HHS Secretary Kennedy Directs FDA to Explore Rulemaking to Eliminate Self-Affirmed GRAS Pathway
On March 10, 2025, the Department of Health & Human Services (HHS) Secretary Robert F. Kennedy Jr. announced that he is directing the U.S. Food & Drug Administration (FDA) “to explore potential rulemaking to revise its Substances Generally Recognized as Safe (GRAS) Final Rule and related guidance to eliminate the self-affirmed GRAS pathway.”
This self-affirmation process is built into the 1958 Food Additive Amendments, which amended the definition of a “food additive” and allows certain substances to be exempt from premarket review if they are GRAS based on scientific procedures or history of use in food as determined by qualified experts. Notably, the announcement also specifically references “substances that come into contact with food.”
The announcement is made to promote oversight and transparency. The announcement expresses a commitment to working with Congress to close the GRAS self-affirmation pathway and acknowledges that legislation will be pursued in tandem with potential future rulemaking.
Importantly, there is no immediate effect on ingredients currently marketed, allowing companies to continue their operations without disruption while FDA explores potential rulemaking. Keller and Heckman will continue to monitor developments related to the GRAS program.
Telehealth Companies and Social Media Influencers May Face New FDA Laws
On February 20, 2025, U.S. Senators Dick Durbin (D-IL) and Roger Marshall, M.D. (R-KS) introduced bipartisan legislation, the Protecting Patients from Deceptive Drug Ads Act (the Act), which closes perceived “legal loopholes” in social media advertisements by telehealth companies. The Act would require the U.S. Food & Drug Administration (FDA) to target false and misleading prescription drug promotions by social media influencers and telehealth companies.
Background
Whether or not telehealth companies are under FDA jurisdiction when marketing and promoting prescription drugs has been under debate since The New York Times published its 2019 article, Drug Sites Upend Doctor-Patient Relations: ‘It’s Restaurant-Menu Medicine’. The report called into question whether telehealth companies are — or ought to be — subject to FDA oversight when advertising drugs and medical devices. Subsequent investigative reporting alleged how some telehealth companies ran ads on social media describing benefits of prescription drugs but failing to describe the risks of these drugs. Reporters claimed telehealth companies promoted drugs for unapproved uses or featured “testimonials” without disclosing whether or not the testimonials came from actual patients or were from paid actors or company employees.
Under the Federal Food, Drug, and Cosmetic Act (FDCA), advertisements for prescription drugs may not be false, lacking in fair balance, or otherwise misleading. Any advertisements for prescription drugs (with the narrow exception of exempt reminder ads), must present a true statement of information in brief summary relating to side effects, contraindications, and effectiveness. The term “side effects, contraindications” means side effects, warnings, precautions, and contraindications, and also includes any such information under such headings as cautions, special considerations, important notes, etc.
Some have claimed these FDCA legal requirements, although clearly applicable to drug manufacturers, packers, and distributors, do not apply to telehealth companies and associated medical providers because the telehealth company and their associated providers are not addressed in the FDCA and not included in the definition of “firm” under applicable FDA Guidance documents. Under this argument, telehealth companies and their associated providers are not subject to these drug advertising laws in their direct-to-consumer marketing campaigns. Former FDA Commissioner Robert Califf observed how a number of online advertisements by telehealth companies fail to give the complete risk-benefit story (something drug manufacturers must do), as he noted how the FDA lacks the legal authority to regulate the advertising activities of such telehealth companies.
What’s Next?
If signed into law, the Protecting Patients from Deceptive Drug Ads Act would extend FDA’s jurisdiction to specifically include market surveillance of social media influencers and health care providers for whom a financial benefit exists when such communications contain false or inaccurate statements, omits labeling or other key facts regarding a medication, or fails to include traditional risk and side effect disclosures. The Act authorizes FDA to issue warning letters and civil penalties for non-compliance.
The Act is a bipartisan effort and the controversy surrounding telehealth advertising of prescription drugs is not new. We do not anticipate this issue will fade away soon, although similar legislation previously proposed did not pass. Whether this bill can garner sufficient support remains to be seen. What is clear is there is a growing concern among federal policymakers about what they consider unsafe and imbalanced advertisements for prescription drugs by telehealth companies. Given this climate, a best practice is to ensure advertisements and marketing campaigns are reviewed by skilled advisors who can maintain the effective impact of direct-to-consumer promotions while reducing the legal risk of non-compliant advertising campaigns. As the Act moves through Congress, we will provide updates.
Want to Learn More?
Regulation of Digital Health Products by FDA
FDA’s Final Rule on Direct-to-Consumer Advertising – Presentation of Risk Information
DTC Promotional Labeling and Advertisements: Quantitative Efficacy Wins Over FDA in Final Guidance on Presenting Risk Information
Scientific Information on Unapproved Uses of Medical Products: FDA’s Final Guidance on Firm Communication to Health Care Providers
Alert: New Mexico Is a Step Closer to Legalizing the Supervised Use of Psilocybin
We’ve previously highlighted psilocybin as an alternative treatment for various neuropsychiatric disorders, including anxiety, depression, and PTSD, along with legislative efforts at the state and federal levels to legalize and regulate the psychedelic drug. On March 12, 2025, New Mexico advanced its initiative to establish a therapeutic psilocybin program in the state.
By a bipartisan vote of 33-4, the New Mexico Senate passed Senate Bill 219, also known as the Medical Psilocybin Act, which now awaits a vote in the House of Representatives. If enacted, the bill would allow physicians to prescribe psylocybin to patients suffering from specific qualifying conditions such as major treatment-resistant depression, PTSD, substance use disorders, end-of-life care, and other conditions approved by the state’s Department of Health.
The bill defines psilocybin as “the naturally occurring psychedelic compound 4-phosphoryloxy-N,N-dimethyltryptamine, also known as 4-PO-DMT, and its pharmacologically active metabolite psilocin, 4-hydroxy-N,Ndimethyltryptamine, found in certain mushrooms, but does not include synthetic or synthetic analogs of psilocybin”. The bill proposes the establishment of a nine-member medical psilocybin advisory board to, among other things, “review and recommend to the [health] department for approval medical conditions that may benefit from the medical use of psilocybin” and “recommend formulation or preparation rules and dosage standards for psilocybin”. If the bill is enacted, New Mexico would join Oregon and Colorado as the only states to legalize the supervised use of psylocybin.
Not Much of a Thank You: TRICARE Contractor Resolves $11M False Claims Act Liability for Known Cybersecurity Violations
February 2025 saw an important False Claims Act settlement involving allegations of known cybersecurity failures by Health Net Federal Services Inc. (HNFS), a government contractor that provides TRICARE healthcare management services to active duty military members and their families. HNFS as well as its parent corporation Centene agreed to pay just over $11 million to resolve alleged false claims submitted to the U.S. Department of Defense.
While American values dictate that we thank service members for their role in protecting our freedoms, this government contractor instead chose to submit false claims in order to keep up their deal with the Department of Defense. Ultimately, it was taxpayers who footed the bill for fraud and false claims with government contractors. Taxpayers should never pay for shoddy services, especially not when it comes to healthcare and protecting personal and sensitive data relating to military members and their families.
