2025 Employment Law Updates
Many state and local government employment laws went into effect January 1, 2025. Here is a non-exhaustive list of 2025 employment law updates.
The Worker’s Compensation Time of Hire Notice can be found here.
The Worker’s Compensation Updated Poster can be found here.
Employers should also be aware that numerous hourly minimum wage rate increases are set to take effect in various jurisdictions on January 1, 2025, as previously detailed here.
Again, this is a non-exhaustive list of employment law updates. Contact your Polsinelli attorney if you have any questions or need assistance regarding employment law compliance in 2025, as well as to get up to speed on the latest employment law updates.
The BR Privacy & Security Download: February 2025
STATE & LOCAL LAWS & REGULATIONS
New York Legislature Passes Comprehensive Health Privacy Law: The New York state legislature passed SB-929 (the “Bill”), providing for the protection of health information. The Bill broadly defines “regulated health information” as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Regulated health information includes location and payment information, as well as inferences derived from an individual’s physical or mental health. The term “individual” is not defined. Accordingly, the Bill contains no terms restricting its application to consumers acting in an individual or household context. The Bill would apply to regulated entities, which are entities that (1) are located in New York and control the processing of regulated health information, or (2) control the processing of regulated health information of New York residents or individuals physically present in New York. Among other things, the Bill would restrict regulated entities to processing regulated health information only with a valid authorization, or when strictly necessary for certain specified activities. The Bill also provides for individual rights and requires the implementation of reasonable administrative, physical, and technical safeguards to protect regulated health information. The Bill would take effect one year after being signed into law and currently awaits New York Governor Kathy Hochul’s signature.
New York Data Breach Notification Law Updated: Two bills, SO2659 and SO2376, that amended the state’s data breach notification law were signed into law by New York Governor Kathy Hochul. The bills change the timing requirement in which notice must be provided to New York residents, add data elements to the definition of “private information,” and adds the New York Department of Financial Services to the list of regulators that must be notified. Previously, New York’s data breach notification statute did not have a hard deadline within which notice must be provided. The amendments now require affected individuals to be notified no later than 30 days after discovery of the breach, except for delays arising from the legitimate needs of law enforcement. Additionally, as of March 25, 2025, “private information” subject to the law’s notification requirements will include medical information and health insurance information.
California AG Issues Legal Advisory on Application of California Law to AI: California’s Attorney General has issued legal advisories to clarify that existing state laws apply to AI development and use, emphasizing that California is not an AI “wild west.” These advisories cover consumer protection, civil rights, competition, data privacy, and election misinformation. AI systems, while beneficial, present risks such as bias, discrimination, and the spread of disinformation. Therefore, entities that develop or use AI must comply with all state, federal, and local laws. The advisories highlight key laws, including the Unfair Competition Law and the California Consumer Privacy Act. The advisories also highlight new laws effective on January 1, 2025, which include disclosure requirements for businesses, restrictions on the unauthorized use of likeness, and regulations for AI use in elections and healthcare. These advisories stress the importance of transparency and compliance to prevent harm from AI.
New Jersey AG Publishes Guidance on Algorithmic Discrimination: On January 9, 2025, New Jersey’s Attorney General and Division on Civil Rights announced a new civil rights and technology initiative to address the risks of discrimination and bias-based harassment in AI and other advanced technologies. The initiative includes the publication of a Guidance Document, which addresses the applicability of New Jersey’s Law Against Discrimination (“LAD”) to automated decision-making tools and technologies. It focuses on the threats posed by automated decision-making technologies in the housing, employment, healthcare, and financial services contexts, emphasizing that the LAD applies to discrimination regardless of the technology at issue. Also included in the announcement is the launch of a new Civil Rights Innovation lab, which “will aim to leverage technology responsibly to advance [the Division’s] mission to prevent, address, and remedy discrimination.” The Lab will partner with experts and relevant industry stakeholders to identify and develop technology to enhance the Division’s enforcement, outreach, and public education work, and will develop protocols to facilitate the responsible deployment of AI and related decision-making technology. This initiative, along with the recently effective New Jersey Data Protection Act, shows a significantly increased focus from the New Jersey Attorney General on issues relating to data privacy and automated decision-making technologies.
New Jersey Publishes Comprehensive Privacy Law FAQs: The New Jersey Division of Consumer Affairs Cyber Fraud Unit (“Division”) published FAQs that provide a general summary of the New Jersey Data Privacy Law (“NJDPL”), including its scope, key definitions, consumer rights, and enforcement. The NJDPL took effect on January 15, 2025, and the FAQs state that controllers subject to the NJDPL are expected to comply by such date. However, the FAQs also emphasize that until July 1, 2026, the Division will provide notice and a 30-day cure period for potential violations. The FAQs also suggest that the Division may adopt a stricter approach to minors’ privacy. While the text of the NJDPL requires consent for processing the personal data of consumers between the ages of 13 and 16 for purposes of targeted advertising, sale, and profiling, the FAQs state that when a controller knows or willfully disregards that a consumer is between the ages of 13 and 16, consent is required to process their personal data more generally.
CPPA Extends Formal Comment Period for Automated Decision-Making Technology Regulations: The California Privacy Protection Agency (“CPPA”) extended the public comment period for its proposed regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies under the California Privacy Rights Act. The public comment period opened on November 22, 2024, and was set to close on January 14, 2025. However, due to the wildfires in Southern California, the public comment period was extended to February 19, 2025. The CPPA will also be holding a public hearing on that date for interested parties to present oral and written statements or arguments regarding the proposed regulations.
Oregon DOJ Publishes Toolkit for Consumer Privacy Rights: The Oregon Department of Justice announced the release of a new toolkit designed to help Oregonians protect their online information. The toolkit is designed to help families understand their rights under the Oregon Consumer Privacy Act. The Oregon DOJ reminded consumers how to submit complaints when businesses are not responsive to privacy rights requests. The Oregon DOJ also stated it has received 118 complaints since the Oregon Consumer Privacy Act took effect last July and had sent notices of violation to businesses that have been identified as non-compliant.
California, Colorado, and Connecticut AGs Remind Consumers of Opt-Out Rights: California Attorney General Rob Bonta published a press release reminding residents of their right to opt out of the sale and sharing of their personal information. The California Attorney General also cited the robust privacy protections of Colorado and Connecticut laws that provide for similar opt-out protections. The press release urged consumers to familiarize themselves with the Global Privacy Control (“GPC”), a browser setting or extension that automatically signals to businesses that they should not sell or share a consumer’s personal information, including for targeted advertising. The Attorney General also provided instructions for the use of the GPC and for exercising op-outs by visiting the websites of individual businesses.
FEDERAL LAWS & REGULATIONS
FTC Finalizes Updates to COPPA Rule: The FTC announced the finalization of updates to the Children’s Online Privacy Protection Rule (the “Rule”). The updated Rule makes a number of changes, including requiring opt-in consent to engage in targeted advertising to children and to disclose children’s personal information to third parties. The Rule also adds biometric identifiers to the definition of personal information and prohibits operators from retaining children’s personal information for longer than necessary for the specific documented business purposes for which it was collected. Operators must maintain a written data retention policy that documents the business purpose for data retention and the retention period for data. The Commission voted 5-0 to adopt the Rule, but new FTC Chair Andrew Ferguson filed a separate statement describing “serious problems” with the rule. Ferguson specifically stated that it was unclear whether an entirely new consent would be required if an operator added a new third party with whom personal information would be shared, potentially creating a significant burden for businesses. The Rule will be effective 60 days after its publication in the Federal Register.
Trump Rescinds Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence: President Donald Trump took action to rescind former President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“AI EO”). According to a Biden administration statement released in October, many action items from the AI EO have already been completed. Recommendations, reports, and opportunities for research that were completed prior to revocation of the AI EO may continue in place unless replaced by additional federal agency action. It remains unclear whether the Trump Administration will issue its own executive orders relating to AI.
