FDA Develops Strategy to Prevent Adulteration of Berries with Enteric Viral Infections
Earlier this month, FDA released a summary of a strategy intended to prevent human norovirus and hepatitis A virus (HAV) outbreaks associated with fresh and raw berries. Both norovirus and HAV are types of enteric virus (affecting the gastroenteric system) which have been linked to imported fresh and frozen berries; domestically grown berries have not been linked to an outbreak of these viruses for 35 years.
Among the information consulted in developing the plan were the results of 1,558 samples of frozen strawberries, raspberries, and blackberries from November 2018 to September 2023, which showed HAV in 8 samples and norovirus in 10 samples.
The pillars of the plan are (1) promoting high compliance rates with FDA’s food safety requirements, (2) encouraging the berry industry to consistently apply pre- and post-harvest sanitation practices, including conducting root cause analysis when failures occur, (3) broadening knowledge regarding the viability, persistence, detection, and mitigation of viruses in fresh and frozen berries, pre- and post-harvest environments, and agricultural water sources, and (4) incentivizing the use of immunization to promote worker health.
Name That Chemical: California Adds New Requirement for Prop 65 Short-Form Warnings
Short-form warnings for products that may expose consumers to chemicals on California’s Prop 65 list must now include at least one chemical name to qualify for Prop 65’s “safe harbor” protections—with one caveat. Businesses may continue to use the previous version of the short-form warning on consumer products through the end of 2027.
Businesses risk steep penalties for failure to comply with Prop 65. Stay ahead by understanding the changes and creating proactive strategies to ensure you meet the requirements on time.
What is Prop 65?
California’s Proposition 65 requires businesses to provide a “clear and reasonable” warning before they knowingly and intentionally cause an exposure to a chemical listed as known to the state to cause cancer or reproductive toxicity.
Since 2016, businesses have had the option to use specific “safe harbor” short-form warning language to comply with Prop 65’s warning requirements (e.g., WARNING: Cancer and Reproductive Harm – www.P65Warnings.ca.gov). The short-form warnings were developed by the Office of Environmental Health Hazard Assessment (“OEHHA”) in response to stakeholders’ concerns that the full-length warning language would not fit on small products,[1] but were not limited to only small products. These warnings, unlike the full-length safe harbor warnings, did not require businesses to identify the specific chemical involved in the potential exposure.
New Regulations for Short-Form Warnings
On October 27, 2023, OEHHA published a Notice of Proposed Rulemaking to amend the short-form warnings, citing the overuse of short-form warnings and the need for additional consumer clarity. Specifically, OEHHA expressed concern that many businesses were using the short-form warning “prophylactically[,] because it protects from potential litigation and does not require identification of a specific chemical exposure for which the warning is being given,” which OEHHA believed “does not serve Proposition 65’s purpose of providing relevant hazard information to consumers about Proposition 65-listed chemicals in products they may use.”[2] On November 26, 2024, the Office of Administrative Law approved the rulemaking.
Under the new regulations, a short-form warning must state at least one chemical name for which the warning is being provided. The regulations also make explicit that short-form warnings may be used to provide safe harbor warnings for food products, and provide new tailored safe harbor warnings for passenger or off-highway motor vehicle parts and recreational marine vessel parts.
The effective date for the amendments is January 1, 2025, but businesses selling consumer products may use the existing short-form warnings without identifying a chemical until December 31, 2027.
Below are some example short-form warnings for listed carcinogens under the new regulations:
WARNING: [or CA WARNING: or CALIFORNIA WARNING:] Risk of cancer from exposure to [NAME OF CHEMICAL]. See www.P65Warnings.ca.gov
WARNING: [or CA WARNING: or CALIFORNIA WARNING:] Can expose you to [NAME OF CHEMICAL], a carcinogen. See www.P65Warnings.ca.gov
Option for use on consumer products until December 31, 2027:
WARNING: Cancer – www.P65Warnings.ca.gov
The final regulatory text, as amended, can be viewed here.
For Your To-Do List
Don’t wait until December of 2027 to assess your Prop 65 compliance. Make a plan now to:
Review your warnings with legal counsel.
Assess what chemicals are present in your products.
Revamp product packaging.
Revise your website and online product descriptions.
Update your communications with your business partners.
FOOTNOTES
[1] https://oehha.ca.gov/proposition-65/crnr/proposed-amendments-regulations-clear-and-reasonable-warnings-safe-harbor
[2] Id.
5 Key Takeaways | SI’s Downtown ‘Cats Discuss Artificial Intelligence (AI)
Recently, we brought together over 100 alumni and parents of the St. Ignatius College Preparatory community, aka the Downtown (Wild)Cats, to discuss the impact of Artificial Intelligence (AI) on the Bay Area business community.
On a blustery evening in San Francisco, I was joined on a panel by fellow SI alumni Eurie Kim of Forerunner Ventures and Eric Valle of Foundry1 and by my Mintz colleague Terri Shieh-Newton. Thank you to my firm Mintz for hosting us.
There are a few great takeaways from the event:
What makes a company an “AI Company”?
The panel confirmed that you cannot just put “.ai” at the end of your web domain to be considered an AI company.
Eurie Kim shared that there are two buckets of AI companies: (i) AI-boosted and (ii) AI-enabled.
Most tech companies in the Bay Area are AI-boosted in some way – it has become table stakes, like a website 25 years ago. The AI-enabled companies are doing things you could not do before, from AI personal assistants (Duckbill) to autonomous driving (Waymo).
What is the value of AI to our businesses?
In the future, companies will be infinitely more interesting using AI to accelerate growth and reduce costs.
