New HIPAA Attestation Form Requirements Begin December 23, 2024

New HIPAA Attestation Form Requirements

A new HIPAA Attestation Form is a reminder that HIPAA compliance remains an important part of compliance efforts for health plans. The new form is related to an update to the HIPAA regulations that, among other changes, add protections around data that might relate to reproductive rights.

Starting December 23, 2024, the new guidance prohibits the use or disclosure of protected health information (PHI) that may relate to legally provided reproductive health care when provided for either of the following purposes:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where the health care is lawful under the circumstances.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

To enforce this new restriction, the HIPAA Attestation Form was created and should be used whenever a request for the use or disclosure of PHI relating to reproductive health care is received. In addition to the new form, the new requirements should be incorporated into your existing training, policies and procedures, and Business Associate Agreements (BAAs). These are not the only changes. For example, by February 2026, virtually all Notices of Privacy Practices (NPPs) must be updated.

What Does This Mean for Health Plans?

All plans should take this as an important reminder to review their HIPAA compliance. The level of detail and number of documents and policies associated with HIPAA, and the level of modifications that may be needed, can vary significantly depending on how your plan is administered and operated. To discuss the changes and what your health plan needs to do to comply, contact a member of our benefits team, and we can help you evaluate how these changes will apply to your plan.

Michigan’s Earned Sick Time Act: Common Questions from Employers

READ THE LATEST ON THE ESTA

Starting February 21, 2025, Michigan’s Earned Sick Time Act (ESTA) will replace the Michigan Paid Medical Leave Act (PMLA), significantly expanding employee eligibility for sick time benefits. To assist employers and human resources professionals, Varnum’s Labor and Employment team has prepared this FAQ primer based on the current version of ESTA. Please note that amendments to the ESTA have been proposed in the Michigan legislature; should any aspect of the law change, Varnum’s Labor & Employment team will provide updates. 

Who is covered by ESTA?

All Michigan employers, except the U.S. government, must adjust or implement policies to comply with ESTA requirements. ESTA applies, regardless of industry, to employers that employ one or more employees in Michigan.

Which employees are eligible to receive earned sick time?

All employees are eligible, regardless of classification. Salaried exempt employees under the Fair Labor Standards Act are presumed to work 40 hours per week or, if their position is based on a weekly schedule of fewer than 40 hours, their regular number of scheduled hours.

If employees are covered by a collective bargaining agreement (CBA), the Act will apply to such employees starting on the CBA’s expiration date, regardless of any provisions extending the CBA’s duration. If a particular CBA is silent as to sick time or PTO benefits, Labor and Economic Opportunity Commission (LEO) has stated that the Act may apply beginning on February 21, 2025.

What is the accrual rate for earned sick time?

Beginning February 21, 2025, or upon the employee’s start date, whichever is later, employees will accrue 1 hour of sick time for every 30 hours worked. Employers may require new employees to wait 90 days after hire to use accrued sick time, but accrual begins immediately upon hire.

How much earned sick time are employees entitled to?

  • Small businesses (fewer than 10 employees as calculated under the statute): Must provide up to 40 hours of paid earned sick time, with an additional 32 hours unpaid.
  • All other employees: Must provide up to 72 hours of paid earned sick time per year.

Does earned sick time carry over?

Yes. All accrued and unused sick time must carry over to the following year. ESTA does not impose a cap on accrual or carryover.

Can employers frontload the earned sick time?

Yes. Employers may frontload the full years’ worth of sick time at the beginning of the benefit year. However, the frontloading method implemented must comply with the ESTA’s accrual, usage, carryover and other provisions.

Does earned sick time have to be paid out?

No. The statute does not require employers to payout unused time. Employers should check and confirm their written policies align with their desired practices concerning payout, as a separate law requires employers to follow the policies they have set forth in writing. 

How should employers transition from their current policies to ESTA compliance?

The transition to ESTA compliance will vary depending on an employer’s current policies, workforce structure, technology, and their priorities related to cost, culture, level of administrative effort, and the like. Employers should first familiarize themselves with ESTA requirements. Then evaluate their existing leave policies and their hierarchy of priorities in comparison with ESTA’s requirements to determine whether a new standalone ESTA policy or modification of existing policies meets their business needs. Employers should then draft new or amended policies that comply with the ESTA, for implementation in accordance with the Act. Employers should also review and confirm that their payroll and recordkeeping systems are equipped for ESTA compliance by the effective date and should train managers and personnel who will have new responsibilities associated with the Act.  

Should we implement new policies now?