U.S. Justice Department Issues Final Rule on Transfer of Sensitive Personal Data to Foreign Adversaries: The U.S. Justice Department issued final regulations to implement a presidential Executive Order regarding access to bulk sensitive personal data of U.S. citizens by foreign adversaries. The regulations restrict transfers involving designated countries of concern – China, Cuba, Iran, North Korea, Russia, and Venezuela. At a high level, transfers are restricted if they could result in bulk sensitive personal data access by a country of concern or a “covered person,” which is an entity that is majority-owned by a country of concern, organized under the laws of a country of concern, has its principle place of business in a country of concern, or is an individual whose primary residence is in a county of concern. Data covered by the regulation includes precise geolocation data, biometric identifiers, genetic data, health data, financial data, government-issued identification numbers, and certain other identifiers, including device or hardware-based identifiers, advertising identifiers, and demographic or contact data.
First Complaint Filed Under Protecting Americans’ Data from Foreign Adversaries Act: The Electronic Privacy Information Center (“EPIC”) and the Irish Counsel for Civil Liberties (“ICCL”) Enforce Unit filed the first-ever complaint under the Protecting Americans’ Data from Foreign Adversaries Act (“PADFAA”). PADFAA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals residing in the United States to North Korea, China, Russia, Iran, or an entity controlled by one of those countries. The complaint alleges that Google’s real-time bidding system data includes personally identifiable sensitive data, that Google executives were aware that data from its real-time bidding system may have been resold, and that Google’s public list of certified companies that receive real-time bidding bid request data include multiple companies based in foreign adversary countries.
FDA Issues Draft Guidance for AI-Enabled Device Software Functions: The U.S. Food and Drug Administration (“FDA”) published its January 2025 Draft Guidance for Industry and FDA Staff regarding AI-enabled device software functionality. The Draft provides recommendations regarding the contents of marketing submissions for AI-enabled medical devices, including documentation and information that will support the FDA’s evaluation of their safety and effectiveness. The Draft Guidance is designed to reflect a “comprehensive approach” to the management of devices through their total product life cycle and includes recommendations for the design, development, and implementation of AI-enabled devices. The FDA is accepting comments on the Draft Guidance, which may be submitted online until April 7, 2025.
Industry Coalition Pushes for Unified National Data Privacy Law: A coalition of over thirty industry groups, including the U.S. Chamber of Commerce, sent a letter to Congress urging it to enact a comprehensive national data privacy law. The letter highlights the urgent need for a cohesive federal standard to replace the fragmented state laws that complicate compliance and stifle competition. The letter advocates for legislation based on principles to empower startups and small businesses by reducing costs and improving consumer access to services. The letter supports granting consumers the right to understand, correct, and delete their data, and to opt out of targeted advertising, while emphasizing transparency by requiring companies to disclose data practices and secure consent for processing sensitive information. It also focuses on the principles of limiting data collection to essential purposes and implementing robust security measures. While the principles aim to override strong state laws like that in California, the proposal notably excludes data broker regulation, a previous point of contention. The coalition cautions against legislation that could lead to frivolous litigation, advocating for balanced enforcement and collaborative compliance. By adhering to these principles, the industry groups seek to ensure legal certainty and promote responsible data use, benefiting both businesses and consumers.
Cyber Trust Mark Unveiled: The White House launched a labeling scheme for internet-of-things devices designed to inform consumers when devices meet certain government-determined cybersecurity standards. The program has been in development for several months and involves collaboration between the White House, the National Institute of Standards and Technology, and the Federal Communications Commission. UL Solutions, a global safety and testing company headquartered in Illinois, has been selected as the lead administrator of the program along with 10 other firms as deputy administrators. With the main goal of helping consumers make more cyber-secure choices when purchasing products, the White House hopes to have products with the new cyber trust mark hit shelves before the end of 2025.
U.S. LITIGATION
Texas Attorney General Sues Insurance Company for Unlawful Collection and Sharing of Driving Data: Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its data analytics subsidiary, Arity. The lawsuit alleges that Arity paid app developers to incorporate its software development kit that tracked location data from over 45 million consumers in the U.S. According to the lawsuit, Arity then shared that data with Allstate and other insurers, who would use the data to justify increasing car insurance premiums. The sale of precise geolocation data of Texans violated the Texas Data Privacy and Security Act (“TDPSA”) according to the Texas Attorney General. The TDPSA requires the companies to provide notice and obtain informed consent to use the sensitive data of Texas residents, which includes precise geolocation data. The Texas Attorney General sued General Motors in August of 2024, alleging similar practices relating to the collection and sale of driver data.
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule, Upholds Broader Telemarketing Practices: In Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025), the Eleventh Circuit vacated the FCC’s one-to-one consent rule under the Telephone Consumer Protection Act (“TCPA”). The court found that the rule exceeded the FCC’s authority and conflicted with the statutory meaning of “prior express consent.” By requiring separate consent for each seller and topic-related call, the rule was deemed unnecessary. This decision allows businesses to continue using broader consent practices, maintaining shared consent agreements. The ruling emphasizes that consent should align with common-law principles rather than be restricted to a single entity. While the FCC’s next steps remain uncertain, the decision reduces compliance burdens and may challenge other TCPA regulations.
California Judge Blocks Enforcement of Social Media Addiction Law: The California Protecting Our Kids from Social Media Addiction Act (the “Act”) has been temporarily blocked. The Act was set to take effect on January 1, 2025. The law aims to prevent social media platforms from using algorithms to provide addictive content to children. Judge Edward J. Davila initially declined to block key parts of the law but agreed to pause enforcement until February 1, 2025, to allow the Ninth Circuit to review the case. NetChoice, a tech trade group, is challenging the law on First Amendment grounds. NetChoice argues that restricting minors’ access to personalized feeds violates the First Amendment. The group has appealed to the Ninth Circuit and is seeking an injunction to prevent the law from taking effect. Judge Davila’s decision recognized the “novel, difficult, and important” constitutional issues presented by the case. The law includes provisions to restrict minors’ access to personalized feeds, limit their ability to view likes and other feedback, and restrict third-party interaction.
U.S. ENFORCEMENT
FTC Settles Enforcement Action Against General Motors for Sharing Geolocation and Driving Behavior Data Without Consent: The Federal Trade Commission (“FTC”) announced a proposed order to settle FTC allegations against General Motors that it collected, used, and sold driver’s precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent. The FTC specifically alleged General Motors used a misleading enrollment process to get consumers to sign up for its OnStar-connected vehicle service and Smart Driver feature without proper notice or consent during that process. The information was then sold to third parties, including consumer reporting agencies, according to the FTC. As part of the settlement, General Motors will be prohibited from disclosing driver data to consumer reporting agencies, required to allow consumers to obtain and delete their data, required to obtain consent prior to collection, and required to allow consumers to limit data collected from their vehicles.
FTC Releases Proposed Order Against GoDaddy for Alleged Data Security Failures: The Federal Trade Commission (“FTC”) has announced it had reached a proposed settlement in its action against GoDaddy Inc. (“GoDaddy”) for failing to implement reasonable and appropriate security measures, which resulted in several major data breaches between 2019 and 2022. According to the FTC’s complaint, GoDaddy misled customers of its data security practices, through claims on its websites and in email and social media ads, and by representing it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. However, the FTC found that GoDaddy failed to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events, and segment its shared hosting from less secure environments. The FTC’s proposed order against GoDaddy prohibits GoDaddy from misleading its customers about its security practices and requires GoDaddy to implement a comprehensive information security program. GoDaddy must also hire a third-party assessor to conduct biennial reviews of its information security program.
CPPA Reaches Settlements with Additional Data Brokers: Following their announcement of a public investigative sweep of data broker registration compliance, the CPPA has settled with additional data brokers PayDae, Inc. d/b/a Infillion (“Infillion”), The Data Group, LLC (“The Data Group”), and Key Marketing Advantage, LLC (“KMA”) for failing to register as a data broker and pay an annual fee as required by California’s Delete Act. Infillion will pay $54,200 for failing to register between February 1, 2024, and November 4, 2024. The Data Group will pay $46,600 for failing to register between February 1, 2024, and September 20, 2024. KMA will pay $55,800 for failing to register between February 1, 2024, and November 5, 2024. In addition to the fines, the companies have agreed to injunctive terms. The Delete Act imposes fines of $200 per day for failing to register by the deadline.