The Allegations Against Health Net Federal Services, LLC and Centene Corporation
According to the DOJ, parent corporation Centene and its subsidiary Health Net Federal Services (HNFS) failed to meet these minimum cybersecurity protocols between the period of 2015 and 2018 while providing data management services to the U.S. Department of Defense through its administration of TRICARE. HNFS may have exposed U.S. service members’ personal and health data, as well as that of their families, due to failing to scan for known vulnerabilities and patching known security flaws. The networks and systems maintained by HNFS during this three year period were reported by third party security auditors as well as the company’s own internal audit department for being inadequate in terms of:
Asset management
Access controls
Flawed configuration settings
Weak firewalls or lack of firewalls in use
End-of-life hardware and software in place
Lack of patch management
Vulnerability scanning
Shoddy password policies
HFNS not only allegedly failed to install updates from vendors that would have countered known threats; they also allegedly falsely certified compliance with annual reports to DHA in order to keep their government contract with TRICARE. In order to resolve these allegations, the company Centene Corporation, which acquired all shares of HFNS as well as its liabilities, has agreed to pay $11,253,400. The matter was resolved in collaboration with the U.S. Department of Justice Civil Division’s Commercial Litigation Branch (Fraud Section) and the U.S. Attorney’s Office for the Eastern District of California, as well as with assistance from the DoD Office of Inspector General, the DCIS, Cyber Field Office Western Region, the Inspector General’s Office of Audits, Cyberspace Operations Directorate, and the DoD’s Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center.
What Is TRICARE?
TRICARE is a federal health insurance program administered by the U.S. Department of Defense and its contracts. TRICARE provides healthcare coverage to qualifying members of the U.S. military and their families, including:
Active duty service members and their families
National Guard and Reserve members and families
Medal of Honor recipients and their families
Survivors
Children
Former spouses
TRICARE is similar to Medicare in that it is a primary health insurance provider funded by taxpayer dollars and administered by a federal agency. While Medicare covers older Americans ages 65 and up, TRICARE provides medical, dental, and pharmacy coverage for U.S. military members, veterans, and family members. Because of this, TRICARE also maintains personal and sensitive data for military members, including some confidential location information for active duty personnel. Like all health data, TRICARE records include HIPAA-protected information and other confidential information, which can be exposed to data breaches by criminal hackers and contractors who do not take their cybersecurity obligations seriously. TRICARE breaches are especially troubling because they can lead to the unlawful dissemination of protected information that compromises individual health privacy and potentially national security.
Federal Healthcare Programs Are Vulnerable to Cybersecurity Breaches
Acting U.S. Attorney Michele Beckwith for the Eastern District of California spoke about the HNFS settlement, saying “Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance. When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”
Both healthcare and defense spending for government contracts are two of the most at-risk areas for fraud, waste, and abuse. Taxpayers lose billions of dollars every year to government contractors and healthcare organizations that take advantage of federal healthcare programs like Medicare, Medicaid, and TRICARE, with an estimated 10% of program expenses at risk. Meanwhile, the Government Accountability Office reports that the U.S. Department of Defense is particularly vulnerable to false or fraudulent claims involving overbilling, billing for work never performed or services not rendered to beneficiaries, fraudulent bid submissions, non-competitive bids, the provisions of substandard parts or services, and the failure to disclose data breaches and other cybersecurity risks.
How Whistleblowers Can Protect Americans Through the False Claims Act
Under the U.S. Department of Justice’s Civil Cyber Fraud Initiative, private companies that contract with the federal government are obligated to uphold certain minimum cybersecurity standards. When they fail to do so, or falsely certify compliance with cybersecurity requirements, they can be held accountable under the False Claims Act for treble damages and penalties to the federal government. Through a qui tam lawsuit, whistleblowers who report on these kinds of violations can also receive a percentage of the government’s total recovery. These percentages can range from 10% to 30% of the final settlement. The False Claims Act imposes treble damages upon violators, as well as individual penalties for each false claims of up to $13,946 to $27,894 per violation. The law also allows whistleblowers (known as relators) who meet certain eligibility requirements and are the first to report cybersecurity fraud, government contractor fraud including DOD fraud, or healthcare fraud a reward for their inside information.
Whistleblowers can come from all walks of life and may include current or former employees of any potential defendant such as employees of government contractors, health care entities, or any regulated company, non-employees (examiners, competitors, clients, customers, auditors, reviewers, consultants, industry experts), anyone with evidence and knowledge of fraud involving government money. As long as you come forward willingly and in a timely manner you may be able to bring a qui tam case with the help of a qui tam lawyer and recover a reward. There are also additional protections for employees, including cybersecurity professionals, who speak up. These may include:
The option to initially report anonymously through a qui tam law firm
A federal right of action to sue for reinstatement if you are fired from your company as a result of your protected disclosure
Up to double back pay with interest from the period during which you were demoted, suspended, or let go
Possible front pay, in cases where reinstatement is not possible
Additional damages and attorneys’ fees.
McDermott+ Check-Up: March 14, 2025
THIS WEEK’S DOSE
Congress Debates Government Funding. A continuing resolution (CR) to fund the government through September passed the House and will very likely pass the Senate today.
Senate HELP Committee Advances NIH, FDA Nominations, Meanwhile White House Pulls CDC Director Nomination. National Institutes of Health (NIH) director nominee Jay Bhattacharya and US Food and Drug Administration (FDA) commissioner nominee Martin Makary are expected to be confirmed by the full Senate. The White House abruptly withdrew Dave Weldon’s nomination for Centers for Disease Control and Prevention (CDC) director just prior to his Senate confirmation hearing and has not yet announced a new nominee.
Senate Finance Committee Holds CMS Administrator Nomination Hearing. The committee held its nomination hearing for Mehmet Oz, MD, to be administrator of the Centers for Medicare and Medicaid Services (CMS) as this Check-Up went to press.
House Oversight Committee Holds Hearing on Preventing Improper Payments and Fraud. The hearing continued previous committee work broadly focused on improper payments and fraud, including in Medicare and Medicaid.
House Ways and Means Committee Examines Access to Medicare Post-Acute Care. Members discussed barriers to accessing quality post-acute care and highlighted potential solutions.
Senate Aging Committee Discusses Solutions to Senior Loneliness. There was bipartisan concern about the burden of senior loneliness.
CMS Issues Marketplace Integrity and Affordability Proposed Rule. The agency’s first proposed rule in the Trump administration aims to reduce improper enrollments in the Marketplace.
CMMI Releases Statement on Strategic Direction. The Center for Medicare and Medicaid Innovation (CMMI) announced actions to cancel certain models and transition participants to other models.
OCR Announces Investigations into Four Medical Schools and Hospitals. The schools and hospitals being investigated were not officially identified.
Federal Judges Rule Agencies Must Reinstate Fired Probationary Employees. One of the rulings applies to the US Department of Health and Human Services (HHS).
CONGRESS
Congress Debates Government Funding. In advance of the March 14, 2025, government funding deadline, House Republicans on March 8 released a 99-page CR to fund the government through September 30, 2025, the end of the fiscal year (FY). The CR includes short-term extensions of healthcare programs and provisions, including Medicare telehealth flexibilities and community health center funding, through September 30. The legislation includes increases in defense spending and cuts to nondefense spending, including a 50% cut to the Congressionally Directed Medical Research Programs (CDMRP) within the US Department of Defense. CDMRP funds biomedical research on conditions such as cancer, Alzheimer’s disease, and autism.
