New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth


The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their Fast Healthcare Interoperability Resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide to certified API developers the FHIR service base URL necessary for patients to access their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident than earlier this year, when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks is subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commensurate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

50 Creative Content Ideas for Businesses and Consultants

When it comes to professional service firms and consultants, the challenge isn’t finding content ideas, it’s choosing the ones that will truly resonate with your audience. The goal is to fill your editorial calendar with posts that keep you visible, relevant and connected with the people who matter most, which include clients, potential hires and referral sources. It’s about creating content that offers real value and positions you as a trusted resource.

Building a Content Strategy That Resonates for Professional Service Firms and Consultants

For professional service firms and consultants, creating engaging content is about more than just filling up an editorial calendar, it’s about choosing ideas that connect with your audience on a deeper level. The real challenge lies in selecting topics that are not only relevant but also genuinely valuable to clients, potential hires and referral sources. Effective content keeps you visible, showcases your expertise and strengthens your reputation as a trusted resource in your field.

Here’s how to create impactful content for your blog, LinkedIn and other social channels. This approach will help you create content that resonates with the people who matter most to your business, driving engagement and helping you stay top-of-mind in a crowded market.

  1. Understand Your Audience’s Needs and Interests: Take time to research what topics are top-of-mind for your clients, prospective clients and industry connections. What questions are they asking? What challenges do they face? Tailoring content around these insights ensures that your posts provide practical answers and value.
  2. Prioritize Value-Driven Content: When brainstorming ideas, focus on content that educates, informs or provides actionable insights. Avoid self-promotional or overly technical topics that may not resonate. Content that genuinely helps your audience solve problems or understand industry trends will set you apart as a valuable resource.
  3. Use Varied Content Types for Engagement: Mix up your content to keep it fresh and engaging. Some ideas work well as blog posts or LinkedIn articles, while others might be better suited for quick LinkedIn posts, infographics or short videos. Diversifying your formats can attract different types of engagement and keep your audience coming back.
  4. Maintain Consistency: Building trust requires regular engagement. Schedule posts to maintain a steady presence, so your audience knows they can rely on you for frequent, quality insights. Aim to post consistently without overloading your audience, finding a rhythm that balances frequency with quality.
  5. Track What Resonates: Use analytics to monitor which topics receive the most engagement. Pay attention to comments, shares and direct messages to identify themes that resonate, and adapt your content plan accordingly.

50 Content Ideas to Get You Started

Here are 50 content ideas to help you build a strong, consistent presence on your blog, email newsletters, LinkedIn and other social platforms.

