Bufkin v. Collins (No. 23-713)
When a veteran seeks disability benefits, federal law provides that ties go to the applicant. But if the Veterans Administration decides it’s not a tie—that is, the preponderance of the evidence comes out against the veteran—then it has no occasion to apply this tiebreaking rule. That leads to a question only an appellate lawyer would ask: What standard of review applies to the VA’s determination that the evidence isn’t even: The de novo standard generally used for legal questions or the clear error one used for findings of fact? In Bufkin v. Collins (No. 23-713), a seven-Justice majority held that this is a best seen as a mixed question of law and fact where the fact piece dominates, meriting clear error review. That prompted a dissent from the two Justices perhaps most likely to favor the little guy against the big-bad government—Justices Jackson and Gorsuch—who thought the whole point of this tie-breaking rule was to thwart the VA’s historical reluctance to award veterans the disability benefits they should receive.
Joshua Bufkin and Norman Thornton are two veterans who applied for disability benefits for PTSD caused by their time in the military. Their claims began in local VA regional offices (the first port of call for veterans seeking disability benefits), where Bufkin’s claim was denied entirely, while Thornton received lower benefits than he sought. Both then appealed to the Board of Veterans’ Appeals, an Article I court that reviews the benefits decisions of VA regional offices. The Board affirmed both regional offices’ decisions. In doing so, it acknowledged that whenever “there is an approximate balance of positive and negative evidence” on any issue material to a veteran’s claim, the VA must “give the benefit of the doubt to the claimant.” 38 U.S.C. § 5107(b). But the Board concluded that the evidence was not approximately balanced, so Bufkin and Thornton weren’t entitled to that deferential standard.
Bufkin and Thornton then appealed their respective cases to the U.S. Court of Appeals for Veterans Claims (the “Veterans Court”), another Article I tribunal, which reviews decisions from the Board. There, they argued that the evidence supporting their claims was about equal to the evidence against them, and that they were therefore entitled to get the benefit of the doubt. Federal law provides that in reviewing Board decisions, the Veterans Court must “take due account” of this benefit-of-the-doubt rule. But the Veterans Court concluded that the account that was “due” wasn’t much: Seeing no clear error in the Board’s decision that evidence weighed more strongly against the veterans, it affirmed the Board.
Bufkin and Thornton then appealed the Veterans Court’s decisions to the U.S. Court of Appeals for the Federal Circuit, a genuine Article III court that (among a great many other things) reviews decisions from the Veterans Court. It agreed with the Veterans Court that clear error applies to the Board’s decision that the evidence wasn’t roughly 50-50, so it too affirmed the denial of benefits. These three rounds of appeals weren’t enough for Bufkin and Thornton, though, as they successfully convinced the Supreme Court to grant cert to address the appropriate standard of review.
Unfortunately for our persistent appellants, the Court affirmed all the courts below it in a 7-2 opinion authored by Justice Thomas. It began with the language of the statute which, as discussed above, requires the Veterans Court to take “due account” of the “benefit-of-the-doubt” rule in reviewing the Board’s decisions. But the phrase “due account” doesn’t have a lot of content on its own, so Thomas concluded the general standards of review called for by the veterans statutes are all the “account” that is “due.” Those statutes prescribe the ordinary standards of review appellate lawyers know well, calling for the Veterans Court to review conclusions of law de novo and findings of fact for clear error. So in which bucket fell the Board’s conclusion that the evidence wasn’t about equal, meaning there’s no “doubt” for the veteran to benefit from? For Thomas and majority, weighing up the evidence involves both legal and factual work, making it a mixed question of fact and law. And because this particular mixed question “is about as factual sounding as any question gets,” Thomas thought it was appropriately reviewed only for clear error.
Justice Thomas then brushed aside two objections to this reasoning. First, Bufkin and Thornton argued this interpretation of the legislative command that the Veterans Court take “due account” of the benefit-of-the-doubt rule made the “due account” provision surplusage. Thomas acknowledged that this objection was “a serious one,” but the problem was that it’s just as true if you apply the de novo standard Bufkin and Thornton asked for: Either way, you’re simply following the statute’s default standards of review. Thomas thus concluded that this wasn’t a context where the rule against surplusage could do any work. Second, the veterans observed that some mixed questions of law and fact—like probable cause determinations—are reviewed de novo. But for Thomas, probable cause determinations dwelt in the “constitutional realm,” giving rise to heightened scrutiny. The “benefit-of-the-doubt” standard, by contrast, was a create of statute. And further, probable cause asks the legal-sounding question of what the hypothetical reasonable man might think of a particular set of facts. The question here—whether the evidence is about equal—was just too fact-like for an appellate court to conduct de novo review.
In dissent, Justice Jackson, joined by Justice Gorsuch, disagreed on both points. In her view, the statutory mandate that the Veterans Court “take due account” of the benefit-of-the-doubt rule should be understood as superseding the general standard of review found in the statute, thereby mandating de novo review. And even if one were to apply the baseline standards of review, Jackson thought that the Board’s determination about whether the benefit-of-the-doubt rule applied looked more like a probable cause determination, meriting de novo review. Although couched in the language of textualism, Jackson’s dissent relied heavily on legislative history, pointing to past drafts of the statute and testimony from veterans groups to Congress, all of which suggested that the whole point of the “due account” provision was to override the Veterans Court’s perceived record of being too deferential to the Board. Finally, Jackson bolstered her ultimate conclusion with the so-called veterans canon, which provides that statutory provisions for the benefit of veterans should be construed in the beneficiary’s favor. It is notable that Justice Gorsuch signed on to a dissent that made such heavy use of legislative history. Perhaps he simply thought veterans should get the benefit of the doubt.
Why Having a Special Needs Child Sign a Power of Attorney Is Not a Good Idea
In a previous blog, I discussed the process of a parent obtaining a guardianship for their special needs child. This blog discusses why it is not a good idea to try to shortcut this process and to simply have your child sign a power of attorney. Unfortunately, I have heard practitioners suggest this approach, and frankly, it made me cringe as it would be committing legal malpractice to have most special needs children sign a power of attorney.
In order for a power of attorney to be considered legally valid, the person granting the power of attorney would have to fully comprehend the power of attorney, including the powers that it grants to others to act on their behalf. The reality is that the majority of special needs children would be unable to fully comprehend a power of attorney to the extent they are legally required to do so in order to be able grant such authority. While some special needs children may possess the necessary intellect and understanding to grant a power of attorney, most special needs children could not meet this burden. Despite this reality, I have seen practitioners have special needs children sign powers of attorneys when they were simply not competent to do so. Unfortunately, this can lead to future problems for both the parent and child as discussed below.
One potential problem could arise if an individual, who is a family member or any other party with a potential interest, seeks to challenge the power of attorney in court. Should such a challenge be levied, an evaluation would be performed as to legal capacity of the child to grant a power of attorney. Should the challenge prove successful it would result in the invalidation of the power of attorney, and further, can lead to the invalidation of other transactions wherein the power of attorney was utilized, as well as the assessment of counsel fees and sanctions against the parent who improperly obtained the power of attorney. This could lead to a disastrous result for both the child and his/her family. Another problem that could arise is that the power of attorney does not legally establish that the child is legally incapacitated. As such, in the absence of this finding by a court, which is always made during a guardianship proceeding, the child may be able to legally bind himself/herself to transactions that they undertook, or they may undertake other transactions contrary to their interest which may be difficult to unwind. On the contrary, once a legal guardianship is granted by a court and there is a finding of legally incapacity, the guardian would be able to quickly void any such transactions which may not be in the best interests of the child.
