Spurred on by the Steward Health Care Bankruptcy, Massachusetts Adopts Bill Regulating Private Equity and REITs in Health Care, Continuing a National Trend
On January 8, 2025, Massachusetts Governor Maura Healey signed into law House Bill 5159 (the “Bill”). The Bill grants the state new regulatory powers to oversee and review health care transactions involving private equity firms, real estate investment trusts (“REITs”), and management services organizations (“MSOs”). The Bill is the tenth law enacted in recent years to scrutinize health care transactions, and its enactment in Massachusetts highlights the continued expansion of state oversight of health care transactions.
Key Provisions
Expanded Definition of “Material Change Transaction” That Requires Reporting: As further described below, the Bill broadens the scope of what constitutes a material change transaction to include transactions involving private equity firms, REITs, and MSOs, such as changes in ownership, significant asset transfers, and conversions of nonprofit organizations to for‑profit entities.[1]
Additional Annual Reporting Requirements: For providers and facilities that have existing annual reporting obligations to the Center for Health Information and Analysis (“CHIA”), the Bill expands the reporting obligation to require detailed disclosures on ownership structures and finances, including information involving parent entities and affiliates.[2]
Penalties for Non‑Compliance: The Bill increases penalties for entities that fail to comply with reporting obligations to up to $25,000 per week.[3]
Post‑Closing Oversight by the Health Policy Commission (“HPC”): The Bill grants HPC authority to assess the impact of “significant equity investors” on health care costs, and such oversight may be exercised up to five years post‑closing of a transaction.[4]
Massachusetts False Claims Act Liability for Investors: The Bill expands the definition of “knowledge” under the Massachusetts False Claims Act, expanding potential liability to entities with an “ownership or investment interest” (defined below) that are aware of a False Claims Act violation but fail to disclose such violation within 60 days.[5] The expanded definition is presumably intended to target sponsors and investors, who, through transaction‑related diligence activities or post‑closing operational involvement, learn of potential violations of the state’s False Claims Act. Sponsors and investors with substantial exposure to businesses with Medicaid revenue should discuss the impacts of this theory of liability with regulatory and deal counsel.
Expanded Attorney General Involvement: The Bill grants the Attorney General with expanded powers to intervene in HPC hearings, and empowers the Attorney General to compel entities to produce documents or provide testimony under oath with respect to information submitted to CHIA.[6]
Prospective Prohibition on Hospital‑REIT Sale‑Leaseback Arrangements: Under the Bill, the state will not issue an acute‑care hospital license to any facility “if the main campus of the acute‑care hospital is leased” from a REIT.[7] Relationships in effect before April 1, 2024 will be grandfathered and such grandfathered status will be transferrable in a change of ownership.
History and Regulatory Backdrop
History of Regulation of Health Care Facilities
Although the Bill is among the most comprehensive and far‑reaching in the nation, it is not without precedent. As described by Proskauer in a number of recent alerts, publications, and presentations (including for the American Health Law Association and the New York State Bar Association), elected officials in a number of states have reacted to the decade‑old surge in investment in the health care sector with measures that are intended to scrutinize and increase transparency over such transactions.
In addition, transaction review laws build upon existing, and sometimes controversial, regulatory review mechanisms that impact the health care industry, particularly “Certificate of Need” (“CON”) laws. By way of background, and as a result of now‑defunct federal requirements, states in the 1970s adopted CON laws, a form of economic planning intended to avoid over‑supply.[8] State CON laws, many of which remain in effect,[9] regulate health care facilities (e.g., hospitals and ASCs) and typically impose approval or reporting requirements over certain transactions, such as facility renovations, expansions or mergers, or the purchase of complex medical equipment (e.g., CT or MRI).
Despite this backdrop of substantial regulation affecting health care facilities, many states have historically had limited to no regulatory review authority over transactions affected physicians and physician practices. In light of existing regulatory oversight affecting facilities, state legislators may view health care transaction laws as incremental expansions over state regulatory powers. In contrast, investors and their stakeholders are likely to view these laws as material expansions, given that there was historically limited regulatory oversight for these transactions.
The Impact of the Steward Health Care Bankruptcy
The Bill should be viewed as a reaction by Massachusetts elected officials to the bankruptcy of Steward Health Care. The bankruptcy, which was widely reported on and resulted in a number of federal and state‑level legislative hearings, impacted Massachusetts residents, in particular, and resulted in the Massachusetts Department of Public Health establishing a call center dedicated to answering public questions regarding the bankruptcy.
As summarized by the Massachusetts Senate in the first sentence of a press release concerning the Bill, the “Bill helps close gaps that caused the Steward Health Care collapse.”[10]
Expanded Definition of Material Change Transactions
Under existing Massachusetts law, health care providers and organizations with annual net patient service revenue exceeding $25 million are required to submit a Material Change Notice (“MCN”) to HPC, CHIA, and the Office of the Attorney General at least 60 days prior to a proposed material change.
The Bill broadens the scope of what constitutes a material change that requires the submission of an MCN to include the following:[11]
Transactions involving a “Significant Equity Investor” that result in a change of ownership or control of a provider or provider organization. The term “Significant Equity Investor” (which is excerpted, in its entirety, at the end of this post) is defined to include any private equity firm with a financial interest in a provider, provider organization, or MSO, as well as any investor or group holding 10% or more ownership in such entities.
“Significant acquisitions, sales, or transfers of assets, including, but not limited to, real estate sale‑leaseback arrangements.”
“Significant expansions in a provider or provider organization’s capacity.”
Conversion of nonprofit providers or organizations to for‑profit entities.
Mergers or acquisitions leading to a provider organization “attaining a dominant market share in a particular service or region.”
Of note, some of new categories, such as “significant expansion” in “capacity”, are ambiguous and do not adopt firm reporting threshold or parameters, which we expect are likely to be addressed via further rule‑making or guidance.
Implications for Private Equity Investors and REITs
The Bill represents a significant shift in the regulatory landscape for private equity investors and REITs in Massachusetts, and the Bill makes Massachusetts an outlier among the states with respect to the obligations and duties imposed upon investors and REITs.
Notwithstanding the foregoing, the Bill’s requirements represent a significant evolution, the product of ongoing legislative compromise. When introduced in the Massachusetts Senate as Senate Bill 2871 in 2024, the Bill’s precursor included additional statutory restrictions related to the corporate practice of medicine and “Friendly PC” model, maximum debt‑to‑EBITDA requirements for transactions involving providers or provider organizations, and bond requirements for private equity investors.
Stakeholders are advised to closely monitor further guidance and regulations that may be issued by Massachusetts authorities, and should continue to follow Proskauer’s Health Care Law Brief for continuing developments in this space.
Relevant Definitions
“Health care real estate investment trust” means a real estate investment trust, as defined by 26 U.S.C. section 856, whose assets consist of real property held in connection with the use or operations of a provider or provider organization.
“Non‑hospital provider organization” means a provider organization required to register under section 11 of the Bill that is: (i) a non‑hospital‑based physician practice with not less than $500,000,000 in annual gross patient service revenue; (ii) a clinical laboratory; (iii) an imaging facility; or (iv) a network of affiliated urgent care centers.
“Private equity company” means any company that collects capital investments from individuals or entities and purchases, as a parent company or through another entity that the company completely or partially owns or controls, a direct or indirect ownership share of a provider, provider organization, or management services organization; provided, however, that “private equity company” shall not include venture capital firms exclusively funding startups or other early‑stage businesses.
“Significant equity investor” means (i) any private equity company with a financial interest in a provider, provider organization, or management services organization; or (ii) an investor, group of investors, or other entity with a direct or indirect possession of equity in the capital, stock, or profits totaling more than 10% of a provider, provider organization, or management services organization; provided, however, that “significant equity investor” shall not include venture capital firms exclusively funding startups or other early‑stage businesses.
