On April 29, 2025, the U.S. Supreme Court issued an opinion upholding the formula the U.S. Department of Health and Human Services (HHS) utilized to calculate Medicare hospitals’ disproportionate share hospital (DSH) payment adjustments, denying a challenge brought by hospitals seeking higher DSH reimbursement. In Advocate Christ Medical Center v. Kennedy, No. 23-715 (S. Ct. Apr. 29, 2025), the Court held, based on a highly technical analysis, that the DSH formula endorsed by HHS was consistent with congressional intent, and accordingly rejected an argument from the hospitals premised on how DSH adjustments are calculated arising from a hospital’s treatment of patients eligible for social security benefits.

Background on Disproportionate Share Hospital Rate Adjustments

Under Medicare, hospitals that treat a disproportionate share of low-income Medicare patients are entitled to a rate adjustment above the fixed Medicare amount for each Medicare patient treated, which is calculated by adding two fractions: the “Medicare fraction” plus the “Medicaid fraction.”

This dispute arose when over 200 hospitals claimed that HHS miscalculated the hospitals’ DSH adjustments from 2006 to 2009 due to the department’s misinterpretation of the “Medicare fraction” calculation. The numerator used to calculate the “Medicare fraction” is defined by statute as “the number of [a] hospital’s patient days’ attributable to patients ‘who (for such days) were entitled to benefits under [Medicare] Part A’ and ‘entitled to supplementary security income [SSI] benefits. . . under subchapter XVI.” HHS interpreted the phrase “entitled to [SSI] benefits” to mean patients who are entitled to receive an SSI payment during the month they were hospitalized.

Conversely, the hospitals argued that the phrase includes all patients enrolled in the SSI system at the time of their hospitalization, even if they were not entitled to an SSI payment during their month of hospitalization. The net result of the hospitals’ position would’ve been to expand the number of patients in that numerator, thus increasing the “Medicare fraction” and correspondingly increasing the DSH rate adjustment for such hospitals.

After the hospitals were repeatedly unsuccessful in administrative challenges and federal district court, the D.C. Circuit Court of Appeals held for HHS, stating that SSI benefits are “about cash payments for needy individuals” and that “it makes little sense to say that individuals are ‘entitled’ to the benefit in months when they are not even eligible for [a payment].”

Supreme Court Analysis and Holding

The Supreme Court upheld the D.C. Circuit ruling in favor of the government, rejecting the hospitals’ position. The Court clarified that the relevant text stipulates that SSI benefits are cash benefits and that eligibility for such benefits is determined monthly. Due to these eligibility requirements, an individual is considered “entitled to [SSI] benefits for purposes of the Medicare fraction when she is eligible for such benefits during the month of [their] hospitalization.”

The Court declined the hospitals’ characterization of SSI benefits as including non-cash benefits such as vocational rehabilitation services and continued Medicaid coverage. In examining the description of an SSI benefit, the Court concluded that non-cash benefits are not identified under subchapter XVI of the Social Security Act. Turning to the hospitals’ inclusion of individuals with continued Medicaid coverage during periods of ineligibility for SSI benefits, the Court determined that this also does not create an SSI benefit but rather aids in administering the Medicaid program.

Notably, two Justices dissented from the Court’s majority holding. They observed that the ultimate goal of the DSH formula is to “provide hospitals that serve the neediest among us with the appropriate level of critical funds” before concluding that the Court’s holding “arbitrarily undercounts a hospital’s low-income patients.”

Takeaways

This decision stops the hospitals’ ability to seek higher reimbursement via an enhanced DSH rate adjustment for the challenged claims. Moreover, HHS methodology for calculating the DSH rate was affirmed; therefore DSH hospitals will receive a DSH rate adjustment based in part on the number of patients treated who are receiving a cash payment under an SSI program during the month of treatment, and not based on the number of such patients who are just eligible for SSI benefits.

Though the provision at issue was highly technical, the impact of this decision is potentially significant for DSH hospitals at a time of funding and reimbursement challenges, as more patients seek access to critical services often provided by such DSH hospitals. We will continue to follow key reimbursement and funding developments for hospitals and other health care providers.

PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, social security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and financial information.

