DOL: Employers Cannot Mandate PTO Use with State/Local Paid Leave Benefits During FMLA
The U.S. Department of Labor Wage and Hour Division (“WHD”) has issiued an opinion letter stating that employers cannot require employees to substtute accrued paid time off during a Family and Medical Leave Act (“FMLA”) leave where the employee is also receiving benefits under a state or local paid family or medical leave program.
The opinion letter – which does not have the force of law but sets forth the agency’s enforcement position – answers a longstanding open question around the interplay between the FMLA, state/local paid leave programs, and accrued paid time off.
A Quick Refresher: FMLA and State Family/Medical Leave Programs
The federal FMLA entitles eligible employees of covered employers to up to 12 weeks (or in limited cases, 26 weeks) of unpaid, job-protected leave per 12-month period for specified family and medical reasons. Covered reasons for FMLA leave include an employee’s own serious health condition, caring for a parent, spouse or child with a serious health condition, and caring for a new child following birth, adoption or foster placement.
Since the FMLA’s enactment in 1993, numerous states (including New York, California, Massachusetts, Connecticut, and others) have instituted family and/or medical leave programs that provide partially paid leave (usually based on a percentage of the employee’s wages, up to a set cap) for personal medical, family care and/or parental leave reasons. Likewise, certain local governments have implemented paid family and medical leave programs specifically for their municipal employees. Many of these programs permit leave for reasons that are also qualifying reasons for leave under the FMLA. However, state/local paid leave programs often include benefits that differ from or exceed what the FMLA provides, such as longer leave periods or additional covered reasons for leave.
What Do the FMLA Regulations Say About Substitution of PTO?
While FMLA leave is unpaid, the governing regulations allow an employee to elect, or an employer to require the employee, to “substitute” accrued employer-provided paid time off (e.g., paid vacation, paid sick leave, etc.) for any part of an unpaid FMLA period – that is, the accrued paid time off may be used concurrently with FMLA leave to enable the employee to receive full pay during an otherwise unpaid leave period. However, the regulations further state that, during any part of an FMLA leave where an employee is receiving disability or workers’ compensation benefits, neither the employer nor the employee can require substitution of paid time off because such leave is not unpaid. Rather, when disability or workers’ compensation benefits are being received, the employer and the employee may only mutually agree (where state law permits) that accrued paid time off will be used to supplement such benefits.
EXAMPLE: John tells his employer he requires 12 weeks of leave to recover from a serious back surgery. John’s employer designates the 12 weeks as FMLA leave. John also applies and is approved for 12 weeks of disability benefits under his employer’s short-term disability program, pursuant to which he will receive a benefit equal to two-thirds of his regular wages. John’s employer cannot require John to substitute his accrued vacation time because he is receiving disability benefits and therefore his FMLA is not unpaid. However, John and his employer agree to use one-third of his available vacation time each week to supplement his disability pay so John receives 100% pay during the leave.
How Does the Opinion Letter Impact Substitution of PTO During FMLA?
Because they have only more recently come into existence, state and local paid family or medical leave programs are not directly addressed in the FMLA regulations. However, the opinion letter now makes clear that “the same principles apply to such programs as apply to disability plans and workers compensation programs.”
First, the opinion letter emphasizes that “where an employee takes leave under a state or local paid family or medical leave program, if the leave is covered by the FMLA, it must be designated as FMLA leave[.]” The opinion letter then goes on to state:
[W]here an employee, during leave covered by the FMLA, receives compensation from a state or local family or medical leave program, the FMLA substitution provision does not apply to the portion of leave that is compensated. Because the substitution provision does not apply, neither the employee nor the employer may use the FMLA substitution provision to unilaterally require the concurrent use of employer-provided paid leave during the portion of the leave that is compensated by the state or local program. [However], if the employee is receiving compensation through state or local paid family or medical leave that does not fully compensate the employee for their FMLA covered leave, and the employee also has available employer-provided paid leave, the employer and the employee may agree, where state law permits, to use the employee’s employer-provided accrued paid leave to supplement the payments under a state or local leave program.
The opinion letter also notes that if an employee’s leave under a state or local paid family or medical leave program ends before the employee has exhausted their full FMLA leave entitlement and the leave therefore becomes unpaid, the FMLA substitution provision would then apply and the employee would be able to elect, or the employer would be able to require the employee, to substitute accrued paid time off.
