Massachusetts Governor Maura Healey Signs into Law a Sweeping Health Care Market Oversight Bill
On January 8, 2025, Massachusetts Governor Maura Healey signed into law House Bill No. 5159, “An Act enhancing the health care market review process” (“H. 5159”), which was passed by the Massachusetts legislature in the last few days of 2024.
The bill will implement greater scrutiny of certain health care entities and affiliated companies—including private equity sponsors, significant equity investors, health care real estate investment trusts (“REITs”), and management services organizations (“MSOs”)—as well as pharmaceutical companies and pharmacy benefit management companies (“PBMs”) in the Commonwealth.
The passage of H. 5159 follows debate between the House and Senate earlier in 2024 over similar bills, which failed to pass during the summer legislative session. Notably, similar bills included debt limitations on certain private investor-backed entities and bans of certain private equity investments, as well as significant restrictions on the MSO business model. However, these restrictions (among various others) were stripped from H. 5159.
Although H. 5159 has widespread implications for health care entities in the Commonwealth, a significant portion of the bill is clearly aimed at for-profit-backed health care organizations, through increased regulatory oversight of certain health care transactions and expanded reporting obligations. The bill also seeks to contain health care costs, including by increasing oversight of pharmaceutical company and PBM arrangements.
Below in this alert we highlight some of the more significant provisions of H. 5159.
Health Policy Commission – Notices of Material Change
H. 5159 extends the authority of the Health Policy Commission (“HPC”) in the context of notices of material change under M.G.L. c. 6D § 13 (“Notices of Material Change”) to indirect owners and affiliates of health care providers, such as private equity companies, significant equity investors, MSOs, and health care REITs.
The bill also broadens the transactions that are subject to the HPC’s Notice of Material Change requirements to include (i) significant expansions in capacity of a provider or provider organization; (ii) transactions involving a significant equity investor resulting in a change of ownership or control of a provider or provider organization; (iii) real estate sale lease-back arrangements and other significant acquisitions, sales, or transfers of assets; and (iv) conversions of a provider or provider organization from a non-profit to a for-profit.
In the context of the HPC’s review of a Notice of Material Change, the HPC will be authorized to require the submission of documents and information from significant equity investors, such as information regarding the significant equity investor’s capital structure, financial condition, ownership and management structure, and audited financials.
H. 5159 also implements other related changes, such as reducing the market share threshold for mergers or acquisitions to be subject to the Notice of Material Change process (from “near majority” to “dominant” market share), enhancing the HPC’s authority to monitor post-transaction impacts, and expanding the review criteria for a cost and market impact review.
Health Policy Commission – Registration of Provider Organizations
Under H. 5159, the data and information collected under the HPC’s Massachusetts Registration of Provider Organizations Program (“MA-RPO Program”) will now also cover ownership, governance, and operational structure information of significant equity investors, health care REITs, and MSOs. H. 5159 also amends the MA-RPO Program reporting threshold to include revenue generated from payers other than commercial payers, such as governmental payers.
Health Policy Commission – Annual Cost Trends Hearing
As a complement to the increased authority discussed above, the list of stakeholders required to testify at the HPC’s Annual Cost Trends Hearing is expanded to include, among others, significant equity investors, health care REITs, and MSOs as well as PBMs and pharmaceutical companies.
Testimony from significant equity investors, health care REITs, and MSOs must cover topics such as health outcomes, prices, staffing levels, clinical workflow, financial stability and ownership structure of associated providers or provider organizations, dividends paid out to investors, and compensation (e.g., base salaries, incentives, bonuses, stock options, deferred compensation, benefits, and contingent payments) to officers, managers, and directors of provider organizations owned or managed by the significant equity investors, health care REITs, or MSOs.
Testimony from PBMs and pharmaceutical companies must cover topics such as factors underlying drug costs and price increases as well as the impact of aggregate manufacturer rebates, discounts, and other price concessions on net pricing (provided that the testimony will not undermine the financial, competitive, or proprietary nature of the data).
H. 5159 further expands the topics covered by the HPC’s Annual Cost Trends Hearings to expressly include costs, prices, and cost trends of providers, provider organizations, private and public payers, pharmaceutical companies, and PBMs, as well as any impact of significant equity investors, health care REITs, or MSOs on those costs, prices, and cost trends.
Health Policy Commission and CHIA – Operations Assessments
H. 5159 expands the categories of entities required to pay assessments to help fund the HPC and Center for Health Information and Analysis (“CHIA”) to include “non-hospital provider organizations,” pharmaceutical companies, and PBMs. A “non-hospital provider organization” is defined as any provider organization registered under the MA-RPO Program that is a non-hospital-based physician practice with annual gross patient service revenue of at least $500 million, a clinical laboratory, an imaging facility, or a network of affiliated urgent care centers. The methodology for calculating the amount assessed against each entity is based on entity type and the total amount appropriated by the Massachusetts legislature for the operation of HPC and CHIA.
CHIA – Reporting Requirements
Under H. 5159, CHIA will collect additional information from acute and non-acute care hospitals regarding their parent organizations and significant equity investors, health care REITs, and MSOs. Such information includes the audited financial statements of parent organizations’ out-of-state operations, significant equity investors, health care REITs, and MSOs, as well as financial data on margins, investments, and any relationships with significant equity investors, health care REITs, and MSOs.
H. 5159 also expands the scope of CHIA’s data collection under the MA-RPO Program. Notably, information subject to annual reporting will include, in relevant part, (i) comprehensive financial statements that include data on parent entities (including their out-of-state operations), corporate affiliates (including significant equity investors, health care REITs, and MSOs, as applicable), annual costs, annual receipts, realized capital gains and losses, accumulated surplus, and accumulated reserves; and (ii) information regarding other assets and liabilities that may affect the financial condition of the provider organization or the provider organization’s facilities (e.g., real estate sale-leaseback arrangements with health care REITs).
H. 5159 further provides that CHIA may require in writing, at any time, such additional information as CHIA deems reasonable and necessary to determine a registered provider organization’s organizational structure, business practices, clinical services, market share, or financial condition, including information related to its total adjusted debt and total adjusted earnings.
CHIA will also have the authority to require registered provider organizations with private equity investment to report required information on a quarterly basis and require disclosure of relevant information from any significant equity investor associated with a registered provider organization. CHIA may also assess increased penalties for non-compliance with these reporting requirements.
Acute and non-acute care hospitals and registered provider organizations should note that, pursuant to M.G.L. c. 12C § 17, the Massachusetts Attorney General (“AG”) may review and analyze any information submitted to CHIA under M.G.L. c. 12C §§ 8, 9, and 10. Thus, the AG may review and analyze all information regarding significant equity investors, health care REITs, and MSOs submitted to CHIA under H. 5159’s expanded reporting requirements.
Department of Public Health (“DPH”) – Determinations of Need
With exceptions, existing Massachusetts law forbids entities from making substantial capital expenditures for the construction of a health care facility or substantially changing the services of the facility unless DPH has approved a determination of need application (“DON”). H. 5159 expands and clarifies the considerations DPH must weigh in reviewing a DON. These include (i) the state health resource plan; (ii) the Commonwealth’s cost containment goals; (iii) the impacts on the applicant’s patients (including considerations of health equity), on the workforce of surrounding health care providers, and on other residents of the Commonwealth; and (iv) any comments and relevant data from CHIA, the HPC, and any other state agency. H. 5159 codifies a current DPH regulation allowing the period of time DPH has to review a DON to toll if an independent cost analysis is required, and clarifies the effective date of a determination of need issued to holders subject to cost and market impact reviews and/or performance improvement plans. Finally, the legislation adds that a party of record may review a DON for which it is appropriately registered and provide written comment or specific recommendations for consideration by DPH.
Department of Public Health – Licensure of Acute-Care Hospitals
H. 5159 adds provisions to the licensure process of acute-care hospitals, mandating that no original license shall be granted or renewed to establish or maintain such facilities if the main campus of the acute-care hospital is leased from a health care REIT (with an exemption for those acute-care hospitals leasing a main campus from a health care REIT as of April 1, 2024). An exempt acute-care hospital shall remain exempt “after a transfer to any transferee and subsequent transferees,” and those transferees shall be issued a license upon meeting all other requirements. “Main campus” is defined in H. 5159 as “the licensed premises within which the majority of inpatient beds are located.” Additional new licensure requirements for acute-care hospitals mandate the disclosure of documents to DPH relating to leases, licenses, or other agreements for the use, occupancy, or utilization of the premises occupied by the acute-care hospital. Acute-care hospitals also must remain in compliance with applicable reporting requirements.
Department of Public Health – Licensure of Office-Based Surgical Centers
H. 5159 mandates that DPH, in consultation with the Massachusetts Board of Registration in Medicine, establish rules, regulations, and practice standards for the licensing of office-based surgical centers by October 1, 2025. Such licensure will be effective for an initial period of two years and subject to renewal. Pursuant to H. 5159, DPH may impose a fine of up to $10,000 on (1) a person or entity advertising, announcing, establishing, or maintaining an office-based surgical center without a license and (2) a licensed office-based surgical center that violates DPH’s forthcoming rules and regulations. Each day during which a violation continues will constitute a separate offense, and DPH may conduct surveys and investigations to enforce compliance. Notwithstanding the foregoing, H. 5159 permits DPH to grant a one-time provisional license to applicant office-based surgical centers if such applicants hold a (1) current accreditation from the Accreditation Association for Ambulatory Health Care, American Association for Accreditation of Ambulatory Surgery Facilities, or the Joint Commission; or (2) current certification for participation in Medicare or Medicaid, and DPH determines that such applicants meet all other licensure requirements.
Attorney General’s Office – False Claims Statute
H. 5159 amends the Massachusetts False Claims Statute to extend potential liability to those with an “ownership or investment interest” in an entity that violates the statute, if such owner or investor knows of the violation and fails to disclose it to the Commonwealth within 60 days of identifying the violation. As a result, the AG has broadened authority to pursue actions against private equity companies and other owners or investors for not addressing a violation of the False Claims Act of which they are aware, regardless of whether the private equity company or other owner or investor caused the violation. Notably, the definition of “ownership or investment interest” captures significant equity investors, as defined elsewhere in the bill, as well as private equity companies with any investment or ownership interest in an entity that violates the statute.
Primary Care Payment and Delivery Task Force
H. 5159 also establishes a 23-member primary care payment and delivery task force (“Task Force”) charged with (i) studying primary care access, delivery, and payment; (ii) developing and issuing recommendations to stabilize and strengthen the primary care system and increase recruitment and retention of primary care workers; and (iii) increasing investment in, and patient access to, primary care in the Commonwealth.
Among other recommendations, the Task Force must create a primary care spending target for private and public payers that takes into account the cost to deliver evidence-based, equitable, and culturally competent primary care services and propose payment models to increase private and public reimbursement for primary care services.
The bill requires the Task Force to issue its first recommendations by September 15, 2025, and requires recommendations to be issued in a sequential manner thereafter, through May 15, 2026.
Takeaways
The true impact of H. 5159 will depend in large part on the regulatory bodies tasked with enforcement and implementation of its provisions. Importantly, we expect that HPC, which has been petitioning the legislature for greater oversight authority over the past several years to review private equity health care investments in Massachusetts, will play a central role in determining the level of scrutiny for-profit investors in hospital systems and provider organizations will face moving forward.
Ann W. Parks contributed to this article
Solo Aging: Planning for Your Best Life
More and more of the clients I see lately are solo agers. A recent study found that 34 percent of older adults do not have a spouse, significant other or children who can provide their care. Although historically children and close relatives were the primary support for aging adults, there are many ways to fill that gap. Whether through informal networks of friends and “found” families, or through the guidance of professionals like our firm, it is important to plan.
When you live alone, you need to plan for aging differently than someone who is married or has a life-partner. In most instances, those with a partner can rely on them to help out with expenses and be a caregiver, if they should become ill. However, when you are single, especially if you do not have close family, you need to plan in advance and you need to plan better.
Most important of all: make sure that decisions about your health and well-being are made the way you want them to be made, if there comes a time you are not able to make them for yourself. That means picking a person you trust and giving them everything they need to act on your behalf. Your surrogate needs to know about your finances, your health information, your values and goals, so they can step into your shoes.
New Jersey law provides several tools to allow individuals to plan for their future and legacy wishes. In addition to a Will, POA, and health proxy, revocable trusts and health care instruction directives can be very useful for directing your surrogate as to how and where you want to be cared for if you need long term care. Solo agers will be best served if they think beyond basic formulaic legal documents. Because New Jersey does not have required statutory forms, estate planning documents can build in protections against financial exploitation such as trust protectors or advisors, POA monitors or tie-breakers, or trusted contacts. A POLST (Practitioner Order on Life Sustaining Treatment) is another great tool in New Jersey to ensure your treatment wishes are followed. Because it is a medical order, it is more likely to be honored than a Living Will. New Jersey also allows individuals to name a Funeral Representative in their Wills which can be essential for those who want to designate someone other than their next of kin to handle their arrangements.
Getting estate planning documents completed is important, but it is not the only thing to consider. You need a care plan which addresses emergencies, as well as a financial plan. You may want to consider long term care insurance. Someone turning 65 has a nearly 70% chance of needing long-term care in their remaining years. Solo agers are more likely to need to rely on paid professional caregivers. It’s important to consider your options for care before you need it. You also should discuss these issues with the friends or family whom you have nominated to make decisions for you, so they know your wishes. No one likes to think about these issues, but studies show that individuals who have not created a care plan and designated a surrogate often end up receiving care they did not want and are more likely to end up in an institutional setting.
There is a growing array of resources and options available to individuals who are ready to put together an aging life care plan and a team to support them along the way. Being proactive will give you the peace of mind of knowing you do not have to face aging and illness alone.
Federal Government Urges Court of Appeals to Uphold Constitutionality of FCA Qui Tam Provisions
Headlines that Matter for Companies and Executives in Regulated Industries
In a brief filed earlier this week, the US federal government has urged the Eleventh Circuit Court of Appeals to uphold the constitutionality of the False Claims Act’s (FCA) qui tam provisions, challenging a Florida district court’s ruling that found them to be unconstitutional.
The appeal stems from an underlying case with relator Clarissa Zafirov, who filed a qui tam action in 2019 against several health care entities, accusing them of misrepresenting patient conditions to Medicare. While the government initially declined to intervene, it later elected to defend the constitutionality of the FCA’s provisions.
At the district court level, the court found that whistleblowers are officers of the United States and must be appointed according to the appointments clause, leading to the dismissal of Zafirov’s suit. Per the government’s appellate brief, the district court decision is an “outlier ruling” that contradicts US Supreme Court precedent. The government specifically pointed to the decision in Vermont Agency of Natural Resources v. United States ex rel. Stevens, 529 US 765 (2000), in which the Supreme Court held that the FCA’s qui tam provisions are consistent with Article III, and argued that this makes clear that relators do not exercise executive power when they sue under the Act. Instead, relators are “pursuing a private interest in the money they will obtain if their suit prevails.” As such, they do not require appointment under the appointments clause.
The government further emphasized that qui tam actions are subject to government oversight and cannot proceed without the government’s decision on intervention. Accordingly, the federal government now seeks to reverse the district court’s decision and has urged the Eleventh Circuit Court of Appeals to maintain the established legal framework supporting whistleblower actions under the FCA.
The case is Clarissa Zafirov v. Florida Medical Associates LLC et al., Nos. 24-13581 and 24-13583, in the US Court of Appeals for the Eleventh Circuit. The government’s appellate brief is available here.
Community Health Network Reaches Third FCA Settlement in 10 Years, Agreeing to Pay $135 Million to Resolve Outstanding Claims
In a deal reached two years after the Indiana health care system agreed to pay $345 million to settle FCA allegations with the federal government, Community Health Network has now agreed to pay $135 million to resolve federal health care fraud claims brought by its former chief financial officer.
Over 10 years ago, in 2014, Community Health CFO and COO Thomas Fischer filed a lawsuit under the FCA’s qui tam provisions, alleging that Community Health overpaid physicians to secure referrals in violation of state and federal laws, including the federal Stark Law and Anti-Kickback Statute (AKS). Per the complaint, Community Health utilized an “aggressive strategy” to grow its physician network and garner referrals, including the recruitment of doctors by providing payment in excess of the market rate through large base salaries and sizable bonuses, among other means.
The US Department of Justice (DOJ) elected to intervene in the case. The $345 million settlement addressed some of Fischer’s claims, leaving others unresolved. In 2020, the district court allowed Fischer to file an amended complaint that asserted additional FCA claims separate from those pursued by the government. This latest settlement with Community Health resolves those remaining claims. Among other things, the deal resolves claims that (1) Community Health paid above fair-market value rent to a physician-owned real estate partnership to induce those doctors to refer patients to a Community Health-owned ambulatory surgical center in violation of the AKS, and (2) Community Health overpaid physicians employed by the organization and also by an independent oncology group that contracted exclusively with the health nonprofit.
Notably, Community Health additionally reached a $20.3 million settlement with the DOJ in 2015 to resolve civil allegations that the health nonprofit submitted false claims to Medicare and Medicaid programs. All told, Community Health has now paid more than half a billion dollars to resolve three FCA matters over the past 10 years. Nonetheless, Community Health has emphasized that all claims were resolved with no finding of wrongdoing, and the issues were unrelated to the quality or appropriateness of the health care provided by Community Health to its patients.
The case is US and State of Indiana ex rel Fischer v. Community Health Network, Inc., et al., Case No. 1:14-cv-1215, in the US District Court for the Southern District of Indiana.
The DOJ’s press release on the 2015 $20.3 million settlement is available here. The DOJ’s press release on the 2023 $345 million settlement is available here.
Athira Pharma Inc. Agrees to Pay Over $4 Million to Settle FCA Allegations
Athira Pharma Inc., based in Bothell, Washington, has agreed to pay $4,068,698 to settle allegations that it violated the FCA.
Per the DOJ, this settlement will resolve allegations that, between January 1, 2016, and June 20, 2021, Athira failed to report allegations of research misconduct regarding grant applications and grant award progress reports and assurances to both the National Institutes of Health (NIH) and the US Department of Health and Human Services (HHS) Office of Research Integrity. The alleged misconduct included that Athira’s former CEO, Leen Kawas, falsified and manipulated scientific images in her doctoral dissertation and in published research papers that were referenced in several grant applications submitted to NIH, including in a grant that NIH funded in 2019.
Notably, Athira immediately notified NIH of the research misconduct after the full board of directors learned of it. Underscoring the significance of cooperation credit, the DOJ noted specifically that “the company’s transparency significantly helped Athira mitigate its damages and demonstrated its resolve towards coming into compliance with the relevant law and regulations.”
The settlement additionally resolves claims brought under the FCA’s qui tam provisions, with whistleblower Andrew P. Mallon, Ph.D., receiving $203,434.
The DOJ’s press release is available here.
Iron Man 2 Actor Sentenced for COVID-19 Scam
Earlier this week, Keith Lawrence Middlebrook, a bodybuilder and actor known for his role in Iron Man 2, was sentenced to over eight years in prison for attempting to defraud investors by falsely claiming he had discovered a cure for COVID-19 and that National Basketball Association legend Magic Johnson was a major investor.
Middlebrook was arrested in March 2020, becoming the first person in the United States charged with a COVID-19-related scam. The case included recorded calls with an undercover FBI agent where Middlebrook claimed his treatments could generate significant profits. Middlebrook’s scheme involved promoting fake COVID-19 treatments and soliciting investments through social media and other channels, falsely claiming Johnson’s involvement to lend credibility.
The recent sentencing follows a guilty verdict on all 11 counts of wire fraud faced by Middlebrook, rendered by a 12-person jury after a three-day trial. During sentencing, and among other things, Middlebrook denied any wrongdoing and claimed to have a relationship with Johnson, who testified that he did not recall meeting Middlebrook. While video evidence showed Middlebrook and Johnson at the same event, the court was unmoved by the defense counsel’s suggestion at trial that Johnson gave false testimony. Specifically, the court noted that it was “inconceivable” that Johnson would have forgotten some of the lengthy interactions that Middlebrook had alleged occurred between them.
In the end, the court’s sentence of 98 months aligned with the sentence sought by the prosecutors.
The case is USA v. Keith Middlebrook, No. 2:20-cr-00229, in the US District Court for the Central District of California.
What to Know About the HHS HIPAA Security Standards Proposal
At the close of 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the Proposed Rule) to amend the Security Rule regulations established for protecting electronic health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The updated regulations would increase cybersecurity protection requirements for electronic protected health information (ePHI) maintained by covered entities and their business associates to combat rising cyber threats in the health care industry.
The Proposed Rule seeks to strengthen the HIPAA Security Rule requirements in various ways, including:
Removing the “addressable” standard for security safeguard implementation specifications and making all implementation specifications “required.” This, in turn, will require written documentation of all Security Rule policies and encryption of all ePHI, except in narrow circumstances.
Requiring the development or revision of technology asset inventories and network maps to illustrate the movement of ePHI throughout electronic information system(s) on an ongoing basis, to be addressed not less than annually and in response to updates to an entity’s environment or operations potentially affecting ePHI.
Setting forth specific requirements for conducting a risk analysis, including identifying all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, identifying potential vulnerabilities, and assigning a risk level for each threat and vulnerability identified.
Requiring prompt notification (within 24 hours) to other health care providers or business associates with access to an entity’s systems of a change to or termination of a workforce member’s access to ePHI; in other words, entities will be obligated to promptly communicate changes whenever an employee’s or contractor’s access to patient data is altered or revoked, to mitigate the risk of unauthorized access to ePHI.
Establishing written procedures on how the entity will restore the loss of relevant electronic information systems and data within 72 hours.
Testing and revising written security incident response plans.
Requiring encryption of ePHI at rest and in transit.
Requiring specific security safeguards on workstations with access to ePHI and/or storage of ePHI, including anti-malware software, removal of extraneous software from ePHI systems, and disabling network ports pursuant to the entity’s risk analysis.
Requiring the use of multi-factor authentication (with limited exceptions).
Requiring vulnerability scanning at least every six (6) months and penetration testing at least once every year.
Requiring network segmentation.
The Proposed Rule notably includes some requirements specific to business associates only. These include a proposed new requirement for business associates to notify covered entities (and subcontractors to notify business associates) within 24 hours of activating their contingency plans. Business associates would also be required to verify, at least once a year, to their covered entity customers that the business associate has deployed the required technical safeguards to protect ePHI. This must be conducted by a subject matter expert who provides a written analysis of the business associate’s relevant electronic information systems and a written certification that the analysis has been performed and is accurate.
The Proposed Rule even includes a specific requirement for group health plans, requiring such plans to include in their plan documents requirements that their group health plan sponsors (i) comply with the administrative, physical, and technical safeguards of the Security Rule; (ii) require any agent to whom they provide ePHI to implement the administrative, physical, and technical safeguards of the Security Rule; and (iii) notify their group health plans no more than 24 hours after activation of their contingency plans.
Ultimately, the Proposed Rule seeks to implement a comprehensive update of mandated security protections and protocols for covered entities and business associates, reflecting the significant changes in health care technology and cybersecurity in recent years. The Proposed Rule’s changes are also a tacit acknowledgment that current Security Rule standards have not kept up with threats or operational changes.
The government is soliciting comments on the Proposed Rule, and all public comments are due by March 7, 2025. Given the scope of the proposed changes and the heightened obligations for all individuals and entities subject to HIPAA, there will likely be many comments from various stakeholders. We will continue to follow the Proposed Rule and reactions thereto. The Proposed Rule is available here.
US Surgeon General Advises on Link Between Alcohol and Cancer, Recommends Cancer Warnings on Alcohol Labels
On January 3, the US Surgeon General issued an advisory on the association between alcohol and the risk of cancer.
The advisory outlines current scientific literature and concludes that alcohol consumption is the third leading preventable cause of cancer in the United States. Among other things, the advisory recommends updating the “Government Warning” statement on alcohol beverage labels to warn consumers about the cancer risk.
Potential Changes to Mandatory Government Warning
Since 1988, federal law has required a “Government Warning” statement on every alcoholic beverage sold in the United States. Under existing law, the Government Warning must state that (1) pregnant women should not drink alcohol because of the risk of birth defects and (2) that alcohol may impair one’s ability to drive a car, operate machinery, and could cause health problems. It is also subject to strict formatting and placement requirements.
If enacted, the Surgeon General’s recommendation would require alcohol beverage suppliers to update the Government Warning statement for the first time since the statement became mandatory nearly four decades ago. Nonetheless, only Congress has the power to update existing federal law to require alcohol labels to warn of the risk of cancer. Therefore, alcohol beverage companies should continue to closely monitor congressional action for potential changes to the mandatory governmental warning.
Globally, the advisory notes that there are currently 47 countries that require alcohol warning labels related to health and safety. Of those, South Korea currently requires a cancer-specific warning, and Ireland will require the following cancer warning starting in 2026: “There is a direct link between alcohol and fatal cancers.”
Conclusion
While it would take an act of Congress to change the current mandatory Government Warning statement on alcohol beverage labels, the Surgeon General’s advisory is likely to increase scrutiny on the potential links between alcohol consumption and cancer risk. Additionally, this advisory may signal new regulatory requirements for alcohol beverage suppliers in the future.
What Private Equity Investors and Real Estate Investment Trusts Need to Know About the Newly Enacted Massachusetts Health Oversight Law
On December 30, 2024, the Massachusetts state legislature passed House Bill 4653 (the Act), which significantly enhances regulatory oversight of the Massachusetts health care market. As signed into law by Governor Maura Healey on January 8, the Act will have profound effects for private equity (PE) investors and real estate investment trusts (REITs) engaging with the Massachusetts health care market. Passage of the Act comes on the heels of prominent PE-backed hospital failures in Massachusetts.
The Act Expands Existing Law and Government Infrastructure to Address Issues in Health Care Quality and Affordability
The Act overhauls the functions of, and increases coordination among, certain state agencies, including the Health Policy Commission (HPC), Department of Public Health (DPH), and the Center for Health Information and Analysis (CHIA). In addition, the Act expands the investigatory and enforcement powers of the Massachusetts Attorney General (MA AG) as it relates to health care activities, with particular attention to private equity investors, REITs, and management services organizations (MSOs). The Act does the following:
Increases HPC Oversight for PE Investors, REITs, and MSOs
The HPC is a Massachusetts government agency charged with monitoring health care cost trends and reviewing certain “material changes” to health care providers (e.g., proposed changes in ownership, sponsorship, or operations by health care providers). The Act broadens the scope of the HPC cost trend hearings to encompass a review of pharmaceutical manufacturers, pharmacy benefit managers (PBMs), PE investors, REITs, and MSOs. Additionally, Registered Provider Organizations (RPOs) now must disclose ownership information about PE investors, REITs, and MSOs to the HPC.
The bill amends the HPC Material Change Notification (MCN) process and now stipulates that the following activities are material changes for providers and provider organizations, in addition to certain mergers, affiliations, and acquisitions:
Significant expansions in capacity.
Transactions involving a significant equity investor which result in a change of ownership or control.
Significant transfers of assets, including, but not limited to, real estate sale leaseback arrangements.
Conversion from a non-profit to a for-profit organization.
In addition to expanding the scope of the MCN process, the Act allows the HPC to make and refer to the MA AG a report on certain proposed material change transactions, which creates a rebuttable presumption that the provider or provider organization has engaged in unfair or deceptive trade practices. Upon receipt of such a report, the MA AG is permitted to seek legal redress, including injunctive relief, and the proposed material change cannot be completed while that legal action remains pending.
Expands CHIA Oversight of PE Investors, REITs, and MSOs
CHIA is an existing Massachusetts government agency that is generally charged with improving transparency and equity in the health care delivery system. Significant among CHIA’s responsibilities is the collection, evaluation, and reporting of financial information from certain health care organizations. The Act expands CHIA’s oversight in the following ways:
As with the HPC, expands RPO reporting requirements to include PE investors, REITs, MSOs, and certain other entities.
Increases financial penalties for failure to make timely reports to CHIA.
Expands hospital financial information reporting and monitoring requirements as to relationships with significant equity investors, REITs, and MSOs.
Requires CHIA to notify HPC and DPH of failures to comply with reporting requirements, which HPC and DPH, in turn, will consider in their review and oversight activities.
Increases DPH Oversight and Authority to Include Hospitals with PE Investor or REIT Relationships
The Act expands DPH health facility licensure and Determination of Need (DON) oversight and authority in a variety of ways:
Charges DPH with establishing licensure and practice standards for office-based surgical centers and urgent care centers.
Directs that the Board of Registration in Medicine be under the oversight of DPH in certain ways.
Amends the DON review process for projects, which will be guided by considerations that include the state health plan, the state’s cost-containment goals, impacts on patients and the community, and comments and relevant data from CHIA, HPC, and other state agencies. DPH may impose reasonable conditions on the DON as necessary to achieve specified objectives, including measures to address health care disparities to better align with community needs. The DPH may also consider special circumstances related to workforce, research, capacity, and cost. These special needs and circumstances may pertain to a lack of supply for a region, population, or service line as identified in the state health plan or focused assessments.
Prohibits DPH from granting or renewing a license for an acute care hospital if its main campus is leased from a REIT. However, any acute care hospital leasing its main campus from a REIT as of April 1, 2024, is exempt from this prohibition.
Prohibits DPH from granting or renewing a hospital license unless all documents related to any lease, master lease, sublease, license, or any other agreement for the use, occupancy, or utilization of the premises are disclosed to DPH.
Prohibits DPH from granting or renewing any hospital license unless the applicant is in compliance with all CHIA reporting requirements.
Permits DPH to seek an HPC analysis on the impact of a proposed hospital closure or discontinuation of services.
Expanded MA AG Authority Over PE Investors, REITs, and MSOs
In addition to the MA AG authority noted above in seeking to enjoin transactions that create concern for the HPC, the Act expands the MA AG’s investigatory powers pertaining to false claims to encompass document production, answering interrogatories, and providing testimony under oath by provider organizations, significant equity investors, health care REITs, and MSOs. Similarly, and significantly, the MA AG’s authority to seek civil monetary penalties for health care false claims act violations is expanded to include those parties that have an ownership or investment interest in a violating party.
Key Takeaways
The Massachusetts legislature aims to improve the quality and affordability of health care in the Commonwealth by increasing transparency of private investment in the health care market. The Act overhauls and increases coordination among state agencies like the HPC, DPH, and CHIA, and expands the investigatory and enforcement powers of the MA AG. For-profit investors and REITs must be aware of the following provisions of the Act to avoid civil penalties and state-sanctioned injunctions, and in planning for transactions and investments in Massachusetts:
Increased HPC Oversight: The HPC’s annual cost trend hearings now include reviews of pharmaceutical manufacturers, PBMs, PE investors, REITs, and MSOs. New categories of material change (significant expansions, significant equity investor transactions, significant asset transfers, and non-profit to for-profit conversions) must be reported to the HPC through the MCN process in a timely manner.
Increased CHIA Oversight: CHIA’s scope of oversight for RPOs includes PE firms, REITs, and MSOs. The Act increases financial penalties for providers’ noncompliance and enhances hospital financial reporting. CHIA must inform HPC and DPH of providers’ reporting failures, which will influence HPC and DPH oversight activities.
Increased DPH Authority: DPH’s oversight now includes development and implementation of licensure standards for office-based surgical centers and urgent care centers. DPH may not issue or renew a license for an acute care hospital leasing its main campus from a REIT, subject to the April 1, 2024 exemption, or for a party not in compliance with CHIA reporting requirements. DPH also has increased authority to require disclosure of leases and other agreements governing use of the premises before issuing a hospital license.
Increased MA AG Authority: The MA AG’s powers are expanded to include investigatory and enforcement actions against false claims involving PE investors, REITs, and MSOs.
This Week in 340B: December 17, 2024 – January 6, 2025
Find updates on 340B litigation from December 17, 2024 – January 6, 2025 to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: HRSA Audit Process, Contract Pharmacy; Other
In a Health Resources and Services Administration (HRSA) audit process case, the government filed a brief in opposition to the plaintiff’s motion for preliminary injunction and the plaintiff filed a reply brief in support of the same motion.
In four HRSA audit process cases, the plaintiffs filed responses to the defendants’ motions to dismiss and briefs in opposition to Johnson & Johnson Health Care System Inc.’s motions for leave to file as amicus curiae.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, the appellants filed their opening brief.
In a breach of contract claim filed by a 340B Covered Entity against several related-party Medicare Advantage plans, plaintiffs filed a second amended complaint under seal with a jury demand. Additionally, defendants filed an answer and defenses to plaintiffs’ second amended complaint.
In a case challenging HRSA’s policy prohibiting manufacturer rebate models, defendants filed a consent motion to vacate the answer deadline and set summary judgment briefing schedule.
A covered entity filed a breach of contract claim against an insurance company, alleging that it failed to pay the covered entity the proper amounts because it relied on an outpatient prescription reimbursement rate ruled unlawful by the US Supreme Court.
A group of drug manufacturers filed a claim against HRSA, alleging that HRSA’s decision to certify a group of entities as 340B-eligible was arbitrary, capricious, and not in accordance with law.
In seven cases challenging a proposed state law governing contract pharmacy arrangements in West Virginia, Missouri, and Mississippi:
WV: In three cases, the court issued a memorandum opinion and order granting plaintiffs’ preliminary injunction motions, denying defendants’ motions to dismiss, and ordering defendants to file answers to plaintiffs’ complaints. In three of the cases, the court granted the parties’ joint motion for extension of time for plaintiff to respond to defendants’ motions to consolidate. In another one of the cases, plaintiffs filed a memorandum in opposition to defendants’ motion to consolidate and stay deadlines pending the court’s ruling on motions for preliminary injunction. In one of the cases, defendants filed an answer to plaintiff’s complaint.
MS: The court denied the plaintiff’s motion for preliminary injunction.
MO: The court denied defendant’s motion for transfer in two cases. In one case, plaintiff filed reply suggestions in support of the motion for preliminary injunction. In another case, plaintiff filed suggestions in opposition to a motion to dismiss for failure to state a claim.
The BR Privacy & Security Download: January 2025
Must Read! The U.S. Department of Health and Human Services Office for Civil Rights recently proposed an amendment to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information. Read the full alert to learn more about the first significant update to HIPAA’s Security Rule in over a decade.
STATE & LOCAL LAWS & REGULATIONS
Five New State Comprehensive Privacy Laws Effective in January with Three More to Follow in 2025: With the start of the new year, five new state comprehensive privacy laws have become effective. The comprehensive privacy laws of Delaware, Iowa, Nebraska, and New Hampshire became effective on January 1, 2025, and New Jersey’s law will come into effect on January 15, 2025. Tennessee, Minnesota, and Maryland will follow suit and take effect on July 1, 2025, July 31, 2025, and October 1, 2025, respectively. Companies should review their privacy compliance programs to identify potential compliance gaps with differences in the increasing patchwork of state laws.
Colorado Adopts Amendments to CPA Rules: The Colorado Attorney General announced the adoption of amendments to the Colorado Privacy Act (“CPA”) rules. The amended rules will become effective on January 30, 2025. The rules provide enhanced protections for the processing of biometric data and for the processing of the online activities of minors. Specifically, companies must develop and implement a written biometric data policy, implement appropriate security measures for biometric data, provide notice of the collection and processing of biometric data, obtain employee consent for the processing of biometric data, and provide a right of access to such data. In the context of minors, the amendments require that entities obtain consent before using any system design feature intended to significantly increase a known minor’s use of an online service, and that they update their Data Protection Assessments to address processing that presents heightened risks to minors. Entities already subject to the CPA should carefully review whether they now have heightened obligations for the processing of employee biometric data, a category of data previously exempt from the scope of the CPA.
CPPA Announces Increased Fines and Penalties Under CCPA: The California Privacy Protection Agency (“CPPA”), the enforcement authority of the California Consumer Privacy Act (“CCPA”), has adjusted the fines and monetary thresholds of the CCPA. Under the CCPA, in January of every odd-numbered year, the CPPA must make this adjustment to account for changes in the Consumer Price Index. The CPPA has increased the monetary thresholds of the CCPA from $25,000,000 to $26,625,000. The CPPA also increased the range of monetary damages from between $100 to $750 per consumer per incident or actual damages (whichever is greater) to $107 to $799. The range of civil penalties and administrative fine amounts further increased from $2,500 for each violation of the CCPA or $7,500 for each intentional violation and violations involving the personal information of children under 16 to $2,663 and $7,988, respectively. The new amounts went into effect on January 1, 2025.
Connecticut State Senator Previews Proposed Legislation to Update State’s Comprehensive Privacy Law: Connecticut State Senator James Maroney (D) has announced that he is drafting a proposed update to the Connecticut Privacy Act that would expand its scope, provide enhanced data subject rights, include artificial intelligence (“AI”) provisions, and potentially eliminate certain exemptions currently available under the Act. Senator Maroney expects that the proposed bill could receive a hearing by late January or early February. Although Maroney has not published a draft, he indicated that the draft would likely (1) reduce the compliance threshold from the processing of the personal data of 100,000 consumers to 35,000 consumers; (2) include AI anti-discrimination measures, potentially in line with recent anti-discrimination requirements in California and Colorado; (3) expand the definition of sensitive data to include religious beliefs and ethnic origin, in line with other state laws; (4) expand the right to access personal data under the law to include a right to access a list of third parties to whom personal data was disclosed, mirroring similar rights in Delaware, Maryland, and Oregon; and (5) potentially eliminate or curtail categorical exemptions under the law, such as that for financial institutions subject to the Gramm-Leach-Bliley Act.
CPPA Endorses Browser Opt-Out Law: The CPPA’s board voted to sponsor a legislative proposal that would make it easier for California residents to exercise their right to opt out of the sale of personal information and the sharing of personal information for cross-context behavioral advertising. Last year, Governor Newsom vetoed legislation with the same requirements. Like last year’s vetoed bill, the proposal sponsored by the CPPA would require browser vendors to include a feature that allows users to exercise their opt-out right through opt-out preference signals. Under the CCPA, businesses are already required to honor opt-out preference signals as valid opt-out requests. Opt-out preference signals allow a consumer to exercise the opt-out right with every business they interact with online without having to submit individual requests to each business. If the proposal is adopted, California would be the first state to require browser vendors to offer consumers the option to enable these signals. Six other states (Colorado, Connecticut, Delaware, Montana, Oregon, and Texas) require businesses to honor browser privacy signals as an opt-out request.
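The server side of an opt-out preference signal is simple but easy to get subtly wrong, so here is an added illustration (example code written for this newsletter, not anything published by the CPPA or a browser vendor). It assumes the Global Privacy Control signal, which browsers send as the request header `Sec-GPC: 1`; the precedence rule between the header and a stored account preference, and the "cross-context pixel" data model, are assumptions made for the example.

```python
"""Honouring a browser opt-out preference signal (added illustration).

Global Privacy Control (GPC) arrives as the HTTP request header
``Sec-GPC: 1``. Under the CCPA a business must treat a valid signal as a
request to opt out of sale/sharing. This is constructed example code, not
code from the CPPA, a browser vendor, or any business.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    reason: str


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when Sec-GPC is present with the exact value '1'.

    The signal defines only the value '1'. Anything else ('0', 'true', '')
    must NOT be read as an opt-out, and a missing header is not consent
    to sell; it simply means no signal was sent. Header names are
    case-insensitive, so compare them lower-cased.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str],
                    stored_preference: Optional[bool]) -> OptOutDecision:
    """Combine the live signal with an account-level stored preference.

    Precedence (an assumption for this example): an opt-out from either
    source wins. A stale stored opt-in never overrides a fresh signal, and
    a stored opt-out persists when the browser sends no signal at all.
    """
    if gpc_signal_present(headers):
        return OptOutDecision(True, "Sec-GPC header")
    if stored_preference is True:
        return OptOutDecision(True, "stored preference")
    return OptOutDecision(False, "no signal, no stored opt-out")


def ad_pixels_for(request_headers: Mapping[str, str],
                  stored_preference: Optional[bool],
                  pixels: Iterable[dict]) -> list:
    """Drop third-party pixels that 'share' data for cross-context
    behavioural advertising when the visitor has opted out; first-party
    analytics pixels (cross_context=False) are unaffected."""
    if resolve_opt_out(request_headers, stored_preference).opted_out:
        return [p for p in pixels if not p["cross_context"]]
    return list(pixels)


# Constructed sample request and pixel inventory for a local run.
SAMPLE_HEADERS = {"Host": "shop.example", "Sec-GPC": "1", "Accept": "*/*"}
SAMPLE_PIXELS = [
    {"name": "adnet-retargeting", "cross_context": True},
    {"name": "first-party-analytics", "cross_context": False},
]

if __name__ == "__main__":
    print(resolve_opt_out(SAMPLE_HEADERS, None))
    print([p["name"] for p in ad_pixels_for(SAMPLE_HEADERS, None, SAMPLE_PIXELS)])
```

The strict equality check matters: treating any non-empty `Sec-GPC` value as an opt-out over-blocks, while treating the absence of the header as an opt-in silently violates a stored opt-out the consumer made earlier.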
FEDERAL LAWS & REGULATIONS
HHS Proposes Updates to HIPAA Security Rule: The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). The NPRM proposes the first significant updates to HIPAA’s Security Rule in over a decade. The NPRM makes a number of updates to the administrative, physical, and technical safeguards specified by the Security Rule, removes the distinction between “required” and “addressable” implementation specifications, and makes all implementation specifications “required” with specific, limited exceptions.
Trump Selects Andrew Ferguson as New FTC Chair: President-elect Donald Trump has selected current Federal Trade Commission (“FTC”) Commissioner Andrew Ferguson to replace Lina Khan as the new FTC Chair. Ferguson is one of two Republicans of the five FTC Commissioners and has been a Commissioner since April of 2024. Prior to becoming an FTC Commissioner, Ferguson served as Virginia’s solicitor general. During his time as an FTC Commissioner, Ferguson dissented from several of Khan’s rulemaking efforts, including a ban on non-compete clauses in employment contracts. Separately, Trump also selected Mark Meador to be an FTC Commissioner. Once Meador is confirmed to give the FTC a Republican majority, a Republican-led FTC under Ferguson may deprioritize rulemaking and enforcement efforts relating to privacy and AI. In a leaked memo first reported by Punchbowl News, Ferguson wrote to Trump that, under his leadership, the FTC would “stop abusing FTC enforcement authorities as a substitute for comprehensive privacy legislation” and “end the FTC’s attempt to become an AI regulator.”
FERC Updates and Consolidates Cybersecurity Requirements for Gas Pipelines: The U.S. Federal Energy Regulatory Commission (“FERC”) has issued a final rule to update and consolidate cybersecurity requirements for interstate natural gas pipelines. Effective February 7, 2025, the rule adopts Version 4.0 of the Standards for Business Practices of Interstate Natural Gas Pipelines, as approved by the North American Energy Standards Board (“NAESB”). The update aims to enhance the efficiency, reliability, and cybersecurity of the natural gas industry. The new standards consolidate existing cybersecurity protocols into a single manual, streamlining processes and strengthening protections against cyber threats; the consolidation is expected to make it easier and faster to revise the cybersecurity standards in response to evolving threats. The rule also aligns with broader U.S. government efforts to prioritize cybersecurity across critical infrastructure sectors. Compliance filings are required by February 3, 2025, and the standards must be fully adhered to by August 1, 2025.
House Taskforce on AI Delivers Report to Address AI Advancements: The House Bipartisan Task Force on Artificial Intelligence (the “Task Force”) submitted its comprehensive report to Speaker Mike Johnson and Democratic Leader Hakeem Jeffries. The Task Force was created to ensure America’s continued global leadership in AI innovation with appropriate safeguards. The report advocates for a sectoral regulatory structure and an incremental approach to AI policy, ensuring that humans remain central to decision-making processes. The report provides a blueprint for future Congressional action to address advancements in AI and articulates guiding principles for AI adoption, innovation, and governance in the United States. Key areas covered in the report include government use of AI, federal preemption of state AI law, data privacy, national security, research and development, civil rights and liberties, education and workforce development, intellectual property, and content authenticity. The report aims to serve as a roadmap for Congressional action, addressing the potential of AI while mitigating its risks.
CFPB Proposes Rule to Restrict Sale of Sensitive Data: The Consumer Financial Protection Bureau (“CFPB”) proposed a rule that would require data brokers to comply with the Fair Credit Reporting Act (“FCRA”) when selling income and certain other consumer financial data. CFPB Director Rohit Chopra stated the new proposed rule seeks to limit “widespread evasion” of the FCRA by data brokers when selling sensitive personal and financial information of consumers. Under the proposed rule, data brokers could sell financial data only for permissible purposes under the FCRA, including checking on loan applications and fraud prevention. The proposed rule would also limit the sale of personally identifying information known as credit header data, which can include basic demographic details, including names, ages, addresses, and phone contacts.
FTC Issues Technology Blog on Mitigating Security Risks through Data Management, Software Development and Product Design: The Federal Trade Commission (“FTC”) published a blog post identifying measures that companies can take to limit the risks of data breaches. These measures relate to security in data management, security in software development, and security in product design for humans. The FTC emphasizes comprehensive governance measures for data management, including (1) enforcing mandated data retention schedules; (2) mandating data deletion in accordance with these schedules; (3) controlling third-party data sharing; and (4) encrypting sensitive data both in transit and at rest. In the context of security in software development, the FTC identified (1) building products using memory-safe programming languages; (2) rigorous testing, including penetration and vulnerability testing; and (3) securing external product access to prevent unauthorized remote intrusions as key security measures. Finally, in the context of security in product design for humans, the FTC identified (1) enforcing least privilege access controls; (2) requiring phishing-resistant multifactor authentication; and (3) designing products and services without the use of dark patterns to reduce the over-collection of data. The blog post contains specific links to recent FTC enforcement actions specifically addressing each of these issues, providing users with insight into how the FTC has addressed these issues in the past. Companies reviewing their security and privacy governance programs should ensure that they consider these key issues.
U.S. LITIGATION
Texas District Court Prevents HHS from Enforcing Reproductive Health Privacy Rule Against Doctor: The U.S. District Court for the Northern District of Texas ruled that a Texas doctor is likely to prevail on her claim that HHS exceeded its statutory authority when it adopted an amendment to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule protecting reproductive health care information, and enjoined HHS from enforcing the rule against her. The 2024 amendment to the HIPAA Privacy Rule prohibits covered entities from disclosing information that could lead to an investigation or criminal, civil, or administrative liability for seeking, obtaining, providing, or facilitating reproductive health care. The Court stated that the rule likely interfered unlawfully with the plaintiff’s state-law duty to report suspected child abuse, since Congress delegated authority to the agency to enact rules interpreting HIPAA without limiting any law providing for such reporting. The plaintiff argued that, under Texas law, she is obligated to report instances of child abuse within 48 hours, and that the corresponding requests from Texas regulatory authorities demand the full, unredacted patient chart, which for female patients includes information about menstrual periods, number of pregnancies, and other reproductive health information.
Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement: A proposed settlement in the Clearview AI Illinois Biometric Information Privacy Act (“BIPA”) litigation is facing opposition from 22 states and the District of Columbia. The Attorneys General of each state argue that the settlement, which received preliminary approval in June 2024, lacks meaningful injunctive relief and offers an unusual financial stake in Clearview AI to plaintiffs. The settlement would grant the class of consumers a 23 percent stake in Clearview AI, potentially worth $52 million, based on a September 2023 valuation. Alternatively, the class could opt for 17 percent of the company’s revenue through September 2027. The AGs contend the settlement doesn’t adequately address consumer privacy concerns and the proposed 39 percent attorney fee award is excessive. Clearview AI has filed a motion to dismiss the states’ opposition, arguing it was submitted after the deadline for objections. A judge will consider granting final approval for the settlement at a hearing scheduled on January 30, 2025.
Federal Court Upholds New Jersey’s Daniel’s Law, Dismissing Free Speech Challenges: A federal judge affirmed the constitutionality of New Jersey’s Daniel’s Law, dismissing First Amendment objections raised by data brokers. Enacted following the murder of Daniel Anderl, son of U.S. District Judge Esther Salas, the law permits covered individuals—including active, retired, and former judges, prosecutors, law enforcement officers, and their families—to request the removal of personal details, such as home addresses and unpublished phone numbers, from online platforms. Data brokerage firms that find themselves on the receiving end of such requests are mandated by the statute to comply within ten (10) business days, with penalties for non-compliance including actual damages or a $1,000 fine for each violation, as well as potential punitive damages for instances of willful disregard. Notably, in 2023, Daniel’s Law was amended to allow claim assignments to third parties, resulting in over 140 lawsuits filed by a single consumer data protection company: Atlas Data Privacy Corporation. Atlas Data, a New Jersey firm specializing in data deletion, has emerged as a significant force in this litigation, utilizing Daniel’s Law to challenge data brokers on behalf of around 19,000 individuals. The court, in upholding Daniel’s Law, emphasized its critical role in safeguarding public officials while concurrently ensuring public oversight remains strong. Although data brokers contended that the law infringed on free speech and unfairly targeted their operations, the court dismissed these claims as lacking merit, instead placing significant emphasis on the statute’s relatively focused scope and substantial state interest at play. Although unquestionably a significant victory for advocates of privacy rights, the judge permitted an immediate appeal by the data brokers.
GoodRx Settles Class Action Suit Over Alleged Data Sharing Violations: GoodRx has agreed to a $25 million settlement in a class-action lawsuit alleging the company violated privacy laws by sharing users’ sensitive health data with advertisers like Meta Platforms, Google, and Criteo Corp. The settlement, if approved, would resolve a lawsuit filed in February 2023. The lawsuit followed an FTC action alleging that GoodRx shared information about users’ prescriptions and health conditions with advertising companies. GoodRx settled the FTC matter for $1.5 million. The proposed class in the class-action lawsuit is estimated to be in the tens of millions and would give each class member an average recovery ranging from $3.31 to $11.03. The settlement also allows the plaintiffs to use information from GoodRx to pursue their claims against the other defendants, including Meta, Google, and Criteo.
23andMe Data Breach Suit Settlement Approved: A federal judge approved a settlement resolving claims that 23andMe Inc. failed to secure sensitive personal data, resulting in a 2023 data breach. According to 23andMe, a threat actor accessed roughly 14,000 user accounts through credential stuffing, and those accounts in turn gave access to the personal information that approximately 6.9 million users had made available through 23andMe’s DNA Relatives and Family Tree profile features. Under the terms of the $30 million settlement, class members will receive cash compensation and three years of data monitoring services, including genetic monitoring.
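The mechanism described above, a small number of stuffed accounts amplified through a data-sharing feature, has a recognisable signature in authentication logs: one source hitting many distinct accounts with mostly failures and a few successes. The following is an added detection example written for this newsletter, not 23andMe’s tooling or logs; the log format, the sample lines, the detection thresholds and the `visible_to` relatives map are all constructed for the illustration.

```python
"""Credential-stuffing detection over authentication logs (added example).

Credential stuffing replays username/password pairs leaked elsewhere, so a
single source tries many *different* accounts and succeeds on a few. This
is constructed example code with constructed sample data; it is not
23andMe's code, log format, or data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example, one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(lines):
    """Parse lines into (timestamp, ip, user, success) tuples; malformed
    lines are skipped rather than allowed to crash the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, max_success_ratio=0.2):
    """Flag source IPs that, within any sliding time window, attempt at
    least ``min_accounts`` distinct accounts with a success ratio at or
    below ``max_success_ratio``. The thresholds are assumptions for this
    example and must be tuned to the service's own baseline (a shared
    office NAT legitimately serves many users with a high success ratio).
    Returns {ip: {"accounts_tried": set, "accounts_compromised": set}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most ``window``.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_accounts and successes / len(win) <= max_success_ratio:
                rec = flagged.setdefault(
                    ip, {"accounts_tried": set(), "accounts_compromised": set()})
                rec["accounts_tried"] |= users
                # Successful logins inside a stuffing burst are takeovers,
                # not the legitimate owners: these need forced resets.
                rec["accounts_compromised"] |= {u for _, u, ok in win if ok}
    return flagged


def exposure_from(compromised, visible_to):
    """Profiles reachable through a sharing feature from the taken-over
    accounts. This is the amplification step: a handful of takeovers can
    expose far more users' data than were actually stuffed."""
    exposed = set()
    for account in compromised:
        exposed |= visible_to.get(account, set())
    return exposed


# Constructed sample log: one stuffing source (8 accounts, 1 success) and
# one ordinary user mistyping their own password twice, plus a junk line.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave result=OK
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:07Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T12:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2023-10-01T12:01:00Z ip=198.51.100.7 user=ivan result=FAIL
2023-10-01T12:01:20Z ip=198.51.100.7 user=ivan result=FAIL
2023-10-01T12:01:40Z ip=198.51.100.7 user=ivan result=OK
this line is not a valid auth event and is skipped
""".splitlines()

# Constructed relatives map: which other profiles each account can view.
VISIBLE_TO = {"dave": {"m1", "m2", "m3"}, "ivan": {"m4"}}

if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, rec in hits.items():
        print(ip, sorted(rec["accounts_tried"]), sorted(rec["accounts_compromised"]))
        print("exposed via sharing:", sorted(exposure_from(rec["accounts_compromised"], VISIBLE_TO)))
```

The ordinary user at 198.51.100.7 is never flagged because the distinct-account count, not the failure count, is the discriminator; the response to a flagged source is to block it and force a credential reset plus MFA enrolment on the successfully logged-in accounts, since those, not the failures, are the ones an attacker now holds.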
U.S. ENFORCEMENT
FTC Takes Action Against Company for Deceptive Claims Regarding Facial Recognition Software: The Federal Trade Commission (“FTC”) announced that it has entered into a settlement with IntelliVision Technologies Corp. (“IntelliVision”), which provides facial recognition software used in home security systems and smart home touch panels. The FTC alleged that IntelliVision’s claims that it had one of the highest accuracy rates on the market, that its software was free of gender or racial bias, and was trained on millions of faces was false or misleading. The FTC further alleged that IntelliVision did not have adequate evidence to support its claim that its anti-spoofing technology ensures the system cannot be tricked by a photo or video image. The proposed order against IntelliVision specifically prohibits IntelliVision from misrepresenting the effectiveness, accuracy, or lack of bias of its facial recognition technology and its technology to detect spoofing, and the comparative performance of the technology with respect to individuals of different genders, ethnicities, and skin tones.
FTC Settles Enforcement Actions with Data Brokers for Selling Sensitive Location Data: The FTC announced settlements with data brokers Gravy Analytics Inc. (“Gravy Analytics”) and Mobilewalla, Inc. (“Mobilewalla”) related to the tracking and sale of sensitive consumer location data. According to the FTC, Gravy Analytics violated the FTC Act by unfairly selling sensitive consumer location data, by collecting and using consumers’ location data for commercial and government uses without obtaining verifiable user consent, and by selling data regarding sensitive characteristics such as health or medical decisions, political activities, and religious views derived from location data. Under the proposed settlement, Gravy Analytics will be prohibited from selling, disclosing, or using sensitive location data in any product or service, must delete all historic location data and data products using such data, and must establish a sensitive location data compliance program. Separately, the FTC settled allegations that Mobilewalla collected location data from real-time bidding exchanges and third-party aggregators, including data related to health clinic visits and visits to places of worship, without the knowledge of consumers, and subsequently sold such data. According to the FTC, when Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request, even when it did not have a winning bid. Under the proposed settlement, Mobilewalla will be prohibited from selling sensitive location data and from collecting consumer data from online advertising auctions for purposes other than participating in those auctions.
Texas Attorney General Issues New Warnings Under State’s Comprehensive Privacy Law: The Texas Attorney General issued warnings to satellite radio broadcaster Sirius XM and three mobile app providers that they appear to be sharing sensitive consumer data, including location data, without proper notification or consent. The warning letters were not accompanied by a press release or other public statement and were reported by Recorded Future News, which obtained the notices through a public records request. The letter to Sirius XM stated that the Attorney General’s office found a number of violations of the Texas Data Privacy and Security Act in the Sirius XM privacy notice, including failing to provide reasonably clear notice of the categories of sensitive data being processed and processing sensitive data without appropriate consent. Similar letters were sent to the mobile app providers stating that the providers failed to obtain consumer consent for data sharing or to include information on how consumers could exercise their rights under Texas law.
Texas Attorney General Launches Investigations Into 15 Companies for Children’s Privacy Practices: The Texas Attorney General’s office announced that it had launched investigations into Character.AI and 14 other companies, including Reddit, Instagram, and Discord. The Attorney General’s press release stated that the investigations relate to the companies’ privacy and safety practices for minors under the Securing Children Online through Parental Empowerment (“SCOPE”) Act and the Texas Data Privacy and Security Act (“TDPSA”). Details of the Attorney General’s allegations were not provided in the announcement. The TDPSA requires companies to provide notice and obtain consent to collect and use minors’ personal data. The SCOPE Act prohibits digital service providers from sharing, disclosing, or selling a minor’s personal identifying information without permission from the child’s parent or legal guardian and provides parents with tools to manage privacy settings on their child’s account.
HHS Imposes Penalty Against Medical Provider for Impermissible Access to PHI and Security Rule Violations: The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that it imposed a $1.19 million civil penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“GCPC”) for violations of the HIPAA Security Rule arising from a data breach. GCPC’s former contractor had impermissibly accessed GCPC’s electronic medical record system to retrieve protected health information (“PHI”) for use in potentially fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information. OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures to conduct a compliant risk analysis, to implement procedures to regularly review records of activity in information systems, and to terminate former workforce members’ access to electronic PHI.
HHS Settles with Health Care Clearinghouse for HIPAA Security Rule Violations: OCR announced a settlement with Inmediata Health Group, LLC (“Inmediata”), a healthcare clearinghouse, for potential violations of the HIPAA Security Rule, following OCR’s receipt of a 2018 complaint that PHI was accessible on the Internet to search engines such as Google. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnoses/conditions, and other treatment information. OCR’s investigation also identified multiple potential HIPAA Security Rule violations, including failures to conduct a compliant risk analysis and to monitor and review the activity of Inmediata’s health information systems. Under the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution because Inmediata had previously agreed to a settlement with 33 states that included corrective actions addressing OCR’s findings.
New York State Healthcare Provider Settles with Attorney General Regarding Allegations of Cybersecurity Failures: HealthAlliance, a division of Westchester Medical Center Health Network (“WMCHealth”), has agreed to pay a $1.4 million fine, with $850,000 suspended, due to a 2023 data breach affecting over 240,000 patients and employees in New York State. The breach at issue, which occurred between September and October 2023, was reportedly caused by an unpatched security flaw in Citrix NetScaler, a tool used by many organizations to optimize web application performance and availability by reducing server load. Although HealthAlliance was made aware of the vulnerability, it was unsuccessful in patching it due to technical difficulties, ultimately resulting in the exposure of 196 gigabytes of data, including particularly sensitive information such as Social Security numbers and medication records. As part of its agreement with New York State, HealthAlliance must enhance its cybersecurity practices by implementing a comprehensive information security program, developing a data inventory, and enforcing a patch management policy that addresses critical vulnerabilities within 72 hours. For more details, view the press release from the New York Attorney General’s office.
HHS Settles with Children’s Hospital for HIPAA Privacy and Security Violations: OCR announced a $548,265 civil monetary penalty against Children’s Hospital Colorado (“CHC”) for violations of the HIPAA Privacy and Security Rules arising from data breaches in 2017 and 2020. The 2017 data breach involved a phishing attack that compromised an email account containing 3,370 individuals’ PHI, and the 2020 data breach compromised three email accounts containing 10,840 individuals’ PHI. OCR’s investigation determined that the 2017 data breach occurred because multi-factor authentication was disabled on the affected email account. The 2020 data breach occurred, in part, when workforce members gave unknown third parties permission to access their email accounts. OCR found violations of the HIPAA Privacy Rule for failure to train workforce members on the HIPAA Privacy Rule, and of the HIPAA Security Rule requirement to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems.
INTERNATIONAL LAWS & REGULATIONS
Italy Imposes Landmark GDPR Fine on AI Provider for Data Violations: In the first reported EU penalty under the GDPR relating to generative AI, Italy’s data protection authority, the Garante, fined OpenAI 15 million euros for breaching the European Union’s General Data Protection Regulation (“GDPR”). The penalty was linked to three specific incidents involving OpenAI: (1) unauthorized use of personal data for ChatGPT training without user consent, (2) inadequate age verification risking exposure of minors to inappropriate content, and (3) failure to report a March 2023 data breach that exposed users’ contact and payment information. The investigation into OpenAI, which began after the Garante was made aware of the March 2023 breach, initially resulted in Italy temporarily blocking access to ChatGPT; access was eventually reinstated after OpenAI made concrete improvements to its age verification and privacy policies. Alongside the monetary penalty, OpenAI is additionally mandated to conduct a six-month public awareness campaign in Italy to educate the Italian public on data collection and individual user rights under the GDPR. OpenAI has said that it plans to appeal the Garante’s decision, arguing that the fine exceeds its revenue in Italy.
Australian Parliament Approves Privacy Act Reforms and Bans Social Media Use by Minors: The Australian Parliament passed a number of privacy bills in December. The bills include reforms to the Australian Privacy Act, a law requiring age verification by social media platforms, and a law banning social media use by minors under the age of 16. The Privacy Act reforms include new enforcement powers for the Office of the Australian Information Commissioner (“OAIC”) that clarify when “serious” breaches of the Privacy Act occur and allow the OAIC to bring civil penalty proceedings for lesser breaches. Other reforms require entities that use personal data for automated decision-making to include in their privacy notices information about what data is used for automated decision-making and what types of decisions are made using automated decision-making technology.
EDPB Releases Opinion on Personal Data Use in AI Models: In response to a formal request from Ireland’s Data Protection Commission asking for clarity about how the EU General Data Protection Regulation (“GDPR”) applies to the training of large language models with personal data, the European Data Protection Board (“EDPB”) released its opinion regarding the lawful use of personal data for the development and deployment of artificial intelligence models (the “Opinion”). The Irish Data Protection Commission specifically requested that the EDPB opine on: (1) when and how an AI model can be considered anonymous, (2) how legitimate interests can be used as the legal basis in the development and deployment phases of an AI model, and (3) the consequences of unlawful processing in the development phase of an AI model for its subsequent operation. With respect to anonymity, the EDPB stated that this should be analyzed on a case-by-case basis, taking into account the likelihood of obtaining personal data of individuals whose data was used to build the model and the likelihood of extracting personal data through queries. The Opinion describes certain methods that controllers can use to demonstrate anonymity. With respect to the use of legitimate interest as a legal basis for processing, the EDPB restated the three-part test for assessing legitimate interest from its earlier guidance. Finally, the EDPB reviewed several scenarios in which personal data may be unlawfully processed to develop an AI model.
Second Draft of General-Purpose AI Code of Practice Published: The European Commission announced that independent experts published the Second Draft of the General Purpose AI Code of Practice. The AI Code of Practice is designed to be a guiding document for providers of general-purpose AI models, allowing them to demonstrate compliance with the AI Act. Under the EU AI Act, providers are persons or entities that develop an AI system and place that system on the market. This second draft is based on the responses and comments received on the first draft and is designed to provide a “future-proof” code. The first part of the Code details transparency and copyright obligations for all providers of general-purpose AI models. The second part of the Code applies to providers of advanced general-purpose AI models that could pose systemic risks. This section outlines measures for systemic risk assessment and mitigation, including model evaluations, incident reporting, and cybersecurity obligations. The Second Draft will be open for comments until January 15, 2025.
NOYB Approved to Bring Collective Redress Claims: The Austria-based non-profit organization None of Your Business (“NOYB”) has been approved as a Qualified Entity in Austria and Ireland, enabling it to pursue collective redress actions across the European Union (“EU”). Known for challenging the EU-US data transfer framework through its Schrems I and II actions, NOYB intends to use the EU’s collective redress system to challenge what it describes as unlawful processing without consent, use of deceptive dark patterns, data sales, international data transfers, and use of “absurd” language in privacy policies. Unlike US class actions, these EU actions are strictly non-profit. However, they do provide for both injunctive and monetary redress measures. NOYB intends to bring its first actions in 2025.
EDPB Issues Guidelines on Third Country Authority Data Requests: The EDPB published draft guidelines on Article 48 of the GDPR relating to the transfer or disclosure of personal data to a governmental authority in a third country (the “Guidelines”). The Guidelines state that, as a general rule, requests from governmental authorities are recognizable and enforceable under applicable international agreements. The Guidelines further state that any such transfer must also comply with Article 6 with respect to the legal basis for processing and with Article 46 regarding the legal mechanism for international data transfers. The Guidelines will be available for public consultation until January 27, 2025.
Irish DPC Fines Meta €251 Million for Violations of the GDPR: The Irish Data Protection Commission (DPC) fined Meta €251 million following a 2018 data breach that affected 29 million Facebook accounts globally, including 3 million in the European Union. The breach exposed personal data such as names, contact information, locations, birthdates, religious and political beliefs, and children’s data. The DPC found that Meta Ireland violated General Data Protection Regulation (GDPR) Articles 33(3) and 33(5) by failing to provide complete information in its breach notification and to properly document the breach. Furthermore, Meta Ireland infringed GDPR Articles 25(1) and 25(2) by neglecting to incorporate data protection principles into the design of its processing systems and by processing more data than necessary by default.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin
Navigating Change: OSHA’s 2024 Wrap-Up and a Look Ahead to 2025
In the latest episode of Greenberg Traurig’s Workplace Safety Review podcast, co-hosts Adam Roseman and Joshua Bernstein provide a comprehensive wrap-up of the significant OSHA developments from 2024 and explore what’s on the horizon for 2025. They delve into the impacts of administrative changes, including the Supreme Court’s Loper Bright decision, which overturned Chevron deference, and how it may affect OSHA litigation.
Their discussion highlights key regulatory updates, like the proposed heat stress and lockout/tagout standards, and examines the potential implications of the Kenrick Steel case challenging the constitutionality of the Occupational Safety and Health Review Commission.
As the Trump administration prepares to take office, the hosts consider the prospective leadership and policy direction under Secretary of Labor nominee Lori Chavez-DeRemer and the next OSHA head.
HHS OCR Proposes Significant Modifications to HIPAA Security Rule
Overview
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on December 27, 2024, and published in the Federal Register on January 6, 2025, a Notice of Proposed Rulemaking (NPRM) proposing extensive modifications to the HIPAA Security Rule. If finalized, these would be the first modifications of the Security Rule since 2013 and could entail significant additional compliance obligations and costs for HIPAA covered entities and business associates (collectively, regulated entities). For reference, a redline of the existing language of the Security Rule with the NPRM’s proposed modifications is available here.
Life Science Dealmaking Trends 2025
In this series of videos, International Chair of Life Sciences Cheryl Reicin provides valuable insights on a number of trends she is seeing in Big Pharma dealmaking and M&A. She discusses 2025 deal trends, M&A drivers, patent cliff impacts, and the hottest emerging sectors.
Drivers of Big Pharma M&A
Big Pharma Patent Cliff Impacts to M&A
What are the Hottest Sectors in the Life Science Industry?
Central Nervous System (CNS) Investment Opportunities
How Do You See Big Pharmas in AI?