PIH notified the individuals and the Office for Civil Rights (OCR) of the incident in January 2020. OCR launched an investigation and found alleged violations of HIPAA’s privacy, security and breach notification rules.

In addition to the $600,000 settlement payment, PIH entered into a resolution agreement with OCR that required it to:

  • Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with HIPAA rules.
  • Train its workforce members who have access to PHI on HIPAA policies and procedures.

These requirements are essential to a HIPAA compliance program, and this settlement is a reminder for covered entities to update and maintain security risk assessments, analyses, and risk management plans to address risks and vulnerabilities on an ongoing basis.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

This post was authored by Roma Patel, Associate in Robinson+Cole’s Data Privacy + Cybersecurity Team.

We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.

Complaint Background

According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection to the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.

Alleged HIPAA Violations

MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.

The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors. MTL’s forensic investigation determined that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.

In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.

Alleged Breach of Contract – Indemnification Demand

MTL also asserts that it has incurred or expects to incur various damages related to “remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL’s business.” Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.

Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety “has provided no substantive response to MTL’s indemnification demands.”

Lessons Learned

After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.

In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners, even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn’t have to be one of them.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The Office for Civil Rights (OCR) announced on April 10, 2025, that it has settled alleged HIPAA Security Rule violations with Northeast Radiology for $350,000.

The investigation followed a breach report by Northeast Radiology to OCR in March 2020 after unauthorized individuals accessed radiology images stored in PAC servers. Northeast Radiology notified 298,532 patients of the breach. The OCR alleges that, during the investigation, Northeast Radiology “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.”

Northeast Radiology agreed to enter into a resolution agreement with OCR that included a settlement payment of $350,000 and a supervised corrective action plan for two years.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team and Paul Palma, law intern at Robinson+Cole. Paul is not admitted to practice law.

On March 14, 2025, as part of a spending bill to avert a federal government shutdown, Congress extended COVID-era telehealth “waivers” applicable to Medicare until September 30, 2025.  These were originally scheduled to end March 31, 2025.

This is welcome news for health care organizations who have relied on the flexibility offered by these waivers to extend access to telehealth services for Medicare beneficiaries and other patients nationwide since the COVID-19 pandemic. However, this represents another short-term extension by the government and poses questions on whether all or some of the telehealth flexibilities will be codified into law.

As a reminder, a set of key waivers to Medicare telehealth payment restrictions were enacted under the Social Security Act temporarily in connection with COVID-19 pandemic measures. These statutory waivers have now been extended by act of Congress multiple times, and this latest extension will have the following impacts related to telehealth:

  • Telehealth at Home: Medicare patients will continue to be able to receive telehealth services in their homes and in any other location in the country through at least September 30, 2025. 
    • In the absence of this extension, Medicare beneficiaries would have only been permitted to receive telehealth services in certain approved health care facilities in rural locations (outside of metropolitan statistical areas) as of April 1, 2025.
    • Note that the Social Security Act does include a narrow exception that permits telehealth services in the home (or other locations) for patients in specific circumstances approved by law or regulation, including patients being treated for acute stroke symptoms, patients with a substance use disorder diagnosis, or patients with a mental health disorder (but see the additional in-person requirement for mental health telehealth treatment noted below), and patients on home dialysis for related clinical assessments.
  • Audio-Only Telehealth: Telehealth services can continue to be provided via audio-only communications systems.
    • Without the extension, telehealth services would no longer have been available via audio-only systems as of April 1, 2025, and to be reimbursed for telehealth services would require the use of approved interactive telecommunications systems only (which are defined generally to refer to audio/video equipment allowing for two-way real-time interactive communications between the patient and provider, except in narrow exceptions for store-and-forward technology under telemedicine demonstration programs).
  • Telehealth Providers: Medicare patients can continue to receive telehealth services from all types of approved Medicare-enrolled providers (the waiver permits qualified occupational therapists, physical therapists, speech-language pathologists, and audiologists to furnish services via telehealth and be paid by Medicare for doing so).
  • FQHC/RHC Telehealth: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) can continue to provide telehealth services to patients in other locations.