EXAMPLE: Jane tells her employer she requires 12 weeks of leave to care for her husband while he recovers from a serious back surgery. Jane’s employer designates the 12 weeks as FMLA leave. Jane also applies and is approved for 8 weeks of paid family care benefits under her state’s paid family and medical leave program, pursuant to which she will receive a benefit equal to two-thirds of her regular wages. Jane’s employer cannot require Jane to substitute her accrued vacation time during the 8 weeks of her FMLA leave where she is concurrently receiving state family care benefits because her FMLA during that time is not unpaid. However, Jane and her employer agree to use one-third of her available vacation time each week during the first 8 weeks to supplement her state family care benefit so Jane receives 100% pay during that time. Beginning on week 9, Jane is no longer eligible for state family care benefits and her FMLA leave is now unpaid, so pursuant to its FMLA policy Jane’s employer requires her to substitute her remaining accrued vacation time during the FMLA leave until it is exhausted.
Implications and Action Steps for Employers
The opinion letter clarifies what has been a gray area around the interplay between the FMLA, state/local paid leave programs, and accrued paid time off. For example, the regulations governing the New York Paid Family Leave Law (“NYPFL”) state that “[a]n employer covered by the FMLA . . . that designates a concurrent period of family leave under [the NYPFL] may charge an employee’s accrued paid time off in accordance with the provisions of the FMLA.” However, it had previously been unclear whether this language in fact permitted employers to require substitution of accrued paid time off during a concurrent FMLA and NYPFL leave. It is now clear that such a requirement is impermissible, though employers and employees may agree to use paid time off to supplement NYPFL benefits.
Employers should now review their leave policies and practices to ensure that any provisions around the use of accrued paid time off during FMLA leave comport with the WHD’s interpretation of the requirements of the law. To the extent that any such policies require employees to substitute accrued paid time off during an FMLA leave where an employee is concurrently receiving disability, workers’ compensation or state/local paid family or medical leave benefits, the policies should be revised to provide that paid time off may only be used to supplement such other payments and only if both the employer and the employee agree.
However, employers are reminded that, as noted above, there may be situations where employees are eligible for benefits under state/local paid leave laws that are not also covered by the FMLA. As such, employers should also take note of what an applicable state/local paid family or medical leave law may permit (or not permit) around the substitution of paid time off and apply those rules during any leave period that does not run concurrently with the FMLA.
Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook
As Cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits of Regulated Entities. For example, OIG highlighted the absence of corrective action requirements following audits that raised concerns about the program’s ability to drive improvements in cybersecurity protections following audits of Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:
Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.
Recent Regulatory and Legislative Efforts to Address Health care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:
Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
Health Infrastructure Security and Accountability Act of 2024 (5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
Health Care Cybersecurity and Resiliency Act of 2024 (5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare Cybersecurity Improvement Act (R.10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.
Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor that requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for healthcare organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.
DOJ Reports Substantial Procurement Fraud Recoveries in FY 2024
The Department of Justice (DOJ) recently announced that it obtained more than $2.9 billion in False Claims Act (FCA) settlements and judgments in the fiscal year ending Sept. 30, 2024.
DOJ reports that matters that involved the healthcare industry comprised the largest portion of these FCA recoveries in FY 2024, but that “procurement fraud” recoveries, once again, were significant for DOJ this past year.
Among the more notable procurement fraud recoveries from the past year were:
A large government contractor paid $428 million to resolve allegations that it knowingly provided false cost and pricing data when negotiating with the Department of Defense for numerous government contracts and double billed on a weapons maintenance contract, leading to the company receiving profits in excess of negotiated rates. This is the second largest government procurement fraud recovery under the False Claims Act in history.
A large federal contractor paid $70 million to resolve allegations they overcharged the U.S. Navy for spare parts and materials needed to repair and maintain the primary aircraft used to train naval aviators. The government alleged that these entities, which were owned by the same parent company, entered into an improper subcontract that resulted in the Navy paying inflated costs for parts.
A federal contractor paid $811,259 to resolve allegations that it knowingly supplied valves that did not meet military specifications. The government alleged that, under a U.S. Navy contract, the company invoiced for military-grade valves to be installed on certain combat ships when the company knew the valves had not met the testing requirements to be deemed military grade.
DOJ brought claims against a federal contractor and an individual estate of the founder, majority owner and chief operating officer of the company for allegedly causing the submission of false claims to the Department of Defense under contracts to provide Army combat uniforms. The government alleged that the company and the founder falsified the results of the insect repellant testing to conceal failing test results, including by inappropriately combining results from different rounds of testing, re-labeling test samples to hide the true origin of the samples, and performing re-tests of uniforms in excess of what the contract permitted.
A government contractor paid $55.1 million to satisfy a judgment that it made knowingly false claims to the United States when it misrepresented its commercial sales practices during the negotiation and subsequent performance of a General Services Administration (GSA) contract. The court found that the false disclosures induced GSA to accept and then continue to pay higher prices than it would have had it known of the company’s actual commercial pricing practices. The court also found that the company continuously violated the Price Reduction Clause, “a standard term in these types of contracts that requires the contractor throughout performance of the contract to maintain GSA’s price position in relation to an identified customer or category of customer agreed upon in contract negotiations.”
