Litigation Minute: Emerging Contaminants: What’s on the Horizon?
What You Need to Know in a Minute or Less
Emerging contaminants are synthetic or natural chemicals that have not been fully assessed from a health or risk perspective and are reportedly finding their way into consumer products and the environment. These include chemicals that have been widely used throughout society for decades but are now being targeted due to scientific developments and public scrutiny regarding their uses. Across industries, we are seeing increased regulation of consumer products, manufacturing processes, and industrial emissions, as well as new waves of litigation against unsuspecting businesses, putting their operations and financial stability at risk.
The first edition in this three-part series underscores the impact of the regulatory regime on the legal landscape and forecasts what lies ahead with a new regime and the substances likely in line for increased scrutiny, particularly ethylene oxide (EO) and perfluoroalkyl or polyfluoroalkyl substances (PFAS), as well as other chemicals.
In a minute or less, here is what you need to know about what is on the horizon for emerging contaminants litigation and regulation.
Regulation Drives Litigation
EO is a versatile compound used to make ethylene glycol and numerous consumer products, including household cleaners and personal care items. It is also used to sterilize medical equipment and other plastics sensitive to heat or steam. The uptick in EO litigation was largely driven by regulators’ positions surrounding EO’s alleged carcinogenic risk.
In 2016, the US Environmental Protection Agency (EPA) released its Integrated Risk Information System (IRIS) Assessment, finding that EO was 60 times more toxic than previous estimates and “carcinogenic to humans.”1 Widespread litigation soon followed, despite:
• the EPA recognizing that its assessment included several uncertainties;2
• state agencies, such as the Texas Commission on Environmental Quality, concluding that the EPA significantly overestimated EO’s carcinogenic risks;3 and
• state agencies, such as the Tennessee Department of Health, finding no evidence for the clustering of high numbers of cancers near facilities that emit EO.4
The takeaway: A lack of robust science does not minimize litigation risk. Immature and incomplete scientific information will drive early litigation, particularly when it receives regulatory attention and is widely publicized on social media and in the popular press.
Where Federal Efforts Slow, States Pick Up the Slack
With Republicans taking control of the Senate, House of Representatives, and White House in November, expect that some legislation and regulation concerning emerging contaminants will be scaled back or unlikely to gain traction. This includes the EPA’s regulation of EO under the Clean Air Act and requirements for the use of EO as a pesticide, as well as bills introduced in Congress to phase out certain uses of PFAS, which are used in firefighting foams, personal care products, food packaging, and other consumer product applications.
But where federal legislation and regulation slow, expect state-level efforts and private litigation such as citizen suits to increase. For example, more than 20 states identified PFAS as an immediate, mid-, or long-term focus for 2025, and President Donald Trump’s first term saw a significant increase in environmental citizen suits.
The takeaway: Do not expect that the new administration will result in a lack of focus on emerging contaminants nationwide. Companies with products or intermediaries that become the focus of emerging contaminant legislation or regulation should consider whether it is appropriate to participate in legislative meetings, hearings, stakeholder sessions, and opportunities to comment and testify; meet with regulators and representatives in critical states; or contribute to the development of model legislation for use in various states.
Other Chemicals “Emerging” as Emerging Contaminants
With increased scientific scrutiny and regulatory activity acting as catalysts for litigation involving emerging contaminants, many other ubiquitous chemical substances may get caught up in the next waves of regulation and litigation—including, for example, microplastics, formaldehyde, and phthalates.
Microplastics
Microplastics can come from several sources, such as cosmetics, glitter, clothing, or larger plastic items breaking down over time. While a definitive correlation between microplastic exposure and adverse health effects has not yet been established, and the EPA states that “[m]icroplastics have been found in every ecosystem on the planet, from the Antarctic tundra to tropical coral reefs, and have been found in food, beverages, and human and animal tissue,” recent petitions to the EPA have called for increased monitoring of microplastics in drinking water. Examples of early litigation involving microplastics include consumer fraud and greenwashing claims.
Formaldehyde
Used in the production of construction materials, insulation, and adhesives, and as a preservative in cosmetics and personal care products, formaldehyde has seen an uptick in the filing of personal-injury claims and class actions alleging harm due to alleged exposure. These cases draw on the EPA’s August 2024 IRIS Toxicological Review of Formaldehyde and December 2024 final risk evaluation for formaldehyde under the Toxic Substances Control Act, despite high-profile challenges to the EPA’s assessments that have highlighted concerns with its scientific shortcomings.
Phthalates
The use of ortho-phthalate plasticizers in industrial applications and consumer products such as cosmetics, plastics, and food packaging has recently diminished. However, the listing of numerous phthalates as alleged reproductive toxicants and carcinogens under California’s Proposition 65, combined with Consumer Product Safety Commission restrictions on the use of phthalates in children’s toys and articles and the US Food and Drug Administration’s removal of 25 ortho-phthalate plasticizers from the Food Additive Regulations, are keeping phthalates in the spotlight. Recent phthalate litigation includes mislabeling and false advertising claims for food and childcare products containing trace phthalate residues.
The takeaway: Although litigation and regulatory developments related to EO and PFAS continue to capture headlines, more is on the horizon. Again, immature science can drive early litigation.
Connecticut Establishes Emergency Certificate of Need Process for Hospitals in Bankruptcy
On March 3, 2025, Connecticut Governor Ned Lamont signed a law establishing a new process for hospitals in bankruptcy to apply for an “emergency certificate of need” (CON) to approve a transfer of ownership. The law, titled “An Act Concerning An Emergency Certificate Of Need Application Process For Transfers Of Ownership Of Hospitals That Have Filed For Bankruptcy Protection, The Assessment Of Motor Vehicles For Property Taxation, A Property Tax Exemption For Veterans Who Are Permanently And Totally Disabled And Funding Of The Special Education Excess Cost Grant” (the “Act”), was passed by the Connecticut Legislature through its emergency certification process in order to expedite its approval, presumably to allow the law and new process to be available for CON review of the potential sale(s) of Prospect Medical hospitals in Connecticut expected this year.
