Department of Labor Confirms Key Rulemaking Initiatives
The U.S. Department of Labor has recently shared insights into the key actions being taken by the department to ensure safety and health in the workplace while reducing unnecessary burdens on employers and employees.
New regulations are important to ensure that Americans have a safe and healthful working environment, especially in hazardous working environments such as indoor and outdoor settings where workers may be exposed to extreme heat. While there is a clear need for further regulations in some areas to ensure that employers adequately protect their workers, some existing regulations are placing unnecessary burdens on employers with little benefit provided to employees.
The announcement follows the Trump Administration’s semiannual Unified Agenda of Regulatory and Deregulatory Actions, which details the actions currently being taken or under consideration. For the Department of Labor, that includes more than 100 areas of rulemaking, including new rules and rule changes that will ensure that U.S. workers are properly protected, while supporting business growth and advancing the Trump Administration’s goal of putting American workers and businesses first.
“Eliminating red tape and crafting smart regulations that spur job creation will bring us even closer to reaching the Golden Age of the American Worker,” said U.S. Secretary of Labor Lori Chavez-DeRemer. “The Department of Labor is committed to helping President Trump and the entire Administration implement this bold regulatory agenda, which focuses on flexibility, transparency, and common-sense reform to ensure every hardworking family has a fair shot at achieving the American Dream.”
On April 15, 2025, President Trump signed an executive order – Lowering Drug Prices by Once Again Putting Americans First – that seeks to reduce the prices Americans pay for prescription drugs. One aspect of that executive order concerns pharmacy benefit managers (PBMs) – the prescription drug middlemen that negotiate prices with drug companies.
Under the Biden Administration, the Federal Trade Commission (FTC) launched an inquiry into PBMs in June 2022. The interim report, published by the FTC in July 2024, found that PBMs may be contributing to higher out-of-pocket costs for patients. The FTC has since filed a lawsuit against the three largest PBMs alleging they enrich themselves by manipulating the drug supply chain. The Department of Labor has confirmed it is looking at ways to improve transparency around the direct and indirect compensation PBMs receive from employer-sponsored health plans, and at ways to improve market transparency in pricing and cost-sharing information for consumers.
An area where further regulation may be required concerns heat illness and injury prevention in indoor and outdoor work settings. The Occupational Safety and Health Administration (OSHA) has been considering a heat safety standard for some time, and in July 2024 OSHA proposed a new rule that would apply to nearly all employers and would be triggered when employees are exposed to a heat index of 80°F for fifteen minutes or more in any sixty-minute period. OSHA had been expected to retreat from further regulation in this area. Public hearings on the proposed rule took place over the summer, and OSHA has confirmed that it is “continuing to examine how to establish standards specifically related to heat-related injury and illness prevention.”
Since 2021, the Department of Labor has had no regulation addressing joint employer liability under the Fair Labor Standards Act (FLSA). A joint employer rule issued in 2020 was largely vacated by a federal court and was rescinded by the department in 2021. The department is continuing to look at the circumstances under which businesses can be held liable as a joint employer. Also under the FLSA, the Department of Labor is looking at the circumstances under which a worker should be classified as an employee or an independent contractor for the purpose of federal wage and hour requirements, and will be defining and delimiting the exemptions for executive, administrative, professional, outside sales, and computer employees, including the salary thresholds that determine whether salaried employees are exempt from FLSA minimum wage and overtime requirements.
Under the H-2A program, employers in the agricultural industry are permitted to hire foreign workers for temporary or seasonal jobs when domestic workers are unavailable. Under the Biden administration, a final rule that took effect in June 2024 expanded protections for these workers; however, enforcement of the rule was suspended in June 2025. The Department of Labor has proposed to rescind some of the requirements it considers burdensome for growers using the program for agricultural labor. The Department of Labor is also considering updates to the Adverse Effect Wage Rate (AEWR) methodology used to set the minimum hourly wage that must be paid to H-2A workers, which has been criticized for exceeding actual local market wages.
“This regulatory agenda reflects our steadfast commitment to restoring economic opportunity by fostering innovation and reducing unnecessary burdens on employers,” said Deputy Secretary of Labor Keith Sonderling. “By modernizing outdated rules and prioritizing clarity and efficiency, we’re building a more agile, worker-centered labor policy framework that fuels economic growth and prosperity. Under President Trump’s leadership, the Department of Labor is delivering the regulatory certainty that American workers and businesses need to thrive.”
The post Department of Labor Confirms Key Rulemaking Initiatives appeared first on The HIPAA Journal.
