American Hospital Association v. Becerra: U.S. Department of Health and Human Services’ Health Privacy Guidance Vacated by Federal Judge

Positive News for HIPAA-Regulated Entities Using Online Tracking

The ruling in American Hospital Association v. Becerra is good news for HIPAA-regulated entities that utilize third-party online tracking technologies. In short, the U.S. District Court for the Northern District of Texas ordered that by restricting HIPAA-regulated entities’ use of such technologies, the HHS had overstepped its authority. The District Court’s decision marks a victory for health care providers, as it will likely discourage similar litigation brought against HIPAA-regulated entities. However, these entities should still carefully manage their tracking technologies, as uncertainty continues to surround the future of protected health information and its intersection with artificial intelligence.

What Happened in American Hospital Association v. Becerra?

On June 20, 2024, a federal judge in Texas vacated a portion of health privacy guidance issued by the U.S. Department of Health and Human Services (HHS). Specifically, U.S. District Judge Mark Pittman vacated the HHS’s declaration that HIPAA obligations are triggered in: “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.”

Unauthenticated public webpages are webpages that do not require an individual to log in (i.e., these webpages do not require user verification or login credentials) before the individual may access the webpage. The HHS offered the following example, to demonstrate how a visit to an unauthenticated public webpage can result in the disclosure of protected health information: “[I]f an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address . . . or other identifying information showing their visit to that webpage is a disclosure of [protected health information] to the extent that the information is both identifiable and related to the individual’s health or future health care.”

Initially, the HHS issued the now-vacated guidance out of concern for patient privacy, due to the rise in hospitals’ use of third-party online tracking technologies. The agency’s main concern was that third-party online tracking technologies would reveal individually identifiable health information (IIHI), which is protected under HIPAA. In particular, the HHS argued, the technology would connect an individual’s IP address with that same individual’s online search regarding his or her medical condition. The HHS concluded that the individual’s data would be IIHI in this scenario, and it issued the health privacy guidance in response, requiring providers to protect this “novel” category of information.

Ultimately, Judge Pittman disagreed with the HHS and sided with the plaintiffs, the American Hospital Association, who argued that online tracking technology allows HIPAA-regulated entities to serve patients more effectively. In his order, Judge Pittman ruled that the HHS had exceeded its actual authority, both beyond the scope of HIPAA and beyond the “plain meaning” of IIHI. Put more simply, Judge Pittman ruled that the HHS had unlawfully redefined what is considered protected health information under HIPAA: “[T]his is a case about power. More precisely, it’s a case about our nation’s limits on executive power.” And, Judge Pittman felt that the HHS had overstepped its power in issuing this health privacy guidance, at the expense of hospitals and other entities that are required to comply with HIPAA.

What Happens Now?

First, this vacatur is nationwide. However, Judge Pittman’s order is limited only to the specific portion of the guidance regarding third-party online tracking technologies. Therefore, HIPAA-regulated entities should take care to abide by the remainder of the HHS guidance.

Additionally, Judge Pittman did not issue an injunction against the HHS, and the HHS has no requirement to obtain court approval for future revisions of its guidance. So, the agency is free to revise and/or continue to update its guidance as it sees fit (as long as it does so without violating Judge Pittman’s order). Accordingly, HIPAA-regulated entities should continue to check the HHS website for any updates, in order to ensure continued compliance with HHS guidance. The website currently states that HHS is “evaluating its next steps in light of [Judge Pittman’s] order,” and the agency has until August 19, 2024, to appeal the order, if it chooses to do so.   

In the meantime, HIPAA rules remain the same, and entities should maintain best practices to comply with HIPAA, in addition to closely monitoring any new guidance issued by the HHS. Though HIPAA no longer applies to the now-vacated portion of the HHS guidance, HIPAA-regulated entities must also ensure that they remain compliant with state laws applicable to such tracking technologies. Entities should carefully investigate what data and areas of their business are subject to HIPAA, as well as which are subject to state privacy laws, in order to ensure proper compliance overall. Moreover, entities should be cognizant of additional litigation that arises regarding either the HHS’s health privacy guidance, or the use of online tracking technologies by hospitals and other HIPAA-regulated entities.