The City of Los Angeles paid $38.2 million to resolve allegations that it failed to meet federal accessibility requirements when it sought and used Department of Housing and Urban Development (HUD) grant funds for multifamily affordable housing. The government alleged that the city failed to make its affordable multifamily housing program accessible to people with disabilities. The government also alleged that the city failed to maintain a publicly available list of accessible units and their accessibility features, and the city, on an annual basis, falsely certified to HUD that it complied with related grant requirements.
A federal contractor paid $26.8 million to resolve allegations that Hahn Air failed to remit to the United States certain travel fees collected from commercial airline passengers flying into or within the United States.
A government contractor paid $18.4 million to resolve allegations that it billed for time not worked at the National Nuclear Security Administration’s Pantex Site near Amarillo, Texas.
A large federal contractor paid $11.8 million to resolve allegations that it submitted false claims to the Federal Emergency Management Agency for the replacement of certain educational facilities located in Louisiana that were damaged by Hurricane Katrina. The government alleged that the contractor submitted to FEMA fraudulent requests for disaster assistance funds and did not correct applications that included materially false design, damage and replacement eligibility descriptions. Combined with settlements with other entities involved in the alleged conduct, the government recovered over $25 million in connection with the disaster assistance applications prepared by the contractor.
Listen to this post
Congress Declines to Extend HDHP First-Dollar Telehealth Coverage Relief
After Congress declined to extend certain relief allowing first-dollar coverage of telehealth services by high-deductible health plans (HDHPs), health plan sponsors may need to make immediate changes to preserve employees’ health savings account (HSA) eligibility.
Quick Hits
Due to the expiration of certain relief that allowed pre-deductible coverage of telehealth, employers offering HDHPs with first-dollar telehealth coverage may need to amend their plans by January 1, 2025 (for calendar year plans) to ensure employees remain eligible to contribute to their HSAs.
In connection with this change, plan sponsors may also need to update their HDHP participant communications to reflect changes in cost sharing for telehealth services.
As mentioned in our December 3, 2024, article on HDHP plan amendments, the CARES Act of 2020, which was extended through the Consolidated Appropriations Act, 2023, allowed, but did not require, HDHPs to provide first-dollar coverage of telehealth without negatively affecting participants’ HSA eligibility. The extension expired at the end of the 2024 plan year (December 31, 2024, for calendar year plans), and Congress’s year-end spending bill, the American Relief Act, 2025, did not include an extension of the HDHP telehealth relief.
Accordingly, an employer that provides HDHP health plan coverage will need to amend its HDHP if it includes first-dollar telehealth coverage. Since the prior relief was not extended, individuals who are covered by an HDHP that covers telehealth services before the deductible will not be eligible to contribute to an HSA for some or all of 2025.
Effective January 1, 2025 (for a calendar year plan), to preserve employees’ HSA eligibility, an HDHP that covers telehealth services may not cover such services until the employee has met the annual deductible. Employers with non–calendar year plans will have until the end of the plan year that began in 2024 to make the change. In either case, employers will want to confirm that their plan documents, summary plan descriptions, and summaries of benefits and coverage are updated to reflect any changes to participant cost sharing for telehealth services.
Second Circuit Revives New York Reproductive Health Bias Law’s Notice Requirement for Employee Handbooks
On January 2, 2024, the U.S. Court of Appeals for the Second Circuit reinstated the New York Reproductive Health Bias Law’s requirement that New York State employers include a notice in their employee handbooks regarding the law’s prohibition on discrimination and retaliation based on employees’ reproductive health care choices.
Quick Hits
The Second Circuit has revived a requirement that New York employers include in employee handbooks a notice informing employees of their right to be free from discrimination or retaliation based on their [the employees’] or their dependents’ reproductive health decisions.
The ruling also revived a First Amendment challenge by religious organizations to New York’s Reproductive Health Bias Law (New York Labor Law Section 203-e), impacting how employers may address expressive association claims in the employment context.
In CompassCare v. Hochul, three religious groups—CompassCare, the National Institute of Family and Life Advocates (NIFLA), and First Bible Baptist Church—challenged the constitutionality of New York Labor Law Section 203-e, which went into effect in November 2019.
The law prohibits employers from accessing personal information regarding employees’ or their dependents’ reproductive health decision making without the employees’ “prior informed affirmative written consent.” The law also prohibits employers from discriminating or retaliating against employees based on their reproductive health decisions, “including, but not limited to, a decision to use or access a particular drug, device, or medical service.” Importantly, the law included a notice provision requiring employers to inform employees of their rights and remedies under the law in employee handbooks.