  1. Show your workspace: Give a tour of where you work, whether it’s your office, a co-working space or a virtual setup. This humanizes your firm and makes you more relatable.
  2. Introduce your team: Highlight key team members and their roles, showcasing their expertise and contributions to the success of the firm.
  3. Introduce yourself: Share your career path, your expertise and how you’ve helped clients achieve success.
  4. Showcase a service you provide: Explain a service in detail, focusing on its benefits and how it solves problems for your clients.
  5. Client testimonials: Share short video testimonials from clients explaining how you helped them and what impact your services had on their business.
  6. Tell a story: Share success stories of how you’ve helped clients overcome significant challenges in their industries.
  7. A day in the life: Take your audience through a typical day at your company to show what goes on behind the scenes.
  8. Behind the scenes: Show the preparation that goes into a major project, event or client engagement.
  9. Answer frequently asked questions: Provide insights and answers to common questions clients ask about your services and processes.
  10. Share industry trends: Offer commentary or analysis on current trends in your industry and how clients can take advantage of them.
  11. How it started vs. how it’s going: Share the evolution of your business or a significant project, demonstrating your growth and accomplishments.
  12. Repurpose blog posts or articles: Share snippets from articles or blogs you’ve written, summarizing key takeaways for your audience.
  13. How-to videos: Create short videos explaining complex concepts or offering professional tips and advice.
  14. Share client success stories: Highlight case studies or client success stories that show the value your services provide.
  15. Your regular work routine: Share the routines or habits that help you stay productive and successful in your field.
  16. Reality vs. expectations: Compare what clients typically expect versus the reality of working with your firm or consultancy, focusing on positive surprises.
  17. Before and after: Show the impact of your services through before-and-after case studies of client businesses.
  18. Quick tips: Share a few short, actionable tips related to your field, such as best practices in your area of expertise.
  19. Do what people ask for in comments: Engage directly with your audience by answering questions or addressing topics they raise in the comments.
  20. Positive reactions to industry news: Provide your take on relevant news in your field and why it matters to your clients.
  21. Share the tools you use: Talk about the tools and resources your firm or consultancy uses to stay efficient and deliver great results for clients.
  22. Celebrate business milestones: Highlight significant moments in your business, such as anniversaries, major achievements or new partnerships.
  23. Highlight a professional skill: Focus on showcasing a specific skill you offer, explaining how it benefits clients and what problems it solves.
  24. Client interviews: Record short interviews with clients about their experience working with your firm, showcasing their success stories.
  25. Encouraging messages: Share positive, motivational insights related to your industry or business practices.
  26. A sneak peek into a major project: Offer a behind-the-scenes look at an exciting new project you’re working on.
  27. Run a social media contest: Engage with your audience by running a contest related to your services (e.g., offer a free consultation or a business audit).
  28. Explain your core values: Share a story or insight about the core values that drive your business and how they impact your services.
  29. Show your thought process: Walk your audience through how you approach solving a client’s problem, emphasizing your expertise.
  30. Tips for Hiring in Your Field: Offer advice on hiring practices or skills to look for in your industry.
  31. Case study in your niche: Share a detailed case study about a particular challenge you solved for a client, emphasizing the results and impact.
  32. Checklist for the week: Offer a weekly checklist that helps clients stay on top of key tasks in their industry or business.
  33. 5 pros & cons of (your niche): Provide a balanced view on the benefits and challenges of working in your field, demonstrating your in-depth knowledge.
  34. Industry updates: Share the latest trends or changes in regulations that impact your clients, positioning yourself as a thought leader.
  35. Favorite tools you use: Discuss the tools or software you use to increase efficiency and improve results for clients.
  36. Quick hacks for getting results: Share a quick tip or hack that helps clients achieve better outcomes in their business.
  37. How clients got results: Highlight how clients benefited from working with your firm, with a focus on outcomes and results.
  38. Things I wish I knew before starting my business: Offer insights or lessons you’ve learned that can benefit other entrepreneurs or consultants.
  39. Highlight key lessons from industry events: Share top takeaways or insights from industry conferences, webinars or roundtables that your firm attended.
  40. Share Lessons Learned from a Recent Client Project: Highlight a recent client project and share key takeaways or lessons learned. This helps showcase your expertise while providing practical insights that could benefit your audience.
  41. Ask for followers’ suggestions: Engage your audience by asking them for content ideas or business topics they want to learn more about.
  42. Encourage followers to ask questions: Create a post inviting your audience to ask you questions about your services, industry trends or business advice.
  43. Create an “ask me anything” session: Host a session where your audience can ask you anything, whether it’s about business, personal growth or industry insights.
  44. Insights from Recent Conferences: Share takeaways from recent industry events or conferences (with photos!).
  45. Spotlight a client’s journey: Highlight the stages of a client’s experience, from the initial consultation to the final outcome. Break down how your firm guided them through each phase, offering valuable insights along the way.
  46. Share key takeaways from major projects: Highlight insights and lessons learned from significant client projects, showcasing how your firm’s expertise helped achieve successful outcomes. This provides value to your audience while reinforcing your industry knowledge.
  47. Show before and after results: For service-based businesses, showing the impact your consultancy or firm has made can build credibility.
  48. Showcase industry predictions and trends: Share your thoughts on the future of your industry. Highlight key changes you expect over the next 6-12 months and what businesses should do to prepare.
  49. Highlight women in leadership: Showcase women leaders in your firm or industry. Share their journeys, achievements and advice to inspire others and emphasize your firm’s commitment to diversity.
  50. Behind-the-scenes insight: Offer a glimpse into the process behind your firm’s latest project, case or transaction, giving clients a better understanding of how your firm operates.

These content ideas can help you stay consistent with your social media presence and maintain visibility within your industry. By using content that speaks directly to your audience and showcases your expertise, you’ll keep your firm connected and top of mind for potential clients.

What Happened: Policy and Politics

Baseline: The future of the Inflation Reduction Act (IRA), signed in 2022 to boost US clean energy with new tax incentives, hangs in the balance. President-elect Trump and some Republicans in Congress have threatened to repeal all or part of it because they don’t agree with the policy, and they need the revenue savings to offset their 2017 Tax Cuts and Jobs Act (TCJA) extensions. The processing of a tax bill next year provides a rare opening for taxpayers who are dissatisfied with the IRA or with the Biden administration tax regulations which implement the IRA.

Pulse Check: Much depends on whether Republicans gain control of both chambers of Congress, enabling them to tap into the vaunted congressional budget reconciliation process and easing their path to legislative change.

What to Monitor: Expect IRA supporters to spend time educating administration officials and congressional offices about the valuable economic and other benefits provided by these tax provisions, particularly in GOP-represented congressional districts and states. Meanwhile, industries from biofuels to hydropower are lobbying for new tax credits in the 2025 tax bill, aiming to secure a place in the complex tax landscape that lies ahead.

Voters delivered a sweeping victory to Donald Trump on Tuesday, setting him up to be the 47th President, and the first since Grover Cleveland in 1892 to be elected to a second non-consecutive term. After a surprise electoral college victory in 2016 and a narrow defeat in 2020, Trump won an outright majority of the national popular vote, the first Republican to do so since George W. Bush in 2004. While his victory helped propel a pickup of at least four Senate seats, wresting back control of the chamber from Democrats, the fate of the House remains uncertain pending the counting of outstanding California mail ballots that could drag out for a week or more.

