Maryland Clarifies Parental Leave Law: FMLA-Covered Employers Now Exempt
Takeaways:
Starting October 1, 2025, Maryland employers who are covered by the federal Family and Medical Leave Act (FMLA) are no longer required to comply with the state’s unpaid parental leave law.
Senate Bill 785 changes the definition of “employer” under Maryland’s Parental Leave Act to exclude those already covered by FMLA, even if they have between 15 and 49 employees.
Because both laws determine coverage based on employee counts over a 20-week period in the current or previous year, some employers may qualify for FMLA even if they currently have fewer than 50 employees—making them exempt from the state law under the new rule.
Effective October 1, 2025, Maryland employers covered by the federal Family and Medical Leave Act (“FMLA”) will no longer be subject to the state’s unpaid parental leave requirements.
Senate Bill 785, sponsored by Senator Justin Ready, was passed by the Maryland General Assembly and signed into law by Governor Wes Moore on May 6, 2025. The bill amends Maryland’s Parental Leave Act (“PLA”) to reduce overlap with federal law and ease compliance burdens for certain employers.
What Is the Maryland Parental Leave Act?
The Maryland PLA requires employers with 15 to 49 employees in Maryland to provide eligible employees with up to six weeks of unpaid parental leave for the birth, adoption, or foster placement of a child. To qualify, employees must have worked for a covered employer for at least 12 months and logged 1,250 hours in the prior 12 months before leave.
This law was designed to ensure that employees at smaller companies—those not covered by the federal FMLA—still had access to job-protected parental leave. A covered employer for purposes of the FMLA is one with 50 or more employees in 20 or more workweeks in the current or preceding calendar year.
What’s Changing?
Senate Bill 785 changes the definition of “employer” under the PLA. Now, if an employer is already covered by the federal FMLA, they are excluded from the Maryland PLA—even if they have between 15 and 49 employees.
This change prevents employers from being subject to both state and federal leave laws. It simplifies compliance for businesses that already meet federal requirements.
Example: When This Applies
Let’s say a Maryland company has 48 employees in twenty or more workweeks this calendar year. Normally, that would make that employer subject to the Maryland PLA. But if that company had 50 or more employees for at least 20 workweeks in the prior calendar year, it is considered covered by the FMLA for the current year—even if their headcount has since dropped.
Under the new law, that company would no longer have to comply with Maryland’s PLA, because they are already covered by the FMLA.
OCR Reaches Settlement with Small Radiology Provider Over HIPAA Violations Stemming from Breach
On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules. The enforcement action stems from a breach involving unauthorized access to a medical imaging server that exposed the protected health information (“PHI”) of over 21,000 individuals.
OCR initiated its investigation after receiving notification that Vision Upright MRI had experienced a breach involving its Picture Archiving and Communication System (“PACS”) server. The server, which stored and managed radiology images, had been accessed by an unauthorized third party.
OCR’s investigation revealed several key compliance failures:
Vision Upright MRI had not conducted a HIPAA risk analysis, as required by the Security Rule.
Vision Upright MRI also failed to provide timely breach notifications to affected individuals, HHS, and the media, violating the Breach Notification Rule.
To resolve the investigation, Vision Upright MRI agreed to:
Pay a $5,000 monetary settlement to OCR.
Implement a corrective action plan that includes two years of OCR monitoring.
Take remedial steps to improve its HIPAA compliance posture.
Under the corrective action plan, Vision Upright MRI must:
Provide the required breach notifications to affected individuals, HHS, and the media.
Submit a comprehensive risk analysis covering all systems and locations containing ePHI.
Develop and implement a risk management plan to mitigate identified security vulnerabilities.
Create and maintain updated written HIPAA policies and procedures.
Provide HIPAA training to all workforce members with access to ePHI.
OCR Acting Director Anthony Archeval emphasized that HIPAA compliance obligations extend to entities of all sizes, and noted that small providers must conduct “accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”
This latest settlement reinforces OCR’s continued focus on cybersecurity risks in healthcare and the need for all regulated entities, regardless of size, to maintain robust privacy and security programs.
Maryland Delays Start of Paid Family and Medical Leave Program
Hold your horses—Maryland just added a few more furlongs to its race toward paid family leave.
On May 6, 2025, Governor Wes Moore signed House Bill 102 (“the Amendment”), which again pushes back the start date for Maryland’s Family and Medical Leave Insurance Program (FAMLI). This latest delay came as no surprise, given the Maryland Department of Labor’s (MDOL) proposal earlier this year to extend the FAMLI implementation dates because of the “high degree of instability and uncertainty for Maryland employers and workers” created by recent federal actions.