The CR does not include a Medicare physician payment fix or additional bipartisan health provisions, such as pharmacy benefit manager reform, from the December 2024 bipartisan healthcare package, which has been reintroduced by Sens. Wyden (D-OR) and Sanders (I-VT). Rep. Murphy (R-NC), Co-Chair of the GOP Doctors Caucus, originally said he would oppose the CR if it did not include the so-called doc fix. However, the caucus received a commitment from Republican leadership to include a doc fix in the upcoming budget reconciliation bill, so Rep. Murphy supported the CR.
On March 11, 2025, the House passed the CR mostly along party lines in a 217 – 213 vote. Rep. Golden (D-ME) joined Republicans in voting yes, and Rep. Massie (R-KY) joined Democrats in voting no. In the Senate, the bill needs 60 votes to overcome a procedural hurdle, known as cloture, before final passage, necessitating support from Democrats. Senate Minority Leader Schumer (D-NY) initially pushed back and said Democrats would seek a separate vote on a clean, shorter-term CR that would allow appropriators to finish the full slate of FY 2025 bills. Schumer later reversed and stated he and other Senate Democrats would vote yes on the cloture vote to avoid a government shutdown. The final cloture vote was xx – xx. XX Democrats voted with all but one Republican, Sen. Paul (KY), to achieve the 60 votes necessary to clear the procedural hurdle. As of the time of this publication, a vote on final passage is expected today to avert a government shutdown and complete the FY 2025 appropriations process.
Senate HELP Committee Advances NIH, FDA Nominations, Meanwhile White House Pulls CDC Director Nomination. The Senate Health, Education, Labor, and Pensions (HELP) Committee voted on the nominations of Jay Bhattacharya, MD, for NIH director and Martin Makary, MD, for FDA commissioner. The committee held its nomination hearings last week. Bhattacharya advanced with a vote of 12 – 11 along party lines. Makary advanced with a vote of 14 – 9, with Sens. Hassan (D-NH) and Hickenlooper (D-CO) joining Republicans. Both nominations now move to the full Senate floor, where they are expected to be confirmed. Sen. Hawley (R-MO) expressed concern over Makary’s initial support of Hilary Perkins as FDA chief counsel. Perkins previously worked for the US Department of Justice under President Biden and defended that administration’s abortion and vaccine policies. Sen. Hawley noted that Makary withdrew his support for Perkins, who resigned on March 13, 2025, only two days after becoming FDA chief counsel.
On the morning of Dave Weldon’s scheduled Senate HELP Committee nomination hearing for CDC director, the White House suddenly withdrew his nomination. Weldon was previously a US representative from Florida. He has been subject to significant scrutiny for his views on vaccines, and there have been rumors for some time that his nomination could be withdrawn. At the time of publication, President Trump had not yet announced a new CDC director nominee.
Senate Finance Committee Holds CMS Administrator Nomination Hearing. The Senate Finance Committee held its nomination hearing for Mehmet Oz, MD, to be administrator of CMS as this issue went to press.
House Oversight Committee Holds Hearing on Preventing Improper Payments and Fraud. The hearing included three witnesses who discussed the prevalence of fraud broadly across federal spending, including in Social Security and Medicaid. Members of both parties expressed interest in working together to address waste, fraud, and abuse, but Democrats emphasized the importance of Medicaid and ensuring it remains accessible. Republicans highlighted the Department of Government Efficiency’s role in addressing waste, fraud, and abuse.
House Ways and Means Committee Examines Access to Medicare Post-Acute Care. During the hearing, Democrats predominantly focused on the impact that potential cuts to Medicare and Medicaid (under discussion as part of the ongoing budget reconciliation process) would have on long-term care hospitals and skilled nursing facilities. Republicans focused on the burden of prior authorization for beneficiaries and the impact of workforce shortages on access to care. Both members and witnesses discussed the importance of Medicare telehealth flexibilities in home health and hospice care and the proposal to create a single Medicare payment system for all post-acute care providers.
Senate Aging Committee Discusses Solutions to Senior Loneliness. Witnesses for the hearing included individuals from organizations that provide social services to seniors. Members of both parties expressed concern about senior loneliness and its impact on health outcomes. Both members and witnesses expressed support for the Social Engagement and Network Initiatives for Older Relief (SENIOR) Act and the Older Americans Act. There was discussion about the cost burden of senior loneliness on Medicare and Medicaid.
ADMINISTRATION
CMS Issues ACA Marketplace Integrity and Affordability Proposed Rule. CMS issued a proposed rule on March 10, 2025, that would undo Biden-era policies designed to enhance enrollments through the Marketplace. Key proposals include the following:
CMS proposes to shorten the annual open enrollment period by one month, such that it would run from November 1 to December 15, as under the first Trump administration, instead of November 1 to January 15. CMS also proposes to apply this timeframe to state-based Marketplaces, which were previously permitted flexibility on this front.
CMS proposes to add sex-trait modifications to the list of items and services that may not be covered as essential health benefits beginning in plan year 2026.
CMS proposes to amend the definition of “lawfully present” to exclude Deferred Action for Childhood Arrivals recipients for purposes of enrolling in Marketplace coverage.
CMS proposes to end the availability of the monthly special enrollment period for individuals with household incomes below 150% of the federal poverty level. All Marketplaces would also have to reinstitute pre-enrollment verifications of eligibility for special enrollment periods and conduct further verifications of income when no tax data is available for verification.
The policies would have varying effective dates, some as early as immediately upon implementation, but the proposed rule specifically requests input on implementation timelines. There is a 30-day comment window that ends April 11, 2025. Click here for the press release, and here for the fact sheet.
CMMI Releases Statement on Strategic Direction. On March 12, 2025, CMMI stated that it plans to announce a new strategy focused on choice, competition, consumer empowerment, and evidence-based practices. CMMI will also work to streamline payment models, and some models will end early on December 31, 2025, with participants transitioning to other models. CMMI subsequently announced that the Maryland Total Cost of Care, Primary Care First, ESRD Treatment Choices, and Making Care Primary models will end early. CMMI is considering options to reduce the size of the Integrated Care for Kids model, and the Medicare $2 Drug List and Accelerating Clinical Evidence models will not be implemented. CMMI estimates that ending these models will save taxpayers approximately $750 million but doesn’t spell out how those savings will be realized. Read more about what’s next for value-based care under the Trump administration here.
OCR Announces Investigations into Four Medical Schools and Hospitals. The HHS Office for Civil Rights (OCR) stated that four medical schools and hospitals provide medical education and training that discriminates on the basis of race, color, national origin, or sex. OCR alleges that the institutions are in violation of Title VI of the Civil Rights Act and Section 1557 of the Affordable Care Act. The announcement states that the action aligns with President Trump’s executive order “Ending Illegal Discrimination and Restoring Merit-Based Opportunity.” The institutions subject to the investigation are not officially identified. For more details, please see this article by our McDermott Will & Emery colleagues.
