On February 7, the National Institutes of Health (“NIH”) issued a Notice (NOT-OD-25-068) entitled “Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates” (the “Notice”), though which NIH announced the adoption of a uniform indirect cost rate (“IDC Rate”) of 15% applicable to all new grants, and to existing grants awarded to Institutions of Higher Education (“IHEs”) – encompassing the vast majority of postsecondary educational institutions in the United States – as of the date the Notice was issued (February 7, 2025). The Notice also indicates the policy will apply for “all current grants for go forward expenses from February 10, 2025 as well as for all new grants issued.” The Notice, as written and supported by underlying regulations, appears to apply the 15% IDC Rate to existing awards only for IHE recipients (see the Notice’s acknowledgment that “NIH may deviate from the negotiated rate both for future grant awards and, in the case of grants to institutions of higher education (“IHEs”), for existing grant awards. See 45 CFR Appendix III to Part 75, § C.7.a; see 45 C.F.R. 75.414(c)(1).” (emphasis added)). However, there is some ambiguity in the wording and existing non-IHE awardees should be prepared for a possibly broader read by the NIH. The IDC Rate covers “facilities” and “administration” costs of the grantee institution. As a general matter, an institution’s IDC Rate is pre-negotiated and although the NIH cited 27-28% as the average negotiated IDC Rate, it has been reported that many institutions negotiate upwards of 50-60%, with some even as high as 75%.
As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”), was signed into law on July 25, 2019. A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, involving fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.
Blog Editors
Recent Updates
- Important Negotiating Points in Commercial Real Estate Purchase and Sale Contracts Negotiating the Letter of Intent
- 2025 Picks Up Steam with Increased Scrutiny of Health Care Transactions and Corporate Structures
- HHS Reverses Its Longstanding Policy and Limits Public Participation in Rulemaking
- Sitting Atop a Telehealth Cliff?
- A Regulatory Haze of Uncertainty Continues as the Clock Ticks Toward Phase One of FDA’s LDT Final Rule