Category: Health

Holy Hemp: New Jersey Court Partially Invalidates Hemp Law

On Oct. 10, 2024, a New Jersey Federal District Court made a big decision on hemp. The Court largely invalidated New Jersey’s recent attempt to tighten controls on “intoxicating hemp products” like Delta-8 and Delta-10, which were previously sold in gas stations, smoke shops, and convenience stores without much oversight. The state had put forward amendments aimed at restricting these products to those over 21 and regulating them like cannabis. New Jersey argued that it was time to clamp down on these sales, citing public health concerns and the rising number of minors getting their hands on these potent, unregulated products.

NJ Gov. Phil Murphy had signed off on these amendments despite admitting the law wasn’t perfect. For him, protecting minors was the priority. And today, the Court shared that sentiment—partially. It kept in place only the part that prevents the sale of these products to minors.

As for the rest of the amendment? The Court struck it down. The reason? It found that New Jersey’s approach violated federal law, essentially treating hemp products from out-of-state differently from those produced locally under the New Jersey Cannabis Regulatory Commission’s new process. This selective control crossed the line, according to the Dormant Commerce Clause of the Constitution and provisions in the Federal Farm Act, which stops states from blocking the transport of hemp products.

The Court’s decision made it clear that New Jersey does have the power to regulate these sales, but the amendments need legislative fine-tuning to meet federal standards. So, while New Jersey’s push to regulate intoxicating hemp is on pause, this is far from over.

Here’s where the decision makes things complicated for sellers: By Oct. 12, shops were supposed to pull these hemp products from the shelves, including Delta-8 drinks and THC-A gummies. That means, until New Jersey’s Cannabis Regulatory Commission issues new rules, those products are off-limits.

For anyone in the hemp or cannabis business in New Jersey, it’s a loud reminder—stay compliant, stay updated, and be ready to adapt quickly to changes.

by: Benjamin Sheppard of Norris McLaughlin P.A.
©2024 Norris McLaughlin P.A., All Rights Reserved

For more news on Hemp Legality, visit the NLR Biotech, Food, & Drug section.

Affordable Care Act Proposed Rule Would Broaden Access to Over-the-Counter Contraception Without Cost Sharing

Employer-sponsored health plans would be required to cover over-the-counter contraception, including condoms and emergency contraception, without a prescription and without cost sharing under newly proposed Affordable Care Act (ACA) regulations

Quick Hits

  • Proposed rules issued by the DOL, HHS, and Treasury are designed to increase coverage for over-the-counter contraceptives, such as condoms, spermicides, and emergency contraception, without a prescription.
  • If finalized, the proposed rules would be the first time that male contraceptives will be covered under the ACA preventive care requirements.
  • The public has until December 27, 2024, to submit comments on the proposed rules.

Fully insured and self-insured health plans would have to cover every Food and Drug Administration (FDA)-approved contraceptive drug or drug-led combination product without cost sharing, unless the plan or insurer covers a therapeutic equivalent without cost sharing, under rules proposed by the U.S. Departments of Health and Human Services, Labor, and Treasury.

Employer-sponsored health plans and insurers also would have to tell participants that over-the-counter contraception without a prescription is covered at no cost, under the proposed rules published October 28, 2024, in the Federal Register.

The ACA requires most group health plans to cover preventive care at no cost to patients. Preventive care under the ACA includes FDA-approved contraceptives for women, such as birth control pills, injectable contraceptives, contraceptive patches, implantable rods, intrauterine devices, diaphragms, sponges, vaginal rings, emergency contraception medication, and sterilization procedures for women. In 2022, the Health Resources and Services Administration (HRSA) issued updated guidelines that define which healthcare services are considered preventive for women.

Without a prescription, over-the-counter products were not included in the ACA’s coverage requirement. The proposed rule would change that.

In guidance issued earlier this year, the departments noted that they are still identifying plans that are out of compliance with the contraceptive care requirements. Employers that violate the ACA mandate can be fined $100 for each day in the noncompliance period for each affected employee. At first, the ACA granted exemptions to churches and other religious organizations that hold instilling religious values as their purpose and primarily employ people who share their religious beliefs. The criteria to qualify for an exemption were broadened later. Without an exemption, nongovernmental employers can use a self-certification form to instruct their health insurer to exclude contraceptive coverage from the group health plan and provide payments to patients for contraceptive services separate from the health plan.

In July 2020, the Supreme Court of the United States ruled that private employers with religious or moral objections can be exempt from the contraceptive mandate.

Seven states—California, Colorado, Maryland, New Jersey, New Mexico, New York, and Washington—already have laws requiring state-regulated health insurance policies to cover certain over-the-counter contraceptives without a prescription and without cost sharing.

Next Steps

Employers may want to review the coverage of contraceptives under their medical plans both to ensure that no improper restrictions are put on them currently and also to clarify how their coverage would need to expand if these proposed rules became final in a substantially similar form.

This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
For more news on ACA OTC Contraception Regulations, visit the NLR Health Law & Managed Care section.

Federal District Court in Florida Holds FCA’s Qui Tam Provisions Unconstitutional

In the Supreme Court’s 2022 decision in United States ex rel. Polansky v. Executive Health Resources, Inc., three justices expressed concern that the False Claims Act’s qui tam provisions violate Article II of the Constitution and called for a case presenting that question. Justice Clarence Thomas penned a dissent explaining that private relators wield significant executive authority yet are not appointed as “Officers of the United States” under Article II. Justice Brett Kavanaugh and Justice Amy Coney Barrett, concurring in the main opinion, agreed with Justice Thomas that this constitutional issue should be considered in an appropriate case.

Earlier this year, several defendants in a non-intervened qui tam lawsuit in the Middle District of Florida took up the challenge. The qui tam, styled United States ex rel. Zafirov v. Florida Medical Associates, LLC et al., involves allegations of Medicare Advantage coding fraud. After several years of litigation, the defendants moved for judgment on the pleadings, arguing the relator’s qui tam action was unconstitutional, citing Justice Thomas’s dissent in Polansky.

