HHS Reverses Its Longstanding Policy and Limits Public Participation in Rulemaking

On March 3, 2025, the Secretary of Health and Human Services published a policy statement in the Federal Register that reverses a policy adopted over 50 years ago that was intended to expand public participation in the process of rulemaking at the Department of Health and Human Services (the “Department”). 90 Fed. Reg. 11029 (2025).
This action is at odds with the “radical transparency” that Secretary Kennedy had promised previously, and may affect many programs and financial relationships between individuals, organizations, and others that interact with Health and Human Services (“HHS”).
Regulatory agencies such as HHS and its components, including the Centers for Medicare and Medicaid Services (“CMS”), the Food and Drug Administration (“FDA”), and the National Institutes of Health (“NIH”) must follow rulemaking procedures set out in the Administrative Procedure Act (“APA”) when they formulate and publish regulations that are intended to implement a statute and have the force of law. Those procedures include offering the public an opportunity to be notified of proposed regulations and to submit comments to the agency. The APA also contains several exceptions to the notice and comment requirement, including one for matters relating to “public property, loans, grants, benefits, or contracts.” Nevertheless, HHS and several other federal departments adopted policies that voluntarily waived these exceptions.
In 1971, then-Secretary of Health, Education, and Welfare Elliot Richardson issued a policy statement announcing that the Department would voluntarily follow notice and comment procedures for regulations relating to public property, loans, grants, benefits, or contracts (the “Richardson Waiver”). That notice explained that the waiver would allow for greater participation by the public in the rulemaking process, and that the additional burden on the Department was outweighed by the public benefit. The policy also instructed that although the APA allows for rulemaking procedures to be waived when good cause exists, that exception should be used “sparingly.”
HHS’s New Policy Limiting Rulemaking and Potential Safeguards
The new HHS policy statement sweeps away the 1971 policy. Its impact may vary depending on the issue and component of HHS. For example, for research funded by the NIH or other projects funded by agencies within HHS, the new policy could allow a granting or contracting agency to amend financial terms without public participation. This exact issue is currently in the spotlight as courts actively evaluate the legality of the NIH’s recent Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates (NOT-OD-25-068) (“Supplemental Guidance”), issued by the Office of the Director of the National Institutes of Health on February 7, 2025, which attempted to impose an across-the-board 15% cap on Indirect Cost (“IDC”) rates for all new grants as well as for existing grants awarded to Institutions of Higher Education. The District Court of Massachusetts has imposed a nationwide preliminary injunction (“PI”) prohibiting the Secretary and NIH from taking any steps to implement or enforce the Supplemental Guidance. Commonwealth of Massachusetts, et al. v. National Institutes of Health, et al., No. 25-CV-10338 (D. Mass. Mar. 5, 2025). The court concluded that the plaintiffs would be irreparably harmed by the Supplemental Guidance and agreed that the Supplemental Guidance was a legislative rule that failed to comply with the notice and comment requirements of the APA. It relied in part on the argument that under the Richardson Waiver, the Secretary could not change the IDC rate unilaterally. The timing of the Department’s policy reversing the Richardson Waiver might be viewed as directly responsive to this disputed point in the ongoing litigation.
In other areas, the policy statement may have little or no impact if there is a separate statutory requirement for rulemaking. In the Medicare statute, for example, Congress mandated in Section 1871(a)(2) of the Social Security Act that HHS must engage in notice and comment rulemaking for any “substantive legal standard governing the scope of benefits, the payment for services, or the eligibility of individuals, entities, or organizations to furnish or receive services or benefits . . . .” Should Congress decide to limit the scope of the new HHS policy, this statute could be a template for legislation.
The impact of the new policy on the Medicaid program is less clear. While there is no similar statutory requirement for rulemaking under the Medicaid program as there is for Medicare, the federal government also has more limited control over the direction of each individual State’s Medicaid program offering. However, there are areas where HHS has sought public comment on changes to state Medicaid program requirements in the past, such as changes proposed by States through Medicaid program waivers that the federal government has to approve. This new policy may be signaling that HHS will choose not to seek comments on those proposed changes in the future.
Returning to the IDC rate litigation, there arguably exists both statutory and regulatory grounding for applying grantees’ existing negotiated indirect cost rates, documented in the negotiated indirect cost rate agreement (“NICRA”) entered into between the government and grantee institutions. First, a provision in the annual appropriations act since 2018 has limited Congress’ ability to impose any type of across-the-board cap. See Further Consolidated Appropriations Act, 2024, P.L. 118-47, Title II, § 224. This was adopted in response to the first Trump administration’s attempt to impose an across-the-board cap of 10% in 2017. Second, in the HHS regulations applicable to IDC rates, there is an explicit requirement that the negotiated rates must be “accepted by all Federal awarding agencies.” 45 C.F.R. § 75.414(c)(1). This regulatory exception, and alleged noncompliance with the APA’s rulemaking requirement, is at the core of the ongoing IDC rate litigation. As such, there are arguably continued bases for the objection to the NIH Supplemental Guidance notwithstanding the recent reversal of the Richardson Waiver.
Does HHS’s New Policy Signal a Wider Use of the “Good Cause” Exception?
Another part of the new HHS policy to watch carefully involves the exception in the APA that allows agencies to dispense with notice and comment rulemaking when there is good cause that a notice and comment period is impractical or contrary to the public interest. The new HHS policy states that agencies may rely on the good cause exception “in appropriate circumstances” rather than “sparingly” but provides no further clarification.
Courts have interpreted this exception narrowly; for example, they have upheld good cause exceptions when agencies have responded to epidemics and natural disasters, but have rejected exceptions claimed by agencies due to statutory deadlines, economic concerns, or a need to implement a political goal rapidly. In addition, a 2012 report published by the General Accountability Office criticized the frequent use of the good cause exception to avoid public comments on rules. Therefore, it remains to be seen how and when HHS relies on this exception, and whether the reasons offered justify the exception or would stand up to judicial review.

OSHA Terminates COVID-19 Emergency Temporary Standard for Healthcare Workers

Is COVID-19 still a thing, and does OSHA care about it? Yes and yes. We all know that COVID-19 is still around. On the OSHA front, the agency seems to be focused less exclusively on COVID-19 and plans to take a broader approach.
Refresher on OSHA’s Work During the Pandemic
On June 21, 2021, OSHA issued an Emergency Temporary Standard (ETS) to protect healthcare workers from COVID-19. The ETS also served as a proposed rule for a permanent standard to address COVID-19 exposure in healthcare settings. OSHA submitted a draft final rule to the Office of Management and Budget in December 2022. However, the COVID-19 pandemic evolved, and the resources needed to finalize a separate COVID-19 standard grew, which resulted in a House Joint Resolution terminating the national emergency and OSHA terminating the rulemaking.
Now What?
OSHA determined that a more effective strategy would be to create a broader infectious diseases standard for healthcare workers. This new standard will cover multiple infectious diseases, including COVID-19, offering more comprehensive protections for healthcare workers. As a result, effective January 15, 2025, OSHA has decided to terminate its COVID-19 rulemaking and focus instead on this broader infectious diseases standard, rather than a disease-specific approach. On February 5, 2025, OSHA issued a memorandum that it will not enforce the COVID-19 recordkeeping and reporting requirements.