Dates to Begin Contributions and Use Leave Benefits
As we previously discussed, FAMLI will be funded through contributions from employees and employers with 15 or more employees. Although the Amendment does not alter FAMLI’s funding model, the required payroll deductions, previously scheduled to start on July 1, 2025, will now begin on January 1, 2027. The Maryland Secretary of Labor also now has until March 1, 2026, to set the contribution rates for 2027, and then until November 1 of each year to designate the contribution rate for the following calendar year.
Notably, the Amendment does not establish an exact date on which employees can use paid family leave benefits. Instead, the Amendment only directs the Secretary of Labor to announce when the benefits will be available, provided the announcement is not later than January 3, 2028. Previously, benefits were supposed to begin January 1, 2026.
Finally, the minimum and maximum weekly benefit amounts remain unchanged for 2027 and 2028 at $50 and $1,000 respectively. Starting in 2029, however, FAMLI’s maximum weekly benefit amount will be tied to the Consumer Price Index to account for inflation.
Addition of the “Anchor Date”
The Amendment also added the term “Anchor Date,” which is defined as the earlier of the date on which a covered individual completes their FAMLI benefit application or the date the leave began. The state will use the Anchor Date as the new reference point for calculating (i) when an employee is eligible for paid family leave benefits; (ii) the covered employee’s average weekly wage, which is used to calculate the amount in benefits they receive; and (iii) their eligibility for increases in weekly benefits under the Program.
To qualify as a “covered employee” under the amended law, an individual must have worked at least 680 hours over the four completed calendar quarters immediately prior to the Anchor Date. Previously, employees needed only to work at least 680 hours in the four most recently completed calendar quarters before the date the leave began. Additionally, a covered employee’s average weekly wage will be calculated based on the total wages the employee received in the highest of the four completed calendar quarters that immediately precede the Anchor Date.
Finally, any increases to FAMLI’s weekly benefit amount will only apply to paid family leave applications with an Anchor Date that occurs on or after the date the increase becomes effective, except in certain cases where paid family leave benefits are paid intermittently.
Looking Ahead
The Maryland Department of Labor is in the process of developing regulations to help implement FAMLI and has already updated its website to reflect the new dates discussed here. We will continue to keep you updated as circumstances evolve.
2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties
In the first five months of 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced it had entered into ten Health Insurance Portability and Accountability Act (HIPAA) resolution agreements reflecting the settlement of alleged HIPAA violations stemming from data breaches reported to OCR. These settlements span both the Biden and Trump administrations and involve a wide range of covered entities and business associates, from small physician groups to larger hospital authorities and IT service providers. Despite the diversity of organizations and underlying incidents, however, OCR’s enforcement focuses appear strikingly consistent. Each announcement indicates the resolution agreement was intended to cure defects in basic HIPAA Security Rule compliance, with a common emphasis on each organization’s failure to conduct a thorough risk analysis consistent with the HIPAA Security Rule.
Quick Hits
The HIPAA Security Rule requires HIPAA-covered entities and business associates to complete a comprehensive risk analysis, aimed at identifying potential risks and vulnerabilities to the electronic Protected Health Information in their possession.
Since January 1, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights has announced ten resolution agreements with HIPAA-covered entities and business associates that have highlighted the relevant organization’s failure to adhere to the HIPAA Security Rule’s risk analysis requirements.
Penalties for these violations included civil monetary penalties from $25,000 to $3,000,000, and often included requirements to implement a corrective action plan mandating the completion of a risk analysis.
It is no secret that data breaches have many possible root causes, and this reality is reflected in the resolution agreements announced by HHS in the early months of 2025. Indeed, the nature of the underlying data breaches that prompted HHS’s inquiry into each affected entity’s HIPAA compliance posture varied meaningfully. Several involved ransomware attacks that infiltrated healthcare systems and affected patient data, as was seen in the resolution agreements HHS entered into with a New York neurology practice and a public hospital in Guam. Others were triggered by phishing schemes, such as a California health network where dozens of employee email accounts were compromised, exposing nearly 200,000 individuals’ records. There was also an incident of electronic Protected Health Information (ePHI) being left unsecured on internet-facing servers. In each instance, however, OCR’s investigation revealed that the affected organization had not met a fundamental HIPAA Security Rule requirement: conducting an enterprise-wide risk analysis. Accordingly, in each resolution, the regulator identified the entity’s failure to assess and address vulnerabilities in their systems in this manner as a major compliance gap.
The HIPAA Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” One of the methodologies required for meeting this standard involves completing a “risk analysis,” or an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” The penalties assessed by OCR in 2025 for failing to do this are significant. The monetary fines announced in conjunction with the resolution agreements ranged from as little as $25,000 at the low end to as much as $3 million for a national medical supplier that did not conduct a “compliant risk analysis” and subsequently suffered a major data breach after a phishing incident. Other financial penalties fell in between, with midsized providers and service companies typically agreeing to five- or six-figure fines. Beyond the dollar amounts, however, the resolution agreements also included detailed corrective action plans, often requiring several years of close regulatory monitoring and mandating steps such as the completion of thorough risk analyses, implementation of risk management plans, completion of staff training, and regular updates to security policies, all with ongoing HHS involvement and oversight.