Forerunner, who has successfully invested in direct-to-consumer darlings like Bonobos, Warby Parker, Oura, Away and Chime, is investing in companies using AI to win on quality.
Eurie explained that we do not need more information from companies on the internet, we need the answer. Eurie believes that AI can deliver on the era of personalization in consumer purchasing that we have been talking about for the last decade.
What are the limitations of AI?
The panel discussed that there is a difference between how AI can handle complex human problems and simple human problems. Right now, AI can replace humans for simple problems, like gathering all of the data you need to make a decision. But, AI has struggled to solve for the more complex human problems, like driving an 18-wheeler from New York to California.
This means that we will need humans using AI to effectively solve complex human problems. Or, as NVIDIA CEO Jensen Huang says, “AI won’t take your job, it’s somebody using AI that will take your job.”
What is one of the most unique uses of AI today?
Terri Shieh-Newton shared a fascinating use of AI in life sciences called “Digital Twinning”. This is the use of a digital twin for the placebo group in a clinical trial. Terri explained that we would be able to see the effect of a drug being tested without testing it on humans. This reduces the cost and the number of people required to enroll in a clinical trial. It would also have a profound human effect because patients would not be disappointed at the end of the trial to learn that they were taking the placebo and not receiving the treatment.
Why is so much money being invested in AI companies?
Despite the still nascent AI market, a lot of investors are pouring money into building large language models (LLMs) and investing in AI startups.
Eric Valle noted that early in his career the tech market generally delivered outsized returns to investors, but the maturing market and competition among investors have moderated those returns. AI could be the kind of investment that could generate those 20x+ returns.
Eric also talked about the rise of venture studios like his Foundry1 in AI. Venture studios are a combination of accelerator, incubator and traditional funds, where the fund partners play a direct role in formulating the idea and navigating the fragile early stages. This venture studio model is great for AI because the studio can take small ideas and expand them exponentially – and then raise the substantial amount of money it takes to operationalize an AI company.
Happy Privacy Day: Emerging Issues in Privacy, Cybersecurity, and AI in the Workplace
As the integration of technology in the workplace accelerates, so do the challenges related to privacy, cybersecurity, and the ethical use of artificial intelligence (AI). Human resource professionals and in-house counsel must navigate a rapidly evolving landscape of legal and regulatory requirements. This National Privacy Day, it’s crucial to spotlight emerging issues in workplace technology and the associated implications for data privacy, cybersecurity, and compliance.
We explore here practical use cases raising these issues, highlight key risks, and provide actionable insights for HR professionals and in-house counsel to manage these concerns effectively.
1. Wearables and the Intersection of Privacy, Security, and Disability Law
Wearable devices have a wide range of use cases including interactive training, performance monitoring, and navigation tracking. Wearables such as fitness trackers and smartwatches became more popular in HR and employee benefits departments when they were deployed in wellness programs to monitor employees’ health metrics, promote fitness, and provide a basis for doling out insurance premium incentives. While these tools offer benefits, they also collect sensitive health and other personal data, raising significant privacy and cybersecurity concerns under the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and state privacy laws.
Earlier this year, the Equal Employment Opportunity Commission (EEOC) issued guidance emphasizing that data collected through wearables must align with ADA rules. More recently, the EEOC withdrew that guidance in response to an Executive Order issued by President Trump. Still, employers should evaluate their use of wearables and whether they raise ADA issues, such as voluntary use of such devices when collecting confidential medical information, making disability-related inquiries, and using aggregated or anonymized data to prevent discrimination claims.
Beyond ADA compliance, cybersecurity is critical. Wearables often collect sensitive data and transmit same to third-party vendors. Employers must assess these vendors’ data protection practices, including encryption protocols and incident response measures, to mitigate the risk of breaches or unauthorized access.
Practical Tip: Implement robust contracts with third-party vendors, requiring adherence to privacy laws, breach notification, and security standards. Also, ensure clear communication with employees about how their data will be collected, used, and stored.
2. Performance Management Platforms and Employee Monitoring
Platforms like Insightful and similar performance management tools are increasingly being used to monitor employee productivity and/or compliance with applicable law and company policies. These platforms can capture a vast array of data, including screen activity, keystrokes, and time spent on tasks, raising significant privacy concerns.
While such tools may improve efficiency and accountability, they also risk crossing boundaries, particularly when employees are unaware of the extent of monitoring and/or where the employer doesn’t have effective data minimization controls in place. State laws like the California Consumer Privacy Act (CCPA) can place limits on these monitoring practices, particularly if employees have a reasonable expectation of privacy. They also can require additional layers of security safeguards and administration of employee rights with respect to data collected and processed using the platform.
Practical Tip: Before deploying such tools, assess the necessity of data collection, ensure transparency by notifying employees, and restrict data collection to what is strictly necessary for business purposes. Implement policies that balance business needs with employee rights to privacy.
3. AI-Powered Dash Cams in Fleet Management
AI-enabled dash cams, often used for fleet management, combine video, audio, GPS, telematics, and/or biometrics to monitor driver behavior and vehicle performance, among other things. While these tools enhance safety and efficiency, they also present significant privacy and legal risks.
State biometric privacy laws, such as Illinois’s Biometric Information Privacy Act (BIPA) and similar laws in California, Colorado, and Texas, impose stringent requirements on biometric data collection, including obtaining employee consent and implementing robust data security measures. Employers must also assess the cybersecurity vulnerabilities of dash cam providers, given the volume of biometric, location, and other data they may collect.
Practical Tip: Conduct a legal review of biometric data collection practices, train employees on the use of dash cams, and audit vendor security practices to ensure compliance and minimize risk.