COURTS
Federal Judges Rule Agencies Must Reinstate Fired Probationary Employees. On March 13, 2025, two federal judges ruled that certain federal agencies must reinstate fired probationary employees. The first judge’s order applied only to six agencies, while the second judge’s order applied to 18 agencies, including HHS. Both judges ruled that the firings by the Office of Personnel Management were unlawful. The Trump administration is likely to appeal the decisions. Other efforts by the Trump administration to shrink the federal workforce, including a reduction in force, will likely continue.
QUICK HITS
House Democratic Health Leaders Send Letter to CMS on Staff Firings. The ranking members of the full Ways and Means Committee and Energy and Commerce Committee, along with the ranking members of the Health Subcommittees, expressed concern over the impact of the recent firings of Medicare and Medicaid staff. The letter from Reps. Neal (D-MA), Pallone (D-NJ), Doggett (D-TX), and DeGette (D-CO) poses 15 questions to Acting Administrator Stephanie Carlton and asks for responses by March 17, 2025.
OGC Announces Reorganization Effort. The HHS Office of General Counsel (OGC) will consolidate its regional offices from 10 to four. House Ways and Means Committee Ranking Member Neal and Energy & Commerce Committee Ranking Member Pallone released a statement criticizing the action as inhibiting efforts to reduce waste, fraud, and abuse.
Senate HELP Chairman Cassidy Announces CDC Working Group. Chairman Cassidy (R-LA) along with Sens. Johnson (R-WI), Lee (R-UT), Marshall (R-KS), Murkowski (R-AK), Paul (R-KY), and Scott (R-SC) announced the working group to examine potential legislative reforms to the CDC. The press release states that the working group aims to restore the public’s trust in the CDC.
Congressional Democrats File Amicus Brief in Supreme Court Medicaid Case. All Senate Democrats and 191 House Democrats filed the brief in Medina v. Planned Parenthood South Atlantic. At question is whether South Carolina’s exclusion of abortion providers from the Medicaid program violates the “any qualified provider” Medicaid provision.
MACPAC, MedPAC Release March 2025 Reports to Congress. The Medicaid and CHIP Payment and Access Commission (MACPAC) report includes recommendations to improve the managed care external quality review process, home- and community-based services (HCBS) access, and Medicaid Section 1915 authorities for HCBS. The Medicare Payment Advisory Commission (MedPAC) report includes recommendations for updating 2026 payment rates in traditional Medicare.
Sen. Jeanne Shaheen (D-NH) Won’t Run for Reelection. Sen. Shaheen has been in office since 2009 and serves on the Senate Appropriations Committee. She is the third Democratic senator, following Sens. Peters (D-MI) and Smith (D-MN), to announce they won’t run for reelection. Her announcement exacerbates Democrats’ challenge to take back the Senate in 2026, as open seats are often more difficult to win than those with incumbents running for reelection.
CMS Postpones, Renames Annual Conference. CMS postponed its annual Health Equity Conference, originally scheduled for April 23 – 24, 2025 and renamed it the Conference for Building a Healthier America. A new date has not been announced.
BIPARTISAN LEGISLATION SPOTLIGHT
Reps. Matsui (D-CA) and Bilirakis (R-FL) and Sens. Klobuchar (D-MN) and Wicker (R-MS) reintroduced the Scientific External Process for Educated Review of Therapeutics Act of 2025. The legislation would require the FDA to convene quarterly externally-led scientific-focused drug development meetings to discuss the development and review of rare disease treatments.
NEXT WEEK’S DIAGNOSIS
The House and Senate are both scheduled to be in recess next week and return March 24, 2025. After the federal government is funded, Republicans will return their attention to the budget reconciliation process. Votes to confirm President Trump’s nominees are also expected to continue in the Senate when members return.
IRS Roundup February 17 – March 14, 2025
Check out our summary of recent Internal Revenue Service (IRS) guidance for February 17, 2025 – March 14, 2025.
Editors’ note: With the change in presidential administrations, the IRS has undergone significant transition in recent weeks and issued significantly less guidance than normal. We did not publish the IRS Roundup regularly during these weeks as we awaited new guidance from the agency.
February 19, 2025: The IRS issued Revenue Ruling 2025-6, providing the March 2025 short-, mid-, and long-term applicable federal rates for purposes of Section 1274(d) of the Internal Revenue Code (Code), as well as other provisions.
February 21, 2025: The IRS issued Notice 2025-15, providing guidance on the alternative method for furnishing health insurance coverage statements to individuals, as required by Code Sections 6055 and 6056. This alternative method allows entities to post a clear and conspicuous notice on their websites, informing individuals that they can request a copy of their health coverage statement. This notice must be posted by the due date for furnishing the statements and retained through October 15, 2026. The guidance applies to statements for calendar years after 2023.
March 5, 2025: The IRS issued Revenue Procedure 2025-17, providing guidance for individuals who failed to meet the eligibility requirements of Code Section 911(d)(1) (foreign earned income exclusion) for 2024 because of adverse conditions in certain foreign countries. The revenue procedure lists specific countries, including Ukraine, Iraq, Haiti, and Bangladesh, where war, civil unrest, or similar conditions precluded normal business conduct. Individuals who left these countries on or after specified dates in 2024 may still qualify for the foreign earned income exclusion if they can demonstrate that they would have met the eligibility requirements but for these adverse conditions.
March 5, 2025: The IRS issued Notice 2025-16, providing adjustments to the limitation on housing expenses for 2025 under Code Section 911. These adjustments account for geographic differences in housing costs relative to those in the United States. The notice includes a detailed table listing the adjusted housing expense limitations for locations worldwide. It also allows taxpayers to apply the 2025 adjusted limitations to their 2024 taxable year if the new limits are higher.
March 6, 2025: The IRS issued Revenue Ruling 2025-7, providing interest rates for tax overpayments and underpayments for the second quarter of 2025 in accordance with Code Section 6621.
March 11, 2025: The IRS issued Notice 2025-17, providing updates on the corporate bond monthly yield curve, spot segment rates, and 24-month average segment rates used under Code Sections 417(e)(3) and 430(h)(2). The notice includes the interest rate on 30-year Treasury securities and the 30-year Treasury weighted average rate for plan years beginning before 2008. It also specifies the minimum funding requirements for single-employer plans, the methodology for determining monthly corporate bond yield curves, and the adjusted 24-month average segment rates for March 2025. Additionally, the notice outlines the permissible range of rates for calculating current liability for multiemployer plans.
Executive Order Signals Healthcare Price Transparency as a Priority
Highlights
A recent executive order from the Trump administration on healthcare price transparency signals this issue remains a priority
The order requires federal agencies to issue guidance on standardizing pricing information and enforcement policies by May 26, 2025
All healthcare providers should be aware of the implications of the order and begin preparing for compliance by identifying exact prices of healthcare services and a presentable format for the information
On Feb. 25, 2025, President Donald Trump issued an executive order to “empower patients with clear, accurate, and actionable healthcare pricing information.” The order signals a return to a priority from President Trump’s first term.
A 2019 executive order from the first Trump administration required hospitals and health plans to publish “meaningful price and quality information” for public use. Hospitals were required to display pricing information for up to 300 services, and health plans were to post their negotiated rates. Both types of healthcare entities were required to make the information consumer-friendly.