ESTA is scheduled to take effect on February 21, 2025. Although major changes are not currently expected ongoing legislative action between now and the effective date could lead to some changes in the act’s requirements. For most employers, the appropriate course may be to prepare for compliance by the deadline while staying informed about potential changes, and to implement on the Act’s actual effective date rather than sooner.

Navigating ESTA’s requirements can be complex. Varnum’s labor and employment attorneys have prepared a comparison chart between the PMLA and ESTA to help guide you through the transition. Contact us with any questions or for assistance in achieving ESTA compliance.

Upcoming Telephone Consumer Protection Act (TCPA) Changes in 2025

FCC's New TCPA Rules for 2025

The Telephone Consumer Protection Act (TCPA), enacted in 1991, protects consumers from unwanted telemarketing calls, robocalls, and texts.

New FCC Consent Rule

On January 27, 2025, the Federal Communications Commission’s (FCC) new consent rule for robocalls and robotexts will take effect. The FCC aims to close the “lead generator loophole” by requiring marketers to obtain “one-to-one” consumer consent to receive telemarketing texts and auto-dialed calls. While the rule primarily targets lead generators, it could affect any business that relies on consumer consent for such communications or purchases leads from third parties.

Under the rule, businesses must clearly and conspicuously request and obtain written consumer consent for robocalls and robotexts from each individual company. Companies can no longer rely on a single instance of consumer consent that links to a list of multiple sellers and partners. Instead, individual written consent will be required for each marketer. Additionally, any resulting communication must be “logically and topically related” to the website where the consent was obtained.

To meet this requirement, businesses may allow consumers to affirmatively select which sellers they consent to hear from or provide links to separate consent forms for each business requesting permission to contact them.

New Consent Revocation Rules

Another change takes effect on April 11, 2025, when the FCC’s new consent revocation rules for robocalls and robotexts are implemented. These rules allow consumers to revoke prior consent through any reasonable method, and marketers may not designate an exclusive means for revocation. Reasonable methods include replying “stop,” “quit” or similar terms to incoming texts, using automated voice or opt-out replies, or submitting a message through a website provided by the caller.

Marketers must honor revocation requests within a reasonable timeframe, not exceeding 10 business days. After that period, no further robocalls or robotexts requiring consent may be sent to the consumer.

Preparing for Compliance

To comply with the January 27, 2025, one-to-one consent rule and the April 11, 2025, consent revocation rule, lead generators and businesses that use or facilitate robocall and robotext communications should:

  • Review their current consent and revocation practices.
  • Ensure compliance by updating policies before the deadlines.
  • Examine where consumer leads are being obtained and adjust policies for using this information to meet the new requirements.

This advisory provides only a summary of the upcoming changes to the Telephone Consumer Protection Act. Contact a member of Varnum’s Data Privacy and Cybersecurity Practice Team to discuss how these changes impact your business and how to help ensure compliance.

Navigating Children’s Online Privacy Protections: Primary Legislative Objectives of KOSA

Kids Online Safety Act (KOSA): Key Legislative Updates

As digital platforms place greater emphasis on younger users, legislators are calling for stricter measures to safeguard children and teens online. The first installment of this two-part advisory series provided an in-depth analysis of the Children’s Online Privacy Protection Act (COPPA 2.0), and how its proposed updates will strengthen protections relating to the collection, use and disclosure of children’s personal information online. This second installment examines the Kids Online Safety Act (KOSA) and how it aims to actively mitigate potential harm to children by including design features and providing parents with tools to manage kids’ online activity.

The Senate initially passed KOSA in July 2024 with overwhelming support. More recently, KOSA was advanced by the House Committee on Energy and Commerce (the “Committee”) in September. Although there was pessimism around whether KOSA would even make it to a full House vote due to certain concerns around the burden KOSA would place on businesses to police their content, the bill ultimately saw some last-minute changes before receiving sufficient support in the Committee to proceed to a vote on the House floor. 

KOSA is designed to address the broader safety risks children face online, including harmful content and exploitation. The requirements outlined in the bill apply to a “covered platform” which is defined as an “online platform, online video game, messaging application, or video streaming service that connects to the internet and that is used, or is reasonably likely to be used, by a minor.” There are certain exceptions outlined in the bill, including internet service providers, email services and educational institutions. The bill grants enforcement powers to state attorneys general and the Federal Trade Commission (FTC) under section 18(a)(1)(B) of the FTC Act, regulating unfair or deceptive acts or practices. Key elements of KOSA include:

  • Duty of Care: KOSA introduces a duty of care requirement for covered platforms, mandating that platforms act in the best interests of minors under the age of 17 to protect them from a variety of online harms. Specifically, platforms must take reasonable steps to prevent and mitigate risks of exposure to content that could negatively impact minors’ mental or physical well-being. The list of harms that covered platforms must protect against are promulgated in the bill, however, this list is one of the more contested elements. In order to garner sufficient support to advance through the Committee, the promulgated list of harms was minimized. While the removal of some harms by the Committee has been seen as gutting the purpose of the bill, the inclusion of others is seen as potentially having unintended consequences. This list is likely to be debated further before this bill passes.