These recent OCR actions underscore that performing a HIPAA risk analysis is not an optional or “check-the-box” exercise for covered entities or business associates, but rather is a critical compliance step regulators are focusing on and actively enforcing against. OCR has made risk analyses a focal point of its enforcement initiatives in 2025, signaling to the industry that no organization is too large or too small to be held accountable for this basic requirement. The message for covered entities and business associates is clear: a comprehensive risk analysis is one of the simplest and most effective tools to protect against data breaches, and failing to complete one can directly lead to regulatory scrutiny and meaningful financial consequences.
In light of this enforcement focus, healthcare organizations and companies that provide services to healthcare organizations will be well served to proactively prioritize regular risk analyses and security improvements. Ensuring that all ePHI is accounted for and safeguarded—before an incident happens—is not only a straightforward compliance task, but also a central enforcement focus.
New Mexico Legalizes Medical Use of Psilocybin
On April 7, 2025, New Mexico became the third state to legalize psilocybin (colloquially known as “magic mushrooms” or “shrooms”) for medical purposes. New Mexico is the first state to legalize psilocybin through legislation rather than a ballot initiative, unlike its predecessors Colorado and Oregon, which both did so at the ballot box.
Quick Hits
On April 7, 2025, New Mexico became the third state to legalize access to psilocybin, following Colorado and Oregon.
Employers are not required to accommodate employees under the influence of psilocybin at work.
Under the new law—the “Medical Psilocybin Act”—the following qualifying conditions are listed as eligible for psilocybin treatment: “(1) major treatment-resistant depression; (2) post-traumatic stress disorder; (3) substance use disorders; (4) end-of-life care.” The law also allows the New Mexico Department of Health to promulgate regulations that would add qualifying conditions to that list.
New Mexico’s secretary of health has been tasked with establishing a “medical psilocybin advisory board,” to consist of nine members who have knowledge of the medical use of psilocybin. At least one member must be a member of an Indian nation, one must be a behavioral health advocate, and another must be “a representative of the health care authority.” The law also establishes a research fund to allow New Mexico state universities to research additional medical benefits of psilocybin. Finally, the law establishes an “equity fund” which allows for qualified patients who meet certain income requirements to receive psilocybin treatment.
A key takeaway for employers is that the law does not create a private cause of action for violations of its provisions. Thus, as of now, an employee cannot sue an employer for failing to accommodate his or her medical use of psilocybin. However, underlying Americans with Disabilities Act (ADA) claims could arise from failing to accommodate an employee’s use of psilocybin.
It is likely to take a few years for the psilocybin program to be fully operational. (The law requires the program to be implemented by December 31, 2027.) However, in the meantime, employers in New Mexico may want to review their drug testing and accommodations policies with regard to medical psilocybin for qualified patients. As a reminder, employers are not required to accommodate employees who are under the influence of psilocybin while at work.
What Means Means for Mushrooms and Marijuana: How Might Trump’s Surgeon General Nominee Shift the Conversation for Cannabis and Psychedelics?
Earlier this month, President Trump tapped “physician-turned wellness influencer” Casey Means as his nominee for surgeon general. Means has close ties to Health and Human Services Secretary Robert F. Kennedy Jr., and Trump has touted her “impeccable” Make America Health Again (MAHA) credentials. We’ve written previously on what impact Trump’s second presidency could have on American cannabis and psychedelic policy, but Means’ public statements on cannabis and psychedelics got us pondering on how she may shift the conversation.
We’ll start with the good news for those who are proponents of expanding access to psychedelics. Means has been vocal about her support of psychedelic therapy. In her 2024 book Good Energy: The Surprising Connection Between Metabolism and Limitless Health, Means touted her positive experience with psychedelics. She described her experience and encouraged those who felt so called “to explore intentional, guided psilocybin therapy.” She explained that “[s]trong scientific evidence suggests that this psychedelic therapy can be one of the most meaningful experiences of life for some people” as it had been for her. She states:
If the word psychedelics makes you cringe, I used to be in your position. I spent my childhood and young adult life being extremely judgmental about the use of any type of drug. But I became interested in plant medicine and psychedelics after learning more about their extensive traditional use, analyzing the groundbreaking research… Our brains are profoundly suffering in modern society right now, and I believe that anything that can safely increase neuroplasticity and ground us in more gratitude, awe, connection, and a sense of cosmic safety should be taken very seriously.
