HHS’s Proposed Security Rule Updates Could Require Group Health Plan Document Changes and New Plan Sponsor Security Practices
Proposed regulations may require employers to invest additional resources to safeguard group health plan participants’ protected health information.
In this installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we will explore the impact the NPRM could have for sponsors of group health plans.
As HIPAA-covered entities, group health plans that share protected health information (PHI) with employer plan sponsors must already include provisions in the plan documents reflecting the plan sponsors’ obligations to:
Establish and maintain administrative, physical, and technical safeguards to ensure ePHI confidentiality, integrity, and availability;
Limit access to ePHI to only authorized members of the plan sponsor’s workforce;
Require agents of the plan to establish reasonable and adequate security measures to protect ePHI; and
Report to the group health plan any security incident.
What’s New for Group Health Plans and Plan Sponsors?
So, what’s new in the NPRM? First, HHS proposes that group health plan documents tie the establishment of safeguards by plan sponsors and plan agents expressly to the corresponding provisions that apply to covered entities and business associates. In addition, new plan document language would specifically refer to the kind of contingency plan that is required to be established and maintained by covered entities and to report to the group health plan when the contingency plan is activated by a security incident. The NPRM would require plan documents to provide that plan sponsors will report to plans “without unreasonable delay” but not later than 24 hours after activation of its contingency plan in response to a real or suspected data security incident. (This specific reference to contingency plans is in addition to the existing requirement to report to the group health plan any security incident of which the plan sponsor becomes aware.)
While the NPRM may ignore the reality that plan sponsors are already largely responsible for the HIPAA compliance of their group health plans, including maintaining adequate policies and procedures, the proposed provisions would require existing plan documents to be amended to reflect the new language and references embedded in the applicable NPRM provisions. As a practical matter, however, it remains to be seen whether, if finalized, the NPRM would require new policies and procedures that diligent plan sponsors do not already have in place as part of an effective HIPAA compliance framework on behalf of their group health plans.
HHS has requested comments as to an appropriate deadline for group health plan documents to be amended as described by the NPRM and whether to permit a transition period for existing plan documents (such a transition period is proposed in the NPRM for business associate agreement changes that are required by the NPRM). Group health plan sponsors should also be aware of the proposed changes to business associate agreements described in our earlier post in the series.
Next Time
In our next two posts in this series, we will summarize what to expect from the NPRM’s proposed changes to the HIPAA Security Rule’s technical and administrative safeguards. In particular, we will discuss the revised rule’s provisions concerning encryption and multi-factor authentication (MFA), as well as administrative controls such as asset inventory, workforce clearance, access management, and more.
The Stop Campus Hazing Act—The Bipartisan Effort to Prevent Hazing in Higher Education Settings
At least forty-four states have enacted laws prohibiting hazing. However, the regulations, penalties, and requirements vary significantly by state. The enactment of the federal Stop Campus Hazing Act (SCHA) exemplifies the bipartisan effort aimed at combating hazing and protecting the health and safety of students on college campuses.
The SCHA’s focus on transparency allows students and their parents to make informed decisions when choosing which institutions to attend for postsecondary education and what institutional student organizations they should join. The SCHA also significantly increases the obligations of institutions to not only track, report, and publicly disclose incidents of hazing on campus, but also to develop hazing prevention and awareness programs for students, faculty, and staff.
Quick Hits
The SCHA requires that higher education institutions participating in Title IV of the Higher Education Act of 1965 programs collect, report, and publicly disclose hazing-related incidents and implement hazing prevention and awareness programs.
The SCHA also mandates that institutions, as part of their Clery Reports, begin collecting hazing data and statistics as of January 1, 2025, and include, among other items, all hazing incidents that were reported to campus security officers or local law enforcement within their 2026 Clery Reports.
The SCHA provides the first federal definitions of “hazing” and “student organizations.”
On December 23, 2024, President Joe Biden signed the Stop Campus Hazing Act into law, making it the first federal law to create anti-hazing requirements for institutions of higher education. The SCHA amends Section 485(f) of the Higher Education Act of 1965, otherwise known as the “Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act” (Clery Act). Notably, the SCHA also renamed the Clery Act the “Jeanne Clery Campus Safety Act,” evidencing the growth of the Clery Act over the last few decades and its application to a full spectrum of campus safety issues, which now includes hazing.
The SCHA went into effect on January 1, 2025, and focuses on increasing transparency around the issue of hazing on college campuses. It mandates that higher education institutions participating in programs under Title IV of the Higher Education Act of 1965 comply with, among other things, enhanced reporting guidelines and hazing prevention education requirements in order to achieve this goal of transparency.
In an effort to achieve its goal of transparency, the SCHA created two new hazing incident reporting procedures: (1) a new “Campus Hazing Transparency Report” requirement; and (2) a new mandate requiring higher education institutions to include campus hazing incidents within their annual security reports (often referred to as “Clery Reports”), as well as information relating to the institutions’ hazing policies and campus-wide hazing education and prevention programming.
The Implementation of Campus Hazing Transparency Reports
The SCHA requires institutions to create, publish, and update Campus Hazing Transparency Reports. The Campus Hazing Transparency Report must be posted on an institution’s website in a “prominent location” and include a statement notifying the public of the annual availability of statistics on hazing, including a link to the same, and information about the institution’s policies related to hazing and applicable local, state, and tribal laws.