The victory was driven by disproportionate gains among key demographics and subgroups that will become clear as the dust settles, but the overall pattern was unmistakable: Trump made significant gains coast-to-coast, in urban, suburban, and rural areas, and among virtually every cohort of the electorate. His improvement in the key battlegrounds was actually dwarfed by his gains in the nation’s bluest states, with double-digit swings in places like New York, Maryland and California. In addition to avenging his 2020 loss, the President-elect can now credibly claim a popular mandate for his policies, and quite possibly the congressional majorities to pursue them legislatively.

The restoration of President-elect Trump represents a return to 2016-17, with many of the same conditions seen seven years ago: the potential for a unified Republican government, and a clear commitment from the new administration to roll back the regulatory agenda of the previous administration and institute “America-first” policies when it comes to energy, immigration and trade. The key difference is that while the outcome of the 2016 election caught even the Trump apparatus flat-footed, preparations for President-elect Trump’s second term have been underway for the past three years. Expect a second Trump administration to be savvier and more focused in carrying out its goals, installing key personnel, and implementing policy.

The expectation is that strong policy decisions are ready for implementation on Inauguration Day through Executive Orders that will clearly lay out the regulatory and policy framework for rescinding and replacing the Biden administration agenda. Examination of the Inflation Reduction Act and Infrastructure Investment and Jobs Act mechanisms will certainly occur. President-elect Trump has made clear his intentions to leverage American foreign policy through trade and tariffs rather than military means. Particularly in the energy space, President-elect Trump has pledged a return to American energy dominance backed by a foundation and focus on leveraging domestic traditional energy resources. As observed in his first term, separating campaign rhetoric from implemented policy will continue to be a critical exercise. It is a guarantee that President-elect Trump intends to staff up quickly with political loyalists who have experience in navigating the proclivities of both a Trump administration and Washington bureaucracy, one that he has yet again pledged to dismantle.

President-elect Trump re-assumes the White House with a certain Republican majority in the US Senate and a likely slim majority in the US House of Representatives, providing the ability to implement legislative initiatives while ensuring a full swath of Cabinet-level and senior-level appointees. Legislative action will be necessary for targeting provisions of the Inflation Reduction Act, and while the notion of full repeal exists in rhetoric, it is more likely that Republicans use a more precise approach, preserving legacy provisions that tend to benefit traditional energy sources and targeting those that are more renewable energy focused. However, the slim majorities in each chamber complicate the full breadth of legislation that Republicans can expect to implement. The focus in the early days of Congress will be on the aforementioned Senate confirmation process and resolutions of disapproval under the Congressional Review Act to repeal Biden administration regulations finalized in the last 60 days of the previous Congress, which are both likely to be comfortable party-aligned exercises. The tools of congressional oversight will be trained on assisting the Trump administration in implementing regulatory changes and building a record toward federal agency reforms – such as permitting, federal workforce, and agency re-organization.

No More Fraud Vampires: Whistleblowers Put a Stake in Phlebotomy Unlawful Kickback Scheme

31 October 2024. Two whistleblowers “stopped the bleeding” caused by an alleged kickback scheme perpetrated by a mobile phlebotomy service based in California. Veni-Express, Inc. and its owners have agreed to pay $135,000 to settle allegations of violating the Anti-Kickback Statute and False Claims Act. While the award for the two whistleblowers has not yet been determined, False Claims Act qui tam whistleblowers may be rewarded between 15-25% of the settlement.

Overview of the Case

According to the allegations, from 2015 to 2019, Veni-Express allegedly submitted false claims to federal health care programs for services that were not actually performed. These services included venipuncture procedures during homebound patient visits and non-reimbursable travel mileage claims for the visits. The fraudulent activities were reportedly conducted with the oversight of the company’s owners, Myrna and Sonny Steinbaum.

Additionally, between July 2014 and June 2015, Veni-Express allegedly paid unlawful kickbacks to Altera Laboratories, also known as Med2U Healthcare LLC, to market their services. These kickbacks were disguised as a percentage of company revenue.

Unlawful Kickbacks and Phantom Billing

The Anti-Kickback Statute (AKS) is a federal law that prohibits healthcare providers from offering, soliciting, or receiving anything of value to induce or reward referrals for services covered by federally funded healthcare programs, such as Medicare and Medicaid. When providers violate the AKS, they compromise patient care by prioritizing financial gain over medical necessity, which can lead to unnecessary, costly, or substandard treatments. Phantom billing, which involves charging Medicare and Medicaid for services never provided, drains funds that could otherwise be used for essential care for beneficiaries. It leads to increased healthcare costs, putting a strain on federally funded healthcare programs and potentially causing cuts or restrictions in services. This fraudulent practice also erodes trust in the healthcare system, which can prevent beneficiaries from seeking the care they need. As the Special Agent in Charge for the Department of Health and Human Services Office of the Inspector General said about the case, “Improper incentives and billing Medicare for services never actually provided divert taxpayer funding meant to pay for medically necessary services for Medicare enrollees.”

Settlement Details

The settlement agreement is based upon the parties’ ability to pay, requiring Veni-Express to pay $100,000, with additional payments contingent upon the sale of company property. Myrna Steinbaum will pay $25,000, while Sonny Steinbaum will contribute $10,000.

