HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident earlier this year when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks are subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commiserate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

Congress Passes ADVANCE Act to Accelerate Deployment of Advanced Nuclear Reactors

On June 18, the Senate passed the Accelerating Deployment of Versatile, Advanced Nuclear for Clean Energy (ADVANCE) Act as a section of the Fire Grants and Safety Act (S.B. 870). The Senate approved House amendments to the bill with a vote of 88-2, opposed only by Senators Edward Markey (D-MA) and Bernie Sanders (I-VT). The ADVANCE Act has diverse backing from industry, government, and nonprofit stakeholders, and its passage reflects strong bipartisan support for promoting advanced nuclear reactors, which offer carbon-free dispatchable energy generation for both electricity and industrial applications. The ADVANCE Act now heads to President Biden, who is expected to sign the act into law.
The ADVANCE Act is the latest in a series of recent legislative and regulatory developments aimed at bolstering the development of a technology that may be necessary to meet the nation’s growing energy demand. Advanced reactors promise improvements over conventional, much larger light water reactors. These improvements include additional safety features, lower waste yields, and operational flexibility that can complement integration with intermittent renewable energy or energy storage. One category of advanced reactors, small modular reactors (SMR), is of particular interest; SMRs hold the potential of fitting within the footprint of industrial applications.
In 2019, President Trump signed into law the Nuclear Energy Innovation and Modernization Act (NEIMA), which directed the Nuclear Regulatory Commission (NRC) to streamline its licensing process for advanced reactors and modified the fee structure for traditional and advanced reactors. The passage of the ADVANCE Act builds on NEIMA and provides even more support to deploy advanced nuclear reactors efficiently and successfully.

Key Provisions of the ADVANCE Act

PROMOTING NEW NUCLEAR TECHNOLOGIES

  • Reduced Fees for Advanced Nuclear Reactor Application Reviews. The Act amends NEIMA and sets a specific fee reimbursement rate for NRC’s review of advanced nuclear reactor licensing applications. While applicants are responsible for direct program salaries and benefits for the nuclear reactor safety program, the costs associated with indirect program and agency support expenses will not be passed onto applicants.
  • Prizes for Advanced Nuclear Reactors. To incentivize the successful development and deployment of advanced nuclear reactors, the Act establishes multiple prizes. The first entities to successfully deploy the specified types of advanced nuclear reactors can receive federal funding to cover the licensing and permitting costs associated with deployment.
  • Development, Qualification, and Licensing of Advanced Nuclear Fuel Concepts. The Act directs the NRC to improve its ability to qualify and license advanced nuclear fuel. The NRC must collaborate with the Department of Energy (DOE) to test and demonstrate accident-tolerant fuels and advanced nuclear reactor fuel concepts; operate a knowledge-sharing database for agencies and the private sector; and ensure both NRC and DOE have the technical expertise to support advanced nuclear fuel from the research stage through commercial application. A report detailing these efforts must be submitted to Congress within two years.
  • Licensing and Oversight for Nuclear Facilities on Brownfields and Retired Fossil-Fuel Plant Sites. The Act directs the NRC to identify and report on regulatory, guidance, or policy changes to streamline licensing reviews and oversight for nuclear facilities at brownfields and retired fossil-fuel electric generation sites. Within two years, the NRC must adopt strategies and initiate rulemaking to achieve these efficiency improvements. This provision recognizes the advantage of using existing power grid infrastructure to bring nuclear facilities online and the potential of advanced reactor construction to create more high-paying jobs for former fossil-fuel industry workers.
  • Licensing and Regulation of Microreactors and Nonelectric Applications of Nuclear Technology. The Act directs the NRC to develop strategies and guidance for licensing and regulating microreactors, covering items such as oversight and inspections, emergency preparedness, risk analysis methods, and the transportation of fueled microreactors. Additionally, the Act directs the NRC to submit a report to Congress detailing unique licensing issues or requirements for nonelectric applications of nuclear energy, along with a proposed budget and timeline for implementing regulatory guidance.

STRENGTHENING THE NUCLEAR WORKFORCE, FUEL CYCLE, SUPPLY CHAIN, AND INFRASTRUCTURE

  • Nuclear Energy Traineeship Program. The Act directs the NRC to coordinate with trade schools and institutions of higher education to establish a competitive nuclear energy traineeship program. The program must provide training that meets the critical mission needs of the NRC and nuclear workforce needs.
  • NRC Hiring and Compensation Improvements. The Act includes provisions to ensure the NRC is prepared to review licenses safely and successfully should the demand for NRC licensing and oversight services increase. Specifically, the Act empowers the NRC Chair to appoint up to 120 exceptionally well-qualified individuals into the excepted service and up to 20 exceptionally well-qualified individuals into term-limited positions during each fiscal year. In addition, the Act allows the NRC to determine the compensation for these positions without regard to the General Schedule classification and pay rates, subject to some limitations. The NRC may also award hiring bonuses and performance bonuses.
  • Biennial Reporting on Spent Nuclear Fuel and High-Level Radioactive Waste. The Act requires the Secretary of Energy to submit a report to Congress no later than January 1, 2026, and biennially thereafter, that describes spending related to (1) breaches of contract under the Nuclear Waste Policy Act of 1982 and (2) storage, management, and disposal of spent nuclear fuel and high-level radioactive waste (including the projected lifecycle costs for such activities). The report must also describe mechanisms and recommendations to improve accounting of liabilities and lifecycle costs for spent fuel and radioactive waste. Additionally, the report must describe any activities taken in the previous fiscal year by DOE with respect to interim storage and the development and deployment of technologies that enhance the safe transportation and storage of spent nuclear fuel or high-level radioactive waste.
  • Report on Advanced Manufacturing and Construction Methods. The Act directs the NRC to submit a report to Congress within 180 days on advanced manufacturing and construction techniques for nuclear energy projects. The report must, among other things, assess licensing issues, identify safety standard gaps, and provide recommendations to use the existing regulatory framework or engage in new rulemaking to support advanced manufacturing and construction methods.