“Ownership or investment interest” means any: (1) direct or indirect possession of equity in the capital, stock, or profits totaling more than 10% of an entity; (2) interest held by an investor or group of investors who engages in the raising or returning of capital, and who invests, develops, or disposes of specified assets; or (3) interest held by a pool of funds by investors, including a pool of funds managed or controlled by private limited partnerships, if those investors or the management of that pool or private limited partnership employ investment strategies of any kind to earn a return on that pool of funds.
[1] Bill, Section 24.
[2] Bill, Section 42.
[3] Bill, Section 43.
[4] Bill, Section 24.
[5] Bill, Section 29.
[6] Bill, Section 49.
[7] Bill, Section 64
[8] See National Health Planning and Resources Development Act of 1974 (P.L. 93‑641).
[9] See, e.g., National Conference of State Legislatures, Certificate of Need State Laws, available at: https://www.ncsl.org/health/certificate‑of‑need‑state‑laws.
[10] Commonwealth of Massachusetts, Senate Press Room, Legislature Passes Major Health Care Oversight Legislation, Regulates Private Equity (Dec. 30, 2024), available at: https://malegislature.gov/PressRoom/Detail?pressReleaseId=164.
[11] See Bill, Section 24.
Proposed Modernization of the HIPAA Security Rules
The HIPAA Security Rule was originally promulgated over 20 years ago.
While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and evolution of the cybersecurity landscape, increasingly indicate the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world. On December 27, 2024, the HHS Office of Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”). In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.” One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.
The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule. While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework. For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented. Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management. For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.
Proposed Key Changes to the HIPAA Security Rule
The following is a summary of the proposed key changes to the HIPAA Security Rule:
Removal of the distinction between “Addressable” and “Required” implementation specifications. Removal of the distinction is meant to clarify that the implementation of all the HIPAA Security Rule specifications is NOT optional.
Development of a technology asset inventory and network map. You cannot protect data unless you know where it resides, who has access to it, and how it flows within and through a network and information systems (including third party systems and applications used by the Covered Entity or Business Associate).
Enhancement of risk analysis requirements to provide more specificity regarding how to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Specifically, the risk analysis must consider and document the risks to systems identified in the technology asset inventory.
Mandated incident and disaster response plans. This will require organizations to have documented contingency plans in place, including a process to restore critical data within 72 hours of a loss. This reflects a broader trend across the data protection landscape to ensure operational “resiliency”, recognizing that cyber attacks are routinely successful.
Updated access control requirements to better regulate which workforce members have access to certain data and address immediate termination of access when workforce members leave an organization.
Annual written verification that a Covered Entity’s Business Associates have implemented the HIPAA Security Rule.
Implementation of annual HIPAA Security Rule compliance audits.
Adoption of certain Security Controls:
Encryption of ePHI at rest and in transit;
Multi-factor authentication (i.e. requiring authentication of a user’s identity by at least two of three factors – e.g., password plus a smart identification card);
Patch management;
Penetration testing every 12 months;
Vulnerability scans every 6 months;
Network Segmentation;
Anti-malware protection; and
Back-up and recovery of ePHI.
Next Steps
The Proposed Rule was published in the Federal Register on January 6, 2025, and the 60-day comment period runs until March 7, 2025. We encourage regulated organizations to consider the impact of the Proposed Rule on their own systems and/or submit comments as the Proposed Rule will likely have substantial implications on the people, processes, and technologies of organizations required to comply.
Reconciliation and Healthcare Policies
Republicans hold a trifecta of control after winning the White House, US Senate, and US House of Representatives for the 119th Congress. They will aim to pass an agenda backed by President Trump that is focused on tax cuts, energy, and immigration. Healthcare policies are likely to be used as savers and to produce reductions in federal spending. To achieve this goal, Republicans will need to utilize the budget reconciliation process to bypass the Senate filibuster.
This report provides an overview of the reconciliation process, explains the Byrd rule, and illustrates recent examples of healthcare-related Byrd rule challenges.
Read the full report here
Julia Grabo also contributed to this article.
McDermott+ Check-Up: January 31, 2025
THIS WEEK’S DOSE
Senate Finance, HELP Committees Hold RFK Jr. Nomination Hearings. The Senate Finance Committee must vote on Robert F. Kennedy (RFK) Jr.’s nomination before it moves to the full Senate for confirmation.
Senate VA Committee Holds Oversight Hearing on Community Care. The hearing followed a House Veterans’ Affairs (VA) Committee hearing on the same issue last week, covering many similar topics.
Senate Aging Committee Holds Hearing on Fiscal Health for Seniors. The hearing focused on the causes of inflation, and health-related discussion centered mostly on prescription drugs and Medicaid.
Trump Issues EOs and Actions Focused on Abortion, Care for Transgender Children. The actions were highly anticipated and follow themes from his campaign.
White House Issues, Rescinds Memo Freezing Funding for Federal Assistance Programs. The original memo, now rescinded, directed agencies to temporarily pause all federal financial assistance funding that could be implicated by Trump’s executive orders (EOs).
Trump Administration Offers Deferred Resignation to All Federal Employees. The offer is in place through February 6 and states that employees who take advantage of this offer would be paid through September 2025.
CONGRESS
Senate Finance, HELP Committees Hold RFK Jr. Nomination Hearings. RFK Jr., nominated for Secretary of Health and Human Services (HHS), testified before the Senate Finance Committee on January 29 and before the Senate Health, Education, Labor, and Pensions (HELP) Committee on January 30. Some senators serve on both committees and therefore were able to question him twice. Republicans largely asked RFK Jr. about his positions and plans for issues such as Medicaid, rural health, food safety, transparency, and abortion. RFK Jr. noted that he would work with Members of Congress on such issues, if confirmed. While some Democrats agreed that the healthcare system was broken, they noted disagreement with several of RFK Jr.’s positions. Democrats on both committees largely questioned his qualifications and alleged that he had inconsistent views on issues such as abortion and vaccines. RFK Jr. defended his past statements and noted his belief that Democrats were misrepresenting his positions.
The next step for RFK Jr.’s nomination is a Senate Finance Committee vote, which has yet to be scheduled. His nomination would then move to the Senate floor. If every Democrat on the floor opposed him, he could only lose three Republican votes and still be confirmed.
Senate VA Committee Holds Oversight Hearing on Community Care. During the hearing, members heard from veterans, family members, and experts about how veterans continue to lack access to timely mental health and healthcare services in the Community Care program. Witnesses unanimously agreed that the VA fell short in providing access to timely and quality care for its veterans, and that the VA often restricted the use of the Community Care program. Democratic members focused on the recent firing of federal inspectors general and how federal funding cuts would impact these health programs, while Republican members focused on accountability and the inappropriate management of the VA.
Senate Aging Committee Holds Hearing on Fiscal Health for Seniors. The hearing included a panel of economic and social security experts to discuss how inflation has affected the lives of seniors. The hearing focused widely on what is causing inflation, and healthcare discussion centered on Medicaid, high prescription drug costs, and the Inflation Reduction Act (IRA). Republicans largely blamed inflation on government spending and welfare programs, while Democrats focused on the impact that inflation will have on housing, prescription drug, and retirement costs for older Americans.
ADMINISTRATION
White House Issues, Rescinds Memo Freezing Funding for Federal Financial Assistance Programs. Late on January 27, the Office of Management and Budget (OMB) released a memo directing federal agencies to pause all activities related to obligations or disbursement of all federal financial assistance and other relevant agency activities that may be implicated by President Trump’s recent EOs. The memo explicitly excluded Medicare and Social Security but caused widespread confusion as to the breadth of programs that could be impacted. Concerns were exacerbated by the release of an internal OMB listing of programs being investigated, which was far broader than the programs many stakeholders considered likely to be impacted by the EOs issued to date.