The 2025 executive order picks up where the 2019 executive order left off. It directs the federal government to prioritize steps to “promote universal access to clear and accurate healthcare prices.” To realize these goals, it states federal agencies must: 1) require hospitals and health plans to disclose the actual price of items and services, 2) issue updated guidance or proposed actions to ensure pricing information is standardized and easily comparable across healthcare providers, and 3) issue guidance updating enforcement policies to ensure compliance. Federal agencies have until May 26, 2025, to take these actions.
What Does This Mean for Providers?
The language of the executive order sheds some light on what healthcare providers can expect. First, while the 2019 order was directed at hospitals and health plans, the 2025 order includes no such limitation. This signals an expansion of price transparency across all provider classes. While hospitals and health plans should be prepared for new agency guidance and enforcement around price transparency, providers of all types should pay attention to this new guidance when it issues.
Second, healthcare providers should begin analyzing pricing data to identify actual costs and present the information in a useful, consumer-friendly manner. Of note, the order explicitly prohibits healthcare providers from using price estimates. They must disclose the actual prices.
Finally, healthcare providers should be prepared for increased scrutiny, additional enforcement, and faster compliance timelines. In 2023, the Centers for Medicare & Medicaid Services (CMS) enforced violations by sending noncompliant hospitals or health plans a warning notice with instructions to correct the deficiencies within 90 days. If the hospital or health plan remained noncompliant, CMS issued a correct active plan (CAP) request with a 45-day deadline. Hospitals and health plans that still did not complete the necessary steps to come into compliance received a civil monetary penalty (CMP).
Typically, providers took 195-220 days to come into compliance. As of April 2023, CMS issued 730 warning notices and 269 CAPS and imposed CMPs on four hospitals. The CMPs range from $300 to $5,500 per day of noncompliance times the number of beds at the hospital. However, the executive order signals a push for federal agencies, including CMS, to enforce price transparency faster and more rigorously. This may include use of automation to check providers’ compliance.
Key Takeaways
All healthcare providers should be aware of the implications of this executive order and the May 26 deadline, particularly those who may be at increased risk for enforcement. Since there is some question of how healthcare providers will calculate exact prices, providers should consider using this time to sort through billing data, bundled pricing, and drug prices to identify prices. Further, providers should begin considering how the information can be presented in a useful, consumer-friendly manner. Using this time can ensure providers are prepared once federal agencies begin publishing guidance on standardization and enforcement.
Paid Sick Leave in Michigan: Legislature Changes Course at the One-Yard Line
On February 21, 2025, as Michigan employers were preparing to comply with the provisions of the Earned Sick Time Act (the “Original ESTA”) taking effect that day, Governor Gretchen Whitmer signed a last-minute bill (the “Amended ESTA”) that had immediate effect.
Since then, the Michigan Department of Labor and Economic Opportunity (LEO) has updated its Earned Sick Time Act: Frequently Asked Questions (FAQ) and published the slides from a live webinar it held in February to field questions from covered employers.
While much of the substance of the Original ESTA remains in place, the Amended ESTA makes several key changes that employers should consider before implementing their Michigan sick time policies.
Scope and Coverage
Although most Michigan employees remain eligible for paid sick time, the Amended ESTA now excludes certain workers from the definition of a “covered employee,” including:
U.S. government employees;
unpaid trainees or unpaid interns;
minors employed pursuant to the Youth Employment Standards Act; and
individuals who work according to an employer policy, so long as (1) the policy allows the individual to schedule the individual’s own working hours and (2) the policy prohibits the employer from taking adverse personnel action against the individual if the individual does not schedule a minimum number of working hours.
The Amended ESTA continues to apply to all employers with one or more Michigan employees. It does, however, change the threshold at which an employer qualifies as a “small business.” The change expands the small business threshold for businesses to exactly 10 employees, amending the definition from “fewer than 10 individuals” to “10 or fewer individuals.” Note that the small business threshold takes account of all workers employed in the United States or its territories (and not just Michigan-based workers). This includes part-time and temporary employees, even if the employer hires them through a temporary service, staffing agency, or similar entity. Once a business employs 11 or more employees for 20 or more workweeks in the current or prior calendar year, it will not qualify as a “small business” and cannot again until it has not employed more than 10 employees in the current or prior calendar year.
Delayed Effective Date for Small Businesses
Most employers became subject to the revised sick time requirements immediately on February 21, 2025. However, the Amended ESTA permits small businesses to postpone accrual and use of sick time until October 1, 2025. In addition, new small businesses (meaning those that did not employ anyone prior to February 21, 2025) need not comply with the requirements under the Amended ESTA until three years after the business has its first employee. New employers, however, should note that neither the law nor the available guidance addresses whether an employer must immediately comply with the ESTA if it grows to more than 10 employees before the three-year period is up.
Accrual and Usage
The Amended ESTA continues to require that employees accrue at least one hour of sick time for every 30 hours worked beginning on February 21, 2025 (October 1, 2025, for small businesses), or upon hire, whichever is later. Most employers may cap usage at 72 hours per year, though small businesses may cap usage at 40 hours per year. In a notable change, under the Amended ESTA, small businesses no longer need to provide 32 hours of unpaid sick time in addition to the 40 hours of paid leave. Employers may still use their existing paid time off (PTO) policy to comply with Michigan’s sick time law if that policy provides at least the same benefits as the Amended ESTA. In other words, the employee must accrue at least 72 hours (40 hours for small businesses) of PTO, at least at the same rate as provided in the ESTA, and they must be permitted to use the PTO for the same reasons and under the same terms as described in the Amended ESTA.
The Amended ESTA also extends the permissible waiting period for new employees to use sick time from 90 to 120 calendar days after commencing employment. Both the protected uses and minimum increments of sick time an employee may use remain unchanged from the Original ESTA.
Carryover and Frontloading
While the Original ESTA required that employers allow employees to carry over all accrued, unused earned sick time, the Amended ESTA now allows employers to cap the amount of earned sick time that employees may carry over from one benefit year to the next at 72 hours, or at 40 hours for a small business. Employers can define their “benefit year” as any regular, consecutive 12-month period.
Further, while the Original ESTA did not explicitly address the frontloading of an employee’s earned sick time, the Amended ESTA clarifies that employers may provide all 72 hours of earned sick time (40 hours for small businesses) to full-time employees at the start of each benefit year or a prorated amount if they become eligible for sick leave during the benefit year. Additionally, employers who frontload sick time are exempt from the law’s carryover and accrual tracking requirements. The Amended ESTA also allows employers to frontload earned sick time for part-time employees if they meet the following three requirements:
The employer provides the part-time employee with written notice at the time of hire stating how many hours the employer expects the part-time employee to work for the following year.
The amount of leave provided to the part-time employee at the beginning of the year is, at a minimum, proportional to the earned sick time that the part-time employee would accrue if the part-time employee worked all the hours expected as provided for in the written notice.
If the part-time employee works more hours than what the employer expects, as provided in the written notice, the employer must provide the part-time employee with additional earned sick time in accordance with the accrual requirements under the Amended ESTA’s frontloading provisions.
