Health Law Advisor

New York State appears poised to become the fourth state to explicitly regulate consumer health data not covered by the federal Health Insurance Portability and Accountability Act (HIPAA). In May of 2023, Washington State enacted the My Health My Data Act; in June of 2023, Connecticut amended its Data Privacy Act; and in March of 2024, Nevada passed Senate Bill 370. In many respects, NY HIPA is broader in scope and effect than its three predecessors.

New York’s S929 (Health Information Privacy Act or NY HIPA), sponsored by state Senator Liz Krueger (D), establishes requirements for communications to individuals regarding the disposition of their health information; and requires written consent or a designated necessary purpose for the processing of such health information. NY HIPA addresses vulnerabilities unaddressed by HIPAA because it applies to a broader range of private companies and protects health information at risk of disclosure through the commercialization of health data.

On Friday, February 14, 2025, the Drug Enforcement Administration (“DEA”) and the U.S. Department of Health and Human Services (“HHS”) announced that the effective dates for two recently published final rules involving telemedicine prescribing of controlled substances – the final rule titled “Expansion of Buprenorphine Treatment via Telemedicine Encounter” and the final rule titled “Continuity of Care via Telemedicine for Veterans Affairs Patients” (collectively referred to herein as the “Buprenorphine and VA Telemedicine Prescribing Rules”) – are delayed from February 18, 2025, until at least March 21, 2025 (see our previous post on the Buprenorphine and VA Telemedicine Prescribing Rules).

The final rule delaying the effective dates of these final rules is scheduled for publication to the Federal Register on Wednesday, February 19, 2025.

The delays stem from the Presidential Memorandum titled “Regulatory Freeze Pending Review,” (the “Freeze Memo”) issued on January 20, 2025. The Freeze Memo orders all executive departments and agencies to “consider postponing” the effective dates of all rules published to the Federal Register that have not yet taken effect, such as the Buprenorphine and VA Telemedicine Prescribing Rules, until at least March 21, 2025 (sixty days from the issuance of the Freeze Memo), to allow review of any questions of fact, law, and/or policy raised by the rule, and to “consider opening” a comment period for stakeholders to comment on those questions. Accordingly, the DEA is also soliciting comments on: 1) the extension of the effective dates, 2) whether the effective dates should be further extended, and 3) questions of fact, law, and policy raised by these rules, for consideration by officials of the two agencies. Comments are due by February 28, 2025.

New from the Diagnosing Health Care Video Podcast: It is critical for health care and life sciences businesses to understand what might and might not change during this transitionary period.

How can you advocate for your needs and priorities in a time of such uncertainty? 

On this episode, Epstein Becker Green (EBG) attorneys James Boiani, Rachel Snyder Good, Marjorie Scher, and Rob Wanerman discuss the proposed leadership of the U.S. Department of Health and Human Services under the second Trump administration and the top-ticket items for these potential new leaders.

On February 7, the National Institutes of Health (“NIH”) issued a Notice (NOT-OD-25-068) entitled “Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates” (the “Notice”), though which NIH announced the adoption of a uniform indirect cost rate (“IDC Rate”) of 15% applicable to all new grants, and to existing grants awarded to Institutions of Higher Education (“IHEs”) – encompassing the vast majority of postsecondary educational institutions in the United States – as of the date the Notice was issued (February 7, 2025). The Notice also indicates the policy will apply for “all current grants for go forward expenses from February 10, 2025 as well as for all new grants issued.” The Notice, as written and supported by underlying regulations, appears to apply the 15% IDC Rate to existing awards only for IHE recipients (see the Notice’s acknowledgment that “NIH may deviate from the negotiated rate both for future grant awards and, in the case of grants to institutions of higher education (“IHEs”), for existing grant awards.  See 45 CFR Appendix III to Part 75, § C.7.a; see 45 C.F.R. 75.414(c)(1).” (emphasis added)). However, there is some ambiguity in the wording and existing non-IHE awardees should be prepared for a possibly broader read by the NIH. The IDC Rate covers “facilities” and “administration” costs of the grantee institution. As a general matter, an institution’s IDC Rate is pre-negotiated and although the NIH cited 27-28% as the average negotiated IDC Rate, it has been reported that many institutions negotiate upwards of 50-60%, with some even as high as 75%.

On January 21, 2025, President Trump issued an executive order titled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity” (the “EO”), which aims to eliminate diversity, equity, and inclusion (DEI) policies and programs across the federal government and within companies that do business with the federal government. Importantly, the EO revokes Executive Order 11246, which, since 1965, has mandated affirmative action in employment from government contractors and required implementation of affirmative action programs.^[i]

Federal contractors and grant recipients have until April 21, 2025 (90 days from the issuance of the EO) to comply with the EO’s provisions. 

