*This post was authored with Paul Palma, law intern at Robinson+Cole. Paul is not admitted to practice law.

On March 3, 2025, Connecticut Governor Ned Lamont signed a law establishing a new process for hospitals in bankruptcy to apply for an “emergency certificate of need” (CON) to approve a transfer of ownership. The law, titled  “An Act Concerning An Emergency Certificate Of Need Application Process For Transfers Of Ownership Of Hospitals That Have Filed For Bankruptcy Protection, The Assessment Of Motor Vehicles For Property Taxation, A Property Tax Exemption For Veterans Who Are Permanently And Totally Disabled And Funding Of The Special Education Excess Cost Grant” (the “Act”), was passed by the Connecticut Legislature though its emergency certification process in order to expedite its approval, presumably to allow the law and new process to be available for CON review of the potential sale(s) of Prospect Medical hospitals in Connecticut expected this year.

Emergency CON Process

Under the Act, the emergency CON process is to be available when “(1) the hospital subject to the transfer of ownership has filed for bankruptcy protection in any court of competent jurisdiction, and (2) a potential purchaser for such hospital has been or is required to be approved by a bankruptcy court.”

The Act requires the Office of Health Strategy (OHS) to:

  • Develop an emergency CON application for parties to utilize, and in doing so OHS must “identify any data necessary to analyze the effects of a hospital’s transfer of ownership on health care costs, quality and access in the affected market.”
    • Notably, if the buyer is a for-profit entity, OHS is permitted to require additional information to ensure that the continuing operation of the hospital is in the public interest.
  • Make a “completeness” determination on a submitted application within 3 business days.

Once an emergency CON application is deemed complete, OHS may – but is not required to – hold a public hearing within 30 days thereafter, and if a hearing is held OHS must notify the applicant(s) at least 5 days in advance of the hearing date. The Act provides that a public hearing or other proceeding related to review of an emergency CON is not a “contested case” under the state’s Uniform Administrative Procedure Act, which limits the procedural and appeal rights of the applicant(s). The Act also allows OHS to contract with third-party consultants to analyze the effects of the transfer on cost, access, and quality in the community, with the cost borne by the applicant(s) and not to exceed $200,000.

Emergency CON Decisions and Conditions

The Act requires final decisions on emergency CONs to be issued within 60 days of the application being deemed complete. Importantly, OHS is required to “consider the effect of the hospital’s bankruptcy on the patients and communities served by the hospital and the applicant’s plans to restore financial viability” when issuing the final decision. The Act also permits OHS to “impose any condition on an approval of an emergency” CON, as long as OHS includes its rationale (legal and factual) for imposing the condition and the specific CON criterion that the condition relates to, and that such condition is reasonably tailored in time and scope. The Act also expressly provides that any condition imposed by OHS on the approval of an emergency CON will apply to the applicant(s), including any hospital subject to the transfer of ownership “and any subsidiary or group practice that would otherwise require” a CON under state law that is part of the bankruptcy sale. However, the Act does allow the applicant(s) to request a modification of conditions for good cause, including due to changed circumstances or hardship.

Finally, the Act provides that the final decision on an emergency CON, including any conditions imposed by OHS as part of the decision, is not subject to appeal.

Takeaways

The Act seeks to establish a clear expedited pathway for CON review of hospital (and health system) sales as part of the bankruptcy process.  The specific process, including the form of application, is likely to be rolled out quickly by OHS to be available as part of the resolution of the Prospect Medical bankruptcy process anticipated to occur during 2025. The ultimate efficacy of the process will depend upon the specific data sought as part of the emergency CON process, and on the scope of any conditions imposed by OHS on the sales (which could introduce uncertainty into the bankruptcy sale and approval process), but the establishment of this avenue for review is likely to be welcomed by parties to hospital system bankruptcy actions.

On February 25, 2025, President Donald Trump issued an Executive Order titled “Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information” (the 2025 Order). The 2025 Order directs federal agencies to take various actions to prioritize enforcement of healthcare price transparency requirements for hospitals and health plans “to support a more competitive, innovative, affordable, and higher quality healthcare system.”

Price Transparency Rules Background

The 2025 Order follows a 2019 Executive Order issued by then-President Trump titled “Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First” (the Price Transparency Order). That 2019 Price Transparency Order resulted in the adoption of regulations commonly called the Hospital Price Transparency Rules. Those Rules, in pertinent part, require hospitals to maintain a consumer-friendly display of pricing information for up to 300 shoppable services and a machine-readable file with negotiated rates for every single service the hospital provides. Read our previous analysis of the 2019 Price Transparency Order here, and our analysis of a 2024 OIG audit of hospital compliance with the Price Transparency Rules here.

2025 Price Transparency Executive Order Requirements

The 2025 Order now tasks the Departments of Treasury, Labor, and Health and Human Services with taking “all necessary and appropriate action” to implement and enforce the Hospital Price Transparency Rules because “hospitals and health plans were not adequately held to account when their price transparency data was incomplete or not even posted at all.”

Specifically, within 90 days of the 2025 Order, the federal agencies must:

(a) require the disclosure of the actual prices of items and services, not estimates; 

(b) issue updated guidance or proposed regulatory action ensuring pricing information is standardized and
easily comparable across hospitals and health plans; and

(c) issue guidance or proposed regulatory action updating enforcement policies designed to ensure
compliance with the transparent reporting of complete, accurate, and meaningful data.

Notably, the phrase “actual prices of items and services” is not defined in the Order, and the express rebuke of pricing “estimates” appears to run counter to the approach taken under the No Surprises Act regulations (requiring the provision of good faith estimates) and certain state laws that require health care providers to furnish estimates to patients upon request. Whether and to what extent the agencies define these terms in subsequent guidance and/or rulemaking will be essential for health care organizations to monitor.

