Latest news with #TheAfternoonDocket
Reuters
10-04-2025
- Business
- Reuters
RealPage goes on the offense in lawsuit against city of Berkeley over AI rent pricing law
Companies April 9 (Reuters) - Is the best defense a strong offense? Consider a move by U.S. property management software firm RealPage, which sued the city of Berkeley, California, in federal court last week, alleging that a new ordinance, opens new tab barring local landlords from using AI-driven pricing algorithms to set residential rents is an unconstitutional ban on free speech. Get a quick look at the days breaking legal news and analysis from The Afternoon Docket newsletter. Sign up here. Given RealPage's current lawsuit load, the move caught my eye. The Richardson, Texas-based company is already battling civil antitrust suits by the U.S. Justice Department and state enforcers over its revenue management software. Prosecutors say RealPage 'subverts competition and the competitive process' by collecting a broad swath of nonpublic rental data from landlords, plugging the combined information into an algorithm and using the results to recommend what to charge for rent, according to the DOJ's complaint, opens new tab pending in U.S. District Court for the Middle District of North Carolina. RealPage also faces sprawling multidistrict litigation by tenants who accuse the company of conspiring with major residential property owners to artificially inflate rents. (How sprawling? In a status report filed in Nashville federal court last week, the signatures of the lawyers involved spanned 22 pages.) You might think another lawsuit would be the last thing RealPage, which is owned by private equity firm Thoma Bravo, would want right now? Then again, the 1st Amendment suit against Berkeley comes as California's second-largest city is weighing a similar ordinance. San Diego city councilmember Sean Elo-Rivera plans to bring forward a policy banning "algorithmic price-fixing software" to the full council next week, his deputy chief Ben Mendoza told me. Elo-Rivera in a statement called his proposed ordinance 'narrowly tailored, legally sound,' and said, 'We won't be intimidated by meritless legal threats.' A spokesperson for RealPage confirmed the suit against Berkeley was the company's first challenge to a local ordinance but did not respond to additional questions, instead referring me to a company website, opens new tab rebutting 'false and misleading claims' about RealPage. Per the website and court papers, RealPage argues that its technology benefits both housing providers and residents by making the rental market more efficient. The purpose of RealPage's software 'is to optimize revenue — not to maximize rents. It makes rental price recommendations in all directions: higher, lower, or at the current rent price,' RealPage says. The real culprit driving high housing costs across multiple markets, RealPage says, is lack of supply, not its rent pricing recommendations, which landlords are free to accept or reject. Will the argument carry the day? It's too soon to tell. Based on the latest docket filings, none of the antitrust cases appears to be near a resolution on the merits. This is where municipal actions come into play. San Francisco was first out of the gate, enacting an ordinance, opens new tab in September 2024. 'Instead of waiting for court processes which may take years to resolve,' the measure states, San Francisco preemptively prohibited 'the sale or use of algorithmic devices for the purpose of setting rents on residential dwelling units' in the city. Philadelphia followed with a similar law a month later, and Berkeley city council members in March approved an ordinance that's slated to go into effect on April 24. It strikes me that there's a certain 'sentence first, verdict afterwards' quality to the moves, as the Queen of Hearts in 'Alice in Wonderland' might say. A judge or jury may find RealPage's conduct doesn't violate any antitrust laws. Berkeley City Attorney Farimah Faiz Brown in an email defended the city's ordinance, arguing that the 118,000-person municipality — home to the University of California's unofficial flagship campus and center of the free speech movement in the 1960s — is within its rights to protect its residents from 'unlawful, predatory conduct.' 'RealPage has no First Amendment right to engage in, or facilitate, unlawful pricing alignment, coordination or fixing,' Brown said via email, adding that the city, represented by Keker, Van Nest & Peters, 'intends to vigorously oppose RealPage's lawsuit.' In its April 2 complaint, opens new tab against Berkeley now pending before U.S. District Judge Jacqueline Scott Corley in San Francisco, RealPage and its lawyers from Gibson, Dunn & Crutcher argue that the ordinance wrongly targets lawful speech about the residential rental market. 'As enacted, the Berkeley Ordinance purports to ban rental advice based on computer analysis of any kind of information,' RealPage said in its complaint, hypothesizing that putting publicly available data into an Excel spreadsheet to calculate a rent would even be prohibited. Even accepting the premise that preventing collusion among competitors and constraining the rate of rent hikes is a compelling government interest, RealPage says, 'there is no evidence that the speech sought to be prohibited by the Ordinance (as opposed to other factors) causes either of these perceived harms.' Corley has scheduled an April 16 hearing on RealPage's motion for a temporary restraining order to stop Berkeley's law from taking effect later this month.