Mortgage Company Fined by State Financial Regulators for Cybersecurity Breach: Bayview Asset Management LLC and three affiliates (collectively, “Bayview”) agreed to pay a $20 million fine and improve their cybersecurity programs to settle allegations from 53 state financial regulators. The Conference of State Bank Supervisors (“CSBS”) alleged that the mortgage companies had deficient cybersecurity practices and did not fully cooperate with regulators after a 2021 data breach. The data breach compromised data for 5.8 million customers. The coordinated enforcement action was led by financial regulators in California, Maryland, North Carolina, and Washington State. The regulators said the companies’ information technology and cybersecurity practices did not meet federal or state requirements. The firms also delayed the supervisory process by withholding requested information and providing redacted documents in the initial stages of a post-breach exam. The companies also agreed to undergo independent assessments and provide three years of additional reporting to the state regulators.
SEC Reaches Settlement over Misleading Cybersecurity Disclosures: The SEC announced it has settled charges with Ashford Inc., an asset management firm, over misleading disclosures related to a cybersecurity incident. This enforcement action stemmed from a ransomware attack in September 2023, compromising over 12 terabytes of sensitive hotel customer data, including driver’s licenses and credit card numbers. Despite the breach, Ashford falsely reported in its November 2023 filings that no customer information was exposed. The SEC alleged negligence in Ashford’s disclosures, citing violations of the Securities Act of 1933 and the Exchange Act of 1934. Without admitting or denying the allegations, Ashford agreed to a $115,231 penalty and an injunction. This case highlights the critical importance of accurate cybersecurity disclosures and demonstrates the SEC’s commitment to ensuring transparency and accountability in corporate reporting.
FTC Finalizes Data Breach-Related Settlement with Marriott: The FTC has finalized its order against Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”). As previously reported, the FTC entered into a settlement with Marriott and Starwood for three data breaches the companies experienced between 2014 and 2020, which collectively impacted more than 344 million guest records. Under the finalized order, Marriott and Starwood are required to establish a comprehensive information security program, implement a policy to retain personal information only for as long as reasonably necessary, and establish a link on their website for U.S. customers to request deletion of their personal information associated with their email address or loyalty rewards account number. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points. The companies are further prohibited from misrepresenting their information collection practices and data security measures.
New York Attorney General Settles with Auto Insurance Company over Data Breach: The New York Attorney General settled with automobile insurance company, Noblr, for a data breach the company experienced in January 2021. Noblr’s online insurance quoting tool exposed full, plaintext driver’s license numbers, including on the backend of its website and in PDFs generated when a purchase was made. The data breach impacted the personal information of more than 80,000 New Yorkers. The data breach was part of an industry-wide campaign to steal personal information (e.g., driver’s license numbers and dates of birth) from online automobile insurance quoting applications to be used to file fraudulent unemployment claims during the COVID-19 pandemic. As part of its settlement, Noblr must pay the New York Attorney General $500,000 in penalties and strengthen its data security measures such as by enhancing its web application defenses and maintaining a comprehensive information security program, data inventory, access controls (e.g., authentication procedures), and logging and monitoring systems.
FTC Alleges Video Game Maker Violated COPPA and Engaged in Deceptive Marketing Practices: The Federal Trade Commission (“FTC”) has taken action against Cognosphere Pte. Ltd and its subsidiary Cognosphere LLC, also known as HoYoverse, the developer of the game Genshin Impact (“HoYoverse”). The FTC alleges that HoYoverse violated the Children’s Online Privacy Protection Act (“COPPA”) and engaged in deceptive marketing practices. Specifically, the company is accused of unfairly marketing loot boxes to children and misleading players about the odds of winning prizes and the true cost of in-game transactions. To settle these charges, HoYoverse will pay a $20 million fine and is prohibited from allowing children under 16 to make in-game purchases without parental consent. Additionally, the company must provide an option to purchase loot boxes directly with real money and disclose loot box odds and exchange rates. HoYoverse is also required to delete personal information collected from children under 13 without parental consent. The FTC’s actions aim to protect consumers, especially children and teens, from deceptive practices related to in-game purchases.
OCR Finalizes Several Settlements for HIPAA Violations: Prior to the inauguration of President Trump, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) brought enforcement actions against four entities, USR Holdings, LLC (“USR”), Elgon Information Systems (“Elgon”), Solara Medical Supplies, LLC (“Solara”) and Northeast Surgical Group, P.C. (“NESG”), for potential violations of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule due to the data breaches the entities experienced. USR reported that between August 23, 2018, and December 8, 2018, a database containing the electronic protected health information (“ePHI”) of 2,903 individuals was accessed by an unauthorized third party who was able to delete the ePHI in the database. Elgon and NESG each discovered a ransomware attack in March 2023, which affected the protected health information (“PHI”) of approximately 31,248 individuals and 15,298 individuals, respectively. Solara experienced a phishing attack that allowed an unauthorized third party to gain access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the compromise of 114,007 individuals’ ePHI. As part of their settlements, each of the entities is required to pay a fine to OCR: USR $337,750, Elgon $80,000, Solara $3,000,000, and NESG $10,000. Additionally, each of the entities is required to implement certain data security measures such as conducting a risk analysis, implementing a risk management plan, maintaining written policies and procedures to comply with HIPAA, and distributing such policies or providing training on such policies to its workforce.
Virgina Attorney General Sues TikTok for Addictive Fees and Allowing Chinese Government to Access Data: Virginia Attorney General Jason Miyares announced his office had filed a lawsuit against TikTok and ByteDance Ltd, the Chinese-based parent company of TikTok. The lawsuit alleges that TikTok was intentionally designed to be addictive for adolescent users and that the company deceived parents about TikTok content, including by claiming the app is appropriate for children over the age of 12 in violation of the Virginia Consumer Protection Act.
INTERNATIONAL LAWS & REGULATIONS
UK ICO Publishes Guidance on Pay or Consent Model: On January 23, the UK’s Information Commissioner’s Office (“ICO”) published its Guidance for Organizations Implementing or Considering Implementing Consent or Pay Models. The guidance is designed to clarify how organizations can deploy ‘consent or pay’ models in a manner that gives users meaningful control over the privacy of their information while still supporting their economic viability. The guidance addresses the requirements of applicable UK laws, including PECR and the UK GDPR, and provides extensive guidance as to how appropriate fees may be calculated and how to address imbalances of power. The guidance includes a set of factors that organizations can use to assess their consent models and includes plans to further engage with online consent management platforms, which are typically used by businesses to manage the use of essential and non-essential online trackers. Businesses with operations in the UK should carefully review their current online tracker consent management tools in light of this new guidance.
EU Commission to Pay Damages for Sending IP Address to Meta: The European General Court has ordered the European Commission to pay a German citizen, Thomas Bindl, €400 in damages for unlawfully transferring his personal data to the U.S. This decision sets a new precedent regarding EU data protection litigation. The court found that the Commission breached data protection regulations by operating a website with a “sign in with Facebook” option. This resulted in Bindl’s IP address, along with other data, being transferred to Meta without ensuring adequate safeguards were in place. The transfer happened during the transition period between the EU-U.S. Privacy Shield and the EU-U.S. Data Protection Framework. The court determined that this left Bindl in a position of uncertainty about how his data was being processed. The ruling is significant because it recognizes “intrinsic harm” and may pave the way for large-scale collective redress actions.
European Data Protection Board Releases AI Bias Assessment and Data Subject Rights Tools: The European Data Protection Board (“EDPB”) released two AI tools as part of the AI: Complex Algorithms and effective Data Protection Supervision Projects. The EDPB launched the project in the context of the Support Pool of Experts program at the request of the German Federal Data Protection Authority. The Support Pool of Experts program aims to help data protection authorities increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts. The new documents address best practices for bias evaluation and the effective implementation of data subject rights, specifically the rights to rectification and erasure when AI systems have been developed with personal data.
European Data Protection Board Adopts New Guidelines on Pseudonymization: The EDPB released new guidelines on pseudonymization for public consultation (the “Guidelines”). Although pseudonymized data still constitutes personal data under the GDPR, pseudonymization can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorized access or use. In certain circumstances, the risk reduction resulting from pseudonymization may enable controllers to rely on legitimate interests as the legal basis for processing personal data under the GDPR, provided they meet the other requirements, or help guarantee an essentially equivalent level of protection for data they intend to export. The Guidelines provide real-world examples illustrating the use of pseudonymization in various scenarios, such as internal analysis, external analysis, and research.