4. Assessing Vendor Cybersecurity for Employee Benefits Plans
Third-party vendors play a crucial role in processing data for retirement plans, such as 401(k) plans, as well as health and welfare plans. The Department of Labor (DOL) emphasized in recent guidance the importance of ERISA plan fiduciaries’ role in assessing the cybersecurity practices of such service providers.
The DOL’s guidance underscores the need to evaluate vendors’ security measures, incident response plans, and data breach notification practices. Given the sensitive nature of data processed as part of plan administration—such as Social Security numbers, health records, and financial information—failure to vet vendors properly can lead to breaches, lawsuits, and regulatory penalties, including claims for breach of fiduciary duty.
Practical Tip: Conduct regular risk assessments of vendors, incorporate cybersecurity provisions into contracts, and document the due diligence process to demonstrate compliance with fiduciary obligations.
5. Biometrics for Access, Time Management, and Identity Verification
Biometric technology, such as fingerprint or facial recognition systems, is widely used for identity verification, physical access, and timekeeping. While convenient, the collection of biometric data carries significant privacy and cybersecurity risks.
BIPA and similar state laws require employers to obtain written consent, provide clear notices about data usage, and adhere to stringent security protocols. Additionally, biometrics are uniquely sensitive because they cannot be changed if compromised in a breach.
Practical Tip: Minimize reliance on biometric data where possible, ensure compliance with consent and notification requirements, and invest in encryption and secure storage systems for biometric information. Check out our Biometrics White Paper.
6. HIPAA Updates Affecting Group Health Plan Compliance
Recent changes to the HIPAA Privacy Rule, including provisions related to reproductive healthcare, significantly impact group health plans. The proposed HIPAA Security Rule amendments also signal stricter requirements for risk assessments, access controls, and data breach responses.
Employers sponsoring group health plans must stay ahead of these changes by updating their HIPAA policies and Notice of Privacy Practices, training staff, and ensuring that business associate agreements (BAAs) reflect the new requirements.
Practical Tip: Regularly review HIPAA compliance practices and monitor upcoming changes to ensure your group health plan aligns with evolving regulations.
7. Data Breach Notification Laws and Incident Response Plans
Many states have updated their data breach notification laws, lowering notification thresholds, shortening notification timelines, and expanding the definition of personal information. Employers should revise their incident response plans (IRPs) to align with these changes.
Practical Tip: Ensure IRPs reflect updated laws, test them through simulated breach scenarios, and coordinate with legal counsel to prepare for reporting obligations in case of an incident.
8. AI Deployment in Recruiting and Retention
AI tools are transforming HR functions, from recruiting to performance management and retention strategies. However, these tools require vast amounts of personal data to function effectively, increasing privacy and cybersecurity risks.
The EEOC and other regulatory bodies have cautioned against discriminatory impacts of AI, particularly regarding protected characteristics like disability, race, or gender. (As noted above, the EEOC recently withdrew its AI guidance under the ADA and Title VII following an Executive Order by the Trump Administration.) For example, the use of AI in hiring or promotions may trigger compliance obligations under the ADA, Title VII, and state laws.
Practical Tip: Conduct bias audits of AI systems, implement data minimization principles, and ensure compliance with applicable anti-discrimination laws.
9. Employee Use of AI Tools
Moving beyond the HR department, AI tools are fundamentally changing how people work. Tasks that used to require time-intensive manual effort—creating meeting minutes, preparing emails, digesting lengthy documents, creating PowerPoint decks—can now be completed far more efficiently with assistance from AI. The benefits of AI tools are undeniable, but so too are the associated risks. Organizations that rush to implement these tools without thoughtful vetting processes, policies, and training will expose themselves to significant regulatory and litigation risk.
Practical Tip: Not all AI tools are created equal—either in terms of the risks they pose or the utility they provide—so an important first step is developing criteria to assess, and then going through the process of assessing, which AI tools to permit employees to use. Equally important is establishing clear ground rules for how employees can use those tools. For instance, what company information are they permitted to use to prompt the tool; what are the processes for ensuring the tool’s output is accurate and consistent with company policies and objectives; and should employee use of AI tools be limited to internal functions or should they also be permitted to use these tools to generate work product for external audiences.
10. Data Minimization Across the Employee Lifecycle
At the core of many of the above issues is the principle of data minimization. The California Privacy Protection Agency (CPPA) has emphasized that organizations must collect only the data necessary for specific purposes and ensure its secure disposal when no longer needed.
From recruiting to offboarding, HR professionals must assess whether data collection practices align with the principle of data minimization. Overcollection not only heightens privacy risks but also increases exposure in the event of a breach.
Practical Tip: Develop a data inventory mapping employee information from collection to disposal. Regularly review and update policies to limit data retention and enforce secure deletion practices.
Conclusion
The rapid adoption of emerging technologies presents both opportunities and challenges for employers. HR professionals and in-house counsel play a critical role in navigating privacy, cybersecurity, and AI compliance risks while fostering innovation.
By implementing robust policies, conducting regular risk assessments, and prioritizing data minimization, organizations can mitigate legal exposure and build employee trust. This National Privacy Day, take proactive steps to address these issues and position your organization as a leader in privacy and cybersecurity.
Pivotal Labor and Employment Law Issues in 2025: Healthcare
Employers in the healthcare industry will navigate a landscape marked by rapid change and evolving challenges over the course of 2025, including those related to labor organizing, workplace safety, noncompete agreements, pay transparency, and immigration.