The defendants’ motion prompted a statement of interest from the United States and participation as amici by the U.S. Chamber of Commerce and the Anti-Fraud Coalition. The Court also asked for supplemental briefs on Founding-era historical evidence regarding federal qui tam enforcement.

On September 30, 2024, Judge Kathryn Kimball Mizelle granted the defendants’ motion, agreeing the relator was unconstitutionally appointed and dismissing her complaint. Judge Mizelle, who clerked for Justice Thomas, held a private FCA relator exercises significant authority that is constitutionally reserved to the executive branch, including the right to bring an enforcement action on behalf of the United States and recover money for the U.S. Treasury. In doing so, a relator chooses which claims to prosecute, which theories to raise, which defendants to sue, and which arguments to make on appeal, resulting in precedent that binds the United States. Yet, a relator is not appointed by the president, a department head, or a court of law under Article II, making the qui tam device unconstitutional.

Judge Mizelle distinguished historical qui tam statutes, which were largely abandoned early in our nation’s history, on the ground that few gave a relator the level of authority the FCA does. And while the FCA itself dates back to the Civil War, the statute largely remained dormant (aside from a flurry of use in the 1930s and 40s) until the 1986 amendments set off a new wave of qui tam litigation.

The ruling is significant for the future of the FCA. As Judge Mizelle’s opinion explains, most FCA actions are brought by relators as opposed to the government itself. If the decision is upheld on appeal, a number of outcomes are possible. If the FCA is to continue as a significant source of revenue generation for the government, the DOJ must devote more resources to bringing FCA actions directly. Congress may also consider amending the FCA’s qui tam provisions to limit relators’ authority to conduct FCA litigation, thereby maintaining the statute as a viable avenue for whistleblowing.

One thing is almost certain, however. FCA defendants across the country will likely raise similar arguments in light of Judge Mizelle’s ruling. Whether in Zafirov or another case, it appears the Supreme Court will get to decide the constitutionality of the FCA’s qui tam provisions sooner rather than later.

© 2024 Bradley Arant Boult Cummings LLP
For more on Qui Tam Provisions, visit the NLR Criminal Law Business Crimes section.

Supreme Court Declines to Hear “Willfulness” Case

On Monday, October 7, 2024, the U.S. Supreme Court declined to consider a petition for certiorari in United States ex rel. Hart v. McKesson Corp., Case No. 23-1293, where relator, Adam Hart (“Relator”), sought review of a Second Circuit decision upholding the dismissal of Relator’s complaint against pharmaceutical distributor, McKesson Corporation (“McKesson”).

The case involved allegations that McKesson violated the Anti-Kickback Statute (“AKS”), which prohibits offering, paying, soliciting, or receiving remuneration to induce the purchase of goods and services paid for by a federal health program. Relator, a former McKesson employee, filed a qui tam action, claiming McKesson provided valuable business management tools—valued at over $150,000—to oncology practices at no cost, in order to induce them to purchase oncology pharmaceuticals from McKesson.

The Second Circuit dismissed Relator’s federal claims, reasoning that the allegations failed to meet the mens rea (intent) element under the AKS. The Court held that, to act willfully under the AKS, a defendant must know that its conduct is unlawful, either under the AKS or other law. Since Relator’s allegations did not plausibly suggest McKesson acted with knowledge of illegality, his federal False Claims Act claims based on the federal AKS were dismissed.

The Supreme Court’s refusal to hear Relator’s case preserves the existing circuit split regarding the interpretation of “willfulness” under the AKS. The Second Circuit, along with the Eleventh Circuit, has adopted the view that the AKS is violated when a defendant intends to violate a legal standard. This contrasts with the Fifth Circuit, which interprets the mens rea element to prohibit acts done knowingly and willfully, as opposed to by mistake or accident, and the Eight Circuit, which requires intent to commit an act known to be wrongful, but not necessarily known to be unlawful.

As it stands, the unresolved split among the circuits on this critical issue remains, and providers should be mindful that, at least in the Second and Eleventh Circuits, the stricter interpretation of “willfulness” under the AKS will continue to apply.

© Polsinelli PC, Polsinelli LLP in California
For more news on Anti-Kickback Litigation, visit the NLR Health Law & Managed Care section.

Mental Health Parity and Addiction Equity Act Final Rules (“Final Rules”) Are Released: Plans and Issuers Must Prepare for January 1, 2025 Effective Date (US)

The long-awaited Final Rules amending the Mental Health Parity and Addiction Equity Act (“MHPAEA”) were released on September 9, 2024, with the bulk of the requirements going into effect on January 1, 2025. As we previously reported here, in August 2023, the Departments of Labor, Health and Human Services (“HHS”) and Treasury (together, the “Departments”) published proposed rules further regulating insurance coverage for treatment for mental health and substance use disorders. Although the Final Rules appear less burdensome than the proposed rules, they do impose significant changes to the obligations of group health plans and health insurance issuers with a short time to achieve compliance. The key provisions are summarized below.

Key Changes in the Final Rules

The Final Rules’ stated intent is to “strengthen consumer protections consistent with MHPAEA’s fundamental purpose,” which includes reducing burdens on access to benefits for individuals in group health plans or with group or individual health insurance coverage seeking treatment for mental health and substance use disorders (“MH/SUD”) as compared to accessing benefits for the treatment of medical/surgical (“M/S”) conditions.

The Final Rules purport to achieve that goal through four key changes to the MHPAEA:

  • Mandating content requirements for performing a comparative analysis of the design and application of each non-quantitative treatment limitation (“NQTL”) applicable to MH/SUD benefits.
  • Setting forth design and application requirements and relevant data evaluation requirements to ensure compliance with NQTL rules.
  • Increasing scrutiny of network adequacy for MH/SUD benefits.
  • Introducing core treatment coverage requirements to the meaningful benefit standard.