Reuters
07-04-2025
- Health
- Reuters
New legal developments herald big changes for HIPAA compliance in 2025
April 07, 2025 - 2025 could be poised to be the biggest year for health care data yet. The increasingly ubiquitous use of AI and new technological advancements have organizations relying on and investing in data more than ever. However, these developments come with new legal risks and security threats for protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA). With responsible data use, patient data rights, data security, and privacy top of mind, the HIPAA compliance landscape is positioned for continued evolution and increased scrutiny. Get a quick look at the days breaking legal news and analysis from The Afternoon Docket newsletter. Sign up here. Here's what to expect and how to prepare in the coming year. The health care industry is gearing up for a data security revamp With a 264% increase in ransomware attacks in 2024, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) heavily enforced ransomware incidents last year, settling five ransomware investigations. The OCR also introduced its Risk Analysis Initiative at the end of 2024, focusing OCR enforcement on entities that fail to properly conduct the required periodic security risk analysis (SRA). While there is no required format or method for an SRA under HIPAA, OCR is specifically cracking down on entities that only conduct cursory SRAs that do not thoroughly evaluate and address potential security risks or fail to conduct an SRA at all. Security considerations are further compounded by HHS' proposed rulemaking in January to revamp HIPAA's Security Rule. The proposed changes aim to modernize the Security Rule, addressing technical aspects — such as patching, encryption, multifactor authentication, and penetration testing — and enhancing training and awareness regarding social engineering to mitigate common data breach risks. While these rules reaffirm the OCR's data security efforts, the proposed rule's administrative and technical aspects would be costly and burdensome, particularly for smaller medical practices, self-funded health plans, and health care businesses. Whether or not the proposed updates to the Security Rule are finalized or are materially modified from the current form, organizations must be proactive in keeping their security policies and procedures up to date. This includes implementing training to educate staff on new and emerging security threats and conducting regular, in-depth SRAs, as perfunctory SRAs are becoming an area of increasing enforcement risk. Patient access remains a high priority Patient right to access continues to be an area of significant focus for the OCR. From March to November 2024, the OCR settled five right to access cases, with another enforcement just announced on March 7, 2025. The OCR continues to stress the importance of providing timely record access to patients and their personal representatives. Considering that most of these enforcement actions were triggered by a single incident or patient request, it is evident that widespread patient access issues can be exposed by just one individual, potentially subjecting a covered entity to significant financial and legal risk. This OCR enforcement focus also aligns with one of the core goals of HHS' Information Blocking Rule, which aims to improve the flow of essential electronic health information between necessary parties. Most recently, HHS released two final rules aimed at improving interoperability and addressing information blocking issues. These rules, effective December 2024, provide clarity on when health care providers can share electronic health information, introduce new privacy and security requirements, and expand upon some information blocking exceptions to allow providers to comply with patient requests. Covered entities and business associates should take recent information blocking rule changes as an opportunity to review patient access policies and procedures from both a HIPAA and information blocking perspective and confirm compliance. Responsible data use considerations extend to protected health information The OCR has placed a heavy focus on the potential for unauthorized use or disclosure of PHI through the use of emerging technologies. Thus, enforcement under HIPAA is also likely to evolve in response to the increased emphasis on responsible data use — which has become an essential component of AI's integration into business operations across industries. HHS has not yet released any AI-specific HIPAA requirements, but it has issued other guidance that suggests AI technologies could be scrutinized to the extent they result in an unauthorized use or disclosure. Additionally, the OCR previously issued a bulletin warning of the legal perils of online-tracking technologies that collect information about individuals using webpages and mobile applications of HIPAA-regulated entities. In American Hospital Association v. Becerra, a federal court in the Northern District of Texas struck down a portion of the guidance related to tracking on unauthenticated web pages on the grounds that it exceeded HHS' authority under HIPAA. The guidance, however, still applies and remains in effect for tracking activities on authenticated web pages (i.e., pages that require user log-in). HHS announced that it is "evaluating its next steps" in light of the court's order. While the court limited the scope of the tracking technology guidance, regulated entities should still carefully evaluate how PHI is being used and accessed by third-party AI tools and tracking technologies. In addition to incorporating policies that address responsible data use, entities must be aware of technologies that may inconspicuously gain unauthorized access and use of PHI. Entities should also consider how AI can increase the risk of inadvertent disclosure due to its ability to process and potentially infer PHI from various non-sensitive data points (e.g., reidentification of deidentified data). Reproductive health privacy remains contested Effective Dec. 23, 2024, HHS issued a final rule to protect the privacy of reproductive health care information. Under the final rule, the use or disclosure of an individual's PHI is prohibited for the purpose of conducting criminal, civil, or administrative investigations or for imposing liability on anyone for the act of seeking, obtaining, providing, or facilitating reproductive health care that was lawful at the time it was provided. The rule also mandates that any requests for reproductive health care PHI for specific purposes must include an attestation confirming that the use or disclosure of PHI is not for a prohibited purpose and covered entities must update their notice of privacy practices (NPPs) to reflect the new requirements. Last fall, in State of Texas v. U.S. Department of Health and Human Services, the State of Texas challenged the newly finalized 2024 final rule on reproductive health care information and a privacy rule issued in 2000, which prohibits the disclosure of reproductive health PHI unless the request meets a three-part test. Texas argues that both rules inhibit law enforcement's ability to enforce its laws on abortion. This case is currently pending and unresolved in the federal Northern District of Texas. With the final rule now in effect, providers must comply despite the ongoing legal challenges pending against it. Covered entities should ensure they make appropriate updates to their NPPs by the required Feb. 16, 2026, deadline and update policies and procedures to reflect the rule as it currently stands, while also remaining on top of new legal developments. Not only could the rules be potentially narrowed in scope or struck down by the Texas federal court, but there is also the potential for additional rule changes under the new administration. Conclusion As 2025 unfolds, the evolving health care landscape will continue to drive legal shifts in the areas of data security and patient access and privacy. Covered entities and business associates can stay ahead of the curve by taking proactive compliance and risk-mitigation measures, including rigorous SRAs, evaluation of technical controls, staff training, and review of policies and procedures for effectiveness and consistency with ever-changing legal requirements.