NYS DOH Cybersecurity Regulation Deadline Fast Approaching
Next month, the New York State Department of Health (DOH) cybersecurity regulation for general hospitals comes into force, and all covered hospitals will be required to comply with all the new requirements. The cybersecurity regulation (10 NYCRR 405.46) took effect on October 2, 2024, and with immediate effect, general hospitals had to implement policies and procedures for reporting a material cybersecurity incident to the New York Department of Health’s Surge Operations Center (SOC) within 72 hours. Covered hospitals were given a year to implement compliance programs covering the other new requirements, and the deadline for compliance is now less than a month away. The compliance deadline is October 2, 2025.
Cybersecurity Requirements for General Hospitals
Hospitals in New York State already need to comply with the HIPAA Security Rule, but the cybersecurity regulation introduces many new requirements, and simply being HIPAA-compliant is no longer enough. Under HIPAA, hospitals are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI); the cybersecurity regulation goes further, because its requirements apply to all electronic nonpublic information. That definition is broader than HIPAA’s: it covers not only ePHI but personally identifiable information (PII) about any natural person, not just patients, as well as business-related records whose disclosure or tampering would harm the hospital.
General hospitals are required to implement a cybersecurity program based on the hospital’s risk assessment. The cybersecurity regulation stipulates several required elements that go above and beyond those specified by HIPAA. The cybersecurity program must identify internal and external risks that may threaten the security or integrity of nonpublic information within the hospital’s systems and that may threaten the continuity of the hospital’s business and operations. Policies and procedures must be implemented to protect information systems and any nonpublic information stored within those systems from unauthorized access and other malicious acts. Defensive infrastructure is required, and systems must be in place for detecting and responding to cybersecurity events, which will allow the recovery of normal operations and services.
Policies and protocols must be implemented for limiting user access privileges to systems containing nonpublic information, and there must be regular reviews of access privileges. There is a new requirement for measures to mitigate the threat of email-based attacks, such as spoofing, phishing, and fraud, and regular reviews of email controls must be conducted to ensure they continue to be effective.
Security measures and controls include encryption of data at rest and in transit, and there are data minimization requirements. Policies and procedures are required for the secure disposal of nonpublic information that is no longer required. Multifactor authentication, risk-based authentication, or other compensating controls are required to protect against unauthorized access to nonpublic information.
HIPAA requires risk analyses to be conducted periodically but sets no fixed interval; the DOH regulation requires hospitals to conduct a risk assessment at least annually to identify risks and vulnerabilities to nonpublic information, and the cybersecurity program itself must be reviewed annually to ensure it remains effective. Testing is also required, including annual penetration tests by a qualified internal or external party. Hospitals must have an incident response plan for dealing with cybersecurity incidents, and documentation demonstrating compliance must be retained for six years.
Hospitals are required to appoint a Chief Information Security Officer (CISO), who must be a qualified senior or executive-level staff member with proper training, experience, and expertise, and the cybersecurity program must be managed by qualified cybersecurity personnel or a third-party service provider.
New Cybersecurity Requirements Likely to Be Rigorously Enforced
The HIPAA Journal has spoken with information governance strategist Matthew Bernstein, who has over 20 years’ experience helping organizations analyze risks, transform written policy into day-to-day practice, and make their data findable, compliant, and secure. Hospitals rely on his firm, Bernstein Data, to integrate retention schedules, discovery and classification, and defensible disposition into one operating model that meets HIPAA and state mandates while trimming storage costs and shrinking the ransomware “attack surface”.
Bernstein has warned that hospitals that believe they meet the new requirements simply because they are HIPAA compliant could be in for a shock, and that any hospital waiting to implement the changes until the DOH starts enforcing the cybersecurity regulation could well end up paying a considerable financial penalty. The language of the regulation closely mirrors the NYS Department of Financial Services (DFS) cybersecurity requirements, and DFS penalties for noncompliance with those requirements have run from $1 million to $5 million.
“It’s clear that the NYS Dept of Health is taking a leaf from the NYS Department of Financial Services’ book, and that should be concerning to hospitals. The DFS has been an aggressive regulator about cybersecurity shortcomings of NYS companies, including healthcare providers with a “financial services” business, such as its recent $2 million settlement with Healthplex,” explained Bernstein. “There are significant commonalities between the new DOH regulation and the infamous 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies, and these requirements present new challenges for hospitals. It’s not just about a small set of defined PHI and making sure breaches are reported; there’s an expansive set of “personal” and “business-related” information to protect, and new risk assessment and mitigation operations to be adopted.”
With the compliance deadline fast approaching, hospitals need to ensure they have the policies, procedures, and protocols in place to comply with the new requirements. “New York hospitals don’t need to solve everything overnight, but they do need to demonstrate governance and intent,” Bernstein said. “Drafting a preliminary compliance roadmap with specific roles, accountability structures, and implementation priorities can go a long way in signaling good faith to regulators, board members, and insurers. Think of it as the scaffolding on which everything else will be built.”