  • Design Requirements: KOSA requires that covered platforms adhere to a variety of design requirements, including enabling default safeguard settings for minors and providing parents with tools to manage and monitor their children’s online activity.

  • Reports and Audits: Under KOSA, covered platforms must issue an annual public report describing reasonably foreseeable risks of material harms to minors and assessing the prevention and mitigation measures they are taking to address said risks. In drafting the report, covered platforms must undergo an independent, third-party audit.

While KOSA has garnered bipartisan support, it has also faced significant criticism, particularly from privacy advocates and civil liberties groups. Some critics argue that the bill could lead to increased surveillance and censorship, as platforms might over-moderate content to avoid liability, potentially infringing on free speech rights. The bill’s broad definition of “harm” has also raised concerns, as it could lead to overreach by the FTC and state attorneys general, who would be responsible for enforcing the law. These enforcement powers, critics warn, could be used to target content based on political or ideological grounds, raising the risk of censorship. Industry leaders have also raised concerns about the feasibility of implementing KOSA’s requirements, particularly for smaller platforms. On November 18, 2024, more than 30 state attorneys general wrote a letter to federal lawmakers urging them to back this legislation in order to “act to aid [their] state-level efforts” to bolster youth online safety.

Varnum’s Data Privacy and Cybersecurity team is closely monitoring these legislative developments and stands ready to guide clients through the complexities of the new regulations. Should these laws be enacted, businesses will need to swiftly adapt to avoid legal risks and ensure they are effectively protecting the rights and safety of younger users.

2024 Salary Basis Regulation Struck Down Nationwide – Minimum Salary Requirements Revert to Prior Levels

Advisory

Update November, 15, 2024: Today, the Federal District Court for the Eastern District of Texas issued a ruling striking down the United States Department of Labor’s 2024 regulation that had increased the minimum required salary levels required to support exempt status under the Fair Labor Standards Act (FLSA). The Judge’s order invalidates the rule nationwide. The order further invalidates the entire 2024 rule, a portion of which went into effect for most of the country in July 2024.

The Department of Labor could choose to appeal this decision, but the likelihood and long-term impact of any such action is uncertain given the upcoming change of presidential administration. Employers should continue to monitor this issue.  For the time being, employers should note that, absent further developments:

  • The upcoming additional increase of the minimum weekly salary amount to $58,656, which had been scheduled for January 1, 2025, will no longer go into effect; and
  • The applicable minimum salary requirement for exempt status reverts back to the level stated in the 2019 version of the rule: $684 per week ($35,568 annually). 

Other elements covered in the 2024 rule likewise revert to the terms as stated in the 2019 version.

The U.S. Department of Labor (DOL) has issued a final rule that significantly raises the required salary threshold for many salaried exempt employees starting July 1, 2024. Under this final rule, issued on April 23, 2024, the guaranteed salary that most employees must receive to qualify as exempt from the overtime rules will increase dramatically over the next nine months. Effective July 1, it will jump from $35,568 per year to $43,888 per year; and then just six short months later, on January 1, 2025, it will jump to $58,656 per year.

Under the Fair Labor Standards Act, employees who work in executive, administrative, professional, and certain computer positions must generally meet both the salary basis test and the job duty requirements to be classified as exempt from the overtime rules. In addition to being paid on a salary basis (which means there can be no deductions from salary, subject to certain limited exceptions), the threshold salary is currently $684 a week, amounting to $35,568 annually. The final rule raises the threshold for salaried employees significantly, according to the following schedule:

      • Effective July 1, 2024: $844 per week (equivalent to $43,888 per year)

      • Effective January 1, 2025: $1,128 per week (equivalent to $58,656 per year)

      • Effective July 1, 2027, and every three years thereafter: To be determined based on available earnings data

    In addition, the new rule increases the total annual compensation threshold for highly compensated employees from $107,432 per year to $132,964 per year effective July 1, followed by yet another increase to $151,164 per year effective January 1, 2025. This will result in an increase of nearly $44,000 per year to the salary threshold necessary to qualify for the highly compensated employee exemption.