If you have any questions or concerns about the ruling of American Hospital Association v. Becerra and its potential effects on your business, or about maintaining compliance as a HIPAA-regulated entity, please reach out to one of Varnum’s data privacy attorneys. Additionally, if you are interested in discussing the use of artificial intelligence in health care, please reach out to a member of our Health Care AI Task Force.

2024 summer associate Rebecca Krasity contributed to this advisory. Rebecca is currently a student at the University of Wisconsin Law School.

Impact of Chevron Decision on Compliance Risk Under Data Protection Regimes

Overturning of Chevron Shifts Authority on Data Privacy Regulation

A recent pivotal Supreme Court decision marks a significant shift in the authority of federal agencies to interpret regulations related to data privacy and security as well as the influence of judicial review over ambiguities in the same. This shift poses new challenges and uncertainties for agencies’ ability to regulate and meaningfully govern purported insufficiencies in privacy and data security programs.

1984 Chevron Decision

In its landmark 1984 decision, Chevron v. Natural Resources Defense Council, 467 U.S. 837, the Supreme Court established a framework for judicial review of federal agency interpretations of statutes. This framework, known as “Chevron deference,” dictated that when a statute is ambiguous, courts should defer to a federal agency’s reasonable interpretation of the law. For the past 40 years, Chevron deference has been applied to thousands of cases, significantly shaping the regulatory landscape.

Recent Decision Overturning Chevron

The U.S. Supreme Court recently issued a ruling (Loper Bright v. Raimondo, together with Relentless v. Dept. of Commerce) overturning the Chevron decision. The Court ruled that, under the Administrative Procedures Act, courts can no longer defer to federal agencies’ interpretations of statutes. Instead, courts must rely on their own interpretation of ambiguous laws. The facts underlying Loper Bright and Relentless involved fishermen challenging the National Marine Fishery Service’s interpretation of the Magnuson-Stevens Fishery Conservation and Management Act of 1976, which required them to pay for monitors onboard their vessels. While the underlying facts concerned fishery management, the implications of this ruling span across all federal agencies, as they will no longer receive deference from courts when their rulemaking is challenged. Consequently, courts will now play a more critical role in interpreting statutes and assessing whether agencies have properly applied the law or exceeded statutory limits.

Impact on Federal Agencies Regulating Data Privacy and Cybersecurity Laws

The full extent of the impact this decision will have on the rulemaking capabilities of federal agencies that have historically held significant authority over the interpretation of laws related to the collection, sharing, and protection of personal information, such as the Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (US DHHS), remains unclear. Indeed, FTC representatives have stated that this change will have little effect on key issues related to data privacy. Further, this change will not impact settlements and consent decrees that are already in place.

Nonetheless, heightened scrutiny of agency actions stemming from interpretations of unclear elements of data protection laws over which they have historically had authority is expected. For example, in its rulemaking on data privacy and cybersecurity, the FTC has relied on Section 5 of the FTC Act, a relatively ambiguous statute authorizing the FTC to address “unfair or deceptive acts or practices.” In these scenarios, the FTC has previously utilized its authority under Section 5 of the FTC Act to allege that data collection and disclosure practices of various companies have been conducted in a manner that could be deemed to be unfair or deceptive. Similarly, the FTC has exercised authority under the Gramm-Leach-Bliley Act (GLBA) and US DHSS has exercised similar authority under the Health Insurance Portability and Accountability Act (HIPAA), each to assess what companies fall within the scope of the two laws given the broad but at times ambiguous nature of the definitions of “financial institutions” and “business associates,” respectively. Another commonly discussed area of ambiguity would be the security components of GLBA, 15 USC 6801, and HIPAA, 45 CFR 164.306, where in-scope entities are mandated to protect the more sensitive personal information within the purview of each of those laws by implementing appropriate technical and security measures.

While the FTC and others argue that the ambiguity under each of these data protection laws are intentionally designed to accommodate evolving technologies and business practices, it is this vagueness and broadly construed language that may now lead to more judicial scrutiny in the absence of Chevron deference. For example, it is likely no longer within the FTC’s authority to definitively assess whether a financial institution subject to GLBA has implemented appropriate or sufficient technical and organizational measures. This would now be a question to be decided by the courts.

