Below is an excerpt of an article published in the Massachusetts Bar Association’s Section Review.

Recent months have seen a significant shift in how pharmacy benefit managers (PBMs) are regulated at both the state and federal levels. PBMs are hired by health plans to manage administrative and other duties, while also serving as intermediaries by negotiating rates with drug companies. However, unlike most players in the health care system whose financial arrangements are heavily regulated and often subject to public scrutiny, PBMs have historically been permitted to operate with few disclosure or transparency requirements. 

PBMs wield substantial leverage to bargain with drug companies and influence drug prices. One service that PBMs provide is to negotiate rebates that the drug companies pay to health plans. In exchange for a larger rebate, PBMs may offer drug manufacturers a benefit, such as a more favorable position (typically meaning a lower patient copay) on a drug formulary: the list of drugs that the health plan covers, along with the pricing structure for those drugs. PBMs may, in some cases, retain portions of those rebates before passing them on to the health plan. While lower co-pays may, in the short term, be a benefit to patients, high rebates typically result in drug companies raising the list price of the drug over time, which means higher consumer costs.

Read the full article, here.

On April 23, 2026, the HHS Office of Inspector General (OIG) quietly—but pointedly—added two new FAQs to its “General Questions Regarding Certain Fraud and Abuse Authorities.” Although the principles articulated are not new, the timing and clarity of these FAQs reflect OIG’s continued effort to correct common—and risky—misunderstandings in the health care industry regarding the federal Anti‑Kickback Statute (AKS), the physician self‑referral law (“Stark”), and the role of fair market value (FMV) analyses. Together, these FAQs serve as a reminder that technical compliance with Stark or reliance on a fair market benchmark do not, standing alone, insulate an arrangement from AKS scrutiny.

The first new FAQ is FAQ #4: “Could a financial arrangement that satisfies an exception to the physician self-referral law (42 U.S.C. § 1395nn) violate the federal anti-kickback statute?” In its answer, OIG squarely addresses a persistent misconception that satisfying a Stark exception somehow rebuts AKS risk. OIG emphasizes several foundational points:

  • Stark and AKS serve different purposes, prohibit different conduct, and impose different consequences;
  • Stark is a strict liability statute; intent is irrelevant;
  • AKS is an intent‑based statute; knowing and willful intent to induce referrals is the core inquiry; and
  • Compliance with a Stark exception is not evidence that the parties lack AKS intent.

Even where a financial arrangement “fits” squarely within a Stark exception, the arrangement may still violate AKS if one purpose of the remuneration is to induce or reward referrals. To illustrate this point, the OIG provides the “sporting event” example. It pointed out that hospitals, laboratories, or other providers may offer sporting event tickets or entertainment to referring physicians. OIG acknowledges that such arrangements might, depending on facts, technically satisfy the Stark exception for nonmonetary compensation under 42 C.F.R. § 411.357(k). However, OIG warns that these forms of remuneration are “unlikely to receive protection under any safe harbor to the federal anti-kickback statute” and therefore remain subject to totality‑of‑the‑circumstances review, including intent. Importantly, OIG reiterates its long‑standing position that providing remuneration to referral sources can violate AKS regardless of Stark compliance, a theme echoed in enforcement actions and advisory opinions over many years.

The second new FAQ is FAQ #17: “Can fair market value arrangements violate the federal anti-kickback statute?” This FAQ tackles another common compliance belief that fair market value may be the sole compliance cornerstone for AKS purposes. OIG again says no. While confirming that fair market value analyses are important and often one of the elements of a safe harbor, OIG stresses that fair market value is just one element and that compliance with a safe harbor requires meeting each element. As discussed in a prior podcast with the American Health Law Association, there are other factors that are important including commercial reasonableness.

OIG expressly rejects the industry argument that FMV eliminates unlawful remuneration, calling that position inconsistent with (i) the statutory text, (ii) the regulatory safe harbors, and (iii) decades of OIG guidance that OIG characterizes as “consistent and unwavering.”

Why These FAQs Matter Now

Although neither FAQ announces new law, their explicit pairing and contemporaneous release is notable. OIG appears focused on dispelling two closely related myths that continue to surface in enforcement matters:

  1. “We meet Stark, so AKS isn’t a problem.”
  2. “We paid fair market value, so there’s no kickback.”

For entities in the healthcare space, these FAQs signal that you must look at the totality of the arrangement and ask the hard questions surrounding the relationship.