Whistleblower Involvement

The whistleblowers in the qui tam actions were a former phlebotomist and a laboratory technical director. The qui tam provision in the False Claims Act allows private citizens with knowledge of fraud to report fraud schemes to the government and share in the government’s recovery.

Implications for Healthcare Professionals

This whistleblower settlement serves as a cautionary tale for healthcare professionals, emphasizing the need for strict adherence to regulatory standards. It underscores the power industry insiders have to speak up and put an end to fraud schemes that taint the healthcare profession.

Let’s Circle Back (and eFile) after the Holidays

The Consumer Product Safety Commission launched its eFiling Beta Pilot a little over a year ago. Non-pilot participants were invited to participate in voluntary eFiling last summer, and the CPSC extended this stage to October 10, as it continued to work on a revised rule. The CPSC had anticipated completing a final rulemaking by the end of its fiscal year, which would have meant a full system implementation around January 1, 2025 – but regardless of when the final rule is published, the CPSC has proposed that the requirements go into effect 120 days after publication in the Federal Register.

Notably, the National Association of Manufacturers submitted comments regarding the rulemaking, highlighting issues with the proposed rules, including the scope of the filing system, technical and financial burdens for implementing the system, and the feasibility of complying with the proposed 120-day effective date window. It remains to be seen whether the CPSC will take these comments into consideration when the staff releases the updated package in the coming weeks, with a commission vote expected before the end of the year.

The eFiling program is the CPSC’s initiative to enable importers of regulated consumer products to file certain data from Certificates of Conformity (COC) electronically with Customs and Border Protection (CBP). This is not merely emailing existing COCs to CPSC or CBP, but digitizing individual data elements of the COC either directly into CBP’s Automated Commercial Environment (ACE) or through CPSC’s Product Registry.

There are many misconceptions related to the new rule and eFiling process and CPSC has created a broad resource library to help importers of record, the parties ultimately responsible for eFiling, comply with the new requirements. Any product that requires a COC today (whether a General Certificate of Conformity or a Children’s Product Certificate) will require eFiling under the new rule. However, the CPSC intends to honor enforcement discretions applied to certain products before the implementation of the eFiling program.

Internal business conversations between import compliance personnel, customs teams, product compliance teams, and brokers to discuss digitizing COC data and developing methods to manage trade parties, such as implementing identification mechanisms within testing programs, should begin, if they haven’t already. The CPSC also has an eFiling newsletter that is published quarterly and is due for another installment in the next month.

Once the final rule is published, eFiling will be mandatory. So, to ensure compliance, the seamless import of goods, fewer holds at port, fewer targeted shipments, and reduced costs, implicated parties should quickly get familiar with this fast-approaching requirement.

eFiling is a CPSC initiative under which importers of regulated consumer products will electronically file (eFile) data elements from a certificate of compliance with U.S. Customs and Border Protection (CBP), via a Partner Government Agency (PGA) Message Set.

IRS Announces 2025 Retirement Plan Limits

The Internal Revenue Service (“IRS”) has announced the following dollar limits applicable to tax-qualified plans for 2025:

  • The limit on the maximum amount of elective contributions that a person may make to a 401(k) plan, a 403(b) tax-sheltered annuity, or a 457(b) eligible deferred compensation plan increased from $23,000 to $23,500.
  • The limit on “catch-up contributions” to a 401(k) plan, a 403(b) tax-sheltered annuity, or a 457(b) eligible deferred compensation plan for persons age 50 and older is unchanged for 2025 at $7,500.
  • As a result of a change made by SECURE 2.0, for 2025, employees aged 60, 61, 62, and 63 who participate in a 401(k) plan, a 403(b) tax-sheltered annuity, or a 457(b) eligible deferred compensation plan have a higher catch-up contribution limit, which for 2025 is $11,250 instead of $7,500.
  • The dollar limit on the maximum permissible allocation under 401(k) and other defined contribution plans is increased from $69,000 to $70,000.
  • The maximum annual benefit under a defined benefit plan is increased from $275,000 to $280,000.
  • The maximum amount of annual compensation that may be taken into account on behalf of any participant under a qualified plan will go from $345,000 to $350,000.
  • The dollar amount used to identify “highly compensated employees” is increased from $155,000 to $160,000.

Additional information regarding benefit plan dollar limits can be obtained in Notice 2024-80, 2025 Amounts Relating to Retirement Plans and IRAs, as Adjusted for Changes in Cost-of-Living.

Office Politics: The Basics for Private Employers

In case you haven’t noticed the yard signs popping up like mushrooms, the constant barrage of television and radio advertisements, or the unsolicited text messages from unknown numbers, we are in the homestretch of election season. For those employers with questions on how to handle political speech in the workplace, especially during the last few days before (and hopefully not much beyond) Election Day, here is a refresher on the basics for private employers.