In the health arena, Medicaid was not given the protection that Medicare and Social Security received and also appeared on the OMB listing. Many organizations dependent on government funding were unable to access their funds on January 28, and the website used to track and disburse Medicaid funding was not operating correctly either. A lawsuit was immediately filed, and OMB released a Q&A factsheet noting that any program providing direct benefits to individuals was exempt from the pause, including Medicaid and the Supplemental Nutrition Assistance Program. OMB’s factsheet also noted that the only programs implicated were those impacted by seven specific Trump EOs, including those that address government diversity, equity, and inclusion programs; the Hyde Amendment; and gender ideology. Despite this communication, it remained unclear who would determine the scope of the temporary pause and how long the pause would last.
These actions from the Trump Administration were met with concern and criticism from impacted stakeholders and congressional Democrats, who noted that Congress approved these funds and that they are not optional. In response to the lawsuit, a federal judge granted an administrative stay that temporarily paused the order until February 3. On January 29, the Trump Administration rescinded the original OMB memo. Confusion remains, however, as Trump Administration officials stated that the rescission only applies to the memo, and that they will continue to proceed with freezing federal funds implicated by the EOs. In response, another federal judge has indicated that he may intervene with a broader action to prohibit the freeze in payments.
Trump Issues EOs and Actions Focused on Abortion, Care for Transgender Children. The anticipated actions provide further insight on the new Administration’s direction in these areas:
Enforcing the Hyde Amendment. This EO directs OMB to issue guidance ensuring that agencies comply with the Hyde Amendment, which is passed by Congress annually and prohibits federal funding for abortion.
Memo on the Mexico City Policy. This memorandum reinstates the so-called Mexico City Policy that prohibits foreign organizations that receive US federal funding from providing or promoting abortions. The policy has consistently been revoked by Democratic presidents and reinstated by Republican presidents, dating back to President Reagan.
Ending Gender-Affirming Care for Children. Entitled “Protecting Children from Chemical and Surgical Mutilation,” this EO states that federal agencies shall not “fund, sponsor, promote, assist, or support the so-called ‘transition’ of a child from one sex to another.” It defines a child as an individual under 19 years of age, and it defines “chemical and surgical mutilation” to include a range of services and medications, including certain applications of puberty blockers, sex hormones, and surgery. The EO directs agencies that provide research or education grants to medical institutions to ensure that grantees do not perform any care that is prohibited under this EO. It directs HHS, TRICARE, and the federal employee health benefits program to not cover this care, and it directs HHS to take action through vehicles such as Medicare or Medicaid conditions of participation, Section 1557, and mandatory drug use reviews.
Reinstating Service Members Discharged Under the Military’s COVID-19 Mandate. This EO reinstates service members who were discharged for refusing to comply with the COVID-19 vaccine mandate that was imposed in August 2021 and rescinded in January 2023.
Additional EOs are reportedly forthcoming as early as today. We will continue to provide updates on EOs impacting healthcare.
Trump Administration Offers Deferred Resignation to all Federal Employees. Federal employees have until February 6 to decide if they would like to accept the offer. The offer states that employees who accept will receive pay and benefits through September 30. The notice has caused widespread confusion and concern among federal employees, and labor representatives are urging federal employees to reject the offer, as it may not be enforceable. The administration subsequently released a frequently asked questions document with further information. The Trump Administration’s goal is to reduce the size of the federal workforce through voluntary means, but officials have indicated an intention to go further in the future, noting in the offer that they cannot provide assurance on the certainty of positions. Reductions in the federal workforce could have implications for federal healthcare programs.
QUICK HITS
Date Set for Trump Address to Joint Session of Congress. On March 4, President Trump will address both chambers for the first time since returning to office.
Trump Administration Removes Inspectors General. The Trump Administration fired 18 inspectors general across federal agencies, including the previous HHS Inspector General Christi Grimm. The action received broad criticism for violating a required 30-day notice to Congress to dismiss inspectors general. Senate Judiciary Chairman Grassley (R-IA) and Ranking Member Durbin (D-IL) issued a joint inquiry seeking “a lawfully-required substantive rationale behind his recent decision to dismiss Inspectors General (IGs) from 18 offices.”
CMS Issues Statement on IRA Medicare Drug Price Negotiations. The brief statement indicates that the Trump Administration is committed to incorporating stakeholder feedback and increasing transparency in the IRA drug price negotiation program.
NEXT WEEK’S DIAGNOSIS
The Senate Finance Committee has yet to schedule a vote on RFK Jr.’s nomination, but it could occur next week, before moving to the full Senate floor. The Senate will be in session all of next week, and the House will be in session starting on Tuesday. The House Energy & Commerce Committee Health Subcommittee will hold a hearing on combatting existing and emerging illicit drug threats. In addition, the House Budget Committee reportedly plans to mark up a budget resolution to formally begin the reconciliation process, although it has not yet been formally announced.
Illinois Ruling on Civil Liability for Employers Confirms Risks to Companies
Since their inception, the Illinois Workers’ Compensation Act (820 ILCS 305/1 et seq.) and Workers’ Occupational Diseases Acts (820 ILCS 310/1 et seq.) (the “Acts” or “Act”) have offered some certainty and predictability with respect to injuries sustained in the course of employment. The Acts provide a clear framework within which injured employees may pursue claims against their employers and ensures they can receive payment of their medical expenses, lost wages associated with their injuries, and compensation for any permanent disabilities and/or disfigurement sustained, without having to prove fault on behalf of the employer. In exchange, the employer pays for these benefits and enjoys some predictability and limitations on the allowable damages under the Acts, assured that the Acts offer the exclusive remedy against the employer, such that no civil lawsuits, where awards may include pain and suffering and be much higher in value, may be brought against them for the same injury. Generally, an employer would be entitled to the exclusive remedies provided under the Acts, assuming that the injury or disease was accidental, arose during and in the course of employment, and is compensable under the Acts. 820 ILCS 310/5(a), 11 (West 2022); 820 ILCS 305/5(a), 11 (West 2022). So, understandably, when an employer is sued in a civil court for a work-related injury, they may look to the protection of the Acts, to defend the claim and argue for dismissal based on the Acts’ exclusivity provisions.
The Acts contain a repose period of 25 years for injury or disability caused by exposure to asbestos. See 820 ILCS 310/1(f) and 820 ILCS 305/1(f). Thus, prior to 2019, no claims could be brought under the Acts more than 25 years after the date of last exposure to asbestos. In the 2015 landmark case of Folta v. Ferro Engineering, 43 N.E. 108 (Ill. 2015), Mr. Folta claimed his mesothelioma was caused, at least in part, from exposure to asbestos while working for his employer, Ferro Engineering, for whom he last worked in 1970. Mr. Folta was diagnosed with mesothelioma over 40 years later in 2011, and filed a civil lawsuit against Ferro (and others) in state court. Ferro moved to dismiss the civil suit, arguing that Mr. Folta’s exclusive remedy was found in the Workers’ Occupational Disease Act, and could not be brought as a civil action against it. However, Mr. Folta argued that because more than 25 years had passed since his exposure to asbestos at Ferro, his claim would be barred by the 25-year repose period and is not “compensable” under the Act, leaving him without any remedy if not allowed to proceed in state court. The Illinois Supreme Court affirmed that the Act’s 25-year statute of repose acts as a complete bar, and yet still held that the Act provided Mr. Folta’s exclusive remedy against his employer. The Court noted the question of “compensability” turned on whether the type of injury sustained would fall within the scope of the Act, not whether there is an ability or possibility to recover benefits under the Act. Given that Mr. Folta’s injury was compensable, the Act provided his exclusive remedy, and his claim under the Act was time-barred by the 25-year statute of repose.