Additionally, the legislation extends until October 1, 2025, the effective date of a requirement for reimbursement by Medicare of telehealth services to a Medicare beneficiary for purposes of diagnosis, evaluation, or treatment of a mental health disorder that:

  1. the provider must have furnished a Medicare-covered item or service to the beneficiary in-person (without the use of telehealth) within the prior 6 months before furnishing such telehealth services, and
  2. the provider must continue to furnish Medicare-covered items or services in-person (without the use of telehealth) to the beneficiary at least once a year following each subsequent telehealth service.
    1. The annual in-person follow-up is not required if the provider and beneficiary agree the risks of an in-person service outweigh the benefits.

Once required, the foregoing in-person visit requirement could also be fulfilled by another provider of the same specialty in the same group as the provider furnishing the telehealth service if the telehealth provider is not available to do so.

Despite this temporary reprieve to sustain current telehealth waivers through September 30, 2025, health care organizations should start preparing now for the potential end of the waivers and additional restrictions on telehealth services as soon as October 1, 2025. Moreover, health care organizations should also be aware that additional flexibilities and waivers tied to the COVID-19 era remain in place but are scheduled to expire at the end of 2025, including DEA tele-prescribing flexibilities previously discussed here.

*This post was authored with Paul Palma, law intern at Robinson+Cole. Paul is not admitted to practice law.

On March 3, 2025, Connecticut Governor Ned Lamont signed a law establishing a new process for hospitals in bankruptcy to apply for an “emergency certificate of need” (CON) to approve a transfer of ownership. The law, titled  “An Act Concerning An Emergency Certificate Of Need Application Process For Transfers Of Ownership Of Hospitals That Have Filed For Bankruptcy Protection, The Assessment Of Motor Vehicles For Property Taxation, A Property Tax Exemption For Veterans Who Are Permanently And Totally Disabled And Funding Of The Special Education Excess Cost Grant” (the “Act”), was passed by the Connecticut Legislature though its emergency certification process in order to expedite its approval, presumably to allow the law and new process to be available for CON review of the potential sale(s) of Prospect Medical hospitals in Connecticut expected this year.

Emergency CON Process

Under the Act, the emergency CON process is to be available when “(1) the hospital subject to the transfer of ownership has filed for bankruptcy protection in any court of competent jurisdiction, and (2) a potential purchaser for such hospital has been or is required to be approved by a bankruptcy court.”

The Act requires the Office of Health Strategy (OHS) to:

  • Develop an emergency CON application for parties to utilize, and in doing so OHS must “identify any data necessary to analyze the effects of a hospital’s transfer of ownership on health care costs, quality and access in the affected market.”
    • Notably, if the buyer is a for-profit entity, OHS is permitted to require additional information to ensure that the continuing operation of the hospital is in the public interest.
  • Make a “completeness” determination on a submitted application within 3 business days.

Once an emergency CON application is deemed complete, OHS may – but is not required to – hold a public hearing within 30 days thereafter, and if a hearing is held OHS must notify the applicant(s) at least 5 days in advance of the hearing date. The Act provides that a public hearing or other proceeding related to review of an emergency CON is not a “contested case” under the state’s Uniform Administrative Procedure Act, which limits the procedural and appeal rights of the applicant(s). The Act also allows OHS to contract with third-party consultants to analyze the effects of the transfer on cost, access, and quality in the community, with the cost borne by the applicant(s) and not to exceed $200,000.

Emergency CON Decisions and Conditions

The Act requires final decisions on emergency CONs to be issued within 60 days of the application being deemed complete. Importantly, OHS is required to “consider the effect of the hospital’s bankruptcy on the patients and communities served by the hospital and the applicant’s plans to restore financial viability” when issuing the final decision. The Act also permits OHS to “impose any condition on an approval of an emergency” CON, as long as OHS includes its rationale (legal and factual) for imposing the condition and the specific CON criterion that the condition relates to, and that such condition is reasonably tailored in time and scope. The Act also expressly provides that any condition imposed by OHS on the approval of an emergency CON will apply to the applicant(s), including any hospital subject to the transfer of ownership “and any subsidiary or group practice that would otherwise require” a CON under state law that is part of the bankruptcy sale. However, the Act does allow the applicant(s) to request a modification of conditions for good cause, including due to changed circumstances or hardship.

Finally, the Act provides that the final decision on an emergency CON, including any conditions imposed by OHS as part of the decision, is not subject to appeal.