Quick Hits
Healthcare employers will have to navigate several labor and employment law issues in 2025, including a potential continued rise in union organizing, new restrictions on the use of noncompete agreements, emerging workplace safety risks, compliance concerns, additional pay transparency laws, and immigration regulatory and enforcement changes.
The issues arise as the new presidential administration seeks to shift federal policy on several of the key issues, including labor relations and immigration.
Healthcare employers may want to monitor these developments and consider steps to adapt to this evolving landscape and remain compliant and competitive.
Here is a close look at critical issues that will shape the current environment and are poised to significantly impact the industry’s future.
Labor Organizing Efforts
Organizing efforts among healthcare professionals, notably including physicians, have been gaining momentum in recent years, in part brought on by the COVID-19 pandemic. In addition, several healthcare union contracts are set to expire in 2025, meaning many healthcare employers will be engaged in negotiations that will likely impact the industry for years to come.
The National Labor Relations Board (NLRB) has issued several union-friendly rulings over the past two years, making it more difficult for employers to challenge majority union representation status and express concerns about the impact of unionization on workplace dynamics. However, President Donald Trump, who was sworn into office on January 20, 2025, has taken actions to shift the NLRB’s political leadership and policy priorities.
Restrictions on Noncompete Agreements
The use of noncompete agreements, which restrict doctors, nurses, and other healthcare employees from working for competing healthcare facilities for certain periods of time and in specific geographic areas after leaving their current employers, has faced increased scrutiny in recent years. In April 2024, the Federal Trade Commission (FTC) sought to ban nearly all noncompete agreements in employment, though federal district courts enjoined that effort in Florida and Texas (currently being considered on appeal). However, it is not expected that the new presidential administration will seek to continue with this rule.
In the meantime, states have increasingly sought to regulate noncompete agreements and restrictive covenants in employment in recent years in ways that will impact healthcare employers. Notably, Pennsylvania Governor Josh Shapiro, in July 2024, signed a law to prohibit certain noncompete agreements with doctors. The law, which went into effect on January 1, 2025, prohibits “noncompete covenant[s]” with time periods of more than one year entered into by healthcare practitioners and employers, as well as imposes certain notification requirements on healthcare employers. Notably, Pennsylvania was previously one of a dozen states with no laws restricting noncompete agreements.
Emerging Workplace Safety Challenges
Workplace safety has always been a paramount concern in the healthcare industry, given the inherent risks associated with patient care. However, recent developments in the wake of the COVID-19 pandemic have brought new challenges and heightened awareness of the importance of comprehensive safety protocols.
The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) and a growing number of states have made protecting doctors, nurses, and other healthcare workers who have direct patient interaction from workplace violence a priority. OSHA has been preparing a proposed standard on workplace violence prevention in healthcare settings, which had been slated to be released in December 2024.
Healthcare employers may want to review their workplace safety practices and ensure they address emerging risks. Updates can include additional physical safety measures, such as improved personal protective equipment (PPE) and infection control protocols, initiatives that support the mental health and well-being of healthcare workers, new technologies for risk mitigation, and continued safety training and planning.
Pay Transparency Compliance Obligations
Pay transparency compliance is also becoming an increasingly important issue in the healthcare industry as healthcare organizations strive to attract and retain top talent. A growing list of more than a dozen states and the District of Columbia have enacted pay transparency laws, requiring employers to disclose in postings for new jobs and internal promotions details such as pay ranges, benefits, bonus structures, and other compensation information. New laws in Illinois and Minnesota already took effect on January 1, 2025, with laws in New Jersey, Vermont, and Massachusetts set to take effect later in the year.
New Immigration Regulations and Enforcement
Immigration is a critical issue for the healthcare industry, which relies heavily on international talent to fill various roles, from physicians and nurses to researchers and support staff. Potential changes to U.S. immigration laws and regulations—including changes to visa requirements, work authorization processes, and other programs—in 2025 may significantly impact the ability of healthcare employers to recruit and retain skilled professionals from abroad.
Notably, the U.S. Department of Homeland Security (DHS) revamped the process for H-1B “specialty occupation” visas with a new rule that took effect on January 17, 2025. Further, in his first days in office, President Trump signed several executive orders (EO) seeking to implement more restrictive U.S. immigration policies.
Cal/OSHA Provides Guidance for Managing Post-Fire Cleanup Efforts
In light of the ongoing and devastating fires in Los Angeles County, Cal/OSHA released new guidance to ensure the safety and health of workers involved in fire damage cleanup.
Of note, Cal/OSHA’s standards may apply to some household domestic service workers. Historically, domestic service workers have not been subject to Cal/OSHA’s standards while cooking, cleaning, and providing childcare for a family. Cal/OSHA reminded employers that household domestic service workers are governed by Cal/OSHA’s standard if the workers are engaged in fire cleanup work, such as removing ash and debris and cleaning fire-damaged structures. As such, it is important for those employers who have employees performing post-fire cleaning to take note of the Cal/OSHA guidance.
As a reminder and unrelated to this recent guidance, effective July 1, 2025, Cal/OSHA will gain control over workplace safety for some household domestic services.
Key Points to Note:
Employers are required to identify and evaluate potential hazards in fire-damaged areas. This includes assessing risks such as unstable structures, hazardous materials, and environmental dangers like ash and soot.
Proper training and instruction must be provided to employees before they begin cleanup work. This training should cover the specific hazards they may encounter and the safety measures they need to take.
Employers must ensure that workers have access to and use appropriate PPE. This includes NIOSH-certified respirators, gloves, eye protection, and other necessary gear to protect against inhalation of harmful substances and physical injuries.
