and fatty liver disease. She later noticed Facebook advertisements popping up for products related to these exact conditions—ileostomy bags, heart failure treatments, and services from Orlando Health neurologists. Coincidence? Plaintiff didn’t think so, and Judge Sneed found her claims plausible enough to proceed.
However, the medical context elevates this case beyond another privacy suit. The Court noted that Orlando Health operates over 100 medical facilities. It encourages patients to use its website to communicate medical symptoms, conditions, and treatments via the search bar and related webpages, including access to appointment booking and the MyChart patient portal. As such, this wasn’t a casual browsing session but an online extension of the doctor-patient relationship.
What makes this case particularly concerning is the nature of the tracking technology itself. Plaintiff alleges that Orlando Health employed tracking tools that operate largely invisibly to users. Judge Sneed acknowledged this reality, noting these technologies are hidden from users’ view and difficult to avoid, even for the particularly tech-savvy user. This creates a troubling power imbalance—patients have no meaningful way to opt out of tracking that they don’t even know is happening.
Even more fascinating is how the court analyzed the claims of the Florida Security of Communications Act (“FSCA”). I think it’s important I highlight the FSCA… after all, I am a Floridian. The FSCA prohibits the intentional interception of electronic communications, and Orlando Health argued that what was being tracked was merely metadata, not the actual content of communications. But Judge Sneed distinguished this case from previous decisions involving commercial websites.
The key difference? Medical searches reveal something fundamentally private about us. For instance, if I decide to search “cardiologist for heart palpitations,” I’m not just clicking links—I’m communicating sensitive information about my health condition. The Court recognized this distinction, noting that information about a user’s medical conditions and healthcare searches constitutes ‘contents’ protected under these statutes.
To break this down further, the FSCA defines “contents” as “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7). The Court emphasized that URLs and search queries on a medical website reflect the message Plaintiff sought to convey to Defendant through its website, thus satisfying the statutory standard. Judge Sneed’s approach relied on Black’s Law Dictionary to define “substance,” “purport,” and “meaning,” grounding her interpretation in long-standing legal usage.
As a result, Judge Sneed determined that W.W. successfully alleged all three required elements for an FSCA claim: (1) that Orlando Health intentionally intercepted her electronic communications, (2) that these interceptions captured protected “contents” under the statute, and (3) that she had not consented to this interception. The Court emphasized that Plaintiff has adequately alleged that the electronic communications she claims were intercepted were ‘contents’ as defined by the FSCA.
Orlando Health relied heavily on a Florida case, Jacome v. Spirit Airlines, Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *1 (Fla. Cir. Ct. June 17, 2021), which involved “session replay” technology tracking users’ movements on a commercial airline website. But Judge Sneed pointed out three crucial differences: first, Jacome involved different tracking technology in a non-healthcare context; second, the very case Orlando Health relied on actually supported W.W.’s position by acknowledging that medical records deserve protection; and third, other courts facing similar healthcare tracking cases have reached conclusions favorable to patients. The Court held that Plaintiff’s claims are predicated on the tracking tools’ interception of her communications… not on the simple fact that her movements on Defendant’s website were tracked.
Moreover, the Court analyzed multiple cases where similar tracking tools on healthcare websites were found potentially liable under wiretap laws. In A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *5-7 (N.D. Ill. Sept. 9, 2024), the Northern District of Illinois denied a motion to dismiss, finding that URLs containing search terms about medical conditions constituted protected content. Similarly, in R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 885, 903 (C.D. Cal. 2024), the Court found that when tracking technologies shared information about “sensitive healthcare products” with Meta and Google, resulting in targeted ads, this information “reveal[ed] a substantive message about [the p]laintiffs’ health concerns.”
As such, the ruling on the FSCA claim is principally significant because, as Judge Sneed noted, “the FSCA was modeled after the Wiretap Act, [and] Florida courts construe the FSCA’s provisions in accord with the meaning given to analogous provisions of the Wiretap Act.” W.W., 2025 U.S. Dist. LEXIS 40038, at *7. This means the Court’s interpretation of what constitutes “contents” under the FSCA directly influenced its analysis of the federal Wiretap Act claim.
What I found particularly striking was the Court’s reference to the Ninth Circuit’s decision in In re Zynga Priv. Litig., 750 F.3d 1098 (9th Cir. 2014). While that case found that basic website header information wasn’t protected content, it explicitly stated that “a user’s request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” This distinction has become crucial in healthcare privacy cases, with courts like the Northern District of California in Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1076 (N.D. Cal. 2023), recognizing that “a URL disclosing a ‘search term or similar communication made by the user’ ‘could constitute a communication’ under the [Wiretap Act].”