Takeaways

The Act seeks to establish a clear expedited pathway for CON review of hospital (and health system) sales as part of the bankruptcy process.  The specific process, including the form of application, is likely to be rolled out quickly by OHS to be available as part of the resolution of the Prospect Medical bankruptcy process anticipated to occur during 2025. The ultimate efficacy of the process will depend upon the specific data sought as part of the emergency CON process, and on the scope of any conditions imposed by OHS on the sales (which could introduce uncertainty into the bankruptcy sale and approval process), but the establishment of this avenue for review is likely to be welcomed by parties to hospital system bankruptcy actions.

On February 25, 2025, President Donald Trump issued an Executive Order titled “Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information” (the 2025 Order). The 2025 Order directs federal agencies to take various actions to prioritize enforcement of healthcare price transparency requirements for hospitals and health plans “to support a more competitive, innovative, affordable, and higher quality healthcare system.”

Price Transparency Rules Background

The 2025 Order follows a 2019 Executive Order issued by then-President Trump titled “Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First” (the Price Transparency Order). That 2019 Price Transparency Order resulted in the adoption of regulations commonly called the Hospital Price Transparency Rules. Those Rules, in pertinent part, require hospitals to maintain a consumer-friendly display of pricing information for up to 300 shoppable services and a machine-readable file with negotiated rates for every single service the hospital provides. Read our previous analysis of the 2019 Price Transparency Order here, and our analysis of a 2024 OIG audit of hospital compliance with the Price Transparency Rules here.

2025 Price Transparency Executive Order Requirements

The 2025 Order now tasks the Departments of Treasury, Labor, and Health and Human Services with taking “all necessary and appropriate action” to implement and enforce the Hospital Price Transparency Rules because “hospitals and health plans were not adequately held to account when their price transparency data was incomplete or not even posted at all.”

Specifically, within 90 days of the 2025 Order, the federal agencies must:

(a) require the disclosure of the actual prices of items and services, not estimates; 

(b) issue updated guidance or proposed regulatory action ensuring pricing information is standardized and
easily comparable across hospitals and health plans; and

(c) issue guidance or proposed regulatory action updating enforcement policies designed to ensure
compliance with the transparent reporting of complete, accurate, and meaningful data.

Notably, the phrase “actual prices of items and services” is not defined in the Order, and the express rebuke of pricing “estimates” appears to run counter to the approach taken under the No Surprises Act regulations (requiring the provision of good faith estimates) and certain state laws that require health care providers to furnish estimates to patients upon request. Whether and to what extent the agencies define these terms in subsequent guidance and/or rulemaking will be essential for health care organizations to monitor.

Takeaways for Health Care Organizations

Prior to the 2025 Order, the Centers for Medicaid and Medicare Services (CMS) had already issued civil monetary penalties for non-compliance with the Hospital Price Transparency Rules, and the 2025 Order appears intended to ramp up that type of enforcement action.

Hospitals, health plans, and providers should expect further guidance and enforcement information from these federal agencies during the 90-day period, which ends May 26, 2025. Regardless, health care organizations would be well-advised to review their price transparency processes and information available for consumers, as well as their policies to prepare for closer scrutiny of pricing disclosure practices. Additional information about the current Hospital Price Transparency Rules is available from CMS here.

This post is co-authored with Health Care Enforcement + False Claims Act Litigation team members Theresa Lane, Edward Heath, and Seth Orkand.

In a much-anticipated decision, the First Circuit unanimously ruled the government and relators must prove that a violation of the federal Anti-Kickback Statute (AKS) was the “but-for” cause of a false claim under the False Claims Act (FCA). By adopting the more stringent “but-for” causation standard, the First Circuit now joins the Sixth and Eighth Circuits, forming a majority regarding the applicable causation standard.

A victory for laboratories and healthcare entities, this decision sets a higher standard for relators and the government to prove FCA claims predicated on AKS violations. Notably, the First Circuit’s decision affirms the causation standard Judge Patti B. Saris recently applied in OMNI Healthcare, Inc. et al. v. MD Spine Solutions LLC when granting the defendant’s summary judgment motion.[1] Robinson+Cole represented MD Spine Solutions LLC.