CJEU Issues Ruling on Excessive Data Subject Requests: On January 9, the Court of Justice of the European Union (“CJEU”) issued its ruling in the case Österreichische Datenschutzbehörde (C‑416/23). The primary question before the Court was when a European data protection authority may deny consumer requests due to their excessive nature. Rather than specifying an arbitrary numerical threshold of requests received, the CJEU found that authorities must consider the relevant facts to determine whether the individual submitting the request has “an abusive intention.” While the number of requests submitted may be a factor in determining this intention, it is not the only factor. Additionally, the CJEU emphasized that Data Protection Authorities should strongly consider charging a “reasonable fee” for handling requests they suspect may be excessive prior to simply denying them.
Daniel R. Saeedi, Rachel L. Schaller Gabrielle N. Ganz, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin contributed to this article
Health-e Law Episode 15: Healthcare Security is Homeland Security with Jonathan Meyer, former DHS GC and Partner at Sheppard Mullin [Podcast]
Welcome to Health-e Law, Sheppard Mullin’s podcast exploring the fascinating health tech topics and trends of the day. In this episode, Jonathan Meyer, former general counsel of the Department of Homeland Security and Leader of Sheppard Mullin’s National Security Team, joins us to discuss cyberthreats and data security from the perspective of national security, including the implications for healthcare.
What We Discussed in This Episode
How do cyberattacks and data privacy impact national security?
How can personal data be weaponized to cause harm to an individual, and why should people care?
Many adults are aware they need to keep their own personal data secure for financial reasons, but what about those who aren’t financially active, such as children?
How is healthcare particularly vulnerable to cyberthreats, even outside the hospital setting?
What can stakeholders do better at the healthcare level?
What can individuals do better to ensure their personal data remains secure?
HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025
Summary
On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.
Two weeks after the NPRM was published in the Federal Register, President Trump issued an Executive Order requiring a “Regulatory Freeze Pending Review.” The regulatory freeze makes the fate of the proposed Security Rule amendments unclear. If the proposed Security Rule amendments proceed unchanged, regulated entities and health plan sponsors could incur significant combined costs, which HHS estimates at approximately $9.3 billion in the first year of implementation.[5]
HIPAA Framework
The statutory and regulatory framework that governs the privacy and security of (most) health information in the United States is codified under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, enacted on August 21, 1996 (“HIPAA”). Changes and additional requirements to this statutory and regulatory framework were included in the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, signed into law on February 17, 2009. Additionally, the Genetic Information and Nondiscrimination Act of 2008 (“GINA”), Public Law 110-233, signed into law on May 21, 2008, included provisions governing the use of genetic data.
In addition to the Security Rule, HHS issued regulations under HIPAA on Standards for Privacy of Individually Identifiable Health Information comprising 45 C.F.R. Parts 160 and 164, Subparts A and E (“Privacy Rule”), Standards for Notification in the Case of Breach of Unsecured Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart D (“Breach Notification Rule”), and Rules for Compliance and Investigations, Impositions of Civil Monetary Penalties, and Procedures for Hearings comprising 45 C.F.R. Part 160, Subparts C, D, and E (”Enforcement Rule”). These rules, developed through successive waves of the administrative rulemaking process, are extensive and complex.
Summary of the NPRM and Specific Requests for Comment
The Security Rule applies only to ePHI transmitted by or maintained in electronic media by covered entities and business associates (“regulated entities”). The NPRM proposes several modifications to the Security Rule in recognition of the “significant changes in which health care is provided and how the health care industry operates”[6] since the Security Rule was last revised in 2013. As is common for significant rulemaking, HHS often requests comments on its proposed rule changes, including perceived benefits, drawbacks, unintended consequences, and specific considerations for each proposal.
Security Rule Requirements Are Not Optional. The Security Rule currently distinguishes between “addressable” and “required” implementation specifications to provide regulated entities with flexibility to implement administrative, physical, and technical safeguards that are reasonable and appropriate based on their risk analysis, risk mitigation strategies, existing security measures, and implementation costs. HHS has observed that, despite extensive guidance and regulation, some regulated entities have incorrectly interpreted “addressable” implementation specifications to be “optional” requirements, resulting in compliance gaps and increased risks to ePHI.[7] HHS proposes to eliminate the distinction between “addressable” and “required” implementation specifications to simplify and clarify the baseline mandatory security measures that regulated entities must meet in order to demonstrate they are reasonably and appropriately safeguarding ePHI.[8] With respect to this proposed modification, HHS requests comment on whether removing the distinction between required and addressable implementation specifications would result in unintended negative consequences for regulated entities and recommendations for how HHS may clarify that regulated entities are required to implement the security measures proposed in the NPRM.[9]
Routine Review and Testing of Security Measures. The proposed amendments to the Security Rule would require regulated entities to review and test the effectiveness of their required security measures “on a specified cadence” and to modify them as reasonable and appropriate.[10] Some of the proposed measures for reviewing and testing measures are undertaking tabletop exercises to assess how effectively personnel follow incident response and security procedures, conducting knowledge assessments after training on policies and procedures, and reviewing system logs and access records to evaluate whether personnel are properly complying with policies and procedures governing access to ePHI.[11]
Data Inventory, Network Map, and Risk Analysis.[12] The proposed Security Rule amendments include replacing the existing standard for security management process (45 C.F.R. 164.308(a)(1)) with a new requirement that a regulated entity conduct and maintain a written technology asset inventory. This inventory would demonstrate the regulated entity’s awareness of the location of ePHI it records, maintains, or processes. Additionally, regulated entities would be required to maintain a network map of their “electronic information systems”, including all technology assets that may impact the confidentiality, integrity, or availability of ePHI. The network map must detail the movement of ePHI within the regulated entity’s electronic information systems, showing how ePHI enters, exits, and is accessed from outside the electronic information systems. HHS also proposes to require a regulated entity to use information from the data inventory and network map to conduct a risk analysis to identify the potential risks and vulnerabilities to ePHI and related electronic information systems.[13] These proposed changes to the administrative safeguard requirements align with HHS’s objective of harmonizing HIPAA standards with familiar concepts from other data privacy and security frameworks and laws[14] that require organizations to understand the flow of the data they process. The changes also aim to enhance a regulated entity’s ability to identify and manage risks to the confidentiality, integrity, and availability of ePHI.
Encryption as a Standard.[15]HHS proposes to redesignate encryption and decryption from an implementation specification for access control (45 C.F.R. 164.312(a)) and transmission security (45 C.F.R. 164.312(e)) to a standalone standard for technical safeguards in order “to increase its visibility and prominence.” The proposed amendments would require a regulated entity to use widely accepted encryption standards to protect ePHI at rest and in transit, update encryption methods as standards evolve, and maintain up-to-date risk analyses and security plans, subject to limited exceptions. For example, if a regulated entity is currently using a technology asset that does not support prevailing encryption standards, the regulated entity may still be in compliance with the encryption requirement provided that it “establish[es] a written plan to migrate ePHI to technology assets that support encryption consistent with prevailing [encryption] standards and to implement such a plan… within a reasonable and appropriate period of time.”[16] Another proposed exception would be when a regulated entity is transmitting unencrypted ePHI in response to an individual’s request pursuant to 45 CFR 164.524 (HIPAA Right of Access), wherein the individual instructs the regulated entity to submit responsive data in an unencrypted format (e.g., some types of text messaging instant messaging, or via an unencrypted app).[17]
Authentication. HHS also proposes amendments to the existing standard for authentication by requiring a regulated entity to implement procedures that include technical controls for verifying the identity of those accessing a regulated entity’s electronic information system. HHS also proposes four new implementation specifications under this standard: (i) eliminate the use of default passwords, such as by requiring personnel to change any default passwords to unique passwords that are consistent with current authoritative source recommendations for unique passwords;[18] (ii) require regulated entities to use multi-factor authentication (“MFA”) to all technology assets in its relevant electronic information systems to verify that the person seeking access is the one claimed;[19] (iii) specific exceptions to MFA, including for currently-used technology assets that do not support MFA, when MFA is infeasible during an emergency, and for a technology asset that is a “device” defined under section 201(h) of the Federal Food, Drug, and Cosmetic Act;[20] and (iv) require a regulated entity to review and test the effectiveness of technical controls required by the authentications standard at least once every 12 months or in response to environmental or operational changes, whichever is more frequent, and modifying as reasonable appropriate.[21]
Contingency Planning and Response.[22] The proposed Security Rule amendments would require a regulated entity to establish and implement, as needed, a written contingency plan that includes policies and procedures for responding to emergencies, such as fire, system failure, natural disaster, or security incident that adversely impacts the confidentiality, integrity, and availability of ePHI. The proposed standard for contingency planning would require regulated entities to, among other things, perform and document an assessment of the criticality of relevant electronic information systems that create, receive, maintain, or transmit ePHI or that are otherwise crucial to ensuring the confidentiality, integrity, or availability of ePHI, providing patient care, and supporting other business needs. Additionally, regulated entities would be required to establish and implement a written data backup plan that includes procedures for creating and maintaining exact retrievable copies of ePHI; to restore critical relevant electronic information systems and data within 72 hours of loss; and to review and implement procedures for testing contingency plans at least once every 12 months and to document and modify as appropriate the results of such tests.