Next, the Court also looked at similar cases in other jurisdictions. In In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 712, 718, 720 (D. Minn. 2023), a Minnesota Court determined that technology that “surreptitiously track[ed] users’ interactions on the [defendant’s w]ebsites and transmit those interactions to [Meta]” was actionable under the Wiretap Act. Similarly, in Doe v. Microsoft Corp., No. C23-0718-JCC, 2023 WL 8780879, at *9 (W.D. Wash. Dec. 19, 2023), a Washington Court found similar allegations sufficient under California’s Invasion of Privacy Act (“CIPA”).
The Court’s analysis demonstrated a sophisticated understanding of how modern tracking tools actually function. Judge Sneed described how the Facebook Pixel works, explaining that it causes the user’s web browser to instantaneously duplicate the contents of the communication with the website and send the duplicate from the user’s browser directly to Facebook’s server. In a sense, it’s like having a third person secretly photocopy your private medical forms as you fill them out—except it happens digitally, all without your knowledge. That’s a scary thought.
One crucial legal issue the Court had to address was whether Orlando Health could be liable under the Wiretap Act as a party to the communications. Normally, a party to communications can’t “intercept” them under the law. But Judge Sneed found that the “crime-tort exception” might apply, which creates liability when a party intercepts communications “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). This exception has created a split among federal courts, with some like B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1065 (C.D. Cal. 2024) rejecting its application, while others like Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 380 (S.D.N.Y. 2024) have held that “A defendant’s criminal or tortious purpose of knowingly disclosing individually identifiable health information to another person in violation of HIPAA may satisfy the crime-tort exception.”
Let’s just think about this for a moment. When you visit your healthcare provider’s website and search for information about a medical condition, you’re effectively having a private conversation about your health. This is a conversation you reasonably expect to stay between you and your provider. Plaintiff alleges that Orlando Health allowed Facebook and Google to listen to this conversation without her knowledge or consent and then use what they heard to sell her things. That’s not just invasive—it’s monetizing vulnerability. The Complaint even describes Meta Pixel and Google’s APIs duplicating real-time communications and sending them to third-party servers without user awareness.
I remember searching for allergy specialists on my insurance provider’s website, only to suddenly see my social media feeds filled with ads for allergy medications. It felt like someone had been reading over my shoulder—because in a digital sense, they had been. This is a troubling loophole in our digital privacy framework. While HIPAA strictly regulates how healthcare providers handle patient information in traditional contexts, the rules often become murky in digital environments. The law hasn’t caught up to the technology, and it’s essential that case law helps close that gap.
The Court recognized other claims as well, including breach of confidence. Judge Sneed emphasized the profoundly personal nature of health information, quoting Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998): “One can think of few subject areas more personal and more likely to implicate privacy interests than that of one’s health.” Additionally, the Court also allowed unjust enrichment and breach of implied contract claims to proceed, acknowledging that private health information has economic value that healthcare providers shouldn’t be able to exploit without consent. Judge Sneed agreed that Defendant obtained enhanced advertising services and more cost-efficient marketing from the data disclosures, which plausibly conferred a benefit on Orlando Health without Plaintiff’s consent.
In an interesting development for data privacy attorneys, the Court expressly recognized the economic value of personal health information. As Judge Sneed noted, courts should not “ignore what common sense compels it to acknowledge—the value that personal identifying information has in our increasingly digital economy…. Consumers too recognize the value of their personal information and offer it in exchange for goods and services.” W.W., 2025 U.S. Dist. LEXIS 40038, at *32-33 (quoting In re Marriott Int’l, Inc., 440 F. Supp. 3d 447, 462 (D. Md. 2020)).
Interestingly, the Court did dismiss one claim—invasion of privacy by intrusion upon seclusion—finding that Florida law requires an intrusion into a private “place” rather than merely a private activity. As Pet Supermarket, Inc. v. Eldridge, 360 So. 3d 1201, 1207 (Fla. Dist. Ct. App. 2023) specified, “Florida law explicitly requires an intrusion into a private place and not merely into a private activity.” This reveals a gap in privacy law that has not yet adjusted to the digital age, where violations occur in virtual rather than physical spaces.
The irony here is palpable. Healthcare providers are bound by HIPAA and other regulations that severely restrict how they can share our health information in traditional contexts. Yet some providers may allow tech companies to access this information through their websites with far less oversight.