IMPROVING NRC EFFICIENCY AND EFFECTIVENESS

  • Updated NRC Mission Statement. The Act provides that the NRC must update its mission within a year to include that licensing and regulation will be conducted “in a manner that is efficient and does not unnecessarily limit” the civilian use of radioactive materials, the benefits of civilian use of radioactive materials, or the benefits of nuclear energy technology to society.
  • Periodic Review of Performance Metrics and Milestones. The Act amends NEIMA and directs the NRC to review its performance metrics and milestones at least once every three years and to revise them as necessary to reflect the most efficient metrics and milestones reasonably achievable.
  • Nuclear Licensing Efficiency. The Act mandates that the NRC establish techniques and guidance for evaluating nuclear reactor license applications that support efficient, timely, and predictable regulatory reviews and the safe use of nuclear reactors.
  • Modernization of Environmental Reviews. To streamline the approval of new nuclear reactor license applications, the Act directs the NRC to improve the efficiency, timeliness, and predictability of NEPA environmental reviews through the expanded use of categorical exclusions, environmental assessments, and generic environmental impact statements. The NRC must submit a report on these efforts to Congress within 180 days.
  • Report on Oversight and Inspection Program Improvements. The Act requires the NRC to provide a report to Congress within a year that identifies potential improvements to NRC’s oversight and inspection programs for nuclear reactors and materials. The report must assess options to maximize program efficiency through the use of risk-informed, performance-based procedures; information technologies; staff training; improved planning; and licensee innovations that may advance nuclear reactor operational efficiency and safety.

ADVANCING INTERNATIONAL NUCLEAR LEADERSHIP

  • Export and Innovation Activities. The Act directs the NRC to support interagency and international coordination related to nuclear reactor import and export licensing. Specifically, the Act directs the NRC to engage in international coordination to promote (1) international technical standards for licensing and regulating nuclear reactor design, construction, and operation; (2) competent nuclear regulatory organizations and frameworks in countries seeking to develop civil nuclear industries; and (3) exchange programs and training for foreign countries to improve their regulation and oversight of nuclear reactors and radioactive materials. The Act empowers the NRC to establish an “International Nuclear Export and Innovation Branch” to support these efforts.
  • DOE Global Nuclear Energy Assessment. The Act directs the Secretary of Energy to conduct a study in consultation with the Secretary of State, Secretary of Commerce, the Administrator of the Environmental Protection Agency, and the NRC that evaluates the global status of the civilian nuclear energy industry and its supply chains. The study must provide recommendations to strengthen the United States’ engagement with nuclear energy in foreign policy and modernize regulatory requirements to improve domestic supply chains of civilian nuclear energy.
  • Prohibitions on Russian and Chinese Enriched Uranium. The Act prohibits possession and ownership of enriched uranium fuel fabricated by an entity in Russia or China. A person may obtain a license to possess or own such fuel, but the Act provides that the NRC may only issue such a license in consultation with the Secretaries of Energy and State.
  • Foreign Ownership of Nuclear Facilities. Under the Atomic Energy Act, nuclear reactor licenses could not be issued to foreign corporations and other entities. The Act modifies this restriction and allows the NRC to issue licenses to governments, corporations, citizens, and foreign nationals of Organization of Economic Cooperation and Development member countries and India if issuance is not contrary to national security or public health and safety.

Other Recent Developments

  • DOE Funding for Small Modular Reactors. On June 17, DOE issued a Notice of Intent to distribute $900 million to support the deployment of small modular reactors (SMRs). Part of the funding comes from President Biden’s Bipartisan infrastructure Law.
  • Reappointment of NRC Chair. On June 18, the current Chairman of the NRC, Christopher Hanson, was sworn in for a second term – running through 2029. In his confirmation hearings, Senators pressed him to work harder on NRC reform.
  • NRC Rulemaking for Advanced Reactors. In response to NEIMA, the NRC has drafted proposed revisions to create a risk-informed, performance-based, and technology-inclusive framework for advanced reactors. An analysis by Van Ness Feldman lawyers found that the NRC has substantial headroom within its Congressional safety mandate to reduce the risk aversion and restrictiveness in its licensing and permitting process.
 

CFIUS Determines it Lacks Jurisdiction to Review Chinese Land Acquisition

In 2022, Fufeng USA, a subsidiary of Chinese company Fufeng Group, purchased 370 acres near Grand Forks, North Dakota, with the intention of developing the land to build a plant for wet corn milling and biofermentation,[1] prompting opposition from federal and state politicians.[2] North Dakota Senators, North Dakota’s Governor, and Senator Marco Rubio urged the Committee on Foreign Investment in the United States (CFIUS) to review the acquisition as a potential national security risk for being located within 12 miles from the Grand Forks Air Force Base, which is home to military drone technology and a space networking center.[3] Following CFIUS’ review of Fufeng’s notice submission, CFIUS determined that it lacked jurisdiction over the transaction. This post summarizes the public information about that CFIUS case and provides observations about the responses by North Dakota and CFIUS in the wake of Fufeng’s proposed investment.

CFIUS Review and Determination

1. Procedural History

In conjunction with rising public opposition to its land acquisition, public reports show that Fufeng USA submitted a declaration to CFIUS on July 27, 2022.[4] North Dakota local news outlet Valley News Live obtained a copy of the CFIUS closing letter to that declaration filing, which stated that CFIUS determined on August 31, 2022 that it lacked sufficient information to assess the transaction and requested that the parties file a full notice.[5] (CFIUS has the option under the regulations to request a full notice filing at the conclusion of the abbreviated 30-day review of a declaration filing.) Based on the CFIUS closing letter to that subsequent notice filing, which was likewise obtained and published by Valley News Live, Fufeng USA submitted a notice on October 17, 2022, and CFIUS subsequently concluded that it lacked jurisdiction to review the transaction in December 2022.[6]

2. Why CFIUS did not Review under its Part 802 Covered Real Estate Authority

According the CFIUS Letter released by Fufeng to Valley News Live, Fufeng submitted its notice pursuant to 31 C.F.R. Part 800 (“Part 800”), which pertains to covered transaction involving existing U.S. businesses.[7] The closing letter made no reference to the transaction being reviewed as a “covered real estate transaction” under 31 C.F.R. Part 802 (“Part 802”).[8] A reason for this could be that, at the time the case was before CFIUS, the land acquisition by Fufeng USA was not within any of the requisite proximity thresholds and, thus, did not fall within Part 802 authority. Under Part 802, CFIUS has authority over certain real estate transactions involving property in specific maritime ports or airports, or within defined proximity thresholds to identified “military installations” listed in Appendix A to Part 802. Grand Forks Air Force Base was not included in Appendix A at that time, nor was the acquired land within the defined proximity of any other listed military installation. Accordingly, the only way for CFIUS to extend authority would be under its Part 800 authority relating to certain acquisitions of U.S. businesses.