Compliance Audits.[23]The proposed Security Rule amendments require that a regulated entity conduct and document an audit of compliance with each standard and implementation specification of the Security Rule, either via an internal or third-party compliance audit, at least once every 12 months.
Business Associate Management.[24] HHS proposes to require regulated entities to verify that their business associates have implemented required technical safeguards and to obtain satisfactory assurances of compliance with the Security Rule. To support compliance with this new standard, regulated entities will be required to obtain written verification from their business associates at least once every 12 months. The verification must include a written analysis of the business associate’s electronic information systems conducted by a qualified individual with expertise in cybersecurity principles, and must be accompanied by a written certification from an authorized representative of the business associate, affirming that the analysis has been completed and is accurate. The proposed Security Rule amendment allows flexibility in selecting the individual to perform the analysis, permitting a regulated entity to select either an internal or third party to conduct the required analyses. This proposed requirement aligns with HHS’s Cybersecurity Performance Goals for Vendor/Supplier Cybersecurity,[25] which emphasizes identifying, assessing, and mitigating risks to ePHI shared with business associates.
Updated and New Definitions. HHS proposes to update 15 existing definitions in the Security Rule: access, administrative safeguards, authentication, availability, confidentiality, information system and electronic information system, malicious software, password, physical safeguards, security or security measures, security incident, technical safeguards, user, and workstation, primarily to clarify inconsistencies within the Security Rule.[26] For example, the proposed Security Rule amendments seek to modify the definitions for “administrative safeguards,” “physical safeguards,” and “technical safeguards”[27] to clarify that requirements also apply to actions to the policies and procedures addressing the activities covered by each definition. The proposed Security Rule amendments also seek to update the definition of “electronic media”[28] to include not only media on which data is or may be recorded electronically, but also media on which data may be maintained or processed. The proposed update expands the definition, capturing potential vectors for accessing or transmitting ePHI under the Security Rule’s requirements, thus reducing gaps in compliance. The proposed Security Rule amendments also propose to add 10 new defined terms to the Security Rule including: deploy, implement, electronic information system, multi-factor authentication, relevant electronic information system, risk, technical controls, technology asset, threat, and vulnerability[29] to clarify the scope of the Security Rule’s requirements and to further align the Security Rule with NIST CSF and other common security frameworks. HHS requests comments on whether the proposed updated definitions “would be problematic for regulated entities or result in unintended adverse consequences.” HHS also requests specific comments on some of the proposed definitions, including whether the proposed definition for “electronic media” accurately captures current uses and allows for future technological innovation, and whether additions to the non-exhaustive list of examples of electronic media are needed.
Impact on Regulated Entities
President Trump’s “Regulatory Freeze Pending Review” Executive Order directed federal agencies to “not propose or issue any rule in any manner… until a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.” While hearings for confirmation of the President’s nominee for Secretary of Health and Human Services are in process, the proposed amendments to the Security Rule face an uncertain future: they could move ahead as proposed in the NPRM, the proposed amendments could be revised and reissued, or the NPRM could be withdrawn entirely.
If, however, the proposed Security Rule amendments move forward in their current form, the impact on regulated entities and health plan sponsors would be substantial. HHS estimated that in the first year of implementing the proposed regulatory changes, regulated entities would incur approximately $4.655 billion in costs, while plan sponsors would incur about $4.659 billion.[30] HHS attributes these estimated costs to the following activities: conducting a Security Rule compliance audit; obtaining verification of business associates’ and subcontractors’ compliance with technical safeguards; providing verification of business associates’ compliance with technical safeguards; providing notification of termination or change of workforce members’ access to ePHI; deploying MFA and penetration testing; segmenting networks; disabling unused ports; removing extraneous software; notifying covered entities or business associates, as applicable, upon activation of a contingency plan; and updating health plan documents, policies and procedures, workforce training, and business associate agreements. These costs also include deployment of safeguards by health plan sponsors for their relevant electronic information systems to meet the new Security Rule standards and notifying group health plans upon activation of a plan sponsor’s contingency plan.
For more information, please contact the authors or your Squire Patton Boggs relationship attorney.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.
[1] 45 CFR 160.103.
[2] See, e.g., NIST Cybersecurity Framework (“NIST CSF”), HHS’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, the HHS Cybersecurity Performance Goals, the Federal Trade Commission’s (“FTC”) ‘‘Start with Security: A Guide for Business.” U.S. Department of Health and Human Services, 90 Fed. Reg. 900 (January 6, 2025).
[3] See, e.g., University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, 985 F.3d 472, 478 (5th Cir. 2021). 90 Fed. Reg. 916.
[4] 90 Fed. Reg. 898.
[5] 90 Fed. Reg. 1010.
[6] 90 Fed. Reg. 899.
[7] 90 Fed. Reg. 917.
[8] 90 Fed. Reg. 933.
[9] 90 Fed. Reg. 934.
[10] 90 Fed. Reg. 936.
[11] Id.
[12] 90 Fed. Reg. 937.
[13] 90 Fed. Reg. 940.
[14] National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), EU General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), Brazilian General Personal Data Protection Law (“LGPD”), and Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
[15] 90 Fed. Reg. 968.
[16] 90 Fed. Reg. 968-969.
[17] 90 Fed. Reg. 969.
[18] 90 Fed. Reg. 974.
[19] 90 Fed. Reg. 974-976.
[20] 90 Fed. Reg. 975.
[21] 90 Fed. Reg. 976-977.
[22] 90 Fed. Reg. 955.
[23] Id.
[24] 90 Fed. Reg. 924.
[25] https://hhscyber.hhs.gov/performance-goals.html.
[26] 90 Fed. Reg. 922.
[27] 45 C.F.R. 164.304
[28] 45 C.F.R. 160.103
[29] 90 Fed. Reg. 922.
[30] 90 Fed. Reg. 1010.
HHS’s Proposed Security Rule Updates Will Substantially Increase the Controls Needed to Comply with the Technical Safeguard Requirements
In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are tackling the proposed updates to the HIPAA Security Rule’s technical safeguard requirements (45 C.F.R. § 164.312). Last week’s post on group health plan and sponsor practices is available here.
Existing Requirements
Under the existing regulations, HIPAA-covered entities and business associates must generally implement the following five standard technical safeguards for electronic protected health information (ePHI):
Access Controls – Implementing technical policies and procedures for its electronic information systems that maintain ePHI to allow only authorized persons to access ePHI.
Audit Controls – Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
Integrity – Implementing policies and procedures to ensure that ePHI is not improperly altered or destroyed.
Authentication – Implementing procedures to verify that a person seeking access to ePHI is who they say they are.
Transmission Security – Implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.
The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities — until now.
What Are the New Technical Safeguard Requirements?
The NPRM substantially modifies and specifies the particular technical safeguards needed for compliance. In particular, the NPRM restructured and recategorized existing requirements and added stringent standard and implementation specifications, and HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required with specific, limited exceptions.
A handful of the new or updated standards are summarized below:
Access Controls – New implementation specifications to require technical controls to ensure access are limited to individuals and technology assets that need access. Two of the controls that will be required are network segmentation and account suspension/disabling capabilities for multiple log-in failures.
Encryption and Decryption – Formerly an addressable implementation specification, the NPRM would make encryption of ePHI at-rest and in-transit mandatory, with a handful of limited exceptions, such as when the individual requests to receive their ePHI in an unencrypted manner.