The First Amendment to the U.S. Constitution prevents the government from enacting laws to prohibit the free exercise of speech and assembly, among other liberties. It does not apply to private employers. Where there is no state action involved, there is no unfettered right to free speech in a private place of employment. Quite simply, a private employer can enact rules to keep political expression from its workplace. Some employers prohibit political speech in the workplace to avoid potential disruptions to business operations, customer relations, or employee morale.

If an employer adopts a policy concerning political expression and messaging, it must do so fairly and consistently, and it should be inclusive and consistent to avoid the perception of favoritism or discrimination. In other words, if an employer requires Meghan to remove her Kamala button, it should also direct Dennis not to wear his Trump t-shirt. Remote workers are still “in the workplace” when they participate in virtual meetings, so there are no separate rules for them.

When enacting rules about political expression and messaging in the workplace, private employers should of course remain aware of the National Labor Relations Act (NLRA), which applies to both union and non-union settings, and among other things protects employees’ ability to engage in concerted activity or to discuss the terms and conditions of their employment. Therefore, private employers must be mindful of a potential nexus or overlap between employees’ political speech and discussion of working conditions. Under the NLRA, for instance, employees may distribute information during non-working time about a candidate’s stance on a particular issue that may also constitute a complaint about the employees’ working conditions.

8 Things to Know About AFFF Lawsuits

Thousands of individual lawsuits have been consolidated into multidistrict litigation (MDL) against the corporations that make aqueous film forming foam (AFFF), a type of firefighting foam that was filled with per- and poly-fluoroalkyl substances (PFAS), synthetic chemicals that are now known to be dangerous to human health.

Here are 8 things that you should know about the AFFF firefighting foam lawsuits, according to mass tort lawyer Dr. Nick Oberheiden.

1. AFFF Caused Lots of Chemical Contamination

AFFF is one of the types of foam that firefighters use to put out flames. There are two classes of AFFF firefighting foam:

  1. Class A, which is used for combustible fires, like for wood or paper
  2. Class B, which is used for ignitable liquids like oil, gas, or jet fuel

Class A firefighting foams rely primarily on the water in the foam to put out the flames, though they are still substantially more effective than just using straight water. They have far fewer chemicals in them and are used more often than Class B foams.

Of Class B foams, there are two types:

  1. Foams that have fluorine in them
  2. Foams that do not have fluorine in them

Both foams work the same basic way: By blanketing flammable liquids, they prevent the fuel from catching fire and extinguish any lit fuels by suffocating the flames of the oxygen that they need in order to keep burning. This works far better than water for these types of fires, as the flaming liquids are lighter than water and would float on its surface and continue to burn.

AFFF, however, is a fluorinated type of foam. That fluorine comes in the form of a PFAS compound. There are hundreds of types of these compounds, but they are all based on one of the strongest chemical bonds in organic chemistry: the one between fluorine and carbon.

2. PFAS Chemicals are Everywhere

While PFAS chemicals have been used in firefighting foam since the 1970s, when the U.S. Navy worked in collaboration with the giant chemical corporation 3M to produce a foam that could quickly put out fires on vessels, PFAS compounds have been used in a wide variety of other capacities since the 1940s. A very versatile chemical compound, PFAS chemicals were used to:

  • Prevent or remove stains
  • Suppress or resist heat
  • Waterproof materials or make them water resistant
  • Contain grease or oil

As a result, PFAS chemicals have been added to a huge array of consumer products that span nearly every industry, including:

  • Food packaging and wrapping
  • Pizza boxes
  • Raincoats
  • Water resistant clothing and shoes
  • Non-stick cookware
  • Carpeting
  • Paint
  • Wood stain, varnish, and lacquer

In recent decades, though, researchers have noticed that the sheer ubiquity of these chemicals could pose a threat: The carbon-fluorine bond that these synthetic compounds are based on does not break down naturally, leading to PFAS being dubbed “forever chemicals.” Every piece of PFAS that is produced will continue to be a PFAS until something is done to break it down artificially, like putting the chemical into water and then superheating the water well past its boiling point.

3. PFAS Chemicals are Dangerous

It was not until relatively recently that the public learned two things about these PFAS chemicals:

  1. They had contaminated soil and groundwater across the country, and
  2. They were connected to numerous different medical conditions, including several types of cancers.

The strong chemical bond between carbon and fluorine that was fundamental to PFAS meant that, as it was used or disposed of, it would not break down. Instead, PFAS chemicals would just build up in the soil where they were dumped or would contaminate the groundwater in that soil. Eventually, PFAS chemicals found their way into drinking water and water for crops and animals. From there, it got into the food system.

It was not until the 2000s that this became apparent to the public. By then, there had been nearly 60 years of PFAS buildup.