Emergency CON Process
Under the Act, the emergency CON process is to be available when “(1) the hospital subject to the transfer of ownership has filed for bankruptcy protection in any court of competent jurisdiction, and (2) a potential purchaser for such hospital has been or is required to be approved by a bankruptcy court.”
The Act requires the Office of Health Strategy (OHS) to:
• Develop an emergency CON application for parties to utilize, and in doing so OHS must “identify any data necessary to analyze the effects of a hospital’s transfer of ownership on health care costs, quality and access in the affected market.” Notably, if the buyer is a for-profit entity, OHS is permitted to require additional information to ensure that the continuing operation of the hospital is in the public interest.
• Make a “completeness” determination on a submitted application within 3 business days.
Once an emergency CON application is deemed complete, OHS may – but is not required to – hold a public hearing within 30 days thereafter, and if a hearing is held OHS must notify the applicant(s) at least 5 days in advance of the hearing date. The Act provides that a public hearing or other proceeding related to review of an emergency CON is not a “contested case” under the state’s Uniform Administrative Procedure Act, which limits the procedural and appeal rights of the applicant(s). The Act also allows OHS to contract with third-party consultants to analyze the effects of the transfer on cost, access, and quality in the community, with the cost borne by the applicant(s) and not to exceed $200,000.
Emergency CON Decisions and Conditions
The Act requires final decisions on emergency CONs to be issued within 60 days of the application being deemed complete. Importantly, OHS is required to “consider the effect of the hospital’s bankruptcy on the patients and communities served by the hospital and the applicant’s plans to restore financial viability” when issuing the final decision. The Act also permits OHS to “impose any condition on an approval of an emergency” CON, as long as OHS includes its rationale (legal and factual) for imposing the condition and the specific CON criterion that the condition relates to, and that such condition is reasonably tailored in time and scope. The Act also expressly provides that any condition imposed by OHS on the approval of an emergency CON will apply to the applicant(s), including any hospital subject to the transfer of ownership “and any subsidiary or group practice that would otherwise require” a CON under state law that is part of the bankruptcy sale. However, the Act does allow the applicant(s) to request a modification of conditions for good cause, including due to changed circumstances or hardship.
Finally, the Act provides that the final decision on an emergency CON, including any conditions imposed by OHS as part of the decision, is not subject to appeal.
Takeaways
The Act seeks to establish a clear expedited pathway for CON review of hospital (and health system) sales as part of the bankruptcy process. The specific process, including the form of application, is likely to be rolled out quickly by OHS to be available as part of the resolution of the Prospect Medical bankruptcy process anticipated to occur during 2025. The ultimate efficacy of the process will depend upon the specific data sought as part of the emergency CON process, and on the scope of any conditions imposed by OHS on the sales (which could introduce uncertainty into the bankruptcy sale and approval process), but the establishment of this avenue for review is likely to be welcomed by parties to hospital system bankruptcy actions.
No Funny Business: The Supreme Court Should Get Sirois
As you might have guessed from the title of this post, we are returning to cover new developments in the United States v. Sirois case. A few months ago, the First Circuit released an opinion that we discussed in an earlier post. As we predicted, the Rohrabacher-Farr issues have reappeared, with the Defendants in Sirois now petitioning the United States Supreme Court to grant them certiorari and review the case.
Rohrabacher-Farr Refresher
Just as a reminder, the Rohrabacher-Farr Amendment is an appropriations rider that was first passed in 2014. It bars the DOJ from using government funds to investigate and prosecute state-compliant medical marijuana operations. However, it does not on its face protect individuals who participate in adult-use marijuana operations, even if those operations are legal at the state level. Nor does it suspend the federal Controlled Substances Act. Remember, marijuana cultivation, sales, and use are still illegal under federal law, even in states with medical marijuana programs.
In practice, Rohrabacher-Farr allows state-compliant medical marijuana businesses to operate with much less fear that they will be prosecuted by the federal government.
Risky Business – United States v. Sirois
Before we head down to D.C., let’s take the third boxcar, midnight train up to our destination: Bangor, Maine. The Sirois Defendants were charged with a number of crimes, including violating the Controlled Substances Act while running their marijuana cultivation and sorting business based in Farmington, Maine. They were accused of, among other things, operating the business as a “collective” in violation of Maine law and facilitating illegal interstate sales of marijuana. Although the DEA initially claimed an even broader multi-drug conspiracy, it seems that the DOJ quickly gave up on proving that most of these people really still deal cocaine.
The trial court dismissed the Defendants’ attempt to enjoin their prosecution based on the Rohrabacher-Farr Amendment. The First Circuit upheld that decision, reasoning that the Defendants failed to show “substantial compliance” with state law and that they were not immune from prosecution due to their “blatantly illegitimate activity.”
Now, the Sirois Defendants have filed a petition for writ of certiorari to the U.S. Supreme Court. The petition seeks to resolve a split between Ninth and Eleventh Circuit precedent and get the Supreme Court to shift the burden of proof — requiring the DOJ to prove that a criminal defendant is noncompliant, rather than forcing the defendant to prove it was in either substantial or strict compliance with state law. The petition previews the Sirois Defendants’ arguments. It reasons that not only were the Defendants in compliance with state law, but that the current state of the law is uncertain, overburdens defendants, and allows the DOJ to overstep and disregard Congressional limits on its power.
We cannot know whether or how the Supreme Court will decide this case. However, given the Circuit split and the current tenor of discussions around executive overreach, this case is ripe for Court review.