Judge Sneed’s decision aligns with similar rulings in cases like D.S. v. Tallahassee Mem’l HealthCare, No. 4:23cv540-MW/MAF, 2024 WL 2318621, at *1 (N.D. Fla. May 22, 2024), and Cyr v. Orlando Health, Inc., No. 8:23-cv-588-WFJ-CPT (M.D. Fla. July 5, 2023). In Tallahassee Memorial, the Court denied dismissal of identical claims where a healthcare provider allegedly disclosed patient information to Meta and Google through website tracking. Similarly, in Cyr—another case against Orlando Health itself—the Court found the plaintiff’s claims plausible and worthy of proceeding past the pleading stage. This suggests that Courts are increasingly receptive to these digital privacy concerns in the healthcare context.
All in all, healthcare marketers may need to rethink their digital strategies, and patients might finally gain transparency into how their online health searches are being monetized. The next time you search for symptoms online or book a medical appointment through a website, remember that a seemingly private digital conversation might have more participants than you realize.
Behavioral Health Law Ledger | March 2025
Welcome to the Ledger
The March 2025 issue of Greenberg Traurig’s quarterly Behavioral Health Law ledger explores two behavioral health legal developments: proposed legislation in several states that would affect behavioral and mental health operations, including reimbursement for mental health services and enforcement of fraud and abuse laws for substance use disorder facilities; and a rise in hospital closures, including psychiatric hospitals.
Pending Legislation Review: State Legislation that May Impact Behavioral Health
Multiple states have introduced legislation with may affect behavioral and mental health operations on a state level.
Legislation on Behavioral Health Operations
Colorado
Colorado Senate Bill 25-042 proposes to empower Colorado’s Behavioral Health Administration to address reimbursement shortages for behavioral health services and to fill in gaps in Colorado’s continuum of care for behavioral health crises. On an operational level, this would increase the number of reimbursable days for inpatient mental health services from 15 days to 60 days. In addition, this bill proposes to amend how involuntary mental health holds are handled and would change the discharge requirements for patients admitted on involuntary mental health holds.
Possible effects: Should this bill pass, we anticipate changes relating to reimbursement for mental health services in Colorado, which may improve accessibility gaps that persist. Nevertheless, even if the bill does not pass, this legislation demonstrates Colorado legislators’ focus on behavioral health in the state and continues the trend of improving access to, and reimbursement for, behavioral health services state-wide.
California
California Senate Bill 35 proposes to revise existing enforcement and increase scrutiny on substance use disorder (SUD) recovery facilities within California. Operationally, this bill would authorize the suspension and/or revocation of SUD facilities’ licenses for facilities who engaged in patient brokering and other kickback schemes. This bill would also empower city and district attorneys to enforce these measures, thereby potentially increasing local enforcement and scrutiny.
Possible effects: This is the second bill on scrutiny into SUD recovery facilities to be introduced since the passage of California’s Ethical Treatment for Persons with Substance Use Disorder Act (Cal. Health & Safety Code § 11857 et seq.) in 2022. Should this bill pass, it would strengthen enforcement of fraud and abuse laws for SUD facilities. However, even if the bill does not pass, this proposed legislation demonstrates a continued focus on and prioritization of SUD facility compliance within California.
Legislation on Mental Health Services and Education
Eighteen states have proposed legislation regarding education around maternal mental health. These states are Alabama, Arizona, California, Connecticut, Georgia, Maryland, Massachusetts, Minnesota, Mississippi, New Hampshire, New Jersey, New Mexico, Oklahoma, Tennessee, Virginia, and West Virginia.
These proposed bills include legislation to provide coverage for perinatal and post-partum depression screening, extending delivery and post-natal care to fee-for-service models to improve care outcomes, improving patient and practitioner education on maternal mental health, and legislation commissioning studies on SUDs and behavioral health concerns within maternal mental health.
Together, these bills represent a continued state-level shift towards prioritizing mental health on a populational level. Should these bills pass, we anticipate potential changes in reimbursement and covered services on a state level, as well as further research into this field.
Rise in Hospital Closures May Reduce Accessibility of Behavioral Health Services
In 2025, there has been a large increase in closures of hospitals, including psychiatric hospitals. To date in 2025, at least 13 hospitals have closed their doors or announced imminent closures. In almost every case, the hospital administrators have stated that the decision to cease operations was caused by financial and operational considerations, including reimbursement challenges and ongoing labor shortages.1 At least one other hospital has shuttered its inpatient psychiatric wing following ongoing concerns regarding its patient census and reimbursement.2
Of the 13 hospitals to have closed or announced imminent closure, two are in Colorado, where an additional hospital-based behavioral health provider is also closing (or at least reorganizing and relocating its operations elsewhere). On March 1, 2025, Johnstown Heights Behavioral Health ceased operations. West Springs Hospital closed effective March 10, 2025. Each of these hospitals cited ongoing financial and operational struggles that influenced these closures. Finally, West Pines Behavioral Health, a hospital-based behavioral health provider, has announced it will close its Lutheran Hospital campus operations effective March 31, 2025.3 Much of its staff and operations appear to have been relocated to the new West Pines Behavioral Hospital, which is a fairly new adult (with adolescent and senior inpatient services coming in the near future) psychiatric hospital in Westminster through the partnership of Acadia Healthcare and Intermountain Health that was initially licensed as a psychiatric hospital in December 2024.4 Including the new addition of West Pines Behavioral Hospital, there are now eight psychiatric hospitals in Colorado, two of which are run by the state of Colorado, and all eight of which are on the front range urban corridor of Colorado.