Beginning on July 1, 2025, institutions must begin drafting Campus Hazing Transparency Reports summarizing their findings related to student organizations that are found to be in violation of the SCHA. The SCHA requires institutions to publish their Campus Hazing Transparency Reports no later than December 23, 2025. These reports must be updated “not less frequently than 2 times each year” and must include the following information: (1) the name of the organization involved in the hazing incident; (2) a description of the violation; (3) the date of the incident and investigation; (4) a description of the institution’s findings; and (5) the sanctions that were imposed as a result thereof.
Additionally, Campus Hazing Transparency Reports must not include any personally identifiable information (PII) about any particular student, or any information that could reveal PII. Further, information included in each report and update must be maintained by the institution for five calendar years.
New Disclosure Mandates for Clery Act reports
Institutions are currently mandated by the Clery Act to publish and distribute annual security reports, also known as Clery Reports. Clery Reports disclose campus crime statistics and campus security policies. The SCHA requires that institutions begin collecting hazing data and statistics as of January 1, 2025, and include all hazing incidents that were reported to campus security officers or local law enforcement within their 2026 Clery Reports.
In addition, each institution’s Clery Report must include a statement of its current hazing policies, how to report incidents of hazing, the process used to investigate alleged hazing violations, and information on applicable local, state, and tribal hazing laws. A Clery Report must also detail the institution’s hazing prevention and awareness programs.
Implementation of Hazing Prevention and Awareness Programs
In addition to the obligations outlined above, the SCHA also compels institutions to enact hazing prevention and awareness programs in their efforts to prevent hazing. The SCHA specifies that any such program implemented by an institution be “research-informed” and available “campus-wide” to effectively reach students, staff, and faculty. Further, the SCHA suggests that the program include “skill building for bystander intervention, information about ethical leadership, and the promotion of strategies for building group cohesion without hazing.” Therefore, if an institution does not have a hazing prevention and awareness program in place, or such program does not comply with the SCHA’s requirements, the policy must be in compliance on or before June 23, 2025.
In conjunction with implementing a hazing prevention and awareness program, the SCHA also requires an institution to create a hazing policy statement reflective of its anti-hazing policies on or before June 23, 2025. Pursuant to the SCHA, the hazing policy statement must include (1) a “statement of current policies relating to hazing (as defined by the institution)”; (2) the process by which someone may report an incident of alleged hazing; (3) an overview of the institution’s procedure for investigating a claim of hazing; and (4) all applicable local, state, and tribal laws.
Notably, while the SCHA requires institutions to enact anti-hazing policies, it does not specify what information should be included within those policies. However, the SCHA does mandate that the policy statement describe the institution’s hazing prevention and awareness program. Further, the information contained within the policy statement must also be included within the institution’s hazing prevention and awareness program. Therefore, institutions may want to immediately either begin reviewing their current hazing policies and prevention and awareness programs or begin creating policies and programs to ensure compliance with the SCHA’s guidelines.
Federal Definitions for ‘Hazing’ and ‘Student Organization’
The SCHA is the first law to provide federal definitions of “hazing” and “student organization” for purposes of Clery Act reporting. These definitions are important, as they dictate what incidents are deemed “reportable incidents” for higher education institutions to include within their Clery Reports. Because the SCHA’s definitions for “hazing” and “student organization” are broader than most state laws’, to the extent that these definitions conflict with state or local laws, institutions likely should utilize the new federal definitions of “hazing” and “student organizations” when drafting the applicable incident report in order to ensure compliance.
“Hazing” is defined under the SCHA as “any intentional, knowing, or reckless act committed by a person (whether individually or in concert with other persons) against another person or persons regardless of the willingness of such other person or persons to participate, that (I) is committed in the course of an initiation into, an affiliation with, or the maintenance of membership in, a student organization, [e.g., a club, student government, athletic team, fraternity, or sorority]; and (II) causes or creates a risk, above the reasonable risk encountered in the course of participation in the institution of higher education or the organization (such as the physical preparation necessary for participation in an athletic team), of physical or psychological injury.”
The SCHA provides a list of examples of conduct that “causes or creates a risk,” including:
“whipping, beating, striking, electronic shocking, placing of a harmful substance on someone’s body, or similar activity”;
“causing, coercing, or otherwise inducing sleep deprivation, exposure to the elements, confinement in a small space, extreme calisthenics, or other similar activity”;
“causing, coercing, or otherwise inducing another person to consume food, liquid, alcohol, drugs, or other substances”;
“causing, coercing, or otherwise inducing another person to perform sexual acts”;
“any activity that places another person in reasonable fear of bodily harm through the use of threatening words or conduct”;
“any activity against another person that includes a criminal violation of local, State, Tribal, or Federal law”; and
“any activity that induces, causes, or requires another person to perform a duty or task that involves a criminal violation of local, State, Tribal, or Federal law.”
Further, the SCHA defines the term “student organization” as “an organization at an institution of higher education (such as a club, society, association, varsity or junior varsity athletic team, club sports team, fraternity, sorority, band, or student government) in which two or more of the members are students enrolled at the institution of higher education, whether or not the organization is established or recognized by the institution.” However, the SCHA does not define what constitutes “above the reasonable risk” or what actions establish “an affiliation with” a student organization.
Summary of Critical Reporting Deadlines
Pursuant to the SCHA, the critical reporting deadlines are as follows:
January 1, 2025: Institutions must begin compiling statistics on hazing to include in their 2026 Clery Reports.
June 23, 2025: Institutions must publish their hazing policies and prevention programs.
July 1, 2025: Institutions must have systems in place for documenting violations of their anti-hazing policies in order to include those violations within their Campus Hazing Transparency Reports.