On February 5, 2026, the Massachusetts Health Policy Commission (HPC) published proposed amendments to its Material Change regulations at 958 CMR 7.00 (the Proposed Amendments). Among other things, the Proposed Amendments broaden the HPC’s market review authority by subjecting more transactions to the HPC’s Material Change Notice (MCN) process and provide the HPC greater latitude to conduct Cost and Market Impact Reviews (CMIRs) of proposed transactions. Below, we summarize the background and timing for public hearing and adoption, and major provisions of the Proposed Amendments.

Background & Timing

In January 2025, Massachusetts enacted Chapter 343 of the Acts of 2024, “An Act Enhancing the Market Review Process” (the Act), which expanded the HPC’s health care market oversight role, including by authorizing the agency to review a wider range of transactions. The Act (which we discussed here) aimed to strengthen regulatory oversight of health care market transactions, conferring more authority not just on the HPC, but also on the Center for Health Information and Analysis (CHIA) and the Attorney General’s Office. The Act focuses on transactions involving private equity, pharmacy benefit managers, real estate investment trusts, and management service organizations, in order to expand the types of transactions subject to the MCN requirement.

The Proposed Amendments seek to codify a number of changes included in the HPC’s Bulletin HPC-2025-01 guidance that went into effect on April 8, 2025. The HPC’s Bulletin provided guidance to providers and provider organizations concerning implementation of the Act. The Bulletin included several new categories of transactions subject to the MCN requirement, new definitions affecting MCNs, as well as changes to the review process for MCNs. The Proposed Amendments are consistent with the Bulletin, with some additional clarifications, as described below. When adopted, the Proposed Amendments will supersede Bulletin HPC-2025-01.

The HPC will conduct a virtual public hearing on the Proposed Amendments at 1:00 PM on March 12, 2026. Interested parties are encouraged to submit either oral or written testimony and comments, and parties may request to provide live testimony during the hearing. The HPC will accept testimony and comments until 5:00 PM on March 20, 2026, and is expected to vote on the final adoption of the Proposed Amendments at its board meeting on April 16, 2026.

Proposed Amendments

The major provisions of the Proposed Amendments are as follows:

  1. New definitions: The Proposed Amendments add new definitions, including the following definitions allowing for regular adjustment of monetary filing thresholds by the HPC and establishing the type of investors now subject to the Act and any exceptions thereto:
    • MCN Filing Threshold and Revenue Increase Threshold: Current regulations apply MCN reporting requirements to providers/provider organizations with more than $25 million in Net Patient Service Revenue (NPSR) as well as to certain transactions that would result in an increase of more than $10 million in NPSR. The Proposed Amendments formally define these monetary thresholds, setting $25 million in NPSR as the “MCN Filing Threshold” (applicable to MCN reporting associated with clinical affiliations) and $10 million in NPSR the “Revenue Increase Threshold” (applicable to MCN reporting associated with mergers, acquisitions, certain other affiliations, and significant capacity increases). These monetary thresholds are subject to annual adjustment by the HPC.
    • Private Equity Company and Significant Equity Investor:
      • The Proposed Amendments newly define the term “Private Equity Company” in broad terms to refer to any entity that collects capital investments, however organized, and which purchases directly or through another owned or controlled entity, a direct or indirect ownership share of a provider, provider organization, or management services organization (MSO).
      • The Proposed Amendments separately define “Significant Equity Investor” as a Private Equity Company that holds—or would hold, following a proposed transaction—any financial interest in a provider, provider organization, or MSO; or any investor that holds—or would hold, following a proposed transaction—equity amounting to more than 10 percent of a provider, provider organization, or MSO.
      • Both defined terms include narrow exceptions for venture capital firms exclusively engaged in funding start-ups and early stage businesses; and Significant Equity Investors exclude individual licensed health care providers who practice medicine, dentistry or another health care profession as a full or partial owner of the provider or provider organization.
  2. Expanded scope of MCN-triggering transactions: The Proposed Amendments would clarify the scope of review for transactions currently subject to the MCN process. These transactions include:
    • Mergers or affiliations involving both a provider or provider organization and an insurance carrier, and acquisitions by an insurance carrier of a provider or provider organization (and vice versa).
    • Mergers with or acquisitions of hospitals or hospital systems, or of a provider or provider organization by a hospital or hospital system.
    • Mergers, acquisitions, or affiliations (including corporate affiliations, contracting affiliations, and employment of health care professionals) where: (a) the arrangement is between providers, or involves one of the following: a provider organization, an MSO that establishes contracts with insurance carriers or third-party administrators, or an entity that represents health care providers (including out-of-state providers) in contracting with payers for health care services; and (b) such arrangement would result in an increase in one party’s NPSR equal to or greater than the Revenue Increase Threshold (defined above), or in one party gaining a dominant market share (as such term is defined in these regulations) in a given service area or region.
    • Clinical affiliations between two or more providers or provider organizations that each have a NPSR greater than the MCN Filing Threshold. The Proposed Amendments specify arrangements that explicitly constitute clinical affiliations covered under this requirement, as follows: co-branding, co-located services, complete or substantial staffing of an acute hospital service line, funding EHR interconnectivity, regular and ongoing provision of telemedicine services, preferred provider relationships, and discount arrangements. The Proposed Amendments maintain the pre-existing exclusion for affiliations solely related to clinical trials or graduate medical education programs.
    • Any form of partnership, joint venture, accountable care organization, parent corporation, MSO, or other organizational structure created to administer contracts with insurance carriers, third party administrators, or other contractors.