3. CFIUS Determined It Lacked Jurisdiction Under its Part 800 Covered Transaction Authority

CFIUS’ closing letter to Fufeng stated that “CFIUS has concluded that the Transaction is not a covered transaction and therefore CFIUS does not have jurisdiction under 31 C.F.R. Part 800.”[9] Part 800 provides CFIUS with authority to review covered control transactions (i.e., those transactions that could result in control of a U.S. business by a foreign person) or covered investment transactions (i.e., certain non-controlling investments directly or indirectly by a foreign person in U.S. businesses involved with critical technology, critical infrastructure, or the collection and maintaining of US citizen personal data). Greenfield investments, however, inherently do not involve an existing U.S. business. As such, greenfield investments would be outside of CFIUS’ jurisdiction under Part 800. Although the justification underlying CFIUS’ determination regarding Fufeng’s acquisition is not publicly available, CFIUS might have determined that it lacked authority under Part 800 because Fufeng’s purchase of undeveloped land was not an acquisition of a U.S. business, but more likely a greenfield investment.

State and Federal Response

Under state and federal pressure, the City of Grand Forks, which initially approved Fufeng’s development of the corn milling facility, “officially decided to terminate the development agreement between the city and Fufeng USA Inc.” on April 20, 2023.[10] This decision was largely impacted by the U.S. Air Force’s determination that “the proposed project presents a significant threat to national security with both near- and long-term risks of significant impacts to our operations in the area.”[11] As of today, the land appears to still be under the ownership of Fufeng USA.[12]

CFIUS’ determination that it lacked authority drew sharp criticism from state and federal politicians. North Dakota Senator Cramer purported that CFIUS may have determined the jurisdictional question too narrowly and indicated that the determination may prompt federal legislative action.[13] Senator Marco Rubio (R-Florida) concurred, issuing a statement that permitting the transaction was “dangerous and dumb.”[14] In response to the determination, the Governor of South Dakota announced plans for “legislation potentially limiting foreign purchases of agricultural land” by investigating “proposed purchases of ag land by foreign interests and recommend either approval or denial to the Governor.”[15]

On April 29, 2023, North Dakota Governor Doug Burgum signed Senate Bill No. 2371 into law, which prohibits local development and ownership of real property by foreign adversaries and related entities, effective August 1, 2023. Notably, these entities include businesses with a principal executive offices located in China, as well as businesses with a controlling Chinese interest or certain non-controlling Chinese interest.

On May 5, 2023, the U.S. Department of Treasury, the agency tasked with administering CFIUS, also took steps to expand its authority to cover more real property acquisitions. It published a Proposed Rule that would expand CFIUS covered real estate transaction authority over real restate located with 99 miles of the Grand Forks Air Force Base and seven other facilities located in Arizona, California, Iowa, and North Dakota. See a summary of that Proposed Rule and related implications at this TradePractition.com blog post.

FOOTNOTES

[1] See, Alix Larsen, CFIUS requesting Fufeng USA give more information on corn mill development, Valley News Live (Sep. 1, 2022), https://www.valleynewslive.com/2022/09/01/cfius-requesting-fufeng-usa-give-more-information-corn-mill-development/.

[2] See Letter from Gov. Doug Burgum to Secretaries Janet Yellen and Lloyd Austin (Jul. 25, 2022), https://www.governor.nd.gov/sites/www/files/documents/Gov.%20Burgum%20letter%20urging%20expedited%20CFIUS%20review%2007.25.2022.pdf; Letter from Senators Marco rubio, John Hoeven, and Kevin Cramer to Secretaries Janet Yellen and Lloyd Austin (Jul. 14, 2022), https://senatorkevincramer.app.box.com/s/2462nafbszk2u6yosy77chz9rpojlwtl.

[3] See id; Eamon Javers, Chinese Company’s Purchase of North Dakota Farmland Raises National Security Concerns in Washington, CNBC, July 1, 2022, https://www.cnbc.com/2022/07/01/chinese-purchase-of-north-dakota-farmland-raises-national-security-concerns-in-washington.html.

[4] See, Alix Larsen, CFIUS requesting Fufeng USA give more information on corn mill development (Sep. 1, 2022), https://www.valleynewslive.com/2022/09/01/cfius-requesting-fufeng-usa-give-more-information-corn-mill-development/.

[5] See id.

[6] See Stacie Van Dyke, Fufeng moving forward with corn milling plant in Grand Forks (Dec. 13, 2022), https://www.valleynewslive.com/2022/12/14/fufeng-moving-forward-with-corn-milling-plant-grand-forks/.

[7] See id.

[8] Id.

[9] See id.

[10] Bobby Falat, Grand Forks officially terminates Fufeng Deal (Apr. 20, 2023), https://www.valleynewslive.com/2023/04/20/grand-forks-officially-terminates-fufeng-deal/.

[11] News Release, Senator John Hoeven, Hoeven, Cramer: Air Force Provides Official Position on Fufeng Project in Grand Forks, (Jan. 31, 2023), https://www.hoeven.senate.gov/news/news-releases/hoeven-cramer-air-force-provides-official-position-on-fufeng-project-in-grand-forks.

[12] See, Meghan Arbegast, Fufeng Group owes Grand Forks County more than $2,000 in taxes for first half of 2022 (Apr. 5, 2023), https://www.grandforksherald.com/news/local/fufeng-group-owes-grand-forks-county-more-than-2-000-in-taxes-for-first-half-of-2022.

[13] See Josh Meny, Senator Cramer discusses latest on Fufeng in Grand Forks (Dec. 27, 2022), https://www.kxnet.com/news/kx-conversation/senator-cramer-discusses-latest-on-fufeng-in-grand-forks/.

[14] Press Release, Senator Marco Rubio, Rubio Slams CFIUS’s Refusal to Take Action Regarding Fufeng Farmland Purchase (Dec. 14, 2022) https://www.rubio.senate.gov/public/index.cfm/2022/12/rubio-slams-cfius-s-refusal-to-take-action-regarding-fufeng-farmland-purchase.

[15] Jason Harward, Gov. Kristi Noem takes aim at potential Chinese land purchases in South Dakota (Dec. 13, 2022),https://www.grandforksherald.com/news/south-dakota/gov-kristi-noem-takes-aim-at-potential-chinese-land-purchases-in-south-dakota.

© Copyright 2023 Squire Patton Boggs (US) LLP

For more Global Legal news, click here to visit the National Law Review. 

Does the “Patent Eligibility Restoration Act of 2023” Revive Diagnostic Claims?