While acknowledging that the outcome may be a harsh result as to the plaintiff, leaving him with no remedy against his employer for his latent disease, the Court in Folta noted its job is not to find a compromise, but to interpret the statutes as written, suggesting if a different balance should be struck, it would be the duty of the legislature to do so. And that is what happened in 2019, when the Illinois Senate and House introduced two new statutes carving out exceptions to the exclusive remedy provisions for both the Workers’ Compensation and Workers’ Occupational Diseases Acts. Under the new statutes, the Acts no longer prohibit workers with latent diseases or injuries from pursuing their claims after the repose period in civil court. The new statute added to the Workers Occupational Disease Act, 820 ILCS 310/1.1, states:
Permitted civil actions. Subsection (a) of Section 5 and Section 11 do not apply to any injury or death resulting from an occupational disease as to which the recovery of compensation benefits under this Act would be precluded due to the operation of any period of repose or repose provision. As to any such occupational disease, the employee, the employee’s heirs, and any person having standing under the law to bring a civil action at law, including an action for wrongful death and an action pursuant to Section 27-6 of the Probate Act of 1975, has the nonwaivable right to bring such an action against any employer or employers.
When Governor J.B. Pritzker signed the bill into law in May 2019, he issued a statement, indicating the purpose of the revised legislation is to allow workers to “pursue justice,” given that in some cases, the 25-year limit is shorter than the medically recognized latency period of some diseases, such as those caused by asbestos exposure. The impact on employers, however, was not addressed. And employers were left with questions, including critically, whether this new change to the law can apply retroactively, when the statute itself is silent as to the temporal scope. Having relied on the provisions of the Acts in place at the time for basic and critical business decisions, including procurement of appropriate insurance and establishment of wages and benefits, employers cannot now go back in time and change those decisions to offset the increased liability which they now face. Further, following Folta, employers have a vested defense in the Acts’ exclusivity and statute of repose provisions. So, retroactive application of the new statutes could impose new liabilities not previously contemplated and could strip defendant employers of their vested defenses, violating Illinois’ due process guarantee. Anticipating plaintiffs’ firms would file latent disease claims against employers in civil court going forward, and with decades of case law to support prospective application only, it was just a matter of time before the issue reached further judicial scrutiny.
And that brings us to the Illinois Supreme Court’s January 24, 2025 decision in the matter of Martin v. Goodrich, 2025 IL 130509. Mr. Martin worked for BF Goodrich Company (“Goodrich”) from 1966 to 2012, where he was exposed to vinyl chloride monomer and vinyl chloride-containing products until 1974. He was diagnosed with angiosarcoma of the liver, a disease allegedly caused by exposure to those chemicals, in December of 2019, passing away in 2020. His widow filed a civil lawsuit against Goodrich alleging wrongful death as a result of his exposure, invoking the new exception found in section 1.1 of the Act to bring the matter in civil court. In response, Goodrich moved to dismiss the case based on the Act’s exclusivity provisions, arguing that section 1.1 did not apply because Section 1(f) was not a statute of repose. Alternatively, Goodrich argued that using the exception to revive Martin’s claim would infringe its due process rights under the Illinois Constitution. The district court denied Goodrich’s motion, and Goodrich asked the court to certify two questions to the US Court of Appeals for the Seventh Circuit for interlocutory appeal: first, whether section 1(f) is a statue of repose for purposes of section 1.1, and second, if so, whether applying section 1.1 to Martin’s suit would violate Illinois’ constitutional due process. Finding the questions impact numerous cases and Illinois’ policy interests, the Seventh Circuit certified the questions, and added a third question: if section 1(f) falls within the section 1.1 exception, what is the temporal reach? Answering these questions, the Illinois Supreme Court held that (1) the period referenced in section 1(f) is a period of repose, (2) the exception in section 1.1 applies prospectively pursuant to the Statute on Statutes, and therefore, (3) it does not violate Illinois’ due process guarantee.
But what did the Court mean when it held that the exception in section 1.1 applies prospectively? Goodrich argued that prospective application would mean that the exception in section 1.1 does not apply to this case, because the last exposure was in 1976, before the amendment was made, and the defendant had a vested right to assert the statute of repose and exclusivity provisions of the Act, which would prohibit the civil suit. The Court pointed out, however, that the amendment did not revive Mr. Martin’s ability to seek compensation under the Act, such that the employer’s vested statute of repose defense would apply. Rather, the amendment gave him the ability to seek compensation through a civil suit outside of the Act. So, the question becomes only whether the employer has a vested right to the exclusivity defense, such that applying section 1.1 would violate due process. The Court held that the exclusivity provisions of the Act are an affirmative defense, such that the employer’s potential for liability exists unless and until the defense is established. And a party’s right to a defense does not accrue until the plaintiff’s right to a cause of action accrues. Applying the new statute prospectively, the Court found the cause of action could be filed in civil court, because the relevant time period for considering applicability of the affirmative defense of the Act’s exclusivity is when the employee discovers his injury. Since Mr. Martin’s cause of action accrued when he was diagnosed in December of 2019, which was after section 1.1 was added, Goodrich did not have a vested exclusivity defense, so Mr. Martin’s claim may proceed without violating due process.
While the court did not apply the new statute retroactively, the effect is essentially the same from the employers’ perspective, as latent injury claims will be allowed to proceed in civil court, as long as the injuries were discovered after expiration of the repose period and after the new statutes went into effect in May of 2019. This was not the outcome defendant employers were hoping to receive, but it is what the Court decided. So, unless or until the legislative tides change again, Illinois employers should be aware of the potential for civil suits for employees’ latent injury or disease claims.
Maryland’s FAMLI Program, Part III: Claims and Dispute Resolution Proposed Regulations
Starting July 1, 2026, Maryland’s Family and Medical Leave Insurance (FAMLI) law will provide up to twelve weeks of paid family and medical leave, with the possibility of an additional twelve weeks of paid parental leave, through a state-run program. Contributions from employers and employees to fund the program will begin July 1, 2025, and the Maryland Department of Labor (MDOL) is currently in the process of developing regulations to implement this law.
Quick Hits
The Maryland Department of Labor has taken an extensive approach to rulemaking for the FAMLI program, including public engagement sessions and multiple iterations of draft and proposed regulations, with the latest section on dispute resolution now open for public comment.
Proposed regulations for Maryland’s FAMLI program cover claims and dispute resolution, detailing procedures for benefit claims, employer responses, and appeals, while also highlighting significant employer concerns such as limited options to challenge fraudulent applications.
Comments on the dispute resolution proposed regulations may be submitted through February 10, 2025.
We explained in part two of this series that the MDOL has taken an unusually extensive and inclusive approach to the traditional rulemaking process, which normally involves the release of proposed regulations for comment, followed by final regulations. Here, however, the MDOL first held a series of public engagement sessions, after which it issued informal “draft” regulations at the beginning of 2024. Following amendments to the FAMLI law made during the 2024 Maryland General Assembly session, the MDOL released a second iteration of “draft” regulations. This was followed by a set of official proposed regulations, for which the comment period closed in November 2024, and now another section of proposed regulations, which are open for public comment.
The proposed regulations thus far are divided into five sections. In part two of this series, we discussed the “General Provisions,” “Contributions,” and “Equivalent Private Insurance Plans” (EPIPs) sections. In part three, we summarize the sections on “Claims,” and—just issued—”Dispute Resolution” as well as some significant employer concerns that have not been addressed by the proposed regulations.