She went on to describe her experience on psilocybin as “bask[ing] in the moon’s bright rays… experience[ing] the embodiment of being one with the moon, every star, every atom in the grains of sand I was sitting on, and my mother in an inextricable and unbreakable chain of universal connectedness for which the human concept of ‘death’ was no match.”
She’s also referenced and advocated for the “plant medicine” psilocybin on her blog. In one post she explained that one of the modalities she has gone “deepest in” included “plant medicine (psilocybin).”
But Means’ position on cannabis isn’t as rosy. Means has expressed opposition to marijuana, saying in her book that “people who use cannabis as well as tobacco products should stop these completely” because they will “hurt your mitochondria and vastly diminish your ability to make Good Energy.” She goes on in her book to say:
There has always been suffering in the world, but now we can see exponentially more of it than ever, all at once, on screens we hold in our beds and at the dinner table. In response, modern humans have looked for salvation and coping anywhere we can get a hit of dopamine-fueled ‘pleasure’ and distraction: things like processed sugar, alcohol, soda, refined carbs, vapes, cigarettes, weed, porn, dating apps, email, texts, casual sex, online gambling, video games, Instagram, TikTok, Snapchat, and the relentless novelty of experiences.
She remains critical on her blog as well. It’s not hard to read Means’ statements and assume that anyone using cannabis is doomed to end up like the character in Afroman’s hit 2000’s bop “Because I Got High.”
What this means (pun intended) for proponents of expanded access to cannabis and psychedelics is difficult to say for sure.
As an initial matter, Means still has to be confirmed, and she’s already faced “pushback on multiple fronts.” Means has drawn criticism for not having a current medical license, including from former surgeons general, as well as questions about whether she should even be eligible to be surgeon general. She’s also received criticism from some in the MAHA camp for not taking a strong enough stance on other issues. In other words, in a political climate where nothing is certain, there is far from any guarantee that Means will be confirmed as the new surgeon general.
If she is confirmed, we think she’ll take the approach we’ve seen many proponents of psychedelics take to advance them as medicine. The political climate is ripe to do so. Bipartisan lawmakers this month asked Trump’s head of the U.S. Department of Veterans Affairs to meet with them “to discuss ways to provide access to psychedelic medicine for military veterans.” At a cabinet meeting, VA Secretary Doug Collins advised Trump that his agency was “opening up the possibility of psychedelic treatment for veterans.” The leader of the MAHA movement, RFK Jr., even discussed the “wonderful experience” he had with LSD when he was younger.
We remain skeptical that even with the confirmation of Means we will see significant psychedelic reform, but we do think it makes it more likely that we would see more science-based reform efforts, focused on scientific and medicinal benefits. We’re less sure about what it may mean for any meaningful cannabis reform. As Marijuana Moment noted on the issue recently, Trump endorsed rescheduling, industry banking access for cannabis businesses, and a Florida legalization ballot initiative, but these issues seem to have taken a backseat for key officials and lawmakers.
So, I guess that brings us back where it all begins. Does Means mean business when it comes to psychedelic or cannabis reform? And even if she does, is there the political interest and will amongst the relevant agencies and Congress to see those changes through? Only time will tell, but we’ll stay on top of it so you don’t have to.
Cal/OSHA’s Latest on Lead Exposure: Clarification for the Construction Industry
On May 5, 2025, the California Department of Industrial Relations made an important announcement that affects employers in the construction industry. Cal/OSHA has clarified lead exposure prevention guidance specific to protecting workers conducting dry abrasive blasting while performing construction work.
California’s recently amended lead standards for the construction industry went into effect on January 1, 2025 (California Code of Regulations, title 8, section 1532.1) as part of a broader effort to provide greater protection for workers from the health effects tied to lead exposure. These requirements, which are generally more protective than existing federal regulations, emphasize an increase in the use of protective measures, including substitution, engineering controls, and administrative controls.
According to Cal/OSHA’s guidance, employers must assess their workers’ exposure to lead when conducting abrasive blasting. Until the employer completes the assessment, dry abrasive blasting is currently limited to five hours a day, dropping to two hours per day in 2030. After completing the assessment, there is no time limit, but exposure must stay below the permissible regulatory limit of 25 micrograms per cubic meter of air. Beginning January 1, 2030, this limit drops to 10 micrograms.
Cal/OSHA directs employers to Table 1 of section 5144 to determine respirator protection factors. Using respirators can help manage lead exposure, but they must be used correctly to be effective.
Pressing Pause: Federal Agencies Halt Enforcement of Mental Health Parity Rule
On May 15, 2025, the Departments of Labor, Health and Human Services and the Treasury (the Departments) announced a non-enforcement policy regarding the final rule issued in September 2024 under the Mental Health Parity and Addiction Equity Act (MHPAEA) (the 2024 Final Rule).