On March 29, 2022, the U.S. District Court for the Northern District of New York entered a permanent injunction blocking the State of New York from enforcing the requirement that employers that issue employee handbooks “include in the handbook notice of employee rights and remedies under [Section 203-e].” The district court found that the notice provision of Section 203-e violated the First Amendment because it compelled speech that was contrary to the religious organizations’ religious beliefs as they related to reproductive choices.
The Second Circuit reversed that permanent injunction, finding the notice requirement “a content-based regulation of speech” that “is subject to … rational basis review.” Under that review, the Second Circuit found that the notice requirement did “not interfere with [the] [p]laintiffs’ greater message and mission” and that “the required disclosure of the existence and basic nature of an otherwise-valid statute” was a simple expression of employee rights, similar to many other required employment rights notices and postings.
Additionally, the Second Circuit remanded the case to the district court for reconsideration in light of the Second Circuit’s 2023 decision in Slattery v. Hochul, which held that an employer may have an associational rights claim if the law “forces [the employer] to employ individuals who act or have acted against the very mission of its organization.” (Emphasis in the original.)
The Second Circuit stated that to sustain such a claim, an employer must show that it does not simply hold particular views or interests but that an association threatens the “very mission” of the employer “in the context of a specific employment decision.” This showing would be based on an assessment of whether (1) a position at issue is client-facing or involves expressing the particular views of the employer, and (2) the conduct or specific attribute of an employee “renders the employment of that person, in that position, a threat to the employer’s mission,” the court stated.
Next Steps
As a result of this ruling, New York employers must immediately comply with the notice provision of Section 203-e. Thus, employers with New York employees that issue employee handbooks must include a notification to employees of their rights and remedies under Section 203-e in their employee handbooks or in an addendum containing New York–specific employment policies.
This requirement includes informing employees of their rights to make reproductive health decisions and not be discriminated against or retaliated against for such decisions.
With respect to the expressive association claim, employers, particularly those with specific missions or religious affiliations, may have grounds to challenge laws that they believe force them to employ individuals whose actions conflict with their organizational missions. However, such claims must be specific and demonstrate how the law threatens the organization’s mission in the context of particular employment decisions.
HHS-OCR’s Proposed Rule and HIPAA Security Risk Assessment
On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) deployed a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed new rule includes express requirements for Covered Entities when conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
A review of the technology asset inventory and network map
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office of Civil Rights (HHS-OCR) has already begun to enforce these requirements on Covered Entities including the imposition of fines and penalties against Covered Entities whose failure to implement the proposed requirements result in a data breach affecting its patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting a SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting a SRA, its product contains a disclaimer that use of the tool does not guarantee compliance with federal, state, or local laws.
Covered entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting a SRA. At the same time, the adopted methodology that an organization chooses may not be considered insufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event they are subject to a data breach and subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee this will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly what aspects of their SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.
This Week in 340B: January 7 – 13, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: Contract Pharmacy; Other
In two appealed cases challenging a proposed Louisiana law governing contract pharmacy arrangements, the appellants filed their opening brief.
In a breach of contract case related to the Medicare 340B cuts, the court terminated the action without prejudice.
Matt David, associate in McDermott’s Los Angeles office, also contributed to this blog post.
December 2024 Bounty Hunter Plaintiff Claims
California’s Proposition 65 (“Prop. 65”), the Safe Drinking Water and Toxic Enforcement Act of 1986, requires, among other things, sellers of products to provide a “clear and reasonable warning” if use of the product results in a knowing and intentional exposure to one of more than 900 different chemicals “known to the State of California” to cause cancer or reproductive toxicity, which are included on The Proposition 65 List. For additional background information, see the Special Focus article, California’s Proposition 65: A Regulatory Conundrum.
Because Prop. 65 permits enforcement of the law by private individuals (the so-called bounty hunter provision), this section of the statute has long been a source of significant claims and litigation in California. It has also gone a long way in helping to create a plaintiff’s bar that specializes in such lawsuits. This is because the statute allows recovery of attorney’s fees, in addition to the imposition of civil penalties as high as $2,500 per day per violation. Thus, the costs of litigation and settlement can be substantial.
The purpose of Keller and Heckman’s latest publication, Prop 65 Pulse, is to provide our readers with an idea of the ongoing trends in bounty hunter activity.
In December of 2024, product manufacturers, distributors, and retailers were the targets of 394 new Notices of Violation (“Notices”) and amended Notices, alleging a violation of Prop. 65 for failure to provide a warning for their products. This was based on the alleged presence of the following chemicals in these products. Noteworthy trends and categories from Notices sent in December 2024 are excerpted and discussed below. A complete list of Notices sent in December 2024 can be found on the California Attorney General’s website, located here: 60-Day Notice Search.