In U.S. v. Regeneron Pharmaceuticals, Inc., the government alleged Regeneron improperly funneled over 60 million dollars to the Chronic Disease Fund (CDF) to subsidize patient copays for Eylea, a drug manufactured by Regeneron.[2] Specifically, the government argued that the CDF payments were meant to incentivize physicians to write more prescriptions of Eylea, which Regeneron would submit for reimbursement under the Medicare Part B program.[3] The government claimed Regeneron’s purported kickback scheme caused false claim submissions.[4] On summary judgment, Chief Judge Dennis F. Saylor concluded that “but-for” causation was the proper standard to determine whether the government could show that Regeneron’s donations resulted in false claims, creating a split among judges in the District of Massachusetts.[5]

On appeal, the First Circuit was asked to determine the proper standard of causation required to turn an AKS violation into a per se false claim under the FCA, thus resolving the intra-district split. In dispute was the meaning “resulting from” as used in the 2010 amendment to the AKS.[6] The 2010 amendment states that “a claim [for payment by a federal healthcare program] that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of” the FCA.[7]

The government urged the First Circuit to follow the Third Circuit and adopt the less stringent causation standard. In 2018, the Third Circuit hadf interpreted “resulting from” to mean a plaintiff must show a “causal link” between an illegal remuneration and a subsequent reimbursement claim.[8] Regeneron asserted that “resulting from” required the plaintiff to prove that a kickback actually caused a healthcare provider to prescribe a different treatment, therefore submitting a false claim.[9]

In a 28-page decision released February 18, 2025, the First Circuit agreed with Regeneron and affirmed the district court’s ruling that the government must prove that an AKS violation was the “but-for” cause of the false claim.[10] In reaching this decision, the First Circuit rejected the government’s contention that this issue had already been decided in the circuit.. In Guilfoile v. Shields, [11] the court had stated that “if there is a sufficient causal connection between an AKS violation and [a] claim submitted to the federal government, that the claim is false within the meaning of the FCA” in reference to the 2010 amendment.[12] The government highlighted that the Guilfoile Court cited the Third Circuit’s opinion when making this statement.[13] However, the First Circuit found that its prior dicta in Guilfoile did not control because the court explicitly asserted that “the issue before us is not the standard for proving an FCA violation based on the AKS, but rather the requirements for pleading an FCA retaliation claim.”[14] By determining that Guilfoile did not guide its decision, the First Circuit analyzed the statutory text of the phrase “resulting from” and found that “there is no language in the 2010 amendment that by itself runs counter to the presumption that ‘resulting from’ calls for but-for causation.”[15]

The government next argued that the absence of a required causation standard to establish criminal AKS liability suggested that minimal causation should be required to prove civil AKS liability.[16] Again, the First Circuit remained unpersuaded and concluded that “the criminal provisions of the AKS serve a different purpose than the provisions of linking an AKS violation to FCA falsity.”[17] The court stated, “[c]riminal liability under the AKS exists to protect patients from doctors whose medical judgments might be clouded by improper financial considerations,” whereas “the chief purpose of the FCA’s civil penalties is to provide for restitution to the government of money taken by fraud.”[18] Additionally, the First Circuit noted that because the FCA creates a civil cause of action for private citizens, “it makes sense for the 2010 amendment to render a claim false (for FCA purposes) only when a kickback is the cause of that claim’s submission to the government.”[19]

Finally, the First Circuit indicated that, despite adopting the stricter “but-for” causation standard, plaintiffs are not barred from bringing an FCA case premised on AKS violations when based on a “false certification theory.” Under this theory, it is not the AKS violation that renders the claim false; it is the false representation that there is no AKS violation.[20] The First Circuit clarified the distinction between the separate types of false claims by stating, “[p]ut simply, claims under the 2010 amendment run a separate track than do claims under a false-certification theory.”[21]

The First Circuit’s interpretation of the phrase “resulting from” has significant implications for the government and relators who routinely bring civil actions for damages under the FCA based on AKS violations. In fiscal year 2023, the government settled or had judgments under the FCA exceeding $1.8 billion.[22] Federal agencies recovered over $3.4 billion in restitution and compensatory damages, with relators receiving over $462 million.[23] With the federal appellate courts split (the majority favoring the “but-for” causation standard) and the possibility of the government seeking certiorari from the Supreme Court of the United States in Regeneron, it is likely that, moving forward, the government and relators will heavily rely on the false certification theory in AKS cases rather than attempting to prove the “but-for” causation standard.