The Proposed Amendments would also add new categories of transactions subject to MCN review:

  • Any significant increase to a provider or provider organization’s capacity, including:
    • Any increase to capacity that would trigger the Determination of Need (DoN) process due to a Substantial Capital Expenditure (as defined in the DoN regulations at 105 CMR 100.000) or any other basis meeting the monetary criteria for a Substantial Capital Expenditure, and any increase to capacity that would result in an increase to the provider’s NPSR equal to or greater than the Revenue Increase Threshold (set at $10 million currently) based on expected revenue from the planned capacity (e.g., any increases to operational capacity that do not meet the DoN monetary thresholds for Substantial Capital Expenditures but will result in NPSR increasing at least $10 million).
  • Any transaction involving a Significant Equity Investor, including a Private Equity Company (as each are defined above), that results in a partial or complete change of ownership or control of a provider, provider organization, or MSO.
  • A significant acquisition, sale, or transfer of provider/provider organization assets, including real estate lease-backs involving the sale of real property used to deliver healthcare services.
  • Any conversion of a provider or provider organization from a non-profit entity to a for-profit entity.
  1. Additional CMIR authority: The Proposed Amendments would additionally allow the HPC to conduct a CMIR if a proposed material change is “likely to have a significant impact” on the competitive market or on the Commonwealth’s ability to meet its financial goals pursuant to the Health Care Cost Growth Benchmark, a metric for cost containment established and updated annually by the HPC. The Proposed Amendments would also give the HPC discretion to conduct a CMIR on any provider organization that exceeded the Health Care Cost Growth Benchmark in the previous year, as reported by CHIA.
  2. Expanded review and enforcement authority relevant to the MCN and CMIR processes: Under the Proposed Amendments, the HPC would have expanded authority to request information from parties to a transaction and certain other market participants. While the authority to request documents and other materials is not new, the Proposed Amendments add Significant Equity Investors to those from whom information may be requested, including information about the entity’s capital structure, general financial condition, ownership and management, and audited financial statements. HPC may also request information from payers related to a particular MCN.
  3. Post-transaction review of material changes: The Proposed Amendments would allow the HPC to conduct post-transaction reviews of material changes for up to five years, at its discretion. Under its post-transaction review authority, the HPC would be able to require parties to a material change to submit any data and information it deems necessary to assess the post-transaction impacts, and to make referrals to the Attorney General or other state or federal agencies as appropriate.

Key Takeaways

For health care organizations, the Proposed Amendments reinforce the significantly expanded authority of the HPC to oversee healthcare market transactions and arrangements, and will require close vetting to ensure future transactions and arrangements are appropriately reported. The Proposed Amendments also shed light on how the HPC might exercise its authority to review transactions, particularly those transactions involving private equity investors and MSOs, and those meeting certain financial thresholds. Stakeholders are encouraged to provide public comments on the Proposed Amendments as soon as practicable, and before March 20, 2026, in order to be heard prior to the HPC’s vote on the Proposed Amendments. We will continue to monitor the HPC’s rulemaking and guidance, as well as its implementation of the Proposed Amendments (once approved) and any resulting changes to the MCN process.