The impact of Loper Bright on other aspects of FTC rulemaking and enforcement are less clear. The relatively underutilized Section 18 rulemaking, which empowers the FTC to prescribe rules that define “unfair or deceptive acts or practices” within the purview of Section 5 of the FTC Act, is already subject to more rigorous procedural hurdles, such as public consultation and advance notice to Congress, and arguably has not relied on Chevron deference. One such rule promulgated pursuant to Section 18 of the FTC Act is the Children’s Online Privacy Protection Act (COPPA) Rule, which requires websites and online services to get parental consent before collecting, using, or disclosing personal information from children under 13.  It is arguable that both prior to and post-Loper Bright, ambiguity in a rule promulgated under Section 18 would be subject to judicial review and not entitled to Chevron deference, although that point remains unclear. Additionally, FTC enforcement actions resolved by settlements (generally in the form of consent orders) were never reliant on Chevron deference as courts have historically considered these actions to “lack the force of law,” making them ineligible for such deference. However, while the overturning of Chevron deference may not directly impact the FTC’s ability to enter into consent decrees, it could diminish the agency’s leverage in persuading companies to agree to such orders, as the lack of judicial deference may weaken the agency’s perceived authority.

Conclusion

The strategic approach a company takes as it develops a comprehensive privacy program often requires the company to assess the risks associated with the development of each component of the program. This includes interpretating applicable data protection and security laws that are high-level in nature and generally less prescriptive to assess what that company has to do to achieve better compliance hygiene. This recent Supreme Court ruling should undoubtedly be taken into consideration when assessing those risks.

If you have any questions or want to learn more about how the recent Supreme Court rulings may impact your business or the development of your privacy program, please contact a member of Varnum’s Data Privacy and Cybersecurity Team. Our team can leverage our years of practical experience in operationalizing privacy programs to help you find pragmatic approaches on the path to compliance.

Michigan Adopts the Uniform Power of Attorney Act

Michigan Adopts the Uniform Power of Attorney Act

Powers of Attorney (POA) in Michigan are subject to a new law which went into effect on July 1, 2024. If you have executed (or are considering executing) a POA to give a trusted individual the ability to access your financial accounts or sign documents on your behalf, whether in case of emergency or simply for convenience, you should review that POA to confirm its execution complies with the new law and to ensure you can take full advantage of the benefits of the new law.

By executing a POA, you grant someone else important powers to act on your behalf. The person you appoint is called your “Agent.” A POA can be “Durable” or “Non-Durable.” A Durable POA can be particularly useful because, unlike a Non-Durable POA, your Agent’s authority to act on your behalf will not be terminated even if you are incapacitated.

As of July 1, 2024, the new law, titled the Uniform Power of Attorney Act (UPOAA), provides increased accessibility, effectiveness, and standardization for POAs. Given the increased mobility of the population and modernization of technology, the UPOAA codifies state legislative trends across the United States and creates a cohesive set of best practices for drafting and utilizing POAs. To date, a version of the UPOAA has been enacted in 31 states.

The UPOAA accomplishes several important objectives:

  • It promotes uniform acceptance of notarized POAs. No longer will third parties be permitted to refuse to accept a validly executed POA simply because the document didn’t clear the entity’s legal department. The UPOAA provides sanctions for persons or entities who refuse to accept an acknowledged POA. “Acknowledged” means verified before a notary public (or other individual authorized to take acknowledgements).
  • It provides protection for third parties who rely on notarized POAs. The UPOAA is designed to protect third parties who accept a notarized POA in good faith, and also provides clear circumstances where acceptance of a POA can and should be denied. If there is any doubt, the third party can request a certification or opinion of counsel as to the validity of the POA within a seven-day window of the presentment of the document. 
  • It provides a series of default rules for POAs. If the POA is executed in compliance with certain requirements, the POA will automatically be durable under the UPOAA. This is a change from former Michigan law which mandated that there be an affirmative statement as to durability in the POA. There are other helpful default rules in the UPOAA including provisions regarding the determination of incapacity, and the coordination of co-agents’ authority, successor agents, and court-appointed guardians and conservators.
  • It promotes accessibility and frees up judicial resources. Michigan has had a statutory form Will and statutory form Designation of Patient Advocate for some time. Now, there is a statutory form Power of Attorney. The purpose of the form is to give the public easy access to creating POAs, which will decrease the necessity of guardianships and conservatorships. However, as clearly stated on the form, because of the important authority granted in POAs, individuals should use caution in preparing these important forms without the assistance of counsel.