Employer Notice Requirements
The Original ESTA required employers to provide written notice to employees of their rights under the ESTA by February 21, 2025. However, the amendment delayed the compliance deadline from February 21 to March 23, 2025. As a reminder, the notice of rights must include:
the amount of earned sick time that the employee is required to be provided with under the Amended ESTA;
the employer’s choice of how to calculate a “year” (e.g., calendar or fiscal);
the terms under which an employee may use earned sick time;
a statement that an employer is prohibited from taking retaliatory personnel action against an employee for requesting or using earned sick time for which the employee is eligible is prohibited; and
a statement concerning the employee’s right to file a complaint with the department for any violation of the Amended ESTA.
Employers can satisfy the notice requirement using the LEO’s model poster, which is currently available in English, Spanish, and Arabic.
Note that neither the statute nor the available guidance appears to provide a small business exception to this notice requirement. Therefore, even though employers with 10 or fewer employees do not need to permit their Michigan employees to accrue or use sick time until October 1, 2025 (or later for new businesses), they should still download, distribute, and post the required notice/poster by the compliance deadline.
Impact on Unionized Employees
The Amended ESTA also clarifies how the state’s paid sick time requirements apply to employees subject to a collective bargaining agreement (CBA). When employees are subject to a CBA that is completely silent with respect to sick time benefits, the ESTA covers the employees, and they must immediately begin accruing sick time benefits as of February 21, 2025 (October 1, 2025, for small businesses). If, however, the CBA explicitly excludes sick time benefits or provides sick time, PTO for sick time, or a similar time-off benefit that is less than what is required by the Amended ESTA, the CBA’s terms will apply until the agreement expires.
Employee Notice and Documentation
Like the Original ESTA, the Amended ESTA allows employers to require up to seven days advance notice for foreseeable uses of earned sick time. The Amended ESTA, however, provides additional provisions surrounding the unforeseeable use of earned sick time. When an employee takes earned sick time that is not foreseeable, the employee must provide notice (a) as soon as practicable or (b) in accordance with the employer’s policy related to requesting or using sick time if the employer provides a written copy of the policy to the employee that (i) describes how the employee must provide notice and (ii) allows the employee to provide notice after they are aware of the need for sick time.
The Amended ESTA also provides that even where an employer requires notice for using earned sick time that is not foreseeable, an employer may not deny an employee’s use of earned sick time that is not foreseeable if either (a) the employer did not provide a written policy to the employee as required above or (b) the employer subsequently made a change to the written policy and failed to provide notice of the change to the employee within five days after making such change.
The Amended ESTA remains mostly unchanged as it relates to its documentation provisions. Like the Original ESTA, the Amended ESTA allows employers to request reasonable documentation when an employee has taken more than three consecutive days of earned sick time. Whereas the Original ESTA required that an employee provide the documentation to an employer “in a timely manner,” the Amended ESTA requires that employees provide this requested documentation to an employer “not more than 15 days after the employer’s request.”
Anti-Retaliation and Enforcement
Although the Amended ESTA continues to prohibit employers from retaliating against employees who take paid sick time, it eliminates the rebuttable presumption that would have existed if an employer took an adverse personnel action against an employee within 90 days of that employee’s exercise of their rights under the law. Additionally, the Amended ESTA explicitly permits employers to take adverse personnel action against an employee who uses earned sick time for a non-covered purpose or who violates the notice requirements, as discussed above.
In addition to providing civil remedies provided to affected employees, the Amended ESTA also clarifies that employers who retaliate against an employee for exercising their rights under the law will be subject to civil penalties of up to $1,000 per violation, and those who fail to provide an employee with earned sick time in accordance the Amended ESTA will be subject to a civil fine of up to eight times the employee’s normally hourly wage. However, the Amended ESTA no longer provides employees with a private right of action—all enforcement will run through LEO.
What Should Michigan Employers Do?
With the Amended ESTA already in effect, time is of the essence for most Michigan employers. Unless an employer has fewer than 11 employees nationwide, we recommend moving swiftly on the following action items:
Review the company’s sick time and PTO policies and procedures for its Michigan employees to ensure compliance with the Amended ESTA’s requirements.
Ensure that human resources personnel understand the rights and protections afforded to employees under the Amended ESTA, including administration of all leave policies, notice and posting requirements, and recordkeeping obligations.
For employers with employees subject to a CBA, calendar the expiration date of such CBA and prepare for negotiating its provisions to comply with the Amended ESTA.
Train managers to avoid retaliating against an employee because the employee has exercised a right protected under the Amended ESTA.
Additionally, all employers should download, display, and distribute the required workplace poster by March 23, 2025.
FDA’s Backup LDT Enforcement Method: Specimen Collection Kits
We have written at length about the U.S. Food and Drug Administration’s (FDA’s) actions to promulgate regulations specifying the agency’s authority to regulate laboratory developed tests (LDTs) as medical devices and to phase out the agency’s historical approach of enforcement discretion towards such tests (see here, here, here, and here). However, one infrequently considered regulatory compliance issue for LDTs is their reliance on separate specimen collection devices or convenience kits. All LDTs require the use of some form of biological specimen, such as blood or saliva, which may be collected by health care professionals in a clinical setting or by consumers in their homes before being submitted to a laboratory for testing.
As we detail below, specimen collection devices and kits are independently regulated as medical devices by FDA, and any clinical laboratory developing or performing LDTs must have a sound strategy for either manufacturing and distributing them in compliance with device regulations or sourcing them from FDA-compliant third-party suppliers. Although the LDT final rule is currently under attack in the courts and may not survive those challenges, stakeholders should keep in mind that FDA has an alternative method to bring enforcement actions against clinical laboratories: targeting noncompliant specimen collection devices and kits being distributed in interstate commerce.
How Are Specimen Collection Devices and Kits Regulated?
Under long-standing FDA regulations, any product that is “intended for use in the collection, preparation, and examination of specimens taken from the human body” for the ultimate purpose of diagnosing diseases or other conditions is an “in vitro diagnostic product” (see 21 C.F.R. 809.3(a)). This means that any device that collects patients’ biological specimens for use in clinical assays is an in vitro diagnostic (IVD) product. Furthermore, all IVD products are regulated as medical devices under the federal Food, Drug, and Cosmetic Act (FD&C Act) because they are “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease” (see 21 U.S.C. 321(h)).
In addition, FDA considers individual devices packaged together in a branded and marketed kit (i.e., not just co-packaged in the same shipping container) to be a “convenience kit” because they are assembled and sold together as a unit for the convenience of the end user. The agency has clearly stated that “[c]onvenience kits are…medical devices in their own right, apart from their constituent devices” (see the Unique Device Identification (UDI) System Rule at 78 FR 58792) and are subject to the device general controls, such as establishment registration, product listing, labeling (including UDI requirements), and quality system requirements. Therefore, specimen collection kits, which typically include multiple devices whose purpose is to aid in the collection of a biological sample for subsequent diagnostic testing, qualify as convenience kits and must comply with FDA device regulations separate and apart from the individual device components contained within the kit.FDA’s “interim” guidance on convenience kits (published almost 30 years ago, in May 1997) includes a list of convenience kit types that are subject to enforcement discretion with respect to pre-market notification (510(k)) requirements only, which by definition means that all other device general controls apply to such kits.
