As we inch closer to the upcoming change in administration, the Biden Administration has rung in the new year with some substantial rulemakings. There have been 14 rulemakings since the start of 2025 that had some kind of quantifiable economic impact. The major items of the past week or so – from the Departments of Health and Human Services (HHS) and Justice (DOJ) – both happened to focus on data security requirements. Across all rulemakings, agencies published $36.6 billion in total costs but cut 28.4 million annual paperwork burden hours. 

REGULATORY TOPLINES 

• Proposed Rules: 31 

• Final Rules: 85 

• 2025 Total Pages: 2,570 

• 2025 Final Rule Costs: $4.6 billion 

• 2025 Proposed Rule Costs: $32 billion 

NOTABLE REGULATORY ACTIONS

The most significant rulemaking to start off the new year was a proposed rule from HHS entitled “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information.” As the title suggests, the proposal would “revise existing standards to better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).” HHS notes that the last substantial update to these standards came in 2013 and that “there have been significant changes to the environment in which health care is provided and how the health care industry operates” in terms of cybersecurity needs.  

The projected costs involved are substantial; the agency expects the proposal to impose $32 billion in total costs over a five-year window. In an interesting twist, HHS also expects this proposed rule’s changes to result in nearly 29 million fewer hours compared to the current baseline of relevant reporting requirements. Given that it is a proposed rule being promulgated at this time, however, its ultimate fate will now fall to the incoming Trump Administration. While one can therefore expect some significant changes, it is worth noting that during Trump’s first term some of the most significant regulatory actions came from rules regarding health care information reporting requirements. As such, it would not be shocking to see the rulemaking continue on in some form. 

The most consequential final rule of the week was DOJ’s rule regarding “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons.” The rule implements “Executive Order 14117 of February 28, 2024 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), by prohibiting and restricting certain data transactions with certain countries or persons.” Affected entities will incur costs from “initial assessments and remediation efforts” and annual “monitoring, compliance audits, reporting, and training” responsibilities. The agency estimates that the “rule may directly financially impact approximately 3,000 companies engaged in data brokerage and an additional 1,500 firms that currently engage in restricted transactions involving government-related data and bulk U.S. sensitive personal data with covered persons,” and result in $459 million in annualized costs (or roughly $4.1 billion in total present value over a 10-year period).

TRACKING THE ADMINISTRATIONS

As we have already seen from executive orders and memos, the Biden Administration has provided plenty of contrasts with the Trump Administration on the regulatory front. And while there have been areas where the current administration has sought to broadly restore Obama-esque regulatory actions, there are also areas where it has charted its own course. Since the AAF RegRodeo data extend back to 2005, it is possible to provide weekly updates on how the top-level trends of President Biden’s regulatory record track with those of his two most recent predecessors. The following table provides the cumulative totals of final rules containing some quantified economic impact from each administration through this point in their respective terms.

Heading into the homestretch here, the Biden Administration saw its final rule cost and paperwork totals rise by roughly $4.6 billion and 415,000 hours, respectively. The DOJ data privacy rule discussed above and the final version of the Federal Trade Commission’s rule on “Trade Regulation Rule on Unfair or Deceptive Fees” were the primary reasons for these increases. The Trump Administration’s start to 2021 saw costs decrease by $1.8 billion but its paperwork total rose by 3.7 million hours to re-take the “lead” in that category. The Trump-era Department of Labor rule on “Independent Contractor Status” drove the cost dip while a series of rules was responsible for the net-hike in paperwork. The Obama Administration shifts were relatively muted with $572 million in new costs and 143,000 hours of paperwork.

As the Biden Administration concludes, AAF will continue this analytical section for the remainder of its term to provide a complete historical record of its agency activity and how it stacked up against the full first terms of the other included administrations – even if the rulemakings finalized in these waning months may be subject to recission under the incoming administration and Congress. As noted during the campaign, there is little reason to believe this Trump Administration’s regulatory policy will be directionally different from that of its first term. Yet given that President-elect Trump now stands to join Grover Cleveland as the only president thus far to have a second non-consecutive term, the exact nature and format of this section may undergo some changes once that second term begins. Stay tuned.

TOTAL BURDENS

Since January 1, the federal government has published $36.6 billion in total net costs (with $4.6 billion in new costs from finalized rules) and 28.4 million hours of net annual paperwork cuts (with roughly 415,000 hours in increases from final rules).