This announcement comes after President Donald J. Trump issued Executive Order 14219 earlier this year, directing federal agencies to review regulations to identify those that are unconstitutional, otherwise not supported by statutory language, harm the national interest or place undue burdens on small businesses or private parties that are not outweighed by public benefits.
The enforcement pause also comes in the wake of a lawsuit filed by the ERISA Industry Committee (ERIC) in the United States District Court for the District of Columbia challenging the Nonquantitative Treatment Limitations (NQTL) requirements of the 2024 Final Rule on the grounds that they are arbitrary and capricious and contrary to law. In their announcement, the Departments requested that the ERIC litigation be stayed while they reconsider whether to rescind the 2024 Final Rule in its entirety in accordance with Executive Order 14219.
In the event the Departments choose not to rescind the 2024 Final Rule, the non-enforcement policy still provides a significant amount of runway before plan sponsors will be required to comply with the 2024 Final Rule as the Departments have stated that they will not enforce the 2024 Final Rule until a final decision in the ERIC litigation is issued and for an additional 18 months thereafter.
What Does This Mean for Plan Sponsors?
Importantly, this enforcement relief does not modify the provisions of the Consolidated Appropriations Act of 2021 (CAA of 2021) that the regulations were meant to implement, cease all enforcement activities related to the MHPAEA, or invalidate previous guidance issued by the Departments related to mental health parity. Rather, it only applies to those portions of the 2024 Final Rule that implemented the CAA of 2021 and were considered new, for example:
Updated evidentiary standards and processes related to a plan’s NQTLs, including the need to collect and evaluate outcomes data;
New standards associated with a plan’s NQTL Comparative Analysis, including: (i) content requirements of the NQTL comparative analysis itself; (ii) the fiduciary certification requirements;
New definitions for key terms under MHPAEA; and
The meaningful benefits requirement.
As a result, although this enforcement pause is extremely welcome and does provide substantial relief to plan sponsors and third-party administrators attempting to implement the significant changes described above, plan sponsors must continue to comply with the mental health parity requirements set out in the MHPAEA, the 2013 final rule, and related subregulatory guidance, as there is no indication that the Departments will cease general investigation and enforcement of the MHPAEA. Plan sponsors should also consider whether any action is required to comply with the NQTL Comparative Analysis provisions of the CAA of 2021.
6 Signs You Should Contact a Personal Injury Lawyer Immediately
An unexpected injury can leave you with a lot of questions, especially if it occurred due to someone else’s negligence. Whether it was a car accident, a fall, or something else, knowing when to contact a personal injury lawyer can be unclear.
In Michigan, your rights are protected, but timing matters. Below are six signs it might be time to speak with a lawyer and why reaching out sooner can make all the difference.
1. You’re Facing Expensive Medical Bills
Even with insurance, medical care can be costly. If your injuries require emergency care, follow-ups, physical therapy, or long-term treatment, those expenses can pile up fast. A lawyer can help you seek compensation for current and future medical costs.
2. You Missed Work Because of the Injury
Lost wages can have a serious impact on your financial stability. Whether you were out for a few days or you’re unable to return to your job at all, you may be entitled to recover those losses. A personal injury attorney can help you calculate and claim that income.
3. The Insurance Company Is Delaying or Denying Your Claim
If your claim is being ignored, undervalued, or denied outright by an insurance company, it’s a strong sign you need legal backup. A lawyer knows how to deal with adjusters and can help ensure you’re treated fairly.
4. You’re Unsure Who Was at Fault
If liability is unclear or if multiple parties are involved, things can quickly become complicated. A personal injury lawyer can investigate what happened, gather evidence, and identify who’s legally responsible.
5. You’re Being Blamed for the Accident
If the other party or their insurance company is accusing you of causing the incident, you should have someone in your corner. Comparative fault laws vary by state, and being wrongly blamed can significantly reduce or eliminate your compensation.
6. Your Injuries Are Serious or Life-Altering
When an injury leads to long-term disability, chronic pain, or permanent damage, the stakes are much higher. These cases often involve complex legal and medical issues, and having an experienced attorney on your side can make a big difference in the outcome.
Final Thoughts
Navigating the aftermath of an injury can be overwhelming. In Michigan, it’s important to act promptly, as the statute of limitations for most personal injury claims is three years from the date of the injury. Delaying action could jeopardize your ability to seek compensation.
Cybersecurity in Digital Health: Why HIPAA Compliance Alone Is Not Enough for M&A Success
In today’s health care landscape, cybersecurity is not only an operational concern — it is quite literally a dealbreaker in corporate transactions. For digital health companies eyeing growth through mergers and acquisitions (M&A), cybersecurity due diligence is now a deal-defining factor. Increasingly, buyers are demanding rigorous proof of HIPAA compliance, a mature cybersecurity program, and an articulate explanation of any cybersecurity incidents and how the target handled them. Weaknesses in any of these areas can quickly turn a promising opportunity into a missed one.