Paranoia, Paranoia
Don’t worry, this is not cause for massive alarm. I know most medical marijuana operators out there don’t need to hear this, but we will say it anyway. Everyone is not, in fact, coming to get you. As we said in our last post on this case, we do not believe that Sirois signals mass-scale federal prosecution of state-legal medical marijuana businesses. It is also important to remember that rescheduling may not actually affect the current state of affairs for state-legal operators (although it may make compliance more onerous, with added FDA, DEA, and state pharmaceutical oversight and licensing requirements).
If the Supreme Court grants certiorari, this case will almost certainly clarify the questions that the Sirois Defendants raise. First, state-licensed and authorized medical marijuana operators and patients will better know when the DOJ can criminally investigate and prosecute them for cultivating, distributing, possessing, or using medical marijuana. Second, those same parties will know whether they have the burden to prove they acted in compliance with state law. And third, they will know what they must show to prove that they were actually sufficiently compliant.
If you are still unconvinced, if nothing seems to satisfy you, and you feel like you’ll lose your mind trying to make sure you are following the law, give us a call. Your friends at Bradley are happy to advise you on any regulatory or compliance issues that your cannabis business faces.
California: AB 1415 and Expanded OHCA Oversight — What Providers, MSOs, and Investors Need to Know
On February 21, 2025, California introduced AB 1415, a bill aimed at expanding the regulatory oversight of the Office of Health Care Affordability (OHCA). As discussed in our previous blog, certain health care entities are required to provide written notice to OHCA of any proposed merger, acquisition, corporate affiliation, or other transaction that will result in a material change to the ownership, operations, or governance structure of a health care entity. AB 1415 seeks to expand the types of entities required to provide notice to OHCA by:
• Expanding the definition of a “health care entity” to include management services organizations (MSOs).
• Imposing notification requirements on private equity groups, hedge funds, and newly formed business entities involved in certain transactions.
• Broadening the definition of “provider” to include health systems and entities that own, operate, or control a provider.
Inclusion of Management Services Organizations
Currently, the OHCA statutes and regulations define a “health care entity” as a payor, provider, or a fully integrated delivery system. AB 1415 would expand this definition to specifically include MSOs within the definition of a health care entity directly regulated by the statute. An MSO is defined in AB 1415 as “an entity that provides administrative services or support for a provider, not including the direct provision of health care services.” The bill specifies that administrative services may include, but are not limited to, functions such as utilization management, billing and collections, customer service, provider rate negotiation, and network development.
This broad definition could capture a broader scope of administrative service providers that have not been traditionally considered an MSO. For example, a business that exclusively provides billing and collections services to health care organizations may be included within the definition of an “MSO,” even though they are not engaged in the management of a health care practice. While these functions align with typical MSO activities, AB 1415’s use of open-ended language in the definition could extend OHCA’s oversight to other intermediaries that support providers but do not exert managerial control over them, such as third-party administrators (TPAs) and health care technology firms.
If interpreted broadly, AB 1415 could impose unintended compliance burdens on entities that offer administrative services without directly influencing health care delivery, potentially increasing regulatory complexity for non-clinical service providers.
Notification Requirements for Private Equity and Hedge Funds
AB 1415 would establish a notification requirement for private equity groups, hedge funds, and newly formed business entities involved in transactions with health care entities. These entities would be required to provide written notice to OHCA before entering into agreements that:
• Sell, transfer, lease, or otherwise dispose of a material amount of a health care entity’s assets to another entity.
• Transfer control, responsibility, or governance over a material portion of the health care entity’s operations or assets.
Notably, the definition of a “private equity group” in AB 1415 is broader than the definition of that same phrase in the recently proposed SB 351. SB 351 similarly targets private equity and hedge fund involvement with management arrangements of medical and dental practices in California.
If enacted, California would be among the first states to require private equity groups to report such transactions, and the only state to explicitly include hedge funds in its health care transaction review law.
Expanded Definition of “Provider”
AB 1415 proposes expanding the definition of “provider” to include both private and public health care providers, health systems, and any entity that owns, operates, or controls a provider.
The current OHCA statute and regulations apply to nearly all health systems in California, because the definition of a “provider” includes acute care hospitals and several other types of provider organizations that comprise a “health system.” AB 1415 would separate “health systems” into their own category of a “provider,” which would encompass both for-profit and nonprofit health systems, and combinations of hospitals and other physician organizations or health care service plans. It is not entirely clear whether the addition of “health systems” to the definition of “providers” will further expand the scope of OHCA’s applicability.
In addition, by expanding the definition of “provider” to include entities that own, operate, or control a provider, AB 1415 would extend regulatory oversight beyond direct care providers to financial and management entities, including holding companies, parent corporations, and private equity-backed groups.
Takeaways
AB 1415 represents a potentially significant expansion of regulatory oversight in California’s health care market. By broadening the scope of health care entities required to notify OHCA of material transactions, the bill seeks to increase transparency, prevent unchecked consolidation, and extend oversight beyond direct care providers. However, the bill’s proposed broad definitions may capture more entities than intended, increase compliance burdens, and slow down transactions in an already complex regulatory environment.
Stay tuned for further updates as AB 1415 moves through the legislative process. For now, health care providers, investors, and management entities should closely monitor its progress. If passed, the bill will create new compliance obligations that could significantly impact future health care transactions and corporate ownership structures.
First Class Action Filed Under Washington’s MY Health MY Data Act Draws Parallels to Previous SDK Litigation
On February 10, 2025, the first class action complaint was filed pursuant to Washington’s MY Health MY Data Act (“MHMDA”), Wash. Rev. Code Ann. § 19.373.005 et seq. See Maxwell v. Amazon.com, Inc. et al., Case No. 2:25-cv-261 (W.D. Wash.). Broadly, the lawsuit alleges that, by using software development kits (“SDKs”), defendants Amazon.com, Inc. and Amazon Advertising, LLC harvested the location data of tens of millions of Americans without their consent and used that information for profit. The Complaint’s core allegations in that regard are akin to previous SDK class actions, but the MHMDA claim is new.