Claims
The “Claims” section is a lengthy and detailed section of the regulations. Of particular note, there are extremely limited options for an employer to report fraud, and no guidance on how the MDOL’s FAMLI Division will handle such reports. Other important points include the following.
Definitions
The proposed regulations add the following significant definitions:
“Alternative FAMLI Purpose Leave” (AFPL) means a separate bank of employer-provided leave specifically designated for medical leave, family leave, qualifying exigency leave, or leave under a disability policy. The regulations specify that such leave must be specifically designed to fulfill a FAMLI purpose, paid, not accrued, not subject to repayment upon departure, not available for general purposes, and available without a requirement to exhaust other leave.
“General purpose leave” means employer-provided paid leave, such as general paid time off (PTO), vacation, personal leave, or sick leave.
“Good cause” refers to the inability to file a complete claim application because of an unanticipated and prolonged period of incapacity due to a serious health condition; a demonstrated inability to reasonably access a means of filing (e.g., natural disaster, power outage, or a significant and prolonged MDOL system outage); or a demonstrated failure of the employer to provide the required notification to the employee.
Required Documentation
Claimants must provide certain documentation to support their benefits claims to include personal identifying information; information about their employers; proof of relationship, meaning a signed affidavit from the employee, official governmental documentation, or documentation from licensed foster care or adoption providers; and certification of a qualifying event containing information that generally mimics the certification requirements under the federal Family and Medical Leave Act (FMLA) (the FAMLI Division will provide forms for an employee’s own or a family member’s serious health condition, and military caregiving reasons).
Employer Response
Employers have five business days to respond to notice of an application, and if they fail to respond, the claim is considered complete. If the employer challenges an employee’s eligibility for benefits, the FAMLI Division will investigate and make a determination. If the employer submits a response after the five-day period that establishes ineligibility, the employee will retain any benefits received, but additional benefits will not be paid and job protection will no longer apply.
Claim Updates
Claimants must update their claims within ten days, or as soon as practicable if there is good cause, for changes in the following: the basis for leave, the dates that leave will be taken, the duration of the leave, and whether the claimant has begun receiving workers’ compensation or unemployment insurance benefits.
Employer Notice
The proposed regulations add “6 months prior to commencement of benefits” to the required points of time in which notice must be provided to employees. In addition, the FAMLI Division will issue forms and templates that employers will be required to use for such notices.
Employee Notice
In addition to reiterating the law’s notice requirements for foreseeable and unforeseeable leave, the proposed regulations provide that employers may waive notice and will be deemed to have done so if they did not include the failure of notice in their responses to claims or if they did not inform an employee that notice is required.
Intermittent Leave
Employees must provide reasonable and practicable notice of the reason, dates, and duration of the leave. If they fail to provide reasonable and practicable notice of their intermittent leave schedule, they may be held accountable under their employers’ attendance policies, but only if the employers first notify the FAMLI Division. If an employee’s use of intermittent leave is inconsistent with the FAMLI leave approval, the employer may request additional information related to the employee’s use of FAMLI leave.
State/EPIP Notice to Claimants
Claimants will receive notice from the state program or the EPIP of the following:
submission of an application and whether it is complete;
when notice is sent to the employer;
when the employer’s response is submitted;
whether the application is approved, including details of benefits; and
whether the application is denied, with the reason and appeal rights.
State/EPIP Notice to Employers
Employers will receive notice from the state program or the EPIP of the following:
submission of an application and, if initially incomplete, a complete application;
claim determination;
reconsideration of appeal of a benefits determination; and
changes to benefits determinations.
Coordination of Benefits
Alternative FAMLI Purpose Leave (AFPL): The proposed regulations assert that an employer may require employees to use AFPL concurrently or in coordination with FAMLI leave, but only if the employer provides advance written notice of this requirement. Then, if an employee declines to apply for FAMLI leave, the employee’s FAMLI benefit eligibility is reduced by the AFPL taken. If the employee receives both, the FAMLI benefit is primary and AFPL may be used to bridge the difference between the FAMLI benefit and full pay, but the employer may deduct the full amount of time taken from the AFPL balance.
General Purpose Leave (GPL): Neither an employer nor employee can require the substitution of GPL for FAMLI leave, but they can agree in writing to use GPL to bridge the gap between FAMLI benefits and full pay. Employers must document and retain any such agreement. Unlike AFPL, only the actual amount of GPL used may be deducted from an employee’s GPL balance.
Sick leave: An employee may use sick leave prior to receiving FAMLI benefits without the employer’s agreement.
Benefit Payment
The first payment will be within five business days after a claim is approved or FAMLI leave has started, whichever is later. Subsequent payments will be made every two weeks. If there is an overpayment, such as benefits being paid erroneously or based on a willful misrepresentation of the claimant, or a claim was rejected after benefits were paid, the FAMLI Division may seek repayment.
Fraud
If fraud is proven after benefits have been approved and issued, those benefits will be treated as an overpayment and job and anti-retaliation protections will not apply.
Dispute Resolution
This newest section of the proposed regulations establishes dispute resolution procedures for the denial of a claimant’s benefits, the denial or termination of an employer’s EPIP, and the reconsideration of an employer’s contribution liability determination. It does not provide an avenue for an employer to challenge the award of benefits. Some of the more significant points follow.
Definitions
“Good Cause” for failing to timely file a request for reconsideration or an appeal is almost the same as that set forth in “Claims,” above, with the only difference being the failure by the entity issuing the adverse determination to provide notice of the dispute resolution procedures.
“Party” means a claimant, an individual who has been disqualified from receiving benefits, an EPIP administrator, and the FAMLI Division. It does not include an employer.
EPIP Denial or Termination
Employers may request review if their application for an EPIP was denied or the EPIP was involuntarily terminated. Requests for review must be filed within ten business days (absent good cause), in writing, with an explanation of why the decision was in error. Decisions will be made within twenty business days by FAMLI Division personnel who did not participate in the EPIP decision at issue, and there may be an informal conference to discuss the review request during that time.
Reconsideration of Adverse Benefit Determination
Employees may request reconsideration of a denial of benefits within thirty (apparently calendar) days (absent good cause), in writing, with an explanation of why the decision was in error. Notice is provided to all “parties” and the employer. Decisions will be made within ten business days by the FAMLI Division or an EPIP administrator personnel who did not participate in the decision at issue, and there may be an informal conference to discuss the review request during that time.
Appeal of Benefit Denials, Underpayments, or Disqualifications
Employees may also appeal an adverse decision, following a request for reconsideration. The appeal must be filed within thirty days. Again, notice is provided to “parties” and the employer. An informal conference may be held at the sole discretion of the FAMLI Division. A hearing will normally be held within thirty days of the filing, with a detailed notice to the “parties” related to the hearing itself. There are also detailed regulations regarding the hearing including: how notice may be provided; the parties’ right to representation; proceeding with the hearing where a party has failed to appear; postponement of the hearing; subpoenas; the hearing procedures; evidence; creation of the record; interpreters; the claimant’s burden of proof; recording; and recusal of hearing officers. Decisions will be issued at the conclusion of the hearing in a final written order to the parties. Such orders are subject to judicial review.
Reconsideration of Contribution Liability Determination
Employers may request reconsideration of a determination of their contribution liability, meaning the amount the FAMLI Division determines to be due each quarter, including both the employer and employee portions. Requests for reconsideration must be filed within thirty days (absent good cause), in writing, with an explanation of why the decision was in error. Decisions will be made within thirty business days by FAMLI Division personnel who did not participate in the decision at issue,
Appeal of Contribution Liability Determination
Employers may also appeal a determination, following a request for reconsideration. The appeal must be filed within thirty days. A hearing will normally be held within sixty days of the filing, with a detailed notice to the employer related to the hearing itself. There are similar provisions to those related to claims appeals, above, such as: how notice is provided; representation; failure to appear; postponement; subpoenas; the hearing procedures; evidence; creation of the record; interpreters; the employer’s burden of proof; recording; and recusal. Decisions will be issued within ninety days, and subject to judicial review.