Cybersecurity Due Diligence Is Now Deal Diligence
A company’s cybersecurity posture directly impacts valuation, closing timelines, and integration. Buyers are not only reviewing documentation, they are assessing historical vulnerabilities, breach response protocols, and the strength of cybersecurity governance. If risks surface late in the due diligence process, deals can fall through or valuations may be significantly reduced. Worse still, buyers may inherit undisclosed weaknesses, exposing these buyers to post-close litigation, regulatory fines, and reputational damage.
Forward-thinking CEOs are responding by proactively preparing for digital health M&A readiness — conducting internal audits and penetration testing, strengthening their HIPAA compliance, and demonstrating a culture of security through strong governance and stakeholder involvement.
Showcase Incident Response to Build Buyer Confidence
One of the most powerful, and most often overlooked, signals to a buyer is the target company’s track record in responding to past incidents. If properly managed and documented, a prior data breach or threat event can become a credibility builder rather than a red flag.
Buyers want to see:
A clear, documented, tested, and up-to-date incident response plan
Timely HIPAA breach notifications and regulatory compliance
A thorough assessment of any incidents that were not treated as breaches (e.g., where individuals or regulators were not notified)
Evidence of remediation, including system hardening and employee training
Board and leadership involvement in crisis management
Showcasing your health care data incident response process, whether through tabletop exercises or past real-world events, signals operational maturity and reduces buyer uncertainty. A claimed absence of any breach history is itself a red flag for data-intensive or heavily regulated targets. A seller that routinely handles large volumes of personally identifiable information or HIPAA-protected health information and claims never to have experienced a data breach is likely to be viewed skeptically by prospective buyers who understand how improbable that is. The credible answer is usually not “none,” but a documented incident history, including incidents that were assessed and determined not to be reportable breaches, with the assessment and remediation on record.
Beyond HIPAA: Cyber Risk Management as a Strategic Imperative
HIPAA compliance remains essential, but it’s no longer sufficient for true cybersecurity readiness. HIPAA was not designed to account for today’s attack vectors — ransomware, API vulnerabilities, or third-party SaaS breaches. A narrow focus on the HIPAA Security Rule misses the broader challenge of managing cyber risk across an expanding digital ecosystem.
Digital health CEOs must adopt a risk management strategy that evolves with their platform. This includes:
Conducting dynamic, scenario-based risk analyses and assessments
Embedding security into product development and data infrastructure
Treating cybersecurity as a board-level and investor-facing priority
Investing in modern threat detection, zero-trust architectures, and breach containment protocols
Identifying and partnering with incident response firms and forensic investigators during peacetime so that those partners can promptly assist in the wake of an incident
In short, HIPAA compliance helps avoid penalties, but true cyber risk management builds trust, partnerships, and company value.
What CEOs Should Be Doing Now
More than a defensive posture, cybersecurity is now a source of strategic differentiation. Enterprise clients, payors, and health systems increasingly make cybersecurity maturity a precondition to doing business. Pre-go-live audits by payors and health systems are now common occurrences.
Preparing for cybersecurity scrutiny has become foundational. Whether planning for M&A, raising capital, or entering payor-provider partnerships, strong cybersecurity maturity is now table stakes.
To get there, companies should prioritize the following action items:
Conduct a comprehensive, enterprise-wide HIPAA security risk analysis and cyber risk audit and update those audits regularly
Enforce due diligence across all third-party vendors — it is not enough to simply sign business associate agreements (BAAs)
Encrypt protected health information (PHI) maintained in all environments, from app to cloud to mobile
Train your workforce to recognize and respond to threats through role-based security simulations, such as red-team penetration tests
Regularly run incident response drills to prove real-world readiness
Establish an insurance program that accounts for the risks the company may face
Review past incidents and breaches for lessons learned
Looking Ahead
With AI-powered diagnostics, remote monitoring platforms, and interoperable patient engagement tools on the rise, cybersecurity risk in digital health will only become more complex. Companies that bake security into their DNA — not just their IT stack — will earn trust, win contracts, and scale responsibly.
Utah Law Aims to Regulate AI Mental Health Chatbots
Those in the tech world and in medicine alike see potential in the use of AI chatbots to support mental health—especially when human support is unavailable, or therapy is unwanted.
Others, however, see the risks—especially when chatbots designed for entertainment purposes can disguise themselves as therapists.
So far, some lawmakers agree with the latter. In April, U.S. Senators Peter Welch (D-Vt.) and Alex Padilla (D-Calif.) sent letters to the CEOs of three leading artificial intelligence (AI) chatbot companies asking them to outline, in writing, the steps they are taking to ensure that the human interactions with these AI tools “are not compromising the mental health and safety of minors and their loved ones.”