This Week in 340B: February 25 – March 3, 2025

Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation. 
Issues at Stake: Antitrust; Contract Pharmacy; HRSA Audit Process; Rebate Model

In an antitrust class action case, the court granted the defendant’s motion to dismiss.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, a group of amici filed an amicus brief in support of appellees.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, defendants-appellants filed an opening brief.
In a Freedom of Information Act (FOIA) case, the plaintiff filed a reply in support of its motion to strike the government’s motion for summary judgment.
In one Health Resources and Services Administration (HRSA) audit process case, the plaintiff filed a supplemental brief in support of the plaintiff’s motion for preliminary injunction.
A group of 340B covered entities filed a complaint against a group of commercial payors, alleging that the payors were in breach of their contracts by failing to pay the proper amounts for 340B-acquired drugs.
In three cases challenging a proposed state law governing contract pharmacy arrangements in Missouri, the court denied in part and granted in part two separate motions to dismiss and denied plaintiff’s motion for a preliminary injunction in a third case.
In two cases against HRSA alleging that HRSA unlawfully refused to approve drug manufacturers’ proposed rebate models:

In one such case, a group of amici filed an amicus brief in support of defendants.
In one such case, a group of amici moved for leave to file an amicus brief in support of plaintiffs’ motion for summary judgment.

Additional Authors: Kelsey Reinhardt and Nadine Tejadilla

California’s AI Revolution: Proposed CPPA Regulations Target Automated Decision Making

On November 8, 2024, the California Privacy Protection Agency (the “Agency” or the “CPPA”) Board met to discuss and commence formal rulemaking on several regulatory subjects, including California Consumer Privacy Act (“CCPA”) updates (“CCPA Updates”) and Automated Decisionmaking Technology (ADMT).
Shortly thereafter, on November 22, 2024, the CPPA published several rulemaking documents for public review and comment; the comment period ended February 19, 2025. If adopted, these proposed regulations will make California the next state to regulate AI at a broad and comprehensive scale, in line with Colorado’s SB 24-205, which contains similar sweeping consumer AI protections. Upon consideration of the review and comments received, the CPPA Board will decide whether to adopt or further modify the regulations at a future Board meeting. This post summarizes the proposed ADMT regulations, which businesses should review closely and prepare to act on to ensure future compliance.
Article 11 of the proposed ADMT regulations outlines actions intended to increase transparency and consumers’ rights related to the application of ADMT. The proposed rules define ADMT as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” The regulations further define ADMT as a technology that includes software or programs, uses the output of technology as a key factor in a human’s decisionmaking (including scoring or ranking), and includes profiling. ADMT does not include technologies that do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking (this includes web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies). The proposed ADMT regulations will require businesses to notify consumers about their use of ADMT, along with their rationale for its implementation. Businesses also would have to provide explanations on ADMT output in addition to a process for consumers to request to opt-out from such ADMT use.
It is important to note that the CCPA Updates will be applicable to organizations that meet the thresholds of California Civil Code sections 1798.140(d)(1)(A), (B) and (C). These provisions apply to organizations that: (A) make more than $25,000,000 in gross annual revenues; (B) alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households; and (C) derive 50% or more of their annual revenues from selling or sharing consumers’ personal information. While not exhaustive of the extensive rules and regulations described in the proposed CCPA Updates, the following are the notable changes and potential business obligations under the new ADMT regulations.
Scope of Use
Businesses that use ADMT for making significant decisions concerning consumers must comply with the requirements of Article 11. “Significant decisions” include decisions that affect financial or lending services, housing, insurance, education, employment, healthcare, essential goods services, or independent contracting. “Significant decisions” may also include ADMT used for extensive profiling (including, among others, profiling in work, education, or for behavioral advertising), and for specifically training AI systems that might affect significant decisions or involve profiling.
Providing a Pre-Use Notice
Businesses that use ADMT must provide consumers with a pre-use notice that informs consumers about the use of ADMT, including its purpose, how ADMT works, and their CCPA consumer rights. The notice must be easy to read, available in the languages in which the business customarily provides documentation to consumers, and accessible to those with disabilities. Businesses must also clearly present the notice to the consumer in the way in which the business primarily interacts with the consumer, and they must do so before they use any ADMT to process the consumer’s personal information. Exceptions to these requirements will apply to ADMT used for security, fraud prevention, or safety, where businesses may omit certain details.
According to Section 7220 of the CCPA Updates, pre-use notice must contain:

A plain language explanation of the business’s purpose for using ADMT.
A description of the consumer’s right to opt-out of ADMT, as well as directions for submitting an opt-out request.
A description of the consumer’s right to access ADMT, including information on how the consumer can request access to the business’s ADMT.
A notice that the business may not retaliate against a consumer who exercises their rights under the CPPA.
Any additional information (via a hyperlink or other simple method), in plain language, that discusses how the ADMT works.

Consumer Opt-Out Rights
Consumers must be able to opt-out of ADMT use for significant decisions, extensive profiling, or training purposes. Exceptions to opt-out rights include where businesses use ADMT for safety, security, or fraud prevention or for admission, acceptance, or hiring decisions, so long as it is necessary, and its efficacy has been evaluated to ensure it works as intended. Businesses must provide consumers at least two methods of opting out, one of which should reflect the way the business mainly interacts with consumers (e.g., email, internet hyperlink etc.). Any opt-out method must be easy to execute and should require minimal steps that do not involve creating accounts or providing unnecessary info. Businesses must process opt-out requests within 15 business days, and they may not retaliate against consumers for opting out. Businesses must wait at least 12 months before asking consumers who have opted out of ADMT to consent again for its use.
Providing Information on the ADMT’s Output
Consumers have the right to access information about the output of a business’s ADMT. The CPPA regulations do not define “output,” but the term likely includes outcomes produced by ADMT and the key factors influencing them.
When consumers request access to ADMT, businesses must provide information on how they use the output concerning the consumer and any key parameters affecting it. If they use the output to make significant decisions about the consumer, the business must disclose the role of the output and any human involvement. For profiling, businesses must explain the output’s role in the evaluation.
Output information includes predictions, content, recommendations, and aggregate statistics. Depending on the ADMT’s purpose, intended results, and the consumer’s request, the information provided can vary. Businesses must carefully consider these nuances to avoid over-disclosure.
Human Appeal Exception
The CPPA proposes a “human appeal exception,” by which consumers may appeal a decision to a human reviewer who has the authority to overturn the ADMT decision. Businesses can choose to offer a human appeal exception in lieu of providing the ability to opt out when using ADMT to make a significant decision concerning access to, denial, or provision of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.
To take advantage of the human appeal exception, the business must designate a human reviewer who is able to understand the significant decision the consumer is appealing and the effects of the decision on the consumer. The human reviewer must consider the relevant information provided by the consumer in their appeal and may also consider any other relevant source of information. The business must design a method of appeal that is easy for consumers to execute, requiring minimal steps, and that it clearly describes to the consumer. Communications and disclosures with appealing consumers must be easy to read and understand, written in the applicable language, and reasonably accessible.
Risk Assessments
Under the CPPA’s proposed rules, every business that processes consumer personal information must conduct a risk assessment before initiating that processing, especially if the business is using ADMT to make significant decisions concerning a consumer or for extensive profiling. Businesses must conduct risk assessments to determine whether the risks to consumers’ privacy outweigh the benefits to consumers, the business, and other stakeholders.
When conducting a risk assessment, businesses must identify and document: the categories of personal information to be processed and whether they include sensitive personal information; the operational elements of its ADMT processing (e.g., collection methods, length of collection, number of consumers affected, parties who can access this information, etc.); the benefits that this processing provides to the business, its consumers, other stakeholders, and the public at large; the negative impacts to consumers’ privacy; the safeguards that it plans to implement to address said negative impacts; information on the risk assessment itself and those who conducted it; and whether the business will initiate the use of ADMT despite the identified risks.
A business will have 24 months from the effective date of these new regulations to submit the results of the risk assessments it conducted from the effective date of these regulations to the date of submission. After completing its first submission, a business must submit subsequent risk assessments every calendar year. In addition, a business must review and update risk assessments to ensure accuracy at least once every three years, and it should convey updates through the required annual submission. If there is any material change to a business’s processing activity, it must immediately conduct a risk assessment. A business should retain all information collected for its risk assessments for as long as the processing continues, or for five years after the completion of the assessment, whichever is later.
What Businesses Should Do Now
The CPPA’s proposed ADMT regulations under the CCPA emphasize the importance of transparency and consumer rights. By requiring businesses to disclose how they use ADMT outputs and the factors influencing the outputs, the regulations aim to ensure that consumers are well-informed, and safeguards exist to protect against discrimination. As businesses incorporate ADMT, including AI tools, for employment decision making, they should follow the proposed regulations’ directive to conduct adequate risk assessments. Regardless of the form in which these regulations go into effect, preparing a suitable AI governance program and risk assessment plan will protect the business’s interests and foster employee trust.
Please note that the information provided in the above summary is only a portion of the rules and regulations proposed by the CCPA Updates. Now that the comment period has closed, the CPPA will deliberate and finalize the CCPA Updates within the year. Evidently, these proposed regulations will require more action by businesses to remain compliant. While waiting for the CPPA’s finalized update, it is important to use this time to plan and prepare for these regulations in advance.