As such, for the reasons discussed above it is bad idea to attempt to utilize a power of attorney when a guardianship is more appropriate. Frankly, this blog simply touches the tip of the iceberg as to potential issues, however, it should be clear that a guardianship is vastly preferred for most special needs children. Obviously, parents who are interested in this process should consult with competent legal counsel to guide them through it.
Proposed Rules for Minnesota’s Earned Sick and Safe Time Law: Key Insights for Employers
Over a year after Minnesota’s Earned Sick and Safe Time (ESST) law went into effect in January 2024, Minnesota’s Department of Labor and Industry (DLI) recently published proposed permanent rules (the Proposed Rules) that, if adopted, will regulate the ESST law. Although the rules are not yet final, they offer insights for employers on DLI’s interpretation of the ESST law.
Certain Employees Accrue ESST When Working Outside of Minnesota
As a reminder, under the Minnesota ESST law, employees accrue one hour of ESST for every 30 hours worked, up to 48 hours annually. The Proposed Rules explain that an employee’s hours worked outside of Minnesota count towards accrual as long as the employer anticipates the employee will work more than 50% of their hours for the employer inside of Minnesota per accrual year. If the employer anticipates that the employee will work 50% or less of their hours in Minnesota during the accrual year, then only the employee’s hours worked in Minnesota will count toward accrual of ESST. If the employee begins the accrual year without the expectation of working in Minnesota for more than 50% of their work time, but the expectation of working in Minnesota increases during the year to more than 50% of worked time, then the employer must allow the employee to accrue hours beginning on the date of the change in circumstances. Under the Proposed Rules, an employee who is teleworking is considered to be working in the state from which they telework.
Guidance on Calculating ESST Deductions for Indeterminate Shifts
When an employee takes ESST for a shift scheduled for an indeterminate time, the ESST law does not expressly state how an employer should calculate the hours to deduct from an employee’s ESST bank. The Proposed Rules clarify that an employer can only deduct from an employee’s “accrued” ESST the hours worked by the employee who picked up the ESST-taking employee’s shift. If there is not a replacement worker for that shift, but there are similarly situated employees, then the employer can deduct: either the average hours worked by the similarly situated employees who worked the same shift or the greatest hours worked by a similarly situated employee who worked the same shift. If there is no replacement worker or any similarly situated employees, then the employer may use the hours worked by the ESST-taking employee in their most recent similar shift of an indeterminate length.
Employers Can Demand Documentation from Employees Suspected of ESST Misuse
The Proposed Rules provide guidance on an employer’s ability to address a suspected “pattern of misuse” of ESST. The Proposed Rules define a pattern of misuse for claimed unforeseeable use of ESST as an employee routinely taking ESST (1) before a weekend, vacation, or holiday; or (2) before the start of a scheduled shift for under 30 minutes. The Proposed Rules do not indicate what number of such suspected misuses qualify as “routine.” When an employer observes a pattern of misuse, the Proposed Rules allow the employer to demand reasonable documentation from the employee suspected of ESST misuse. The reasonable documentation is limited to the definition in the ESST statute.
The ESST Law Covers Other Paid Time Off Used for Qualified ESST Purposes
If a covered employer provides paid time off beyond the hours required by the ESST law to an employee for absences from work due to personal illness or injury, then under the Proposed Rules, the excess paid time off is also subject to certain requirements imposed by the ESST law when the employee uses the time off for a reason covered by the ESST law. Such requirements include but are not limited to those related to the ESST requirements on notice, documentation, and anti-retaliation.
Next Steps
The DLI has opened a second comment period on these Proposed Rules. Comments are due by April 7, 2025. We will continue to monitor these developments.
Minnesota Department of Labor and Industry Proposes Rules on Statewide Earned Sick and Safe Time Law
The Minnesota Department of Labor and Industry (MNDOLI) recently issued proposed rules for governing Minnesota’s Earned Sick and Safe Time Law (ESST). The proposed rules are open for public comment through April 2, 2025.
Quick Hits
The Minnesota Department of Labor and Industry issued proposed rules stating that employees anticipated to work over 50 percent in Minnesota in an accrual year would accrue earned sick and safe time leave (ESST) for all hours worked despite location.
The proposed rules would allow employers to “advance” ESST hours.
The proposed rules also clarify that employees have a choice to use paid ESST or take unpaid and “unprotected” leave, and that employers may not require employees to use ESST.
The proposed rules are open for public comment through April 2, 2025.
Definitions
The proposed rules define “Accrual Year,” “Qualifying Purpose,” and “Work Day.” Namely, a “work day” means a consecutive period of time not greater than twenty-four hours.
Accrual Year
The Minnesota ESST law requires employers to designate and notify employees of the accrual year. Under the proposed rules, “[i]f an employer fails to designate and clearly communicate the accrual year to each employee … the accrual year is a calendar year.” The proposed rules would require employers to “provide a revised written notice” to affected employees if the accrual year changes before the change takes effect and “[i]f an employee has not received timely revised written notice … then the employee’s designated accrual year remains unchanged, unless the employee agrees otherwise.”
Hours Worked
Location of hours worked: The proposed rules would allow employees to accrue ESST as follows:
If the employer anticipates that an employee will work more than 50 percent of his or her hours for that employer in Minnesota in an accrual year, then all hours worked would count toward accrual of ESST regardless of the employee’s location.
If the employer anticipates the employee will work 50 percent or less of his or her hours for that employer in Minnesota in an accrual year, then only the hours worked in Minnesota would count toward the employee’s ESST accrual.
If there is a change in circumstances during the accrual year (e.g., change in location or duties) and the employee is working more than 50 percent in Minnesota in the accrual year or 50 percent or less in Minnesota in the accrual year, then the employer would be required to apply the applicable accrual when the change occurs.
For this section only, a teleworking employee would be considered working in the state where the employees teleworks.
Indeterminate shifts: Under the proposed rules, an employer would be required to deduct an employee’s ESST for an indeterminate length accordingly:
If a replacement worker is used to cover the employee’s shift, the hours worked by the replacement worker;
If no replacement worker, but similarly situated employees, then either:
the average hours worked of the other similarly situated employees who worked the same shift for which the employee used ESST; or
the greatest hours worked by a similarly situated employee who worked the shift for which the employee used ESST.
If no replacement worker and no similarly situated employees, then the hours worked in the most recent similar shift of an indeterminate length worked by the employee.
Time Credited and Increments of Accrual
Processing and crediting accrual: Under the proposed rules, employers would be required to credit accrued ESST by the end of the pay period. ESST would be “accrued” when the employer processes and credits the time to the employee at the end of each pay period.
Increment of time accrued: The proposed rules clarify that employers would not be “required to credit employees with less than hour-unit increments of [ESST].”
Rehire: The proposed rules also clarify that “[a]n employee rehired by the same employer within 180 days of separation is entitled to a maximum reinstatement of 80 hours of previously accrued but unused” ESST, unless law, policy, contract, or other authority requires a greater amount.
Accrual and Advancing Methods
Advancing hours: The proposed rules would allow employees to “advance” ESST hours. In other words, “[w]hen an employee begins employment, an employer is permitted to advance [ESST] to an employee based on the number of hours the employee is anticipated to work for the remaining portion of the accrual year and calculated at no less than the rate required in” Minn. Stat. § 181.9446(a), provided an employer need not advance over forty-eight ESST hours (unless law, policy, contract, or other authority requires a greater amount). However, if the advanced amount were less than the amount the employee would have accrued based on the actual hours worked for the rest of the accrual year, the employer would be required to provide more ESST to make up the difference within fifteen days of the actual accrued amount surpassing the advanced amount.