Given these sweeping changes promulgated by the UPOAA, it’s a good time to revisit your POA. The UPOAA applies to all POAs, even those executed prior to July 1, 2024. As long as your POA was validly executed at the time it was signed, your POA is still valid under the new law – but you may want to confirm that your POA is notarized. Many individuals executed legal documents during the pandemic when it may have been difficult to obtain a notary. If your POA is not notarized, you may want to re-execute the document before a notary to garner the additional protections that the UPOAA provides to acknowledged POAs.

This advisory was originally published on November 20, 2023.

HIPAA and Employee Benefits: The Basics of Compliance

HIPAA Compliance: Essential Steps for Companies Offering Health Benefits

Every company providing health benefits should periodically review how the Health Insurance Portability and Accountability Act (HIPAA) applies to their benefit plans. HIPAA applies to employer provided medical benefits, and may also apply to dental and vision benefits, depending on plan design. The increasing popularity of self-funded medical benefits has made HIPAA compliance more important than ever before. Here are a few current HIPAA compliance considerations for companies with medical benefits.

  • A key HIPAA principle is to obtain, use, and disclose the minimum amount of protected health information (or PHI) possible. PHI is individually identifiable health information subject to HIPAA. Service providers often need certain elements of PHI to fulfill their contracts and provide benefits to your employees, but by drafting documents appropriately, your plan can minimize the amount of PHI it receives and uses itself. This helps ensure compliance and minimize risk.
  • Employers should never use PHI from its health plans to make or take employment-related actions.
  • Employers must provide HIPAA notices to participants which include a summary of the employer’s privacy and security practices and a description of how PHI may be used or disclosed.
  • Employers should ensure they have an executed and updated Business Associate Agreement (or BAA) with any other entity that uses, accesses, or discloses any PHI. A BAA is a short agreement that states what each party will do to ensure HIPAA compliance, and may also include other terms regarding responsibilities and indemnification.
  • Risk assessments and risk reduction is also an important part of HIPAA compliance. Depending on the amount of PHI your plan receives, the scope and tyle of a risk assessment may vary. Regardless of plan design, employers should document that a risk assessment is being done and that appropriate action is being taken after the risk assessment is completed.
  • HIPAA documentation is an important part of compliance. Beyond the notices, BAAs and risk assessments, employers should ensure their plans include necessary language and should maintain reasonable and appropriate HIPAA policies and procedures.
  • Plan for potential problems by having a procedure in place for determining if there is a HIPAA violation or breach of PHI. Often bad actors or service providers are at fault. The best way to be prepared is to know how you will determine if there is a problem as well as who and how a response will be prepared. This is often part of a company’s larger disaster, emergency or contingency planning.
  • Watch for changes. There are changes to HIPAA requirements going into effect in 2025 and additional changes are working through the courts. For more information, see our recent HIPAA advisory.

HIPAA compliance is important and is best done annual enrollment. By refreshing your HIPAA compliance now, updated documents can be effective for and integrated with your next open enrollment process. Contact a member of our benefits or health care teams to discuss how HIPAA impacts your business and how to help ensure compliance.

Federal Court Confirms that Failing to Accommodate an Employee’s Religious Objections to a Vaccine Requirement Can Violate Title VII

Sixth Circuit Issues Important Religious Discrimination Ruling

On June 12, 2024, the United States Court of Appeals for the Sixth Circuit confirmed that, under certain circumstances, an employer may commit religious discrimination by enforcing a vaccination mandate against an employee/job applicant who has refused vaccinations for religious reasons. Lucky v. Landmark Medical of Michigan, P.C., Case No. 23-2030 (6th Cir. June 12, 2024). Najean Lucky, a non-denominational Christian, applied for a management position with an in-home medical provider. During the interview, the employer asked her if she had been vaccinated for COVID-19. Lucky responded that she had not, because of her religious beliefs. The employer immediately ended the interview, stating that it would not make any accommodation to its vaccination requirement for Lucky’s religious beliefs.

Lucky sued for religious discrimination under Title VII. Although the trial court initially dismissed her suit, the Court of Appeals reinstated it. In doing so, the Court held that Lucky’s allegations, if true, established a claim of religious discrimination. The Court emphasized that Lucky had asserted that her refusal to take the COVID-19 vaccine was “an aspect of her religious observance or practice or belief” and that courts cannot “question the centrality of particular beliefs or practices to a faith, or the validity of particular litigants’ interpretation of those creeds.” The Court sent the case back to the trial court for discovery and, perhaps, trial.