Takeaways for Health Care Organizations

Prior to the 2025 Order, the Centers for Medicaid and Medicare Services (CMS) had already issued civil monetary penalties for non-compliance with the Hospital Price Transparency Rules, and the 2025 Order appears intended to ramp up that type of enforcement action.

Hospitals, health plans, and providers should expect further guidance and enforcement information from these federal agencies during the 90-day period, which ends May 26, 2025. Regardless, health care organizations would be well-advised to review their price transparency processes and information available for consumers, as well as their policies to prepare for closer scrutiny of pricing disclosure practices. Additional information about the current Hospital Price Transparency Rules is available from CMS here.

This post is co-authored with Health Care Enforcement + False Claims Act Litigation team members Theresa Lane, Edward Heath, and Seth Orkand.

In a much-anticipated decision, the First Circuit unanimously ruled the government and relators must prove that a violation of the federal Anti-Kickback Statute (AKS) was the “but-for” cause of a false claim under the False Claims Act (FCA). By adopting the more stringent “but-for” causation standard, the First Circuit now joins the Sixth and Eighth Circuits, forming a majority regarding the applicable causation standard.

A victory for laboratories and healthcare entities, this decision sets a higher standard for relators and the government to prove FCA claims predicated on AKS violations. Notably, the First Circuit’s decision affirms the causation standard Judge Patti B. Saris recently applied in OMNI Healthcare, Inc. et al. v. MD Spine Solutions LLC when granting the defendant’s summary judgment motion.[1] Robinson+Cole represented MD Spine Solutions LLC.

In U.S. v. Regeneron Pharmaceuticals, Inc., the government alleged Regeneron improperly funneled over 60 million dollars to the Chronic Disease Fund (CDF) to subsidize patient copays for Eylea, a drug manufactured by Regeneron.[2] Specifically, the government argued that the CDF payments were meant to incentivize physicians to write more prescriptions of Eylea, which Regeneron would submit for reimbursement under the Medicare Part B program.[3] The government claimed Regeneron’s purported kickback scheme caused false claim submissions.[4] On summary judgment, Chief Judge Dennis F. Saylor concluded that “but-for” causation was the proper standard to determine whether the government could show that Regeneron’s donations resulted in false claims, creating a split among judges in the District of Massachusetts.[5]

On appeal, the First Circuit was asked to determine the proper standard of causation required to turn an AKS violation into a per se false claim under the FCA, thus resolving the intra-district split. In dispute was the meaning “resulting from” as used in the 2010 amendment to the AKS.[6] The 2010 amendment states that “a claim [for payment by a federal healthcare program] that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of” the FCA.[7]

The government urged the First Circuit to follow the Third Circuit and adopt the less stringent causation standard. In 2018, the Third Circuit hadf interpreted “resulting from” to mean a plaintiff must show a “causal link” between an illegal remuneration and a subsequent reimbursement claim.[8] Regeneron asserted that “resulting from” required the plaintiff to prove that a kickback actually caused a healthcare provider to prescribe a different treatment, therefore submitting a false claim.[9]

In a 28-page decision released February 18, 2025, the First Circuit agreed with Regeneron and affirmed the district court’s ruling that the government must prove that an AKS violation was the “but-for” cause of the false claim.[10] In reaching this decision, the First Circuit rejected the government’s contention that this issue had already been decided in the circuit.. In Guilfoile v. Shields, [11] the court had stated that “if there is a sufficient causal connection between an AKS violation and [a] claim submitted to the federal government, that the claim is false within the meaning of the FCA” in reference to the 2010 amendment.[12] The government highlighted that the Guilfoile Court cited the Third Circuit’s opinion when making this statement.[13] However, the First Circuit found that its prior dicta in Guilfoile did not control because the court explicitly asserted that “the issue before us is not the standard for proving an FCA violation based on the AKS, but rather the requirements for pleading an FCA retaliation claim.”[14] By determining that Guilfoile did not guide its decision, the First Circuit analyzed the statutory text of the phrase “resulting from” and found that “there is no language in the 2010 amendment that by itself runs counter to the presumption that ‘resulting from’ calls for but-for causation.”[15]

The government next argued that the absence of a required causation standard to establish criminal AKS liability suggested that minimal causation should be required to prove civil AKS liability.[16] Again, the First Circuit remained unpersuaded and concluded that “the criminal provisions of the AKS serve a different purpose than the provisions of linking an AKS violation to FCA falsity.”[17] The court stated, “[c]riminal liability under the AKS exists to protect patients from doctors whose medical judgments might be clouded by improper financial considerations,” whereas “the chief purpose of the FCA’s civil penalties is to provide for restitution to the government of money taken by fraud.”[18] Additionally, the First Circuit noted that because the FCA creates a civil cause of action for private citizens, “it makes sense for the 2010 amendment to render a claim false (for FCA purposes) only when a kickback is the cause of that claim’s submission to the government.”[19]

Finally, the First Circuit indicated that, despite adopting the stricter “but-for” causation standard, plaintiffs are not barred from bringing an FCA case premised on AKS violations when based on a “false certification theory.” Under this theory, it is not the AKS violation that renders the claim false; it is the false representation that there is no AKS violation.[20] The First Circuit clarified the distinction between the separate types of false claims by stating, “[p]ut simply, claims under the 2010 amendment run a separate track than do claims under a false-certification theory.”[21]

The First Circuit’s interpretation of the phrase “resulting from” has significant implications for the government and relators who routinely bring civil actions for damages under the FCA based on AKS violations. In fiscal year 2023, the government settled or had judgments under the FCA exceeding $1.8 billion.[22] Federal agencies recovered over $3.4 billion in restitution and compensatory damages, with relators receiving over $462 million.[23] With the federal appellate courts split (the majority favoring the “but-for” causation standard) and the possibility of the government seeking certiorari from the Supreme Court of the United States in Regeneron, it is likely that, moving forward, the government and relators will heavily rely on the false certification theory in AKS cases rather than attempting to prove the “but-for” causation standard.