    It is widely expected that various business and industry groups may file suit to attempt to block these changes from taking effect. Many employers may remember that a similar scenario occurred in 2016, when the DOL under the Obama Administration proposed a large increase in the salary threshold for these white collar exemptions, before that increase was blocked by court action. If the final rule issued by the DOL is not blocked through court action, it will mean significant changes for employers in compensation structure, as more employees nationwide will qualify for overtime pay unless their salaries are increased over the new threshold.

    Employers should immediately review their workforces to determine what changes, if any, may be necessary if the final rule takes effect. Possible considerations include:

        • Raising the annual salary of employees who meet the duties test to at least $43,888 as of July 1, and $58,656 as of January 1, 2025, to retain their exempt status;

        • Converting employees to non-exempt status and paying the overtime premium of one-and-one half times the employees’ regular rate of pay for all overtime hours worked; or

        • Converting employees to non-exempt status and eliminating or reducing the amount of overtime hours worked by such employees.

      Similar considerations should be undertaken with highly compensated employees. While it is wise to review pay practices proactively and identify potential changes that may become necessary, employers may wish to continue to monitor legal developments prior to actually implementing such changes. As employers will recall from 2016, significant changes can occur between the announcement of a final rule and the date on which it is scheduled to become effective.

      Employers are encouraged to consult with legal counsel to discuss their options and strategies for implementing these changes, if necessary. Varnum’s Labor and Employment Practice Team stands ready to assist employers with any questions or concerns they may have about this new rule.

      This advisory was originally published on April 24, 2024.

      Navigating Children’s Online Privacy Protections: Key Legislative Priorities Under COPPA 2.0

      Children's Online Privacy Protections: Key Legislative Priorities Under COPPA 2.0

      As digital platforms increasingly cater to younger audiences, lawmakers are pushing for stronger protections for children and teens online. This advisory series examines two proposed laws that may change the landscape for children’s privacy online. This first installment will offer an in-depth look at the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and its potential impact on privacy standards.

      COPPA 2.0 was initially passed in the Senate with overwhelming support back in July. More recently, the bill was advanced by the House Committee on Energy and Commerce (the “Committee”) in September. If enacted, this law could have a significant impact on businesses operating online platforms.

      COPPA 2.0 is an update to the original Children’s Online Privacy Protection Act, which was enacted in 1998. The new version significantly expands the scope of protections and imposes stricter requirements on companies with online platforms. The key provisions of COPPA 2.0 include:

          • Age Expansion: COPPA 2.0 extends the law’s protections to include not just children under 13, but also teens under the age of 17. Many businesses that were confident they were not targeting children under 13 with their services, and therefore less concerned with COPPA, may have more difficulty committing to such an assessment now that the scope of the law has expanded.

            • Data Minimization: The law introduces a “data minimization” requirement, which mandates that companies collect only the information that is necessary for the functioning of their services. This provision aims to reduce the amount of personal data collected from minors, thereby limiting the potential for misuse. This is a concept many businesses have already been grappling with in light of requirements under various comprehensive data protection laws. However, given the national reach of this law, businesses will need to be more intentional in how data is mapped across the enterprise (regardless of the state of residence of the data subject) to ensure it is meeting this obligation.

              • Prohibition on Targeted Ads: COPPA 2.0 places a ban on targeted advertising to minors without explicit consent from their parents or guardians. Businesses that rely heavily on advertising revenue would need to develop new strategies that comply with these restrictions while still reaching their target audiences effectively.

                • Right to Erasure: The law grants minors and their parents the right to request the deletion of any personal data that has been collected. This “right to erasure” is designed to give young users more control over their digital footprints. Businesses would need to establish clear and accessible processes for handling these requests. Similar to data minimization, businesses that already have processes in place for compliance with other laws will still potentially need to expand what they are covering under their current processes.

                  • Parental Rights: The law would allow parents to obtain information about their child’s use of social media platforms directly from platform operators without their child’s consent, ultimately giving parents significant oversight into what their child or teen is doing online. This particular change was one of the additions made in the Committee and has been faced with some scrutiny from House Democrats who feel this change would undermine the privacy of a minor and may be the subject of continued debate.

                Despite the changes in the Committee, the legislation still has bipartisan support, reflecting a shared concern across party lines about the need for enhanced protections for children and teens online. Given this support, the bill is expected to pass the House, although the timeline for its passage and the likelihood of any additional modifications remains uncertain.