Changing methods: The proposed rules clarify that employers can “change methods” (i.e., switch from accrual to frontloading and vice versa) so long as the employer communicates the change to employees in writing and the change does not take effect until the first day of the next accrual year. If an employer fails to provide adequate notice, the prior accrual method remains in effect unless the employee agrees otherwise.
No additional accrual necessary: The proposed rules clarify that if an employer is frontloading ESST, the employee would not also accrue ESST under the accrual method.
Employee Use
The proposed rules would give employees the right to use ESST and prohibit employers from requiring employees to use ESST. However, if an employee chooses not to use ESST, the absence would not be protected by the ESST law.
Employee Misuse of ESST
The proposed rules address ESST misuse by clarifying that an employee’s use of ESST for a non-ESST covered reason would not be protected by the ESST law. The proposed rules would allow employers to “demand reasonable documentation from an employee when there is a pattern of misuse … for a claimed unforeseeable use,” notwithstanding the timeline in Minn. Stat. § 181.9447(3)(a). Misuse is defined to include an employee routinely using ESST the day immediately before or after a weekend, vacation, or holiday; or using increments of ESST in less than thirty minutes at the start of a scheduled shift. The proposed rules further specify that employers would be barred from denying an employee ESST based on earlier misuse or the employer’s suspicion that the employee may misuse ESST.
More Generous Sick and Safe Time Policies
The Minnesota ESST law requires paid time off and other paid leave provided to employees over the minimum amount required under the ESST law for absences from work due to personal illness or injury (but not including short-term or long-term disability or other salary continuation benefits) to meet or exceed the minimum standards and requirements under the ESST law other than Minn. Stat. § 181.9446 (i.e., ESST accrual). The proposed rules clarify this would only apply “when the leave is being used for a qualifying purpose.”
Defense Verdict in First Ethylene Oxide Case to Go To Verdict in Colorado
Background
Ethylene Oxide (EtO) is an industrial solvent widely used as a sterilizing agent for medical and other equipment that cannot otherwise be sterilized by heat/steam. EtO may also be used as a component for producing other chemicals, including glycol and polyglycol ethers, emulsifiers, detergents, and solvents. Allegations that exposure to EtO increases the risk of certain cancers has led to governmental regulation as well as private tort actions against companies that operate sterilization facilities that utilize EtO.
The first ethylene oxide case to go to trial was the Kamuda matter, in which an Illinois jury awarded $263 million in September of 2022 against Sterigenics for ethylene oxide exposure from that company’s Willowbrook facility. A subsequent trial in the same jurisdiction against the same defendant resulted in a defense verdict. Ultimately, Sterigenics resolved its pending claims involving the Willowbrook plant in the amount of $408 million.
Colorado Verdict
In only the third ethylene oxide case to go to verdict in the country (and the first one outside of Illinois), on March 14, 2025 a Colorado jury rendered a verdict in favor of defendant Terumo BCT Inc. Not only was this the first ethylene oxide trial to go to verdict outside of Illinois, it was the first one not involving defendant Sterigenics. The Colorado case is Isaacks et al. v. Terumo BCT Sterilization Services Inc. et al. in the First Judicial District of Colorado (docket number 2022CV031124). This was a bellwether trial that lasted six weeks, and involved four female plaintiffs. The jury determined that the defendant was not negligent in its handling of emissions from its Lakewood plant. The plaintiffs had sought $217 million in damages for their alleged physical impairment and also $7.5 million for past and future medical expenses as well as punitive damages. In light of the fact that the six person jury found the defendant Terumo not negligent, it did not need to consider damages or causation. Notably, there remain hundreds more pending claims against Terumo in Colorado. In fact, plaintiffs’ counsel filed almost 25 more cases while the trial was in progress.
All of the plaintiffs alleged that they had developed cancer as a result of ethylene oxide emissions from the Terumo facility. One plaintiff alleged breast cancer as a result of 23 years of exposure from the plant, while another alleged breast cancer after almost 35 years of exposure (these two plaintiffs were neighbors). Another plaintiff alleged multiple myeloma while the fourth plaintiff alleged Hodgkin’s lymphoma.
Analysis
While it is difficult to draw conclusions from a sample size of three verdicts given the differences in plaintiffs, jurisdictions, and alleged disease processes, we continue to believe that plaintiff firms will recruit new clients who allege some type of cancer as a result of residing in the vicinity of an ethylene oxide plant. In fact, there is ongoing ethylene oxide litigation in California and a few other states. How long will it be until we see television advertisements run by plaintiff firms seeking new plaintiffs? We’ve seen this in asbestos, talc, contaminated water, firefighting foam, defective earplugs, and other types of litigation. It is not out of the realm of possibility to think that we will see this with ethylene oxide litigation at some point in the near future.
Unclaimed Property Laws and the Health Industry: Square Peg, Round Hole
Likely due to the tremendous number of healthcare mergers, acquisitions, and private equity deals that have been taking place, the industry has recently been the target of multistate unclaimed property audits. This increased scrutiny has highlighted many of the complexities and tensions that exist in this space. At almost every stage of the process, healthcare industry holders are pressured by state unclaimed property auditors and administrators to fit a square peg in a round hole – something both they and their advocates should continue to vigorously push back against.
Determining whether any “property” exists to report in the first instance can be a daunting task in an industry where multiple parties are involved in a single patient transaction that is documented by complex business arrangements between sophisticated parties, which are updated and accounted for on a rolling basis. Unclaimed property audits are conducted in a vacuum of one single holder and use standard document requests that were developed to apply to all businesses, creating unrealistic record retention and management expectations that almost never neatly align with healthcare industry laws or practices.
Making matters worse, unclaimed property auditors and voluntary disclosure agreement (VDA) administrators frequently do not have a detailed understanding of the complex healthcare privacy, billing, and payment practices, yet these practices materially impact how providers manage unclaimed property and when they report it. Getting them up to speed on these laws, practices, and procedures can be very time-consuming. For example, providers or their advisors may need to explain to auditors what HIPAA is or what prompt pay laws are. Many of the payments in this space are managed or funded by the US government, resulting in federal preemption of a state’s ability to demand at least some portion of the funds a review is likely to identify. And while some of the larger healthcare providers and payors have detailed records for more recent periods, the degree of detail requested by the auditors is frequently unreasonable (in both time and scope) and can result in sampling, extrapolation, and grossly overstated audit results.
This article explores some of the unclaimed property law tensions and legal risks that exist for healthcare providers of all sizes.
COMMON PROPERTY TYPES
Some common property types at risk of exposure in the healthcare industry include patient credit balances, accounts payable checks, payroll checks, refund checks, and voided checks. These risk areas can result in unclaimed credit balances for varying reasons, such as overpayment and payment of the same bill by multiple sources. Healthcare providers and insurance companies periodically engage in settlement audits to resolve open items. However, a healthcare provider may make adjustments and write-offs to accounts receivable arising from a settlement, thus creating tension with the statutory anti-limitation provisions of unclaimed property law.
FEDERAL PREEMPTION
Although all 50 states and the District of Columbia have enacted unclaimed property laws, federal laws may preempt their ability to exert jurisdiction and regulate certain (otherwise) unclaimed property. Federal preemption can often be raised as a defense in the healthcare industry where federal law robustly governs the space (such as Medicare) or conflicts with state unclaimed property laws. For example, these defenses can be raised when federal law either establishes or abrogates property rights, claim obligations, and periods of limitation.