Key Takeaways

Lucky confirms that, under certain circumstances, Title VII may require employers to accommodate an employees’ refusal to become vaccinated if that refusal is connected to the employer’s religious beliefs. However, this does not mean that an accommodation is necessary in all circumstances. Lucky coexists with the Supreme Court’s recent decision in Groff v. DeJoy, 600 U.S. 447 (2023), which holds that an employer need not accommodate a religious belief if doing so “would result in substantial increased costs in relation to the conduct of its particular business.” Whether this standard is met depends on “all relevant factors in the case at hand, including the particular accommodations at issue and their practical impact in light of the nature, size and operating cost of an employer.” 

Thus, employers must take a nuanced, comprehensive approach to decide whether an accommodation for an employee’s religious belief is appropriate. This includes when the religious belief results in a refusal to become vaccinated. But because courts will not second-guess the sincerity of the employee’s belief, neither should the employer when deciding the accommodation request.

Lucky also illustrates the need for proactive measures if an employer believes that a vaccination mandate is necessary for its business operations. If the employer’s policy does not include a religious exception, the employer must be able to articulate why a religious exception would result in substantial increased costs in relation to the conduct of its particular business.

Employers are encouraged to consult with legal counsel to discuss their options and strategies if an employee seeks a religious accommodation or if the employer imposes a vaccination requirement. Varnum’s Labor and Employment Practice Team stands ready to assist employers with any questions or concerns they may have about these issues.

Supreme Court Overturns “Chevron” Doctrine and Rejects Continued Court Deference to Federal Agencies

Advisory

In a groundbreaking decision, Loper Bright Enterprises v. Raimondo, the United States Supreme Court has eliminated the deference previously granted to federal agencies to interpret the laws that they administer. Under a previous decision, Chevron U. S. A. Inc. v. Natural Resources Defense Council, Inc. (1984), the United States Supreme Court (SCOTUS) had required courts to exercise deference to agencies regarding the interpretation of ambiguity in the statutes that they administer. Under the “Chevron doctrine,” if a court determined that any federal statute was unclear or ambiguous, it was required to defer to an agency’s reasonable construction of that statute—even if the court ultimately disagreed with that agency’s interpretation. In practice, the Chevron doctrine often required courts to uphold agency regulations that far exceeded the scope of the authority or direction provided by Congress.

The Supreme Court’s most recent decision in Loper Bright overruled Chevron, holding that the “Administrative Procedure Act requires courts to exercise their independent judgment in deciding whether an agency has acted within its statutory authority, and courts may not defer to an agency interpretation of the law simply because a statute is ambiguous.” Unrestrained by Chevron, courts are now free to reject agency actions that stray too far afield from the express statutory authority or intent of federal statutes. The Loper Bright decision is expected to have a major impact on any number of agency regulations, and most notably on the United States Environmental Protection Agency (EPA). The EPA has often clashed with industry, mining and agricultural groups over its attempts to promulgate far-reaching environmental regulations or implement agency policies that are premised on dubious or controversial interpretations of the Clean Air Act and Clean Water Act. We expect the Loper Bright decision to have profound impact on both agency rulemaking and enforcement. Industry groups will be able to mount challenges to agency actions on a level playing field since the EPA and other agencies will no longer have the benefit of playing with a “loaded deck.”

A Deep Dive Into the FTC Ban on Non-Compete Agreements

Comprehensive Analysis: The FTC's Ban on Non-Compete Agreements

Update July 8, 2024: A federal district court in Texas has issued a preliminary injunction preventing the FTC from enforcing its rule banning most non-compete agreements against a Texas-based tax firm and a group of business associations. The court’s preliminary injunction does not prevent the FTC from enforcing the rule against other U.S. companies. Thus, for now, the FTC rule banning most non-compete agreements is still scheduled to take effect on September 4, 2024. However, the Texas court ruled that the pending legal case is “likely to succeed on the merits,” and promised a ruling on those merits by August 30. 

In the meantime, legal challenges to the FTC’s ban on non-competes are pending in other courts. Thus, there remains a great deal of uncertainty what will happen to the FTC’s attempt to outlaw most non-compete agreements. The FTC’s rule might go into effect on September 4, it might be blocked in other limited cases, or it might be struck down entirely. Employers and businesses are encouraged to monitor developments closely over the summer.  Varnum’s Corporate and Labor and Employment Practice Teams stand ready to assist businesses with any questions or concerns they may have, and will issue updates as soon as they are available.