Food and Drug
Product Category
Notice(s)
Alleged Chemicals
Fruits, Vegetables, and Mushrooms: Notices include farro porcini mushrooms, chopped spinach, capers, chili mango, flavored sunflower seeds, shiitake mushrooms, kale chips, flax seeds, artichoke quarters in brine, moringa, dried apricot, madras lentils, cactus chips, bamboo shoots, and stuffed manzanilla olives
38 Notices
Lead and Lead Compounds, and Cadmium and Cadmium Compounds
Prepared Foods: Notices include soup bowls, noodle bowls, salt & vinegar potato chips, bundt cake mix, flatbread mix, granola bars, crackers, nut butter, vegetable biryani, vegan chips, mushroom ravioli, gluten-free tortilla wraps, and plant-based ground meat
36 Notices
Lead and Lead Compounds, Cadmium, and Mercury
Seafood: Notices include Alaska pink salmon, tuna salad, mackerel in olive oil, sardines, seasoned squid, dried seaweed, fried anchovy, dried mackerel, ground shrimp, dried sea mustard seaweed, raw seaweed, and shrimp paste
32 Notices
Lead and Lead Compounds, Cadmium and Cadmium Compounds, and Mercury
Dietary Supplements: Notices include plant-based protein shakes, green powder superfood, greens, protein powder, electrolyte formula beverages, pre-workout beverages, ginkgo biloba powder and tea, and spirulina powder
26 Notices
Cadmium, Lead and Lead Compounds, Mercury and Mercury Compounds, and Perfluorooctanoic Acid (PFOA)
THC-containing Products: Notices include gummies, chocolates, soft gels, flavored beverages, and candies
13 Notices
Delta-9-tetrahydrocannabinol
Sauces: Notices include red mole, aged balsamic vinegar, sundried tomato paste, and basil pesto sauce
4 Notices
Lead and Lead Compounds
Packaged Liquids: Notices include vegetable stock and fruit-flavored beverages, and canned coconut water
4 Notices
Perfluorononanoic Acid (PFNA) and its salts, Perfluorooctanoic Acid (PFOA), and Bisphenol A (BPA)
Cosmetics and Personal Care
Product Category
Notice(s)
Alleged Chemicals
Personal Care Items: Notices include hair color, aloe vera lotions, skin toners, spot treatments, face masks, vitamin C serum, enzyme scrub, body cleaners, eye serums and creams, hair color treatments, hair gels, body wash and foaming cleansers, pain relief cream, body glow, and squirt blood
66 Notices
Diethanolamine
Cosmetics: Notices include mascara, cream makeup, matte lipstick, eyeliner pens, concealers, face primer, and cake makeup
36 Notices
Diethanolamine
Personal Care Products: Notices include shave gel, shave foam, and volumizing foam
3 Notices
Nitrous Oxide
Consumer Products
Product Category
Notice(s)
Alleged Chemicals
Plastic Pouches, Bags, and Accessories: Notices include children’s bags, beauty bags, bento bags, fanny packs, backpacks, wallets, picking bags, weight stabilizing bags, travel bags, rescuer guide packs, shoe covers, and cases for wheel sets
26 Notices
Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Di-n-butyl phthalate (DBP)
Miscellaneous Consumer Products: Notices include orthodontic kits, keychains, back scratchers, safety flags, vinyl banners, engraved wax sealers, steering wheel covers, lamps, stethoscopes, salt and pepper shakers with PVC components, luggage tag, and vinyl roll holders
26 Notices
Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), Di-n-butyl phthalate (DBP), and Lead
Hardware and Home Improvement Products: Notices include long handle hooks, garden hose splitters, coatings and paints, soldering wire, tools with PVC grips, pressure gauge, thermocouples, wing nuts, pop-up drains, propane tank adapter, and thread tape
23 Notices
Lead and Lead Compounds, Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Perfluorooctanoic Acid (PFOA)
Clothing and Shoes: Notices include gloves made with leather, bucket hats, sandals with PVC components, golf gloves, weatherproof jackets, slides, fuzzy socks, and ski pants
22 Notices
Di(2-ethylhexyl)phthalate (DEHP), Chromium (hexavalent compounds), Perfluorooctanoic Acid (PFOA),
and Bisphenol A (BPA)
Glassware, Metals, and Ceramics: Notices include mugs, glass sets, blue multi-colored glass, metal and glass organizers, spoon rests, shakers, and soap dispenser/sponge holders
19 Notices
Lead and Lead Compounds
Miscellaneous Consumer Products: Notices include shower curtains, tablecloths, pillows, pet beds, athletic bandages, and outdoor cushions
10 Notices
Perfluorooctanoic Acid (PFOA)
Hobby Items: Notices include artist paste paints, art panels, lens mounts, pickleball paddles, jump rope, molding cream, and golf storage boot
8 Notices
Di(2-ethylhexyl)phthalate (DEHP), Di-n-butyl phthalate (DBP), Lead, Diethanolamine, and Perfluorooctanoic Acid (PFOA)
Coal Tar Epoxy
1 Notice
Bisphenol A (BPA), Epichlorohydrin, Ethylbenzene, soots, tar and mineral oils (coal tar)
There are numerous defenses to Prop. 65 claims, and proactive measures that industry can take prior to receiving a Prop. 65 Notice in the first place. Keller and Heckman attorneys have extensive experience in defense of Prop. 65 claims and in all aspects of Prop. 65 compliance and risk management. We provide tailored Proposition 65 services to a wide range of industries, including food and beverage, personal care, consumer products, chemical products, e-vapor and tobacco products, household products, plastics and rubber, and retail distribution.