PROMPT PAY STATUTES AND RECOUPMENT
Prompt pay statutes are generally designed to ensure that physicians and medical providers are recovering their payment claims with insurance providers in a timely manner. Most states contain laws that typically include (1) a period in which claims are required to be processed, (2) types of claims covered, and (3) penalties for failure to comply. The statutes’ deadlines for making payments typically range from 15 to 60 days, depending on the state. Moreover, recoupment provisions in many states provide that refunds of paid claims by insurers are barred after the expiration of a specific period of time from the date of payment. Under these provisions, insurers cannot avoid this requirement via their contracts with the provider. Individual state statutes will render different results related to the coordination of benefits for federally funded plans such that there is either no recoupment period or a longer one. The finer details of prompt pay and recoupment statutes are important for states and their auditors to understand and, if not properly accounted for in an audit or VDA, can lead to vastly overstated results.
BUSINESS-TO-BUSINESS EXEMPTION
Some states exempt business-to-business payments and/or credit due from unclaimed property reporting. The scope of these exemptions can vary widely and sometimes contain traps for the unwary, requiring careful review before they are broadly implemented into a provider’s reporting process. In many states, there are viable defenses to unclaimed property audit assessments seeking payor funds held by a provider.
REVENUE RECOGNITION BASED ON CONTRACT
Contractual allowance adjustments and accounts receivable credit reclasses in the contractual allowance account can give the appearance of unclaimed property if not resolved timely, accurately, and with the appropriate supporting documentation. Examples of accounts that can give rise to potential unclaimed property credits include expired or outdated contracts between a healthcare provider and insurance company, unaccounted contract revisions or adjustments, and others that are unique to the healthcare industry to account for the complex flow of funds between patient, provider, and payor.
M&A DEALS
Unclaimed property results can vary significantly based on the terms and type of deal. It is best practice for unclaimed property counsel to be involved in healthcare deals to ensure any potential unclaimed property is accounted for. The typical failure to maintain records in a searchable manner post-acquisition may result in either (1) false positives during the next audit in an address review or (2) a windfall for the state of formation if an estimation is performed. Reviewing key provisions in the agreement when conducting a deal can identify complications that may arise and ensure the parties proactively account for any risk and maintain the records needed.
False Claims Acts
Many state False Claims Acts (FCAs) permit a private party (a relator) with knowledge of past or present underpayments to the government to bring a sealed lawsuit on its behalf. When these suits are successful, the relators receive 15% to 30% of any judgment or settlement recovered, which includes treble damages of the alleged unclaimed property liability and interest, per occurrence penalties, and even costs and attorneys’ fees.
In California ex rel. Nguyen v. U.S. Healthworks, Inc., the plaintiff brought a suit alleging that the failure to report credits as potential overpayments violated California unclaimed property law and the state FCA. The California attorney general filed an unclaimed property complaint in intervention against the healthcare provider, identifying the ongoing failure to comply with state unclaimed property law as a key factor in the attorney general’s decision to pursue the case under California’s FCA before agreeing to settle for $7.7 million in 2023.
Other states, including New York, are actively involved in aggressively enforcing their unclaimed property laws as punitively as possible through state FCAs. The U.S. Healthworks case is a cautionary tale for healthcare providers that have not robustly analyzed their unclaimed property law compliance practices.
Medicare Telehealth Gets Another Temporary Lifeline – Will Congress Make it Permanent?
On March 15, 2025, President Trump signed a continuing resolution to avert a government shutdown, which included a critical six-month extension of Medicare telehealth flexibilities through September 30, 2025. This six-month extension provides a temporary reprieve from the looming expiration of telehealth waivers that have been in place since the COVID-19 Public Health Emergency (PHE). While this is a positive development, it underscores the ongoing uncertainty surrounding Medicare’s long-term telehealth policy—an issue that Congress must address with a more permanent solution. The healthcare industry has increasingly emphasized the need for regulatory certainty to support long-term planning, investment in telehealth infrastructure and sustained access to care for Medicare beneficiaries.
What the Extension Means for Providers
Medicare providers will continue to operate under the existing telehealth flexibilities for an additional six months. This means:
No Geographic or Site Restrictions – Medicare beneficiaries can receive telehealth services regardless of their location, including from their homes.
Expanded Practitioner Eligibility – A broader range of healthcare providers, including physical therapists, occupational therapists and speech-language pathologists, can continue furnishing telehealth services.
Coverage for Audio-Only Services – Medicare will maintain reimbursement for certain audio-only visits, which have been critical for reaching patients without reliable broadband access.
Hospital and Facility-Based Telehealth – Flexibilities allowing hospitals and health systems to use telehealth for certain hospital-at-home and outpatient services remain in place.
FQHCs and RHCs Participation – Federally Qualified Health Centers and Rural Health Clinics can continue to offer telehealth services, ensuring access in underserved areas.
Mental Health Flexibilities – The in-person evaluation requirement for mental health services delivered via telehealth has been deferred, allowing patients to continue receiving mental health care via telehealth.
For hospitals, health systems and provider groups that have invested heavily in telehealth infrastructure, this extension offers short-term stability. However, the uncertainty beyond September 2025 remains a pressing concern.
Industry Perspective on the Need for Regulatory Certainty
Since the expanded use of telehealth under Medicare, healthcare providers, hospitals and technology developers have adapted their care delivery models and made significant investments in telehealth infrastructure. Many industry stakeholders have highlighted the following considerations as Congress continues evaluating the long-term future of Medicare telehealth policy:
Regulatory Stability for Long-Term Decision-Making – Healthcare organizations make strategic decisions—ranging from workforce planning to technology investments—based on long-term regulatory and reimbursement expectations. Without a definitive, long-term Medicare telehealth policy, providers must plan within an uncertain framework, creating challenges in making sustainable investments.
Access to Care for Underserved and Rural Populations – Telehealth has played a key role in expanding access to care, particularly for rural and underserved populations who may face geographic, transportation or mobility barriers. Healthcare providers serving these communities have emphasized the importance of telehealth in maintaining access to primary care, specialty services and mental health treatment. Given the growing reliance on telehealth among Medicare beneficiaries, there is industry interest in ensuring continued access to these services beyond temporary extensions.
Innovation and Growth in Digital Health – The expansion of telehealth has supported technological innovation across the healthcare industry, from remote patient monitoring to AI-driven clinical documentation tools. Industry stakeholders have noted that uncertainty around Medicare’s long-term telehealth policy can impact investment in emerging digital health solutions, as healthcare organizations and technology developers assess future regulatory and reimbursement environments.
What’s Next? The Push for Permanent Reform
With the clock now ticking toward the new September 30, 2025, deadline, major healthcare organizations are advocating for permanent legislative action. The American Telemedicine Association (ATA) and American Hospital Association (AHA) continue to urge Congress to cement telehealth’s place in modern healthcare, emphasizing its role in expanding access, improving outcomes and addressing provider shortages. Similarly, several bipartisan efforts have been initiated to establish permanent telehealth policies:
1. Telehealth Modernization Act of 2024 (H.R. 7623)This bill seeks to permanently extend certain telehealth flexibilities that were initially authorized during the COVID-19 public health emergency.
2. Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act of 2023 (H.R. 4189; S. 2016)This bill proposes to expand coverage of telehealth services under Medicare, aiming to remove geographic restrictions and expand originating sites, including to allow patients to receive telehealth services in their homes.
3. Preserving Telehealth, Hospital, and Ambulance Access Act (H.R. 8261)This bill aims to extend key telehealth flexibilities through 2026, including provisions for hospital-at-home programs and ambulance services.