December 23, 2025: Institutions must publish their Campus Hazing Transparency Report on their website, documenting violations occurring since July 1, 2025.
October 1, 2026: Institutions must include 2025 hazing statistics within their Clery Reports for the first time.
Key Takeaways
As of January 1, 2025, institutions may want to begin collecting data for mandatory Clery Reporting. Institutions may want to confer with their campus Clery Act coordinators and other applicable staff to understand what constitutes an incident of “hazing,” how to properly count and document each incident of hazing, and which campus groups constitute “student organizations” under the Stop Campus Hazing Act.
Institutions may want to complete a thorough review of all current anti-hazing policies and/or enact anti-hazing policies on or before June 23, 2025. All policies are required to comply with the definition of “hazing” as outlined within the SCHA, include information on how to report an incident of alleged hazing, and outline the process of investigating an incident of alleged hazing.
Institutions may want to update and/or create hazing prevention and awareness programs for students, faculty, and staff.
Institutions may want to ensure that student handbooks and other institutional documents reflect the SCHA’s requirements and definition of “hazing.”
Lastly, institutions may want to ensure staff, including campus security authorities and campus Clery Act coordinators, are properly trained and notified of their responsibilities when a report of alleged hazing is made and have established a system for the collection, reporting, and documentation of the required data and information on hazing incidents.
New York Data Breach Notification Law Updated
New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”
Timing Requirements: Before the amendment, New York’s breach notification law required notification to affected New York residents “in the most expedient time possible and without unreasonable delay.” As of December 21, 2024, the law requires affected individuals to be notified no later than 30 days after discovery of the breach, except “for the legitimate needs of law enforcement.”
Additional Regulator Notice Requirements: Also effective December 21, 2024, the law now requires notice to the New York Department of Financial Services. Previously, the law required notice to the New York State Attorney General, the New York Department of State, and the Division of State Police.
Revised Definition of “Private Information”: Effective March 25, 2025, the definition of “private information” subject to the law’s notification requirements will include (1) medical information (i.e., any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional) and (2) health insurance information (i.e., an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including, but not limited to, appeals history).
HIPAA Exemption: Pursuant to the law’s HIPAA exemption, a breach of protected health information would not trigger additional notification requirements to affected individuals. However, the law still requires notice to certain regulators, including the New York State Attorney General, the New York Department of State, and the Division of State Police. Notably, the HIPAA exemption was not amended and does not reflect the law’s new general requirement to notify the New York Department of Financial Services.
EPA Releases Compliance Guidance for Workplace Chemical Protection Requirements in TSCA Risk Management Rules
On January 16, 2025, the U.S. Environmental Protection Agency (EPA) released a compliance guide to assist the regulated community in complying with Workplace Chemical Protection Program (WCPP) requirements for chemicals regulated under Section 6 of the Toxic Substances Control Act (TSCA). EPA states that a WCPP “is a chemical protection program designed to address unreasonable risk posed by chemical exposure to persons in occupational settings.” The compliance guide provides an overview of typical WCPP requirements that the regulated community may be subject to as part of a TSCA Section 6(a) rulemaking. As reported in our previous memoranda, in 2024, EPA issued final risk management rules with WCPP requirements for methylene chloride, perchloroethylene, trichloroethylene, and carbon tetrachloride.
According to EPA, the compliance guide is intended for owners and operators of businesses that manufacture (including import) or process, distribute in commerce, use, or dispose of a chemical regulated under TSCA Section 6 that is subject to the WCPP in EPA rules. EPA notes that the guide will also be of interest to people who may be exposed to these regulated chemicals in the workplace. The guide broadly addresses the requirements of a typical WCPP, including:
EPA TSCA occupational exposure limits (Existing Chemical Exposure Limits (ECEL) or EPA Short-Term Exposure Limits (EPA STEL)) designated under TSCA;
ECEL action levels;
Occupational exposure monitoring;
Regulated areas;
Direct dermal contact controls (DDCC);
Respirators;
Personal protective equipment (PPE);
Exposure control plans;
Recordkeeping; and
Downstream notifications.
EPA states that while the compliance guide “provides useful information to consider when implementing a WCPP, the regulated community should also consult the WCPP provisions within the applicable risk management rule.” Individual compliance guides for rules may also provide additional chemical-specific guidance. EPA has issued guides for methylene chloride, trichloroethylene, and for the use of perchloroethylene in dry cleaning (also available in Korean and Spanish) and energized electrical cleaning.
EPA’s diligence in preparing the compliance guide is commendable given all of the other demands on EPA’s time. Stakeholders are urged to review the guide as its contents could be of use to regulated entities.
RWI in Health Care M&A: Part 2 [Podcast]
In part two of this two-part series, Matt Miller and Andrew Lloyd analyze representations and warranties insurance (RWI) in the health care M&A landscape.
They discuss the process of finding and securing an insurance underwriter, practical tips for structuring and negotiating RWI policies, how to navigate a claim after the policy is in place, and future trends in the RWI market.
Find part one of this series here.
This Week in 340B: January 21 – 27, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: HRSA; HRSA Audit Process
In a suit by a 340B covered entity against the Health Resources and Services Administration (HRSA), HRSA filed a response to show cause and a response to motion for a temporary restraining order (TRO) and preliminary injunction, and the covered entity filed a motion to enforce administrative stay.
In two HRSA audit process cases, the government filed reply briefs in further support of the government’s motion to dismiss.
