Health Law Advisor

In August, the United States filed a Complaint-in-Intervention in a False Claims Act (FCA) whistleblower suit alleging that the Georgia Institute of Technology (“Georgia Tech”) and an affiliate, Georgia Tech Research Corp. (GTRC), violated cybersecurity requirements in connection with Department of Defense (DOD) contracts.

The complaint and accompanying press release reflect the Department of Justice’s (DOJ’s) heightened focus on using the FCA to address cybersecurity issues. The DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to sensitive information and critical systems, uses the federal FCA to pursue cyber-related fraud by government contractors and grant recipients.

The U.S. government joins a case originally filed in 2022 by two qui tam whistleblowers, both senior members of Georgia Tech’s cybersecurity compliance team. Both complaints allege that the defendants failed to comply with federal cybersecurity requirements and attempted to obscure this failure by submitting false claims to the government.

The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.

In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals. 

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect. 

Over the next year, the following laws will become effective:

1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
5. New Hampshire Privacy Act (effective Jan. 1, 2025)
6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
7. Tennessee Information Protection Act (effective July 1, 2025)
8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

New from the Diagnosing Health Care Podcast: Workplace violence in health care settings is on the rise, capturing the attention of both state and federal lawmakers.

As awareness grows, so too does legal scrutiny and the push for new regulations and enforcement. In these seemingly critical times, what should health care employers be thinking about and incorporating into their comprehensive strategies to prevent and address workplace violence?

On this episode, Epstein Becker Green attorneys Sharon Peters, Eric Neiman, and Avery Schumacher dissect the legal landscape surrounding health care workplace violence, examining the steps being taken at various levels of government and what they mean for health care providers and institutions. Join us as we explore the legal frameworks, emerging policies, and broader compliance implications for health care employers.

Global hospital budgets, where hospitals receive a fixed amount of revenue for the upcoming year for a specific patient population (e.g., Medicare and/or Medicaid), are the opposite of fee for service reimbursement.

The Center for Medicare and Medicaid Services (CMS) and state Medicaid programs have taken interest in global hospital budgets and hospitals in impacted states will need to prepare.  This article summarizes two of these programs: the federal Advancing All-Payer Health Equity Approaches and Development (AHEAD) model and New York’s Health Equity Reform 1115 Medicaid Waiver.

In our ongoing series of blog posts, we have examined key negotiating points for tenants in triple net health care leases. We also have offered suggestions for certain lease provisions designed to protect tenants from overreaching and unfair expenses, overly burdensome obligations, and ambiguous terms with respect to the rights and responsibilities of the parties. These suggestions are intended to result in efficient lease negotiations and favorable lease terms from a tenant’s perspective.

In our previous blog posts, we considered the importance of negotiating initial terms and renewal terms, operating expense provisions, assignment and subletting terms, maintenance and repair obligations, holdover provisions and surrender terms. This latest blog post focuses on negotiating lease terms governing tenant improvement allowances. A tenant should negotiate for landlord to provide a tenant improvement allowance to prepare the leased premises for the tenant’s occupancy and should consider important factors including the amount of the tenant improvement allowance, whether tenant or landlord will complete the work, and how and when the tenant improvement allowance will be paid.

New from the Diagnosing Health Care Podcast: The game has changed—are you positioned to adapt? Over the past 12 months, the federal government has been heavily regulating private investment in health care entities.

Simultaneously, multiple states have enacted or introduced new laws restricting or requiring approval of such investments. The question arises: What do you do if you already have investments in these health care entities?

On this episode, Leslie Norwalk, Strategic Counsel at Epstein Becker Green (EBG), joins EBG attorneys Josh Freemire, Tim Murphy, and Ted Kennedy, Jr., to discuss how health care entities, investors, and board members should be responding to an evolving political and regulatory environment that has increased the scrutiny of private investment in health care entities.

This month, I explore just how old medical devices are as measured by the date they were cleared or approved by the FDA, using the Global Unique Device Identification Database.

That database is the only one that FDA maintains that gives insight into specifically what devices are currently marketed in the United States.  And of course, this being unpacking averages, I don’t just want the average, but I want to understand the range.

On July 31, the Centers for Medicare and Medicaid Services (“CMS”) published its mammoth proposed rule entitled “Medicare and Medicaid Programs: Calendar Year 2025 Payment Policies under the Physician Fee Schedule and Other Changes to Part B Payment and Coverage Policies; Medicare Shared Savings Program Requirements; Medicare Prescription Drug Inflation Rebate Program; and Medicare Overpayments” (“CY25 PFS Proposed Rule”).

The CY25 PFS Proposed Rule came on the heels of another CMS rule, published on July 22, covering “Medicare and Medicaid Programs: Hospital Outpatient Prospective Payment and Ambulatory Surgical Center Payment Systems”—and more (“CY25 OPPS Proposed Rule”). Both rules have a comment period that closes on September 9.

The recent Supreme Court decisions of SEC v. Jarkesy[1] and Loper Bright Enterprises v. Raimondo[2] have the potential to meaningfully impact the implementation and enforcement of the Drug Supply Chain Security Act[3] (“DSCSA”) as industry transitions away from the “stabilization period” ending on November 27, 2024.  The DSCSA statute contemplated that the Enhanced Drug Distribution Security system (“EDDS”) was to be effective November 27, 2023.[4]  Recognizing that many Trading Partners were not yet ready to fully comply with the November 27, 2023 deadline, in August 2023, the FDA issued a compliance policy guidance document with regard to EDDS.[5]  This guidance document provided Trading Partners with a one-year “stabilization period”, through November 27, 2024, during which the FDA would not enforce the statutory EDDS requirements.[6] The stabilization period was implemented to avoid supply chain disruption and to ensure continued patient access to prescription drug products, while Trading Partners continue to work towards compliance with the EDDS requirements.

As we move from the “stabilization period” to perhaps a period of greater enforcement, each of these decisions favor the potential positions of regulated trading partners over the FDA in application to the DSCSA.