Comparative Analysis Content Requirements

Since 2021, insurance plans and issuers offering plans that cover both M/S and MH/SUD benefits and impose NQTLs on MH/SUD benefits must have a written comparative analysis demonstrating that the factors used to apply an NQTL to MH/SUD benefits are comparable to and applied no more stringently than those used to apply that same NQTL to M/S benefits, as set forth in the 2021 Consolidated Appropriations Act (“CAA”). The Final Rules expand upon the NQTL analysis required by the CAA and include six specific content elements:

  1. a description of the NQTL;
  2. identification and definition of the factors and evidentiary standards used to design or apply the NQTL;
  3. a description of how factors are used in the design or application of the NQTL;
  4. a demonstration of comparability and stringency, as written;
  5. a demonstration of comparability and stringency, in operation, including the required data, evaluation of that data, explanation of any material differences in access, and description of reasonable actions taken to address such differences; and
  6. findings and conclusions.

Upon request, plans and issuers must provide written comparative analyses to U.S. regulators, plan beneficiaries, participants, or enrollees who have received an adverse benefit determination related to MH/SUD benefits, and participants and beneficiaries in plans governed by ERISA at any time. Plans and issuers only have 10 business days to respond to a request from the relevant Secretary to review its comparative analyses and, if an initial determination of noncompliance is made, the plan or issuer only has 45 calendar days to respond with specific actions it will take to bring the plan into compliance and provide additional comparative analyses that demonstrate compliance. Upon a final determination of noncompliance, notice must be given to all participants, beneficiaries, and enrollees within seven business days after the relevant Secretary’s determination.

Demonstrating Compliance with NQTL Rules

The Final Rules also require that a NQTL applicable to MH/SUD benefits in a classification is no more restrictive than the predominant NQTL applied to M/S benefits in the same classification. In order to ensure compliance with NQTL rules, plans and issuers must satisfy two sets of requirements: (1) the design and application requirements, and (2) the relevant data evaluation requirements. For example, under the design and application requirements, a plan cannot reimburse non-physician providers of MH/SUD services by reducing the rates for physician providers of MH/SUD services unless it applies the same reduction to non-physician providers of M/S services from the rate for physician providers of such services. Under the relevant data evaluation requirements, to compare the impact of NQTLs related to network composition on access to MH/SUD versus M/S benefits, a plan should evaluate metrics relating to the time and distance from plan participants and beneficiaries to network providers, the number of network providers accepting new patients, provider reimbursement rates, and in-network and out-of-network utilization rates.

Design and Application

Plans and issuers must examine the factors used to design and apply an NQTL to MH/SUD benefits to ensure such factors are comparable to those used with respect to M/S benefits in the same classification. The Final Rules also prohibit using information that discriminates against MH/SUD benefits as compared to M/S benefits, meaning information that systematically disfavors or was specifically designed to disfavor access to MH/SUD benefits. Appropriate information and other factors to use in designing and applying an NQTL to MH/SUD benefits include generally recognized independent professional medical or clinical standards.

Relevant Data Evaluation

The relevant data evaluation requirement means plans and issuers must collect and evaluate data to ensure, in operation, that an NQTL applicable to MH/SUD benefits is not more restrictive than the NQTL applied to M/S benefits in the same classification. The Final Rules anticipate that the relevant data for any given NQTL will depend on the facts and circumstances and provide flexibility for plans to determine what should be collected and evaluated. Examples of relevant data provided in the Final Rules include the number and percentage of claim denials, utilization rates, and network adequacy rates.

Network Adequacy

The Final Rules demonstrate the Departments’ increased scrutiny of network adequacy issues for MH/SUD benefits. For NQTLs related to network composition standards, a plan or issuer must collect data to assess the NQTLs’ aggregate impact on access to MH/SUD benefits and M/S benefits. By way of example, suppose the evaluated data suggests that an NQTL contributes to a material difference in access to MH/SUD benefits compared to M/S benefits. In that case, plans and issuers must act to address any material differences in access. The Final Rules provide examples of reasonable compliance actions, including increased recruiting efforts for MH/SUD providers, expanding telehealth options under the plan, and ensuring that provider directories are accurate and reliable. A plan must document the actions that it takes to address differences in access to in-network MH/SUD providers as compared to in-network M/S providers.

Meaningful Benefit Standard

The Final Rules require plans to provide “meaningful” benefits for MH/SUD disorders in every classification in which the plan provides M/S benefits. Benefits are “meaningful,” for MHPAEA purposes, when they cover core treatments for that condition, meaning a standard treatment or course of treatment, therapy, service, or intervention indicated by generally recognized independent standards of current medical practice.

The Final Rules provide examples to demonstrate the application of the meaningful benefits standard. In one example, a plan covers the full range of outpatient treatments (including core treatments) and treatment settings for M/S benefits when provided on an out-of-network basis. The same plan covers outpatient, out-of-network developmental screenings for a mental health condition but excludes all other benefits, such as therapeutic intervention, for outpatient treatment when provided on an out-of-network basis. The Departments view therapeutic intervention, however, as a core treatment for the mental health condition under generally recognized independent standards of current medical practice. Per the Final Rules, the Departments interpret such exclusion as a violation because the plan does not cover a core treatment for the mental health disorder in the outpatient, out-of-network classification. Since the plan’s coverage for M/S benefits includes a core treatment in the classification, the Final Rules opine that the plan fails to provide meaningful benefits for treatment of the mental health disorder.

Effective Dates

The new requirements of the Final Rules will go into effect on different dates. Plans and issuers have until January 1, 2026, to comply with the meaningful benefits standard, the prohibition on discriminatory factors and evidentiary standards, the relevant data evaluation requirements, and the related requirements in the provisions for comparative analyses. During this time, plans and issuers should assess whether their mental health provider networks are adequate, and also consider expanding the scope of MH/SUD benefits across classifications to meet new parity requirements.

The other requirements, including most of the new requirements affecting comparative analyses, go into effect on January 1, 2025. Accordingly, plans and issuers should the time remaining this year to develop a plan to prepare NQTL comparative analyses within the three-month compliance period, and have processes in place to quickly address any material changes to benefit design in the future.