Massachusetts Enhances Regulatory Oversight of Health Care Transactions on For-Profit and Private Equity Investments
Massachusetts has expanded regulatory oversight of health care transactions by imposing False Claims Act liability on health care owners and investors for changes including failure to disclose violations. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act). Among other matters, the Act aims to strengthen oversight of private equity investors and related entities in the health care industry, including the expansion of the investigatory and enforcement powers of the Massachusetts Attorney General as they relate to health care activities. The Act also intends to fill perceived gaps in regulatory oversight, that many view as contributors to the Steward Health Care bankruptcy and related hospital closures across Massachusetts, by directly addressing regulation of for-profit health care entities and private equity ownership.
The following Act provisions expand the authority of the Massachusetts Health Policy Commission (HPC), Center for Health Information and Analysis (CHIA), and Attorney General’s Office (AGO) to oversee private equity investors and related entities, including through expansions of HPC’s existing oversight authority and extension of the Commonwealth’s state False Claims Statute (MA FCA) to owners and investors of violators. The Act also contains myriad changes impacting the health care industry. It strengthens regulatory oversight over private equity, pharmacy benefit managers, real estate investment trusts (REITs), management service organizations (MSOs), and other industry participants.
Expansions of HPC and AGO authority under the Act:
Establish new definitions for entities involved in, or related to, private equity operations [1]:
“Health care real estate investment trust,” a real estate investment trust, as defined by 26 U.S.C § 856, whose assets consist of real property held in connection with the use or operations of a provider or provider organization.
“Private equity company,” any company that collects capital investments from individuals or entities and purchases, as a parent company or through another entity that the company completely or partially owns or controls, a direct or indirect ownership share of a provider, provider organization or management services organization; provided, however, that “private equity company” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
“Significant equity investor,” (i) any private equity company with a financial interest in a provider, provider organization, or management services organization; or (ii) an investor, group of investors, or other entity with a direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of a provider, provider organization, or management services organization; provided, however, that “significant equity investor” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
“Management services organization,” a corporation that provides management or administrative services to a provider or provider organization for compensation.
Revise the composition, necessary expertise, and responsibility for appointments to the HPC Board [2]. While the Board will continue to consist of 11 members, the Commissioner of Insurance is now a required member, as are appointed individuals with expertise in representing hospitals and hospital systems and in health care innovation, including pharmaceuticals, biotechnology, or medical devices. However, the HPC will no longer require membership of the Secretary for Administration and Finance, a Primary Care Physician, and an individual with expertise as a health insurance purchaser representing management. Finally, the auditor is no longer responsible for appointments to the HPC Board; all members, other than the Secretary of Health and Human Services and Commissioner of Insurance, will now be appointed solely by the Governor or Attorney General. These changes may reflect a shift in priorities for regulatory oversight of hospital administration, health care innovation, and health care insurance.
Expand the HPC Notice of Material Change process [3]. As previously required, every provider or provider organization must provide notice of a “material change” not less than 60 days before the date of the proposed change.
The previous statutory Notice of Material Change reporting requirements only covered:
mergers or acquisitions of hospitals or hospital systems;
a corporate merger, acquisition or affiliation of a provider or provider organization and a carrier;
an acquisition of insolvent provider organizations; and
mergers or acquisitions of provider organizations which will result in a provider organization having a near-majority of market share in a given service or region [4].
The Act expands the above-referenced statute mandating the reporting of “material change” requiring notice to the applicable government agencies to also include the following as examples:
significant expansions in a provider or provider organization’s capacity;
transactions involving a significant equity investor which result in a change of ownership or control of a provider or provider organization;
significant acquisitions, sales, or transfers of assets including, but not limited to, real estate sale lease-back arrangements; and
conversion of a provider or provider organization from a non-profit entity to a for-profit entity.
The Act also changes the current material change reporting threshold for mergers or acquisitions of a provider organization. Previously, notice was triggered where the transaction would result in a provider organization having a “near-majority” market share in a given service or region; under the Act, the standard is whether the provider organization will have a “dominant market share in a given service or region.”
Adoption of implementing regulations. While the Act does not include financial thresholds for reporting, the Act does direct the HPC to adopt regulations for administering the section, conduct cost and market impact reviews, and allow filing thresholds to be adopted in the regulations, subject to annual adjustments based on inflation [5].
Expands the HPC Cost and Market Impact Review process as follows:
HPC may now require significant equity investors, as well as other parties involved, in a given transaction to submit documents and information in connection with a Notice of Material Change or Cost and Market Impact Review [6].
HPC may require submitting certain information regarding the significant equity investor’s capital structure, general financial condition, ownership and management structure, and audited financial statements.
HPC may require submitting certain post-transaction data and information for up to five years following the material change date. Such data collection significantly expands the power and task, including the ability to assess post-transaction impacts.
Expands the factors HPC may consider as part of the Cost and Market Impact Review by also reviewing [7]:
the size and market share of any corporate affiliates or significant equity investors of the provider or provider organization;
the inventory of health care resources maintained by the DPH; and
any related data or reports from the Office of Health Resource Planning.
Expands the scope of the HPC’s examination of costs, prices, and cost trends, as follows [8]:
The HPC cost trends hearings will include an examination of any relevant impacts of significant equity investors, health care REITs, and MSOs on costs, prices, and cost trends. Stakeholders from these organizations associated with a provider organization will now be required to testify at the HPC’s annual cost trends hearing concerning: “health outcomes, prices charged to insurers and patients, staffing levels, clinical workflow, financial stability and ownership structure of an associated provider or provider organization, dividends paid out to investors, compensation including, but not limited to, base salaries, incentives, bonuses, stock options, deferred compensations, benefits and contingent payments to officers, managers and directors of provider organizations in the commonwealth acquired, owned or managed, in whole or in part, by said significant equity investors, health care real estate investment trusts or management services organizations.”