Configuration Management – This new standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and the technology assets in its relevant electronic information systems, including workstations, in a consistent manner. A regulated entity also would be required to establish and maintain a minimum level of security for its information systems and technology assets.
Audit Trail and System Log Controls – Identified as “crucial” in the NPRM, this reorganized standard formerly identified as the “audit control” would require covered entities to monitor in real-time all activity in its electronic information systems for indications of unauthorized access and activity. This standard would require the entity to perform and document an audit at least once every 12 months.
Authentication – This standard enhances the implementation specifications needed to ensure ePHI is properly protected from improper alteration or destruction. Of note, the NPRM would require all regulated entities to deploy multi-factor authentication (MFA) on all technology assets, subject to limited exceptions with compensating controls, such as during an emergency when MFA is infeasible. One exemption is where the regulated entity’s existing technology does not support MFA. However, the entity would need to implement a transition plan to have the ePHI transferred to another technology asset that does support MFA within a reasonable time. Medical devices authorized for marketing by the FDA before March 2023 would be exempt from MFA if the entity deployed all recommended updates and after that date if the manufacturer supports the device or the entity deployed any manufacturer-recommended updates or patches.
Other Notable Standards – In addition to the above, the NPRM would add standards for integrity, transmission security, vulnerability management, data backup and recovery, and information systems backup and recovery. These new standards would prescribe new or updated implementation specifications, such as conducting vulnerability scanning for technical vulnerabilities, including annual penetration testing and implementing a patch management program.
Listen to this article
Healthcare Industry Leaders Predict Four Areas to Watch After the U.S. Election: Takeaways from the Business of Health Care Conference Hosted by the Miami Herbert Business School
The recent U.S. election has had profound implications for the healthcare industry, prompting industry leaders to reexamine their strategies and day-to-day operations. At the Miami Herbert Business School’s annual “The Business of Health Care” conference on January 24, 2025, a pivotal forum brought together stakeholders across key sectors—home care, hospital systems, payors, and others—to assess the election’s impact and chart a path forward. The conference highlighted the need for collaboration, innovative solutions, and strategic leadership in addressing the challenges ahead.
The speakers emphasized the need for collaboration across the healthcare spectrum to harness technological advancements, ensure sustainable healthcare financing, and address systemic challenges like provider shortages and public trust, with four key areas for potential change:
Deploying Artificial Intelligence Solutions: The administration has made funding and supporting AI technology development a priority, and AI has the potential to achieve significant administrative efficiencies and cost-savings for payors, health systems and providers. It can also contribute to developing novel drug therapies, support public health surveillance, and drive new clinical treatment modalities to support physicians. It may also help to reduce discrimination in claims processing, ensuring fairer results for patients regardless of race. However, the conference also underscored the challenges of integrating AI into health care. Valid data and clinician oversight are essential to ensure that AI systems enhance human judgment rather than replace it, particularly in pre-authorization decisions. The speakers stressed the importance of balancing technological innovation with the preservation of medical expertise to ensure equitable and effective outcomes.
Ensuring Sustainability for Medicare Advantage and ACA Policies. The oldest Baby Boomers are starting to reach 80 years of age, and the U.S. population will continue to age at a rapid pace in the coming decades. Our country’s healthcare spending is unsustainable at current pace, and value-based care solutions will be necessary to provide patients with timely access to needed care. In addition, dealing with obesity and other co-morbid conditions (e.g., hypertension, diabetes mellitus, heart failure, arthritis, etc.) requires a multi-faceted approach and collaboration among payors, providers, and the government. In strategizing about potential solutions, the panelists identified the following critical action items: controlling pharmacy costs (including via pharmacy benefit manager regulation), providing access to preventative care and early-stage interventions, having healthcare payments be consistent across various sites-of-service, and expanding the use of and access to hospice for patients at the end of their lives. Early-stage interventions and preventative care were emphasized as cost-effective strategies to improve outcomes while managing resources effectively. These value-based initiatives represent a necessary shift to meet the demands of an aging and increasingly complex patient population.
Solving for Provider Shortages, Particularly in Rural Areas. Along with an aging population, the U.S. is also grappling with widespread provider shortages, particularly in rural parts of the country, and provider burnout with physicians, nurses, and other clinical roles across the industry. The conference highlighted several strategies to address this issue, including financial incentives to attract providers to underserved areas and workplace violence prevention programs to improve working conditions for nursing staff. The panelists also highlighted that the number of medical school graduates working on the administrative side of health care has increased significantly in recent years, with lower numbers of practicing clinicians available to render care. In terms of potential solutions, the panelists highlighted that AI support may help alleviate some of the stressors, as would efforts to reduce provider burnout. The panelists also highlighted the need to make clinical work – particularly in rural areas – attractive for physicians from a financial standpoint. Finally, they identified the adoption of team-based care strategies, alone or in conjunction with value-based care solutions, is a potential way to solve for the challenges to access and timely care caused by the shortages. The speakers also emphasized the adoption of team-based care strategies, which can alleviate pressure on individual clinicians and improve the efficiency of care delivery. By fostering collaboration among healthcare professionals, team-based models can help bridge gaps in access and address the growing demand for services.
Bolstering Public Trust in Science and Institutions. The erosion of public trust in science and healthcare institutions, exacerbated by the COVID-19 pandemic and political polarization, was another pressing issue discussed. Patients’ concerns about cost, access, and claims challenges have fueled frustration, making it critical for healthcare leaders to foster transparency and combat misinformation. The panelists noted that patients have genuine concerns with respect to access, cost, and claims challenges. In addition, the fragmenting of information from social media may negatively influence patients’ opinions and attitudes toward providers. The biggest concern is that in response to another pandemic or major issue like widespread antibiotic resistance, there may be insufficient support and funding for science-based solutions. While that is a significant concern, the panelists noted that many of them are actively engaging with and educating the administration on potential policy initiatives, their outcomes, and hoping to support the strength of those institutions and their ability to respond in a crisis. The panelists noted the importance of actively engaging with communities and policymakers to address these issues and rebuild confidence in the healthcare system. They stressed that public trust is essential not only for managing future crises, but also for advancing systemic reforms that benefit all stakeholders.
The Miami Herbert Business School conference underscored the importance of strategic collaboration and adaptive leadership in addressing the healthcare industry’s most pressing challenges. As highlighted throughout the discussions, sectors such as home care, hospital systems, and payors must work together to harness AI, implement value-based care, and address workforce shortages while fostering public trust.
By prioritizing innovation, equity, and transparency, healthcare leaders can navigate these challenges and build a more efficient, sustainable, and resilient healthcare system for the future. The lessons and insights from this pivotal forum offer a roadmap for turning challenges into opportunities and delivering meaningful progress for patients, providers and payors alike.
This Week in 340B: January 28 – February 3, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: HRSA Audit Process; Contract Pharmacy; Rebate Model; Other
In one Health Resources and Services Administration (HRSA) audit process case, the plaintiff filed a brief in opposition to the government’s motion to dismiss.
In a Freedom of Information Act (FOIA) case, the government filed a motion for summary judgment.
In a breach of contract claim filed by a 340B covered entity against several related party Medicare Advantage plans, defendants’ filed an amended answer and defenses to plaintiff’s second amended complaint, and plaintiff filed a response in opposition to defendants’ motion to compel plaintiff’s claims spreadsheet.
In several cases challenging HRSA’s policy prohibiting all manufacturer conditions on 340B transactions, the court granted the parties’ joint motion for a stipulated protective order.
In a case challenging a proposed state law governing contract pharmacy arrangements in West Virginia, the court granted plaintiff’s third motion for an extension of time to respond to defendants’ motion to consolidate.
In a case challenging HRSA’s policy prohibiting manufacturer rebate models, three intervenors filed a motion to intervene.
In a case against HRSA alleging that HRSA prevented a 340B covered entity from accessing the 340B Program, the court granted the covered entity’s unopposed motion to stay all deadlines.
A drug manufacturer filed suit against HRSA to challenge certain of HRSA’s eligibility determinations.