[1] OMNI Healthcare, Inc. et al. v. MD Spine Solutions LLC, No. 18-cv-12558, 2025 WL 32676, at *8-9 (D. Mass. Jan. 6, 2025) (concluding that the phrase “resulting from” in the 2010 amendment of the AKS requires a showing of but-for causation).

[2] U.S. v. Regeneron Pharmaceuticals, Inc., No. 20-11217-FDS, 2023 WL 6296393, at *1 (D. Mass. Sept. 27, 2023).

[3] Id.

[4] Id.

[5] Id. at *10-11; cf. U.S. v. Teva Pharmaceuticals USA, Inc., 682 F. Supp. 3d 142, 148 (2023) (rejecting the “but-for” causation standard and holding if there is sufficient casual connection between an AKS violation and a claim submitted to the federal government, that claim is false within the meaning of the FCA).

[6] 42 U.S.C. § 1320a-7b; see U.S. v. Regeneron Pharmaceuticals, Inc., No. 23-2086, at *3 (1st Cir. Feb. 18, 2025).

[7] 31 U.S.C. § 3729-33.

[8]  U.S. ex rel. Greenfield v. Medco Health Sols. Inc., 880 F. 3d 89, 100 (3d Cir. 2018).

[9] Regeneron Pharmaceuticals, Inc., No. 23-2086, at  *7.

[10] Id. at *8.

[11] Guilfoile v. Shields, 913 F.3d 178 (1st Ct. 2019).

[12] Id. at 190.

[13] Regeneron Pharmaceuticals, Inc., No. 23-2086, at *9.

[14] Id. at *9-10. See also Guilfoile, 913 F.3d at 190.

[15] Regeneron Pharmaceuticals, Inc., No. 23-2086, at *14.

[16] Id. at *17.

[17] Id. at *18.

[18] Id.

[19] Id.

[20] Id. at *20.

[21] Id. at *23.

[22] U.S. Department of Justice and U.S. Department of Health and Human Services, Annual Report of the Departments of Health and Human Services and Justice Health Care Fraud and Abuse Control Program FY 2023, available at  https://oig.hhs.gov/documents/hcfac/10087/HHS%20OIG%20FY%202023%20HCFAC.pdf

[23] Id.

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team.

Massachusetts has expanded regulatory oversight of health care transactions by imposing False Claims Act liability on health care owners and investors for changes including failure to disclose violations. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act). Among other matters, the Act aims to strengthen oversight of private equity investors and related entities in the health care industry, including the expansion of the investigatory and enforcement powers of the Massachusetts Attorney General as they relate to health care activities. The Act also intends to fill perceived gaps in regulatory oversight, that many view as contributors to the Steward Health Care bankruptcy and related hospital closures across Massachusetts, by directly addressing regulation of for-profit health care entities and private equity ownership.

The following Act provisions expand the authority of the Massachusetts Health Policy Commission (HPC), Center for Health Information and Analysis (CHIA), and Attorney General’s Office (AGO) to oversee private equity investors and related entities, including through expansions of HPC’s existing oversight authority and extension of the Commonwealth’s state False Claims Statute (MA FCA) to owners and investors of violators. The Act also contains myriad changes impacting the health care industry. It strengthens regulatory oversight over private equity, pharmacy benefit managers, real estate investment trusts (REITs), management service organizations (MSOs), and other industry participants.

Expansions of HPC and AGO authority under the Act:

  • Establish new definitions for entities involved in, or related to, private equity operations [1]:
    • “Health care real estate investment trust,” a real estate investment trust, as defined by 26 U.S.C § 856, whose assets consist of real property held in connection with the use or operations of a provider or provider organization.
    • “Private equity company,” any company that collects capital investments from individuals or entities and purchases, as a parent company or through another entity that the company completely or partially owns or controls, a direct or indirect ownership share of a provider, provider organization or management services organization; provided, however, that “private equity company” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
    • “Significant equity investor,” (i) any private equity company with a financial interest in a provider, provider organization, or management services organization; or (ii) an investor, group of investors, or other entity with a direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of a provider, provider organization, or management services organization; provided, however, that “significant equity investor” shall not include venture capital firms exclusively funding startups or other early-stage businesses.
    • “Management services organization,” a corporation that provides management or administrative services to a provider or provider organization for compensation.
  • Revise the composition, necessary expertise, and responsibility for appointments to the HPC Board [2]. While the Board will continue to consist of 11 members, the Commissioner of Insurance is now a required member, as are appointed individuals with expertise in representing hospitals and hospital systems and in health care innovation, including pharmaceuticals, biotechnology, or medical devices. However, the HPC will no longer require membership of the Secretary for Administration and Finance, a Primary Care Physician, and an individual with expertise as a health insurance purchaser representing management. Finally, the auditor is no longer responsible for appointments to the HPC Board; all members, other than the Secretary of Health and Human Services and Commissioner of Insurance, will now be appointed solely by the Governor or Attorney General. These changes may reflect a shift in priorities for regulatory oversight of hospital administration, health care innovation, and health care insurance.
  • Expand the HPC Notice of Material Change process [3]. As previously required, every provider or provider organization must provide notice of a “material change” not less than 60 days before the date of the proposed change. 
    • The previous statutory Notice of Material Change reporting requirements only covered:
      • mergers or acquisitions of hospitals or hospital systems;
      • a corporate merger, acquisition or affiliation of a provider or provider organization and a carrier;
      • an acquisition of insolvent provider organizations; and
      • mergers or acquisitions of provider organizations which will result in a provider organization having a near-majority of market share in a given service or region [4].
    • The Act expands the above-referenced statute mandating the reporting of “material change” requiring notice to the applicable government agencies to also include the following: 
      • significant expansions in a provider or provider organization’s capacity;
      • transactions involving a significant equity investor which result in a change of ownership or control of a provider or provider organization;
      • significant acquisitions, sales, or transfers of assets including, but not limited to, real estate sale lease-back arrangements; and
      • conversion of a provider or provider organization from a non-profit entity to a for-profit entity.
    • The Act also changes the current material change reporting threshold for mergers or acquisitions of a provider organization, which will result in a provider organization having a near-majority market share in a given service or region to a “dominant” market share in a given service or region.
    • Adoption of implementing regulations. While the Act does not include financial thresholds for reporting, the Act does direct the HPC to adopt regulations for administering the section, conduct cost and market impact reviews, and allow filing thresholds to be adopted in the regulations, subject to annual adjustments based on inflation [5]. 
  • Expands the HPC Cost and Market Impact Review process as follows:
    • HPC may now require significant equity investors, as well as other parties involved, in a given transaction to submit documents and information in connection with a Notice of Material Change or Cost and Market Impact Review [6].
    • HPC may require submitting certain information regarding the significant equity investor’s capital structure, general financial condition, ownership and management structure, and audited financial statements.
    • HPC may require submitting certain post-transaction data and information for up to five years following the material change date. Such data collection significantly expands the power and task, including the ability to assess post-transaction impacts. 
    • Expands the factors HPC may consider as part of the Cost and Market Impact Review by also reviewing [7]:
      • the size and market share of any corporate affiliates or significant equity investors of the provider or provider organization;
      • the inventory of health care resources maintained by the DPH; and
      • any related data or reports from the Office of Health Resource Planning.
  • Expands the scope of the HPC’s examination of costs, prices, and cost trends, as follows [7]:
    • The HPC cost trends hearings will include an examination of any relevant impacts of significant equity investors, health care REITs, and MSOs on costs, prices, and cost trends. Stakeholders from these organizations associated with a provider organization will now be required to testify at the HPC’s annual cost trends hearing concerning: “health outcomes, prices charged to insurers and patients, staffing levels, clinical workflow, financial stability and ownership structure of an associated provider or provider organization, dividends paid out to investors, compensation including, but not limited to, base salaries, incentives, bonuses, stock options, deferred compensations, benefits and contingent payments to officers, managers and directors of provider organizations in the commonwealth acquired, owned or managed, in whole or in part, by said significant equity investors, health care real estate investment trusts or management services organizations.”
    • The HPC will utilize new data collected as part of the Registered Provider Organization process. The Act revised this process to require submissions from significant equity investors, health care real estate investment trusts, and management services organizations regarding ownership, governance, and organizational information.

Given the broad, sweeping nature of the changes, additional regulations and guidance should be expected. Our team will continue to monitor such activity to help provider organizations transacting in Massachusetts to prepare for the implementation of the statute and forthcoming regulations.

[1] To be codified at M.G.L. c. 6D, §. 1.

[2] To be codified at M.G.L. c. 6D, §. 2.

[3] To be codified at M.G.L. c. 6D, § 13.

[4] To be codified at M.G.L. c. 6D, § 13.

[5] To be codified at M.G.L. c. 6D, § 13.

[6] To be codified at M.G.L. c. 6D, § 13.

[7] To be codified at M.G.L. c. 6D, §§ 13, 8.

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team.

Under a new 2025 law, Massachusetts is one of the first in the nation to broaden its state False Claims Act (FCA) to require disclosures by investors and owners of health care entities. On January 8, 2025, Governor Maura Healey signed into law H.5159, An Act enhancing the market review process (the Act), significantly changing Massachusetts’s regulatory and enforcement landscape. As discussed in further detail here, the law imposes FCA liability against investors and focuses on private equity and corporate ownership in health care. While this Act appears to be the first direct codification of FCA liability, it is consistent with the Department of Justice (DOJ) and Office of the Inspector General, U.S. Department of Health and Human Services’ (HHS-OIG) recent focus on private equity and the impact on health care.[1] While the DOJ has focused on private equity firms that allegedly knew of misconduct at portfolio companies and failed to stop it through their involvement in the operations of those companies, the MA FCA goes further by imposing liability on health care investors for merely being aware of misconduct and failing to report it to the state.

H. 5159 expands the scope of the MA FCA enforced by the Commonwealth’s Attorney General[2] to apply to any person who has an “ownership or investment interest” and any person who violates the false claim statute that “knowingly” or “knows” about the violation[3] and fails to disclose the violation to the government within 60 days of identifying the violation. This is a significant expansion of the traditional protections afforded by the corporate veil and appears to be designed to hold private equity and other owners liable if they become aware of any MA FCA violations and fail to take action. 

As part of the expansion, the Act defines “ownership or investment interest” as any: (1) direct or indirect possession of equity in the capital, stock, or profits totaling more than ten percent of an entity; (2) interest held by an investor or group of investors who engages in the raising or returning of capital and who invests, develops, or disposes of specified assets; or (3) interest held by a pool of funds by investors, including a pool of funds managed or controlled by private limited partnerships, if those investors or the management of that pool or private limited partnership employ investment strategies of any kind to earn a return on that pool of funds. This amendment clearly expands MA FCA liability to private equity investors and appears to codify the Massachusetts Attorney General’s approach in an October 2021 settlement with a private equity firm and former executives of South Bay Mental Health Center, Inc. for allegedly causing the submission of false claims submitted to MA’s Medicaid program.[4] 

Additional enforcement mechanisms codified in the Act include expanding the Attorney General’s authority to obtain information as part of a civil investigative demand from significant equity investors, health care real estate investment trusts, or management services organizations.[5]

We will continue to monitor this activity and any resulting litigation and its possible impact on organizations transacting business in Massachusetts.