The HPC will utilize new data collected as part of the Registered Provider Organization process. The Act revised this process to require submissions from significant equity investors, health care real estate investment trusts, and management services organizations regarding ownership, governance, and organizational information.
Given the broad, sweeping nature of the changes, additional regulations and guidance should be expected.
[1] To be codified at MGL 6D, s. 1.
[2] To be codified at MGL 6D, s. 2.
[3] To be codified at MGL 6D, s. 13.
[4] CITE TO EXISTING NMC FORM
[5] To be codified at MGL 6D, s. 13.
[6] To be codified at MGL 6D, s. 13.
[7] To be codified at MGL 6D, s. 13.
[8] To be codified at MGL 6D, ss. 8 and 11.
FDA Develops Strategy to Prevent Adulteration of Berries with Enteric Viral Infections
Earlier this month, FDA released a summary of a strategy intended to prevent human norovirus and hepatitis A virus (HAV) outbreaks associated with fresh and raw berries. Both norovirus and HAV are types of enteric virus (affecting the gastroenteric system) which have been linked to imported fresh and frozen berries; domestically grown berries have not been linked to an outbreak of these viruses for 35 years.
Among the information consulted in developing the plan were the results of 1,558 samples of frozen strawberries, raspberries, and blackberries from November 2018 to September 2023, which showed HAV in 8 samples and norovirus in 10 samples.
The pillars of the plan are (1) promoting high compliance rates with FDA’s food safety requirements, (2) encouraging the berry industry to consistently apply pre- and post-harvest sanitation practices, including conducting root cause analysis when failures occur, (3) broadening knowledge regarding the viability, persistence, detection, and mitigation of viruses in fresh and frozen berries, pre- and post-harvest environments, and agricultural water sources, and (4) incentivizing the use of immunization to promote worker health.
Name That Chemical: California Adds New Requirement for Prop 65 Short-Form Warnings
Short-form warnings for products that may expose consumers to chemicals on California’s Prop 65 list must now include at least one chemical name to qualify for Prop 65’s “safe harbor” protections—with one caveat. Businesses may continue to use the previous version of the short-form warning on consumer products through the end of 2027.
Businesses risk steep penalties for failure to comply with Prop 65. Stay ahead by understanding the changes and creating proactive strategies to ensure you meet the requirements on time.
What is Prop 65?
California’s Proposition 65 requires businesses to provide a “clear and reasonable” warning before they knowingly and intentionally cause an exposure to a chemical listed as known to the state to cause cancer or reproductive toxicity.
Since 2016, businesses have had the option to use specific “safe harbor” short-form warning language to comply with Prop 65’s warning requirements (e.g., WARNING: Cancer and Reproductive Harm – www.P65Warnings.ca.gov). The short-form warnings were developed by the Office of Environmental Health Hazard Assessment (“OEHHA”) in response to stakeholders’ concerns that the full-length warning language would not fit on small products,[1] but were not limited to only small products. These warnings, unlike the full-length safe harbor warnings, did not require businesses to identify the specific chemical involved in the potential exposure.
New Regulations for Short-Form Warnings
On October 27, 2023, OEHHA published a Notice of Proposed Rulemaking to amend the short-form warnings, citing the overuse of short-form warnings and the need for additional consumer clarity. Specifically, OEHHA expressed concern that many businesses were using the short-form warning “prophylactically[,] because it protects from potential litigation and does not require identification of a specific chemical exposure for which the warning is being given,” which OEHHA believed “does not serve Proposition 65’s purpose of providing relevant hazard information to consumers about Proposition 65-listed chemicals in products they may use.”[2] On November 26, 2024, the Office of Administrative Law approved the rulemaking.
Under the new regulations, a short-form warning must state at least one chemical name for which the warning is being provided. The regulations also make explicit that short-form warnings may be used to provide safe harbor warnings for food products, and provide new tailored safe harbor warnings for passenger or off-highway motor vehicle parts and recreational marine vessel parts.
The effective date for the amendments is January 1, 2025, but businesses selling consumer products may use the existing short-form warnings without identifying a chemical until December 31, 2027.
Below are some example short-form warnings for listed carcinogens under the new regulations:
WARNING: [or CA WARNING: or CALIFORNIA WARNING:] Risk of cancer from exposure to [NAME OF CHEMICAL]. See www.P65Warnings.ca.gov
WARNING: [or CA WARNING: or CALIFORNIA WARNING:] Can expose you to [NAME OF CHEMICAL], a carcinogen. See www.P65Warnings.ca.gov
Option for use on consumer products until December 31, 2027:
WARNING: Cancer – www.P65Warnings.ca.gov
The final regulatory text, as amended, can be viewed here.
For Your To-Do List
Don’t wait until December of 2027 to assess your Prop 65 compliance. Make a plan now to:
Review your warnings with legal counsel.
Assess what chemicals are present in your products.
Revamp product packaging.
Revise your website and online product descriptions.
Update your communications with your business partners.
FOOTNOTES
[1] https://oehha.ca.gov/proposition-65/crnr/proposed-amendments-regulations-clear-and-reasonable-warnings-safe-harbor
[2] Id.