Software Development Kits:
The Maxwell lawsuit focuses on an SDK allegedly licensed by Amazon to a variety of mobile applications. SDKs are bundles of pre-written software code used in mobile and other applications. Many SDKs include code required in virtually every app: APIs, code samples, document libraries, and authentication tools. Rather than writing code from scratch, developers often license SDKs to streamline the app development process. In theory, SDKs allow developers to build apps in a fast and efficient manner. However, many SDKs also gather user information, including location data.
The MY Health MY Data Act:
The MHMDA came into effect on March 31, 2024, and regulates the collection and use of “consumer health data.” The term is broadly defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s physical or mental health status, including “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.” Wash. Rev. Code Ann. § 19.373.010. Among other things, regulated entities must provide consumers with a standalone consumer health data privacy policy; adhere to consent and authorization requirements; refrain from prohibited geofencing practices; comply with valid consumer requests; and enter into certain agreements with their processors. Unlike some other relatively similar state laws, the MHMDA includes a broad private right of action.
The Complaint:
Plaintiff Cassaundra Maxwell alleges that Amazon’s SDKs, operating in the background of other applications like the Weather Channel and OfferUp apps, unlawfully obtained user location data without consumers’ knowledge or consent. More specifically, Plaintiff claims that “Amazon collected Plaintiff’s consumer health data, including biometric data and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies” without sufficient notice or consent. Plaintiff further asserts that, once the data was harvested, Amazon used it for its own targeted advertising purposes and for sale to third parties.
Plaintiff seeks to certify a class consisting of all natural persons residing in the United States whose mobile device data was obtained by Defendants through the Amazon SDK. The Complaint includes seven purported causes of action: (1) Federal Wiretap Act violations, (2) Stored Communications Act violations, (3) Computer Fraud and Abuse Act violations, (4) Washington Consumer Protection Act violations, (5) MHMDA violations, (6) invasion of privacy, and (7) unjust enrichment.
Historical Perspective:
Despite the new MHMDA claim, the Maxwell v. Amazon Complaint is similar to those from prior SDK cases. In Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), for example, California residents brought a putative class action alleging improper data collection and dissemination by data broker Kochava. Similar to the Maxwell case, the plaintiffs in Greenley claimed that Kochava developed and coded its SDK for data collection and embedded it in third-party apps. They claimed the SDK secretly collected app users’ data, which was then packaged by Kochava and sold to clients for advertising purposes. Much like the Maxwell litigation, the improper interception and use of location data was a focal point of the Greenley plaintiffs’ allegations. Whereas the action against Amazon relies on the MHMDA, other Washington state law, and federal statutes, the Greenley plaintiffs’ claims were rooted in alleged violations of California state law, including the California Computer Data Access and Fraud Act (CDAFA), California Invasion of Privacy Act (CIPA), and California Unfair Competition Law (UCL). In Greenley, Defendants filed a motion to dismiss, arguing inter alia that Plaintiff lacked standing. The Court denied the motion, holding that, “[T]he Complaint plausibly alleges Defendant collected Plaintiff’s data” and “there is no constitutional requirement that Plaintiff demonstrate lost economic value.” Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023).
Although the facts vary, some recent cases suggest courts may still be receptive to lack of standing arguments under certain circumstances. In a class action in the Southern District of New York, the plaintiff claimed Reuters unlawfully collected and disclosed IP address information. Xu v. Reuters News & Media Inc., 1:24-cv-2466 (S.D.N.Y.). Plaintiff alleged violations of the California Invasion of Privacy Act. The Court dismissed Plaintiff’s claims for lack of standing, holding that the IP address used by Plaintiff to visit Reuters’ website does not constitute sensitive or personal information. Xu v. Reuters News & Media Inc., No. 24 CIV. 2466 (PAE), 2025 WL 488501 (S.D.N.Y. Feb. 13, 2025). The Complaint included no allegations of physical, monetary, or reputational harm. The Court noted that Plaintiff did not claim he received any targeted advertising (much less that he was harmed by such advertising) or that Reuters collected sensitive or personal identifying information that could be used to steal his identity or inflict similar harm. See also Gabrielli v. Insider, Inc., No. 24-CV-01566 (ER), 2025 WL 522515, at *4 (S.D.N.Y. Feb. 18, 2025) (holding that, “Not only does an IP address fail to identify the actual individual user, but the geographic information that can be gleaned from the IP address is only as granular as a zip code.”).
Takeaways:
Although the Maxwell Complaint against Amazon relies on the recently enacted MHMDA, its underlying allegations largely track previous SDK claims. As states continue to enact privacy legislation granting private rights of action, businesses should expect to see SDK complaints repackaged to fit the confines of each statute. Until courts sort through these types of claims over the course of the next several years, we may see many more cases follow in Maxwell’s footsteps. Businesses, particularly those in the healthcare space, should be mindful about their use of SDKs going forward.
A Brief Reminder About the Florida Information Protection Act
According to one survey, Florida is fourth on the list of states with the most reported data breaches. No doubt, data breaches continue to be a significant risk for all businesses, large and small, across the U.S., including the Sunshine State. Perhaps more troubling is that class action litigation is more likely to follow a data breach. A common claim in those cases: the business did not do enough to safeguard personal information from the attack. So, Florida businesses need to know about the Florida Information Protection Act (FIPA), which mandates that certain entities implement reasonable measures to protect electronic data containing personal information.
According to a Law.com article:
The monthly average of 2023 data breach class actions was 44.5 through the end of August, up from 20.6 in 2022.
