Last week there were only six rulemakings that contained some measurable costs or paperwork estimate. One-third of those, however, went past the billion-dollar threshold. That pair of rules included a notable new set of ozone regulations from the Environmental Protection Agency (EPA) and the Department of Health and Human Services (HHS) removing its COVID-19 vaccination mandate for certain health care facilities. Across all rulemakings, agencies published $7.5 billion in total costs but cut 841,100 annual paperwork burden hours.

REGULATORY TOPLINES

• Proposed Rules: 36
• Final Rules: 76
• 2023 Total Pages: 37,909
• 2023 Final Rule Costs: $56.9 billion
• 2023 Proposed Rule Costs: $312.7 billion

NOTABLE REGULATORY ACTIONS

The most significant rulemaking of the week was EPA’s rule regarding the “Federal ‘Good Neighbor Plan’ for the 2015 Ozone National Ambient Air Quality Standards.” The rule “finalizes Federal Implementation Plan requirements to address 23 states’ obligations to eliminate significant contribution to nonattainment, or interference with maintenance, of the 2015 ozone National Ambient Air Quality Standards in other states.” In particular, “With respect to fossil fuel-fired power plants in 22 states, this action will prohibit those emissions by implementing an allowance-based trading program beginning in the 2023 ozone season.” Covered states include: “Alabama, Arkansas, Illinois, Indiana, Kentucky, Louisiana, Maryland, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Jersey, New York, Ohio, Oklahoma, Pennsylvania, Texas, Utah, Virginia, West Virginia, and Wisconsin.” EPA estimates that the rule’s provisions will impose $9.4 billion in present value costs, or $770 million on an annualized basis.

The other main item of the week was HHS’s rule regarding “Policy and Regulatory Changes to the Omnibus COVID-19 Health Care Staff Vaccination Requirements.” As the title implies, the agency is making a series of changes to the protocols it established in prior rulemakings regarding COVID-19 vaccination status. Perhaps the most significant change is HHS withdrawing its “staff vaccination IFC [interim final rule with comment]” that required most facilities participating in Medicare and/or Medicaid “to include requirements regarding development and implementation of policies and procedures to ensure COVID–19 vaccination of staff.” As such, HHS estimates that this mandate’s withdrawal eliminates the roughly $690 million in costs and 866,580 hours of paperwork that they expected such providers to face in maintaining the “staff vaccination IFC” in a given year.

TRACKING THE ADMINISTRATIONS

As we have already seen from executive orders and memos, the Biden Administration will surely provide plenty of contrasts with the Trump Administration on the regulatory front. And while there is a general expectation that the current administration will seek to broadly restore Obama-esque regulatory actions, there will also be areas where it charts its own course. Since the AAF RegRodeo data extend back to 2005, it is possible to provide weekly updates on how the top-level trends of President Biden’s regulatory record track with those of his two most recent predecessors. The following table provides the cumulative totals of final rules containing some quantified economic impact from each administration through this point in their respective terms.

The primary action for the Biden Administration in terms of final rules came from the rules discussed above. As such, the administration’s final rule cost total increased by a net $7.3 billion while its paperwork total fell by roughly 800,000 hours. There was, however, notable activity across the other administrations covered here. The Trump Administration saw its costs and paperwork totals both spike by $2.2 billion and 3 million hours, respectively. Rules regarding the “Veterans Community Care Program” and visas for “Diversity Immigrants” were the primary drivers of those trends. Meanwhile, the Obama Administration saw its paperwork total decline by 1.9 million hours, due mostly to a rule seeking “to improve and streamline OSHA [Occupational Safety and Health Administration] standards.”

THIS WEEK’S REGULATORY PICTURE

This week, the Federal Trade Commission (FTC) proposes updates on how apps are supposed to handle breaches in users’ “personal health records” (PHRs).
Source: Photo by Franck on Unsplash

Back in 2009, the American Recovery and Reinvestment Act (“Recovery Act”) directed FTC to promulgate regulations regarding the protocol for PHR breaches for “entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).” In particular, that rule required: “(1) notice to consumers whose unsecured PHR identifiable health information has been breached; (2) notice to the Commission; and (3) notice to prominent media outlets [6] serving a State or jurisdiction, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by a breach.” In the intervening years, however, there have been dramatic technological changes including the introduction of countless apps that track and record personal health data that were not necessarily covered under those original Recovery Act PHR regulations.

As a part of its 10-year review of the rule in 2020, FTC began gathering input on how to move forward in the new landscape. In the interim, the agency has relied on informal “Policy Statements” and enforcement actions. With this proposed rule, it seeks to formally revise the relevant regulatory provisions to further encompass a broader array of entities. In particular, the proposal would refine the term “‘health care services or supplies’ to include any online service, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”

In examining the regulatory update’s costs, FTC estimates that this would extend to roughly 170,000 entities. The agency finds that there would likely only be, on average, 71 data breaches per year that required the sort of notifications under this program. Despite that relatively small number of incidents, FTC estimates that the program would involve roughly $50 million in costs annually, between $720,000 in labor costs to identify that a breach has occurred and $49.5 million in associated costs to develop the requisite notification.

Interested parties have until August 8, 2023, to submit comments.

TOTAL BURDENS

Since January 1, the federal government has published $369.5 billion in total net costs (with $56.9 billion in new costs from finalized rules) and 146.5 million hours of net annual paperwork burden increases (with 9.9 million hours in increases from final rules).