5 Key Takeaways | SI’s Downtown ‘Cats Discuss Artificial Intelligence (AI)
Recently, we brought together over 100 alumni and parents of the St. Ignatius College Preparatory community, aka the Downtown (Wild)Cats, to discuss the impact of Artificial Intelligence (AI) on the Bay Area business community.
On a blustery evening in San Francisco, I was joined on a panel by fellow SI alumni Eurie Kim of Forerunner Ventures and Eric Valle of Foundry1 and by my Mintz colleague Terri Shieh-Newton. Thank you to my firm Mintz for hosting us.
There are a few great takeaways from the event:
What makes a company an “AI Company”?
The panel confirmed that you cannot just put “.ai” at the end of your web domain to be considered an AI company.
Eurie Kim shared that there are two buckets of AI companies: (i) AI-boosted and (ii) AI-enabled.
Most tech companies in the Bay Area are AI-boosted in some way – it has become table stakes, like a website 25 years ago. The AI-enabled companies are doing things you could not do before, from AI personal assistants (Duckbill) to autonomous driving (Waymo).
What is the value of AI to our businesses?
In the future, companies will be infinitely more interesting using AI to accelerate growth and reduce costs.
Forerunner, which has successfully invested in direct-to-consumer darlings like Bonobos, Warby Parker, Oura, Away and Chime, is investing in companies using AI to win on quality.
Eurie explained that we do not need more information from companies on the internet, we need the answer. Eurie believes that AI can deliver on the era of personalization in consumer purchasing that we have been talking about for the last decade.
What are the limitations of AI?
The panel discussed that there is a difference between how AI can handle complex human problems and simple human problems. Right now, AI can replace humans for simple problems, like gathering all of the data you need to make a decision. But, AI has struggled to solve for the more complex human problems, like driving an 18-wheeler from New York to California.
This means that we will need humans using AI to effectively solve complex human problems. Or, as NVIDIA CEO Jensen Huang says, “AI won’t take your job, it’s somebody using AI that will take your job.”
What is one of the most unique uses of AI today?
Terri Shieh-Newton shared a fascinating use of AI in life sciences called “Digital Twinning.” This is the use of a digital twin for the placebo group in a clinical trial. Terri explained that we would be able to see the effect of a drug being tested without testing it on humans. This reduces the cost and the number of people required to enroll in a clinical trial. It would also have a profound human effect because patients would not be disappointed at the end of the trial to learn that they were taking the placebo and not receiving the treatment.
Why is so much money being invested in AI companies?
Despite the still nascent AI market, a lot of investors are pouring money into building large language models (LLMs) and investing in AI startups.
Eric Valle noted that early in his career the tech market generally delivered outsized returns to investors, but the maturing market and competition among investors have moderated those returns. AI could be the kind of investment that generates those 20x+ returns.
Eric also talked about the rise of venture studios like his Foundry1 in AI. Venture studios are a combination of accelerator, incubator and traditional funds, where the fund partners play a direct role in formulating the idea and navigating the fragile early stages. This venture studio model is great for AI because the studio can take small ideas and expand them exponentially – and then raise the substantial amount of money it takes to operationalize an AI company.
Happy Privacy Day: Emerging Issues in Privacy, Cybersecurity, and AI in the Workplace
As the integration of technology in the workplace accelerates, so do the challenges related to privacy, cybersecurity, and the ethical use of artificial intelligence (AI). Human resource professionals and in-house counsel must navigate a rapidly evolving landscape of legal and regulatory requirements. This National Privacy Day, it’s crucial to spotlight emerging issues in workplace technology and the associated implications for data privacy, cybersecurity, and compliance.
We explore here practical use cases raising these issues, highlight key risks, and provide actionable insights for HR professionals and in-house counsel to manage these concerns effectively.
1. Wearables and the Intersection of Privacy, Security, and Disability Law
Wearable devices have a wide range of use cases including interactive training, performance monitoring, and navigation tracking. Wearables such as fitness trackers and smartwatches became more popular in HR and employee benefits departments when they were deployed in wellness programs to monitor employees’ health metrics, promote fitness, and provide a basis for doling out insurance premium incentives. While these tools offer benefits, they also collect sensitive health and other personal data, raising significant privacy and cybersecurity concerns under the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and state privacy laws.
Earlier this year, the Equal Employment Opportunity Commission (EEOC) issued guidance emphasizing that data collected through wearables must align with ADA rules. More recently, the EEOC withdrew that guidance in response to an Executive Order issued by President Trump. Still, employers should evaluate their use of wearables and whether they raise ADA issues, such as voluntary use of such devices when collecting confidential medical information, making disability-related inquiries, and using aggregated or anonymized data to prevent discrimination claims.
Beyond ADA compliance, cybersecurity is critical. Wearables often collect sensitive data and transmit it to third-party vendors. Employers must assess these vendors’ data protection practices, including encryption protocols and incident response measures, to mitigate the risk of breaches or unauthorized access.
Practical Tip: Implement robust contracts with third-party vendors, requiring adherence to privacy laws, breach notification, and security standards. Also, ensure clear communication with employees about how their data will be collected, used, and stored.
2. Performance Management Platforms and Employee Monitoring
Platforms like Insightful and similar performance management tools are increasingly being used to monitor employee productivity and/or compliance with applicable law and company policies. These platforms can capture a vast array of data, including screen activity, keystrokes, and time spent on tasks, raising significant privacy concerns.