New Artificial Intelligence (AI) Regulations and Potential Fiduciary Implications
Fiduciaries should be aware of recent developments involving AI, including emerging and recent state law changes, increased state and federal government interest in regulating AI, and the role of AI in ERISA litigation. While much focus has been on AI’s impact on retirement plans, which we previously discussed here, plan fiduciaries of all types, including health and welfare benefit plans, must also stay informed about recent AI developments.
Recent State Law Changes
Numerous states recently codified new laws focusing on AI, some of which regulate employers’ human resource decision-making processes. Key examples include:
California – In 2024, California enacted over 10 AI-related laws, addressing topics such as:
The use of AI with datasets containing names, addresses, or biometric data;
How one communicates health care information to patients using AI; and
AI-driven decision-making in medical treatments and prior authorizations.
For additional information on California’s new AI laws, see Foley’s Client Alert, Decoding California’s Recent Flurry of AI Laws.
Illinois – Illinois passed legislation prohibiting employers from using AI in employment activities in ways that lead to discriminatory effects, regardless of intent. Under the law, employers are required to provide notice to employees and applicants if they are going to use AI for any workplace-related purpose.
For additional information on Illinois’ new AI law, see Foley’s Client Alert, Illinois Enacts Legislation to Protect against Discriminatory Implications of AI in Employment Activities.
Colorado – The Colorado Artificial Intelligence Act (CAIA), effective February 1, 2026, mandates “reasonable care” when employers use AI for certain applications.
For additional information on Colorado’s new AI law, see Foley’s Client Alert, Regulating Artificial Intelligence in Employment Decision-Making: What’s on the Horizon for 2025.
While these laws do not specifically target employee benefit plans, they reflect a trend toward states regulating human resource practices broadly, are aimed at regulating human resource decision-making processes, and are part of an evolving regulatory environment. Hundreds of additional state bills were proposed in 2024, along with AI-related executive orders, signaling more forthcoming regulation in 2025. Questions remain about how these laws intersect with employee benefit plans and whether federal ERISA preemption could apply to state attempts at regulation.
Recent Federal Government Actions
The federal government recently issued guidance aimed at preventing discrimination in the delivery of certain healthcare services and completed a request for information (RFI) for potential AI regulations involving the financial services industry.
U.S. Department of Health and Human Services (HHS) Civil Rights AI Nondiscrimination Guidance – HHS, through its Office for Civil Rights (OCR), recently issued a “Dear Colleague” letter titled Ensuring Nondiscrimination Through the Use of Artificial Intelligence and Other Emerging Technologies. This guidance emphasizes the importance of ensuring that the use of AI and other decision-support tools in healthcare complies with federal nondiscrimination laws, particularly under Section 1557 of the Affordable Care Act (Section 1557).
Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in health programs and activities receiving federal financial assistance. OCR’s guidance underscores that healthcare providers, health plans, and other covered entities cannot use AI tools in a way that results in discriminatory impacts on patients. This includes decisions related to diagnosis, treatment, and resource allocation. Employers and plan sponsors should note that this guidance applies to a subset of health plans, including those that fall under Section 1557, but not to all employer-sponsored health plans.
Treasury Issues RFI for AI Regulation – In 2024, the U.S. Department of Treasury published an RFI on the Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector. The RFI included several key considerations, including addressing AI bias and discrimination, consumer protection and data privacy, and risks to third-party users of AI. While the RFI has not yet led to concrete regulations, it underscores federal attention to AI’s impact on financial and employee benefit services. The ERISA Industry Committee, a nonprofit association representing large U.S. employers in their capacity as employee benefit plan sponsors, commented that AI is already being used for retirement readiness applications, chatbots, portfolio management, trade executions, and wellness programs. Future regulations may target these and related areas.
AI-Powered ERISA Litigation
Potential ERISA claims against plan sponsors and fiduciaries are being identified using AI. In just one example, an AI platform, Darrow AI, claims to be:
“designed to simplify the analysis of large volumes of data from plan documents, regulatory filings, and court cases. Our technology pinpoints discrepancies, breaches of fiduciary duty, and other ERISA violations with accuracy. Utilizing our advanced analytics allows you to quickly identify potential claims, assess their financial impact, and build robust cases… you can effectively advocate for employees seeking justice regarding their retirement and health benefits.”