[1] OMNI Healthcare, Inc. et al. v. MD Spine Solutions LLC, No. 18-cv-12558, 2025 WL 32676, at *8-9 (D. Mass. Jan. 6, 2025) (concluding that the phrase “resulting from” in the 2010 amendment of the AKS requires a showing of but-for causation).

[2] U.S. v. Regeneron Pharmaceuticals, Inc., No. 20-11217-FDS, 2023 WL 6296393, at *1 (D. Mass. Sept. 27, 2023).

[3] Id.

[4] Id.

[5] Id. at *10-11; cf. U.S. v. Teva Pharmaceuticals USA, Inc., 682 F. Supp. 3d 142, 148 (2023) (rejecting the “but-for” causation standard and holding if there is sufficient casual connection between an AKS violation and a claim submitted to the federal government, that claim is false within the meaning of the FCA).

[6] 42 U.S.C. § 1320a-7b; see U.S. v. Regeneron Pharmaceuticals, Inc., No. 23-2086, at *3 (1st Cir. Feb. 18, 2025).

[7] 31 U.S.C. § 3729-33.

[8]  U.S. ex rel. Greenfield v. Medco Health Sols. Inc., 880 F. 3d 89, 100 (3d Cir. 2018).

[9] Regeneron Pharmaceuticals, Inc., No. 23-2086, at  *7.

[10] Id. at *8.

[11] Guilfoile v. Shields, 913 F.3d 178 (1st Ct. 2019).

[12] Id. at 190.

[13] Regeneron Pharmaceuticals, Inc., No. 23-2086, at *9.

[14] Id. at *9-10. See also Guilfoile, 913 F.3d at 190.

[15] Regeneron Pharmaceuticals, Inc., No. 23-2086, at *14.

[16] Id. at *17.

[17] Id. at *18.

[18] Id.

[19] Id.

[20] Id. at *20.

[21] Id. at *23.

[22] U.S. Department of Justice and U.S. Department of Health and Human Services, Annual Report of the Departments of Health and Human Services and Justice Health Care Fraud and Abuse Control Program FY 2023, available at  https://oig.hhs.gov/documents/hcfac/10087/HHS%20OIG%20FY%202023%20HCFAC.pdf

[23] Id.

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team.

Massachusetts has expanded regulatory oversight of health care transactions by imposing False Claims Act liability on health care owners and investors for changes including failure to disclose violations. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act). Among other matters, the Act aims to strengthen oversight of private equity investors and related entities in the health care industry, including the expansion of the investigatory and enforcement powers of the Massachusetts Attorney General as they relate to health care activities. The Act also intends to fill perceived gaps in regulatory oversight, that many view as contributors to the Steward Health Care bankruptcy and related hospital closures across Massachusetts, by directly addressing regulation of for-profit health care entities and private equity ownership.

The following Act provisions expand the authority of the Massachusetts Health Policy Commission (HPC), Center for Health Information and Analysis (CHIA), and Attorney General’s Office (AGO) to oversee private equity investors and related entities, including through expansions of HPC’s existing oversight authority and extension of the Commonwealth’s state False Claims Statute (MA FCA) to owners and investors of violators. The Act also contains myriad changes impacting the health care industry. It strengthens regulatory oversight over private equity, pharmacy benefit managers, real estate investment trusts (REITs), management service organizations (MSOs), and other industry participants.