The concern was real: in October 2024, a Florida parent filed a wrongful death lawsuit in federal district court, alleging that her son committed suicide with a family member’s gun after interacting with an AI chatbot that enabled users to interact with “conversational AI agents, or ‘characters.’” The boy’s mental health allegedly declined to the point where his primary relationships “were with the AI bots which Defendants worked hard to convince him were real people.”
The Florida lawsuit also claims that the interactions with the chatbot became highly sexualized and that the minor discussed suicide with the chatbot, saying that he wanted a “pain-free death.” The chatbot allegedly responded, “That’s not a reason not to go through with it.”
Another lawsuit in Texas, meanwhile, claims that a chatbot commiserated with a minor over a parent’s time-use limit for a phone, mentioning news headlines such as “child kills parents.”
In February 2025, the American Psychological Association urged regulators and legislators to adopt safeguards. In their April 2 letters described above, the senators informed the CEOs that the attention that users receive from the chatbots can lead to “dangerous levels of attachment and unearned trust stemming from perceived social intimacy.”
“This unearned trust can [lead], and has already[ led,] users to disclose sensitive information about their mood, interpersonal relationships, or mental health, which may involve self-harm and suicidal ideation—complex themes that the AI chatbots on your products are wholly unqualified to discuss,” the senators assert.
Utah’s Solution
States are taking note. In line with national objectives, Utah is embracing AI technology and innovation while still focusing on ethical use, protecting personal data/privacy, ensuring transparency, and more.
Several of these new Utah laws have broad-reaching implications across a variety of sectors. For example:
The Artificial Intelligence Policy Act (B. 149) establishes an “AI policy lab” and creates a number of protections for users and consumers of AI, including requirements for healthcare providers to prominently disclose any use of generative AI in patient treatment.
The AI Consumer Protection Amendments (B. 226) limit requirements regarding the use of AI to high-risk services.
The Unauthorized Artificial Intelligence Impersonation Amendments (B. 271) protect creators by prohibiting the unauthorized monetization of art and talent.
Utah’s latest AI-related initiatives also include H.B. 452, which took effect May 7 and which creates a new code section titled “Artificial Intelligence Applications Relating to Mental Health.” This new code section imposes significant restrictions on mental health chatbots using AI technology. Specifically, the new law:
establishes protections for users of mental health chatbots using AI technology;
prohibits certain uses of personal information by a mental health chatbot;
requires disclosures to users that a mental health chatbot is AI technology, as opposed to a human;
places enforcement authority in the state’s division of consumer protection;
contains requirements for creating and maintaining chatbot policies; and
contains provisions relating to suppliers who comply with policy requirements.
We summarize the key highlights below.
H.B. 452: Regulation of Mental Health Chatbots Using AI Technology
Definitions. Section 13-72a-101 defines a “mental health chatbot” as AI technology that:
Uses generative AI to engage in interactive conversations with a user, similar to the confidential communications that an individual would have with a licensed mental health therapist; and
A supplier represents, or a reasonable person would believe, can or will provide mental health therapy or help a user manage or treat mental health conditions.
“Mental health chatbot” does not include AI technology that only:
Provides scripted output (guided meditations, mindfulness exercises); or
Analyzes an individual’s input for the purpose of connecting the individual with a human mental health therapist.
Protection of Personal Information. Section 13-72a-201 provides that a supplier of a mental health chatbot may not sell to or share with any third party: 1) individually identifiable health information of a Utah user; or 2) the input of a Utah user. The law exempts individually identifiable health information—defined as any information relating to the physical or mental health of an individual—that is requested by a health care provider, with user consent, or provided to a health plan of a Utah user upon request.
A supplier may share individually identifiable health information necessary to ensure functionality of the chatbot if the supplier has a contract related to such functionality with another party, but both the supplier and the third party must comply with all applicable privacy and security provisions of 45 C.F.R. Part 160 and Part 164, Subparts A and E (see the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)).
Advertising Restrictions. Section 13-72a-202 states that a supplier may not use a mental health chatbot to advertise a specific product or service absent clear and conspicuous identification of the advertisement as an advertisement, as well as any sponsorship, business affiliation, or third-party agreement regarding promotion of the product or service. The chatbot is not prohibited from recommending that the user seek assistance from a licensed professional.
Disclosure Requirements. Section 13-72a-203 provides that a supplier shall cause the mental health chatbot to clearly and conspicuously disclose to a user that the chatbot is AI and not human—before the chatbot features are accessed; before any interaction if the user has gone seven days without access; and any time a user asks or prompts the chatbot about whether AI is being used.