Update May 7, 2024: The new FTC rule banning most non-compete agreements was published in the Federal Register on May 7, 2024, and thus will take effect 120 days later on September 4, 2024.

On April 23, 2024, following a 90-day public comment period generating more than 26,000 comments, the Federal Trade Commission (FTC) voted to adopt a final rule banning non-compete agreements for most workers in the United States. The final rule, set to take effect 120 days from the date it is published in the Federal Register, will have broad implications on businesses and an estimated 30 million U.S. employees and independent contractors alike.

The final rule provides that it is an unfair method of competition, and therefore a violation of Section 5 of the Federal Trade Commission Act (the “Act”), for employers to enter into non-compete agreements with workers and to enforce existing non-compete agreements with most workers. The rule requires that employers rescind most existing non-compete agreements and restrictions on workers, and it prohibits businesses from entering into non-compete agreements with workers in the future.

In the wake of the FTC’s announcement, countless questions arise for those businesses struggling to better understand the implications of the new rule. The deep dive summary below follows a comprehensive review of the FTC’s 570-page release accompanying the final rule.

What the New FTC Ban Requires

Upon the effective date of the rule, businesses generally will no longer be able to do the following:

  • Enter into or attempt to enter into non-compete agreements or clauses;

  • Enforce or attempt to enforce existing non-compete agreements or clauses (except as to a very narrow group of “senior executives” as defined in more detail below.); or

  • Represent to a worker that the worker is subject to a non-compete agreement (except as to “senior executives”).

Employers are required to notify any workers and former workers with existing non-compete agreements that the agreements are no longer valid under the new rule and that the non-compete provision has been rescinded. Notice must be delivered in writing via letter, email, or text message no later than the rule’s effective date. The FTC rule provides a model notice that can be used for this purpose.

The effective date of the new rule is 120 days after it is officially published in the Federal Register.  It is anticipated that the rule will be published in the Federal Register sometime within the next 30 days or so. The FTC currently expects the rule to take effect in early September 2024.

Covered Workers

The FTC takes the position that non-competes are largely exploitative and coercive and has banned almost all non-compete agreements and clauses between employers and workers. The rule clarifies that the term “worker” broadly includes any employee, independent contractor, extern, intern, volunteer, apprentice, or sole proprietor, whether the individual presently works for or previously worked for the business and whether the individual was paid or unpaid.

However, the FTC created an exception from the rule for existing non-compete agreements with “senior executives.” Existing non-compete agreements with such personnel are enforceable, to the extent they are enforceable under applicable state law. To qualify as a “senior executive,” a worker must pass both an earnings test and a job duties test. Specifically, the worker must earn total annual compensation of at least $151,164 and be in a “policy-making position.” A “policy-making position” includes a president, CEO, or someone else with authority to make policy decisions for the entire company. A worker must pass both tests to qualify for the exception for “senior executives” — one alone will not suffice.

Jurisdictional Limitations for Certain Non-Profits

Congress empowered the FTC to “prevent persons, partnerships, or corporations” from engaging in unfair methods of competition. To qualify as a “corporation” under the Act, an entity must be “organized to carry on business for its own profit or that of its members.” Through FTC precedent and judicial decisions, this language has been consistently interpreted to mean that while the FTC has jurisdiction over for-profit entities in nearly all industries (other than some businesses expressly outside the FTC’s jurisdiction such as most financial institutions, common carriers, and air carriers), the FTC lacks jurisdiction to regulate Section 5 violations by a corporation not organized to carry on business for its own profit. Thus, in addition to certain for-profit entities as noted above, the FTC ban on non-compete agreements does not apply to non-profit entities, as defined by the FTC.

However, not all entities claiming tax-exempt status as non-profits fall outside the FTC’s jurisdiction. To qualify as a non-profit entity for purposes of application of the Act, the FTC looks to both “the source of the income, i.e., to whether the corporation is organized for and actually engaged in business for only charitable purposes, and to the destination of the income, i.e., to whether either the corporation or its members derive a profit.” A non-profit that passes this two-part test is considered outside the FTC’s jurisdiction and will not be impacted by the new rule banning non-compete agreements.