Around this time, medical researchers also discovered that exposure to PFAS chemicals could lead to PFAS contamination in the bloodstream, which could cause a host of serious medical conditions. While research is still being done to find out what, exactly, PFAS chemicals do in the human body and which medical conditions they can cause, PFAS contamination has been linked to increased risks for:

  • Pregnancy issues, including:
    • Fetal death
    • Birth deformities
    • Hypertension
    • Preeclampsia
    • Low birth weight
    • Developmental delays in young children
  • Liver damage
  • Liver cancer
  • Testicular cancer
  • Thyroid cancer
  • Kidney cancer
  • Prostate cancer
  • Fertility problems
  • A dysfunctional immune system, including decreased effectiveness of vaccines
  • Hormonal imbalances
  • Obesity
  • High cholesterol

These are some serious medical conditions that could end up being fatal. Anyone who was exposed to PFAS chemicals, including those in AFFF, is at risk of developing them and can talk to an AFFF lawyer about filing an AFFF firefighting foam lawsuit.

4. These Cases Involve Yet Another Corporate Cover-Up

As lawsuits over PFAS exposure started to get filed in the 2000s, it quickly became clear that the large corporations who had filled our world with PFAS-heavy products had long known the risks associated with them.

PFAS manufacturer DuPont, one of the largest chemical producers on the planet, instructed its workers to only handle PFAS chemicals with extreme care as early as 1961. PFAS manufacturer 3M had discovered that the company’s PFAS chemicals were inside fish that swam in the water near one of its plants in the 1970s. In the 1980s, DuPont suddenly moved all of its female employees out of the production facility that handled PFAS chemicals – several female DuPont employees in the facility had given birth to children with serious deformities.

In spite of these warning signs, these major corporations continued to dispose of PFAS materials however they wanted to – whether that meant dumping it into the water, burying it in the ground, or burning it into the air. They also continued making new products with PFAS chemicals in them, including AFFF firefighting foam in the 1970s, which was then used by military and civilian firefighters both to put out real fuel fires and to train in putting them out. This continued for three decades, with firefighters pumping PFAS-heavy foam onto airport tarmacs and training areas on military bases across the country, deeply contaminating the soil and nearby waterways and exposing the firefighters to dangerous amounts of PFAS chemicals.

The corporate cover-up would have continued, if it were not for two things. First, in 1998, the U.S. Environmental Protection Agency (EPA) learned of an internal study at one of the major PFAS manufacturers that had found that the offspring of pregnant lab rats who had been exposed to PFAS chemicals were almost guaranteed to die within days. Second, the first class action against the PFAS manufacturer Chemours reached a temporary settlement for $71 million and funding for the C8 Science Panel to research the dangers posed by PFAS chemicals. When the Panel started to publish its findings, Chemours quickly settled the case permanently for $671 million.

5. Other PFAS Lawsuits Have Recovered Billions, and That is Just for Clean Up 

Since that first class action settled, many, many more lawsuits have been filed over PFAS contamination. These lawsuits have targeted the major corporations that have manufactured PFAS products, including:

  • 3M
  • DuPont
  • Chemours
  • BASF

All told, these MDLs and class actions have settled for over $11 billion. There are two things about these PFAS lawsuits that are important to know:

  1. They are confined to compensating for cleanup and decontamination costs, and
  2. They apply to general PFAS products, not specifically to AFFF.

This first point is crucial. The plaintiffs in these huge lawsuits have been water districts that have demanded compensation for the costs of upgrading their filtration equipment and the decontamination of their water and soil. None of the $11 billion is earmarked for the inevitable medical conditions that all of that prior PFAS contamination will cause.

6. AFFF Firefighting Foam: Class Action or MDL? AFFF Lawsuits the First to Allege Personal Injuries and Losses

Now, though, an AFFF firefighting foam MDL includes personal injury claims for medical and financial losses by victims of AFFF exposure for the first time. So you have time to file an AFFF lawsuit and join the MDL.

MDL No. 2873 consolidated hundreds of these AFFF firefighting foam cases in the U.S. District Court for South Carolina in January, 2019. This MDL covers individual victims who have suffered from one of the medical conditions associated with PFAS exposure, who need medical monitoring after being exposed to the chemicals, or who have suffered a financial loss for the diminution in the value of their property due to PFAS contamination. The cases are limited to PFAS exposure from contaminated groundwater near military bases, airports, and other industrial sites due to the use of AFFF that contain either of the two main types of PFAS chemicals used in AFFF:

  1. Perfluorooctanoic acid (PFOA)
  2. Perfluorooctane sulfonate (PFOS)

When it was first consolidated into an MDL, there were around 500 cases. Since then, it has exploded to over 9,000 claims by July, 2024, with much of the growth coming in recent months.

7. Status and Future of the AFFF MDL

MDLs like this one have become the preferred way to handle mass tort situations: Cases where the misconduct of one or a small handful of companies has led to hundreds or thousands of people suffering in similar or identical ways. By consolidating all of the cases together for pre-trial procedures, like the gathering of evidence and summary judgment motions, the cases can move forward far more efficiently than if they were all on their own.

Even though the MDL was formed over two years ago now, the AFFF litigation is still in its early stages. The defendant corporations, all of whom manufactured and sold AFFF firefighting foams, will advance numerous legal defenses to avoid accountability for their conduct or to at least mitigate the damage of a judgment or the amount of a settlement. Some of the defenses that we will likely hear are:

  • The medical condition a particular person suffered was caused by something else
  • Some other AFFF manufacturer was responsible for a particular area of contamination
  • Plaintiffs waited too long to file their claims and the statute of limitations has expired
  • The company’s version of AFFF has less PFAS chemicals in it than others

In the meantime, a growing body of medical literature is connecting PFAS exposure and contamination to serious medical issues. We may even see new medical conditions getting linked to AFFF and the toxic chemicals in it.