False Claims Act: 2024 Year in Review
In 2024, the government and whistleblowers were party to 558 False Claims Act (“FCA”) settlements and judgments, just slightly fewer cases than last year’s record. As a result, collections under the FCA exceeded $2.9 billion, confirming that the FCA remains one of the government’s most important tools to root out fraud, safeguard government programs, and ensure that public funds are used appropriately. As in recent years, the healthcare industry was the primary focus of FCA enforcement, with over $1.67 billion recovered from matters involving managed care providers, hospitals, pharmacies, physicians, laboratories, and long-term acute care facilities. Other areas of focus in 2024 were government procurement fraud, pandemic fraud, and enforcement through the government’s Cyber-Fraud Initiative.
To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our thirteenth annual review of significant FCA cases, developments, and trends.
Giovanni P. Giarratana, Gregory G. Marshall, Jack W. Selden, Erin K. Sullivan, Rico Falsone, Lyndsay E. Medlin, Tara S. Sarosiek, Anna M. Lashley, Ocasha O. Musah, Brianna Rhymes, and Virginia C. Wright contributed to this article.
More Whistleblower Suits Filed Than Ever Before: The False Claims Act in 2024
As in recent years, the False Claims Act (FCA) continued to serve as a tool utilized by the federal government against government contractors in 2024. The government collected more than $2.9 billion as a result of 558 FCA settlements and judgments. Although procurement fraud was not as large a driver of the government’s recoveries as it has been in prior years, matters involving the military’s purchase of goods and services, including allegations related to the procurement process, failing to comply with contract requirements, and paying kickbacks have and will continue to be a significant concern for the government. In addition, the government’s effort to root out COVID-19-related fraud resulted in more than 250 FCA settlements and judgments, and the government collecting more than $250 million. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement & Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our 13th annual review of significant FCA cases, developments, and trends.
Listen to this post
New EPA Administrator, Same Freeze on EPA Activity
On January 29, 2025, Lee Zeldin was confirmed as the 17th Environmental Protection Agency (EPA) Administrator. After a week on the job, Zeldin continued to maintain several policies that had been put in place immediately after the Trump administration took office. Some of these policies are summarized below. While these actions are generally expected when a new administration begins, there is a sense that additional, significant changes are around the corner.
Freeze on External Actions
On January 24, 2025, the then acting EPA Administrator ordered a temporary halt on all environmental lawsuits to review and possibly change the agency’s stance on these issues. The Department of Justice’s (DOJ) Environment and Natural Resources Division, which enforces environmental protection laws, has also been ordered to freeze all activities. This included stopping pending court filings and delaying new complaints, with pending Comprehensive Environmental Response, Compensation, and Liability Act negotiations also on hold for an undetermined time.
This was followed by an internal memorandum instructing EPA staff to halt external communications (e.g., press releases, blog updates, and social media posts), except for discussions with state and federal agencies not related to enforcement, necessary communications regarding imports, and as related to the carrying out of inspections.
The EPA also announced delays for several finalized environmental rules from the prior administration. This includes rules regarding air pollution and the regulation of trichloroethylene (TCE).
The duration of each of these “freezes” is not clear at this time, but it seems aimed at helping the new administration evaluate what can be changed and likely beginning that change.
Staffing
As federal agencies implement a presidential order to limit telework and remote work, EPA employees must return to the office full-time next month. The EPA stated that regular telework and remote work agreements will be canceled to follow the recent Executive Order on the subject. EPA staff are expected to be in the office daily by February 24, unless they have a disability, medical condition, or other significant reasons certified by their supervisor.
It was also recently reported that the EPA is expected to cut over 1,000 employees who joined the agency within the past year, with a focus on those working on climate change, air pollution, and environmental regulation programs. Additionally, several senior civil service managers in the DOJ’s Environment and Natural Resource Division have reportedly been reassigned to focus on immigration matters rather than environmental issues.
How Employers and Healthcare Providers Can Navigate Immigration Enforcement
Despite the anticipation of increased enforcement of US immigration laws, the rules and practical advice related to an employer’s legal duties under the Immigration Reform and Control Act (IRCA) and what to do if US Immigration and Customs Enforcement (ICE) officers present themselves at your place of business have not changed.
This client alert provides a brief overview, proactive suggestions, and practical tips for employers, as well as for healthcare providers, whose patients may be the target of an ICE visit.
In Depth
EMPLOYER’S LEGAL DUTIES UNDER THE IRCA, AND DHS-ICE AUTHORITY TO ENFORCE IMMIGRATION LAWS
Under the IRCA, it is unlawful in the United States to hire, recruit, or continue to employ a person who is not in the country legally and not authorized to work (“an unauthorized alien,” as defined by law). An employer has a defense if it, in good faith, reviewed and accepted Form I-9 documentation that reasonably appeared to be genuine on its face.
The US Department of Homeland Security (DHS) has the authority to conduct worksite inspections and audits. ICE, the DHS component responsible for enforcing the IRCA, has the authority to appear at a worksite with a notice of inspection or subpoena, demanding the production of various documents within three days, including:
Historical lists of workers
Payroll and tax records
Company ownership information
Staffing vendor information
I-9 forms
Copies of identity and authorization documents presented by employees
During an audit, ICE may issue a “Notice of Suspect Documents” for workers believed to be unauthorized based on database checks, even if the Form I-9 was completed correctly. Employers must either contest the finding or terminate the workers, often with little time for resolution. ICE is rarely wrong about suspect documents, and confronting the worker often results in the worker not returning to work.
DHS may investigate employers, plant undercover agents within the workforce, and conduct raids with armed agents, presenting search and seizure warrants. They may seize documents, computers, and phones, and arrest unauthorized workers. The department may also prosecute employer owners and managers on charges such as harboring and trafficking unauthorized workers, mail and wire fraud, document fraud, and tax evasion. Criminal charges can result in significant fines and imprisonment.
ICE has the authority to arrest and detain most non-citizens, including those with arrest histories and certain long-term permanent residents. It can conduct workplace raids and other enforcement activities to effectuate these arrests. ICE must present a judicial warrant to enter nonpublic areas of a workplace. A judicial warrant is signed by a federal judge, not an immigration officer. The warrant must provide specific details, such as the name of the individual to be arrested, the location, and the reason for the arrest. Without a warrant, ICE is only allowed to be in public areas of the workplace.
According to a recent DHS memorandum, the department is availing itself of law enforcement components of the US Department of Justice (DOJ) – including the US Drug Enforcement Administration (DEA), the ATF, the US Marshals Service, and the Federal Bureau of Prisons (BOP) – to carry out “functions” of an immigration officer to enforce immigration law. Historically, only the US Marshals were tapped to assist when a migrant became a fugitive. Although it remains to be seen how these DOJ law enforcement resources will be directed, it is possible that DHS’s immigration enforcement capacity will be more far-reaching than under previous administrations.
POTENTIAL SANCTIONS AND PENALTIES
Employers are subject to sanctions for incorrectly completed I-9 forms, missing forms, or knowingly hiring unauthorized workers, which can range from $300 to $30,000 per worker, as well as debarment from federal contracts. Employers are allowed 10 days to correct technical errors, but certain substantive errors cannot be corrected to avoid penalties. ICE can also fine employers for failing to comply with technical requirements for electronic storage of completed forms.
Interfering with an ICE arrest warrant can also lead to criminal charges for obstructing justice. This can include fines and imprisonment, depending on the severity of the interference.
GENERAL TIPS FOR ALL EMPLOYERS
Maintain and enforce a comprehensive, compliant immigration policy.
Identify coordinators and designated points of contact in the event of any visit by ICE agents, including an ICE raid.
Conduct annual self-audits of I-9 forms to identify and address any issues before enforcement actions occur. Note: An employer is required to accept a List A document, or a List B and C document, from employees. Accepting and keeping copies of too many documents is also an IRCA violation.
Hint: If an employee presents a document from all three lists, return them and ask them to either provide a List A document, or provide a List B and a List C document. Let the employee choose, then review the requisite and correct number of documents for the Form I-9 Verification.
Ensure proper Form I-9 verification and storage, including in digital format. Designate and train individuals in I-9 verification and retention.
Enroll in E-Verify to verify social security numbers and names and ensure compliance with the IRCA. E-Verify is a platinum standard protection for employers. But it is not a safe harbor. Employers can still be fined for I-9 violations.
Use the Social Security Administration (SSA) website, if your organization is not enrolled in E-Verify, to confirm social security numbers match the employee’s name and identification.