If a specimen collection device or convenient kit must be cleared by FDA through the 510(k) pathway prior to marketing, the 510(k) submission must include an intended use describing the environment in which the device may be used, such as point-of-care by a medical professional or at home by a consumer. In particular, 510(k) submissions for specimen collection devices and kits that are intended for at-home use by laypersons without the assistance or supervision of a health care professional must specify the user’s home as the intended use environment and must include substantial evidence, such as data from human factors studies, demonstrating that the design and labeling are sufficient to allow a consumer to use the device or kit safely and effectively with minimal risk (see FDA’s guidance for industry on Design Considerations for Devices Intended for Home Use).
Enforcement Hooks for Specimen Collection Devices and Kits Used for LDTs
A clinical laboratory must have some method to distribute (either itself or through a third-party vendor) specimen collection devices or kits to health care professionals or consumers so that the laboratory can receive the necessary biological specimens to test with its LDT. There are many specimen collection devices that are already authorized and marketed in the United States (e.g., blood vials, urine containers, safety lancets, saliva collection systems), so in many cases, laboratories do not need to design and develop a brand-new collection device or engage a contract manufacturer to do so for their specific LDTs. Specimen collection kits are also common in the marketplace, but as described above, each custom kit with specific components is subject to general controls and the manufacturer of such devices, also called a kit assembler, must be registered as a medical device establishment and must list the kit with FDA.
Despite FDA’s requirements relating to specimen collection devices and kits, some laboratories and even kit assemblers developing and providing such products are not aware that convenience kits are separately regulated devices and may not be complying with applicable general controls. There also are specimen collection devices or kits being marketed for intended uses that are not consistent with their FDA-authorized uses (e.g., dried blood spot cards to collect blood specimens for testing other than newborn screening), as well as kits containing class II devices being distributed directly to consumers even though they are not specifically cleared for at-home use. All of these situations lead to the manufacture and distribution of noncompliant commercial device products and could lead to FDA enforcement action.
It is also important to remember that the specimen collection device or kit is not a “component” of an LDT being offered by a licensed clinical laboratory – it is a separate medical device that is independently subject to FDA regulations when placed in interstate commerce. This means that even if FDA exercises enforcement discretion with respect to a given LDT, the specimen collection device or kit used in conjunction with that LDT is not necessarily under enforcement discretion as well. In contrast, IVD manufacturers may submit information relating to a specimen collection device or kit with a pre-market submission for an IVD assay because FDA will review all information about the assay and collection method (including validation testing data showing that the collection method reliably and safely collects biological specimens that lead to accurate results) together. The option to couple the assay and collection method into one submission is not available to a clinical laboratory, unless its entire LDT assay is submitted for pre-market review.
If a clinical laboratory decides to use a class II or III specimen collection device or kit in conjunction with an LDT, it can create a Catch 22 for some clinical laboratories because FDA will require adequate data demonstrating that the specimen collection device or kit (especially those intended for at-home use) is safe and effective for use with the LDT in order to clear or approve the kit for that specific intended use. But obtaining such data can be difficult without conducting a formal clinical trial—the laboratory cannot collect real world data because the specimen collection device or kit cannot be distributed to consumers prior to obtaining marketing authorization. Moreover, submitting a novel specimen collection device or kit for pre-market review means providing assay-specific information to FDA, which could result in the agency scrutinizing and commenting on the LDT assay itself. Distributing and promoting a class II or III specimen collection device or kit for an unauthorized intended use is at high risk of enforcement action, especially in the context of LDTs that FDA considers inherently to pose greater risks for patients, such as tests for serious communicable diseases or cancer.
Although FDA has not frequently targeted specimen collection devices and kits in enforcement actions in the past (especially in the context of LDTs), there has been a recent uptick in agency warnings and safety notices relating to collection kits, indicating that the agency is monitoring compliance in this area. State agencies with authority over clinical laboratories and LDTs, such as the New York State Department of Health Clinical Laboratory Evaluation Program (CLEP), have also stated to clinical laboratories that any device or kit intended to collect biological specimens for an LDT must comply with FDA’s device regulations.
Impact of the LDT Final Rule
The LDT final rule is currently in effect and year one of the enforcement discretion phase-out process is almost complete. In May 2025, clinical laboratories are expected to be complying with medical device reporting, correction and removal reporting, and compliant handling requirements. As the phase-out process continues (if it is not invalidated by a court or otherwise rescinded) and FDA begins to review LDTs for device marketing authorization, it is possible that enforcement of specimen collection devices and kits will increase because the agency will have better information about the intended uses and distribution of such products to obtain patient specimens for those LDTs.
However, even if the final rule is invalidated or rescinded, FDA may resort to increasing compliance monitoring and enforcement for specimen collection devices and kits as a method of maintaining an oversight foothold in clinical laboratories that design, offer, and perform LDTs. As described above, certain intended uses of specimen collection devices and kits may require pre-market clearance or approval, irrespective of what happens to the LDT final rule, such that FDA could demand detailed data demonstrating safety and effectiveness, which could even include clinical trials that involve the LDT itself.
Conclusion
Throughout the LDT design, development, and validation process, clinical laboratories and those who assist laboratories with bringing an LDT to market should remember that the design or selection of the device or kit that will be used by health care professionals or consumers to collect the biological specimens needed for the assay is a critical decision with many regulatory implications. FDA has been clear that specimen collection devices and kits are medical devices separate and apart from the assay used to test the specimen, even if the assay is an LDT, and the agency is beginning to step up enforcement against noncompliant devices and kits. Moreover, in the preamble to the final rule, FDA highlighted the desire to use its existing device authority to ensure the safety and effectiveness of LDTs, and full implementation of the final rule’s framework will likely lead to increased oversight of and enforcement actions against clinical laboratories. However, even if the final rule is invalidated or rescinded, it is possible that FDA will still increase oversight and enforcement activities against clinical laboratories by focusing on the specimen collection devices and kits they choose to pair with their LDTs.
OCR Imposes $200,000 Penalty Against Oregon Health & Science University for HIPAA Right of Access Violations
On March 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $200,000 civil monetary penalty against Oregon Health & Science University (“OHSU”), a public academic health center and research university, for allegedly violating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule’s right of access provisions.
The HIPAA Privacy Rule requires covered entities to provide individuals or their personal representatives with access to their protected health information upon request within 30 days, with the possibility of one 30-day extension. In May 2020, OCR received a complaint regarding an individual who did not receive their requested records after their personal representative made an access request to OHSU on the individual’s behalf in April 2019. OCR resolved the complaint after notifying OHSU of its potential noncompliance with the Privacy Rule’s right of access provisions. OCR then initiated an investigation of OHSU based on a second complaint with respect to the same individual filed in January 2021.
Although OHSU provided part of the requested records in April 2019, OCR alleged that the university did not provide all of the requested records until August 2021. OCR’s investigation determined that OHSU failed to take timely action in response to the individual’s right of access requests, and subsequently imposed a $200,000 civil monetary penalty against OHSU.
Skin360 App Can’t Escape Scrutiny under Illinois Biometric Law
A federal district court has denied a motion by Johnson & Johnson Consumer Inc. (JJCI) to dismiss a second amended complaint alleging it violated the Illinois Biometric Information Privacy Act (BIPA) by collecting and storing biometric information through its Neutrogena Skin 360 beauty app without consumers’ informed consent or knowledge. The plaintiffs also allege that the biometric information collected through the app is then linked to their names, birthdates, and other personal information.