As evidence is gathered, settlement talks will begin. If these prove to be fruitless, the court will schedule bellwether trials. These are individual cases that are representative of the rest of the cases in the MDL that are brought through a jury trial. The outcomes of those trials are then used to inform further settlement discussions, which nearly always resolve the MDL outside of the courtroom.

8. How This Will Likely End

PFAS lawsuits have been equated to the Big Tobacco Settlement, when cigarette companies settled a class action against them for huge sums. In both cases, the large corporations knew that the products that they were selling were likely to cause life-threatening medical conditions, but continued to sell them and took affirmative actions to cover up evidence that there was any risk.

In the end, though, the most important factor will be the solvency of the defendant corporations that make AFFF. Some of them are substantially larger than others and will be better able to pay the huge settlements that we are likely to see. According to mass tort lawyer Dr. Nick Oberheiden, founding partner of the national law firm Oberheiden P.C. and leading attorney on AFFF cases, “As evidence is gathered, it will become more and more clear what the defendant corporations owe. If they are not able to pay it, they are more likely to extend this MDL to the bellwether trial stage in a risky attempt to avoid settling and try to beat it, altogether. Another option that they would have in this situation is to file for bankruptcy and create a victim’s trust fund, much like asbestos companies did in order to resolve the class action against them for causing mesothelioma.”

PRIVACY ON ICE: A Chilling Look at Third-Party Data Risks for Companies

An intelligent lawyer could tackle a problem and figure out a solution. But a brilliant lawyer would figure out how to prevent the problem to begin with. That’s precisely what we do here at Troutman Amin. So here is the latest scoop to keep you cool. A recent case in the United States District Court for the Northern District of California, Smith v. Yeti Coolers, L.L.C., No. 24-cv-01703-RFL, 2024 U.S. Dist. LEXIS 194481 (N.D. Cal. Oct. 21, 2024), addresses complex issues surrounding online privacy and the liability of companies who enable third parties to collect and use consumer data without proper disclosures or consent.

Here, Plaintiff alleged that Yeti Coolers (“Yeti”) used a third-party payment processor, Adyen, that collected customers’ personal and financial information during transactions on Yeti’s website. Plaintiff claimed Adyen then stored this data and used it for its own commercial purposes, like marketing fraud prevention services to merchants, without customers’ knowledge or consent. Alarm bells should be sounding off in your head—this could signal a concerning trend in data practices.

Plaintiff sued Yeti under the California Invasion of Privacy Act (“CIPA”) for violating California Penal Code Sections 631(a) (wiretapping) and 632 (recording confidential communications). Plaintiff also brought a claim under the California Constitution for invasion of privacy. The key question here was whether Yeti could be held derivatively liable for Adyen’s alleged wrongful conduct.

So, let’s break this down step by step.

Under the alleged CIPA Section 631(a) violation, the court found that Plaintiff plausibly alleged Adyen violated this Section by collecting customer data as a third-party eavesdropper without proper consent. In analyzing whether Yeti’s Privacy Policy and Terms of Use constituted enforceable agreements, it applied the legal frameworks for “clickwrap” and “browsewrap” agreements.

Luckily, my Contracts professor during law school here in Florida was remarkable, Todd J. Clark, now the Dean of Widener University Delaware Law School. For those who snoozed out during Contracts class during law school, here is a refresher:

Clickwrap agreements present the website’s terms to the user and require the user to affirmatively click an “I agree” button to proceed. Browsewrap agreements simply post the terms via a hyperlink at the bottom of the webpage. For either type of agreement to be enforceable, the Court explained that a website must provide 1) reasonably conspicuous notice of the terms and 2) require some action unambiguously manifesting assent. See Oberstein v. Live Nation Ent., Inc., 60 F.4th 505, 515 (9th Cir. 2023).

The Court held that while Yeti’s pop-up banner and policy links were conspicuous, they did not create an enforceable clickwrap agreement because “Defendant’s pop-up banner does not require individuals to click an “I agree” button, nor does it include any language to imply that by proceeding to use the website, users reasonably consent to Defendant’s terms and conditions of use.” See Smith, 2024 U.S. Dist. LEXIS 194481, at *8. The Court also found no enforceable browsewrap agreement was formed because although the policies were conspicuously available, “Defendant’s website does not require additional action by users to demonstrate assent and does not conspicuously notify them that continuing to use to website constitutes assent to the Privacy Policy and Terms of Use.” Id. at *9.

What is more, the Court relied on Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1179 (9th Cir. 2014), which held that “where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on—without more—is insufficient to give rise to constructive notice.” Here, the Court found the pop-up banner and link on Yeti’s homepage presented the same situation as in Nguyen and thus did not create an enforceable browsewrap agreement.