These closures come on the heels of the Center for Healthcare Quality and Payment Reform’s February 2025 Report stating that “[m]ore than 700 rural hospitals—one-third of all rural hospitals in the country—are at risk of closing because of the serious financial problems they are experiencing. Over 300 of these rural hospitals are at immediate risk of closing because of the severity of their financial problems.” In light of ongoing nationwide financial struggles of health care providers, including psychiatric hospitals and those serving rural populations, behavioral health patients may face reduced accessibility for behavioral and mental health care, especially on Colorado’s western slope, despite increasing need for such service access in recent years.
1 See 10 hospital closures in 2025 – Becker’s Hospital Review | Healthcare News & Analysis.
2 See Endeavor cuts jobs amid service reductions – Becker’s Hospital Review | Healthcare News & Analysis.
3 See generally Nearly 500 behavioral health workers in Colorado have been laid off in the past 3 months | The Colorado Sun.
4 See Colorado to get more mental health bed options, new hospital amid “near crisis” | the Colorado Sun.
Massachusetts: Expansion of Oversight Authority — New Notice of Material Change Form for Health Care Transactions
The Massachusetts Health Policy Commission (the HPC), an independent state agency that works to improve affordability of health care for residents of the Commonwealth, released Advance Guidance (before finalization of new regulations) for “Providers” and “Provider Organizations” considering transactions subject to the HPC’s updated Notice of Material Change (MCN) process. This Advance Guidance was issued on March 20, 2025, in anticipation of the April 8, 2025 effective date of amendments to M.G.L. c. 6D, § 13 pursuant to Chapter 343 of the Acts of 2024. The Advance Guidance alerts providers to upcoming changes in requirements for certain types of transactions, including an expanded regulatory definition of “Material Change”, an increased authority to issue requests for information, and certain logistics to the form required when filing an MCN.
Background
As discussed in our prior blog, “Massachusetts: New Year, New Law — Governor Signs “An Act enhancing the market review process” (House Bill No. 5159),” Governor Maura Healey signed into law Chapter 343 of the Acts of 2024 on January 8, 2025. The legislation aims to increase oversight and regulation over a variety of health care transactions taking place in the Commonwealth. This includes enhancing scrutiny by entities such as the HPC, the Center for Health Information and Analysis (CHIA), the Office of the Attorney General, and the Division of Insurance, specifically regarding private equity investors and management service organizations (MSOs). Additionally, the new law mandates licensing for Urgent Care Centers and introduces licensing requirements for a newly established category known as Office-Based Surgical Centers.
To that end, the law strengthens the HPC’s market oversight authority to review “Material Changes” to “Providers” or “Provider Organizations” as required by Mass. Gen. Laws ch. 6D, § 13, which include companies:
in the business of health care delivery or management, […] that represents one or more health care Providers in contracting with Carriers or third-party administrators for the payments of Health Care Services; provided, that a Provider Organization shall include, but not be limited to, physician organizations, physician-hospital organizations, independent practice associations, Provider networks, accountable care organizations and any other organization that contracts with Carriers for payment for Health Care Services.
The Advance Guidance issued by the HPC provides requirements for the new triggering events and MCN process in advance of regulatory amendments to the current regulations, found at 958 CMR 7.02. “Providers” or “Provider Organizations” are still required to submit an MCN to the HPC 60 days in advance of the effective date of a “Material Change.” Information on these additional triggering events will allow the HPC to monitor the health care market and the ability of the Commonwealth’s health care system to deliver high quality, cost-effective care for all residents.