While there appears to be bipartisan support recognizing telehealth as a vital component of modern healthcare delivery, a long-term solution is critical to ensuring that telehealth remains a viable and effective care delivery option for Medicare beneficiaries well beyond 2025. Providers should take advantage of the additional time to solidify their telehealth strategies while remaining engaged in advocacy efforts.
Stakeholders—including hospitals, health systems, provider groups and digital health technology companies —must continue urging Congress to pass permanent telehealth legislation that preserves access, ensures fair reimbursement and provides regulatory clarity.
New Michigan Law Strengthens Legal Protections for Assisted Reproduction
The Assisted Reproduction and Surrogacy Parentage Act (ARSPA), also known as the Michigan Family Protection Act, enhances legal protections for families using assisted reproductive technology. Effective April 2, 2025, this legislation updates parentage laws to account for the use of assisted reproductive technology, providing greater clarity and legal security.
Legal Parentage for Children Conceived Through Assisted Reproduction
One of the law’s most impactful components is Part 2, which addresses the parentage of children conceived through assisted reproduction without surrogacy. The law defines assisted reproduction as “a method of causing pregnancy through means other than by sexual intercourse” and includes in vitro fertilization (IVF), gamete donation (i.e., sperm, egg, and embryo), artificial insemination, and other assisted reproductive technologies.
Before the new law, non-biological parents in Michigan had to undergo a lengthy and costly stepparent adoption process to establish legal parental rights. Now, intended parents who conceive a child through assisted reproduction can petition the court for a judgment of parentage, legally establishing them as a child’s parent and granting them all rights and responsibilities associated with being a legal parent.
This change removes unnecessary barriers for many families, including non-biological mothers in same-sex couples who conceive using sperm donors and heterosexual couples using sperm, egg, or embryo donors due to infertility.
Estate Planning Considerations
With ARSPA in effect, individuals who have children or grandchildren through assisted reproduction should review their estate planning documents to ensure their children and grandchildren are included. Many estate plans define “child” to include adopted children but may not explicitly cover non-biological children conceived through assisted reproduction. Updating these documents can help avoid potential legal complications and ensure all children and grandchildren are treated equally.
Medicare Telehealth Flexibilities Extended through September 30, 2025
On March 14, 2025, as part of a spending bill to avert a federal government shutdown, Congress extended COVID-era telehealth “waivers” applicable to Medicare until September 30, 2025. These were originally scheduled to end March 31, 2025.
This is welcome news for health care organizations who have relied on the flexibility offered by these waivers to extend access to telehealth services for Medicare beneficiaries and other patients nationwide since the COVID-19 pandemic. However, this represents another short-term extension by the government and poses questions on whether all or some of the telehealth flexibilities will be codified into law.
As a reminder, a set of key waivers to Medicare telehealth payment restrictions were enacted under the Social Security Act temporarily in connection with COVID-19 pandemic measures. These statutory waivers have now been extended by act of Congress multiple times, and this latest extension will have the following impacts related to telehealth:
Telehealth at Home: Medicare patients will continue to be able to receive telehealth services in their homes and in any other location in the country through at least September 30, 2025.
In the absence of this extension, Medicare beneficiaries would have only been permitted to receive telehealth services in certain approved health care facilities in rural locations (outside of metropolitan statistical areas) as of April 1, 2025.
Note that the Social Security Act does include a narrow exception that permits telehealth services in the home (or other locations) for patients in specific circumstances approved by law or regulation, including patients being treated for acute stroke symptoms, patients with a substance use disorder diagnosis, or patients with a mental health disorder (but see the additional in-person requirement for mental health telehealth treatment noted below), and patients on home dialysis for related clinical assessments.
Audio-Only Telehealth: Telehealth services can continue to be provided via audio-only communications systems.
Without the extension, telehealth services would no longer have been available via audio-only systems as of April 1, 2025, and to be reimbursed for telehealth services would require the use of approved interactive telecommunications systems only (which are defined generally to refer to audio/video equipment allowing for two-way real-time interactive communications between the patient and provider, except in narrow exceptions for store-and-forward technology under telemedicine demonstration programs).
Telehealth Providers: Medicare patients can continue to receive telehealth services from all types of approved Medicare-enrolled providers (the waiver permits qualified occupational therapists, physical therapists, speech-language pathologists, and audiologists to furnish services via telehealth and be paid by Medicare for doing so).
FQHC/RHC Telehealth: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) can continue to provide telehealth services to patients in other locations.
Additionally, the legislation extends until October 1, 2025, the effective date of a requirement for reimbursement by Medicare of telehealth services to a Medicare beneficiary for purposes of diagnosis, evaluation, or treatment of a mental health disorder that:
the provider must have furnished a Medicare-covered item or service to the beneficiary in-person (without the use of telehealth) within the prior 6 months before furnishing such telehealth services, and
the provider must continue to furnish Medicare-covered items or services in-person (without the use of telehealth) to the beneficiary at least once a year following each subsequent telehealth service.
The annual in-person follow-up is not required if the provider and beneficiary agree the risks of an in-person service outweigh the benefits.
Once required, the foregoing in-person visit requirement could also be fulfilled by another provider of the same specialty in the same group as the provider furnishing the telehealth service if the telehealth provider is not available to do so.
Despite this temporary reprieve to sustain current telehealth waivers through September 30, 2025, health care organizations should start preparing now for the potential end of the waivers and additional restrictions on telehealth services as soon as October 1, 2025. Moreover, health care organizations should also be aware that additional flexibilities and waivers tied to the COVID-19 era remain in place but are scheduled to expire at the end of 2025, including DEA tele-prescribing flexibilities previously discussed here.
Seth Orkand contributed to this article
Gender-Affirming Care Protections Eroded by Recent HHS Guidance and White House Executive Orders
On February 20, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the recission of “HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy” (the “Rescinded 2022 Guidance”) pursuant to recent Executive Order (“EO”) 14187 (“Protecting Children from Chemical and Surgical Mutilation”) and EO 14168 (“Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government”), issued under the current Trump administration.
These executive orders directed HHS to revoke policies promoting gender-affirming care and reconsider its interpretation of civil rights protections and health information privacy laws as they relate to such care.
Background on the Rescinded 2022 Guidance
The Rescinded 2022 Guidance, originally issued on March 2, 2022 under the Biden administration, and which we previously discussed here, established a framework for applying federal civil rights protections and patient privacy laws to gender-affirming care in three key ways:
Section 1557 of the Affordable Care Act (ACA): The Rescinded 2022 Guidance asserted that federally funded entities restricting access to gender-affirming care could be in violation of Section 1557, which prohibits discrimination based on sex, including gender identity.
Section 504 of the Rehabilitation Act and the Americans with Disabilities Act (ADA): The Rescinded 2022 Guidance took the position that gender dysphoria could qualify as a disability, meaning that restricting access to care based on gender dysphoria could constitute unlawful discrimination.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): The Rescinded 2022 Guidance interpreted HIPAA’s Privacy Rule to prohibit the disclosure of protected health information (PHI) related to gender-affirming care without the patient’s authorization, except in limited circumstances when explicitly required by law.
HHS Bases for the Rescission
OCR Acting Director, Anthony Archeval, stated that the “recission is a significant step to align civil rights and health information privacy enforcement with a core Administrative policy that recognizes that there are only two sexes: male and female.” The HHS Office on Women’s Health also issued guidance expanding on the sex-based definitions set forth in the EO 14168. This HHS guidance contained the following definitions:
Sex: A person’s immutable biological classification as either male or female.