© Copyright 2024 Squire Patton Boggs (US) LLP
For more on MHPAEA, visit the NLR Health Law Managed Care section.

The Evolution of AI in Healthcare: Current Trends and Legal Considerations

Artificial intelligence (AI) is transforming the healthcare landscape, offering innovative solutions to age-old challenges. From diagnostics to enhanced patient care, AI’s influence is pervasive, and seems destined to reshape how healthcare is delivered and managed. However, the rapid integration of AI technologies brings with it a complex web of legal and regulatory considerations that physicians must navigate.

It appears inevitable AI will ultimately render current modalities, perhaps even today’s “gold standard” clinical strategies, obsolete. Currently accepted treatment methodologies will change, hopefully for the benefit of patients. In lockstep, insurance companies and payors are poised to utilize AI to advance their interests. Indeed, the “cat-and-mouse” battle between physician and overseer will not only remain but will intensify as these technologies intrude further into physician-patient encounters.

  1. Current Trends in AI Applications in Healthcare

As AI continues to evolve, the healthcare sector is witnessing a surge in private equity investments and start-ups entering the AI space. These ventures are driving innovation across a wide range of applications, from tools that listen in on patient encounters to ensure optimal outcomes and suggest clinical plans, to sophisticated systems that gather and analyze massive datasets contained in electronic medical records. By identifying trends and detecting imperceptible signs of disease through the analysis of audio and visual depictions of patients, these AI-driven solutions are poised to revolutionize clinical care. The involvement of private equity and start-ups is accelerating the development and deployment of these technologies, pushing the boundaries of what AI can achieve in healthcare while also raising new questions about the integration of these powerful tools into existing medical practices.

Diagnostics and Predictive Analytics:

AI-powered diagnostic tools are becoming sophisticated, capable of analyzing medical images, genetic data, and electronic health records (EHRs) to identify patterns that may elude human practitioners. Machine learning algorithms, for instance, can detect early signs of cancer, heart disease, and neurological disorders with remarkable accuracy. Predictive analytics, another AI-driven trend, is helping clinicians forecast patient outcomes, enabling more personalized treatment plans.

 

Telemedicine and Remote Patient Monitoring:

The COVID-19 pandemic accelerated the adoption of telemedicine, and AI is playing a crucial role in enhancing these services. AI-driven chatbots and virtual assistants are set to engage with patients by answering queries and triaging symptoms. Additionally, AI is used in remote and real-time patient monitoring systems to track vital signs and alert healthcare providers to potential health issues before they escalate.

 

Drug Discovery and Development:

AI is revolutionizing drug discovery by speeding up the identification of potential drug candidates and predicting their success in clinical trials. Pharmaceutical companies are pouring billions of dollars in developing AI-driven tools to model complex biological processes and simulate the effects of drugs on these processes, significantly reducing the time and cost associated with bringing new medications to market.

Administrative Automation:

Beyond direct patient care, AI is streamlining administrative tasks in healthcare settings. From automating billing processes to managing EHRs and scheduling appointments, AI is reducing the burden on healthcare staff, allowing them to focus more on patient care. This trend also helps healthcare organizations reduce operational costs and improve efficiency.

AI in Mental Health:

AI applications in mental health are gaining traction, with tools like sentiment analysis, an application of natural language processing, being used to assess a patient’s mental state. These tools can analyze text or speech to detect signs of depression, anxiety, or other mental health conditions, facilitating earlier interventions.

  1. Legal and Regulatory Considerations

As AI technologies become more deeply embedded in healthcare, they intersect with legal and regulatory frameworks designed to protect patient safety, privacy, and rights.

Data Privacy and Security:

AI systems rely heavily on vast amounts of data, often sourced from patient records. The use of this data must comply with privacy regulations established by the Health Insurance Portability and Accountability Act (HIPAA), which mandates stringent safeguards to protect patient information. Physicians and AI developers must ensure that AI systems are designed with robust security measures to prevent data breaches, unauthorized access, and other cyber threats.

Liability and Accountability:

The use of AI in clinical decision-making raises questions about liability. If an AI system provides incorrect information or misdiagnoses a condition, determining who is responsible—the physician, the AI developer, or the institution—can be complex. As AI systems become more autonomous, the traditional notions of liability may need to evolve, potentially leading to new legal precedents and liability insurance models.

These notions beg the questions:

  • Will physicians trust the “judgment” of an AI platform making a diagnosis or interpreting a test result?
  • Will the utilization of AI platforms cause physicians to become too heavily reliant on these technologies, forgoing their own professional human judgment?

Surely, plaintiff malpractice attorneys will find a way to fault the physician whatever they decide.

Insurance Companies and Payors:

Another emerging concern is the likelihood that insurance companies and payors, including Medicare/Medicaid, will develop and mandate the use of their proprietary AI systems to oversee patient care, ensuring it aligns with their rules on proper and efficient care. These AI systems, designed primarily to optimize cost-effectiveness from the insurer’s perspective, could potentially undermine the physician’s autonomy and the quality of patient care. By prioritizing compliance with insurer guidelines over individualized patient needs, these AI tools could lead to suboptimal outcomes for patients. Moreover, insurance companies may make the use of their AI systems a prerequisite for physicians to maintain or obtain enrollment on their provider panels, further limiting physicians’ ability to exercise independent clinical judgment and potentially restricting patient access to care that is truly personalized and appropriate.

Licensure and Misconduct Concerns in New York State:

Physicians utilizing AI in their practice must be particularly mindful of licensure and misconduct issues, especially under the jurisdiction of the Office of Professional Medical Conduct (OPMC) in New York. The OPMC is responsible for monitoring and disciplining physicians, ensuring that they adhere to medical standards. As AI becomes more integrated into clinical practice, physicians could face OPMC scrutiny if AI-related errors lead to patient harm, or if there is a perceived over-reliance on AI at the expense of sound clinical judgment. The potential for AI to contribute to diagnostic or treatment decisions underscores the need for physicians to maintain ultimate responsibility and ensure that AI is used to support, rather than replace, their professional expertise.