Raw Milk: State Legislative Updates and Challenges

Several states have recently introduced or passed legislation related to raw milk, reflecting a growing interest in unpasteurized milk despite the fact that raw milk can carry harmful bacteria such as Salmonella, E. coli, and Listeria, posing serious health risks. The U.S. Food and Drug Administration (FDA) and the Centers for Disease Control (CDC) strongly advise against consuming raw milk due to these dangers and have implemented regulations to limit its sale.
Despite the long-standing position at both agencies, the new Secretary of the Department of Health and Human Services (HHS), Robert F. Kennedy Jr., has been a vocal advocate for raw milk, promoting its benefits and criticizing regulatory restrictions. His support has brought renewed attention to the raw milk movement, influencing legislative efforts.

Arkansas Bill HB 1048: This bill would allow the sale of raw goat milk, sheep milk, and whole milk directly to consumers at the farm, at farmer’s markets, or via delivery by the farm.
Utah Bill HB414: This bill has passed the House and is now before the Senate. This bill establishes enforcement steps for raw milk suspected in foodborne illness outbreaks, aiming to protect consumers.
Other states’ Legislation: States including Iowa, Minnesota, West Virginia, Maryland, Rhode Island, Oklahoma, New York, Missouri, and Hawaii have introduced various raw milk-related bills with efforts ranging from expanding sales to implementing stricter safety regulations.

Proposed HIPAA Security Rule Updates May Significantly Impact Covered Entities and Business Associates

As we noted in our previous blog here, on January 6, 2025, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) proposing substantial revisions to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Parts 160 and 164) (the “Security Rule”).
This NPRM is one of several recent actions taken on the federal level to improve health data security. A redline showing the NPRM’s proposed revisions to the existing Security Rule language is available here. Comments on this NPRM must be submitted to OCR by March 7, 2025. Over 2,800 comments have been submitted thus far. These comments include opposition from several large industry groups raising concerns about the costs of compliance, asserting that the NPRM would impose an undue financial burden without a clear need for such changes to the existing framework. Some commentators expressed concerns regarding the burden on smaller or solo practitioners, while other commentators wrote in support of the effort to improve cybersecurity and commented on suggested alterations to particular elements of the rulemaking. Although the Trump administration has apparently not publicly commented on the NPRM and the final outcome of the rulemaking remains unclear, this Insight details important changes in the NPRM and potential widespread impacts on both covered entities and business associates (collectively, “Regulated Entities”).
The NPRM, if finalized as drafted, establishes new prescriptive cybersecurity and documentation requirements. This represents a significant change for a rule whose hallmark has historically been a flexible approach based upon cybersecurity risk, considering the size and complexity of an organization’s operations. Notably, the background to the NPRM is that the Security Rule already applies to Regulated Entities, including health-related information technology (IT) and artificial intelligence (AI) organizations that process health data on behalf of covered entities. The overall impact of the proposed changes may vary because certain Regulated Entities may already have in place the more robust safeguards prescribed by the NPRM. However, for those Regulated Entities that have not previously taken all such steps, including complying with the enhanced documentation requirements, the burden of the new compliance requirements may be significant.
OCR pointed to several justifications for the proposed revisions to the Security Rule, including:

the need for strong security standards in the health care industry to improve the efficiency and effectiveness of the health care system;
the continuous evolution of technology since the Security Rule was last updated in 2013;
inconsistent and inadequate compliance with the Security Rule among Regulated Entities; and
the need to strengthen the Security Rule to address changes in the health care environment, including the increasing number of cybersecurity incidents resulting from a proliferation of evolving cyber threats.

Although not discussed in detail by OCR, the growing number of state privacy and data protection laws, risk management frameworks related to data protection, and court decisions have also contributed to the impetus for greater specificity in the Security Rule with its focus on protecting identifiable patient health information.
Notably, many of the substantive requirements in the NPRM are already incorporated in various guidelines and safeguards for protecting sensitive information, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and HHS’s cybersecurity performance goals (CPGs). Voluntary compliance with these recognized guidelines has been incentivized pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act’s 2021 amendment because a Regulated Entity that adopts “recognized security practices” is entitled to have its adoption considered by OCR in determining fines and other consequences if the agency conducts a review of the Regulated Entity’s HIPAA compliance. Accordingly, OCR noted that these standards and other similar guidelines were considered in the development of the NPRM requirements. Moreover, even if they have already implemented these practices, Regulated Entities will be faced with significantly increased administrative requirements, such as regular review and enhanced documentation requirements.
Key Proposed Changes
The NPRM includes the following key revisions:
New/Updated Definitions Clarify Electronic Systems Within the Rule’s Protections
The NPRM includes 10 new definitions and 15 changed definitions. Some of the new definitions address basic concepts that OCR had not defined previously, including “risk,” “threat,” and “vulnerability.” These definitions are not groundbreaking but will help guide Regulated Entities in establishing a more uniform standard for what they should be evaluating when considering data security.
Another change to the definitions section involves OCR’s proposed updates to the definition of “information systems” as well as new definitions for “electronic information system” and “relevant electronic information system.” Throughout the NPRM, OCR clarifies when all electronic information systems must abide by a rule versus only the relevant electronic information systems. In effect, each definition narrows the preceding definition, with “relevant electronic information systems” encompassing the smallest group of systems.
The NPRM defines an “electronic information system” as an “interconnected set of electronic information resources under the same direct management control that shares common functionality” and “generally includes technology assets such as hardware, software, electronic media, information and data.” Conversely, “relevant electronic information systems” are only those electronic information systems that create, receive, maintain, or transmit electronic protected health information (ePHI) or that otherwise affect the confidentiality, integrity, or availability of ePHI. The catchall phrasing broadens the definition significantly, requiring Regulated Entities to consider electronic systems they rely on that do not contain any ePHI but may affect access to and/or the confidentiality or integrity of ePHI.
“Addressable” Security Implementation Specifications Would Become “Required”
The Security Rule sets forth three categories of safeguards an organization must address: (1) physical safeguards, (2) technical safeguards, and (3) administrative safeguards. Each set of safeguards comprises a number of standards, and, beyond that, each standard consists of a number of implementation specifications, each of which is an additional detailed instruction for implementing a particular standard.
Currently, the Security Rule categorizes implementation specifications as either “addressable” (i.e., which give Regulated Entities flexibility in how to approach them) or “required” (i.e., they must be implemented by Regulated Entities). In meeting standards that contain addressable implementation specifications, a Regulated Entity currently has the option to (1) implement the addressable implementation specifications, (2) implement one or more alternative security measures to accomplish the same purpose, or (3) not implement either an addressable implementation specification or an alternative. In any event, the Regulated Entity’s choice and rationale must be documented.
According to the NPRM, OCR has become concerned that Regulated Entities view addressable implementation specifications as optional, thereby reducing the ultimate effectiveness of the Security Rule. The NPRM proposes to remove the distinction between “addressable” and “required” specifications, making all implementation specifications required, except for a few narrow exemptions.
Technology Asset Inventories and Information System Maps Are Required
The current Security Rule requires Regulated Entities to assess threats, vulnerabilities, and risks but stops short of prescribing particular methods or means of doing so. Certain recognized security practices generally include assessing technology assets and reviewing the movement of ePHI through technological systems to ensure there are no blatant vulnerabilities or overlooked risks.
The NPRM proposes to turn these practices into explicit requirements to create a technology asset inventory and a network map. The technology asset inventory would require written documentation identifying all technology assets, including location, the person accountable for such assets, and the version of each asset. The network map must illustrate the movement of ePHI through electronic information systems, including how ePHI enters, exits, and is accessed from outside systems. Additionally, the network map must account for the technology assets used by business associates to create, receive, maintain, or transmit ePHI. Both the technology asset inventory and network map would need to be reviewed and updated at least once every 12 months.
More Specific Risk Analysis Elements and Frequency Requirements Are Imposed
The Security Rule currently requires Regulated Entities to conduct a risk analysis assessing the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by such entities. As mentioned above, the Security Rule itself does not actually define “risk,” leaving some latitude for Regulated Entities to determine what should be included and considered in their risk analyses. While NIST (e.g., SP 800-30), the CPGs, and other authoritative sources have, over time, developed practices for conducting risk analyses, the current Security Rule (last updated in 2013) does not reflect what many now consider to be “best practices,” nor does it provide a specific methodology for Regulated Entities to consider in analyzing risks.
The NPRM imposes specific requirements that must be included in a risk analysis and its documentation, including:

a review of the aforementioned technology asset inventory and network map;
identification of all reasonably anticipated threats to the ePHI created, received, maintained, or transmitted by the Regulated Entity;
identification of potential vulnerabilities to the relevant electronic information systems of the Regulated Entity;
an assessment and documentation of the security measures the Regulated Entity uses to ensure that the measures protect the confidentiality, integrity, and availability of the ePHI;
a reasonable determination of the likelihood that “each” of the identified threats will exploit the identified vulnerabilities; and
if applicable, a reasonable determination of the potential impact of such exploitation and the risk level of each threat.

OCR notes in its preamble that there is still flexibility in determining risk based on the specific type of Regulated Entity and that entity’s specific circumstances. A high or critical risk to one Regulated Entity might be low or moderate to another. OCR is attempting to draw a fine line between telling Regulated Entities more explicitly what they should consider as risks (and what classification of risk should be assigned) while staying true to the hallmark flexibility of the Security Rule in allowing Regulated Entities to determine criticality.
The NPRM requires that risk analyses be reviewed, verified, and updated at least once every 12 months or in response to environmental or operational changes impacting ePHI. In addition to the risk analysis, the NPRM also proposes a separate evaluation standard wherein the Regulated Entity must create a written evaluation to determine whether any and all proposed changes in environment or operations would affect the confidentiality, integrity, or availability of ePHI prior to making that change.
Patch Management Is Now Subject to Mandated Timing Requirements
The NPRM proposes a new patch management standard that requires Regulated Entities to implement policies and procedures for identifying, prioritizing, and applying software patches throughout their relevant electronic information systems. The NPRM proposes specific timing requirements for patching, updating, or upgrading relevant electronic information systems based on the criticality of the patch in question:

15 calendar days for a critical risk patch,
30 calendar days for a high-risk patch, and
a reasonable and appropriate period of time based on the Regulated Entity’s policies and procedures for all other patches.

The NPRM contains limited exceptions for patch requirements where a patch is not available or would adversely impact the confidentiality, integrity, or availability of ePHI. Regulated Entities must document if/when they rely on such an exception, and they must also implement reasonable and appropriate compensating controls to address the risk until an appropriate patch becomes available.
Workforce Controls Are Tightened, Including Training and Terminating Access
The Security Rule currently has general workforce management requirements, including procedures for reviewing system activity, policies for ensuring workforce members have appropriate access, and required security awareness training. Although Regulated Entities are currently required to identify the security official responsible for the development and implementation of the security policies and technical controls, the NPRM would require the identification to be in writing.
Despite the current rules relative to workforce security, OCR noted that many Regulated Entities are not in full compliance with such requirements. OCR cited to an investigation involving unauthorized access by a former employee of a Regulated Entity as an example of Regulated Entities not tightly controlling and securing access to their systems. The NPRM addresses that issue by outlining more explicit requirements for workforce control policies, which must be written and reviewed at least once every 12 months.
In addition, the NPRM proposes strict timing requirements for workforce access and training:

Terminated employees’ access to systems must end no later than one hour after termination.
Other Regulated Entities must be notified after a change in or termination of a workforce member’s authorization to access ePHI of those other Regulated Entities no later than 24 hours after the change or termination.
New employees must receive training within 30 days of establishing access and at least once every 12 months thereafter.

Verifying Business Associate Compliance Is Required to Protect Against Supply Chain Risks
The NPRM also includes a new requirement for verifying business associate technical safeguards. Under the NPRM, Regulated Entities must obtain written verification of the technical safeguards used by business associates/subcontractors that create, maintain, or transmit ePHI on their behalf at least every 12 months. Such verification must be written by a person with appropriate knowledge of, and experience with, generally accepted cybersecurity principles and methods, which the HHS website refers to as a “subject matter expert.”
Multi-Factor Authentication and Other Technical Controls Are Mandatory
While the Security Rule has significant overlap with the NIST Cybersecurity Framework and CPGs, the NPRM would further align the Security Rule with these frameworks relative to technical controls. For example, the NPRM would require Regulated Entities to implement minimum password strength requirements that are consistent with NIST. Additionally, the NPRM proposes multi-factor authentication requirements that are consistent with the CPGs, which identify multi-factor authentication as an “essential goal” to address common cybersecurity vulnerabilities. Under the NPRM, multi-factor authentication will require verification through at least two of the following categories:

Information known by the user, such as a password or personal identification number (PIN);
Items possessed by the user, including a token or a smart identification card; and
Personal characteristics of the user, such as a fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

The NPRM permits limited exceptions from multifactor authentication where (1) current technology assets do not support multi-factor authentication, and the Regulated Entity implements a plan to migrate to a technology asset that does; (2) an emergency or other occurrence makes multi-factor authentication infeasible; or (3) the technology asset is a device approved by the U.S. Food and Drug Administration.
Other proposed minimum technical safeguards in the NPRM include:

segregation of roles by increased privileges,
automatic logoff,
log-in attempt controls,
network segmentation,
encryption at rest and in transit,
anti-malware protection,
standard configuration for OS and software,
disable network ports,
audit trails and logging,
vulnerability scanning every six months, and
penetration testing every 12 months.