Enforcement
Although the “draft” regulations included this section, albeit without content, neither section of the proposed regulations does. Presumably, it will be released at a later date.
Continuing Concerns
The proposed regulations do not address some significant concerns for employers. One such concern is that the ability of employers to challenge fraudulent applications for benefits is quite limited. As noted above, employers have five days in which to respond to an application. The regulations contemplate that an employer may provide relevant information after that five-day period, but if that information would result in a revocation of benefits, the employee is still entitled to the benefits already received and, more troublingly, job and anti-retaliation protection continue to apply until benefits are revoked. A separate section states that job and anti-retaliation protections do not apply once fraud is “proven.” There is no clarification of what that means or timeline for how long that might be—meaning that an employer may be required to continue active employment for an employee whom it knows to have engaged in fraud until the FAMLI Division says otherwise.
The regulations provide that, where an employee is taking FAMLI leave to care for a family member and the family member dies, the benefits continue for an additional seven days—which effectively provides bereavement leave that is not one of the specified reasons that one can qualify for leave under the FAMLI law.
While the proposed regulations permit an employer to request additional information where an employee’s use of intermittent leave is inconsistent with the leave approval, there is no provision for an employer to request additional information in response to an initial notice of the need for leave, which may be necessary to establish fraud.
Interested parties may submit comments only on the Dispute Resolution section through February 10, 2025, to the FAMLI Division at [email protected]. As noted previously, the comment period for the sections on General Provisions, Contributions, Equivalent Private Insurance Plans, and Claims has already closed. The FAMLI Division may make additional changes to the proposed regulations based on the comments it receives before issuing them in final form.
New Statutory Entitlements for Neonatal Leave and Pay in the United Kingdom
Parents of babies who require neonatal care will have a right to up to twelve weeks of leave and pay under the Neonatal Care (Leave and Pay) Act 2023, coming into force on 6 April 2025. This affects England, Scotland, and Wales, but not Northern Ireland.
Quick Hits
Under the Neonatal Care (Leave and Pay) Act 2023, employed parents whose babies are admitted to neonatal care within the first twenty-eight days of birth and remain in hospital for at least seven consecutive days have a right to up to twelve weeks of leave and pay.
The act aims to allow new parents necessary time during challenging circumstances without interfering with their maternity, paternity, or parental leave.
The UK government anticipates that approximately 60,000 new parents will benefit from the new rights.
The act will introduce additional time off as a day one right beginning on 6 April 2025. The right to neonatal leave and pay applies to individuals with a parental or significant personal relationship to a baby, born after 6 April 2025, receiving neonatal care. Eligible parents will be able to take neonatal care for each week that their baby is in the hospital, up to a maximum of twelve weeks. The leave must be used within the first sixty-eight weeks of the baby’s birth (or placement or entry to Great Britain in the event of adoption).
To qualify for neonatal pay an employee must have worked for the employer for at least twenty-six weeks before requesting leave and have earned at least £125 per week on average. This is similar to the existing entitlement for maternity pay.
The same employment protections that apply to other types of family-related leave will also apply to parents who take neonatal leave, including protection from dismissal or detriment as a result of taking or applying for neonatal leave. Employees will also remain entitled to the same terms and conditions of employment, with the exception of pay. Additionally, employees who have taken six consecutive weeks of neonatal leave will benefit from extended redundancy protection rights (if these do not already apply via an employee’s notification of their pregnancy, or through the taking of maternity, adoption, or paternity leave) with the right to return to the same job or to be offered a suitable alternative depending on the date on which the right to return is exercised.
Upcoming Changes
The updates to neonatal leave and pay are due to be implemented alongside other changes coming into force from 6 April 2025. In particular, the rate of statutory sick pay will increase from £116.75 to £118.75 per week. The statutory rates of maternity pay, maternity allowance, adoption pay, paternity pay, shared parental pay, and parental bereavement pay will also all increase from £184.03 to £187.18 per week. The lower earnings limit will also increase to £125 from £123.
FDA Releases Draft Guidance on AI-Enabled Medical Devices
Go-To Guide:
The FDA issued draft guidance on AI-enabled medical devices, emphasizing a total product life cycle approach from design to post-market monitoring.
The guidance outlines recommended documentation for marketing submissions, including device descriptions, performance validation, and risk management plans.
Transparency and bias mitigation are highlighted as crucial elements in fostering trust and ensuring equitable outcomes for AI-enabled devices.
The FDA encourages manufacturers to provide clear, user-friendly labeling that explains AI functionality, limitations, and instructions for use.
This guidance may be subject to review and revision in light of President Trump’s recent AI-focused Executive Order.
On Jan. 7, 2025, the FDA issued its draft guidance, “Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations.” In its latest draft guidance on medical devices, the FDA provides recommendations on the documentation and information that should be included in marketing submissions for devices that include AI-enabled device software functions.
The guidance emphasizes the FDA’s holistic total product life cycle (TPLC) approach, which requires manufacturers to consider the entire lifespan of an AI-enabled device—from initial concept and design to post-market performance monitoring. The guidance also underscores the importance of transparency and bias mitigation in AI-enabled devices to foster trust and equitable outcomes. By addressing the unique challenges AI poses, the guidance establishes standards for transparency, accountability, and flexibility in managing AI-enabled devices across their TPLC.
Total Product Life Cycle Approach
The guidance highlights the importance of managing AI-enabled devices using a TPLC approach. This method seeks to ensure continuous oversight, from design and development through post-market performance. The FDA’s recommendations for manufacturers at each TPLC phase include:
Design and Development: Integrate risk management and human factors engineering early in the design process to mitigate potential risks associated with AI functionalities.
Validation and Testing: Utilize rigorous methodologies to validate AI performance, ensuring effectiveness across diverse patient populations and real-world settings.
Post-Market Monitoring: Continuously monitor in real-time to identify and address performance deviations or safety concerns, supported by mechanisms for timely updates.
Marketing Submission Requirements
The FDA emphasizes the critical elements that sponsors should provide in premarket submissions for AI-enabled devices. These include:
Device Description: Clear, comprehensive details about the device’s inputs and outputs, an explanation of how AI is used to achieve the device’s intended use, a description of the intended users, the level and type of training intended users have or will receive, the intended use environment, the intended workflow of the use of the device, and a description of installation and maintenance procedures, as well as any calibration or configuration procedures that must be regularly performed by users.
User Interface Information: Information that demonstrates the device workflow and how that information is presented to users, which may be accomplished through graphical representations, written descriptions, example reports, and recorded videos.
Labeling: Explanations, in an appropriate reading level, that the device includes AI, how AI is used to achieve the device’s intended use, model inputs and outputs, any automated functions, model architecture, development and performance data and metrics, performance monitoring, any known limitations of the device, and instructions for use. Appendix E provides exemplar communication models for sponsors to consider when developing labeling.
Training and Testing Data: Descriptions of data collection, data cleaning and processing, test data independence, reference standards, and representativeness.
Performance Validation: Evidence to demonstrate accuracy, reliability, and repeatability in clinical and non-clinical settings, including testing for specific populations. Appendix C includes recommendations for clinical performance validation, while Appendix D describes human factors considerations.
Change Management Plans: Information regarding performance monitoring plans, including measures to capture device performance after deployment, including updates, mitigations, and corrective actions.