Conclusion

AI has the potential to revolutionize healthcare, but its integration must be approached with careful consideration of legal and ethical implications. By navigating these challenges thoughtfully, the healthcare industry can ensure that AI contributes to better patient outcomes, improved efficiency, and equitable access to care. The future of AI in healthcare looks promising, with ongoing advancements in technology and regulatory frameworks adapting to these changes. Healthcare professionals, policymakers, and AI developers must continue to engage in dialogue to shape this future responsibly.

©2024 Norris McLaughlin P.A., All Rights Reserved
For more on AI, visit the NLR Artificial Intelligence section.

Application of New Mental Health Parity Rules to Provider Network Composition and Reimbursement: Perspective and Analysis

On September 23, 2024, the U.S. Departments of Labor, the Treasury, and Health and Human Services (collectively, the “Departments”) released final rules (the “Final Rules”) that implement requirements under the Mental Health Parity and Addiction Equity Act (MHPAEA).

The primary focus of the Final Rules is to implement new statutory requirements under the Consolidated Appropriations Act of 2021, which amended MHPAEA to require health plans and issuers to develop comparative analyses to determine whether nonquantitative treatment limitations (NQTLs)—which are non-financial restrictions on health care benefits that can limit the length or scope of treatment—for mental health and substance use disorder (MH/SUD) benefits are comparable to and applied no more stringently than NQTLs for medical/surgical (M/S) benefits.

Last month, Epstein Becker Green published an Insight entitled “Mental Health Parity: Federal Departments of Labor, Treasury, and Health Release Landmark Regulations,” which provides an overview of the Final Rules. This Insight takes a closer look at the application of the Final Rules to NQTLs related to provider network composition and reimbursement rates.

Provider Network Composition and Reimbursement NQTL Types

A key focus of the Final Rules is to ensure that NQTLs related to provider network composition and reimbursement rates do not impose greater restrictions on access to MH/SUD benefits than they do for M/S benefits.

In the Final Rules, the Departments decline to specify which strategies and functions they expect to be analyzed as separate NQTL types, instead requiring health plans and issuers to identify, define, and analyze the NQTL types that they apply to MH/SUD benefits. However, the Final Rules set out that the general category of “provider network composition” NQTL types includes, but is not limited to, “standards for provider and facility admission to participate in a network or for continued network participation, including methods for determining reimbursement rates, credentialing standards, and procedures for ensuring the network includes an adequate number of each category of provider and facility to provide services under the plan or coverage.”[1]

For NQTLs related to out-of-network rates, the Departments note that NQTLs would include “[p]lan or issuer methods for determining out-of-network rates, such as allowed amounts; usual, customary, and reasonable charges; or application of other external benchmarks for out-of-network rates.”[2]

Requirements for Comparative Analyses and Outcomes Data Evaluation

For each NQTL type, plans must perform and document a six-step comparative analysis that must be provided to federal and state regulators, members, and authorized representatives upon request. The Final Rules divide the NQTL test into two parts: (1) the “design and application” requirement and (2) the “relevant data evaluation” requirement.

The “design and application” requirement, which builds directly on existing guidance, requires the “processes, strategies, evidentiary standards, or other factors” used in designing and applying an NQTL to MH/SUD benefits to be comparable to, and applied no more stringently than, those used for M/S benefits. Although these aspects of the comparative analysis should be generally familiar, the Final Rules and accompanying preamble provide extensive new guidance about how to interpret and implement these requirements.

The Final Rules also set out a second prong to the analysis: the requirement to collect and evaluate “relevant data” for each NQTL. If such analysis shows a “material difference” in access, then the Final Rules also require the plan to take “reasonable” action to remedy the disparity.

The Final Rules provide that relevant data measures for network composition NQTLs may include, but are not limited to:

  • in-network and out-of-network utilization rates, including data related to provider claim submissions;
  • network adequacy metrics, including time and distance data, data on providers accepting new patients, and the proportions of available MH/SUD and M/S providers that participate in the plan’s network; and
  • provider reimbursement rates for comparable services and as benchmarked to a reference standard, such as Medicare fee schedules.

Although the Final Rules do not describe relevant data for out-of-network rates, these data measures may parallel measures to evaluate in-network rates, including measures that benchmark MH/SUD and M/S rates against a common standard, such as Medicare fee schedule rates.

Under the current guidance, plans have broad flexibility to determine what measures must be used, though the plan must ensure that the metrics that are selected reasonably measure the actual stringency of design and application of the NQTL with regard to the impact on member access to MH/SUD and M/S benefits. However, additional guidance is expected to further clarify the data evaluation requirements that may require the use of specific measures, likely in the form of additional frequently asked questions as well as updates to the Self-Compliance Tool published by the Departments to help plans and issuers assess whether their NQTLs satisfy parity requirements.

The Final Rules require plans to look at relevant data for network composition NQTLs in the aggregate—meaning that the same relevant data must be used for all NQTL types (however defined). As such, the in-operation data component of the comparative analysis for network composition NQTLs will be aggregated.

If the relevant data indicates a “material difference,” the threshold for which the plan must establish and define reasonably, the plan must take “reasonable actions” to address the difference in access and document those actions.

Examples of a “reasonable action” that plans can take to comply with network composition requirements “include, but are not limited to:

  1. Strengthening efforts to recruit and encourage a broad range of available mental health and substance use disorder providers and facilities to join the plan’s or issuer’s network of providers, including taking actions to increase compensation or other inducements, streamline credentialing processes, or contact providers reimbursed for items and services provided on an out-of-network basis to offer participation in the network;
  2. Expanding the availability of telehealth arrangements to mitigate any overall mental health and substance use disorder provider shortages in a geographic area;
  3. Providing additional outreach and assistance to participants and beneficiaries enrolled in the plan or coverage to assist them in finding available in-network mental health and substance use disorder providers and facilities; and
  4. Ensuring that provider directories are accurate and reliable.”