Comply with no-match letters from the SSA by presenting the letter to the employee and asking them to present correct and valid documentation. Check that new documentation matches the name using the SSA website.
Identify and stop systematic improprieties in hiring practices.
Pay employees and submit tax withholding payments correctly, using real and correct social security numbers.
Educate staff on how to interact with ICE, DHS, or other law enforcement agents, including calling counsel and managing the situation calmly and professionally.
SPECIAL CONSIDERATIONS FOR HOSPITALS AND OTHER HEALTHCARE FACILITIES
In 2011 and 2021, ICE established a policy that generally prohibited engaging in enforcement actions at “sensitive locations,” such as healthcare facilities, schools, and religious institutions, unless exigent circumstances existed (namely, public safety threats, imminent risk of death, violence, physical harm, or destruction of evidence material to an ongoing investigation). On January 20, 2025, the Trump administration rescinded that policy, and ICE may again conduct enforcement actions in these locations. Enforcement actions may include interviews, arrests, searches, inspections, surveillance, and requests for protected health information (PHI). The Privacy Rule adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits (but does not require) disclosure of PHI in accordance with a valid court order or court-ordered warrant or a subpoena or summons issued by a judicial officer.
Healthcare professionals may have state law or ethical obligations to consider the best interests of patients. Accordingly, healthcare workers should consider any state law or ethical responsibilities to protect patients’ health with their obligations to comply with federal law. For example, in a case where ICE presents a valid judicial warrant for the arrest of a patient, if that patient is in a life-threatening or severe state, the healthcare provider could explain this to ICE officers and request that ICE officials work with the healthcare provider to determine a safe course of action for the patient.
TIPS FOR HEALTHCARE FACILITIES
Ensure staff members are familiar with the organization’s policies on patient confidentiality and the rights of both patients and healthcare providers.
Comply with the law and be mindful of emerging state laws on this issue. California is advising healthcare providers not to document patients’ immigration status on bills and medical records and advising patients and providers that they do not have to assist federal agents in arrests. Florida and Texas, by contrast, require healthcare facilities that accept Medicaid to ask the immigration status of patients (although a patient may decline to answer) and tally the cost to taxpayers of providing care to immigrants living in the United States without authorization.
Develop and train on protocols that outline the steps to be taken in the event of an ICE raid.
Designate specific roles to appropriate staff members, such as who will act as the point of contact with ICE agents and who will interact with patient(s) in question.
Healthcare facilities may post signage about patient rights, including that exam-room conversations are confidential and that privacy laws protect information in the medical record (including identifying information), and patients’ right to remain silent in the event of an ICE raid.
Healthcare facilities that are HIPAA-covered entities must provide patients an opportunity to decline to be listed in a facility directory or otherwise restrict or prohibit use of PHI for facility directory purpose.
WHAT TO DO IF AN ICE AGENT VISITS, OR IF RAIDS OCCUR AT A HEALTHCARE FACILITY
All staff members should remain calm and composed.
Only the designated points of contact should interact with ICE agents. These individuals should be well-versed in the organization’s policies and the legal rights of patients and staff.
Designated points of contact should have ICE agents identify themselves by name and badge number. While healthcare workers and organizations have no affirmative legal obligation to report undocumented immigrants to officials, healthcare workers must lawfully abide with providing information and access to facilities where a valid warrant is presented.
Designated points of contact should politely request to see and review any warrants presented by ICE agents and ensure the warrants are valid and specific to the premises before permitting access to any private areas. For the warrant to be valid, it must be signed by a federal judge (a judge’s signature will indicate such).
Hint: If the warrant is a DHS Form I-200 or I-205 signed by an immigration officer, this is not a judicial warrant. In this case, the healthcare provider can advise the ICE agent that the warrant is not a valid judicial warrant and that the ICE agents may not enter any private areas – they must remain only in public areas.
Points of contact should provide information or documents required by a valid warrant but need not provide information or records falling outside of the warrant to maintain patient confidentiality.
After the ICE visit or raid, document the event by immediately identifying the names and badge numbers of ICE agents who were present, the time and duration of their presence, and any actions taken by the agents. Secure all patient records that may have been accessed during the event.
Patient liaisons may reach out to all patients affected by the raid to inform them of what occurred and reassure them of their safety and the confidentiality of their records. Patient liaisons may also provide impacted patients and their families with information to immigration advocacy organizations and legal aid groups who can provide legal support, particularly if a patient is taken into immigration custody.
CONCLUSION
Employers and healthcare providers must remain vigilant and proactive in managing immigration compliance to avoid significant penalties and disruptions. By following these tips and working closely with experienced counsel, organizations can be in legal compliance, navigate the complexities of immigration control, and protect their businesses and managers.
Trump Administration’s ‘Regulatory Freeze Pending Review’ Pauses OSHA’s Rulemaking on Heat Illness and Emergency Response
The second term of President Donald J. Trump started with a flurry of executive orders, presidential memoranda, and directives, some of which were signed on January 20, 2025, shortly after he took the oath of office.
While the Occupational Safety and Health Administration (OSHA) is not mentioned by name in those presidential documents, it will feel the impact of requirements outlined in several. In particular, several proposals for new OSHA standards or revisions to existing OSHA standards made during the last years of the Biden presidency will be impacted.
Quick Hits
On January 20, 2025, President Trump issued a presidential memorandum, “Regulatory Freeze Pending Review,” directing “all executive departments and agencies” to refrain from proposing or issuing “any rule in any manner” until a department or agency head appointed or designated by the president reviews and approves the rule.
It immediately withdraws any rules that have been sent to the Office of the Federal Register but have not yet been published.
The memorandum’s directives apply to a broad range of OSHA activity, including rulemaking related to “Heat Injury and Illness Prevention in Outdoor and Indoor Work Settings” and the “Emergency Response Standard.” OSHA’s “Walkaround Rule,” recent Hazard Communication Standard updates, and the most recent updates to OSHA’s recordkeeping rules would appear not to be affected.
Executive action related to new and pending rules is not unique to this administration but instead has almost become a standard practice for an incoming president. The “Regulatory Freeze Pending Review” memorandum states, in pertinent part, the following:
(1) Do not propose or issue any rule in any manner, including by sending a rule to the Office of the Federal Register (the “OFR”), until a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule. […]
(2) Immediately withdraw any rules that have been sent to the OFR but not published in the Federal Register, so that they can be reviewed and approved as described in paragraph 1….
(3) …[C]onsider postponing for 60 days from the date of this memorandum the effective date for any rules that have been published in the Federal Register,or any rules that have been issued in any manner but have not taken effect, for the purpose of reviewing any questions of fact, law, and policy that the rules may raise.
The directives apply to “rules,” broadly defined to include a wide range of agency actions and terms, including:
“rule[s],” as defined by the Administrative Procedure Act;
“regulatory action,” as defined in section 3(e) of Executive Order 12866 of September 30, 1993 (“Regulatory Planning and Review”), as amended; and
“guidance document[s],” as defined in section 2(b) of Executive Order 13891 of October 9, 2019 (“Promoting the Rule of Law Through Improved Agency Guidance Documents”).
The presidential memorandum states that its requirements apply to “any substantive action by an agency (normally published in the Federal Register) that promulgates or is expected to lead to the promulgation of a final rule or regulation” and “any agency statement of general applicability and future effect that sets forth a policy on a statutory, regulatory, or technical issue or an interpretation of a statutory or regulatory issue.”
Squarely within the parameters of this executive action are OSHA’s “Heat Injury and Illness Prevention in Outdoor and Indoor Work Settings” rulemaking and the “Emergency Response Standard” rulemaking. Neither of these proposals was expected to survive the change in administrations resulting from the 2024 presidential election.
Rulemakings in process that the memorandum’s directives will not directly impact include the “Prevention of Workplace Violence in Healthcare and Social Assistance” rulemaking, the proposed infectious disease standard for the healthcare sector, the proposed tree care standard, the communications tower safety standard, and revisions to the process safety management standard. Other rulemaking that will not be impacted include the so-called “Walkaround Rule,” the recent Hazard Communication Standard updates, and the most recent updates to OSHA’s recordkeeping rules.
Similarly, until the sixty-day period mentioned in the presidential memorandum expires, employers should not expect that any pending standard interpretations or other guidance will be forthcoming from OSHA.