Further, this AI platform claims it can find violations affecting many types of employers, whether a small business or a large corporation, by analyzing diverse data sources, including news, SEC filings, social networks, academic papers, and other third-party sources.
Notably, health and welfare benefit plans are also emerging as areas of focus for AI-powered ERISA litigation. AI tools are used to analyze claims data, provider networks, and administrative decisions, potentially identifying discriminatory practices or inconsistencies in benefit determinations. For example, AI could highlight patterns of bias in prior authorizations or discrepancies in how mental health parity laws are applied.
The increasing sophistication of these tools raises the stakes for fiduciaries, as they must now consider the possibility that potential claimants will use AI to scrutinize their decisions and plan operations with unprecedented precision.
Next Steps for Fiduciaries
To navigate this evolving landscape, fiduciaries should take proactive steps to manage AI-related risks while leveraging the benefits of these technologies:
Evaluate AI Tools: Undertake a formal evaluation of artificial intelligence tools utilized for plan administration, participant engagement, and compliance. This assessment includes an examination of the algorithms, data sources, and decision-making processes involved, including an assessment to ensure their products have been evaluated for compliance with nondiscrimination standards and do not inadvertently produce biased outcomes.
Audit Service Providers: Conduct comprehensive audits of plan service providers to evaluate their use of AI. Request detailed disclosures regarding the AI systems in operation, focusing on how they mitigate bias, ensure data security, and comply with applicable regulations.
Review and Update Policies: Formulate or revise internal policies and governance frameworks to monitor the utilization of AI in operational planning and compliance with nondiscrimination laws. These policies should outline guidelines pertaining to the adoption, monitoring, and compliance of AI technologies, thereby ensuring alignment with fiduciary responsibilities.
Enhance Risk Mitigation:
Fiduciary Liability Insurance: Consider obtaining or enhancing fiduciary liability insurance to address potential claims arising from the use of AI.
Data Privacy and Security: Enhance data privacy and security measures to safeguard sensitive participant information processed by AI tools.
Bias Mitigation: Establish procedures to regularly test and validate AI tools for bias, ensuring compliance with anti-discrimination laws.
Integrate AI Considerations into Requests for Proposals (RFPs): When selecting vendors, include specific AI-related criteria in RFPs. This may require vendors to demonstrate or certify compliance with state and federal regulations and adhere to industry best practices for AI usage.
Monitor Legal and Regulatory Developments: Stay informed about new state and federal AI regulations, along with the developing case law related to AI and ERISA litigation. Establish a process for routine legal reviews to assess how these developments impact plan operations.
Provide Training: Educate fiduciaries, administrators, and relevant staff on the potential risks and benefits of AI in plan administration, emerging technologies and the importance of compliance with applicable laws. The training should provide an overview of legal obligations, best practices for implementing AI, and strategies for mitigating risks.
Document Due Diligence: Maintain comprehensive documentation of all steps to assess and track AI tools. This includes records of audits, vendor communications, and updates to internal policies. Clear documentation can act as a crucial defense in the event of litigation.
Assess Applicability of Section 1557 to Your Plan: Health and welfare plan fiduciaries should determine whether your organization’s health plan is subject to Section 1557 and whether OCR’s guidance directly applies to your operations, and if not, confirm and document why not.
Fiduciaries must remain vigilant regarding AI’s increasing role in employee benefit plans, particularly amid regulatory uncertainty. Taking proactive measures and adopting robust risk management strategies can help mitigate risks and ensure compliance with current and anticipated legal standards. By dedicating themselves to diligence and transparency, fiduciaries can leverage the benefits of AI while safeguarding the interests of plan participants. At Foley & Lardner LLP, we have experts in AI, retirement planning, cybersecurity, labor and employment, finance, fintech, regulatory matters, healthcare, and ERISA. They regularly advise fiduciaries on potential risks and liabilities related to these and other AI-related issues.
FDA Announces Red No. 3 Authorizations to be Revoked as Matter of Law, not Safety
Today FDA announced that it is revoking the color additive authorizations for Red No. 3 in food (including dietary supplements) and ingested drugs based on evidence showing that Red No. 3 is carcinogenic to male rats (not humans, or even female rats) and the so-called “Delaney Clause” of the Federal Food, Drug, and Cosmetic Act (FD&C Act) which prevents the agency from authorizing an additive that has been found to cause cancer in humans or animals. The Delaney Clause as it pertains to color additives can be found in section 721(b)(5)(B) of the FD&C Act (21 USC 379e(b)(5)(B)) and a similar provision pertaining to food additives can be found in section 409(c)(3)(A) (21 USC 348(c)(3)(A)).