Expansions of HPC and AGO authority under the Act:

  • Establish new definitions for entities involved in, or related to, private equity operations [1]:
    • “Health care real estate investment trust,” a real estate investment trust, as defined by 26 U.S.C § 856, whose assets consist of real property held in connection with the use or operations of a provider or provider organization.
    • “Private equity company,” any company that collects capital investments from individuals or entities and purchases, as a parent company or through another entity that the company completely or partially owns or controls, a direct or indirect ownership share of a provider, provider organization or management services organization; provided, however, that “private equity company” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
    • “Significant equity investor,” (i) any private equity company with a financial interest in a provider, provider organization, or management services organization; or (ii) an investor, group of investors, or other entity with a direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of a provider, provider organization, or management services organization; provided, however, that “significant equity investor” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
    • “Management services organization,” a corporation that provides management or administrative services to a provider or provider organization for compensation.
  • Revise the composition, necessary expertise, and responsibility for appointments to the HPC Board [2]. While the Board will continue to consist of 11 members, the Commissioner of Insurance is now a required member, as are appointed individuals with expertise in representing hospitals and hospital systems and in health care innovation, including pharmaceuticals, biotechnology, or medical devices. However, the HPC will no longer require membership of the Secretary for Administration and Finance, a Primary Care Physician, and an individual with expertise as a health insurance purchaser representing management. Finally, the auditor is no longer responsible for appointments to the HPC Board; all members, other than the Secretary of Health and Human Services and Commissioner of Insurance, will now be appointed solely by the Governor or Attorney General. These changes may reflect a shift in priorities for regulatory oversight of hospital administration, health care innovation, and health care insurance.
  • Expand the HPC Notice of Material Change process [3]. As previously required, every provider or provider organization must provide notice of a “material change” not less than 60 days before the date of the proposed change. 
    • The previous statutory Notice of Material Change reporting requirements only covered:
      • mergers or acquisitions of hospitals or hospital systems;
      • a corporate merger, acquisition or affiliation of a provider or provider organization and a carrier;
      • an acquisition of insolvent provider organizations; and
      • mergers or acquisitions of provider organizations which will result in a provider organization having a near-majority of market share in a given service or region [4].
    • The Act expands the above-referenced statute mandating the reporting of “material change” requiring notice to the applicable government agencies to also include the following: 
      • significant expansions in a provider or provider organization’s capacity;
      • transactions involving a significant equity investor which result in a change of ownership or control of a provider or provider organization;
      • significant acquisitions, sales, or transfers of assets including, but not limited to, real estate sale lease-back arrangements; and
      • conversion of a provider or provider organization from a non-profit entity to a for-profit entity.
    • The Act also changes the current material change reporting threshold for mergers or acquisitions of a provider organization, which will result in a provider organization having a near-majority market share in a given service or region to a “dominant” market share in a given service or region.
    • Adoption of implementing regulations. While the Act does not include financial thresholds for reporting, the Act does direct the HPC to adopt regulations for administering the section, conduct cost and market impact reviews, and allow filing thresholds to be adopted in the regulations, subject to annual adjustments based on inflation [5]. 
  • Expands the HPC Cost and Market Impact Review process as follows:
    • HPC may now require significant equity investors, as well as other parties involved, in a given transaction to submit documents and information in connection with a Notice of Material Change or Cost and Market Impact Review [6].
    • HPC may require submitting certain information regarding the significant equity investor’s capital structure, general financial condition, ownership and management structure, and audited financial statements.
    • HPC may require submitting certain post-transaction data and information for up to five years following the material change date. Such data collection significantly expands the power and task, including the ability to assess post-transaction impacts. 
    • Expands the factors HPC may consider as part of the Cost and Market Impact Review by also reviewing [7]:
      • the size and market share of any corporate affiliates or significant equity investors of the provider or provider organization;
      • the inventory of health care resources maintained by the DPH; and
      • any related data or reports from the Office of Health Resource Planning.
  • Expands the scope of the HPC’s examination of costs, prices, and cost trends, as follows [7]:
    • The HPC cost trends hearings will include an examination of any relevant impacts of significant equity investors, health care REITs, and MSOs on costs, prices, and cost trends. Stakeholders from these organizations associated with a provider organization will now be required to testify at the HPC’s annual cost trends hearing concerning: “health outcomes, prices charged to insurers and patients, staffing levels, clinical workflow, financial stability and ownership structure of an associated provider or provider organization, dividends paid out to investors, compensation including, but not limited to, base salaries, incentives, bonuses, stock options, deferred compensations, benefits and contingent payments to officers, managers and directors of provider organizations in the commonwealth acquired, owned or managed, in whole or in part, by said significant equity investors, health care real estate investment trusts or management services organizations.”
    • The HPC will utilize new data collected as part of the Registered Provider Organization process. The Act revised this process to require submissions from significant equity investors, health care real estate investment trusts, and management services organizations regarding ownership, governance, and organizational information.