Because some non-profit healthcare organizations may fall outside the FTC’s jurisdiction under this two-part test, and thus would escape the FTC’s ban on non-competes, while other healthcare organizations would remain within the FTC’s jurisdiction and therefore would remain subject to the ban, the FTC considered whether to exempt all healthcare organizations, or at least a broader class of healthcare organizations, from the ban. Ultimately, however, the FTC concluded that it “is not persuaded that the healthcare industry is uniquely situated in a way that justifies an exemption from the final rule.” Despite arguments from commentators relating to the equal treatment of nonprofit and for-profit healthcare organizations, patient hardship, increased costs for employers, and decreased incentive for employee training, the FTC steadfastly declined to exempt the healthcare industry from the rule. The FTC clarified that healthcare entities claiming tax-exempt status will be met with the same level of scrutiny as other organizations under its adopted two-part test for non-profit entity status if challenged in administrative or judicial proceedings. Learn more about the affects to the health care industry in our advisory, Healthcare Implications of the FTC’s Non-Compete Ban.

Other Forms of Restrictive Covenants May be Permissible

While non-compete language is strictly prohibited, the final rule does not categorically prohibit other types of employment agreements that contain restrictive covenants, such as non-disclosure or confidentiality agreements, training repayment agreement provisions, and non-solicitation agreements. The FTC noted that these types of agreements do not by their terms ordinarily prohibit a worker from or penalize a worker for seeking or accepting other employment or starting their own business after they leave their current position, and thus are permissible.

However, if an employer adopts a term or condition that is so broad in scope that it has the same functional effect as a term or condition prohibiting or penalizing a worker from seeking or accepting other work, or from starting a business after they leave a position, such a term will be viewed as an impermissible non-compete clause. Thus, other restrictive covenants such as non-disclosure and non-solicitation agreements must be carefully drafted to ensure that they do not run afoul of the FTC’s ban on non-competes.

Limited Exceptions

As noted above, the FTC’s ban on non-compete agreements does not apply to existing non-compete agreements with “senior executives.”  In addition, the final rule carves out three other specific scenarios where the ban does not apply:

  • First, the rule does not apply to non-competes entered into by a person pursuant to a bona fide sale of a business entity. The FTC considers a bona fide sale to be one that is made between two independent parties at arm’s length, in which the seller has a reasonable opportunity to negotiate the terms of the sale. The FTC noted that, pursuant to this “bona fide” condition, any “springing” non-compete (in which a worker must agree when hired to a non-compete in the event of a future sale) and repurchase rights, mandatory stock redemption programs, or similar stock-transfer schemes are prohibited by the rule. Additionally, the FTC clarified that, while a seller can agree to a noncompete individually, this sale-of-business exception does not extend to the business entity’s workers who are not sellers. Moreover, because the rule requires the sale of a business entity, including by way of asset sale, this exception does not apply to the sale of a sole proprietorship or assets of a business that has not been incorporated.

  • Second, the rule does not apply where a cause of action related to a non-compete agreement or clause accrued prior to the rule’s effective date. According to the FTC, this means that employers may still enforce a claim that a noncompete was breached before the effective date.

  • Lastly, the rule provides that it is not an unfair method of competition to enforce or attempt to enforce a non-compete or to make representations about a non-compete where a person has a good-faith basis to believe that the FTC’s rule banning non-competes is inapplicable to the situation.

Litigation to Block the FTC’s New Rule

Legal challenges to the FTC’s new rule banning almost all non-compete agreements have already been filed. On April 23, 2024 — the same day the rule was issued — an initial challenge was filed in the U.S. District Court for the Northern District of Texas.  The next day, on April 24, 2024, the U.S. Chamber of Commerce filed a complaint in the U.S. District Court for the Eastern District of Texas. Both cases argue that the FTC lacks the constitutional and statutory authority to advance this sweeping regulation and seek to block implementation of the rule. These cases are likely just the beginning of the flood of litigation that will arise in response to the FTC’s new rule.

Conclusion

Businesses and professionals are encouraged to consult with legal counsel to discuss their options and strategies for addressing the FTC’s final rule, including possible revisions to existing restrictive covenant agreements, the required notices under the rule, and updates on the status of the pending litigation. Varnum’s Labor and Employment Practice Team and Business and Corporate Practice Team stand ready to assist businesses with any questions or concerns they may have.