Advance Guidance
Beginning April 8, 2025, the definition of a “Material Change” that triggers the filing requirement for an MCN will be expanded to include:
Significant expansions in a “Provider or “Provider Organization’s” capacity, which includes any increase to a “Provider” or “Provider Organization’s” capacity that requires an Application for Substantial Capital Expenditure (defined at 105 CMR 100 as generally being in excess of the then-current Expenditure Minimum) to be submitted to the Massachusetts Department of Public Health’s Determination of Need Program;
Transactions involving a significant equity investor which result in a change of ownership or control of a “Provider” or “Provider Organization,” which includes any investment by an equity investor that will change the ownership of a “Provider” or “Provider Organization” or any investment in excess of US$10M that results in an equity investor having significant control over a “Provider” or “Provider Organization,” e.g., the potential to appoint a board member(s), make key business decisions (e.g., hiring or terminating staff);
Significant acquisitions, sales, or transfer of assets including, but not limited to, real estate sale lease-back arrangements as well as the sale of any licensed facility or the sale of real property assets where Health Care Services are delivered for the purposes of a real estate lease-back arrangement; and
Conversion of a “Provider” or “Provider Organization” from a nonprofit entity to a for-profit entity.
Additionally, the Advance Guidance describes the expansion of authority to request information from other “Providers,” “Provider Organizations,” or “Payors” to be provided within 21 days of such request from the HPC. Effective April 8, 2025, the HPC will have expanded authority to request information from significant equity investors and other parties involved in a given transaction.
Under Mass. Gen. L. ch. 6D, § 13(c)(2), as updated by Section 24 of Chapter 343 of the Acts of 2024, when a Material Change involves a “significant equity investor,” the HPC can identify specific information required to accompany the MCN submission. This may include details such as the significant equity investor’s capital structure, overall financial condition, ownership, and management structures, and audited financial statements, among other relevant items. Currently, the HPC does not mandate that such information be publicly disclosed as part of the MCN form; however, it reserves the right to request this information confidentially during its review process. The HPC will maintain the confidentiality of all nonpublic information and documentation received in connection with an MCN or cost and market impact review, as requested by the involved parties.
Finally, as previewed by the HPC Advance Guidance, the HPC has posted a revised MCN Form that “Providers” and “Provider Organizations” should use beginning on April 8, 2025.
Conclusion
The Advance Guidance issued by the HPC provides insights for “Providers” and “Provider Organizations” preparing for organizational changes subject to the MCN process. Released ahead of amendments to M.G.L. c. 6D, § 13 pursuant to Chapter 343 of the Acts of 2024 — which take effect on April 8, 2025 — this guidance outlines important updates including an expanded definition of “Material Change,” associated clarifying terms, broader authority for the HPC to request information related to such changes, and specific logistical adjustments in the required MCN Form. As this Advance Guidance has not gone through the proper rulemaking process, affected individuals should provide comments to the HPC about areas of disagreement or concern via email ([email protected]).
For more information, please join us at our upcoming webinar with the Healthcare Financial Management Association on April 30, “Private Equity and Health Care – A Policy Discussion.” The registration link is available here.
Even Jepson Preambles Require Written Description Support
The US Court of Appeals for the Federal Circuit found a Jepson claim unpatentable where the specification did not provide adequate written description for the portion of the claim purporting to recite what was already well known in the prior art. In re Xencor, Inc., Case No. 24-1870 (Fed. Cir. Mar. 13, 2025) (Hughes, Stark, Schroeder, JJ.)
Xencor filed a patent application claiming a modified anti-C5 antibody treatment with certain amino acid substitutions that provide for longer serum half-lives and reduce the need for more frequent treatment. The application included:
A Jepson claim reciting, “[i]n a method of treating a patient by administering an anti-C5 antibody with an Fc domain, the improvement comprising” certain amino acid substitutions, wherein the modified antibody has “increased in vivo half-life.”
A non-Jepson claim directed to “a method of treating a patient by administering an anti-C5 antibody comprising” certain amino acid substitutions, wherein the modified antibody “has increased in vivo half-life.”
The specification provided one example of an anti-C5 antibody, 5G1.1, and three high-level examples of potential uses for anti-C5 antibodies. The examiner rejected the claims for lack of written description. Xencor unsuccessfully appealed the rejection to the Patent Trial & Appeal Board. Xencor then unsuccessfully petitioned the Board for reconsideration. Xencor appealed to the Federal Circuit, which resulted in a remand to the Board’s Appeals Review Panel (ARP).
The ARP concluded that Jepson claim preambles require written description support and that the preamble language of “treating a patient” was limiting – even without the Jepson claim format – because it gave life and meaning to the claim recitations “increased in vivo half-life” and “administering.” Because the specification did not provide a representative number of species to support the broad genus of anti-C5 antibodies, a description of conditions that can successfully be treated with an anti-C5 antibody, or even a single working example describing treatment with an anti-C5 antibody with the claimed modifications, the ARP found that the claims lacked written description and that Xencor had not shown that anti-C5 antibodies were well known. Xencor again appealed, arguing that “treating a patient” was not limiting and that Jepson preambles do not require written description support.