Given the broad, sweeping nature of the changes, additional regulations and guidance should be expected. Our team will continue to monitor such activity to help provider organizations transacting in Massachusetts to prepare for the implementation of the statute and forthcoming regulations.


[1] To be codified at M.G.L. c. 6D, §. 1.

[2] To be codified at M.G.L. c. 6D, §. 2.

[3] To be codified at M.G.L. c. 6D, § 13.

[4] To be codified at M.G.L. c. 6D, § 13.

[5] To be codified at M.G.L. c. 6D, § 13.

[6] To be codified at M.G.L. c. 6D, § 13.

[7] To be codified at M.G.L. c. 6D, §§ 13, 8.

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team.

Under a new 2025 law, Massachusetts is one of the first in the nation to broaden its state False Claims Act (FCA) to require disclosures by investors and owners of health care entities. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act), significantly changing Massachusetts’s regulatory and enforcement landscape. As discussed in further detail here, the law imposes FCA liability against investors and focuses on private equity and corporate ownership in health care. While this Act appears to be the first direct codification of FCA liability, it is consistent with the Department of Justice (DOJ) and Office of the Inspector General, U.S. Department of Health and Human Services’ (HHS-OIG) recent focus on private equity and the impact on health care.[1] While the DOJ has focused on private equity firms that allegedly knew of misconduct at portfolio companies and failed to stop it through their involvement in the operations of those companies, the MA FCA goes further by imposing liability on health care investors for merely being aware of misconduct and failing to report it to the state.

H. 5159 expands the scope of the MA FCA enforced by the Commonwealth’s Attorney General[2] to apply to any person who has an “ownership or investment interest” and any person who violates the false claim statute that “knowingly” or “knows” about the violation[3] and fails to disclose the violation to the government within 60 days of identifying the violation. This is a significant expansion of the traditional protections afforded by the corporate veil and appears to be designed to hold private equity and other owners liable if they become aware of any MA FCA violations and fail to take action. 

As part of the expansion, the Act defines “ownership or investment interest” as any: (1) direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of an entity; (2) interest held by an investor or group of investors who engages in the raising or returning of capital and who invests, develops, or disposes of specified assets; or (3) interest held by a pool of funds by investors, including a pool of funds managed or controlled by private limited partnerships, if those investors or the management of that pool or private limited partnership employ investment strategies of any kind to earn a return on that pool of funds. This amendment clearly expands MA FCA liability to private equity investors and appears to codify the Massachusetts Attorney General’s approach in an October 2021 settlement with a private equity firm and former executives of South Bay Mental Health Center, Inc. for allegedly causing the submission of false claims submitted to MA’s Medicaid program.[4] 

Additional enforcement mechanisms codified in the Act include expanding the Attorney General’s authority to obtain information as part of a civil investigative demand from significant equity investors, health care real estate investment trusts, or management services organizations.[5]

We will continue to monitor this activity and any resulting litigation and its possible impact on organizations transacting business in Massachusetts.


[1] https://www.mass.gov/news/private-equity-firm-and-former-mental-health-center-executives-pay-25-million-over-alleged-false-claims-submitted-for-unlicensed-and-unsupervised-patient-care.

[2] To be codified at MGL 12, s. 11N.

[3] For example, see Justice Department, Federal Trade Commission and Department of Health and Human Services Issue Request for Public Input as Part of Inquiry into Impacts of Corporate Ownership Trend in Health Care, available at https://www.justice.gov/opa/pr/justice-department-federal-trade-commission-and-department-health-and-human-services-issue; see also, https://www.hhs.gov/about/news/2025/01/15/hhs-releases-report-consolidation-private-equity-health-care-markets.html

[4] To be codified at MGL 12, §§ 5A and 5B. 

[5] The Act clarifies that “knowing,” “knowingly,” or “knows” all mean “possessing actual knowledge of relevant information, acting with deliberate ignorance of the truth or falsity of the information or acting in reckless disregard of the truth or falsity of the information; provided, however, that no proof of specific intent to defraud shall be required.”