Cal/OSHA emphasizes the importance of adhering to existing health and safety standards. This includes regulations on heat illness prevention, confined space entry, and handling of hazardous materials.
Employers must establish and communicate clear emergency procedures. This includes protocols for evacuations, first aid, and reporting unsafe conditions.
Funding Freeze for Health Care Providers – What You Need to Know
Last night, the Office of Management and Budget (“OMB”) released a memo directing federal agencies to take several actions impacting federal grant programs (outlined in greater detail below) that are resulting in real money consequences for health care providers today. Providers need to be aware of these issues and the challenges ahead. We are already working with several providers to mitigate damages and develop strategies to respond to these updates in real time. Each provider is unique, and every provider will respond to and be impacted by these changes differently.
What Happened?
Late on January 27, 2025, the Trump Administration’s Office of Management and Budget (“OMB”) released a memorandum placing a moratorium on payments for almost all federal grants (the “OMB Memo”).[1] OMB explained the justification for this pause as follows:
“Financial assistance should be dedicated to advancing Administration priorities, focusing taxpayer dollars to advance a stronger and safer America, eliminating the financial burden of inflation for citizens, unleashing American energy and manufacturing, ending “wokeness” and the weaponization of government, promoting efficiency in government and Making America Healthy Again. The use of Federal resources to advance Marxist equity, transgenderism and green new deal social engineering policies is a waste of taxpayer dollars that does not improve the day-to-day lives of those we serve.”
The OMB Memo directs federal agencies to undertake the following tasks:
Complete a comprehensive analysis of all existing Federal financial assistance programs to determine their alignment with Presidential orders;
During the course of this review, pause (a) the issuance of new awards and (b) the disbursement of federal funds under existing awards. Agencies must also take all other relevant agency actions to comply with this direction and Trump’s executive orders until directed by OMB to do otherwise; and
Every federal financial assistance program must be assigned to a senior political appointee who will evaluate, modify or cancel existing awards that conflict with Administration policies, and ensure adequate oversight over award distribution.
Timeline
January 27, 2025 – OMB Memo issued
January 28, 2025 (5:00 PM) – Funding freeze implemented (on hold)
February 3, 2025 (5:00 PM) – Order halting funding freeze expires
February 7, 2025 – OMB guidance deadline for agency submission of information regarding identified programs with funding or activities planned through March 15, 2025
February 10, 2025 – OMB Memo deadline for agencies to provide detailed information on review of programs
Why Does This Matter for Health Care Providers?
Providers of every type depend on federal grant funds as a key component of their operating and service budgets. Both the Medicaid and CHIP Programs are structured as “grant” programs to the states and are specifically identified by OMB on the list of grant programs to be reviewed.[2] Guidance issued today by OMB suggests that Medicaid is a mandatory program that will not be paused, but we have also seen reports from several states, including Illinois, that they are unable to access federal Medicaid funding.[3] Regardless of the ultimate outcome, providers can expect temporary uncertainty related to Medicaid funding status.
In addition to major sources of health care coverage, there are innumerable smaller grants that providers rely on to help make ends meet and extend services to their communities, including grants for substance use disorder treatment, provider education and training, telehealth expansion and rural health care services. Without the availability of these programs, even on a temporary basis, health care providers face a difficult operational reality resulting in loss of cash flow, failure to meet payment obligations (even payroll) and service disruption for particularly vulnerable patient populations. We are already aware of providers who have been frozen out of grant portals, and who are unable to draw down funds.
Providers who rely on federal funds should inventory each of their grant programs and determine whether they can still lawfully access funds.[4] Keep watching this space – there will be rapid developments over the next several days as providers, state governments and other stakeholders respond. There is a wide array of options available to providers to respond to these changes – if you’re unsure of the best path for your organization, we’re here to help.
As of 3:30 pm (MST), a D.C. federal judge temporarily blocked the Trump administration from freezing federal grants. More details will be available in the webinar tomorrow.
Temporary Reprieve. Late afternoon, D.C. District Court Judge Loren AliKhan temporarily halted the freeze ordered by the OMB Memo to allow additional time for consideration. Judge AliKhan’s order expires February 3 at 5:00 pm, and there will likely be many further developments over the next week.
[1] Executive Office of the President, Office of Management and Budget, M-25-13 Temporary Pause of Agency Grant, Loan, and Other Financial Assistance Programs (Jan. 27, 2025).
[2] The OMB Memo specifically exempts Social Security and Medicare; these are the only two express exemptions.
[3] Executive Office of the President, Office of Management and Budget, Untitled FAQ (Jan. 28, 2025).
[4] Executive Office of the President, Office of Management and Budget, Instructions for Federal Financial Assistance Analysis in Support of M-25-13 (Jan. 27, 2025).
Complying with the ACA Disclosure Requirements Just Got a Whole Lot Easier!
New legislation liberalizing certain disclosure requirements under the Affordable Care Act (“ACA”) was passed at the end of 2024.
Effective for 2024 reporting, mailing a paper copy of Forms 1095-C/1095-B is no longer required if the employer timely provides employees with proper notice by January 31, 2025.
Under the ACA, Applicable Large Employers (ALEs) are required to provide minimum essential health care coverage to at least 95% of their full-time employees that meets “minimum value” and “affordability” standards, or potentially pay a penalty to the Internal Revenue Service (“IRS”) under the ACA’s employer shared responsibility provisions. In connection with this requirement, health insurers and ALEs are required to provide full-time employees and employees with health care coverage with an annual IRS Form 1095-C/1095-B that discloses the coverage.