While such tools may improve efficiency and accountability, they also risk crossing boundaries, particularly when employees are unaware of the extent of monitoring and/or where the employer doesn’t have effective data minimization controls in place. State laws like the California Consumer Privacy Act (CCPA) can place limits on these monitoring practices, particularly if employees have a reasonable expectation of privacy. They also can require additional layers of security safeguards and administration of employee rights with respect to data collected and processed using the platform.
Practical Tip: Before deploying such tools, assess the necessity of data collection, ensure transparency by notifying employees, and restrict data collection to what is strictly necessary for business purposes. Implement policies that balance business needs with employee rights to privacy.
3. AI-Powered Dash Cams in Fleet Management
AI-enabled dash cams, often used for fleet management, combine video, audio, GPS, telematics, and/or biometrics to monitor driver behavior and vehicle performance, among other things. While these tools enhance safety and efficiency, they also present significant privacy and legal risks.
State biometric privacy laws, such as Illinois’s Biometric Information Privacy Act (BIPA) and similar laws in California, Colorado, and Texas, impose stringent requirements on biometric data collection, including obtaining employee consent and implementing robust data security measures. Employers must also assess the cybersecurity vulnerabilities of dash cam providers, given the volume of biometric, location, and other data they may collect.
Practical Tip: Conduct a legal review of biometric data collection practices, train employees on the use of dash cams, and audit vendor security practices to ensure compliance and minimize risk.
4. Assessing Vendor Cybersecurity for Employee Benefits Plans
Third-party vendors play a crucial role in processing data for retirement plans, such as 401(k) plans, as well as health and welfare plans. The Department of Labor (DOL) emphasized in recent guidance the importance of ERISA plan fiduciaries’ role in assessing the cybersecurity practices of such service providers.
The DOL’s guidance underscores the need to evaluate vendors’ security measures, incident response plans, and data breach notification practices. Given the sensitive nature of data processed as part of plan administration—such as Social Security numbers, health records, and financial information—failure to vet vendors properly can lead to breaches, lawsuits, and regulatory penalties, including claims for breach of fiduciary duty.
Practical Tip: Conduct regular risk assessments of vendors, incorporate cybersecurity provisions into contracts, and document the due diligence process to demonstrate compliance with fiduciary obligations.
5. Biometrics for Access, Time Management, and Identity Verification
Biometric technology, such as fingerprint or facial recognition systems, is widely used for identity verification, physical access, and timekeeping. While convenient, the collection of biometric data carries significant privacy and cybersecurity risks.
BIPA and similar state laws require employers to obtain written consent, provide clear notices about data usage, and adhere to stringent security protocols. Additionally, biometrics are uniquely sensitive because they cannot be changed if compromised in a breach.
Practical Tip: Minimize reliance on biometric data where possible, ensure compliance with consent and notification requirements, and invest in encryption and secure storage systems for biometric information. Check out our Biometrics White Paper.
6. HIPAA Updates Affecting Group Health Plan Compliance
Recent changes to the HIPAA Privacy Rule, including provisions related to reproductive healthcare, significantly impact group health plans. The proposed HIPAA Security Rule amendments also signal stricter requirements for risk assessments, access controls, and data breach responses.
Employers sponsoring group health plans must stay ahead of these changes by updating their HIPAA policies and Notice of Privacy Practices, training staff, and ensuring that business associate agreements (BAAs) reflect the new requirements.
Practical Tip: Regularly review HIPAA compliance practices and monitor upcoming changes to ensure your group health plan aligns with evolving regulations.
7. Data Breach Notification Laws and Incident Response Plans
Many states have updated their data breach notification laws, lowering notification thresholds, shortening notification timelines, and expanding the definition of personal information. Employers should revise their incident response plans (IRPs) to align with these changes.
Practical Tip: Ensure IRPs reflect updated laws, test them through simulated breach scenarios, and coordinate with legal counsel to prepare for reporting obligations in case of an incident.
8. AI Deployment in Recruiting and Retention
AI tools are transforming HR functions, from recruiting to performance management and retention strategies. However, these tools require vast amounts of personal data to function effectively, increasing privacy and cybersecurity risks.
The EEOC and other regulatory bodies have cautioned against discriminatory impacts of AI, particularly regarding protected characteristics like disability, race, or gender. (As noted above, the EEOC recently withdrew its AI guidance under the ADA and Title VII following an Executive Order by the Trump Administration.) For example, the use of AI in hiring or promotions may trigger compliance obligations under the ADA, Title VII, and state laws.
Practical Tip: Conduct bias audits of AI systems, implement data minimization principles, and ensure compliance with applicable anti-discrimination laws.
9. Employee Use of AI Tools
Moving beyond the HR department, AI tools are fundamentally changing how people work. Tasks that used to require time-intensive manual effort—creating meeting minutes, preparing emails, digesting lengthy documents, creating PowerPoint decks—can now be completed far more efficiently with assistance from AI. The benefits of AI tools are undeniable, but so too are the associated risks. Organizations that rush to implement these tools without thoughtful vetting processes, policies, and training will expose themselves to significant regulatory and litigation risk.
Practical Tip: Not all AI tools are created equal—either in terms of the risks they pose or the utility they provide—so an important first step is developing criteria to assess, and then going through the process of assessing, which AI tools to permit employees to use. Equally important is establishing clear ground rules for how employees can use those tools. For instance, what company information are they permitted to use to prompt the tool; what are the processes for ensuring the tool’s output is accurate and consistent with company policies and objectives; and should employee use of AI tools be limited to internal functions or should they also be permitted to use these tools to generate work product for external audiences.