CVS Health Faces HIPAA Probe Over Alleged Use of Patient Data for Lobbying and Political Advocacy
CVS Health is facing a probe into potential HIPAA violations related to the alleged use of patient data for lobbying purposes to prevent the passing of a Louisiana state bill that could affect its business interests. The bill in question, House Bill 358 (HB 358), proposes several amendments to current pharmacy laws in Louisiana. One of the proposed amendments is prohibiting providers in the state from operating as both pharmacy benefit managers (PBMs) and individual pharmacies.
A pharmacy benefit manager is an intermediary between drug companies and pharmacies that negotiates prices with the drug companies on behalf of employers and health plans. PBMs often also manage pharmacy networks and operate mail-order pharmacies, and they are facing increased scrutiny over their business practices. The Federal Trade Commission (FTC) has alleged that major PBMs inflate drug prices to increase company profits, negotiating lower prices from drug companies and then marking up those drugs at their own affiliated pharmacies. According to an FTC report published earlier this year, between 2017 and 2022, UnitedHealth Group’s Optum, CVS Health’s CVS Caremark, and Cigna’s Express Scripts marked up medications for heart disease, cancer, and HIV at their affiliated pharmacies, generating $7.3 billion in revenue in excess of the acquisition costs of the medications.
Several states have passed laws to rein in PBMs and limit their influence on drug pricing, and reducing the cost of medications is a key priority for the Trump administration. CVS Health and Cigna have filed lawsuits attempting to overturn a law to this effect in Arkansas, and CVS Health is alleged to have engaged in lobbying to prevent HB 358 from being passed in Louisiana. If the bill is signed into law, it would have serious implications for CVS Health, which operates the PBM CVS Caremark as well as 119 CVS pharmacies in the state of Louisiana.
Louisiana Attorney General Liz Murrill launched an investigation of CVS Health earlier this year after receiving reports alleging CVS Health had sent large numbers of text messages to state employees and their families to lobby against the proposed legislation. One of the texts informed the recipients that if the bill is signed into law, their CVS Pharmacy could close, medication costs could rise, and their pharmacist could lose their job.
The texts included a link to a draft letter to lawmakers calling for them to reject the legislation. “The proposed legislation would take away my and other Louisiana patients’ ability to get our medications shipped right to our homes,” the letter read. “They would also ban the pharmacies that serve patients suffering from complex diseases requiring specialty pharmacy care to manage their life-threatening conditions, like organ transplants or cancer. These vulnerable patients cannot afford any disruption to their care – the consequences would be dire.” CVS Health has been accused of lying and using scare tactics to oppose the bill, which CVS Health denies.
In late June, AG Murrill filed three lawsuits against CVS Health alleging unfair, deceptive, and unlawful practices that have harmed Louisiana patients, independent pharmacies, and the public at large. According to CVS Health spokesperson Amy Thibault, the bill was advanced without a public hearing. “We believe we had a responsibility to inform our customers of misguided legislation that sought to shutter their trusted pharmacy, and we acted accordingly,” Thibault said. “Our communication with our customers, patients and members of our community was consistent with law.”
</gr_replreplace>
<gr_replace lines="42" cat="clarify" orig="The lawmakers explained">
The lawmakers explained in the letter that the HIPAA Privacy Rule does not expressly permit the use of patient data for political advocacy or lobbying, so patient authorization would be required for such uses. They pointed out that the mass-texting capability CVS Health pharmacies use to notify patients about prescription updates and other individualized patient information appears to have been used in a manner that may have violated HIPAA.
Now, a probe has been launched by two Republican lawmakers in response to the allegations that patient data was used for lobbying purposes, potentially in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. House Committee on Oversight and Government Reform Chairman James Comer (R-KY) and Subcommittee on Federal Law Enforcement Chairman Clay Higgins (R-LA) wrote to CVS Health President and CEO David Joyner, demanding answers about how patient data has been used.
“This text message campaign raises ethical and potential legal issues if indeed CVS Pharmacy used confidential patient information, obtained through a state contract, to lobby against H.B. 358,” wrote the lawmakers. “The inflammatory and misleading text messages—which included threats of pharmacy location closures, increased prescription costs, and loss of service providers—sought to encourage CVS Pharmacy customers to contact Louisiana lawmakers to oppose the bill. This is concerning because CVS Pharmacy must comply with the Health Insurance Portability and Accountability Act (HIPAA) to access confidential patient information.”
The lawmakers explained in the letter that the HIPAA Privacy Rule does not expressly permit the use of patient data for political advocacy or lobbying, and that patient authorization would be required for such uses, pointing out that it appears that the mass texting capabilities used by CVS Health pharmacies for notifying patients about prescription updates and other individualized patient information has been used in a matter that may have violated HIPAA.
The lawmakers have requested documentation and copies of communications related to the use of patient and customer personal health information for the purposes of political advocacy or lobbying in Louisiana and all other states from January 1, 2020, to the present. They require a response by September 18, 2025.