On June 22, Senator Chris Coons, along with Thom Tillis introduced the “Patent Eligibility Restoration Act of 2023” (hereinafter “the Act”) to amend 35 USC s. 101 to clarify the scope of patent-eligible subject matter. Section 101(b) would be amended to delete “includes a new use of a known process” and insert “includes a use, application, or method of manufacture of a known or naturally occurring process.” A section (k) would be added to define the term “useful” as meaning that the invention or discovery has a “specific and practical utility” from the perspective of a POSA. So far, so good. The use of a naturally occurring process can be read to cover the use of a naturally occurring correlation, an “If A then B” claim. The recognition of the discovery of the utility of a naturally occurring correlation, which leads to a diagnostic conclusion would seem to be included in this broad language.

But now things get a bit sketchy. The Act would abolish all the current judicial, e.g. Chakrabarty, exclusions but would add a set of statutory exclusions that overlap the judicial exclusions in some places. The exclusions include “an unmodified human gene”—good-bye Myriad—and an unmodified natural material as that material exists in nature, e.g., water. This exclusion would not jeopardize diagnostic claims since a per se is not being claimed.

More troublesome, Section C of the exclusions would include a process that “occurs in nature wholly independent of, and prior to, any human activity.” Diagnostic claims are process claims that are based on the recognition of the utility of a correlation that takes place in the body. The utility of the diagnostic claim lies solely in the recognition of the utility of the correlation. If a man has an elevated level of PSA he is at risk of developing, or may already have, prostate cancer. But isn’t the relationship between PSA levels and cancer/no cancer a process that occurs in nature wholly independent of, and prior to, any human activity, such as sampling and measuring the level of PSA in the blood? Please read the Act and tell me why I am wrong.

© 2023 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.

For more Intellectual Property Legal News, click here to visit the National Law Review.

How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack

In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

© 2023 Bradley Arant Boult Cummings LLP

For cybersecurity legal news, click here to visit the National Law Review.

Permitting Reform Package Passes as Part of Debt Ceiling Deal

The past year’s long wrangling between Republicans, Democrats, and the White House on permitting reform finally made progress this month when Congress enacted significant reforms to the National Environmental Policy Act (“NEPA”) as part of the legislation to increase the debt ceiling. Prior to this legislation, the core statutory framework of NEPA had remained relatively unchanged for 50 years. Building from Rep. Garrett Graves’ (R-LA., 6th Dist.) “Building United States Infrastructure through Limited Delays and Efficient Reviews” (“BUILDER”) Act of 2023, the permitting reform title of the Fiscal Responsibility Act of 2023 (“FRA” or “legislation”) tackles four key areas:

(1) reforming NEPA to make the federal environmental review process simpler and quicker;

(2) directing a study of the existing capacity of our transmission grid to reliably transfer electric energy between distinct regions and subsequent recommendations to improve interregional transfer capabilities within the grid;

(3) streamlining permitting for energy storage projects; and

(4) congressional ratification of the Mountain Valley Pipeline.

Several of the reforms to NEPA codify changes to the Council on Environmental Quality (“CEQ”) NEPA implementing regulations made during the Trump Administration.

While these provisions are intended to yield significant benefits for projects requiring federal approvals or funding, the actual impact will depend substantially on how the reforms are implemented, and there remains considerable interest in other aspects of permitting and siting reform making further legislative action likely.

Key NEPA Reforms

The FRA includes numerous changes to NEPA. We have highlighted several key changes here.

Narrowing the Scope of “Major Federal Action”

The term “major Federal action” is the trigger for requiring environmental review under NEPA – federal actions that qualify as a “major Federal action” must be considered under NEPA. The new legislation narrows the definition of what constitutes a “major Federal action” by limiting the term to actions that the lead agency deems are “subject to substantial Federal control and responsibility.” The legislation does not define this phrase, leaving substantial room for agency interpretation. Building on this general concept, the amendments codify the regulatory definition of a “major Federal action,” with modifications. As now defined, certain federal actions will be excluded from the scope of a major federal action, including:

  • non-federal actions (i.e., private or state actions) “with no or minimal Federal funding”;
  • non-federal actions (i.e., private or state actions) “with no or minimal Federal involvement where a Federal agency cannot control the outcome of the project”;
  • funding assistance consisting exclusively of general revenue sharing funds, where the federal agency does not have “compliance or enforcement responsibility” over the use of those funds;
  • “loans, loan guarantees, or other forms of financial assistance where a Federal agency does not exercise sufficient control and responsibility over the subsequent use of such financial assistance or the effect of the action”;
  • Small Business Act business loan guarantees under section 7(a) or (b) of the Small Business Act or title V of the Small Business Investment Act of 1958;
  • federal agency activities or decisions with effects located entirely outside of the jurisdiction of the United States; and
  • non-discretionary activities or decisions that are made in accordance with the agency’s statutory authority.

The meaning and application of these exclusions to specific actions will be subject to interpretation and likely litigation going forward. For example, what constitutes minimal funding—a threshold dollar amount or a percentage of the federal funding contribution in relation to overall project cost—is not clearly identified under the revisions. Resolution of this question will be critical to determining what actions are subject to NEPA review going forward. Given the recent dramatic increase in federal funding opportunities from the Inflation Reduction Act and Infrastructure Investment and Jobs Act, determining what actions are subject to NEPA review based on the level of federal funds involved is likely to become a more frequent and important question.

Scope of Review

When an agency action constitutes a “major Federal action,” the FRA also focuses and limits the scope of the NEPA review in two key ways.

First, the legislation modifies the statute’s existing, broad language requiring that “major Federal actions” significantly affecting the quality of the human environment include a detailed statement on the “environmental impact of the proposed action.” The revised language statutorily limits environmental review of environmental effects to those that are “reasonably foreseeable.” This change follows from a provision of the Trump Administration’s 2020 NEPA rule—later removed by the Biden Administration—which sought to eliminate long-used concepts of direct, indirect, and cumulative effects and instead focus on effects that are reasonably foreseeable and that have “a reasonably close causal relationship to” the proposed action or alternatives. Although the new statutory language does not go as far as the Trump Administration’s rule, which required a “close causal relationship,” it does follow the trend in case law to only require evaluation of reasonably foreseeable impacts. What project-specific impacts are “reasonably foreseeable” is still likely to be the subject of litigation.