[1] https://www.mass.gov/news/private-equity-firm-and-former-mental-health-center-executives-pay-25-million-over-alleged-false-claims-submitted-for-unlicensed-and-unsupervised-patient-care.

[2] To be codified at MGL 12, s. 11N.

[3] For example, see Justice Department, Federal Trade Commission and Department of Health and Human Services Issue Request for Public Input as Part of Inquiry into Impacts of Corporate Ownership Trend in Health Care, available at https://www.justice.gov/opa/pr/justice-department-federal-trade-commission-and-department-health-and-human-services-issue; see also, https://www.hhs.gov/about/news/2025/01/15/hhs-releases-report-consolidation-private-equity-health-care-markets.html

[4] To be codified at MGL 12, §§ 5A and 5B. 

[5] The Act clarifies that “knowing,” “knowingly,” or “knows” all mean “possessing actual knowledge of relevant information, acting with deliberate ignorance of the truth or falsity of the information or acting in reckless disregard of the truth or falsity of the information; provided, however, that no proof of specific intent to defraud shall be required.”

At the close of 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the Proposed Rule) to amend the Security Rule regulations established for protecting electronic health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The updated regulations would increase cybersecurity protection requirements for electronic protected health information (ePHI) maintained by covered entities and their business associates to combat rising cyber threats in the health care industry.

The Proposed Rule seeks to strengthen the HIPAA Security Rule requirements in various ways, including:

  • Removing the “addressable” standard for security safeguard implementation specifications and making all implementation specifications “required.”
    • This, in turn, will require written documentation of all Security Rule policies and encryption of all ePHI, except in narrow circumstances.
  • Requiring the development or revision of technology asset inventories and network maps to illustrate the movement of ePHI throughout electronic information system(s) on an ongoing basis, to be addressed not less than annually and in response to updates to an entity’s environment or operations potentially affecting ePHI.
  • Setting forth specific requirements for conducting a risk analysis, including identifying all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, identifying potential vulnerabilities, and assigning a risk level for each threat and vulnerability identified.
  • Requiring prompt notification (within 24 hours) to other healthcare providers or business associates with access to an entity’s systems of a change or termination of a workforce member’s access to ePHI; in other words, entities will now be obligated to immediately communicate changes if an employee’s or contractor’s access to patient data is altered or revoked to mitigate the risk of unauthorized access to ePHI.
  • Establishing written procedures on how the entity will restore the loss of relevant electronic information systems and data within 72 hours.
  • Testing and revising written security incident response plans.
  • Requiring encryption of ePHI at rest and in transit.
  • Requiring specific security safeguards on workstations with access to ePHI and/or storage of ePHI, including anti-malware software, removal of extraneous software from ePHI systems, and disabling network ports pursuant to the entity’s risk analysis.
  • Requiring the use of multi-factor authentication (with limited exceptions).
  • Requiring vulnerability scanning at least every six (6) months and penetration testing at least once every year.
  • Requiring network segmentation.

The Proposed Rule notably includes some requirements specific to business associates only. These include a proposed new requirement for business associates to notify covered entities (and subcontractors to notify business associates) within 24 hours of activating their contingency plans. Business associates would also be required to verify, at least once a year, to their covered entity customers that the business associate has deployed the required technical safeguards to protect ePHI. This must be conducted by a subject matter expert who provides a written analysis of the business associate’s relevant electronic information systems and a written certification that the analysis has been performed and is accurate.

The Proposed Rule even includes a specific requirement for group health plans, requiring such plans to include in their plan documents requirements for their group health plan sponsors to comply with the administrative, physical, and technical safeguards of the Security Rule, requiring any agent to whom they provide ePHI to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans no more than 24 hours after activation of their contingency plans.

Ultimately, the Proposed Rule seeks to implement a comprehensive update of mandated security protections and protocols for covered entities and business associates, reflecting the significant changes in health care technology and cybersecurity in recent years. The Proposed Rule’s changes are also a tacit acknowledgment that current Security Rule standards have not kept up with threats or operational changes.

The government is soliciting comments on the Proposed Rule, and all public comments are due by March 7, 2025. Given the scope of the proposed changes and the heightened obligations for all individuals and entities subject to HIPAA, there will likely be many comments from various stakeholders. We will continue to follow the Proposed Rule and reactions thereto. The Proposed Rule is available here.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

*This post was authored by Nicole Benevento, law intern at Robinson+Cole. Nicole is not admitted to practice law.

The Food and Drug Administration (FDA) is being sued in two lawsuits after releasing its Final Rule on Laboratory Developed Tests (LDTs). The Final Rule requires laboratories to adhere to the same preapproval and post-marketing requirements of mass-produced medical devices.

In its Final Rule, the FDA emphasizes that the agency has always had the discretion to enforce legal requirements concerning LDTs. However, the FDA refrained from exercising this authority under the Medical Device Amendments of 1976, since LDTs were initially manufactured by specialized personnel in smaller volumes for a local patient population. Now that the landscape is riskier since LDTs are manufactured nationwide for diverse populations, the FDA holds that it may enforce these other applicable legal requirements.