Contingency/Disaster Planning Is Required to Ensure Resiliency
The Security Rule requires contingency planning for responding to emergencies or occurrences that damage systems containing ePHI, including periodic testing and revision of those plans.
The NPRM outlines more concrete obligations relative to contingency planning, including requirements to identify critical electronic information systems. The NPRM proposes relatively short timing requirements, requiring the implementation of procedures to restore critical electronic information systems and data within 72 hours of a loss and requiring business associates to notify covered entities upon activation of their contingency plans within 24 hours after activation.
Regulated Entities are granted the ability to define what these critical electronic information systems are in conducting their criticality analysis and should consider the quick turnaround time for restoring access when making these determinations.
Impact of the Proposed Changes
Regardless of what security framework, controls, and processes Regulated Entities may already have in place, there are three areas where all organizations can expect to see a significant impact in terms of planning and implementation: (1) increased documentation burden; (2) increased compliance obligations; and (3) business associate agreements (BAAs) compliance. The compliance burden will certainly be significant (as many of the commentators have pointed out), but given the breadth of the NPRM, the full extent of the compliance burden will need to await a final resolution of the rulemaking process.
Increased Documentation Burden
While the Security Rule already requires that Regulated Entities develop and maintain security policies and procedures, the NPRM would expressly require that those policies and procedures, as well as proposed additional plans (e.g., security incident response plans), be documented in writing. As a result, if/when OCR is assessing a Regulated Entity’s compliance with the Security Rule, it will likely have a longer checklist of written policies and procedures it expects to see. In addition, the technology asset inventory, network map, written verification of technical safeguards used by business associates, and all of the analyses and evaluations required by the NPRM would need to be memorialized in writing. Many of these documents would require review at least once per year. Many Regulated Entities may find the new documentation requirements impose an increased administrative burden. Further, with respect to Regulated Entities that do not have sufficient internal expertise or resources to tackle the implementation of these proposed requirements, it is likely that Regulated Entities will need to engage third-party legal and IT experts to meet these requirements.
Increased Compliance Obligations
With the additional written policies and procedures come additional obligations to test and review those procedures. Policies cannot be established and stored away until OCR asks to review them; rather, security policies must be revisited and reviewed at least every 12 months. The NPRM also requires that some of these policies be put to the test to determine the adequacy of the procedures in place at least once every 12 months. This will require dedication of additional time and resources on an ongoing basis. Again, to meet these requirements, Regulated Entities may need to engage third-party legal and IT experts to support these efforts.
The NPRM also contains some new timing requirements that may necessitate the development and implementation of new processes to meet these tight deadlines:

A former employee’s access must end within one hour of the termination of the individual’s employment.
Business associates must report to covered entities within 24 hours of activating contingency plans.
Disaster plans must restore critical electronic information systems and data within 72 hours of a loss.
Critical and high-risk patches not exempted from the rule must be deployed within 15 and 30 days, respectively.

Business Associate Agreements Compliance
As business associates are directly regulated under the Security Rule, they will also be beholden to the enhanced requirements of the NPRM. In addition, as a result of many of the NPRM’s proposed changes, covered entities and business associates will owe one another new obligations.
As a result, it is likely that these new requirements under the NPRM will impact what is memorialized in BAAs. For example, Regulated Entities must obtain written verification from their business associates that they have implemented the required technical safeguards not only upon contracting but at least once a year thereafter. Regulated Entities should also consider revising their existing BAAs to make more explicit the security safeguard requirements that the NPRM imposes, such as multi-factor authentication and patch management. Further, in light of the potential significant changes to security obligations under the NPRM, parties may also wish to reconsider other provisions in their BAAs regarding risk allocation and indemnification rights, audit rights, third-party certification obligations, offshoring, and reporting triggers and timelines, among others. Depending on the volume of BAAs a Regulated Entity maintains, this renegotiation of BAAs could become a costly and time-consuming endeavor.
Recognition of New/Emerging Technologies
Finally, OCR acknowledged the constantly evolving nature of technology, including quantum computing, AI, and virtual and augmented reality. OCR reiterated its position that the Security Rule, as written, is meant to be technology-neutral; therefore, Regulated Entities should comply with the rule regardless of whether they are using new and emerging technologies. Nevertheless, OCR discussed how the Security Rule may apply in the case of quantum computing, AI, or virtual and augmented reality use and has included a request for information from industry stakeholders and others regarding:

whether HHS’s understanding of how the Security Rule applies to new technologies involving ePHI is not comprehensive and, if so, what issues should also be considered;
whether there are technologies that currently or in the future may harm the security and privacy of ePHI in ways that the Security Rule could not mitigate without modification, and, if so, what modifications would be required; and
whether there are additional policy or technical tools that HHS may use to address the security of ePHI in new technologies.

* * * * *
The future of the NPRM remains uncertain as to whether it will be finalized under the second Trump administration. While efforts to strengthen cybersecurity protections across the health care sector have gained bipartisan support, including under the first Trump administration, the estimated cost of compliance and heightened regulatory obligations under the NPRM may face challenges in light of the second Trump administration’s stated position against increased federal regulation.
Alaap B. Shah also contributed to this article.

Litigation Minute: Emerging Contaminants: What’s on the Horizon?

What You Need to Know in a Minute or Less
Emerging contaminants are synthetic or natural chemicals that have not been fully assessed from a health or risk perspective and are reportedly finding their way into consumer products and the environment. These include chemicals that have been widely used throughout society for decades but are now being targeted due to scientific developments and public scrutiny regarding their uses. Across industries, we are seeing increased regulation of consumer products, manufacturing processes, and industrial emissions, as well as new waves of litigation against unsuspecting businesses, putting their operations and financial stability at risk.
The first edition in this three-part series underscores the impact of the regulatory regime on the legal landscape and forecasts what lies ahead with a new regime and the substances likely in line for increased scrutiny, particularly ethylene oxide (EO) and perfluoroalkyl or polyfluoroalkyl substances (PFAS), as well as other chemicals.
In a minute or less, here is what you need to know about what is on the horizon for emerging contaminants litigation and regulation. 
Regulation Drives Litigation
EO is a versatile compound used to make ethylene glycol and numerous consumer products, including household cleaners and personal care items. Also used to sterilize medical equipment and other plastics sensitive to heat or steam, its uptick in litigation was largely driven by regulators’ positions surrounding EO’s alleged carcinogenic risk.
In 2016, the US Environmental Protection Agency (EPA) released its Integrated Risk Information System (IRIS) Assessment, finding that EO was 60 times more toxic than previous estimates and “carcinogenic to humans.”1 Widespread litigation soon followed, despite:

the EPA recognizing that its assessment included several uncertainties;2
state agencies, such as the Texas Commission on Environmental Quality, concluding that the EPA significantly overestimated EO’s carcinogenic risks;3 and
state agencies, such as the Tennessee Department of Health, finding no evidence for the clustering of high numbers of cancers near facilities that emit EO.4