Second, the FRA also makes changes regarding the alternatives analysis, often considered the heart of NEPA review. The legislation clarifies that agencies are to consider a “reasonable range” of alternatives to the proposed agency action, and that such alternatives must both be “technically and economically feasible” and “meet the purpose and need of the proposal.” This seems to codify long-standing guidance from CEQ contained in its 40 Most Asked Questions Concerning CEQ’s NEPA Regulations. In addition, it directs that, in assessing the no action alternative, agencies must include an analysis of any negative environmental impacts of not implementing the proposed action. Whether an agency has met its obligations under NEPA to consider “alternatives to the proposed action” is a frequent source of controversy and litigation, particularly for the authorization of large infrastructure and energy projects.

These changes should both help focus environmental reviews and reduce costs and delays associated with challenges to agencies’ alternative analyses and emphasize the importance of properly defining the “purpose and need” of a proposed action.

Data Standards and Requirements

The FRA includes several provisions related to data. First, it clarifies that in making a determination on the appropriate level of review (Environmental Impact Statement (“EIS”), Environmental Assessment (“EA”), or categorical exclusion), the lead agency can make use of any reliable data source—and that “new scientific or technical research [is not required] unless the new scientific or technical research is essential to a reasoned choice among alternatives, and the overall costs and time frame of obtaining it are not unreasonable.” It is unclear whether this will be applied beyond the determination of what level of review is required. This change has the potential to limit delays due to agencies undertaking or requesting additional studies from project proponents. What is deemed “essential” and what costs and timeframe are “not unreasonable,” however, remain undefined.

Second, the legislation requires that the action agency “ensure the professional integrity, including scientific integrity, of the discussion and analysis in an environmental document.” The practical implications and scope of this scientific integrity mandate are unclear—and is likely to be a subject of agency guidance and, potentially, future litigation.

Efficiency Measures

The FRA further codifies several less controversial changes from the Trump Administration 2020 NEPA rule, which the recent Biden rulemaking had left in place. These changes include expressly recognizing and establishing regulations for EAs. Additionally, these changes include setting page limits for EISs—150 pages generally and 300 pages for agency actions “of extraordinary complexity”—and EAs—75 pages—excluding citations and appendices. Additionally, the changes codify the regulatory presumptive deadlines for completion of NEPA reviews—two years for EISs and one year for EAs. The legislation goes beyond existing regulations by creating the right to judicial review when an agency fails to meet a deadline. Under the new legislation, if an agency misses the deadline, the delayed project’s sponsor may seek a court order requiring the agency to act as soon as practicable, which is not to exceed 90 days from the date on which the order was issued unless the court determines that additional time is needed to comply with applicable law.

Further, the legislation clarifies the role of the NEPA lead agency, specifying that the lead agency must develop a schedule, in cooperation with each cooperating agency, the applicant, and other appropriate entities, for the completion of the environmental review and any permit or authorization required to carry out the proposed agency action. This mirrors provisions previously adopted as part of Title 41 of the Fixing America’s Surface Transportation Act (“FAST-41”) in 2015, which has demonstrated success in requiring coordination and improving the permitting and authorization processes for certain large infrastructure projects. Although the FRA expressly contemplates extensions to the schedule, just having a schedule in place can be a helpful tool in the timely completion of NEPA reviews.

In addition, the legislation authorizes project applicants to hire independent consultants to prepare EISs and EAs, subject to the independent review of the lead agency. This provision can provide project applicants with a path to minimize delays caused by a lack of staff and resources at federal agencies.

Programmatic Reviews and Categorical Exclusions

The FRA also codifies the current agency practice of preparing and relying on programmatic environmental documents to streamline the review process for subsequent actions that implement the evaluated program. The legislation provides that programmatic review can be relied on for five years without additional review, and after five years if the agency reevaluates the analysis. Although this change promotes further use of programmatic reviews, the five-year period presumption and reevaluation process could present challenges in certain cases given the extensive resources and time required to undertake a programmatic review and tiered reviews.

The FRA also seeks to facilitate the use of categorical exclusions in the NEPA process by authorizing agencies to adopt a categorical exclusion established by another agency. The legislation lays out a process for consulting with the agency that established the exclusion to determine whether adoption is appropriate, notifying the public of the plan to use the categorical exclusion, and documenting adoption of the categorical exclusion. Though dependent upon agencies taking advantage of this new flexibility, this could have the effect of enabling some types of projects to forgo detailed environmental review.

Other Provisions

In addition to the NEPA reforms, the FRA includes several other important permitting provisions. The legislation seeks to streamline and accelerate permitting for “energy storage” projects by adding energy storage to the list of “covered projects” under FAST-41.

Additionally, the legislation provides a clear path for the completion of the much-delayed Mountain Valley Pipeline project. The legislation finds the timely completion of the project is in the national interest, and congressionally approves and ratifies the various federal authorizations required for the project. Further, the legislation bars judicial review of federal agency actions with respect to the project.

Finally, the legislation requires the North American Electric Reliability Corporation (“NERC,” the entity responsible for setting reliability standards for the nation’s electric grid) to undertake a study within a year and a half on whether more transfer capacity is needed between existing transmission planning regions—including recommendations on measures to increase the amount of energy that can be reliably moved between the studied regions. The Federal Energy Regulatory Commission will thereafter have a year to seek and consider public comments on the study and file a report with Congress detailing any recommendations for statutory changes. This study provision was in lieu of a larger set of transmission-related actions that are of key interest to Democratic lawmakers that will be the subject of future legislative efforts.

Implications

Although the provisions in FRA are not a silver bullet to solve every NEPA woe experienced by project applicants, it is a significant step in the right direction. The codification of key concepts within the NEPA statute itself (rather than regulation, guidance, or case law) will have a durable, long-lasting impact on implementation of environmental reviews because it limits the regulation issuance/withdrawal cycle that we have witnessed with the recent administration changes.

Looking forward, we can expect a rulemaking by CEQ to align the existing regulations with the revised statutory language, as well as additional rulemakings by other agencies to harmonize their NEPA implementing regulations with the revised law. For the last year, we have awaited the Phase 2 NEPA rulemaking from CEQ, as explained in our previous alert. With this new legislation, it seems likely that CEQ will pause and further revise its proposed regulations to capture these new reforms before issuing additional regulations. We can also expect future guidance—and eventual litigation—on several ambiguous provisions in the new legislation as agencies begin to implement them.

While the intention behind the legislation is to speed and ease what has become a very lengthy, expensive, and perilous environmental review process—far exceeding the original intent of NEPA—whether these goals are achieved will depend on whether federal agencies embrace them or look for ways to interpret the reforms to continue “business as usual.”