Thus, the Court dismissed the Section 631(a) claim due to insufficient allegations that Yeti was aware of Adyen’s alleged violations.

However, the Court held that to establish Yeti’s derivative liability for “aiding” Adyen under Section 631(a), Plaintiff had to allege facts showing Yeti acted with both knowledge of Adyen’s unlawful conduct and the intent or purpose to assist it. It found Plaintiff’s allegations that Yeti was “aware of the purposes for which Adyen collects consumers’ sensitive information because Defendant is knowledgeable of and benefitting from Adyen’s fraud prevention services” and “assists Adyen in intercepting and indefinitely storing this sensitive information” were too conclusory. Smith, 2024 U.S. Dist. LEXIS 194481, at *13. It reasoned: “Without further information, the Court cannot plausibly infer from Defendant’s use of Adyen’s fraud prevention services alone that Defendant knew that Adyen’s services were based on its allegedly illegal interception and storing of financial information, collected during Adyen’s online processing of customers’ purchases.” Id.

Next, the Court similarly found that Plaintiff plausibly alleged Adyen recorded a confidential communication without consent in violation of CIPA Section 632. A communication is confidential under this section if a party “has an objectively reasonable expectation that the conversation is not being overheard or recorded.” Flanagan v. Flanagan, 27 Cal. 4th 766, 776-77 (2002). It explained that “[w]hether a party has a reasonable expectation of privacy is a context-specific inquiry that should not be adjudicated as a matter of law unless the undisputed material facts show no reasonable expectation of privacy.” Smith, 2024 U.S. Dist. LEXIS 194481, at *18-19. At the pleading stage, the Court found Plaintiff’s allegation that she reasonably expected her sensitive financial information would remain private was sufficient.

However, as with the Section 631(a) claim, the Court held that Plaintiff did not plead facts establishing Yeti’s derivative liability under the standard for aiding and abetting liability. Under Saunders v. Superior Court, 27 Cal. App. 4th 832, 846 (1994), the Court explained a defendant is liable if they a) know the other’s conduct is wrongful and substantially assist them or b) substantially assist the other in accomplishing a tortious result and the defendant’s own conduct separately breached a duty to the plaintiff. The Court found that the Complaint lacked sufficient non-conclusory allegations that Yeti knew or intended to assist Adyen’s alleged violation. See Smith, 2024 U.S. Dist. LEXIS 194481, at *16.

Lastly, the Court analyzed Plaintiff’s invasion of privacy claim under the California Constitution using the framework from Hill v. Nat’l Coll. Athletic Ass’n, 7 Cal. 4th 1, 35-37 (1994). For a valid invasion of privacy claim, Plaintiff had to show 1) a legally protected privacy interest, 2) a reasonable expectation of privacy under the circumstances, and 3) a serious invasion of privacy constituting “an egregious breach of the social norms.” Id.

The Court found Plaintiff had a protected informational privacy interest in her personal and financial data, as “individual[s] ha[ve] a legally protected privacy interest in ‘precluding the dissemination or misuse of sensitive and confidential information.’” Smith, 2024 U.S. Dist. LEXIS 194481, at *17. It also found Plaintiff plausibly alleged a reasonable expectation of privacy at this stage given the sensitivity of financial data, even if “voluntarily disclosed during the course of ordinary online commercial activity,” as this presents “precisely the type of fact-specific inquiry that cannot be decided on the pleadings.” Id. at *19-20.

Conversely, the Court found Plaintiff did not allege facts showing Yeti’s conduct was “an egregious breach of the social norms” rising to the level of a serious invasion of privacy, which requires more than “routine commercial behavior.” Id. at *21. The Court explained that while Yeti’s simple use of Adyen for payment processing cannot amount to a serious invasion of privacy, “if Defendant was aware of Adyen’s usage of the personal information for additional purposes, this may present a plausible allegation that Defendant’s conduct was sufficiently egregious to survive a Motion to Dismiss.” Id. However, absent such allegations about Yeti’s knowledge, this claim failed.

In the end, the Court dismissed Plaintiff’s Complaint but granted leave to amend to correct the deficiencies, so this case may not be over. The Court’s grant of “leave to amend” signals that if Plaintiff can sufficiently allege Yeti’s knowledge of or intent to facilitate Adyen’s use of customer data, these claims could proceed. As companies increasingly rely on third parties to handle customer data, we will likely see more litigation in this area, testing the boundaries of corporate liability for data privacy violations.

So, what is the takeaway? As a brilliant lawyer, your company’s goal should be to prevent privacy pitfalls before they snowball into costly litigation. Key things to keep in mind are 1) ensure your privacy policies and terms of use are properly structured as enforceable clickwrap or browsewrap agreements, with conspicuous notice and clear assent mechanisms; 2) conduct thorough due diligence on third-party service providers’ data practices and contractual protections; 3) implement transparent data collection and sharing disclosures for informed customer consent; and 4) stay abreast of evolving privacy laws.

In essence, taking these proactive steps can help mitigate the risks of derivative liability for third-party misconduct and, most importantly, foster trust with your customers.