Female: is a person of the sex characterized by a reproductive system with the biological function of producing eggs (ova). We note that EO 14168 defines female in a slightly different manner to mean “a person belonging, at conception, to the sex that produces the large reproductive cell.”
Male: is a person of the sex characterized by a reproductive system with the biological function of producing sperm. We note that EO 14168 defines female in a slightly different manner to mean “a person belonging, at conception, to the sex that produces the small reproductive cell.”
In its February 20, 2025 press release, HHS further stated that “[t]his rescission supports Administration policy in Executive Order 14187 that HHS will not promote, assist, or support “the so-called ‘transition’ of a child from one sex to another, and it will rigorously enforce all laws that prohibit or limit these destructive and life-altering procedures.”
Further, OCR’s formal recission letter dated February 20, 2025, outlining several reasons leading to the Rescinded 2022 Guidance:
ACA (Section 1557): HHS cited recent federal cases, Texas v. EEOC and Bostock v. Clayton County, as calling into question the legal basis for extending Section 1557 protections to gender identity. But see Kadel v. Folwell, 2024 WL 1846802 (4th Cir. 2024) (On May 8, 2024, the Fourth Circuit affirmed the trial court rulings that the exclusion of coverage for gender affirming care by state health plans in West Virginia and North Carolina violated the nondiscrimination protections of the Affordable Care Act (ACA) Section 1557).
Rehabilitation Act and ADA: HHS argued that gender dysphoria does not meet the statutory definition of a disability, as the law explicitly excludes gender identity-related conditions unless resulting from a physical impairment. However, the Fourth Circuit, in Williams v. Kincaid, 45 F. 4th 759, 770 (4th Cir. 2022), concluded that gender dysphoria is a disability protected under the ADA and does not fall within the ADA’s exclusion for “gender identity disorders not resulting from physical impairments.” See also Blatt v. Cabela’s Retail, Inc., 2017 WL 2178123 (E.D. Pa. May. 18, 2017) (Plaintiff’s gender dysphoria, which substantially limits her major life activities of interacting with others, reproducing, and social and occupational functioning, is not excluded from ADA protection.)
HIPAA: HHS stated that the Rescinded 2022 Guidance lacked a legal foundation for restricting PHI disclosures beyond HIPAA’s established exceptions. However, we note that current established exceptions already allow disclosures without patient authorization in certain circumstances, including when required by law. Interestingly, the new reproductive health amendments to HIPAA, which became effective on December 23, 2024, may, if interpreted broadly, provide additional privacy protections to information related to gender affirming care.
In addition to the recission, HHS also announced its launch of HHS’ Office on Women’s Health website, which we reference above, to promote these policies.
Impact on HIPAA and Patient Privacy
In the wake of the Rescinded 2022 Guidance and associated OCR statements, it remains unclear how OCR will now handle complaints related to the use and disclosure of PHI concerning gender-affirming care. Accordingly, entities that handle such data should carefully review their internal policies to ensure compliance with evolving interpretations of HIPAA’s Privacy Rule.
However, entities should also consider the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, finalized in April 2024, which broadly defines “reproductive health care.” Gender-affirming care often falls within this definition, meaning that certain privacy protections may still apply under this rule despite the Rescinded 2022 Guidance. While HHS’s recent actions suggest a lack of intent to defend this interpretation, the 2024 reproductive health rule remains in effect despite ongoing litigation in Texas challenging these amendments. On September 8, 2024, the Texas Attorney General, in litigation pending in the Northern District of Texas, claimed that the new rule harms the AG’s ability to investigate medical care, lacks statutory authority, and is arbitrary and capricious. This litigation is still pending.
Compliance and Legal Considerations
Federal vs. State Law Conflicts: Entities must navigate the potential conflicts between state laws and the rescission of the Rescinded 2022 Guidance. For instance, Colorado and California have laws explicitly protecting access to gender-affirming care, which could create legal complexities for providers and insurers operating under multiple jurisdictions.
Litigation and Injunctions: On March 4, 2025, a federal judge in Maryland issued a preliminary injunction enjoining federal agencies from issuing regulations or guidance or otherwise implementing mandates of EO 14187. This injunction applies nationwide. In a more limited fashion, a judge in Washington issued a preliminary injunction which applies only to Washington, Colorado, Minnesota, and Oregon. As the Maryland court is still deciding on the merits of the case before it, entities should monitor these legal developments to understand go forward compliance obligations under both federal and state regulations.
Potential Whistleblower Protections. EO 14187 also directs HHS, in consultation with the Attorney General, to “issue new guidance protecting whistleblowers who take action related to ensuring compliance with this order.” Accordingly, it is possible that under such contemplated guidance, an increase in whistleblower-initiated compliance investigation may ensue. Yet, such increase in whistleblowing as an avenue to evaluate compliance would not address the potential friction between the requirements under the HIPAA Privacy Rule to Support Reproductive Health Care Privacy.
Threats to Funding. On March 5, 2025, numerous health care providers enrolled in the Medicare and Medicaid programs received a letter from CMS stating that “CMS may begin taking steps in the future to align policy, including CMS-regulated provider requirements and agreements, with the highest-quality medical evidence in the treatment of the nation’s children” as it relates to gender affirming care. The following day, on March 6, 2025, SAMHSA and HRSA sent similar letters to Hospital Administrators and Grant Recipients referencing the March 5, 2025 CMS letter and threatening examination of current grants and the “re-scoping, delaying or potentially cancelling new grants in the future” depending upon the nature of the work being performed by the providers and/or grant recipients as it relates to gender affirming care for minors.
Key Takeaways
The rescission of the 2022 “HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy” seeks to align HHS’s policies with the Trump administration’s stance on gender-affirming care. The recission introduces financial and compliance challenges for entities regulated by the HHS. However, the recission of the Rescinded 2022 Guidance does not eliminate all HIPAA provisions related to reproductive health and other state-level protections may still provide certain privacy and anti-discrimination safeguards relative to individuals seeking gender affirming care. Given this uncertainty, organizations should revisit their policies and procedures, closely monitor the evolving regulatory landscape, and keep a close eye on litigation outcomes to ensure continued compliance.
Proskauer on Privacy: 2024 Reflections & 2025 Predictions
2024 marked another significant year for privacy law, with new state legislation and high-stakes litigation reshaping the landscape. Legal battles over tracking technologies, biometric data, and children’s privacy intensified, while federal agencies, including the Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”), ramped up their efforts through major enforcement actions and high-profile settlements, marking a new era of increased accountability.
Federal Privacy Law Gridlock
Attempts to pass comprehensive federal privacy legislation in 2024 fell short once again, leaving a significant gap in U.S. data protection standards and a lack of a national data privacy standard. Despite bipartisan support, the American Privacy Rights Act (“APRA”), designed to unify privacy laws, preempt conflicting state regulations, introduce a private right of action, and enforce opt-out mechanisms, did not pass the 118th Congress. Still, the last Congress passed, as part of a larger appropriations bill, the “Protecting Americans’ Data from Foreign Adversaries Act of 2024” (15 U.S.C. § 9901), which makes it unlawful for a data broker “to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to (1) any foreign adversary country; or (2) any entity that is controlled by a foreign adversary.” Without a comprehensive federal privacy law, states were forced to fill the void by passing their own. But each state that did so had independent and distinct requirements for those laws, leading to burdensome compliance efforts, higher operational costs, and increased legal risks for businesses.