The Consolidated Appropriations Act of 2026, HR 7148 (the Act), just signed into law on February 3, 2026, ended a brief government shutdown and includes multiple provisions with a critical impact on health care organizations. We have previously covered the Act’s renewal and extension through 2027 of COVID-era Medicare telehealth flexibilities and its revisions to pending rate cuts and reporting deadlines for certain clinical laboratories.

Health care organizations should be aware of another section of the Act that newly imposes mandatory attestation and National Provider Identifier (NPI) requirements on off-campus outpatient departments of Medicare-enrolled hospitals (i.e., HOPD(s)) by January 1, 2028. This new requirement is likely to pose a significant compliance burden and may foreshadow additional scrutiny on off-campus hospital sites of outpatient services.

HOPDs: Attestation and NPI Requirements

Subject to specific regulatory conditions, departments of a Medicare-enrolled hospital provider that are “off campus,” i.e., generally more than 250 yards from the provider’s main campus or a remote location, are allowed to bill as provider-based departments of the hospital. For many years, whether a particular off-campus location met all regulatory requirements for provider-based status was the subject of an honor system for Medicare enrollment purposes, with organizations having the option to submit an attestation of provider-based status to the Centers for Medicare and Medicaid Services (CMS) (through the assigned CMS Medicare Administrative Contractor). These submissions were voluntary and offered the advantage of potentially reducing liability for overpayments if a location was determined not to meet the applicable requirements, but not all hospitals elected to submit them for their HOPDs.

Now, § 6225 of the Act removes the previous optionality by imposing two additional requirements for off-campus outpatient departments of a hospital to continue receiving payment from Medicare for services furnished as provider-based on or after January 1, 2028:

  1. Attestation. Under the Act, each off-campus HOPD location must now submit an attestation of compliance with the provider-based regulatory requirements. The provider (i.e., main hospital) of an off-campus department must submit an initial attestation for existing departments before January 1, 2028. Providers must also submit subsequent attestations according to a timeframe and process to be determined by the Secretary of the Department of Health and Human Services (DHHS) through future regulations. Initial attestations will also be subject to the DHHS’ future process, but the statute permits providers to use the current attestation process for the initial attestation until the new process has been established. The uncertain regulatory process and timing for new attestation requirements in advance of the January 1, 2028, deadline creates additional uncertainty for hospitals nationwide.
  2. NPI. Starting January 1, 2028, each off-campus provider-based department must obtain and bill under its own NPI number rather than continue to bill under its provider’s NPI number.

Assessing and Strengthening Departmental and Provider Regulatory Compliance

Providers should assess whether their current off-campus department locations independently meet all applicable CMS regulatory requirements. Of note, certain Medicare Administrative Contractors offer checklists that can be used to compare against current provider-based status requirements, but organizations would also be well-advised to anticipate additional guidance from CMS.

Preparing for Enhanced Government Scrutiny

The Act directs DHHS to engage in rulemaking to determine the methods to review and determine compliance with the NPI and attestation requirements. Although site visits and remote audits are cited as potential methods for verifying compliance, the Act gives DHHS discretion to use other means “as determined appropriate.” This directive, in combination with the upcoming NPI requirement, may indicate a broader trend toward increased scrutiny of providers and more dynamic enforcement in the future. Providers should proactively prepare for potential investigations and ensure their attestations continue to be comprehensive and defensible, minimizing the risk of enforcement actions as the standards continue to evolve.

On February 17, 2026, the Health Resources and Services Administration (HRSA) issued a Request for Information (RFI) regarding the use of rebates within the 340B Program. After an unsuccessful first attempt at deploying a rebate model late last year (as we previously wrote about here and here), HRSA is now seeking “input from interested parties regarding the potential use of rebates” by drug manufacturers, “including the standards and procedures” that HRSA should use in implementing rebates for purchases of certain drugs by 340B hospitals and other providers.

Background and Precipitating Litigation

Under HRSA’s 340B Program, drug manufacturers must sell their products to certain safety-net health care providers at a discount, also known as the 340B ceiling price. Until last year, HRSA’s decades-long practice had been to require that discounts be offered to providers upfront (i.e., applied to the purchase price for the product). But in August 2025, HRSA proposed to change course starting in 2026, launching a 340B Rebate Model Pilot Program (the “Rebate Program”), under which qualifying drug manufacturers could charge 340B covered entities a higher price upfront and offer the difference between that price and the 340B ceiling price as a rebate.