FDA’s announcement makes clear that the currently available scientific information does not support safety concerns regarding the use of Red No. 3 and that its decision was one it feels it was required to make based on the extremely broad scope of the Delaney Clause, which was added to the FD&C Act over 60 years ago and has not been updated since to keep up with new scientific understandings of cancer.
More specifically, consistent with its prior statements on Red No. 3, FDA concluded that Red No. 3 causes cancer in male rats at high doses by increasing the levels of a thyroid hormone (TSH). However, this mechanism of action is not relevant to humans; rats are much more sensitive to changes in TSH levels and studies in humans have not demonstrated that Red No. 3 changes thyroid hormone levels, including TSH. Finally, carcinogenicity of Red No. 3 has not been observed when female rats were tested, or when either sex of mice, gerbils, or dogs were tested.
The decision will be published in the federal register tomorrow (01/16/2025), but a pre-publication version of the federal register notice is available here. Manufacturers using Red No. 3 in food will have until January 15, 2027 to reformulate their products while manufacturers using Red No. 3 in ingested drugs will have until January 18, 2028 to reformulate.
This follows California’s ban of Red No. 3 with the signing of the California Food Safety Act in 2023 by Gov. Gavin Newsom which will go into effect in 2027 as well.
The Telehealth Extension Has Ended…For Now
During the COVID-19 crisis, newly-created relief allowed first dollar coverage for telehealth services under a high deductible health plan (HDHP) without ruining health savings account (HSA) eligibility. That relief was extended for plan years beginning prior to January 1, 2025. You can read our articles regarding the initial relief and subsequent extensions here, here, and here.
An earlier version of the 2025 budget bill included a two-year extension of this HSA telehealth safe harbor relief. However, that provision did not make it into the slimmed down version of the budget bill that was signed by President Biden in late December. The slimmed down budget bill was intended to serve as a stop gap to keep the Federal government running through March 14, 2025. Industry members are hopeful that when budget talks resume, a telehealth extension will be a part of that discussion.
For now, the telehealth relief has ended. For plan years beginning on or after January 1, 2025, pre-HDHP deductible coverage for telehealth services will disqualify an individual from contributing to an HSA unless another exception applies.
New York’s Reproductive Health Handbook Notice Requirement Reinstated
Don’t finalize your 2025 handbooks just yet!
On January 2, 2025, the United States Court of Appeals for the Second Circuit vacated a permanent injunction, which had blocked a requirement that New York employers with employee handbooks include a notice against discrimination based on reproductive health care choices. As a result, handbooks covering New York employees must again include such notices.
The notice requirement originates from a series of legislation intended to protect reproductive health rights enacted on November 8, 2019. As we previously reported, one of the bills (A584/S660) added Section 203-e to the New York labor law, which prohibits employers from discriminating against employees based on an employee’s or their dependents’ sexual and reproductive health choices, including their choice to use or access a particular drug, device, or medical service. The law also prohibits employers from accessing such information without prior consent, and directed New York employers with employee handbooks to include a notice of employee rights and remedies. Although the law took effect immediately upon passage, a second bill (S4413) delayed the effective date of the notice requirement until January 2020.
A little more than two years later, the U.S. District Court for the Northern District of New York blocked the notice requirement. In CompassCare et al. v. Cuomo, several faith-based employers challenged Section 203-e in its entirety as violative of the First Amendment to the United States Constitution. Although the District Court dismissed most of the claims, on March 29, 2022, the court permanently enjoined enforcement of the notice requirement stating that it “would compel [the plaintiffs] to promote a message about conduct contrary to their religious perspectives” as they relate to reproductive health choices, such as birth control and abortion. The court found that, while New York has a compelling interest in protecting employee privacy, the State had not demonstrated that the notice requirement was the least restrictive means of achieving that interest. For example, employers could inform employees of their rights and the remedies under the law in other ways, such as placing posters at the job site, or advertising the statutory provision generally.
On appeal nearly three years later, the Second Circuit vacated the permanent injunction, thus reinstating the handbook notice requirement. The Second Circuit panel found that the requirement is similar to other state and federal laws requiring workplace disclosures and noted that while the policy judgments motivating Section 203-e may be “controversial”, so are those underlying Title VII or minimum wage laws, but that does not make an employer’s obligation to comply controversial. The Second Circuit also stated that the notice requirement does not prevent employers from otherwise communicating to employees, in their handbooks or elsewhere, their political or religious views, including their disagreement with Section 203-e.
In light of the Second Circuit’s decision, New York employers should review and revise their employee handbook to include a notice of employees’ reproductive health rights and remedies as provided by Section 203-e. The law does not provide specific language to include – and New York has not published a model notice or any further guidance on the law to date – thus, employers should consult employment counsel to ensure that their handbook notice satisfies the law’s requirements.