With respect to the preamble of the method claim, the Federal Circuit noted that Xencor agreed that the “administering” portion was limiting but nonetheless argued that “treating a patient” was not. Although a preamble can be split into limiting and non-limiting parts, the Court reasoned that the preamble here could not be neatly packaged into separate portions because the phrase “treating a patient” was directly connected through the word “by” to the phrase “administering an anti-C5 antibody,” and each phrase gave meaning to the other. The Court further explained that the entire preamble provided the raison d’être of the claimed method: When a patient is treated with the modified anti-C5 antibody, the treatment lasts longer, reducing the frequency of treatments. Accordingly, the Court agreed with the ARP that the recitation “treating a patient” was limiting.
The Federal Circuit next concluded that substantial evidence supported the ARP’s determination that the specification did not provide written description support for “treating a patient.” Because the specification was not limited to treating a particular disease, “treating a patient” meant “treating all patients and all diseases.” While the specification provided three examples of classes of diseases that might benefit from the claimed treatment, the Court agreed with the ARP that this disclosure was inadequate to demonstrate possession of a method of treating any particular disease, let alone all diseases.
Finally, the Federal Circuit explained that a Jepson claim preamble requires written description support because it is used to define the claimed invention and the claim scope. The Court cautioned that a patentee cannot obviate the written description requirement by using a Jepson claim to avoid the requirement that the inventor be in possession of the claimed invention – otherwise, a patentee could obtain a Jepson claim with a preamble that recited a time machine as well known in the art without describing a time machine. To provide adequate written description for a Jepson claim, the applicant must establish that what is claimed to be well known in the art actually is well known in the art. The Court explained that the amount of disclosure necessary varies depending on the level of knowledge of the person skilled in the art, the unpredictability of the art, and the newness of the technology.
Given the large number of possible antibodies in the anti-C5 antibody genus and the limited disclosure in the specification, the Federal Circuit affirmed the ARP’s determination that the Jepson claim lacked adequate written description.
This Week in 340B: March 18 – 24, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: Contract Pharmacy; Rebate Model
In a case by a drug manufacturer challenging a state law, the intervenor defendant filed a brief in support of its motion to compel discovery, and the drug manufacturer filed a brief in opposition to the intervenor’s motion for judgment on the pleadings.
In four cases against the Health Resources and Services Administration (HRSA) alleging that HRSA unlawfully refused to approve drug manufacturers’ proposed rebate models, the intervenor defendants filed a cross motion for summary judgment and opposition to the plaintiff’s motion for summary judgment.
In one such case, 37 state and regional hospital associates filed a motion for leave to file an amici brief in support of HRSA.
2026 Medicare Advantage and Part D Final Rate Notice: What to Expect
Key Takeaways
CMS is expected to issue the 2026 final rate notice for Medicare Advantage (MA) and Part D plans by April 7, 2025.
The January 2025 advance notice proposed policies that would increase payments to MA plans by 2.23% on average; accounting for expected changes in coding increases CMS’ estimate to 4.33%. The increase is driven largely by a projected 5.93% growth in benchmarks, continued phase-in of a new risk model, and adjustments to risk scores.
Plans have advocated with CMS to increase cost growth projections and minimize the impact of payment and risk score adjustments, with the goal of improving on the 2.23% payment increase.
An expected MA and Part D final rule could also affect how plans and other stakeholders approach the 2026 payment year.
Why This Matters
The Centers for Medicare & Medicaid Services (CMS) is expected to finalize payment rates and policies for the 2026 Medicare Advantage (MA) and Part D programs in early April 2025. The final rate notice kicks off the sprint to submit 2026 plan bids to CMS by the June 2, 2025, deadline.
The final payment policies determine how plans approach bidding, including:
Whether and by how much they can provide core Medicare benefits below the benchmarks CMS sets.
How many rebate dollars they must spend on supplemental benefits that enrollees value.
How much they must spend to offer Part D benefits for the majority of plans that combine medical and prescription drug coverage.
A growing number of physicians are also taking note of the rate setting process. Physicians who participate in shared risk and other value-based payment models with MA plans stand to gain or lose revenue depending on the final payment rates and policies. Providers considering whether to participate in MA networks may look to the final rate notice to evaluate a program’s potential growth in the coming year, because rate increases typically lead to more generous benefits and drive enrollment.
The following key elements of the rate notice will determine the final payment update for 2026.
Growth Rate
The growth rate is CMS’s estimate of how much the cost of providing care to enrollees will change in 2026. It forms the basis for benchmark payments to plans and is primarily based on utilization trends among Medicare beneficiaries in the “traditional” or fee-for-service (FFS) program. MA plans benefit when the growth rate is high.