The initial rollout of the Rebate Program prompted litigation. In December 2025, several trade groups and safety-net providers sued the federal government, alleging that the Rebate Program’s launch bypassed certain requirements under the federal Administrative Procedure Act (APA), including by failing to reasonably explain the basis and design of the Rebate Program. As we wrote about here and here, the Rebate Program was put on pause pursuant to a preliminary injunction just three days before it was set to begin, and the District Court ultimately granted the parties’ joint motion to vacate and remand the Rebate Program back to HRSA for reconsideration.

HRSA’s Request for Information

The RFI, published promptly following conclusion of the suit described above, shows HRSA’s continued interest in implementing a rebate program that is “in the public’s interest” for 340B drug purchases. Importantly, the RFI invites comments by stakeholders on a wide range of issues, including:

  • “[A]dministrative, operational, financial, and medication access concerns” that rebates may cause;
  • Whether and to what extent 340B covered entities have “reasonable . . . reliance interests” in maintaining an upfront discount structure;
  • Cash-flow implications of rebate payment timing for 340B covered entities; and
  • Any “proposed alternatives and scope-limiting measures” that may “promote the integrity of the 340B Program” and avoid issues with duplicate discounts, particularly in light of the Medicare Drug Price Negotiation Program’s launch on January 1, 2026.

To inform these priorities, HRSA asks for detailed and specific information from stakeholders. Such information includes current and projected costs of upfront versus rebate discounts, how stakeholders interact with contract pharmacies and third-party vendors, and what data collection practices stakeholders use. HRSA also asks commenters to weigh in on balancing concerns from stakeholders “across the continuum of the drug supply chain,” how to gather and generate data for future analysis, and how to promote transparency within the rebate model.

Key Takeaways

In its RFI, HRSA appears set on addressing the Rebate Program deficiencies under the APA as identified in the litigation mentioned above – affirming its intention to “undertak[e] a methodical and deliberate approach” in crafting a new rebate model, including “analyzing the comments received prior to pursuing the implementation” of a new rebate model.

HRSA will be accepting comments on the RFI until March 19, 2026. Covered entities under the 340B Program and other stakeholders are encouraged to comment reflecting their organizations’ experiences, challenges, and cost estimates in response to the specific questions above.

We will continue to monitor the comments and the future of rebates under the 340B Program.

This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On February 3, 2026, President Trump signed HR 7148, the Consolidated Appropriations Act, 2026 (“the Act”) ending the 4-day partial government shutdown. The Act, part of a broader fiscal year (FY) 2026 spending package, includes a further extension of Medicare telehealth flexibilities that recently expired on January 31, 2026. Originally introduced as temporary pandemic-era measures, these telehealth policies have been repeatedly sustained through short term legislative extensions. Here’s what the latest development means for the future of telehealth care.

Medicare Telehealth Flexibilities Extended by the Act

  • Geographic and Originating Site flexibilities: Medicare beneficiaries may continue to receive telehealth services in any location through December 31, 2027.
  • Expanded Practitioner Eligibility: Occupational therapists, physical therapists, speech-language pathologists, and audiologists may continue providing Medicare-covered services via telehealth through December 31, 2027.
  • Telehealth for FQHCs and RHCs: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) may continue providing telehealth services through December 31, 2027, including the provision of mental health visits via telehealth to Medicare beneficiaries without needing to meet annual in-person service requirements.
  • Audio-Only Telehealth: Telehealth services can continue to be provided via audio-only communications systems through December 31,2027.
  • In-Person Requirement for Mental Health Visits: Medicare patients receiving services for the diagnosis, evaluation, or treatment of a mental health disorder via telehealth may continue to do so without having received a Medicare-covered in person item or service through January 1, 2028.
  • Telehealth for the Recertification of Hospice Care: Hospice physicians and nurse practitioners may continue having face-to-face encounters to recertify a patient’s eligibility to remain on hospice via telehealth through December 31,2027.

While this bill once again provides temporary relief for telehealth services, Congress is currently considering legislation that would make the current telehealth flexibilities permanent. Notably, H.R. 4206 and S. 1261, the house and senate versions of the CONNECT for Health Act of 2025, were introduced in early 2025. Although progress on those bills has been limited since their introduction, they continue to enjoy strong bipartisan back with H.R. 4206 obtaining 212 cosponsors and S. 1261 obtaining 71 co-sponsors. We will continue to monitor the progress of these and other telehealth related bills and provide updates as they arise.