Plaintiffs alleged that the Skin360 app is depicted as “breakthrough technology” that provides personalized at-home skin assessments by scanning faces and analyzing skin to diagnose enigmas like wrinkles, fine lines, and dark spots. The app then uses that data to recommend certain Neutrogena products for the consumer to eliminate those concerns. JJCI argued that the Skin360 app recommends products designed to improve skin health, which means that the consumers should be considered patients in a healthcare setting, making BIPA inapplicable.
However, the court disagreed and cited Marino v. Gunnar Optiks LLC, 2024 Ill. App. (1st) 231826 (Aug. 30, 2024), which held that a customer trying on non-prescription sunglasses using an online “try-on” tool is not considered a patient in a healthcare setting. In Marino, the court defined a patient as an individual currently waiting for or receiving treatment or care from a medical professional. Alternatively, Skin360 uses artificial intelligence software to compare a consumer’s skin to a database of images and provides an assessment based on a comparison of these images. Of course, JCCI did not dispute that no medical professionals are involved in providing the service through the Skin360 app.
The court stated that “[e]ven assuming Skin360 provides users with this AI assistant and ‘science-backed information’ the court finds it a reach to consider these services ‘medical care’ under BIPA’s health care exemption; [i]ndeed, Skin360 only recommends Neutrogena products to users of the technology, which suggests it is closer to a marketing and sales strategy rather than to the provision of informed medical care or treatment.”
Proving Fraud is and Should Be Hard: Lessons from a Recent Medicare Advantage False Claims Act Decision
The litigator’s adage “it’s easy to plead, it’s hard to prove” once again came true in the long-running False Claims Act (FCA) case targeting Medicare Advantage (“MA”) plans operated by UnitedHealth (United). Eight years after the complaint was filed, a Special Master recommended granting United’s motion for summary judgment. U.S. ex rel. Poehling v. UnitedHealth Group, Inc., 2025 U.S. Dist. LEXIS 40921 (CD CA). Both the litigation and the Special Master’s report contain valuable insights for all FCA defendants, and especially for those matters involving allegations related to diagnosis coding.
The government alleged that United violated the FCA’s “reverse false claim” provision by failing to return overpayments related to the submission of allegedly invalid diagnosis codes in connection with the MA program. The Special Master recommended summary judgment in United’s favor due to the government’s inability to prove both that United was actually overpaid, and that it improperly avoided an obligation to repay the government. In doing so, the ruling highlights the government’s burden to prove that 1) a diagnosis code is false; and 2) that a defendant “deceived” the government in “improperly” withholding an overpayment. It also confirms that materiality is an essential element of a “reverse” FCA violation.
Lesson #1: The Government Must Prove Its Case
The Special Master found that the government did not prove the diagnosis codes were unsupported by medical records because the government did not actually review the medical records. Instead, the government identified nearly 28 million diagnosis codes that it argued were invalid, but “did not compare the diagnosis codes submitted by United’s doctors against the underlying medical records to identify unsupported diagnosis codes.” Rather, “if United’s coders did not identify a diagnosis code during chart review as supported by a medical record, the government assume[d] the diagnosis code was, in fact, not supported.” (Emphasis in original). The Special Master found that assumption woefully insufficient.
The Special Master also found it compelling that CMS’s own RADV audits “found support in medical records for diagnosis codes that the government has alleged were unsupported based solely on such codes not having been coded during United’s chart review. These findings undercut the government’s theory that any diagnosis code submitted by United to CMS but not identified by coders in chart review is presumptively invalid.”
The Special Master further pointed out that “the government has repeatedly attempted to shift the burden to United to disprove the government’s allegations. Rather than review medical records itself, the government served discovery asking United to identify which of the approximately 28 million diagnosis codes, if any, United contends were supported by medical records and to produce the medical records providing such support.” (Emphases in original). United properly objected to this as “‘an improper contention interrogatory that impermissibly seeks to shift the burden of proving an essential element of the government’s False Claims Act case on to UnitedHealth . . .’” but offered to produce the 21 million underlying medical records in order to resolve the discovery dispute. The government rejected that offer, apparently, due to the volume of documents. The Special Master wryly noted that “the government was responsible for placing that volume of records in dispute.” Defendants should push back on government attempts to force them to prove their innocence, and to take on the government’s own investigatory and evidentiary obligations.
Lesson #2: The FCA Is A Fraud Statute
At base, the False Claims Act is a “fraud statute.” See e.g., United States ex rel. Schutte v. SuperValu, Inc., 598 U.S. 739, 750-51 (2023). As such, the Special Master appropriately focused on the government’s position that “mere avoidance of an obligation to repay money to the government is enough to create liability under the FCA, without the need to prove any deceptive conduct” and found that this position obviates the nature of a fraud statute. The Special Master ruled that “the impropriety of a defendant’s retention of an overpayment cannot be grounded in the mere fact of the defendant having received the overpayment, or even of being obligated to return it. Otherwise, the requirement of ‘improper’ conduct would introduce circularity and surplusage into a statute where Congress clearly intended nothing of the kind.” Quite simply, “a reverse FCA claim requires proof that the defendant engaged in conduct that deceived the government about an obligation to repay funds.”
Here, the government did not allege “any sort of deception.” Even if United had retained an overpayment, “[t]he mere retention of overpayments may deprive the government of funds it is owed, but that is not fraud.” While the failure to allege deception was fatal by itself, here there was also evidence that “the government knew of the very chart review practices of which it now claims United prevented it from learning, and thus the government cannot have been duped into relying on any action or inaction by United in determining whether it had been the victim of overpayments.”
The bar for both pleading and proving fraud is high. Fed. R. Civ. Pro. 9(b). Here, the Special Master correctly recognized that “[i]n relying upon only the ‘knowing and improper avoidance’ formulation of reverse FCA liability, the government must establish that United knew it had received overpayments and acted in a way that kept the government from learning of the overpayment.” Defendants should hold the government to those requirements. Quite simply, fraud and breach of contract are radically different, and proving fraud is, and should be, hard.
Lesson #3: Materiality Matters
In the eight years since the publication of Universal Health Services v. United States ex rel. Escobar, 579 U.S. 176 (2016), this blog has written extensively about materiality. More than 1,100 court decisions cite to Escobar. Escobar’s impact is significant and pervasive. Here, the government argued that “materiality is not a required element of establishing liability under the second prong of the reverse false claim provision.” The Special Master disagreed:
Escobar and subsequent Ninth Circuit cases recognize that, like the FCA as a whole, its reverse false claims provision incorporates the elements of common law fraud (although the provision expands the notion of what constitutes a “false claim” under the statute). Accordingly, a materiality element must apply to that provision, regardless of which of its two prongs is the basis for the government’s claim in a given case, because of the inconceivability of fraud absent a materiality element.
(Emphasis added, citations omitted). FCA defendants should continue to hold the government to its burden to prove materiality as well.
Conclusion
While the threat of treble damages, per claim penalties, and a variety of administrative remedies (including, but not limited to, suspension and debarment) are intimidating, FCA defendants should take comfort in this decision, which underscores the value of investing in a good defense and litigation strategy. Courts will hold the government’s feet to the fire and require it to meet its burden to prove fraud which, as here, it often simply cannot do.
Listen to this post