For example, to meet the new timelines, it is possible that federal agencies will require applicants to provide all documentation needed for the environmental review before starting the clock. This approach would have the effect of undermining the statutory timeframes as well as the efficacy of the public engagement process. Similarly, while the legislation seeks to curtail the extent of the analysis through page limits, it is foreseeable that relatively short EISs and EAs could be weighed down with thousands of pages of analysis contained in the appendices.

It also remains to be seen how courts will interpret these reforms. The “hard look” standard developed by courts to evaluate the adequacy of environmental review documents may have the effect of ballooning the analyses again despite Congress’ intent to streamline the process.

Finally, while these reforms are substantial, Congress continues to discuss and debate additional reforms to address unresolved federal siting and permitting concerns—particularly with respect to energy infrastructure projects. Notably absent from the legislation was transmission permitting reform language of interest to Democratic lawmakers as well as provisions to support oil and gas leasing on federal lands and to facilitate the siting and permitting of mining projects to boost domestic supplies of critical minerals essential for existing and developing clean energy technologies.

© 2023 Van Ness Feldman LLP

For more environmental legal news, click here to visit the National Law Review. 

No More Surprise Medical Bills: Providers Score More Victories in First Year of No Surprises Act Arbitrations, But Claims Backlog Otherwise Complicates Implementation

In the year following the implementation of the arbitration process established under the federal No Surprises Act (NSA), more than 330,000 disputes have been submitted for resolution. This figure far outpaces the predictions of the US Departments of Health and Human Services (HHS), Labor, and the Treasury (the Departments), and complicates the implementation of the NSA.

*This is the eighth article in a series analyzing the No Surprises Act and its implementation. To view the entire series, click here.

As background, Congress passed the NSA in 2020, effective in 2022, to curb so-called “surprise” medical bills — balance bills received by patients in situations where they have no control over who is involved in their care. Frequently, patients incur these bills when they obtain emergency care from out-of-network facilities or non-emergency services at in-network facilities where at least one member of the care team is out-of-network. In these situations, the NSA forbids out-of-network providers from balance billing the patients to collect the difference between billed charges and what the patient’s health insurance actually paid. Instead, to protect patients and ensure that reasonable payments are made to providers, the NSA establishes an alternative dispute resolution process, allowing eligible parties to submit disputed claims to independent dispute resolution entities (IDREs) to determine appropriate out-of-network payment rates.

Dispute resolution was intended to be streamlined and efficient, but IDREs have been inundated with submissions in the year since the NSA became effective. The volume of claims has created a significant backlog, hindering providers’ ability to obtain timely and appropriate reimbursement for the services they rendered. In an effort to promote transparency, the Departments recently issued a “status update” on the arbitration process. The report revealed several key findings regarding the volume, eligibility, and outcomes of claims submitted under the NSA to date.

Key Findings of the Status Update Report

First, the report provided insight into the overall numbers of claims that have been filed since the NSA became effective. Since the federal claims submission portal first went live in April 2022, disputing parties have initiated more than 330,000 arbitration submissions. This figure is nearly 14 times greater than the Departments’ initial estimates. The sheer volume of claims has drastically slowed the adjudication of claims submitted under the NSA.

Second, the report states that IDREs have rendered determinations in favor of one party or the other in only a small fraction of cases, with approximately 42,000 disputes decided as of March 31, 2023. Of these, initiating parties (typically health care providers) have prevailed approximately 71% of the time.

Third, to date, IDREs have closed more cases than they have decided. Overall, more than 100,000 claims,  – more than four times the amount anticipated by the Departments, have been closed. There are various reasons for this. Some claims were closed following successful negotiations between the parties. Others were closed due to one or both parties failing to submit the required fees mandated under the NSA. A large number — nearly 40,000 — were closed for eligibility reasons. Non-initiating parties have challenged the eligibility of more than a third of claims submitted for arbitration, balking at approximately 120,000 disputes. Non-initiating parties frequently object that claims are not eligible for arbitration under the NSA for multiple reasons, including lack of timely negotiation or arbitration submission, or because the disputed claims involve insurance programs outside the scope of the NSA.

In addition to the objections lodged by non-initiating parties, the IDREs have an independent duty to confirm that all claims submitted for arbitration are eligible under the NSA. These determinations require IDREs to engage in what can be a complex and time-consuming analysis of each claim, frequently requiring the submission of additional information from the parties. The report finds that these eligibility determinations represent the primary cause for the delays in processing arbitration submissions.

Finally, in an effort to help resolve delays, the status update includes that the Departments have begun to require initiating parties to submit additional information to assist IDREs in evaluating the eligibility of claims. The Departments have also modified the arbitration portal to require the input of additional information to enable non-initiating parties to identify disputed claims. These are among the “ongoing technical and operational improvements” the report states the Departments have been making over the last year.

Looking Ahead: Additional Legislation and Ongoing Court Challenges

The report highlights a series of problems that have hampered the implementation of the NSA, including larger-than-expected dispute volume, complex eligibility determinations, and technical issues. Collectively, these problems have left many parties awaiting arbitration awards and payment.

Meanwhile, the legal challenges to the Departments’ implementing regulations under the NSA continue, and HHS Secretary Xavier Bacerra recently testified before Congress regarding the implementation of the NSA. These developments have fueled speculation that Congress may step in and pass additional legislation to streamline the arbitration process. While these events play out, providers should continue to submit timely open negotiation notices and IDR initiation forms to preserve their rights under the NSA.

A copy of CMS’s report can be found here.

© 2023 ArentFox Schiff LLP

For more Healthcare Legal News, click here to visit the National Law Review.

As White House Loses House Majority, what is Next for H-1B Visa Program?

The H-1B is a popular and highly-sought-after visa category for skilled foreign workers seeking to work in the United States. It has been the subject of much debate and controversy over the years, and recent changes in the political landscape have added new uncertainties and challenges to the H-1B visa process. This blog post explores the impact of the Biden administration on changes to the H-1B visa, as well as the role of the new Republican majority in the House of Representatives in shaping the future of the H-1B visa program.

What is the H-1B Visa?

The H-1B is a temporary, nonimmigrant visa category that allows employers to petition on behalf of highly-educated foreign professionals who work in specialty occupations that require at least a bachelor’s degree. These jobs are generally in the fields of science, technology, engineering, and mathematics (“STEM”), enhancing American competitiveness in the global economy. In fact, in an effort to be even more competitive, the Biden administration recently expanded eligible fields of study that qualify under the program, as described in greater detail on this blog.