After the Final Rule, two cases were filed challenging it. In American Clinical Laboratory Association et al v. U.S. Food and Drug Administration et al. (ACLA) and Association for Molecular Pathology and Michael Laposata v. U.S. Food and Drug Administration et al. (AMP), the plaintiffs argue that forcing labs to require the FDA to regulate professional laboratory testing will be a massive setback for the medical community, hindering medical innovation, reducing competition, imposing billions of dollars in regulatory mandates, and jeopardizing the health of millions of Americans. Both cases have been consolidated under ACLA and are pending in the United States District Court, Eastern District of Texas.

The now consolidated complaint asserts that the FDA has exceeded its statutory authority. Citing the Congressional Record, the plaintiffs argue that Congress authorized the FDA to regulate medical devices, specifically distinguishing between mass-produced medical devices manufactured for third-party use and customized LDTs, which are developed and performed by highly trained health care professionals working within a licensed and accredited facility. The complaint adds that Congress has not provided the FDA with the appropriate resources to implement this authority over thousands of testing services. The plaintiffs further contend that LDTs have already been subject to a distinct regulatory regime under the Clinical Laboratory Improvement Amendments (CLIA.) 

The plaintiffs filed a motion for summary judgment earlier this year, and the FDA filed a cross-motion for summary judgment and in opposition to the plaintiffs’  motion for summary judgment. On December 23, 2024, the plaintiffs filed their reply in the case, completing the briefing.

Docket Timeline

  • September 20, 2024:­ The motion to consolidate both lawsuits under ACLA was granted.
  • September 27, 2024: AMP plaintiffs submitted a summary judgment motion.
  • October 7, 2024: The Association for Diagnostics & Laboratory Medicine, American Association of Bioanalysts, American Society for Clinical Pathology, American Society for Microbiology, and the Infectious Disease Society of America filed an amicus brief supporting the plaintiffs’ position that the FDA’s final LDT rule exceeds the agency’s statutory authority. The brief urges the court to strike down the rule to avoid patient harm.
  • October 25, 2024: The defendants jointly respond to plaintiffs’ briefs.
  • November 25, 2024: Plaintiffs’ closing briefs filed.
  • December 23, 2024: Defendants’ closing brief in support of their cross-motion is filed.
  • Q1 2025: Oral argument before the court is anticipated.
  • May 6, 2025: Labs expected to comply with Final Rule Phase 1 requirements unless the challenge is successful or otherwise changed.

Plaintiffs’ Motion for Summary Judgement

ACLA’s September 2024 motion for summary judgment urged the court to vacate the Final Rule and enjoin the defendants from its enforcement. ACLA argued in principle that (1) the FDA faces a heavy burden to justify its classification of laboratory testing services as medical devices; (2) Congress did not grant the FDA authority to regulate professional laboratory-developed testing services in light of the major questions doctrine and statutory construction; and (3) the FDA lacks justification.

Similarly, AMP’s motion for summary judgment urges the court to vacate the Final Rule and enjoin the defendants from enforcement. AMP argues that (1) the Federal Food, Drug, and Cosmetic Act (FDCA) does not authorize the FDA to regulate LDTs as medical devices, and (2) the Final Rule is arbitrary and capricious.

The plaintiffs collectively assert that Congress only authorized the FDA to regulate devices (defined as tangible goods) to provide premarket review and postmarket action against misbranded or adulterated devices. As defined by Congress, LDTs are neither tangible goods nor commercially distributed. Under CLIA, LDTs are not devices, but as AMP noted, “multi-step, protocol-based procedures developed and performed by highly trained professionals within a laboratory.” Further, the FDA has never exercised oversight, and even when Congress strengthened CLIA’s regulatory framework in 1988, it refrained from extending laboratory oversight. The amended regulations imposed stringent quality and performance standards while allowing laboratories the flexibility needed to meet patient demand. The plaintiffs argue that per CLIA, laboratories’ biennial certification process is designed to continuously improve testing procedures.

In contrast, the FDA’s quality requirements are designed to keep commercial devices “static” and only monitor for adverse events. The motion also notes that, since 1976, the FDA has never formally expressed its belief that LDTs fall under the agency’s regulatory authority, nor at any point did Congress identify the agency as a regulator. Both plaintiffs argue that the FDA may not attempt to assert power under decades-old legislation after Congress has repeatedly declined to grant the agency that power. As a result, this is a “major questions” issue for the court to interpret.

The AMP motion also highlights that the FDCA clearly prohibits the FDA from interfering with or limiting the authority of a health care practitioner to prescribe any legally marketed device to a patient.

AMP also asserted that the Final Rule is arbitrary and capricious. AMP argues that the Final Rule mischaracterizes anecdotal reports the FDA used to justify the rule’s implementation. For instance, the FDA argues its “concerns” about LDTs have worsened over time; however, of the 160,800 LDTs currently in use, it has only identified 52 concerns since 2008. In response, AMP maintains that subjecting LDTs to the FDA’s enforcement process is not based on reasoned agency thinking and will instead incur billions per year in compliance costs, reduce competition, close laboratories, stifle innovation, and harm patients.

Both ACLA and AMP rely on the 2024 headline case of the Loper Bright Enterprises v. Raimondo decision to argue against the discretion given to the FDA. The Loper Bright ruling limited the extent to which federal agencies may interpret vague laws passed by Congress. In the motions, plaintiffs urge the court not to defer to an agency interpretation of a vague law but to rather “exercise its own independent judgment” and decide “whether the FDCA clearly and unambiguously authorizes FDA to regulate LDTs.”

FDA/DOJ Closing Reply Brief

The defendants’ closing reply brief,  asked that the court not order universal vacatur and, if the court rules against the defendants, to allow for further briefing on the subject of an appropriate remedy. In defense of their position, the defendants focused on: (1) the Final Rule did not implicate the major questions doctrine or the rule of lenity; (2) the FDA has “unambiguous” statutory authority over LDT testing; and (3) the Final Rule is not arbitrary and capricious.