Below, we summarize the False Claims Act (FCA) implications of the EO.^[ii] Briefly stated, federal contractors and grant recipients, including certain health care organizations, should pay close attention to the EO’s required certifications since they directly tie to potential FCA liability premised on false certification of compliance with the federal anti-discrimination laws.

[

The HIPAA Security Rule was originally promulgated over 20 years ago. While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and evolution of the cybersecurity landscape, increasingly indicate the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world.  On December 27, 2024, the HHS Office of Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”).  In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”  One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.

The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule.  While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework.  For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented.  Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management.  For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.

What may have seemed like an out-of-the-blue question to the casual observer was no surprise to those who represent individuals and entities in the health care and life sciences industries: U.S. Attorney General (AG) nominee Pam Bondi was asked to share her thoughts on the constitutionality of the False Claims Act (FCA) and its qui tam provisions during her January 15, 2025, confirmation hearings.

Senator Chuck Grassley (R-IA) prefaced his questioning by noting that the FCA is “central to fighting government waste and fraud.” And since 1986—when Grassley authored amendments that modernized and strengthened the Civil War-era statute—he has been a fierce defender. Since the 1986 amendments, the FCA has brought in $78 billion for the federal government, with more than $2.9 billion recovered in fiscal year (FY) 2024. 

“Most of that is due to patriotic whistleblowers who found the fraud and brought the cases forward at their own risk,” Grassley said.

On January 20, 2025, a new administration took control of the Executive Branch of the federal government, and it has signaled that it will make aggressive use of executive orders.  This would be a good time to review the scope of executive orders and how they may affect employers and health care organizations.

Executive orders are not mentioned in the Constitution, but they have been around since the time of George Washington. Executive orders are signed, written, and published orders from the President of the United States that manage and direct the Executive Branch and are binding on Executive Branch agencies.  Executive orders can be used to implement or clarify existing federal law or policies and can direct and manage the way federal agencies interact with private entities.   However, executive orders are not a substitute for either statutes or regulations.

The current procedure for implementing executive orders was set out in a 1962 executive order that requires that all such orders must be published in the Federal Register, the same publication where executive agencies publish proposed and final rules. Once published, any executive order can be revoked or modified simply by issuing a new executive order.  In addition, Congress can ratify an existing executive order in cases where the authority may be ambiguous.

Remote prescribing via telemedicine continues to be a huge area of interest among prescribers and other health care providers.

After publishing a Notice of Proposed Rulemaking (“NPRM”) in March 2023 on the prescribing of controlled substances via telemedicine that was widely criticized for being far more restrictive than temporary waivers then in place under the COVID-19 public health emergency, the Drug Enforcement Administration (“DEA”) went back to the drawing board.

Additional time and a new year has brought renewed focus. Published January 17 in the Federal Register as one NPRM and two final rules (collectively referred to herein as the “DEA’s 2025 Rules”), the DEA’s 2025 Rules seek, as DEA indicates in its press release, to “focus[] on the patient to ensure telemedicine is accessible for medical care.”

On January 6, 2025, the U.S. District Court for the District of Massachusetts granted a defendant laboratory’s motion for summary judgment in a False Claims Act (FCA)/Anti-Kickback Statute (AKS) case brought by a physician objecting to the lab’s testing practices and its use of independent contractors paid on commission. Judge Patti B. Saris held that plaintiffs in FCA cases must establish that “but for” the payment of illegal remuneration in violation of the AKS, the claim would not have been submitted. Applying the “but-for” standard, Judge Saris dismissed OMNI Healthcare Inc. v. MD Spine Solutions LLC, et al. because the record did not support that the independent contractor status of some of the lab’s sales representatives or their conduct unduly influenced any provider’s decision to purchase the product.

Adoption of “But-For” Causation in FCA Cases

There is a circuit split regarding whether FCA plaintiffs must prove that “but for” the AKS violation, a claim would not have been submitted. Requiring “but-for” causation poses a significantly greater burden for plaintiffs seeking to advance FCA claims because they must show the kickback actually affected what good, item, or service was provided.

In the U.S. Courts of Appeals for the Sixth and Eighth Circuits, the heightened “but-for” causation must be established. The Third Circuit has adopted a less rigorous standard, requiring only a showing that at least one of the claims sought reimbursement for medical care that was provided in violation of the AKS. Plaintiffs in circuits with no clear precedent often argue for the application of the more plaintiff-friendly standards of the Third Circuit and use that ambiguity as leverage in negotiating settlement agreements.