ALEs are no longer required to do a mass mailing of these forms to their employees if the employer meets certain notice requirements. If an employer posts a clear, conspicuous and accessible notice informing employees that any individual to whom Form 1095-C/1095-B would otherwise be required to be provided may request a copy of the applicable forms, a broad mailing to all employees is not required. There has not been subsequent guidance on what will qualify as “clear, conspicuous and accessible,” so for purposes of complying with the notice condition this year, employers are left to make a good-faith and reasonable interpretation of the standards.
Deadline – January 31: The notice must be posted no later than January 31 following the year of the reporting. For the 2024-year reporting, the notice must be posted by Friday, January 31, 2025.
Responding to Requests: Upon request, employers must provide the requested IRS Form 1095-C/1095-B to the employee by the later of January 31 or 30 days after receiving the employee’s request.
Employers still need to complete and file Forms 1095-C and 1094-C with the IRS. If filed electronically, the forms are due no later than March 31, 2025; if filed in paper form, the forms are due no later than February 28, 2025.
Next Steps for Employers:
If an employer wishes to take advantage of this reprieve, the employer should prepare and conspicuously post an accessible notice to employees informing them of their right to request a Form 1095-C/1095-B. The notice must be posted by January 31, 2025.
Employers should adopt a process for managing employee requests for forms.
Employers should continue to prepare and submit required ACA forms with the IRS.
The Trump Administration’s Immigration Enforcement Policy: What Hospitals and Health Care Providers Must Know for Their Patients and Visitors [Video]
It is by now common knowledge that on Inauguration Day, January 20, 2025, President Trump signed numerous executive orders geared toward the implementation of his immigration policy objectives, setting the stage for what he has called “the largest domestic deportation operation in American history.”
Less well known is the directive issued the following day by Acting Department of Homeland Security (DHS) Secretary Benjamine Huffman lifting Biden administration restrictions on Immigration and Customs Enforcement (ICE) agents that prevented the arrest of immigrants without legal status in certain specified sensitive areas, such as hospitals, churches, and schools. Thus, immigration enforcement personnel are now permitted to find individuals without legal status in or near sensitive areas, including hospitals and medical clinics.
Then, on January 26, The Washington Post reported that quotas of between 1,200 and 1,500 arrests per day had been placed on immigration enforcement agencies. As a result, there is a growing concern among health care providers who treat populations likely to contain disproportionate numbers of undocumented individuals that ICE agents will request information from them about their patients, including protected health information (PHI), or about visitors to the facility, and may even seek to question or detain patients when they have been admitted to the hospital or come to a clinic to obtain treatment.
This Insight provides background about immigration enforcement, describes what happens during an ICE raid, and offers information regarding policies that health care providers should have in place to be prepared for a patient- or visitor-focused enforcement action at their facility.[1]
What Could Happen During an ICE Raid?
In light of these recent changes to ICE policies, hospital systems and other medical providers should be prepared for the possibility of increased immigration-related law enforcement activity. Raids conducted by law enforcement agents are not announced in advance, and it has been reported that in recent years, ICE has used increasingly aggressive tactics in connection with federal immigration enforcement. Reports of ICE enforcement since the inauguration show federal agents wearing technical gear, which can be an alarming sight in a patient-centered care environment. One substantial concern is that ICE and other law enforcement agents will arrive at hospitals and health care clinics and insist that they be permitted to enter treatment areas to question patients about their immigration status and detain those not able to demonstrate they are in the United States legally.
Law enforcement agents are free to enter any public areas of a business, such as the lobby or a parking lot. However, to enter non-public business premises, which include patient evaluation and treatment areas and administrative offices, the agent must have a signed judicial search warrant, i.e., one issued by a judge, and not merely an administrative warrant from an agency. While the agent can also enter with the consent of the health care provider, the provider must take care to uphold privacy protections, notably, the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws, even if the provider opts to respond to immigration enforcement requests.
What Can Health Care Providers Do Now to Prepare?
It is imperative that health care providers take the following steps in advance to prepare for a potential onsite ICE enforcement activity:
Assess and review the entity’s policy on responding to law enforcement. Many hospitals and other providers currently maintain policies on federal/local investigations and interactions with law enforcement. These policies should be updated to address the potential for immigration enforcement and to ensure consistent application across differing situations. Many hospitals and other providers have frequent contact with local law enforcement and are used to responding to police inquiries.
Designate a person in advance within the Legal Department (preferred) or senior on-site administrator with access to legal counsel to be the primary point of contact. A backup liaison should also be available during off-hours.
Establish basic protocols for the designated entity representative to follow, including obtaining identification of the law enforcement officers (i.e., name and business card). This should include reviewing with legal counsel the type and scope of documentation presented by the agents to justify their inquiry to determine whether it aligns with the request being made.
Provide a checklist of the basic protocols for the designated entity representative to follow, and keep copies in an easily accessible location, including on the designated representative’s work-related cellular phone.
Provide training to security and “front desk” personnel (and whoever else is likely to be the first person encountered) regarding how to respond to a variety of potential law enforcement scenarios, including raids, targeted enforcement involving those with criminal histories, document requests, and requests for information. This should include obtaining identification of the law enforcement officers, reviewing the materials to determine whether the agents have judicially authorized search warrants (as required to enter non-public business premises) and/or only administrative subpoenas/deportation orders, referring them to the designated entity representative, and requesting they remain in a specified office while the designated representative evaluates the appropriate response.
Notify and train personnel who may encounter ICE agents that they are not authorized to provide information or documentation or permit entry to non-public areas of the provider’s premises without direction from the designated representative and that they should be courteous and fully document all occurrences and actions of the agents.