FTC Rulemaking and Enforcement Intensifies
In 2024, the FTC prioritized safeguarding sensitive data, focusing on location tracking, health data, children’s privacy, and cybersecurity. The agency secured key settlements, banning the sale of sensitive location data without consent or deidentification, investigating health data misuse, and filing a Children’s Online Privacy Protection Act (“COPPA”) action against TikTok. In terms of children’s privacy, it should also be noted that at the close of the Biden administration, the FTC finalized changes to the COPPA Rule to set new requirements surrounding the collection, use and disclosure of children’s personal information, including requiring covered websites and online service operators to obtain opt-in consent from parents for targeted advertising and other disclosures to third parties.
One notable FTC settlement prohibited a data broker from selling or sharing sensitive location data after it was collected and distributed without adequate safeguards. Another targeted a cybersecurity company accused of unlawfully selling browser data and engaging in deceptive practices. The FTC also filed complaints and secured proposed settlements with an alcohol addiction treatment service and a mental health telehealth company, alleging they illegally shared users’ health information for advertising purposes through third-party tracking tools.
The agency also intensified its focus on deceptive and fraudulent claims surrounding AI products and services. Companies using AI-driven platforms were also urged to take “necessary steps to prevent harm before and after deploying [an AI] product” to ensure fairness, minimize bias, and comply with evolving regulatory standards. As the FTC expanded enforcement in this area, businesses faced growing pressure to proactively mitigate risks and implement safeguards to avoid costly investigations and penalties.
HIPAA Enforcement and Judicial Constraints
In 2024, the HHS OCR focused heavily on enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), concluding over 22 enforcement actions. However, the landmark ruling in American Hospital Association v. Becerra curtailed HHS’s authority over online tracking liability under HIPAA, holding that HHS could only regulate information that both identifies an individual and directly relates to their health.
Following the ruling, HHS voluntarily withdrew its appeal, signaling a shift in its approach to online tracking and privacy enforcement. The decision marked a critical limitation on HHS’s ability to regulate digital health technologies and underscored the ongoing tension between evolving digital practices and traditional privacy regulations.
Litigation Trends: Old Laws, Modern Issues
With no federal privacy law in place, plaintiffs in 2024 relied heavily on old electronic privacy statutes for class action lawsuits, including the Video Privacy Protection Act of 1988 (“VPPA”), Electronic Communications Privacy Act of 1986 (“ECPA”), and numerous state laws, such as California’s Invasion of Privacy Act of 1967 (“CIPA”) and Song Beverly Credit Card Act of 1971 (“SCCA”), to address modern online privacy concerns.
While VPPA was designed to prevent video rental stores (e.g., Blockbuster) from sharing customers’ personal data and the ECPA and CIPA to prevent eavesdropping and traditional wiretapping, plaintiffs have recently repurposed these laws to target alleged misuse of internet technologies such as cookies, pixels, chatbots, and session replay technology, a trend that continued to gain traction throughout 2024. Plaintiffs have also attacked the use of these technologies using the SCCA—a statute that restricts businesses from collecting unnecessary personal identification information during credit card transactions. While originally intended for brick-and-mortar retailers, plaintiffs are now extending the statute’s application to digital commerce, limiting how businesses can request and store consumer data during online purchases.
Class action lawsuits over data breaches and mishandled opt-out requests also continued to surge, fueled by regulatory developments and high-profile breaches. Data subject requests for deletion, access, and opt-outs increased by 246% between 2021 and 2023, highlighting the demand for transparency and control. A 2024 audit found 75% of businesses failed to honor opt-out requests, highlighting the practical challenges of data privacy compliance.
To mitigate their legal privacy risks, companies will need to consider refining consent mechanisms, implementing robust consent management platforms, and exploring alternatives to cookie-based or pixel tracking. Compliance with all of these laws are critical to ensure proper disclosures, limit personal data requests, and reinforce consumer trust.
Comprehensive State Privacy Laws
In 2024, seven states enacted comprehensive privacy laws in 2024 – raising the total number of comprehensive state privacy laws to 20. Many of these laws, including Florida, Montana, Oregon, and Texas, went into effect in 2024 – Nebraska, New Hampshire, Delaware, Iowa, and New Jersey – went into effect at the beginning of 2025, Minnesota, Tennessee and Maryland will go into effect later in the year (i.e., July 2025 and October 2025 respectively). Kentucky, Rhode Island and Indiana are scheduled to go into effect in 2026.
State-level enforcement also intensified, with California, Texas, and New Hampshire leading major efforts. For example, California reached a settlement with DoorDash in February 2024 after the company purportedly sold its California customers’ personal information without providing notice or an opportunity to opt out in violation of the California Consumer Privacy Act (“CCPA”) and CalOPPA. In June 2024, the state reached another settlement with Tilting Point Media for violations of CCPA and COPPA for Tilting Point’s alleged collection and sharing children’s data without parental consent.
In addition, Texas reached several major settlements, two of which involved Meta and the company’s purported violations of biometric privacy laws, and a first of a kind settlement involving a Dallas based artificial intelligence healthcare tech company for alleged deceptive generative AI practices. The state also initiated a new suit against General Motors in August 2024 for unlawful sale of driving data, and announced an investigation into fifteen companies for potential violations of Texas’ Securing Children Online through Parental Empowerment Act and Data Privacy and Security Act.
2025 Privacy Predictions
2025 is expected to be another defining year for privacy regulation, with key trends from recent years continuing to evolve and present new challenges for businesses. The fragmentation of state-level privacy laws, increased enforcement, and the rapid evolution of rules governing biometric data and AI technologies are expected to intensify.
Businesses can expect heightened scrutiny on algorithmic transparency, and biometric protections. Generative AI is also expected to draw significant regulatory attention as the technology matures and states continue to consider additional legislation or regulations, whether it be related to marketing claims, employment, transparency, AI deepfakes, or publicity rights. Companies in health, finance, and technology, specifically, should remain vigilant as regulators push for stricter accountability. While compliance challenges and rising operational costs are likely, organizations that proactively audit data-sharing practices, update privacy policies, and ensure AI compliance will be equipped to navigate the evolving regulatory landscape and reduce overall legal risks.
Federal Legislative Efforts Still Struggle
Despite a growing appetite for a unified privacy framework, progress remains slow heading into 2025. The inability to advance the APRA in 2024 underscores the challenge of balancing state autonomy with uniform, national standards. These challenges are only further compounded by the Trump administration’s emphasis on deregulation and a heavily divided Congress. Businesses will likely continue operating without a comprehensive federal privacy law for the foreseeable future. However, renewed lobbying efforts, Congressional hearings, and mounting industry pressure suggest that the core concepts undergirding the APRA could reemerge with modifications. Moreover, it is conceivable Congress could pass legislation strengthening children’s privacy, given that the Senate overwhelmingly, with a 91-3 vote, passed legislation that included the Kids Online Safety Act and the Teen’s Online Privacy Protection Act (collectively known as COPPA 2.0); the legislation later died in the House, but it will likely be taken up again in the current session of Congress.
In the absence of clear federal guidance, businesses should expect to rely on recognized industry standards in the interim. While these standards are instructive, businesses should note that strict adherence to them may not ensure compliance with the complex web of multi-state regulations. Companies operating across multiple jurisdictions should be sure to consult legal counsel as they navigate the current patchwork of privacy laws to reduce their legal risk.
More States Join the Privacy Landscape. With More to Come?
In 2025, several state privacy laws have recently gone into effect and more are set to take effect later in the year, including Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. These comprehensive privacy laws significantly expand state-level data protection regulations bringing the total number of states with privacy laws to 20. In addition, other states have lifted the data privacy law template and are debating similar bills of their own in 2025 (e.g., New York S365B), and have debated other bills related to consumer health privacy (e.g., New York Health Information Privacy Act, awaiting the governor’s signature), social media restrictions and other data privacy related issues.