While a business may not be able to completely prevent a data breach, adopting reasonable safeguards can minimize the risk of one occurring, as well as the severity of an attack. Additionally, maintaining reasonable safeguards to protect personal information strengthens the business’s defensible position should it face a government agency investigation or lawsuit after an attack.
Entities Subject to FIPA
FIPA applies to a broad range of organizations, including:
• Covered Entities: This encompasses any sole proprietorship, partnership, corporation, or other legal entity that acquires, maintains, stores, or uses personal information…so, just about any business in the state. There are no exceptions for small businesses.
• Governmental Entities: Any state department, division, bureau, commission, regional planning agency, board, district, authority, agency, or other instrumentality that handles personal information.
• Third-Party Agents: Entities contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity. This means that just about any vendor or third party service provider that maintains, stores, or processes personal information for a covered entity is also covered by FIPA.
Defining “Reasonable Measures” in Florida
FIPA requires:
Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.
While FIPA mandates the implementation of “reasonable measures” to protect personal information, it does not provide a specific definition, leaving room for interpretation. However, guidance can be drawn from various sources:
• Industry Standards: Adhering to established cybersecurity frameworks, such as the Center for Internet Security’s Critical Security Controls, can demonstrate reasonable security practices.
• Regulatory Guidance: Businesses that are more heavily regulated, such as healthcare entities, can look to federal and state frameworks that apply to them, such as the Health Insurance Portability and Accountability Act (HIPAA). Entities in the financial sector may be subject to both federal regulations, like the Gramm-Leach-Bliley Act, and state-imposed data protection requirements. The Florida Attorney General’s office may offer insights or recommendations on what constitutes reasonable measures. Here is one example, albeit not comprehensive.
• Standards in Other States: Several other states have outlined more specific requirements for protecting personal information. Examples include New York and Massachusetts.
Best Practices for Implementing Reasonable Safeguards
Very often, various data security frameworks have several overlapping provisions. With that in mind, covered businesses might consider the following nonexhaustive list of best practices toward FIPA compliance. Many of the items on this list will seem obvious, even basic. But in many cases, these measures either simply have not been implemented or are not covered in written policies and procedures.
Conduct Regular Risk Assessments: Identify and evaluate potential vulnerabilities within your information systems to address emerging threats proactively.
Implement Access Controls: Restrict access to personal information to authorized personnel only, ensuring that employees have access solely to the data necessary for their roles.
Encrypt Sensitive Data: Utilize strong encryption methods for personal information both at rest and during transmission to prevent unauthorized access.
Develop and Enforce Written Data Security Policies, and Create Awareness: Establish comprehensive data protection policies and maintain them in writing. Once completed, information about relevant policies and procedures needs to be shared with employees, along with creating awareness about the changing risk landscape.
Maintain and Practice Incident Response Plans: Prepare and regularly update a response plan to address potential data breaches promptly and effectively, minimizing potential damages. Letting this plan sit on the shelf will have minimal impact on preparedness when facing a real data breach. It is critical to conduct tabletop and similar exercises with key members of leadership.
Regularly Update and Patch Systems: Keep all software and systems current with the latest security patches to protect against known vulnerabilities.
By diligently implementing these practices, entities can better protect personal information, comply with Florida’s legal requirements, and minimize risk.
Two Employer-Friendly ACA Changes
Two recent developments make significant changes to Affordable Care Act (ACA) compliance, both effective immediately and offering important benefits for employers.
Providing Forms 1095 to Employees
Since ACA was first implemented, employers have been required to report their offers of health care coverage to employees by filing Form 1095-B or 1095-C with the IRS and providing a copy of the form to employees.
Beginning with the 2024 tax year, for which the reporting forms were set to be distributed in early 2025, employers are no longer required to automatically provide these forms to employees, provided two requirements are met. First, employers must notify employees that the employer will no longer automatically provide Form 1095, including a statement saying employees may request a copy and instructions on how to do so. Second, employers must provide a copy of Form 1095 to any employee who requests it, within 30 days of the request.
Note that employers must still file Form 1094 and Form 1095 with the IRS; this new rule simply relieves the responsibility to provide a copy to employees. Employers who wish to take advantage of the new rule should continue to coordinate with their service providers to ensure that Forms 1095 are prepared in time for filing with the IRS and are available to provide to employees upon request. This change may help employers save on the cost and administrative responsibility of sending the forms to each employee.
ACA Penalty Statute of Limitations
Congress has also established a new six-year statute of limitations for employer penalty assessments under the ACA. While this may seem lengthy, especially considering the common three-year statute of limitations that applies to many tax assessments, the IRS had previously taken the position that there was no statute of limitations because Forms 1094 and 1095 were not tax returns.
This change is particularly important due to frequent delays between an employer’s alleged failure to comply with ACA requirements and the IRS’s notification of a proposed penalty assessment. This delay could be multiple years, meaning that if an employer had a systematic issue regarding its offers of coverage or reporting, penalties could be assessed for several years before the employer was notified that a change was necessary for compliance. Especially in corporate transactions, this change will help provide clarity and limit exposure for ACA compliance.
Site-Neutral Medicare Proposals Currently on the Table: Considerations for Stakeholders
Site-neutral payment policies aim to standardize payments for healthcare services regardless of the site of care. Last Congress, lawmakers considered a number of Medicare site-neutral policies, ranging from ones addressing single services to broader policies that would adjust payments across multiple services and care settings. Some of these policies have also been presented as options to reduce federal spending, including on mandatory healthcare programs.
If Congressional Republicans decide to pursue cuts in Medicare spending, site-neutral policies may well be considered. In this +Insight, we review and categorize recent Medicare site-neutral policy proposals and suggest considerations to guide analysis of these policies’ potential impact.
Healthcare Preview for the Week of: March 3, 2025 [Podcast]
Attention Turns to Government Funding
Last week, after some drama on the floor, the House passed its version of a budget resolution in a 217 – 215 vote, a week after the Senate passed its “skinny” resolution. For the reconciliation process to move forward, the chambers must work together to agree on an aligned resolution, which is likely to include Medicaid reforms.