The defendants continue to assert that they have unambiguous authority to implement the Final Rule and that they “did not make [their] own policy judgment that [they] should have jurisdiction over laboratory-made IVD tests. Rather, the agency simply implemented Congress’s plain textual directive that it does.”[1] The FDA significantly challenged the plaintiffs’ interpretation and analogies of the statutory language and impact and argues that the plaintiffs’ statutory interpretation is “artificially narrow.” The FDA further argued that there is no conflict with CLIA and that it is empowered to ensure there are clinically valid results to protect patients’ safety and the efficacy of treatments relying on the results. Finally, the defendants argue that the action was not arbitrary and capricious because the FDA considered the laboratory industry’s current interests and weighed that interest against problematic testing.

Next Steps

The case is now fully briefed before the court. Whether or not the plaintiffs will be successful is yet to be seen. So far, no other changes have been announced. We will continue to monitor this and any other updates related to the Final Rule.

[1] Defendants’ Reply Brief, available at https://www.amp.org/AMP/assets/File/advocacy/DOJ_ClosingBrief_12_23_2024.pdf?pass=40

The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate cases of alleged HIPAA violations. The settlements include resolution agreements and civil monetary penalties.

One of the settlements and resolution agreements continues to show OCR’s emphasis on patients’ rights to access their protected health information. That settlement, dated November 19, 2024, was against Rio Hondo Community Mental Health Center in California required the covered entity to pay the OCR $100,000.

On November 26, 2024, the OCR settled with Holy Redeemer Family Medicine over the disclosure of a patient’s protected health information, including reproductive health information, to the patient’s prospective employer without her consent. The OCR alleged that the patient provided consent for the covered entity to send the results of one test that had no relevance to her reproductive health to the prospective employer. Instead, the covered entity sent “her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care” to the prospective employer. Holy Redeemer paid $325,581 and agreed to a corrective action plan with monitoring by the OCR for two years.

On December 3, 2024, the OCR imposed a $1.19 million penalty against Gulf Coast Pain Consultants (GCPC) for alleged violations of the HIPAA Security Rule. The OCR started an investigation against GCPC after a data breach notification. OCR’s investigation found that impermissible access to patients’ protected health information occurred on three occasions when a former contractor of GCPC accessed GCPC’s “electronic medical system to retrieve PHI for use in potential fraudulent Medicare claims.” The impermissible access affected 34,310 patients, including their names, addresses, dates of birth, Social Security numbers, insurance information, and primary care information.

On December 5, 2024, the OCR imposed a penalty against Children’s Hospital Colorado for $548,265 for alleged HIPAA Privacy and Security Rules violations. According to the OCR, Children’s Hospital Colorado notified the OCR following two breaches of email accounts following phishing attacks. In the first phishing attack, an email account containing the personal health information (PHI) of 3,370 individuals occurred because multi-factor authentication was disabled on the email account. Three email accounts containing 10,840 individuals’ PHI were compromised in the second incident. The OCR found that employees gave up their credentials to the threat actor in the attack, allowing unauthorized access to the email accounts.

On December 10, 2024, the OCR settled with Health Care Clearinghouse and Inmediata Health Group over allegations that they left PHI unsecured on the internet. According to the OCR, between May 2016 and January 2019, 1,565,338 individuals’ PHI “was made publicly available online.” The PHI included names, dates of birth, addresses, Social Security numbers, claims information, and treatment information. During its investigation, the OCR found “multiple potential HIPAA Security Rule Violations,” including failing to conduct a compliant risk analysis and to monitor and review the health information systems’ activity; the entities agreed to pay the OCR $250,000. They previously agreed to implement corrective actions with 33 states that addressed OCR’s findings. All of these actions and settlements provide clues to covered entities about the OCR’s priorities and conduct it finds violative of HIPAA. It has been an active two months for enforcement. We will continue to follow the OCR’s enforcement actions and see what the new year brings regarding its enforcement priorities.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

*This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

In November 2024, the Department of Health and Human Services Office of Inspector General (OIG) published the results of its audit assessing hospital compliance with the federal Hospital Price Transparency Rule (HPT Rule). OIG determined that 37 out of the 100 hospitals sampled failed to comply with some element of the HPT Rule’s publicly available charges requirements.

As a reminder, the HPT Rule requires hospitals to make certain pricing information publicly available and easily accessible on their websites to increase competition and reduce the cost of health care. The HPT Rule is enforced by the Centers for Medicare & Medicaid Services (CMS).

Under the HPT Rule, hospitals are obligated to (1) publish a comprehensive machine-readable file that includes a list of standard charges for all items and services and (2) display a list of CMS-specified shoppable services in a consumer-friendly format; this requirement may be met by using an online price estimator tool allowing consumers to obtain free estimates for up to 300 shoppable services. The 37 noncompliant hospitals identified in the audit failed to comply with either one or both of the foregoing requirements.

Specifically, OIG found that:

  • “34 hospitals did not comply with one or more of the requirements associated with publishing comprehensive machine-readable files;” and
  • “14 hospitals did not comply with one or more of the requirements associated with displaying shoppable services in a consumer-friendly manner.”

Based on the audit results, OIG estimates “that 46% of the 5879 hospitals that were required to comply with the HPT rule did not comply with the requirements to make information on their standard charges available to the public.”