These examples of potential corrective actions and related discussion in the Final Rules provide an ambitious vision for a robust suite of strategies that the Departments believe that plans should undertake to address material disparities in access as defined in the relevant data. However, the Final Rules put the onus on the plan to design the strategy that it will use to define “material differences” and remedy any identified disparity in access. Future guidance and enforcement may provide examples of how this qualitative assessment will play out in practice and establish both what the Departments will expect with regard to the definition of “material differences” and what remedial actions they consider to be sufficient. In the interim, it is highly uncertain what the practical impact of these new requirements will be.

Examples of Network Analyses Included in the Final Rules

The Final Rules include several examples to clarify the application of the new requirements to provider network composition NQTLs. Unfortunately, the value of these examples for understanding how the Final Rules will impact MH/SUD provider networks in practice may be limited. As a result, given the lack of detail regarding the complexity of analyzing these requirements for actual provider networks, as well as the fact that the examples fail to engage in any meaningful discussion of where to identify the threshold for compliance with these requirements, it remains to be seen how regulators will interpret and enforce these requirements in practice.

  • Example 1 demonstrates that it would violate the NQTL requirements to apply a percentage discount to physician fee schedule rates for non-physician MH/SUD providers if the same reduction is not applied for non-physician M/S providers. Our takeaways from this example include the following:
    • This example is comparable to the facts that were alleged by the U.S. Department of Labor in Walsh v. United Behavioral Health, E.D.N.Y., No. 1:21-cv-04519 (8/11/21).
    • Example 1 is useful to the extent that it clarifies that a reimbursement strategy that specifically reduces MH/SUD provider rates in ways that do not apply to M/S provider rates would violate MHPAEA. However, such cut-and-dried examples may be rare in practice, and a full review of the strategies for developing provider reimbursement rates is necessary.
  • Example 4 demonstrates that plans may not simply rely on periodic historic fee schedules as the sole basis for their current fee schedules. Here are some key takeaways from this example:
    • Even though this methodology may be neutral and non-discriminatory on its face, given that the historic fee schedules are not themselves a non-biased source of evidence, to meet the new requirements for evidentiary standards and sources, the plan would have to demonstrate that these historic fee schedules were based on sources that were objective and not biased against MH/SUD providers.
    • If the plan cannot demonstrate that the evidentiary standard used to develop its fee schedule does not systematically disfavor access to MH/SUD benefits, it can still pass the NQTL test if it takes steps to cure the discriminatory factor.
    • Example 4 loosely describes a scenario where a plan supplements a historic fee schedule that is found to discriminate against MH/SUD access by accounting for the current demand for MH/SUD services and attracting “sufficient” MH/SUD providers to the network. Unfortunately, however, the facts provided do not clarify what steps were taken to achieve this enhanced access or how the plan or regulator determined that access had become “sufficient” following the implementation of the corrective actions.
  • Example 10 provides that if a plan’s data measures indicate a “material difference” in access to MH/SUD benefits relative to M/S benefits that are attributable to these NQTLs, the plan can still achieve compliance by taking corrective actions. Our takeaways from this example include the following:
    • The facts in this example stipulate that the plan evaluates all of the measure types that are identified above as examples. Example 10 also states that a “material difference” exists but does not identify the measure or measures for which a difference exists or what facts lead to the conclusion that the difference was “material.” To remedy the material difference, this example states that the plan undertakes all of the corrective actions to strengthen its MH/SUD provider network that are identified above as examples and, therefore, achieves compliance. However, this example fails to clarify how potentially inconsistent outcomes across the robust suite of identified measures were balanced to determine that the “material difference” standard was ultimately met. Example 10 also does not provide any details about what specific corrective actions the plan takes or what changes result from these actions.

Epstein Becker Green’s Perspective

The new requirements of the Final Rules will significantly increase the focus of the comparative analyses on the outcomes of the provider network NQTLs. For many years, the focus of the comparative analyses was primarily on determining whether any definable aspect of the plan’s provider contracting and reimbursement rate-setting strategies could be demonstrated to discriminate against MH/SUD providers. The Final Rules retain those requirements but now put greater emphasis on the results of network composition activities with regard to member access and require plans to pursue corrective actions to remediate any material disparities in that data. This focus on a robust “disparate impact” form of anti-discrimination analysis may lead to a meaningful increase in reimbursement for MH/SUD providers or other actions to more aggressively recruit them to participate in commercial health plan networks.

However, at present, it remains unclear which measures the Departments will ultimately require for reporting. Concurrent with the release of their Notice of Proposed Rulemaking on July 23, 2023, the Departments published Technical Release 2023-01P to solicit comments on key approaches to evaluating comparability and stringency for provider network access and reimbursement rates (including some that are referenced as examples in the Final Rules). Comments to the Technical Release highlighted significant concerns with nearly all of the proposed measures. For example, proposals to require analysis of MH/SUD and M/S provider reimbursement rates for commercial markets that are benchmarked to Medicare fee schedules in a simplistic way may fail to account for differences in population health and utilization, value-based reimbursement strategies, and a range of other factors with significant implications for financial and clinical models for both M/S and MH/SUD providers. Requirements to analyze the numbers or proportions of MH/SUD and M/S providers that are accepting new patients may be onerous for providers to report on and for plans to collect and may obscure significant nuances with regard to wait times, the urgency of the service, and the match between the provider’s training and service offerings to the patient’s need. Time and mileage standards highlighted by the Departments not only often fail to capture important access challenges experienced by patients who need MH/SUD care from sub-specialty providers or facilities but also fail to account for evolving service delivery models that may include options such as mobile units, school-based services, home visits, and telehealth. Among the measures identified in the Technical Release, minor differences in measure definitions and specifications can have significant impacts on the data outcomes, and few (if any) of the proposed measures have undergone any form of testing for reliability and validity.