This advisory was originally published on April 26, 2024.

New FTC Rule Bans Most Non-Compete Agreements

FTC Bans Noncompete Agreements

Update July 8, 2024:  A federal district court in Texas has issued a preliminary injunction preventing the FTC from enforcing its rule banning most non-compete agreements against a Texas-based tax firm and a group of business associations.  The court’s preliminary injunction does not prevent the FTC from enforcing the rule against other U.S. companies.  Thus, for now, the FTC rule banning most non-compete agreements is still scheduled to take effect on September 4, 2024.  However, the Texas court ruled that the pending legal case is “likely to succeed on the merits,” and promised a ruling on those merits by August 30. 

In the meantime, legal challenges to the FTC’s ban on non-competes are pending in other courts.  Thus, there remains a great deal of uncertainty what will happen to the FTC’s attempt to outlaw most non-compete agreements.  The FTC’s rule might go into effect on September 4, it might be blocked in other limited cases, or it might be struck down entirely.  Employers and businesses are encouraged to monitor developments closely over the summer.  Varnum’s Corporate and Labor and Employment Practice Teams stand ready to assist businesses with any questions or concerns they may have, and will issue updates as soon as they are available.

Update May 7, 2024: The new FTC rule banning most non-compete agreements was published in the Federal Register on May 7, 2024, and thus will take effect 120 days later on September 4, 2024.

Update April 26, 2024: Please see our advisory A Deep Dive Into the FTC Ban on Non-Compete Agreements for more information on this rule.

Update April 24, 2024: A complaint has been filed in the Federal District Court for the Northern District of Texas challenging the FTC’s new Final Rule and seeking to block implementation.

In a major development, the Federal Trade Commission (FTC) voted today, April 23, 2024, to implement a new rule that will ban non-compete agreements for most American workers. This rule, set to take effect 120 days from the date it is published in the Federal Register, could impact as many as 30 million U.S. workers — both employees and independent contractors — who are subject to non-compete restrictions. The rule requires that businesses rescind most existing non-compete agreements and restrictions on workers, and it prohibits businesses from entering into non-compete agreements with workers in the future.

The U.S. Chamber of Commerce has already announced plans to sue the FTC over this new rule. Litigation to block the rule could be filed as soon as Wednesday, April 24.

Key features of the rule are as follows:

  • Businesses will no longer be able to enter into or attempt to enter into non-compete agreements or clauses, to maintain existing non-compete agreements or clauses, or to represent to a worker that the worker is subject to a non-compete agreement, subject to a few very limited exceptions.
  • Workers covered by the rule include employees, independent contractors, interns, volunteers, apprentices, and sole proprietors, whether the person presently works for or previously worked for the business.
  • Non-disclosure/confidentiality agreements and non-solicitation agreements may be permissible, unless they are so broad in scope that they essentially function as a non-compete agreement.
  • For those workers with existing non-compete agreements that are no longer valid under the new rule, businesses must notify them that the non-compete provision has been rescinded. Notices must be delivered in writing via letter, email, or text message, no later than the rule’s effective date. The FTC rule provides a model notice that can be used for this purpose. 
  • Existing non-compete agreements with “senior executives” remain in effect and will be enforceable to the extent they are currently enforceable under applicable state law. The term “senior executive” is defined to mean persons who are in policy-making positions (such as president, CEO, or similar officer) and have total annual compensation of at least $151,164 per year. Businesses may not enter into new non-compete agreements with existing or future “senior executives,” regardless of whether they make policy decisions or how much they are paid.
  • The ban on non-compete agreements does not apply to a non-compete that is entered into by a person pursuant to the bona fide sale of a business entity or such person’s ownership interest in a business entity, regardless of the percentage interest of such person in the business entity. However, this exception does not apply to the sale of a sole proprietorship or assets of a business that has not been incorporated.

The new rule is scheduled to take effect within 120 days of its publication in the Federal Register.

Varnum will be following up this brief advisory with a more in-depth look at the FTC’s new rule in the coming days, and will continue to monitor legal developments. In the meantime, businesses are encouraged to consult with legal counsel to discuss their options and strategies for addressing this new rule. Varnum’s Corporate and Labor and Employment Practice Teams stand ready to assist businesses with any questions or concerns they may have.

This advisory was originally published on April 23, 2024.