10. Data Minimization Across the Employee Lifecycle
At the core of many of the above issues is the principle of data minimization. The California Privacy Protection Agency (CPPA) has emphasized that organizations must collect only the data necessary for specific purposes and ensure its secure disposal when no longer needed.
From recruiting to offboarding, HR professionals must assess whether data collection practices align with the principle of data minimization. Overcollection not only heightens privacy risks but also increases exposure in the event of a breach.
Practical Tip: Develop a data inventory mapping employee information from collection to disposal. Regularly review and update policies to limit data retention and enforce secure deletion practices.
Conclusion
The rapid adoption of emerging technologies presents both opportunities and challenges for employers. HR professionals and in-house counsel play a critical role in navigating privacy, cybersecurity, and AI compliance risks while fostering innovation.
By implementing robust policies, conducting regular risk assessments, and prioritizing data minimization, organizations can mitigate legal exposure and build employee trust. This National Privacy Day, take proactive steps to address these issues and position your organization as a leader in privacy and cybersecurity.
Pivotal Labor and Employment Law Issues in 2025: Healthcare
Employers in the healthcare industry will navigate a landscape marked by rapid change and evolving challenges over the course of 2025, including those related to labor organizing, workplace safety, noncompete agreements, pay transparency, and immigration.
Quick Hits
Healthcare employers will have to navigate several labor and employment law issues in 2025, including a potential continued rise in union organizing, new restrictions on the use of noncompete agreements, emerging workplace safety risks, compliance concerns, additional pay transparency laws, and immigration regulatory and enforcement changes.
The issues arise as the new presidential administration seeks to shift federal policy on several of the key issues, including labor relations and immigration.
Healthcare employers may want to monitor these developments and consider steps to adapt to this evolving landscape and remain compliant and competitive.
Here is a close look at critical issues that will shape the current environment and are poised to significantly impact the industry’s future.
Labor Organizing Efforts
Organizing efforts among healthcare professionals, notably including physicians, have been gaining momentum in recent years, in part brought on by the COVID-19 pandemic. In addition, several healthcare union contracts are set to expire in 2025, meaning many healthcare employers will be engaged in negotiations that will likely impact the industry for years to come.
The National Labor Relations Board (NLRB) has issued several union-friendly rulings over the past two years, making it more difficult for employers to challenge majority union representation status and express concerns about the impact of unionization on workplace dynamics. However, President Donald Trump, who was sworn into office on January 20, 2025, has taken actions to shift the NLRB’s political leadership and policy priorities.
Restrictions on Noncompete Agreements
The use of noncompete agreements, which restrict doctors, nurses, and other healthcare employees from working for competing healthcare facilities for certain periods of time and in specific geographic areas after leaving their current employers, has faced increased scrutiny in recent years. In April 2024, the Federal Trade Commission (FTC) sought to ban nearly all noncompete agreements in employment, though federal district courts enjoined that effort in Florida and Texas (currently being considered on appeal). However, it is not expected that the new presidential administration will seek to continue with this rule.
In the meantime, states have increasingly sought to regulate noncompete agreements and restrictive covenants in employment in recent years in ways that will impact healthcare employers. Notably, Pennsylvania Governor Josh Shapiro, in July 2024, signed a law to prohibit certain noncompete agreements with doctors. The law, which went into effect on January 1, 2025, prohibits “noncompete covenant[s]” with time periods of more than one year entered into by healthcare practitioners and employers, as well as imposes certain notification requirements on healthcare employers. Notably, Pennsylvania was previously one of a dozen states with no laws restricting noncompete agreements.
Emerging Workplace Safety Challenges
Workplace safety has always been a paramount concern in the healthcare industry, given the inherent risks associated with patient care. However, recent developments in the wake of the COVID-19 pandemic have brought new challenges and heightened awareness of the importance of comprehensive safety protocols.
The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) and a growing number of states have made protecting doctors, nurses, and other healthcare workers who have direct patient interaction from workplace violence a priority. OSHA has been preparing a proposed standard on workplace violence prevention in healthcare settings, which had been slated to be released in December 2024.
Healthcare employers may want to review their workplace safety practices and ensure they address emerging risks. Updates can include additional physical safety measures, such as improved personal protective equipment (PPE) and infection control protocols, initiatives that support the mental health and well-being of healthcare workers, new technologies for risk mitigation, and continued safety training and planning.
Pay Transparency Compliance Obligations
Pay transparency compliance is also becoming an increasingly important issue in the healthcare industry as healthcare organizations strive to attract and retain top talent. A growing list of more than a dozen states and the District of Columbia have enacted pay transparency laws, requiring employers to disclose in postings for new jobs and internal promotions details such as pay ranges, benefits, bonus structures, and other compensation information. New laws in Illinois and Minnesota already took effect on January 1, 2025, with laws in New Jersey, Vermont, and Massachusetts set to take effect later in the year.
New Immigration Regulations and Enforcement
Immigration is a critical issue for the healthcare industry, which relies heavily on international talent to fill various roles, from physicians and nurses to researchers and support staff. Potential changes to U.S. immigration laws and regulations—including changes to visa requirements, work authorization processes, and other programs—in 2025 may significantly impact the ability of healthcare employers to recruit and retain skilled professionals from abroad.
Notably, the U.S. Department of Homeland Security (DHS) revamped the process for H-1B “specialty occupation” visas with a new rule that took effect on January 17, 2025. Further, in his first days in office, President Trump signed several executive orders (EO) seeking to implement more restrictive U.S. immigration policies.