Risk Management: A risk management file that includes a risk management plan and robust assessments to evaluate the risks of AI functions and their impact on patient safety, considering biases, software malfunctions, or data inaccuracies.
Cybersecurity and Data Integrity: Information regarding the measures taken to protect against data breaches and ensure the integrity of AI models.
Public Submission Summary: A summary with details about the AI-enabled device’s characteristics for use in public facing documents. Appendix F provides examples for communicating the required information.
Appendix B includes recommendations for developing a transparent device centered on users. The draft guidance encourages sponsors to take a holistic, user-centered approach to transparency, beginning at the design phase of the TPLC to ensure important information is both accessible and functionally understandable. Because transparency is contextually dependent, appropriate information to include would vary across devices, and the draft provides examples for sponsors to consider.
Conclusion
By focusing on lifecycle management, transparency, bias mitigation, and flexibility, the FDA aims to balance innovation with public safety. Aligning with these recommendations may help manufacturers accelerate AI technology deployment in healthcare. The FDA actively seeks input from stakeholders, including manufacturers, healthcare professionals, and the public, to refine this draft guidance. Comments on the guidance are welcomed through April 7, 2025.
While currently uncertain, President Trump’s rescission of President Biden’s AI Executive Order No. 14110 and issuance of his own AI-focused Executive Order entitled “Removing Barriers to American Leadership in Artificial Intelligence” on Jan. 23, 2025, may lead to a widespread reevaluation of all AI policies and guidances agencies such as the FDA have submitted. Accordingly, relevant stakeholders should monitor the viability and advancement of this draft guidance.
New York’s Health Information Privacy Act: A Turning Point for Digital Health or a Roadblock to Innovation?
The proposed New York Health Information Privacy Act (NYHIPA), currently awaiting Governor Kathy Hochul’s signature, represents a major step in the state’s approach to protecting personal health data in the digital age. At its core, the bill aims to establish stronger privacy protections and restrict the use and sale of health-related data without explicit user consent. Supporters see it as a necessary evolution of data privacy laws, addressing gaps in federal regulations like HIPAA and responding to growing consumer concerns.
However, while the bill’s intent is clear, its practical implications are far more complex. If enacted, NYHIPA could create significant operational and financial burdens for digital health companies, insurers, and other businesses handling health information. It also raises pressing questions about the future of innovation in health technology, data-driven research, and even the fundamental business models that underpin much of today’s digital healthcare ecosystem. As New York weighs this decision, stakeholders must consider not only the benefits of stronger privacy protections but also the unintended consequences that could hinder the growth of the state’s thriving health tech sector.
In recent years, states across the country have introduced privacy laws that aim to strengthen consumer protections in response to widespread data breaches and growing concerns about corporate data practices. California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA), Illinois’s Biometric Information Privacy Act (BIPA), and similar laws have set the stage for a complex web of state-led privacy regulations. At the federal level, the Federal Trade Commission (FTC) has intensified its scrutiny of health data practices, issuing warnings and imposing fines on companies that fail to protect consumer privacy.
New York’s legislation stands out because it casts a wide net in defining what constitutes “regulated health information.” Unlike HIPAA, which primarily governs hospitals, insurers, and healthcare providers, NYHIPA extends its scope to include any company that collects health-related data from New York residents. This means that digital health apps, wellness platforms, employers offering health benefits, and even non-traditional healthcare-adjacent businesses could be subject to its requirements. Companies would need to overhaul their data collection and consent practices, develop new compliance systems, and ensure that they are aligned with both state and federal regulations.
While these measures are intended to protect consumers, they also introduce significant challenges. Businesses operating in New York may find themselves facing higher compliance costs, which could be particularly burdensome for startups and mid-sized companies that lack the resources of larger corporations. If companies are forced to invest heavily in compliance, they may pass these costs onto consumers or scale back their services, limiting access to innovative digital health solutions. There is also the risk that companies could choose to leave New York or avoid entering the state altogether, putting New York at a competitive disadvantage in the rapidly growing health tech sector.
Beyond the financial and operational burdens, there is also concern about the unintended consequences this law could have on innovation. Many of the advances in health technology rely on data-driven insights to improve patient outcomes, streamline care coordination, and develop more personalized treatment plans. Overly restrictive regulations may limit the ability of companies to leverage data in ways that could be beneficial to patients and providers alike. If businesses are forced to navigate a regulatory minefield, some may choose to take a more cautious approach, slowing down progress in areas where data-driven innovation could make a meaningful difference.
At the same time, there is no denying that security threats and consumer expectations are changing. Cyberattacks on healthcare systems have become more frequent, with ransomware attacks targeting hospitals and breaches exposing millions of patient records. Consumers are becoming increasingly aware of how their data is being used and are demanding greater control over their personal information. Across the country, there is a growing push for opt-in models and stricter limitations on the use of personally identifiable information. Whether or not NYHIPA becomes law, companies should expect privacy regulations to become stricter in the coming years and take proactive steps to enhance security and transparency.
For businesses, adapting to this new landscape will require a strategic approach. Companies that process health-related data will need to closely examine how they collect, store, and use information. Those that can demonstrate a commitment to privacy and data security may find themselves with a competitive advantage as consumers become more discerning about which platforms they trust. At the same time, industry leaders should engage in policy discussions to ensure that privacy regulations are designed in a way that balances consumer protection with the need for continued innovation.
New York has an opportunity to be a leader in health data privacy, but it must do so without stifling the industry that relies on responsible data use to drive advancements in health care. Governor Hochul’s decision on NYHIPA will set an important precedent for the future of digital health regulation, not just in New York but across the country. If done right, this legislation could serve as a model for balancing privacy protections with business realities. If not, it risks becoming a case study in how regulatory overreach can do more harm than good.
OFCCP Welcomes New Acting Director Amidst Policy Shift
In a significant move, the Office of Federal Contract Compliance Programs (OFCCP) has appointed Michael Schloss as the new acting director and deputy director of policy. This appointment comes as part of the Trump administration’s broader strategy to reshape the agency’s mission following the issuance of executive order (EO) Ending Illegal Discrimination and Restoring Merit-Based Opportunity, which revoked EO 11246. Schloss is tasked with guiding OFCCP as it shifts focus toward enforcing Section 503 of the Rehabilitation Act and the Vietnam Era Veterans’ Readjustment Assistance Act (VEVRAA).
Quick Hits
OFCCP has appointed Michael Schloss as the new acting director and deputy director of policy, as part of the new administration’s overall strategy to reshape the agency.
Schloss previously served as director of the Office of Field Administration at the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA).
Schloss will now guide OFCCP’s focus on enforcing Section 503 of the Rehabilitation Act and VEVRAA.
Acting Director Schloss transitions to OFCCP from the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA), where he served as Director of the Office of Field Administration. In that role he oversaw EBSA’s ten regional offices and three district offices, ensuring the execution of enforcement, outreach, education, and assistance programs related to Employee Retirement Income Security Act (ERISA) requirements. His responsibilities included overseeing fiduciary standards, prohibited transactions, and group health plan requirements, as well as coordinating efforts across EBSA’s regions and other DOL program offices. Acting Director Schloss’s background in benefits law and EBSA operations suggests he is new to OFCCP policy.
Stay tuned for further updates as the OFCCP navigates this transition under Schloss’s leadership.
Unlocking Transparency: New DOL Guidance Clarifies Gag Clause Prohibition Rules Helping Health Plans Secure Their Claims Data
On January 14, 2025, the U.S. Department of Labor (DOL), Health and Human Services (HHS) and Treasury Department jointly issued new guidance in a FAQ format (Guidance) regarding compliance with certain provisions of Title I (No Surprises Act) and Title II (Transparency) of the Consolidated Appropriations Act, 2021.