Notify appropriate staff they must not provide legal advice to patients or employees who may be affected by immigration enforcement measures. Instead, if they wish, they may make available pamphlets or other literature regarding immigrant rights from recognized immigration support organizations and refer them to such organizations for further information.
Connect with legal counsel specializing in health care, privacy, and immigration law to obtain guidance regarding internal policies, procedures, and training and support to the designated entity representative.
Assess whether, and to what extent, information regarding immigration status should be obtained from patients.
What Else Should Health Care Providers Know?
Health care providers are generally not obligated to share the immigration status (if known) of their patients, nor are they obligated to provide immigration officials with access to treatment spaces in their facilities, which are non-public, absent a judicially issued search warrant or a warrant to arrest a specific individual. While HIPAA generally permits the disclosure of PHI to law enforcement in limited circumstances, as described in the regulations, it does not require disclosure of PHI. The definition of PHI is, of course, quite comprehensive and includes information such as name, address, date of birth, immigration status, admission status, and anticipated discharge date. Visitors to a facility will not have the same HIPAA protections as patients.
The staff of health care providers are also generally under no obligation to speak with ICE agents or other immigration enforcement personnel and should be advised they are not authorized to speak or release any documentation or information on behalf of the provider entity. Legal counsel should be consulted to determine what disclosure is permitted under HIPAA based on the documentation presented and what response, if any, is required by such documents.
With all this in mind, health care providers should be careful not to engage in a physical or verbal altercation with any law enforcement officer or otherwise be seen as obstructing or interfering with the government’s actions. Note also it is illegal to intentionally protect from detention a person who is in the United States unlawfully. Balancing this with the ongoing obligation to observe HIPAA and other privacy laws, as well as holding law enforcement to their legal standards for entry and access to patients and visitors, requires some analysis and judgment. This is the basis for recommending the designation (in advance) of a Legal Department or other senior on-site administrator with access to legal counsel to be the primary point of contact for law enforcement personnel, including for after-hours inquiries.
ENDNOTE
[1] As employers, you may also be interested in a companion Insight, “The New Trump Administration’s Immigration Enforcement Policy: What Employers Must Know,” as well as the blog post “Responding to Law Enforcement Demands for HIPAA Protected Information” and the video below.
Additional Authors: Stephen R. Kleinman and Jennifer M. Nelson Carney
New York State Legislature Passes Health Data Law to Protect Abortion Rights
On January 21, 2025, the New York legislature passed Senate Bill S929, an act to amend the general business law, in relation to providing for the protection of health information (the “Act”). The Act would provide for the protection of health information and require written consent or a designated necessary purpose for the processing of an individual’s health information. The bill is pending Governor Kathy Hochul’s signature.
The Act prohibits the sale of regulated health information and limits the circumstances in which an entity can lawfully “process” regulated health information, including but not limited to the collection, use, access and monetization of such information. It defines regulated health information to mean “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual,” including location or payment information. Notably, regulated health information does not include deidentified information, or information that “cannot reasonably be used to infer information about, or otherwise be linked to a particular individual, household, or device,” given reasonable technical safeguards.
Entities will still be able to “process” regulated health information in certain circumstances, including when they have received “valid authorization” from an individual to do so. In order for the authorization to be valid, it must satisfy 11 different conditions set forth by the Act. These include authorization made by written or electronic signature; the individual has the ability to provide or withhold authorization for different categories of processing activities; the individual has the ability to revoke authorization; and failure “to provide authorization will not affect the individual’s experience of using the regulated entity’s products or services.” Authorizations must expire within one year of being provided.
The Act provides for other circumstances that allow entities to “process” regulated health information absent “valid authorization” from the individual, including when such information is “strictly necessary” for “providing… a specific product or service requested by [the] individual,” “conducting… internal business operations,” “protecting against… illegal activity,” and “detecting, responding to, or preventing security incidents or threats.”
The Act would take effect one year after it is signed into law. Rules or regulations necessary to implement the Act are authorized to be made immediately following its passage and may be completed before the effective date.
The Act is now awaiting the signature of Governor Kathy Hochul. Governor Hochul’s Office has not yet commented on the bill, but she has been a longtime supporter of abortion access, a position on which she campaigned.
HHS-OIG Issues Favorable Opinion on Drug Manufacturer’s Free Genetic Testing, Counseling for Patients
Highlights
HHS-OIG recently released Advisory Opinion No. 24-12, a favorable opinion involving a drug manufacturer’s patient support program for individuals who suffer from a genetic condition causing chronic kidney stones
The proposed arrangement is consistent with previous HHS-OIG guidance on patient assistance that promotes access to care involving rare health conditions
The HHS-OIG noted several factors that limited the possibility of fraud and abuse, even though the arrangement implicates the Anti-Kickback Statute and the civil monetary penalty provision prohibiting inducements to beneficiaries
The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) recently released Advisory Opinion No. 24-12, a favorable opinion regarding a drug manufacturer’s program to sponsor genetic testing, related genetic counseling, and disease-state awareness education for certain hereditary conditions that may cause kidney stones. The manufacturer of a drug used to treat chronic kidney stones caused by a rare genetic condition requested the advisory opinion.
The manufacturer proposes the program be offered to certain patients that meet specified criteria. Eligible patients are those who: 1) have a family history of recurrent kidney stones, 2) received inconclusive results after testing for the genes responsible for the genetic condition, 3) have lab results indicating a potential monogenic disorder resulting in chronic kidney stones, 4) suffer from chronic kidney disease of unknown etiology, 5) suffer from nephrocalcinosis, 6) have a history of recurring kidney stones, or 7) are younger than two years old and failing to thrive with impaired renal function.