Reconciliation will move to the background for these next two weeks as Congress shifts its focus to government funding. The continuing resolution (CR) passed in late December 2024 funded the government through March 14, 2025. The CR also included healthcare extenders, such as Medicare telehealth flexibilities, disproportionate share hospital payments, and the hospital at home waiver, but they have an expiration date of March 31 (read more on the full list of extenders here). Republican lawmakers are debating the length and scope of the next government funding package, which could be a “clean” CR to fund the government through the remainder of fiscal year 2025. If public statements are accurate, spending cuts related to Department of Government Efficiency efforts may not be pursued in this immediate government funding package. House Republicans will likely need votes from Democrats to pass a CR, so all eyes are on the outline of this package.
In his first congressional address since returning to the White House, President Trump will head to Congress on Tuesday night to deliver an address to a joint session of Congress. Like a state of the union, the address will likely focus on Trump’s agenda for his next four years, including actions on immigration, tariffs, extending tax cuts, and reducing the government’s footprint. While healthcare is not anticipated as a feature of the speech, Trump could discuss his executive orders on healthcare price transparency, Make America Healthy Again, and gender-affirming care for youth, and could lay out additional healthcare agenda priorities. Sen. Elissa Slotkin (D-MI) will provide the Democratic response.
The Senate will continue with nomination hearings this week. The Senate Health, Education, Labor, and Pensions (HELP) Committee will hold back-to-back hearings for National Institutes of Health (NIH) director nominee Jay Bhattacharya, MD, on Wednesday and US Food and Drug Administration commissioner nominee Martin Makary, MD, on Thursday. Sen. Warren (D-MA), although not on the HELP Committee, sent both nominees letters requesting confirmation that they would not lobby for the industries they would regulate for four years after leaving office. Similar topics are likely to be brought up during the hearings. Bhattacharya’s hearing will also likely focus on the recent NIH guidance capping indirect costs for research grants and his views on research transparency and NIH structure reform. Later this week, the Medicare Payment Advisory Commission will meet and discuss various topics, including draft recommendations to reform the physician fee schedule and reduce cost-sharing for outpatient services at critical access hospitals.
Today’s Podcast
In this week’s Healthcare Preview, Debbie Curtis and Rodney Whitlock join Julia Grabo to discuss the state of the government funding package ahead of the March 14 deadline.
Alabama Legislature Weighs Substantial Cannabis Reforms: Let’s All Take a Deep Breath
Well, it’s officially crazy season. An annual tradition in the Alabama statehouse since the inception of Alabama’s medical cannabis program, last week we saw a flurry of cannabis-related bills introduced with great fanfare and the accompanying panic amongst cannabis stakeholders in Alabama. I was inundated with a high volume of calls, texts, and emails unseen since the last Alabama legislative session.
And there was a little something for everyone involved in cannabis, both on the hemp and medical cannabis side. The good news? Things may be trending in the right direction.
Let’s get into it.
Medical Cannabis Proposal Encounters Substantial Opposition, Drawing to a Head Whether There Is a Real Need for a “Legislative Fix”
Shortly before he gaveled his committee to order, Sen. Tim Melson introduced a substitute to Senate Bill 72. As a reminder, the original version of SB72 would have, in relevant part: (1) expanded the total number of integrated licenses from five to seven; (2) shifted the authority of issuing licenses from the AMCC to a consultant; and (3) shielded the decision from any judicial review. And, just as important, licenses wouldn’t be issued until well into 2026, assuming there was no litigation – an assumption I defy any serious person to tell me with a straight face is valid.
When the original version of SB72 was introduced, I wrote:
In my opinion, this bill has little chance of becoming law as drafted. I base that on my opinion that the Alabama Legislature has little interest in revisiting cannabis proposals at this time, my conversations with various stakeholders (including well-heeled applicants that employ influential governmental affairs specialists), and by the knowledge that it is easier to defeat legislation than it is to pass it.
For what it’s worth, I do believe the Legislature would pass a bill if all of the relevant stakeholders agreed it was the right way forward. Unfortunately, and this is inherent in any limited license situation, we are operating in a zero-sum game where there will be winners and there will be losers and those who believe a proposal will end in their defeat will fight tooth and nail to stop it.
The substitute bill would change the agencies tasked with appointing the consultant and would allow for the Alabama Court of Civil Appeals to review the award of licenses if the award was arbitrary or capricious or constituted a gross abuse of discretion. It would also move up the time to issue licenses, but it would still be in 2026, again assuming no lawsuits. While the substitute is a small step in the right direction and an acknowledgment of the flaws in the original bill, I still do not see it as the right path forward.
And here’s why: I reject that Alabama’s medical cannabis program requires a “legislative fix.” I believe that the original medical cannabis law, passed four years ago, isn’t broken. Major provisions in the law are currently awaiting a decision from the Alabama Court of Civil Appeals. I attended that oral argument in person – the first oral argument heard by the appellate court about the medical cannabis program. In my opinion, and the nearly unanimous opinion of people I trust to call balls and strikes, the panel signaled with unusual clarity and unanimity that it would be upholding the law and the challenged actions of the AMCC. If that is the case, we may be mere months away from issuing licenses to dispensaries and integrated facilities.
Once a single dispensary license is issued, Alabama doctors can begin obtaining certifications to qualify patients for medical cannabis and Alabamians with qualifying conditions can begin to obtain medical cannabis cards. So, if you believe that the appellate court offers a path forward that may allow medical cannabis in 2025, why would you press for a bill that would ensure that it isn’t? Put simply, if it ain’t broke, don’t legislatively “fix” it.