The takeaway: A lack of robust science does not minimize litigation risk. Immature and incomplete scientific information will drive early litigation, particularly when it receives regulatory attention and is widely publicized on social media and the popular press.
Where Federal Efforts Slow, States Pick Up the Slack
With Republicans taking control of the Senate, House of Representatives, and White House in November, expect that some legislation and regulation concerning emerging contaminants will be scaled back or unlikely to gain traction. This includes the EPA’s regulation of EO under the Clean Air Act and requirements for the use of EO as a pesticide, as well as bills introduced in Congress to phase out certain uses of PFAS, which are used in firefighting foams, personal care products, food packaging, and other consumer product applications.
But where federal legislation and regulation slow, expect state-level efforts and private litigation such as citizen suits to increase. For example, more than 20 states identified PFAS as an immediate, mid-, or long-term focus for 2025, and President Donald Trump’s first term saw a significant increase in environmental citizen suits.
The takeaway: Do not expect that the new administration will result in a lack of focus on emerging contaminants nationwide. Companies with products or intermediaries that become the focus of emerging contaminant legislation or regulation should consider whether it is appropriate to participate in legislative meetings, hearings, stakeholder sessions, and opportunities to comment and testify; meet with regulators and representatives in critical states; or contribute to the development of model legislation for use in various states.
Other Chemicals “Emerging” as Emerging Contaminants
With increased scientific scrutiny and regulatory activity acting as catalysts for litigation involving emerging contaminants, many other ubiquitous chemical substances may get caught up in the next waves of regulation and litigation—including, for example, microplastics, formaldehyde, and phthalates.
Microplastics
Microplastics can come from several sources, such as cosmetics, glitter, clothing, or larger plastic items breaking down over time. While a definitive correlation between microplastic exposure and adverse health effects has not yet been established, and the EPA states that “[m]icroplastics have been found in every ecosystem on the planet, from the Antarctic tundra to tropical coral reefs, and have been found in food, beverages, and human and animal tissue,” recent petitions to the EPA have called for increased monitoring of microplastics in drinking water. Examples of early litigation involving microplastics include consumer fraud and greenwashing claims.
Formaldehyde
Used in the production of construction materials, insulation, and adhesives, and as a preservative in cosmetics and personal care products, formaldehyde has seen an uptick in the filing of personal-injury claims and class actions alleging harm due to alleged exposure. These cases draw on the EPA’s August 2024 IRIS Toxicological Review of Formaldehyde and December 2024 final risk evaluation for formaldehyde under the Toxic Substances Control Act, despite high-profile challenges to the EPA’s assessments that have highlighted concerns with its scientific shortcomings.
Phthalates
The use of ortho-phthalate plasticizers in industrial applications and consumer products such as cosmetics, plastics, and food packaging has recently diminished. However, the listing of numerous phthalates as alleged reproductive toxicants and carcinogens under California’s Proposition 65, combined with Consumer Product Safety Commission restrictions on the use of phthalates in children’s toys and articles and the US Food and Drug Administration’s removal of 25 ortho-phthalate plasticizers from the Food Additive Regulations, are keeping phthalates in the spotlight. Recent phthalate litigation includes mislabeling and false advertising claims for food and childcare products containing trace phthalate residues.
The takeaway: Although litigation and regulatory developments related to EO and PFAS continue to capture headlines, more is on the horizon. Again, immature science can drive early litigation.

Connecticut Establishes Emergency Certificate of Need Process for Hospitals in Bankruptcy

On March 3, 2025, Connecticut Governor Ned Lamont signed a law establishing a new process for hospitals in bankruptcy to apply for an “emergency certificate of need” (CON) to approve a transfer of ownership. The law, titled “An Act Concerning An Emergency Certificate Of Need Application Process For Transfers Of Ownership Of Hospitals That Have Filed For Bankruptcy Protection, The Assessment Of Motor Vehicles For Property Taxation, A Property Tax Exemption For Veterans Who Are Permanently And Totally Disabled And Funding Of The Special Education Excess Cost Grant” (the “Act”), was passed by the Connecticut Legislature though its emergency certification process in order to expedite its approval, presumably to allow the law and new process to be available for CON review of the potential sale(s) of Prospect Medical hospitals in Connecticut expected this year.
Emergency CON Process
Under the Act, the emergency CON process is to be available when “(1) the hospital subject to the transfer of ownership has filed for bankruptcy protection in any court of competent jurisdiction, and (2) a potential purchaser for such hospital has been or is required to be approved by a bankruptcy court.”
The Act requires the Office of Health Strategy (OHS) to:

Develop an emergency CON application for parties to utilize, and in doing so OHS must “identify any data necessary to analyze the effects of a hospital’s transfer of ownership on health care costs, quality and access in the affected market.”

Notably, if the buyer is a for-profit entity, OHS is permitted to require additional information to ensure that the continuing operation of the hospital is in the public interest.

Make a “completeness” determination on a submitted application within 3 business days.

Once an emergency CON application is deemed complete, OHS may – but is not required to – hold a public hearing within 30 days thereafter, and if a hearing is held OHS must notify the applicant(s) at least 5 days in advance of the hearing date. The Act provides that a public hearing or other proceeding related to review of an emergency CON is not a “contested case” under the state’s Uniform Administrative Procedure Act, which limits the procedural and appeal rights of the applicant(s). The Act also allows OHS to contract with third-party consultants to analyze the effects of the transfer on cost, access, and quality in the community, with the cost borne by the applicant(s) and not to exceed $200,000.
Emergency CON Decisions and Conditions
The Act requires final decisions on emergency CONs to be issued within 60 days of the application being deemed complete. Importantly, OHS is required to “consider the effect of the hospital’s bankruptcy on the patients and communities served by the hospital and the applicant’s plans to restore financial viability” when issuing the final decision. The Act also permits OHS to “impose any condition on an approval of an emergency” CON, as long as OHS includes its rationale (legal and factual) for imposing the condition and the specific CON criterion that the condition relates to, and that such condition is reasonably tailored in time and scope. The Act also expressly provides that any condition imposed by OHS on the approval of an emergency CON will apply to the applicant(s), including any hospital subject to the transfer of ownership “and any subsidiary or group practice that would otherwise require” a CON under state law that is part of the bankruptcy sale. However, the Act does allow the applicant(s) to request a modification of conditions for good cause, including due to changed circumstances or hardship.
Finally, the Act provides that the final decision on an emergency CON, including any conditions imposed by OHS as part of the decision, is not subject to appeal.
Takeaways
The Act seeks to establish a clear expedited pathway for CON review of hospital (and health system) sales as part of the bankruptcy process. The specific process, including the form of application, is likely to be rolled out quickly by OHS to be available as part of the resolution of the Prospect Medical bankruptcy process anticipated to occur during 2025. The ultimate efficacy of the process will depend upon the specific data sought as part of the emergency CON process, and on the scope of any conditions imposed by OHS on the sales (which could introduce uncertainty into the bankruptcy sale and approval process), but the establishment of this avenue for review is likely to be welcomed by parties to hospital system bankruptcy actions.

No Funny Business: The Supreme Court Should Get Sirois

As you might have guessed from the title of this post, we are returning to cover new developments in the United States v. Sirois case. A few months ago, the First Circuit released an opinion that we discussed in an earlier post. As we predicted, the Rohrabacher-Farr issues have reappeared, with the Defendants in Sirois now petitioning the United States Supreme Court to grant them certiorari and review the case.
Rohrabacher-Farr Refresher
Just as a reminder, the Rohrabacher-Farr Amendment is an appropriations rider that was first passed in 2014. It bars the DOJ from using government funds to investigate and prosecute state-compliant medical marijuana operations. However, it does not on its face protect individuals who participate in adult-use marijuana operations, even if those operations are legal at the state level. Nor does it suspend the federal Controlled Substances Act. Remember, marijuana cultivation, sales, and use are still illegal under federal law, even in states with medical marijuana programs.
In practice, Rohrabacher-Farr allows state-compliant medical marijuana businesses to operate with much less fear that they will be prosecuted by the federal government. 
Risky Business – United States v. Sirois
Before we head down to D.C., let’s take the third boxcar, midnight train up to our destination: Bangor, Maine. The Sirois Defendants were charged with a number of crimes, including violating the Controlled Substances Act while running their marijuana cultivation and sorting business based in Farmington, Maine. They were accused of, among other things, operating the business as a “collective” in violation of Maine law and facilitating illegal interstate sales of marijuana. Although the DEA initially claimed an even broader multi-drug conspiracy, it seems that the DOJ quickly gave up on proving that most of these people really still deal cocaine.
The trial court dismissed the Defendants’ attempt to enjoin their prosecution based on the Rohrabacher-Farr Amendment. The First Circuit upheld that decision, reasoning that the Defendants failed to show “substantial compliance” with state law and that they were not immune from prosecution due to their “blatantly illegitimate activity.”
Now, the Sirois Defendants have filed a petition for writ of certiorari to the U.S. Supreme Court. The petition seeks to resolve a split between Ninth and Eleventh Circuit precedent and get the Supreme Court to shift the burden of proof — requiring the DOJ to prove that a criminal defendant is noncompliant, rather than forcing the defendant to prove it was in either substantial or strict compliance with state law. The petition previews the Sirois Defendants’ arguments. It reasons that not only were the Defendants in compliance with state law, but that the current state of the law is uncertain, overburdens defendants, and allows the DOJ to overstep and disregard Congressional limits on its power.
We cannot know whether or how the Supreme Court will decide this case. However, given the Circuit split and the current tenor of discussions around executive overreach, this case is ripe for Court review.
Paranoia, Paranoia
Don’t worry, this is not cause for massive alarm. I know most medical marijuana operators out there don’t need to hear this, but we will say it anyway. Everyone is not, in fact, coming to get you. As we said in our last post on this case, we do not believe that Sirois signals mass-scale federal prosecution of state-legal medical marijuana businesses. It is also important to remember, too, that rescheduling may not actually affect the current state of affairs for state-legal operators (although it may make compliance more onerous, with added FDA, DEA, and state pharmaceutical oversight and licensing requirements).
If the Supreme Court grants certiorari, this case will almost certainly clarify the questions that the Sirois Defendants raise. First, state-licensed and authorized medical marijuana operators and patients will better know when the DOJ can criminally investigate and prosecute them for cultivating, distributing, possessing, or using medical marijuana. Second, those same parties will know whether they have the burden to prove they acted in compliance with state law. And third, they will know what they must show to prove that they were actually sufficiently compliant.
If you are still unconvinced, if nothing seems to satisfy you, and you feel like you’ll lose your mind trying to make sure you are following the law, give us a call. Your friends at Bradley are happy to advise you on any regulatory or compliance issues that your cannabis business faces.