With compliance becoming more complex, investments in automated tools to monitor regional legal variations are expected to grow, as businesses recognize them as critical for long-term regulatory resilience in an ever-changing environment.
Litigation Trends: Internet Tracking Technologies & Healthcare Data
Regulators and plaintiffs continue to focus on cases involving internet tracking technologies, particularly under statutes including VPPA, ECPA (and state wiretapping laws), and CIPA, as well as laws governing the general collection of website user information, such as the SCCA. These cases increasingly scrutinize how companies track, collect, and use consumer data, particularly in sensitive contexts such as healthcare and wellness.
Against this backdrop, Washington’s My Health My Data Act (“MHMDA”) which went into effect in 2024, imposes strict privacy protections on consumer health data, extending beyond traditional healthcare providers to include wellness apps, online health services, and companies handling health-related consumer information. The law requires businesses to obtain explicit consent before collecting or sharing health data, maintain transparent privacy policies, and enforce stringent security measures to prevent unauthorized access or misuse.
Notably, the first lawsuit under MHMDA was recently filed against Amazon, marking a significant test case for the law’s enforcement. Given the evolving regulatory landscape, businesses should closely monitor litigation and compliance developments in this space.
Continued Momentum for AI, Biometric and Neural Data
Neural data has become a significant privacy concern with the rapid growth of wearable devices and brain-computer interfaces. In 2024, California and Colorado amended their privacy laws to extend protections to neural data, sparking broader regulatory interest and prompting advocacy groups to push for ethical standards and stricter consent requirements. Companies developing neural data technologies, including VR applications, brainwave monitoring devices, and other wearables, are investing in advanced encryption, secure storage, and anonymization methods to safeguard this highly sensitive information.
AI also remains a key driver of both cybersecurity advancements and emerging risks in 2025. In response to privacy violations linked to AI-powered tracking in 2024, businesses are increasingly deploying AI tools to improve threat detection, monitor compliance, and secure sensitive data. Cybercriminals have also embraced AI, using it to execute more targeted and complex attacks, such as deepfake impersonation, advanced phishing schemes, automated network breaches, and large-scale data theft.
As AI adoption grows, companies face rising legal and regulatory risks. To address these challenges, businesses should consider comprehensive AI governance frameworks, including regular algorithm audits, bias detection systems, and accountability structures to meet regulatory standards and maintain consumer trust and a high-quality standard of work.
Conclusion
The transition from 2024 to 2025 marks another important moment in the privacy landscape, with escalating state regulatory demands and stricter enforcement reshaping business practices. Companies must embed privacy into their core operations. By investing in privacy-by-design frameworks, adaptive compliance systems, and monitoring of emerging risks, businesses can stay ahead of shifting regulations. Those that anticipate change, take decisive action, and prioritize reasonable data protection as a competitive advantage will not only reduce risks but position themselves as leaders in an era where privacy drives both trust and innovation.
My Health, My Dollar: Amazon’s Health Data Troubles in Washington
Amazon faces allegations of unauthorized data collection in violation of federal and state privacy laws, including a first-of-its-kind claim under Washington’s My Health My Data Act (“MHMDA”).
The MHMDA restricts businesses from collecting, sharing, or selling any-health related information about a consumer without their consent of “valid authorization”, going beyond the typical protections provided by the Health Insurance Portability Accountability Act (“HIPAA”).
The case against Amazon brings into focus the potential repercussions for companies dealing in health-related data and using modern internet tracking technologies for the operation of their websites.
Businesses—especially those dealing in health-related data—must scrutinize their data privacy practices to ensure alignment with an ever-evolving legal landscape.
* * *
Privacy and health law experts no longer need to hold their breath: the first major lawsuit under Washington’s recently enacted MHMDA was filed against Amazon. (Maxwell v. Amazon.com, Inc., No. 2:25-cv-00261 (W.D. Wash. Filed Feb. 10, 2025)). In broad terms, the Western District of Washington lawsuit alleges that Amazon violated federal wiretapping laws and Washington state privacy and consumer protection rules by gathering location data via its software development kits (“SDKs”), which it then used for targeted advertising and third party data sales, all without affirmative user consent or valid authorization.
At the heart of Maxwell is the alleged violation of the MHMDA. Under the MHMDA, a violation is deemed an unfair or deceptive act under the Washington state consumer protection statute (the “Washington CPA”). The case underscores the growing risks companies engaging with consumer health information face in the modern privacy era.
Washington’s My Health My Data Act
Enacted in April 2023 and effected March 2024, MHMDA (HB 1155) represents a significant stride toward enhancing privacy protections related to health data within Washington. Emerging from growing concerns surrounding the misuse of reproductive health data, the Act aims to safeguard personal health information from unauthorized collection, storage, or sale, except where explicit consent is given by individuals.
Specifically, the MHMDA states that a regulated entity or a “small business” may not collect or share any consumer health data except “with consent from the consumer for such collection for a specified purpose” or “to the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.” The Act also applies to a wider range of consumer health data than what is typically covered under HIPAA, obliging entities falling under its scope to meticulously manage health-related data practices and paving the way for increased scrutiny over the efficacy of those practices in protecting sensitive consumer information.
Notably, the MHMDA grants a private right of action to impacted plaintiffs, with remedies that include actual damages and attorney’s fees (plus the potential for an additional award of trebled damages) under the Washington CPA.
Maxwell v. Amazon
The Maxwell case marks the debut of the first private right of action for a MHMDA violation. The putative class action complaint alleges that Amazon improperly accessed and monetized user data obtained through certain location-based apps (e.g., OfferUp and the Weather Channel) equipped with its SDKs, taking advantage of geolocation functions inherent in them. According to the lawsuit, these apps transmitted sensitive information, including biometric and precise location data, which might reflect individuals’ engagements with health services or attempts to acquire or receive health services or supplies—a direct breach of the MHMDA’s stringent privacy mandate.
In addition, the complaint alleges that beyond not obtaining consumer consent, Amazon did not make certain MHMDA-required disclosures, such as failing to: “clearly and conspicuously disclose the categories of consumer health data collected or shared; the purpose of the collection or sharing of consumer health data; the categories of entities with whom the consumer health data is shared; and how the consumer can withdraw consent from future collection.to disclose prior to the data collection the categories of consumer health data collected or shared, the purpose of such alleged data collection, the categories of entities with whom the consumer health data is shared; and how the consumer can withdraw consent from future collection.”
According to the plaintiff, Amazon defies the prohibitions outlined by both federal statutes and the MHMDA because users were unaware of—and thus did not consent to—Amazon’s full data access when using those apps. The complaint asserts that when a mobile app using Amazon’s SDK requests location data access, users are “not provided with an opportunity to grant or deny access to Amazon as well.” The suit seeks not only injunctive relief to halt data practices lacking user consent but also damages for the purported privacy violations.
While the outcome remains uncertain, the first-of-its-kind case will serve as a critical data point in evaluating the MHMDA’s strength and definition in legal environments, drawing parallels to prior claims under California’s privacy laws.
Key Takeaways
Implicated business navigating this novel territory will want to pay close attention to the Maxwell case.
More importantly, those businesses should be sure to normalize regular assessments of their privacy policies and tracking technology functionalities to ensure compliance with, among the patchwork of state privacy laws across the country, the MHMDA.
Legal counsel should guide companies involved in the data-driven market in tailoring strategies to mitigate privacy risks, avoiding hefty fines and legal disputes.