Psychoactive Hemp Ban Appears to Be Heading Towards Reasonable Compromise
Shortly before he gaveled his committee to order, Melson introduced a substitute to Senate Bill 132. As a reminder, that legislation would, in relevant part, “provide that only non-psychoactive cannabinoids derived from or found in hemp are exempt from [Alabama’s] Schedule I controlled substances list, thus classifying psychoactive cannabinoids as controlled substances” under Alabama law. That means “[i]f enacted into law, that’s the ballgame for nearly all non-industrial hemp products in Alabama. Say goodbye to your increasingly popular THC-infused seltzers. Adios federally compliant gummies and the like.”
I wrote at the time:
I suspect that certain psychoactive hemp restrictions will become law in Alabama in the current legislative session or in the coming years.
If it were my call, I would choose a path that regulates these products to ensure safety and only adult access, rather than to ban them outright. Put simply: Regulate, don’t eliminate.
If the stated goals of the supporters of SB132 are to keep psychoactive hemp out of the hands of minors and ensure that psychoactive hemp is safe, then why not pass laws to keep psychoactive hemp out of the hands of minors and ensure that psychoactive hemp is safe?
When it comes to keeping psychoactive hemp out of the hands of minors, the purveyors of psychoactive hemp products should be required to employ the same type of age-gating policies employed by sellers of tobacco and alcohol. These policies have been in place for years and should be able to govern psychoactive hemp sales without much difficulty. And law enforcement – aided by law-abiding psychoactive hemp companies policing bad actors – should take the law seriously and enforce it just as they do tobacco and alcohol.
When it comes to ensuring that psychoactive hemp products are safe for consumption, the law should require that products undergo the same type of rigorous testing and analysis required of marijuana products. The products should be tested by independent laboratories, and the results should be easily accessible and made available to consumers. Any batch that fails to meet the legal requirements for hemp or reveals unsafe materials in the batch should be destroyed before it is made available to the public.
In Alabama, this would be a substantial burden to many hemp manufacturers and retailers. But there are (at least) two reasons why it makes sense. First, responsible hemp operators welcome these types of regulation, and most of them are taking these steps already. Second, the law creates a higher barrier to entry into the psychoactive hemp market and makes it more difficult for less capitalized and unsavory companies. That should have the dual benefit of eliminating untested products and reducing the shelf space of what I call “gas station crank.”
This proposal would, as a practical matter, mean that the psychoactive hemp market would be dominated by increasingly popular hemp beverages and low-THC edibles. Those are two of the most popular versions of psychoactive hemp and have been widely accepted as alternatives to alcohol and controlled substances by cohorts ranging from young adults looking to turn away from alcohol in increasing numbers, middle-aged consumers looking to cut down on their midweek alcohol intake, and older Alabamians who increasingly look to psychoactive hemp for pain relief and sleep aids.
The substitute bill addresses many of the concerns I expressed about the original version of SB132. With a few tweaks, I think it could be a workable model for other states trying to adopt responsible hemp programs.
The substitute is essentially a two-part bill that separately addresses rules for (1) “hemp beverages” and (2) “psychoactive hemp products.”
Hemp beverages would essentially be treated like beer and wine. They would be subject to the traditional three-tiered model (manufacturer to distributor to retailer) and subject to the same franchise laws. They would be subject to much stricter testing rules to ensure conformance with federal and state laws, and they would have labeling requirements to ensure both that the products are not targeting children or making health claims and that a certificate of analysis was embedded in a QR code so that consumers could be confident that the beverage is what it purports to be. There would also be a 6% excise tax on hemp beverages in addition to any other applicable sales taxes.
The substitute defines and permits under certain defined circumstances the sale of “psychoactive hemp products.” The bill would define “psychoactive hemp product” to include:
A liquid that contains psychoactive cannabinoids and may include flavorings or other ingredients that are intended for use in an electronic nicotine delivery system or any other product marketed to consumers as an electronic cigarette, electronic cigarillo, electronic pipe, electronic hookah, vape pen, vape tool, vaping device, or any variation of these terms.
A candy, gummy, capsule, or other product that contains psychoactive cannabinoids and is intended to be ingested into the body.
An oil or tincture that contains psychoactive cannabinoids and is marketed to deliver to the body sublingually psychoactive cannabinoids.
Psychoactive hemp products may not contain more than a total of 10 milligrams of psychoactive cannabinoids per serving, and one gummy may not contain more than one serving.
Each product must be labeled in a manner that includes all of the following:
The name and website of the manufacturer
The batch number
The total number of milligrams of psychoactive cannabinoids found in a single serving
The International Intoxicating Cannabinoid Product Symbol (IICPS)
A list of ingredients, including identification of any major food allergens declared by name
So, What Now?
Loyal readers of Budding Trends will recall that multiple proposals were voted out of the same committee last legislative session and did not become law. They will also recall that it took more than one legislative session to pass a medical cannabis law in the first place. Is past prologue or is this another example of reform taking time?
The Montgomery political ecosystem is largely an echo chamber powered by rumors, innuendo, gossip, and occasionally facts purveyed specifically to influence the actions of legislators. This influence can take the form of flattery, a well-intended desire for positive change, or fear. Not fear of physical harm, but fear of being out of the loop; fear of being out of touch; fear of being on the wrong side.
Anyone who can get someone to pay them to offer an opinion on what will happen moving forward can probably get whatever opinion they are paying to hear. After all, what’s the point in hiring someone in a government affairs role if they can’t convince you they can accomplish your objectives? With that in mind, and with full disclosure that I have clients who wish for differing outcomes (although I’m obviously not working any client against another), I think the best advice is to just read the room. What is leadership in the House and Senate saying publicly on the issue? What are the implications of the fact that the Alabama Court of Civil Appeals is currently deciding a case that could bring finality (or more confusion) to the issue? Who benefits most from change? Who suffers? And what is the chance that the Alabama Legislature could see this fight unfold and decide a medical cannabis program simply isn’t workable?