California: AB 1415 and Expanded OHCA Oversight — What Providers, MSOs, and Investors Need to Know

On February 21, 2025, California introduced AB 1415, a bill aimed at expanding the regulatory oversight of the Office of Health Care Affordability (OHCA). As discussed in our previous blog, certain health care entities are required to provide written notice to OHCA of any proposed merger, acquisition, corporate affiliation, or other transaction that will result in a material change to the ownership, operations, or governance structure of a health care entity. AB 1415 seeks to expand the types of entities required to provide notice to OHCA by:

Expanding the definition of a “health care entity” to include management services organizations (MSOs).
Imposing notification requirements on private equity groups, hedge funds, and newly formed business entities involved in certain transactions.
Broadening the definition of “provider” to include health systems and entities that own, operate, or control a provider.

Inclusion of Management Services Organizations
Currently, the OHCA statutes and regulations define a “health care entity” as a payor, provider, or a fully integrated delivery system. AB 1415 would expand this definition to specifically include MSOs within the definition of a health care entity directly regulated by the statute. An MSO is defined in AB 1415 as “an entity that provides administrative services or support for a provider, not including the direct provision of health care services.” The bill specifies that administrative services may include, but are not limited to, functions such as utilization management, billing and collections, customer service, provider rate negotiation, and network development.
This broad definition could capture a wider range of administrative service providers that have not traditionally been considered MSOs. For example, a business that exclusively provides billing and collections services to health care organizations may fall within the definition of an “MSO,” even though it is not engaged in the management of a health care practice. While these functions align with typical MSO activities, AB 1415’s use of open-ended language in the definition could extend OHCA’s oversight to other intermediaries that support providers but do not exert managerial control over them, such as third-party administrators (TPAs) and health care technology firms.
If interpreted broadly, AB 1415 could impose unintended compliance burdens on entities that offer administrative services without directly influencing health care delivery, potentially increasing regulatory complexity for non-clinical service providers.
Notification Requirements for Private Equity and Hedge Funds
AB 1415 would establish a notification requirement for private equity groups, hedge funds, and newly formed business entities involved in transactions with health care entities. These entities would be required to provide written notice to OHCA before entering into agreements that:

Sell, transfer, lease, or otherwise dispose of a material amount of a health care entity’s assets to another entity.
Transfer control, responsibility, or governance over a material portion of the health care entity’s operations or assets.

Notably, the definition of a “private equity group” in AB 1415 is broader than the definition of that same phrase in the recently proposed SB 351. SB 351 similarly targets private equity and hedge fund involvement with management arrangements of medical and dental practices in California.
If enacted, California would be among the first states to require private equity groups to report such transactions, and the only state to explicitly include hedge funds in its health care transaction review law.
Expanded Definition of “Provider”
AB 1415 proposes expanding the definition of “provider” to include both private and public health care providers, health systems, and any entity that owns, operates, or controls a provider.
The current OHCA statute and regulations apply to nearly all health systems in California, because the definition of a “provider” includes acute care hospitals and several other types of provider organizations that comprise a “health system.” AB 1415 would separate “health systems” into their own category of a “provider,” which would encompass both for-profit and nonprofit health systems, and combinations of hospitals and other physician organizations or health care service plans. It is not entirely clear whether the addition of “health systems” to the definition of “providers” will further expand the scope of OHCA’s applicability.
In addition, by expanding the definition of “provider” to include entities that own, operate, or control a provider, AB 1415 would extend regulatory oversight beyond direct care providers to financial and management entities, including holding companies, parent corporations, and private equity-backed groups.
Takeaways
AB 1415 represents a potential significant expansion of regulatory oversight in California’s health care market. By broadening the scope of health care entities required to notify OHCA of material transactions, the bill seeks to increase transparency, prevent unchecked consolidation, and include oversight extending beyond direct care providers. However, the bill’s proposed broad definitions may capture more entities than intended, increase compliance burdens, and slow down transactions in an already complex regulatory environment.
Stay tuned for further updates as AB 1415 moves through the legislative process. For now, health care providers, investors, and management entities should closely monitor its progress. If passed, the bill will create new compliance obligations that could significantly impact future health care transactions and corporate ownership structures.

First Class Action Filed Under Washington’s MY Health MY Data Act Draws Parallels to Previous SDK Litigation