The advance notice estimated the 2026 growth rate at 5.93%, which is an increase over recent years. MA plans noted that this estimate relied on FFS data only through early 2024, however, and argued that using more recent data would suggest even higher utilization. Plans have urged CMS to do so for the final notice.
The advance notice also proposed “technical” adjustments to the way CMS calculates FFS utilization and costs. These adjustments would effectively lower the growth rate, and plans have urged CMS to slow or halt the changes’ implementation to limit that impact.
Stakeholders should keep in mind that the growth rate announced in the final rate notice is a national average. Benchmark payments are set at the county level, so a plan’s payments will rise or fall based on where it offers coverage and enrolls members. Payments are also affected by a plan’s Star rating and its enrollees’ health status. Plans will rely on detailed county-level data released in conjunction with the final rate notice to determine exactly how their payments will change for 2026.
Risk Model
While the growth rate determines how much the benchmark payment in a county will change for 2026, the risk model is also an important piece of payment. In 2024, CMS began phasing in an updated risk model for MA that was intended to address concerns about coding intensity that led to higher risk-adjusted payments. The transition to the new risk model is scheduled to conclude in 2026, but some plans have urged CMS to freeze the transition at the current stage or reinstate the old risk model. Even if the Trump administration is sympathetic to this request, it likely would not have enough time to reinstate the old risk model for the 2026 bid cycle. Other stakeholders have urged CMS to finish the phase-in as scheduled, arguing that the new model imposes necessary curbs on the growing gap between FFS and MA risk scores.
A separate risk model adjusts Part D payments. The Inflation Reduction Act changed Part D benefit design by shifting a greater share of risk from the government to plans. As a result, the Part D risk model has taken on added importance for plans. Almost all MA enrollees choose plans that include Part D benefits, so changes to the Part D risk model are an important part of the MA payment calculation. CMS adjusted the model in 2025 and proposed more updates for 2026 to keep up with drug prices and utilization trends. Stakeholders have generally expressed support for the proposed updates, and CMS will likely finalize them as proposed.
Normalization Factor
The normalization factor is a highly technical adjustment CMS makes to risk scores and payments to account for changes in the FFS population’s underlying risk. It is one of the few levers CMS has, besides the growth rate, to dial MA payments up or down in a given year. How CMS calculates the normalization factor can have a big impact on payment. Because the healthcare disruptions of the COVID-19 pandemic made it difficult to identify risk trends, CMS has varied its calculation approach in recent years. For 2026, CMS proposed to use the same calculation method as in 2025, which would result in substantial cuts to MA risk scores and payments. Plans have urged CMS to adopt a different calculation approach that would soften the payment impact of the normalization adjustment.
In 2025 CMS changed the way Part D normalization is applied by creating separate factors for plans that combine MA and Part D benefits (MA-PDs) and plans that offer Part D benefits only (PDPs). CMS’s rationale was that Part D risk scores have increased much faster for MA-PDs than for PDPs. CMS proposed to continue this method in 2026, which could mean large reductions in Part D risk scores and payments to MA-PDs. Plans have argued that lower Part D risk-adjusted payments will lead to higher Part D premiums, which they must “buy down” with rebate dollars in order to offer plans that include both medical and drug coverage with no monthly premium. About 60% of MA enrollees enrolled in a $0 premium plan in 2025.
Stars Rating System
High scores in the Stars Rating System trigger bonus payments for MA plans and are an important marketing tool. The 2026 advance notice discussed several measure updates and work on potential changes like simplifying the measures and methods used to calculate ratings but most Stars changes come through rulemaking, not the rate notice process. While stakeholders should not expect to see any of these changes formalized in the final rate notice, they offer a preview of rulemaking to come.
Upcoming Final Rule
The final rate notice is not CMS’s only opportunity to make changes to the MA and Part D programs for 2026. In late 2024, CMS released a proposed rule for MA and Part D with provisions that would take effect in 2026. The final rule is now under review at the Office of Management and Budget, so CMS potentially could finalize some or all of those provisions in time for the 2026 bid cycle. One key proposal would allow Part D plans to cover anti-obesity medications such as Wegovy and Zepbound. While plans and other stakeholders have raised serious concerns about this proposal and urged CMS not to finalize it, many beneficiaries have expressed support.
The Bottom Line and What to Expect
When releasing the advance rate notice, CMS estimated MA payment rates would rise by 2.23% for 2026, on average. After factoring in expected trends in diagnosis coding, the agency projected an average MA payment rate increase of 4.33%. The advance rate notice was released under the Biden administration, so changes in the final rate notice might illuminate the Trump administration’s approach to MA. A bottom-line increase that improves on the 2.23% in the advance notice might bode well for plans and their physician partners. Anything less than 2.23% might signal rough seas ahead for the MA program.