This Guidance provides important clarifications on the Gag Clause Prohibition rules that will help group health benefit plans ensure that the federal government’s transparency mandates are complied with and that requests for claims data from health insurance carriers are obeyed.
Background
The Gag Clause Prohibition, enacted under the Consolidated Appropriations Act of 2021 (CAA), includes a set of federal regulations and rules that were designed to promote transparency in the employee benefit and healthcare insurance industries. These regulations prohibit group health benefit plans and health insurance carriers from entering into contracts that restrict access to critical claims data and cost or quality information, or otherwise prevent group health benefit plans or insurance carriers from disclosing such claims data and information to plan participants, beneficiaries, or enrollees; plan sponsors (e.g., employers); or to a plan’s business associate, such as a third-party administrator (TPA) or vendor, consistent with applicable privacy regulations.
Despite the clear mandates of the Gag Clause Prohibition rules, for the last four years, some health insurance carriers have repeatedly obstructed or refused to adequately comply with the federal transparency mandates. Specifically, some health insurance carriers who own healthcare provider networks and who essentially rent such networks to group health benefit plans have continuously refused to share a complete and accurate set of health claims data either with the plan sponsor or the plan’s business associates.
Likewise, if a group health benefit plan engaged its own independent TPA with the expectation that they would separately contract with the health insurance carrier who owns the provider network the plan wants access to, the health insurance carrier would refuse to allow the TPA to share a complete and accurate set of health claims data either with the plan sponsor or the plan’s business associates.
In both instances, health insurance carriers would justify their refusal on the basis that their separate “downstream” agreements with their participating provider networks took precedence over the federal Gag Clause Prohibition rules. In essence, they argued their private contractual rights, and confidentiality or data restriction provisions stated therein, allowed them to sidestep the transparency obligations imposed by the federal government.
As a result, group health benefit plans, their sponsors, TPAs and vendors have been advocating for additional guidance or clarification on the federal transparency rules. Some group health benefit plans and plan sponsors have even initiated lawsuits against carriers who refused to provide the plan and plan sponsor their claims data. See e.g., Trustees of the International Union of Bricklayers and Allied Craftworkers Local 1 Connecticut Health Fund et al v. Elevance, Inc. et al, Docket No. 3:22-cv-01541 (D. Conn. Dec 05, 2022); Owens & Minor, Inc. et al v. Anthem Health Plans of Virginia, Inc., Docket No. 3:23-cv-00115 (E.D. Va. Feb 13, 2023).
Updated Guidance
The new Guidance provides the following clarifications:
All separate “downstream agreements” that restrict a group health benefit plan or health insurance carrier from providing, electronically accessing, or sharing critical claims data and cost or quality information with a plan sponsor, its participants or beneficiaries, or the plan’s business associates are prohibited.
Likewise, owners of provider networks cannot use discretionary language or self-serving contractual provisions (e.g., only allowing de-identified claims data to be shared at “its discretion”) in their agreements with group health benefit plans, providers, TPAs or other service providers which have the practical effect of preventing disclosure of critical claims data, and cost or quality information data, to a plan sponsor or a plan’s business associates, consistent with applicable privacy regulations.
Health insurance carriers and provider networks cannot place any limitation on the “scope, scale or frequency of electronic access to de-identified” claims data when requested as part of an audit or claims review.
Lastly, most group health benefit plans are likely aware of the Gag Clause Prohibition through compliance with the annual attestation requirement. The Guidance makes clear that plan sponsors, when submitting their annual attestation of compliance, can essentially report any other vendor or carrier who refuses to remove a gag clause in any separate “downstream” agreements if the plan sponsor has taken steps to ensure their own compliance, including requesting the gag clause be eliminated.
Action Steps
In light of the new Guidance, group health benefit plans, plan sponsors and plan vendors should consult counsel to assist with obtaining plan claims data and cost or quality information from carriers, healthcare providers, TPAs or others with control over that data. They should also review their contracts with those entities to help identify and eliminate gag clauses or other restrictive provisions that run afoul of the federal government’s transparency rules.
To the extent any group health benefit plan or plan sponsor receives pushback from a carrier or provider, this new Guidance can be leveraged to challenge the restrictive practices in place and refute any arguments by such insurance carriers and/or providers who may be attempting to sidestep the federal transparency rules.
Additional Author: Justin Wolber
Employer Group Sues to Block Mental Health Parity Rules
Only weeks after the principal effective date for the final 2024 federal mental health parity rules for employer-sponsored health benefit plans, those rules—and specifically some key features that are frustrating employers—are being challenged as examples of regulatory overreach.
Quick Hits
A large employer advocacy group sued three federal agencies over their final rules implementing the federal mental health parity law applicable to employer-sponsored health plans.
The industry group argues the federal agencies did not have the authority to create a benefit mandate.
The federal agencies have until March 17, 2025, to respond to the complaint. They have argued that the mental health parity rules are not a benefit mandate.
The ERISA Industry Committee (ERIC), a large employer advocacy group, is asking a federal court to vacate certain provisions or the entire 2024 final regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA), as well as permanently enjoin enforcement of the specific provisions or the regulations overall.
The complaint was filed on January 17, 2025, in the U.S. District Court for the District of Columbia against the U.S. Departments of Health and Human Services, Treasury, and Labor.
In its complaint, ERIC specifically criticizes requirements in the MHPAEA rules, including those that:
require named fiduciaries to make certifications regarding the “comparative analysis” prepared for the plan;
require plans to comply with the final rules generally as of January 1, 2025 (less than four months following publication of the final rules); and
require fiduciaries to determine whether a service provider is “qualified” to do a comparative analysis.
ERIC generally argues that these 2025 requirements, as well as several requirements that would take effect in 2026, exceed the agencies’ authority to implement the MHPAEA and related statutes, or are too imprecise to serve as a legitimate basis for enforcement against employer-sponsored health plans.
On September 23, 2024, the federal agencies published final rules requiring group health plans to provide “meaningful benefits” for mental health or substance use disorders in coverage categories where medical or surgical benefits are also provided. Meaningful benefits cover core treatments, defined as standard treatments or interventions indicated by “generally recognized independent standards of current medical practice.”
The bulk of the final rules took effect on January 1, 2025, with some provisions scheduled to take effect on January 1, 2026. The meaningful benefits requirement is slated to become effective on January 1, 2026.
The lawsuit argues that the meaningful benefits requirement exceeds the federal agencies’ authority because it imposes a benefits mandate. It also claims the federal agencies violated the Administrative Procedure Act’s notice and comment requirements.
“All that is required is parity in particular plan terms and their application, not parity in access to mental health/substance use disorder benefits, much less provision of particular benefits,” the lawsuit states. “Congress has repeatedly made clear that the MHPAEA is not a benefits mandate, and it therefore does not require health plans to provide any particular mental health/substance use disorder benefits, or even to provide mental health/substance use disorder benefits at all.”
It also argues that the meaningful benefits requirement is antithetical to the Employee Retirement Income Security Act (ERISA), which governs most private health plans.
In the final rule, the federal agencies emphasized that the meaningful benefits requirement “is not a coverage mandate, but rather another approach to ensuring parity between mental health or substance use disorder benefits and medical/surgical benefits in a classification.”
Next Steps
The meaningful benefits requirement is scheduled to take effect on January 1, 2026. It is unclear what the federal court will ultimately decide in this case. If the court finds in favor of the ERISA Industry Committee, then the obligation to provide “meaningful benefits” for mental illness and addiction could become moot.
In the meantime, employers may want to review the terms of their group health plans for compliance with the mental health parity requirements and work closely with their plan administrators and other professionals to document their analysis of how the plan meets the mental health parity requirements in operation based upon available data and guidance.