On February 10, 2025, the first class action complaint was filed pursuant to Washington’s MY Health MY Data Act (“MHMDA”), Wash. Rev. Code Ann. § 19.373.005 et seq. See Maxwell v. Amazon.com, Inc. et al., Case No. 2:25-cv-261 (W.D. Wash.). Broadly, the lawsuit alleges that, by using software development kits (“SDKs”), defendants Amazon.com, Inc. and Amazon Advertising, LLC harvested the location data of tens of millions of Americans without their consent and used that information for profit. The Complaint’s core allegations in that regard are akin to previous SDK class actions, but the MHMDA claim is new.
Software Development Kits:
The Maxwell lawsuit focuses on an SDK allegedly licensed by Amazon to a variety of mobile applications. SDKs are bundles of pre-written software code used in mobile and other applications. Many SDKs include code required in virtually every app: APIs, code samples, document libraries, and authentication tools. Rather than writing code from scratch, developers often license SDKs to streamline the app development process. In theory, SDKs allow developers to build apps in a fast and efficient manner. However, many SDKs also gather user information, including location data.
The MY Health MY Data Act:
The MHMDA came into effect on March 31, 2024, and regulates the collection and use of “consumer health data.” The term is broadly defined as personal information linked or reasonably linkable to a consumer and identifies the consumer’s physical or mental health status, including “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.” Wash. Rev. Code Ann. § 19.373.010. Among other things, regulated entities must provide consumers with a standalone consumer health data privacy policy; adhere to consent and authorization requirements; refrain from prohibited geofencing practices; comply with valid consumer requests; and enter into certain agreements with their processors. Unlike some other relatively similar state laws, the MHMDA includes a broad private right of action.
The Complaint:
Plaintiff Cassaundra Maxwell alleges that Amazon’s SDKs, operating in the background of other applications like the Weather Channel and OfferUp apps, unlawfully obtained user location data without consumers’ knowledge or consent. More specifically, Plaintiff claims that “Amazon collected Plaintiff’s consumer health data, including biometric data and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies” without sufficient notice or consent. Plaintiff further asserts that, once the data was harvested, Amazon used it for its own targeted advertising purposes and for sale to third parties.
Plaintiff seeks to certify a class consisting of all natural persons residing in the United States whose mobile device data was obtained by Defendants through the Amazon SDK. The Complaint includes seven purported causes of action: (1) Federal Wiretap Act violations, (2) Stored Communications Act violations, (3) Computer Fraud and Abuse Act violations, (4) Washington Consumer Protection Act violations, (5) MHMDA violations, (6) invasion of privacy, and (7) unjust enrichment.
Historical Perspective:
Despite the new MHMDA claim, the Maxwell v. Amazon Complaint is similar to those from prior SDK cases. In Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), for example, California residents brought a putative class action alleging improper data collection and dissemination by data broker Kochava. Similar to the Maxwell case, the plaintiffs in Greenley claimed that Kochava developed and coded its SDK for data collection and embedded it in third-party apps. They claimed the SDK secretly collected app users’ data, which was then packaged by Kochava and sold to clients for advertising purposes. Much like the Maxwell litigation, the improper interception and use of location data was a focal point of the Greenley plaintiffs’ allegations. Whereas the action against Amazon relies on the MHMDA, other Washington state law, and federal statutes, the Greenley plaintiffs’ claims were rooted in alleged violations of California state law, including the California Computer Data Access and Fraud Act (CDAFA), California Invasion of Privacy Act (CIPA), and California Unfair Competition Law (UCL). In Greenley, Defendants filed a motion to dismiss, arguing inter alia that Plaintiff lacked standing. The Court denied the motion, holding that, “[T]he Complaint plausibly alleges Defendant collected Plaintiff’s data” and “there is no constitutional requirement that Plaintiff demonstrate lost economic value.” Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023).
Although the facts vary, some recent cases suggest courts may still be receptive to lack-of-standing arguments under certain circumstances. In a class action in the Southern District of New York, plaintiff claimed Reuters unlawfully collected and disclosed IP address information. Xu v. Reuters News & Media Inc., 1:24-cv-2466 (S.D.N.Y.). Plaintiff alleged violations of the California Invasion of Privacy Act. The Court dismissed Plaintiff’s claims for lack of standing, holding that the IP address used by Plaintiff to visit Reuters’ website does not constitute sensitive or personal information. Xu v. Reuters News & Media Inc., No. 24 CIV. 2466 (PAE), 2025 WL 488501 (S.D.N.Y. Feb. 13, 2025). The Complaint included no allegations of physical, monetary, or reputational harm. The Court noted that Plaintiff did not claim he received any targeted advertising (much less that he was harmed by such advertising) or that Reuters collected sensitive or personal identifying information that could be used to steal his identity or inflict similar harm. See also Gabrielli v. Insider, Inc., No. 24-CV-01566 (ER), 2025 WL 522515, at *4 (S.D.N.Y. Feb. 18, 2025) (holding that, “Not only does an IP address fail to identify the actual individual user, but the geographic information that can be gleaned from the IP address is only as granular as a zip code.”).
Takeaways:
Although the Maxwell Complaint against Amazon relies on the recently enacted MHMDA, its underlying allegations largely track previous SDK claims. As states continue to enact privacy legislation granting private rights of action, businesses should expect to see SDK complaints repackaged to fit the confines of each statute. Until courts sort through these types of claims over the course of the next several years, we may see many more cases follow in Maxwell’s footsteps. Businesses, particularly those in the healthcare space, should be mindful about their use of SDKs going forward.

A Brief Reminder About the Florida Information Protection Act

According to one survey, Florida is fourth on the list of states with the most reported data breaches. No doubt, data breaches continue to be a significant risk for all businesses, large and small, across the U.S., including the Sunshine State. Perhaps more troubling is that class action litigation is more likely to follow a data breach. A common claim in those cases is that the business did not do enough to safeguard personal information from the attack. So, Florida businesses need to know about the Florida Information Protection Act (FIPA), which mandates that certain entities implement reasonable measures to protect electronic data containing personal information.
According to a Law.com article:
The monthly average of 2023 data breach class actions was 44.5 through the end of August, up from 20.6 in 2022.
While a business may not be able to completely prevent a data breach, adopting reasonable safeguards can minimize the risk of one occurring, as well as the severity of an attack. Additionally, maintaining reasonable safeguards to protect personal information strengthens the business’s defensible position should it face a government agency investigation or lawsuit after an attack.
Entities Subject to FIPA
FIPA applies to a broad range of organizations, including:
• Covered Entities: This encompasses any sole proprietorship, partnership, corporation, or other legal entity that acquires, maintains, stores, or uses personal information…so, just about any business in the state. There are no exceptions for small businesses.
• Governmental Entities: Any state department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality that handles personal information.
• Third-Party Agents: Entities contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity. This means that just about any vendor or third-party service provider that maintains, stores, or processes personal information for a covered entity is also covered by FIPA.
Defining “Reasonable Measures” in Florida
FIPA requires:
Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.
While FIPA mandates the implementation of “reasonable measures” to protect personal information, it does not provide a specific definition, leaving room for interpretation. However, guidance can be drawn from various sources:

Industry Standards: Adhering to established cybersecurity frameworks, such as the Center for Internet Security’s Critical Security Controls, can demonstrate reasonable security practices.
Regulatory Guidance: Businesses that are more heavily regulated, such as healthcare entities, can look to the federal and state frameworks that apply to them, such as the Health Insurance Portability and Accountability Act (HIPAA). Entities in the financial sector may be subject to both federal regulations, like the Gramm-Leach-Bliley Act, and state-imposed data protection requirements. The Florida Attorney General’s office may offer insights or recommendations on what constitutes reasonable measures. Here is one example, albeit not comprehensive.
Standards in Other States: Several other states have outlined more specific requirements for protecting personal information. Examples include New York and Massachusetts.

Best Practices for Implementing Reasonable Safeguards
Very often, various data security frameworks have several overlapping provisions. With that in mind, covered businesses might consider the following nonexhaustive list of best practices toward FIPA compliance. Many of the items on this list will seem obvious, even basic. But in many cases, these measures either simply have not been implemented or are not covered in written policies and procedures.

Conduct Regular Risk Assessments: Identify and evaluate potential vulnerabilities within your information systems to address emerging threats proactively.
Implement Access Controls: Restrict access to personal information to authorized personnel only, ensuring that employees have access solely to the data necessary for their roles.
Encrypt Sensitive Data: Utilize strong encryption methods for personal information both at rest and during transmission to prevent unauthorized access.
Develop and Enforce Written Data Security Policies, and Create Awareness: Establish comprehensive data protection policies and maintain them in writing. Once completed, information about relevant policies and procedures needs to be shared with employees, along with creating awareness about the changing risk landscape.
Maintain and Practice Incident Response Plans: Prepare and regularly update a response plan to address potential data breaches promptly and effectively, minimizing potential damages. Letting this plan sit on the shelf will have minimal impact on preparedness when facing a real data breach. It is critical to conduct tabletop and similar exercises with key members of leadership.
Regularly Update and Patch Systems: Keep all software and systems current with the latest security patches to protect against known vulnerabilities.

By diligently implementing these practices, entities can better protect personal information, comply with Florida’s legal requirements, and minimize risk.