The Trump Administration Proposes Changes to Regulations Governing Insurance Subject to the Affordable Care Act
In its first major attempt to reform the Affordability Care Act (“ACA”), the Trump Administration issued a proposed rule on March 10, 2025 (“Proposed Rule”) amending regulations governing insurance coverages subject to the ACA.[1] Public comments on the Proposed Rule will be accepted for consideration until April 11, 2025.
In conjunction with the Proposed Rule, the Centers for Medicare & Medicaid Services (“CMS”) issued a statement explaining that the proposed regulations include “critical and necessary steps to protect people from being enrolled in Marketplace coverage without their knowledge or consent, promote stable and affordable health insurance markets, and ensure taxpayer dollars fund financial assistance only for the people the ACA set out to support.” To support its position, CMS cited a report from the Paragon Health Institute suggesting “4 to 5 million people were improperly enrolled in subsidized ACA coverage in 2024, costing federal taxpayers up to $20 billion.” The impact analysis that accompanies the Proposed Rule shows that the Proposed Rule will reduce enrollment in the ACA plans, reduce the number of people who access premium tax credits and cost-sharing reductions that make coverage more affordable, and limit benefits available to individuals including, specifically, coverage for services related to a sex-trait modification as an essential health benefit.
As summarized below, the Proposed Rule contains a variety of key changes to the regulations governing health insurance subject to the ACA that will impact those seeking to obtain health coverage through state and federal insurance marketplaces (the “Marketplace”). In this regard, the Proposed Rule does the following
Allows insurers to deny coverage to individuals who have past-due premium from prior coverage, allowing insurers to consider past due premium amounts as owed as the initial premium for new coverage.
Excludes persons who are Deferred Action for Childhood Arrivals (“DACA”) from eligibility to enroll in a health insurance plans offered on the Marketplace or access premium tax credits and cost-sharing reductions.
Requires CMS to apply a “preponderance of the evidence” standard before terminating an agent for cause as to their agreement with CMS to solicit and sell Marketplace coverage.
Eliminates the ability of an individual to certify to their income when applying for premium tax credits and cost-sharing reductions, instead requiring income determinations be reconciled with tax filing or other information potentially creating coverage delays and administrative barriers. In addition, if an individual does not file a Federal income tax return for two years, the individual will not be eligible for premium tax credits and cost-sharing reductions.
Institutes income eligibility verifications for premium tax credits and cost-sharing reductions and charges people auto-reenrolled into zero-premium plans a small monthly payment until they confirm their eligibility information.
Adjusts the automatic enrollment hierarchy for individuals.
Shortens the annual open enrollment period from the current period, November 15 to January 15, reducing it by one month, to November 15 to December 15.
Removes the monthly special enrollment period (“SEP”) for qualified individuals who become eligible for premium tax credits and cost-sharing reductions because their projected household income falls to or below 150% of the federal poverty level, which means that these individuals will have to wait before they can access premium tax credits and cost sharing reductions.
Changes de minimis thresholds for the actuarial value for plans subject to essential health benefits (“EHB”) requirements and for income-based cost-sharing reduction plan variations.
Updates the annual premium adjustment percentage methodology to establish a premium growth measure that according to the Proposed Rule reflects premium growth in all affected markets, increasing the cost of coverage.
Prohibiting insurance companies subject to ACA requirements from providing coverage for services related to a sex-trait modification as an essential health benefit.
These changes will not take effect immediately, as the Proposed Rule now faces a public comment period that stays open until April 11, 2025. After receipt of public comments, CMS may revise the Proposed Rule before issuing it in final form. If instituted, these changes could have significant impacts on the approximately 24 million Americans who enrolled in coverage in the ACA Marketplace for 2025 and who plan to enroll in coming years. Most importantly, consumers will have less time to enroll and need to present additional documentation to demonstrate eligibility for premium tax credits and cost-sharing reductions creating administrative barriers to enrolling in coverage. In addition, automatically re-enrolled consumers will be charged a small monthly fee until they confirm their eligibility information. Significantly, individuals who are brought to the country from abroad as children and are DACA status will be prohibited in enrolling in Marketplace coverage. And finally, the Proposed Rule prohibit insurers from covering gender-affirming care as essential health benefits.
[1] Patient Protection and Affordable Care Act; Marketplace Integrity and Affordability, CMS-9884-P, 90 Fed. Reg. 12942 et seq. (the “Proposed Rule”).