Find someone who can tell you the answers to those questions, and you’ll be in good hands.
Sitting Atop a Telehealth Cliff?
Once again, Congress is quickly approaching a telehealth cliff.
Without passing additional legislation, current Medicare telehealth flexibilities will expire on March 31, 2025. If this happens, millions of beneficiaries who have used telehealth as a means for receiving needed and often critical health care services, especially since 2020, will lose coverage for this benefit starting on April 1, 2025. This will mean, with limited exceptions, that Medicare beneficiaries will have to travel to a health care provider’s office or a health care facility to receive most telehealth services.
What Medicare Beneficiaries Have Come to Rely Upon
The COVID-19 pandemic changed perceptions of telehealth for many Americans. Starting in March 2020, Congress eased restrictions for Medicare beneficiaries as many health care providers closed offices and patients worried about being exposed to the virus in traditional in-person health care settings. Telehealth, and the greater access that the Medicare flexibilities allowed beneficiaries to have, was enormously appealing to patients living in rural areas or with mobility problems. Between April 2020 and June 2020, nearly half of all Medicare beneficiaries had at least one virtual medical visit.
Fast forward to May 2023, when the COVID-19 public health emergency officially came to an end. Congress folded extensions of the Medicare telehealth flexibilities into various spending bills, including a bill passed in December 2024. The difference? Unlike the other extensions, the bill (the American Relief Act, 2025 or “Act”) only created a 90-day extension for the Medicare telehealth flexibilities, through the end of March 2025. Section 3207 of the Act outlines what the continued flexibilities currently are:
Lifting geographic restrictions and maintaining the expanded list of originating sites including patients’ homes.
Expanding the list of distant site practitioners to include all practitioners who are eligible to bill Medicare for covered services (e.g., physical therapists, occupational therapists, speech-language pathologists, audiologists, marriage and family therapists, and mental health counselors).
Allowing federally qualified health centers and rural health clinics to serve as distant site providers of telehealth services.
Allowing payment for audio-only telehealth services.
Extending the waiver of the requirement for practitioners who provide behavioral and mental health via telehealth to provide in-person visits within 6 months of the first telehealth visit and annually thereafter.
Extending Acute Care Hospital at Home waiver authorities.
Medicare beneficiaries can receive the telehealth services described above through March 31, 2025.
What Happens Next?
With the March 31st deadline fast approaching, key organizations like the American Telemedicine Association (ATA) are working overtime to raise awareness of the pending deadline and ensure telehealth remains accessible and viable for both patients and providers. In a recent letter to policymakers, ATA urged Congress to act decisively before the looming deadline. The ATA’s letter focused on the following priorities:
Making Medicare telehealth flexibilities permanent—removing geographic restrictions limiting telehealth to rural areas, ensuring FQHCs and RHCs can continue offering virtual care, and guaranteeing fair reimbursement rates for all providers.
Preserving audio-only telehealth options—for many telehealth users, especially seniors and those living in locations without reliable broadband access, phone calls are the only way to connect patients to providers in order to receive care via telehealth. Losing this flexibility will disproportionately affect vulnerable patients.
Rolling back restrictive Drug Enforcement Administration regulations—removing in-person visit requirements for prescribing controlled substances via telehealth. This has been a subject of other recent Health Law Advisor posts.
The More Things Change… DOJ’s Latest Cyber Settlement Shows Continued False Claims Act Risk
Although the change in administrations has heralded shifting enforcement priorities at the U.S. Department of Justice (DOJ), cybersecurity enforcement under the False Claims Act (FCA) appears to be alive and well. That is the takeaway from the recent DOJ announcement that Health Net Federal Services and its parent, Centene Corporation, have agreed to pay over US$11 million to resolve an FCA matter alleging cybersecurity violations.
The Health Net Settlement
According to DOJ, Health Net entered into a contract with the Department of Defense to administer the Defense Health Agency’s TRICARE health benefits program. Health Net allegedly failed to meet certain cybersecurity controls as part of its government contract and falsely certified compliance with those requirements in annual reports to the government. The government alleged that the company failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems. In addition, according to the government, Health Net allegedly ignored reports from third-party security auditors and its own audit department regarding cybersecurity risks on the company’s networks and systems. Those risks related to, among other things, asset management, firewalls, patch management, and password policies. The government alleged that, as a result of these purported failures, the company’s claims for reimbursement under the contract were false, even if there was not any exfiltration or compromise of data or protected health information.
This latest settlement builds on prior DOJ actions against government contractors for alleged cybersecurity failures. Foley has reported on those prior actions here and here, including DOJ’s FCA suit against Georgia Tech, which remains pending.
The Health Net settlement demonstrates that the Trump Administration’s DOJ remains focused on cybersecurity enforcement, particularly pursuant to the FCA. This is not surprising, given the administration’s pronouncements about stamping out alleged fraud, waste, and abuse. Further, this was a theme echoed by several DOJ speakers at a national qui tam conference in Washington, D.C. in February 2025.
Also, where a federal contract involves the military, as was the case with the Health Net settlement, this administration is likely to be especially committed in its investigative and prosecution efforts. Indeed, it is notable that the Health Net settlement does not appear to have arisen from a qui tam suit, which would mean the government initiated the investigation on its own. Finally, the fact remains that cybersecurity has always been a bipartisan issue.
Recommendations
In light of the Health Net settlement and the new administration’s interest in cybersecurity enforcement, companies and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
Catalogue and monitor compliance with all government-imposed cybersecurity standards. This includes not only ongoing knowledge of the organization’s contracts, but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. Because the FCA’s qui tam provisions allow employees and others to file suit on behalf of the United States, it is critical to respond to employees’ concerns effectively.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline in the process and streamline the organization’s approach.