                Varnum’s Data Privacy and Cybersecurity team is closely monitoring these legislative developments and stands ready to guide clients through the complexities of the new regulations. Should laws like COPPA 2.0 be enacted, businesses will need to swiftly adapt to avoid legal risks and ensure they are effectively protecting the rights and safety of younger users. Stay tuned for the follow up advisory that will discuss the Kids Online Safety Act (KOSA) and its potential changes.

                When Is the Best Time to Start Planning Your Estate?

                When is the Best Time to Start Planning Your Estate?

                The optimal time to begin estate planning is now. It is easiest to make these important decisions before a crisis occurs. Therefore, schedule a meeting with an estate planning attorney at your earliest convenience. Your attorney will assist in guiding you through discussions with the individuals you wish to designate as your trustee or the guardian of your minor children.  If meeting with an estate planning attorney is not feasible due to budget constraints or time limitations, there are three simple, free actions you can take to better organize your affairs.

                • Review all the beneficiaries listed on your retirement accounts and life insurance policy to ensure they are accurate, up-to-date and aligned with your wishes.
                • Compile a list of all your assets and securely store it. Also, inform the person overseeing your estate about the location of the list.
                • Assign a legacy contact on your iPhone or an inactive account manager for Android users. This grants the designated person access to the data on your phone, containing crucial information about your estate.

                Update your plan anytime you have a major life change or if there is a legal amendment requiring an update. Major life changes can include celebratory occasions such as having a child, getting married or adding a grandchild to your family.  They can also include events such as divorce or the death of a loved one, especially if they are named in your plan for a specific role or as a beneficiary. Another good reason to update your plan is if you acquire a new asset. It is crucial to update the ownership of your new asset to align with your estate plan and integrate it seamlessly.

                Consider reviewing or updating your plan every few years even if you have no major changes. For instance, we proactively reach out to our clients every three years to assess if any updates are needed. Regularly reviewing your plan keeps it aligned with your goals and helps ensure future success.

                Contact Varnum’s Estate Planning Team to start or update your estate plan today.

                2025 Cost of Living Adjustments

                The Internal Revenue Service has announced the 2025 cost of living adjustments to various limits. The adjusted amounts generally apply for plan years beginning in 2025. Some of the adjusted amounts, however, apply to calendar year 2025. Please click for a printer-friendly version of the table below.

                Employee Benefits Plan

                Plan Year
                2025
                2024
                401(k), 403(b), 457 deferral limit
                $23,500
                $23,000
                Catch-up contribution limit (age 50 or older by end of year)
                $7,500
                $7,500
                Catch-up contribution limit (age 60, 61, 62, or 63 by end of year)
                $11,250
                N/A
                Annual compensation limit
                $350,000
                $345,000
                Annual benefits payable under defined benefit plans
                $280,000
                $275,000
                Annual allocations to accounts in defined contribution plans
                $70,000 (but not more than 100% of compensation)
                $69,000 (but not more than 100% of compensation)
                Highly compensated employee
                Compensation more than $155,000 in 2024 plan year
                Compensation more than $150,000 in 2023 plan year

                Health Savings Accounts

                Calendar Year
                2025
                2024
                Maximum contribution
                Family
                Self
                $8,550
                $4,300
                $8,300
                $4,150
                Catch-up contribution limit (age 55 or older by end of plan year)
                $1,000
                $1,000
                Minimum deductible
                Family
                Self
                $3,300
                $1,650
                $3,200
                $1,600
                Maximum out-of-pocket
                Family
                Self
                $16,600
                $8,300
                $16,100
                $8,050

                Social Security

                Calendar Year
                2025
                2024
                Taxable wage base
                $176,100
                $168,600
                Maximum earnings without loss of benefits
                Under full retirement age
                Year you reach full retirement age
                $1,950/mo. ($23,400/yr.)

                $5,180/mo. up to mo. of full retirement age ($62,160/yr.)
                $1,860/mo. ($22,320/yr.)

                $4,960/mo. up to mo. of full retirement age ($59,520/yr.)

                Social Security Retirement Age

                Year of Birth
                Retirement Age
                Prior to 1938
                Age 65
                1938
                65 and 2 months
                1939
                65 and 4 months
                1940
                65 and 6 months
                1941
                65 and 8 months
                1942
                65 and 10 months
                1943 – 1954
                66
                1955
                66 and 2 months
                1956
                66 and 4 months
                1957
                66 and 6 months
                1958
                66 and 8 months
                1959
                66 and 10 months
                1960 and later
                67