The H-1B visa allows U.S. employers to fill critically important jobs in the United States with foreign workers.  While many critics of the H-1B argue that it potentially limits job opportunities for U.S. workers, many others suggest that H-1B workers offer critical support to the U.S. economy. In fact, according to the American Immigration Counsel, H-1B recipients provided critical assistance during the COVID-19 pandemic, with many doctors, scientists, and nurses present in the U.S. on the H-1B visa, including individuals who assisted with the development of vaccines.

Biden Administration and its Relationship with Immigration Reform

One of the key priorities of the Biden administration has been to modernize and improve the U.S. immigration system, including the H-1B visa program. To this end, the Biden administration has taken steps to make the H-1B visa process more accessible and efficient for skilled foreign workers, including increasing the number of visas available, increasing transparency and consistency in the lottery process, and streamlining the application process.

According to a recent article by Forbes, Senator Richard Durbin (D-IL) and Senator Alex Padilla (D-CA) are expected to return as Senate Judiciary Committee chair and immigration subcommittee chair, respectively. It is expected that Sen. Chuck Grassley (R-IA) will no longer be ranking member on the Senate Judiciary; Sen. Lindsey Graham (R-SC) likely will hold that position. Just last year, Senator Grassley blocked an exemption from green card limits for certain foreign nationals with PhDs in STEM fields – a move that frustrated employers and universities alike.

Although Democrats hold the majority in the Senate, the House now features a Republican majority, which may complicate immigration reform efforts on Capitol Hill.

Republicans on Capitol Hill Seek to Counter Democratic Efforts on Immigration

The new Republican majority in the House of Representatives may pose a challenge to the Biden administration’s efforts to reform the H-1B visa program. Republicans have traditionally been more critical program and have pushed for reforms that would restrict the number of visas available and make it more difficult for foreign workers to come to the United States.

Sen. Tom Cotton (R-AR) has been a vocal critic of the H-1B program, stating that it is used to hire cheap foreign labor at the expense of American workers. Similarly, Sen. Grassley has expressed concerns about the impact of the program on American workers, claiming that while the visa was intended to help American businesses recruit the best and brightest talent from around the world, it’s too often been used to import cheaper foreign labor and displace American workers.

Given these differing perspectives, the future of the H-1B visa program will likely continue to be a source of political debate and controversy in the United States. However, it is clear that both sides of the political aisle agree that it needs to be reformed in some way, whether to make it more accessible and efficient for skilled foreign workers, or to better protect the interests of American workers.

Currently, the H-1B process in the United States is in a state of flux, with the Biden administration taking steps to modernize and improve the program, while the new Republican majority in the House of Representatives raises concerns about its impact on American workers. Whether the program will ultimately be reformed to better serve the interests of foreign workers, American workers, or both remains to be seen, but clearly this issue will continue to be a major source of political debate and controversy in the United States for the foreseeable future.

Article By Raymond G. Lahoud of Norris McLaughlin P.A.

For more immigration legal news, click here to visit the National Law Review.

©2023 Norris McLaughlin P.A., All Rights Reserved

SECURE 2.0 Act Brings Slate of Changes to Employer-Sponsored Retirement Plans

In December, the SECURE 2.0 Act of 2022 (“SECURE 2.0”) was passed, a package of retirement provisions providing comprehensive updates and changes to the SECURE Act of 2019. The legislation includes some key changes that affect employer-sponsored defined contribution plans, such as profit-sharing plans, 401(k) plans, 403(b) plans and stock bonus plans. While some of the changes are effective immediately upon the law’s enactment, most required changes are not effective before the plan year beginning on or after January 1, 2024, so employer sponsors have time to prepare for compliance.

Required Changes

Mandatory automatic enrollment in new plans.

Plan sponsors are currently allowed to provide for automatic enrollment and automatic escalation in 401(k) and 403(b) plans. SECURE 2.0 requires new 401(k) and 403(b) plans to automatically enroll participants at a new default rate, and to escalate participants’ deferral rate each year, up to a maximum of 15%, with some exceptions for new and small businesses. This provision applies to new plans with initial plan years beginning after December 31, 2024.

Changes to long-term part-time employee participation requirements.

The Act currently requires 401(k) plans to permit participation in the deferral part of the plan only by an employee who worked at least 500 hours (but less than 1000 hours) per year for three consecutive years. SECURE 2.0 changes this participation requirement by long-term part-time employees working more than 500, but less than 1000, hours per year to two consecutive years instead of three. However, this two-year provision does not take effect until January 1, 2025, which means the original SECURE Act three-year provision still applies for 2024. Employers should start tracking hours for part-time employees to determine whether they will be eligible in 2024 or 2025 under this provision. For vesting purposes, pre-2021 service is disregarded, just as service is disregarded for eligibility purposes. This provision is applicable to 401(k) plans and 403(b) plans that are subject to ERISA and does not apply to collectively bargained plans. This provision applies to plan years beginning after December 31, 2024.

Changes to catch-up contributions limits.

If a defined contribution plan permits participants who have attained age 50 to make catch-up contributions, the catch-up contributions are now required to be made on a Roth basis for participants who earn at least $145,000 (indexed after 2024) or more in the prior year. This provision is effective for taxable years beginning after December 31, 2023.

Changes to the required minimum distribution (RMD) age.

Currently, required minimum distributions must begin at age 72 for participants who have terminated employment. SECURE 2.0 increases the age to age 73 starting on January 1, 2023, and to age 75 starting on January 1, 2033. This means that participants who turn 72 in 2023 are not required to take an RMD for 2023; instead, they will be required to start taking RMDs for calendar year 2024, the year in which they turn 73. This provision is effective for distributions made after December 31, 2022, for individuals who turn 72 after that date.

Early withdrawal tax exemption for emergency withdrawal expenses.

SECURE 2.0 provides for an exception from the 10% early withdrawal tax on emergency expenses, defined as certain unforeseeable or immediate financial needs, on a limited basis (once per year, up to $1000). Plans may allow an optional three-year payback period, and participants are restricted from taking another emergency withdrawal within three years of any unpaid amount on a previous withdrawal. This provision is effective for plan years beginning on or after January 1, 2024.

Changes to automatic enrollment for new plans.

Almost all new defined contribution plans will be required to auto-enroll employees upon hire (existing plans are exempt from this provision). This provision is applicable for plan years beginning on or after January 1, 2025.

Optional Changes

Additional catch-up contribution opportunities.