Under the program, no patient or payor would be billed for any of the tests or counseling services. The services would not be conditional on the use of the company’s drug or any other items or services sold by the company or its affiliates. The company acknowledged that the arrangement could result in healthcare providers scheduling, conducting, and billing eligible patients and their payors for additional visits to review patient test results generated by the program. However, these visits are not required under the program and would be solely done at the provider’s discretion in consultation with the patient.
The HHS-OIG concluded that the proposed arrangement implicated both the Anti-Kickback Statute and the civil monetary penalty provision prohibiting inducements to beneficiaries and would not fall directly within any exception or safe harbor. Nevertheless, the agency concluded the risk of fraud and abuse is sufficiently low and it would not impose sanctions on the proposed arrangement.
The HHS-OIG cited the following factors as limiting the possibility for fraud and abuse:
The narrow eligibility requirements regarding how a patient obtains genetic tests and counseling reduce the risk of over-utilization and improper utilization
The arrangement is unlikely to skew clinical decision-making or raise concerns regarding patient safety or quality of care because the manufacturer does not provide any sort of incentive to providers who order genetic testing or counseling
The manufacturer does not receive any information that identifies the prescribers or the patients who receive free genetic testing and counseling under the arrangement, and therefore, the company cannot target any drug marketing materials specifically to those individuals
Genetic counselors discuss genetic testing and hereditary diseases, but do not discuss treatment options, therefore limiting any marketing of the drug
Notably, the HHS-OIG warned that it would likely reach a different conclusion if patient or provider data was shared with the drug manufacturer that would allow it to perform target marketing of the drug based on the arrangement. The HHS-OIG also noted its conclusion would likely be different if there was a more direct nexus between the free genetic testing, counseling, and education and ordering or purchasing the manufacturer’s drug.
Takeaways
This advisory opinion continues to demonstrate HHS-OIG’s leniency toward targeted patient support programs for rare diseases and genetic conditions. It also shows HHS-OIG’s tolerance for arrangements that increase the standard of care while limiting costs to federal healthcare programs, especially when patient data under the arrangement cannot be used for marketing purposes or other financial gain.
Massachusetts Expands FCA Liability To Owners and Private Equity Investors
Under a new 2025 law, Massachusetts is one of the first states in the nation to broaden its state False Claims Act (FCA) to require disclosures by investors and owners of health care entities. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act), significantly changing Massachusetts’s regulatory and enforcement landscape. As discussed in further detail here, the law imposes FCA liability against investors and focuses on private equity and corporate ownership in health care. While this Act appears to be the first direct codification of FCA liability, it is consistent with the Department of Justice (DOJ) and Office of the Inspector General, U.S. Department of Health and Human Services’ (HHS-OIG) recent focus on private equity and the impact on health care.[1] While the DOJ has focused on private equity firms that allegedly knew of misconduct at portfolio companies and failed to stop it through their involvement in the operations of those companies, the MA FCA goes further by imposing liability on health care investors for merely being aware of misconduct and failing to report it to the state. H.5159 expands the scope of the MA FCA enforced by the Commonwealth’s Attorney General[2] to apply to any person who has an “ownership or investment interest” and any person who violates the false claim statute that “knowingly” or “knows” about the violation[3] and fails to disclose the violation to the government within 60 days of identifying the violation. This is a significant expansion of the traditional protections afforded by the corporate veil and appears to be designed to hold private equity and other owners liable if they become aware of any MA FCA violations and fail to take action.
As part of the expansion, the Act defines “ownership or investment interest” as any: (1) direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of an entity; (2) interest held by an investor or group of investors who engages in the raising or returning of capital and who invests, develops, or disposes of specified assets; or (3) interest held by a pool of funds by investors, including a pool of funds managed or controlled by private limited partnerships, if those investors or the management of that pool or private limited partnership employ investment strategies of any kind to earn a return on that pool of funds. This amendment clearly expands MA FCA liability to private equity investors and appears to codify the Massachusetts Attorney General’s approach in an October 2021 settlement with a private equity firm and former executives of South Bay Mental Health Center, Inc. for allegedly causing the submission of false claims submitted to MA’s Medicaid program.[4]
Additional enforcement mechanisms codified in the Act include expanding the Attorney General’s authority to obtain information as part of a civil investigative demand from significant equity investors, health care real estate investment trusts, or management services organizations.[5]
We will continue to monitor this activity and any resulting litigation and its possible impact on organizations transacting business in Massachusetts.
[1] For example, see Justice Department, Federal Trade Commission and Department of Health and Human Services Issue Request for Public Input as Part of Inquiry into Impacts of Corporate Ownership Trend in Health Care, available at https://www.justice.gov/opa/pr/justice-department-federal-trade-commission-and-department-health-and-human-services-issue; see also https://www.hhs.gov/about/news/2025/01/15/hhs-releases-report-consolidation-private-equity-health-care-markets.html
[2] To be codified at MGL 12, §§ 5A and 5B.
[3] The Act clarifies that “knowing,” “knowingly,” or “knows” all mean “possessing actual knowledge of relevant information, acting with deliberate ignorance of the truth or falsity of the information or acting in reckless disregard of the truth or falsity of the information; provided, however, that no proof of specific intent to defraud shall be required.”
[4] https://www.mass.gov/news/private-equity-firm-and-former-mental-health-center-executives-pay-25-million-over-alleged-false-claims-submitted-for-unlicensed-and-unsupervised-patient-care.
[5] To be codified at MGL 12, § 11N.