In response to its findings, OIG provided CMS with specific recommendations on increasing compliance with the HPT Rule. The report indicated that CMS concurred with all recommendations and proposed corrective actions. The recommendations included the following:

  • Reviewing the specific hospitals identified by OIG as potentially noncompliant and pursuing enforcement measures if CMS determines such hospitals are out of compliance with the HPT Rule;
  • Considering changes proposed by hospitals to clarify aspects of the HPT Rule, such as providing written guidance on the definition of “shoppable services” and developing training and compliance programs tailored for small hospitals; and
  • Continuing to strengthen internal CMS controls, including allocating sufficient internal resources to monitor hospital compliance with the HPT Rule.

This OIG audit report and its affirmative direction to CMS to step up enforcement efforts demonstrates that HPT Rule enforcement remains a priority of regulators. According to the report, CMS has already initiated compliance reviews of certain hospitals included in OIG’s sample. Hospitals would, therefore, be well-advised to review the report closely, to assess their current compliance with the HPT Rule, and to consider proactive efforts to ensure continued compliance with the HPT Rule’s requirements. Notably, CMS created an online tool to aid hospitals in determining if their files are compliant with the HPT rule.

As part of its 2025 Physician Fee Schedule Final Rule (PFS Rule), the Centers for Medicare & Medicaid Services (CMS) finalized two crucial updates to federal Medicare overpayments regulations (sometimes referred to as the “60-Day Rule”) that (1) align the standard for when an overpayment is identified with the applicable standard under the False Claims Act (FCA), and (2) give health care providers up to 180 days to conduct good faith investigations to determine the existence of related overpayments after identifying an overpayment, respectively. 

These two changes address areas of significant uncertainty for health care organizations in recent years. Previously, there was uncertainty concerning the standard for “reasonable diligence” for identifying overpayments and how that standard squared with the FCA’s knowledge (scienter) requirement for liability thereunder. In addition, the changes also indicate the expectation by the government that, upon identifying an overpayment, health care organizations conduct timely good faith investigations to determine the existence of related overpayments to fulfill their 60-Day Rule obligations.

Medicare Overpayments Rule & Reasonable Diligence Standard

As a reminder, the 60-Day Rule was established as part of the Affordable Care Act (ACA) and requires a health care provider that receives an overpayment to report and return the overpayment by the later of (i) 60 days after the provider identifies the overpayment or (ii) the date any corresponding cost report is due. Failure to report and return an overpayment in a timely manner subjects the provider to significant potential liability under the FCA for a so-called “reverse false claim” for wrongful retention of the overpayment. However, the ACA did not define when an overpayment has been “identified.” This issue was addressed in rulemaking by CMS in 2014 (for Medicare Parts C and D) and 2016 (for Medicare Parts A and B), wherein CMS indicated that a provider “identifies” an overpayment when it determines, or should have determined, that the provider received an overpayment (this exercise is referred to as the “reasonable diligence” standard).

In 2018, a federal court overturned the reasonable diligence standard for Medicare Parts C and D in response to litigation brought by Medicare Advantage organizations. The court held that the reasonable diligence standard impermissibly established FCA liability for “mere negligence” and noted that the FCA had a specifically-defined knowledge standard that does not encompass negligence.

Updated Knowledge Standard for Identifying Overpayments

In response to the federal court’s ruling, and to promote consistency across Medicare programs, in December 2022, CMS proposed updating its 60-Day Rule regulations to align the knowledge standard for identifying an overpayment with the standard under the FCA (please see here for our previous discussion of that proposed rule).

In the PFS Final Rule, CMS has finalized its proposal without changes. As of January 1, 2025, under the 60-Day Rule, a person has identified an overpayment when the person:

  1. Has actual knowledge of an overpayment;
  2. Acts in deliberate ignorance of the truth or falsity of information regarding the overpayment; or
  3. Acts in reckless disregard of the truth or falsity of information regarding the overpayment.

Updated Reporting Deadline to Permit Good Faith Investigation of Related Overpayments

In the PFS Final Rule, CMS also provides additional guidance and finalizes regulations concerning providers’ potential obligation to determine the existence of related overpayments upon identifying an overpayment. CMS acknowledges the challenge in determining when the 60-day “clock” starts for reporting and returning an overpayment. 

CMS states that the 60-day period begins when a provider “has actual knowledge of the overpayment” or if the provider “acts in deliberate ignorance or reckless disregard of the existence of the overpayment,” that period starts when the provider “acted in deliberate ignorance or reckless disregard of the truth or falsity of information regarding the overpayment.”

A lingering question for many health care organizations has been whether, upon discovering a single overpayment, the organization has an obligation under the 60-Day Rule to investigate whether an underlying compliance issue could have resulted in other overpayments. CMS responds affirmatively in the PFS Final Rule, stating “we agree… that where a single overpayment is found and other related overpayments are suspected, the provider or supplier should investigate and calculate the aggregate overpayment prior to its return.”

Consequently, CMS is finalizing a related regulation under the 60-Day Rule, which “suspends the 60-day report and return obligation for up to 180 days, to allow persons time to complete a good-faith investigation to determine the existence of related overpayments that may arise from the same or similar cause or reason as the initially identified overpayment.” In other words, the 60-day clock can be delayed for up to 180 days to allow providers time to conduct a good faith investigation of potential related overpayments to ensure a comprehensive reporting and returning of overpayments.

Conclusion

The 60-Day Rule updates in the PFS Final Rule provide important guidance and assurances to health care organizations regarding the standard for identifying overpayments and the government’s expectations for providers to proactively investigate, identify, and return such overpayments. Health care organizations should carefully review the final 60-Day Rule regulations and preamble commentary guidance from CMS and update their compliance processes accordingly in order to mitigate the potential risk of FCA liability and whistleblower lawsuits for reverse false claims. 

If you have any questions regarding the PFS Rule and 60-Day Rule overpayment regulations, please do not hesitate to reach out to the authors or your contact at Robinson & Cole LLP for specific guidance.