Also, it is still not clear where the Departments will draw the lines for making final determinations of noncompliance with the Final Rules. For example, where a range of different data measures is evaluated, how will the Departments resolve data outcomes that are noisy, conflicting, or inconclusive? Similarly, where regulators do conclude that the data that are provided suggest a disparity in access, the Final Rules identify a highly robust set of potential corrective actions. However, it remains to be seen what scope of actions the Departments will determine to be “good enough” in practice.

Finally, we are interested in seeing what role private litigation will play in driving health plan compliance efforts and practical impacts for providers. To date, plaintiffs have found it challenging to pursue litigation on the basis of claims under MHPAEA, due in part to the highly complex arguments that must be made to evaluate MHPAEA compliance and in part to the challenge for plaintiffs to have adequate insight into plan policies, operations, and data across MH/SUD and M/S benefits to adequately assert a complaint under MHPAEA. Very few class action lawsuits or large settlements have occurred to date. These challenges for potential litigants may continue to limit the volume of litigation. However, to the extent that the additional guidance in the Final Rules does give rise to an uptick in successful litigation, it is possible that the courts may end up having a greater impact on health plan compliance strategies than regulators.

ENDNOTES

[1] 26 CFR 54.9812- 1(c)(4)(ii)(D), 29 CFR 2590.712(c)(4)(ii)(D), and 45 CFR 146.136(c)(4)(ii)(D).

[2] 26 CFR 54.9812- 1(c)(4)(ii)(E), 29 CFR 2590.712(c)(4)(ii)(E), and 45 CFR 146.136(c)(4)(ii)(E).

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Mental Health, visit the NLR Health Law Managed Care section

USTR Finalizes New Section 301 Tariffs

The United States Trade Representative (USTR) published a Federal Register notice detailing its final modifications to the Section 301 tariffs on China-origin products. USTR has largely retained the proposed list of products subject to Section 301 tariffs announced in the May 2024 Federal Register notice (see our previous alert here) with a few modifications, including adjusting the rates and implementation dates for a number of tariff categories and expanding or limiting certain machinery and solar manufacturing equipment exclusions. USTR also proposes to impose new Section 301 tariff increases on certain tungsten products, polysilicon, and doped wafers.

The notice, published on September 18, 2024, clarifies that tariff increases will take effect on September 27, 2024, and subsequently on January 1, 2025 and January 1, 2026 (Annex A). The final modifications to Section 301 tariffs will apply across the following strategic sectors:

  • Steel and aluminum products – increase from 0-7.5% to 25%
  • Electric vehicles (EVs) – increase from 25% to 100%
  • Batteries
    • Lithium-ion EV batteries – increase from 7.5% to 25%
    • Battery parts (non-lithium-ion batteries) – increase from 7.5% to 25%
    • Certain critical minerals – increase from 0% to 25%
    • Lithium-ion non-EV batteries – increase from 7.5% to 25% on January 1, 2026
    • Natural graphite – increase from 0% to 25% on January 1, 2026
  • Permanent magnets – increase from 0% to 25% on January 1, 2026,
  • Solar cells (whether or not assembled into modules) – increase from 25% to 50%
  • Ship-to-shore cranes – increase from 0% to 25% (with certain exclusions)
  • Medical products
    • Syringes and needles (excluding enteral syringes) – increase from 0% to 100%
    • Enteral syringes – increase from 0% to 100% on January 1, 2026
    • Surgical and non-surgical respirators and facemasks (other than disposable):
      • increase from 0-7.5% to 25%; increase from 25% to 50% on January 1, 2026
    • Disposable textile facemasks
      • January 1, 2025, increase from 5% to 25%; increase from 25% to 50% on January 1, 2026
    • Rubber medical or surgical gloves:
      • increase from 7.5% to 50% on January 1, 2025; increase from 50% to 100% on January 1, 2026
    • Semiconductors – increase from 25% to 50% on January 1, 2025

USTR adopted 14 exclusions to temporarily exclude solar wafer and cell manufacturing equipment from Section 301 tariffs (Annex B), while rejecting five exclusions for solar module manufacturing equipment proposed in the May 2024 notice. The exclusions are retroactive and applicable to products entered for consumption or withdrawn from warehouse for consumption on or after January 1, 2024, and through May 31, 2025. USTR also granted a temporary exclusion for ship-to-shore gantry cranes imported under contracts executed before May 14, 2024, and delivered prior to May 14, 2026. To use this exclusion, the applicable importers must complete and file the certification (Annex D).

With respect to machinery exclusion, USTR added five additional subheadings to the proposed 312 subheadings to be eligible for consideration of temporary exclusions. USTR did not add subheadings outside of Chapters 84 and 85 or subheadings that include only parts, accessories, consumables, or general equipment that cannot physically change a good. USTR will likely issue additional guidance to seek exclusions of products under these eligible subheadings.

Importers should assess the (i) table of the tariff increases for the specified product groups (Annex A), (ii) temporary exclusions for solar manufacturing equipment (Annex B), (iii) the Harmonized Tariff Schedule of the United States (HTSUS) modifications to impose additional duties, to increase rates of additional duties, and to exclude certain solar manufacturing equipment from additional duties (Annex C), (iv) Importer Certification for ship-to-shore cranes entering under the exclusion (Annex D), and (v) HTSUS subheadings eligible for consideration of temporary exclusion under the machinery exclusion process (Annex E). The descriptions set forth in Annex A are informal summary descriptions, and importers should refer to the HTSUS modifications contained in Annex C for the purposes of assessing Section 301 duties and exclusions.

Importers should also carefully review the final list of products subject to the increased Section 301 tariff, with their supply chains, to identify products subject to increases in tariff rates as a result of the recent of USTR and consider appropriate mitigation strategies.

© 2024 Miller, Canfield, Paddock and Stone PLC
For more news on Section 301 Tariffs, visit the NLR Antitrust Trade Regulation section.