Affirmative Defense. Section 58-60-118 allows for an affirmative defense to liability in an administrative or civil action alleging a violation if the supplier demonstrates that it:
created, maintained, and implemented a written policy, filed with the state’s Division of Consumer Protection, which it complied with at the time of the violation; and
maintained documentation regarding the development and implementation of the chatbot that describes foundation models; training data; compliance with federal health privacy regulations; user data collection and sharing practices.
The law also contains specific requirements regarding the policy and the filing.
Takeaways
A violation of the Utah statute carries an administrative fine of up to $2500 per violation, and the state’s Division of Consumer Protection may bring an action in court to enforce the statute. The attorney general may also bring a civil action on behalf of the Division. As chatbots become more sophisticated, and more harms are realized in the context of mental health, other states are sure to follow Utah’s lead.
Noteworthy False Claims Act Settlement Demonstrates DOJ’s Continued Scrutiny of Arrangements Between Hospitals and Physician Practices
On May 14, 2025, Fresno Community Hospital and Medical Center d/b/a Community Health System (CHS) and its technology partner, Physicians Network Advantage, Inc. (PNA), agreed to pay $31.5 million and enter into a Corporate Integrity Agreement to settle allegations of violating the federal anti-kickback statute (AKS) and physician self-referral law (Stark Law) under the False Claims Act (FCA). The alleged conduct at issue revolved around CHS’s plan beginning in 2013 to assist local area physicians in their adoption of the electronic health records (EHR) platform used by CHS and its establishment of PNA to support that goal. For decades, the government has strongly promoted the adoption of interoperable EHR platforms by physician practices (e.g., Meaningful Use payments), given that EHR systems allow for better care coordination, increased efficiency, and improved patient experience. Moreover, as described in more detail below, the Department of Health and Human Services (HHS) adopted an AKS safe harbor and Stark Law exception that allowed certain entities, including hospitals, to donate EHR technology and services to physicians if certain conditions are satisfied. However, CHS’s and PNA’s alleged conduct exceeds what is permissible under the relevant safe harbor and exception.
Background
CHS operates a network of hospitals across Fresno County, California, delivering health care services to beneficiaries of federal health care programs. PNA, founded in 2010 with financial and operational support from CHS, focused on expanding EHR technology in physician offices.
A relator – PNA’s former Controller – sued PNA and CHS along with another health system, health foundation, physician group, and individuals on behalf of the United States for alleged FCA, AKS, and Stark Law violations. The Settlement Agreement described the following conduct provided to induce referrals of business reimbursable by federal health care programs:
PNA’s headquarters included a posh space known as “HQ2,” where health care providers received high-end hospitality—such as fine wine, liquor, cigars, and catered food.
CHS and PNA provided substantial financial subsidies and cost reductions for EHR services to a large physician practice, including deferring upfront costs.
CHS and PNA allegedly supplied grants to a large physician network to pay for EHR-related software and subsidize upfront cost-sharing amounts related to EHR items and services.
CHS purportedly issued grants to certain providers and medical practices before formal EHR contracts were in place.
The relator alleges that he first discovered the defendants’ kickbacks following a fire at PNA headquarters, which revealed a surplus of expensive wine that a defendant told the relator was left over from a holiday party. The relator, while serving as PNA’s Controller, began to dig further into PNA’s business expenses. The relator confronted PNA’s sole shareholder and officer, who allegedly refused to discontinue the illegal conduct, and the relator then resigned from his position as Controller.
EHR Technology
As noted above, HHS recognizes the importance of supporting the adoption of EHR technology as evidenced by the AKS’s EHR safe harbor and the Stark Law’s EHR exception. The EHR safe harbor and exception allow hospitals and health systems to provide interoperable EHR technology to physician practices under specific conditions, including structuring the arrangements to avoid improper inducements for referrals.
While hospitals and health systems may offer EHR subsidies and cost reductions compliantly, CHS’s EHR subsidies and cost reductions purportedly failed to meet the AKS EHR safe harbor or Stark Law EHR exception because:
The subsidies and cost reductions were allegedly provided in return for referrals of patients to CHS for services reimbursed by federal health care programs, violating both the AKS safe harbor and Stark Law exception, which prohibit any link between financial benefits and the volume or value of referrals.
The arrangements allegedly included delayed collection of upfront cost-sharing for the EHR items or services, and the applicable Stark Law exception requires the physician practice to contribute 15% of the cost before receiving the EHR items or services.
The settlement does not indicate that the EHR donations were governed by written agreements that clearly specified the items/services, cost, and recipient contribution—requirements under both the AKS safe harbor and Stark Law exception.
Conclusion
This settlement is yet another example of the Department of Justice’s continued focus on enforcing Stark Law and AKS violations by hospitals and health systems. For more context, see our analysis of 2024’s key FCA settlements here.