Currently, the catch-up contribution limits for certain plans are indexed for inflation and apply to employees who have reached the age of 50. SECURE 2.0 increases catch-up contribution limits for individuals aged 60-63 to the greater of: (1) $10,000 (indexed for inflation), or (2) 50% more than the regular catch-up amount in effect for 2024. This provision is effective for plan years beginning on or after January 1, 2025.

Additional employer contributions to SIMPLE IRA plans.

Current law requires employers with SIMPLE IRA plans to make employer contributions to employees of either 2% of compensation or 3% of employee elective deferral contributions. SECURE 2.0 allows employers to make additional contributions to each employee of a SIMPLE plan in a uniform manner, provided the contribution does not exceed the lesser of up to 10 percent of compensation or $5,000 (indexed). This provision is effective for taxable years beginning after December 31, 2023.

Replacing SIMPLE IRA plans with safe harbor 401(k) plans.

The new law also permits an employer to elect to replace a SIMPLE IRA plan with a safe harbor 401(k) plan at any time during the year, provided certain criteria are met. The current law prohibits the replacement of a SIMPLE IRA plan with a 401(k) plan mid-year. This provision also includes a waiver of the two-year rollover limitation in SIMPLE IRAs converting to a 401(k) or 403(b) plan. This change is effective for plan years beginning after December 31, 2023.

Increasing involuntary cash-out threshold.

Currently plans may automatically cash-out a vested participant’s benefit that is between $1,000 and $5,000 and roll this amount over to an IRA. SECURE 2.0 allows plans to increase the $5,000 involuntary cash-out limit amount to $7,000. This provision of the law is effective for distributions made after December 31, 2023.

Relaxation of discretionary amendment deadline.

Under current law, a discretionary plan amendment must be adopted by the end of the plan year in which it is effective. SECURE 2.0 allows plans to make discretionary plan amendments to increase benefits until the employer’s tax filing deadline for the immediately preceding taxable year in which the amendment is effective. This applies to stock bonus, pension, profit-sharing or annuity plans to increase benefits for the preceding plan year. This provision is effective for plan years beginning after December 31, 2023.

Elimination of unnecessary plan notices to unenrolled participants.

SECURE 2.0 eases the administrative burden on plan sponsors by eliminating unnecessary plan notices to unenrolled participants. Under the amended law, plan sponsor notices to unenrolled participants may consist solely of an annual notice of eligibility to participate during the annual enrollment period, as opposed to numerous notices from the plan sponsor. This provision is effective for plan years beginning after December 31, 2022.

Crediting of student loan payments as elective deferrals for purposes of matching contributions.

Under SECURE 2.0, student loan payments may be treated as elective deferrals for the purposes of matching contributions to a retirement plan. This provision is available for plan years beginning on or after January 1, 2024.

Matching contributions designated as Roth contributions.

Previously, employer matching contributions could not be made as Roth contributions. Effective on the date of the enactment of SECURE 2.0, 401(a), 403(b), or governmental 457(b) plans may allow employees the option to designate matching contributions as Roth contributions.

Expansion of the Employee Plans Compliance Resolution System (EPCRS).

Currently, EPCRS contains procedures to self-correct certain limited, operational failures that are insignificant and corrected within a three-year period. SECURE 2.0 expands this, generally permitting any inadvertent failure to be self-corrected under EPCRS within a reasonable period after the failure is identified, without a submission to the IRS, subject to some exceptions. This provision went into effect on the date of enactment.

Recoupment of overpayments.

Currently, fiduciaries for plans that have mistakenly overpaid a participant must take reasonable steps to recoup the overpayment (for example, by collecting it from the participant or employer) to maintain the tax-qualified status of the plan and comply with ERISA. Under SECURE 2.0, 401(a), 403(a), 403(b), and governmental plans (not including 457(b) plans) will not lose tax qualification merely because the plan fails to recover an “inadvertent benefit overpayment” or otherwise amends the plan to permit this increased benefit. In certain cases, the overpayment is also treated as an eligible rollover distribution. This provision became effective upon enactment with certain retroactive relief for prior good faith interpretations of existing guidance.

Simplified plan designs for “starter” 401(k) and 403(b) plans.

Effective for plan years beginning after December 31, 2023, SECURE 2.0 creates two new plan designs for employers who do not sponsor a retirement plan: a “starter 401(k) deferral-only arrangement” and a “safe harbor 403(b) plan.” These plans would generally require that all employees be enrolled in the plan with a deferral rate of three percent to 15 percent of compensation.

Financial incentives for contributions.

SECURE 2.0 allows participants to receive de minimis financial incentives (not paid for with plan assets) for contributing to a 401(k) or 403(b) plan. Previously, plans were prohibited from offering financial incentives (other than matching contributions) to employees for contributing to a plan. This provision became effective for plan years starting after the date of enactment.

When do employers need to amend their plans for the SECURE Act, CARES Act, and SECURE 2.0 (“the Acts”)?

If a retirement plan operates in accordance with the Acts, plan amendments must be made by the end of the 2025 plan year (or 2027 for governmental and collectively bargained plans). (The amendment deadlines for SECURE and CARES were extended late last year.)

© 2023 Varnum LLP

Congress Votes to Impose Bargaining Agreement to Avoid Nationwide Railroad Strike

Both the House and Senate have passed legislation under the Railway Labor Act to avoid a railroad strike by imposing the bargaining agreement brokered by President Joe Biden in September 2022.

The House already voted in favor of the legislation. (For details of the bill, see our article, President Biden Calls on Congress to Avoid Mass Railroad Strike.) With the Senate also voting to pass the main bill, by an 80-15 vote, the threat of a strike has been averted. The legislation moves to the president for his signature. Biden has indicated he will sign the bill.

While the House voted in favor of the separate, additional piece of legislation that would have added seven paid sick leave days annually for the rail workers, the Senate did not have enough votes to pass that bill. President Biden vowed in a separate statement to seek paid leave in the future not just for rail workers, but for all workers.

What was passed by Congress in its joint resolution was short and succinct. The three-page joint resolution stated that all tentative agreements entered into by the rail carriers and the unions were considered in effect as if they had been ratified. The exact terms of each collective bargaining agreement vary by union and were not part of the bill that was passed. This is a result of the special powers given to Congress under the Railway Labor Act.

All contracts contained generous wage increases: roughly 24 percent over four to five years with one extra day of leave. However, the other detailed terms will vary across the dozen national craft unions.

Jackson Lewis P.C. © 2022