Walgreens Settles for $106.8 Million Over FCA Violations

On September 13, the US Department of Justice (DOJ) announced that Walgreens Boots Alliance Inc. and Walgreen Co. (collectively, Walgreens) agreed to pay $106.8 million to resolve allegations of violating the False Claims Act (FCA) and state statutes. The allegations pertain to billing government health care programs for prescriptions that were never dispensed. The government alleged that from 2009 until 2020, Walgreens submitted claims to federal health care programs for prescriptions that were processed but never picked up by beneficiaries. This resulted in Walgreens receiving 10s of millions of dollars for prescriptions that were never actually provided to health care beneficiaries.

Under the resolution, Walgreens agreed to enhance its electronic pharmacy management system to prevent future occurrences and self-reported certain conduct. In addition, Walgreens refunded $66,314,790 related to the settled claims, which allowed Walgreens to receive credit under the DOJ’s guidelines for taking disclosure, cooperation, and remediation into account in FCA cases.

Under the settlement agreement, the federal government received $91,881,530, and the individual states received $14,933,259 through separate settlement agreements. The settlement will resolve three cases pending in the District of New Mexico, Eastern District of Texas, and Middle District of Florida under the qui tam, or whistleblower, provision of the FCA. Whistleblowers Steven Turck and Andrew Bustos, former Walgreens employees, will receive $14,918,675 and $1,620,000, respectively, for their roles in filing the suits.

The DOJ’s press release can be found here.

CVS Health Subsidiary Settles FCA Allegations for $60 Million

On September 16, Chicago company Oak Street Health, a subsidiary of CVS Health, agreed to pay $60 million to resolve allegations that it violated the FCA by paying kickbacks to third-party insurance agents in exchange for recruiting seniors to Oak Street Health’s primary care clinics from September 2020 through December 2022.

According to the DOJ, in 2020, Oak Street Health developed a program called the Client Awareness Program. Under the program, which was developed to increase patient membership, seniors who were eligible for Medicare Advantage received marketing messages designed to generate interest in Oak Street Health. Upon receipt of these messages, third-party insurance agents organized three-way phone calls with Oak Street Health employees for the interested seniors. Oak Street Health paid agents around $200 per beneficiary referred or recommended as part of this service. Instead of basing referrals and recommendations on the best interest of the seniors, these payments allegedly encouraged agents to base referrals and recommendations on Oak Street Health’s financial interests.

The DOJ’s press release can be found here.

Dunes Surgical Hospital Settles for $12.76 Million Over FCA Violations

On September 16, South Dakota companies Siouxland Surgery Center LLP, d.b.a. Dunes Surgical Hospital, United Surgical Partners International Inc. (USPI), and USP Siouxland Inc. agreed to pay approximately $12.76 million to settle FCA allegations related to improper financial relationships between Dunes and two physician groups. Since July 1, 2014, USPI has maintained partial ownership of Dunes through USP Siouxland, a wholly owned subsidiary of USPI. Following an internal investigation, Dunes and USPI disclosed the arrangements at issue to the government.

From at least 2014 through 2019, Dunes allegedly made financial contributions to a nonprofit affiliate of a physician group whose physicians referred patients to Dunes. According to the complaint, those payments allegedly funded the salaries of referring employees. Other allegations include that Dunes provided a different physician group with below-market-value clinic space, staff, and supplies. The DOJ alleged that these arrangements violated both the Anti-Kickback Statute and the Stark Law, which are “designed to ensure that decisions about patient care are based on physicians’ independent medical judgment and not their personal financial interest.”

Following Dunes’ and USPI’s internal compliance review and independent investigation, the companies promptly took remedial actions and disclosed such arrangements to the DOJ. The companies also provided the government with detailed and thorough written disclosures and cooperated throughout its investigation, resulting in cooperation credit for the companies.

Under the settlement, Dunes and USPI will pay $12.76 million to the federal government for alleged violations of the FCA, and approximately $1.37 million to South Dakota, Iowa, and Nebraska for their share of the Medicaid portion of the settlement.

The DOJ’s press release can be found here.

California Man Convicted for Paying Illegal Kickbacks for Patient Referrals to Addiction Treatment Facilities

On September 11, a federal jury convicted Casey Mahoney, 48, of Los Angeles, for paying nearly $2.9 million in illegal kickbacks for patient referrals to his addiction treatment facilities in Orange County, California. The facilities involved are Healing Path Detox LLC and Get Real Recovery Inc.

According to court documents and evidence presented at trial, Mahoney paid illegal kickbacks to “body brokers” who referred patients to his facilities. These brokers appeared to pay thousands of dollars in cash to patients to induce them to procure treatment at Mahoney’s facilities. Mahoney allegedly concealed these illegal kickbacks through sham contracts with the body brokers. The contracts purportedly required fixed payments and prohibited payments based on the volume or value of patient referrals, when in reality, payments were negotiated based on patients’ insurance reimbursements and the number of days Mahoney could bill for treatment. Mahoney also allegedly laundered the proceeds of the conspiracy through payments to the mother of one of the body brokers, falsely characterizing them as consulting fees.

The Eliminating Kickbacks in Recovery Act formed the basis of the charges against Mahoney. He was convicted of one count of conspiracy to solicit, receive, pay, or offer illegal remunerations for patient referrals, seven counts of illegal remunerations for patient referrals, and three counts of money laundering. He is scheduled to be sentenced on January 17, 2025, and faces a maximum penalty of five years in prison for the conspiracy charge, 10 years in prison for each illegal remuneration count, and 20 years in prison for each money laundering count.

The DOJ’s press release can be found here.

© 2024 ArentFox Schiff LLP

by: D. Jacques SmithRandall A. BraterMichael F. DearingtonNadia PatelHillary M. Stemple, and Rebekkah R.N. Stoeckler of ArentFox Schiff LLP

For more news on FCA Violations visit the NLR Criminal Law Business Crimes section.

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers with certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of their application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that that do not qualify as small business and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes as sale of personal data to only transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GBLA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Data Privacy, visit the NLR Communications Media Internet section.