After uncertainty over the last few months, the last few weeks saw potential changes to the Protecting Access to Medicare Act of 2014 (PAMA) under section 6226 of the Consolidated Appropriations Act of 2026. On January 20, 2026, the House Appropriations Committee released the Consolidated Appropriations Act 2026, which included several healthcare extenders, among them revisions to the upcoming PAMA rate cuts and reporting deadlines. The Senate passed the bill on January 30, 2026, and went back to the House on February 3, 2026, at which point it has been set for President Trump’s signature.  

First, there are no additional Clinical Laboratory Fee Schedule (CLFS) rate cuts scheduled for 2026.  The act then extends the phase-in of the rate reductions for an additional year, delaying this until 2027, 2028, and 2029. The act also updates the data collection period to use 2025 rather than 2019 data, and shifts the reporting period to May 1, 2026, through July 31, 2026. 

While there is still possibility around the Reforming and Enhancing Sustainable Updates to Laboratory Testing Services Act (RESULTS) which was introduced in September 2025, it has not yet passed. As such, laboratories must prepare for PAMA with the changes implemented by the passage of the Continuing Resolution.

PAMA requires independent, hospital outreach, and physician office laboratories to report private payor rate information and volumes every three years (or annually for Advance Diagnostic Laboratory Tests). CMS used this data to calculate rates under the Clinical Laboratory Fee Schedule (CLFS) to align Medicare payment with commercial market rates by developing a weighted median of the reported private payor rates. Due to underreporting (less than one percent of all laboratories reported data) and underrepresentation of key segments such as hospital outreach and physician office labs, the initial reporting cycle resulted in steeper payment cuts between 2018 and 2020 for laboratories than anticipated. Current rates are based on 2016 data that was reported in 2017. Congress has postponed reporting six times, and with the passage of the CR, the next reporting cycle will be May 1, 2026, through July 31, 2026, resetting the time period for applicable data and relieving labs from the burden (or near impossibility) of reporting 2019 data.

What you need to know about PAMA

Who must report?

“Applicable laboratories” must report private payor rates to CMS. Applicable laboratory means a laboratory under 42 C.F.R. § 493.2 (the Clinical Laboratory Improvement Amendments definition of a laboratory) that:

  • Bills Medicare Part B under its own NPI or for hospital outreach laboratories, bills Medicare Part B on the Form CMS-1450 under type of bill (TOB) 14x;
  • Meets the “majority of Medicare revenue” threshold in a data collection period. Meaning that the laboratory receives more than 50% of its Medicare revenue (Parts A, B, & D including any applicable co-pays/deductibles) under the CLFS and/or Medicare Physician Fee Schedule; and
  • Receives at least $12,500 in CLFS revenue during the data collection period.

Entities that do not meet the definition of “applicable laboratory” are not permitted to report.

Who is a private payor?

A private payor includes any of the following:

  • A health insurance issuer as defined in § 2791(b)(2) of the Public Health Service (PHS) Act;
  • A group health plan as defined in § 2791(a)(1) of the PHS Act;
  • A Medicare Advantage Plan under Part C as defined in § 1859(b)(1) of the Social Security Act (SSA); or
  • A Medicaid Managed Care Organization as defined in § 1903(m) of the SSA.

What is reported?

An applicable laboratory must collect and report “applicable information” received during the data collection period for each laboratory test code subject to the data collection requirements.

Applicable information includes: 1) the specific Healthcare Common Procedure Coding System (HCPCS) code for the test; 2) each private payor rate for which final payment has been made during the data collection period; and 3) the associated volume tests performed for each private payor rate.

“Zero dollars,” payments that cannot be identified at the HCPCS level (i.e., bundled payments), payments that were under appeal during the data collection period, and tests billed with miscellaneous/NOC code are not to be reported.

How to report?

CMS has released a list of applicable HCPCS codes that are subject to PAMA’s data reporting and collection requirements. Additionally, CMS has released a spreadsheet template that an applicable laboratory may use to collect and report the applicable information for each test subject to reporting. The spreadsheet includes information on the HCPCS code, payment rate, volume at the payment rate, and NPI. This spreadsheet may be uploaded to the CMS Enterprise Portal.

What happens if an applicable laboratory fails to report?

If the Secretary determines that an applicable laboratory has failed to report or has made a misrepresentation or omission of reporting information, the Secretary may apply a civil monetary penalty of up to $10,000 per day for each failure to report or each misrepresentation or omission.

Beyond civil money penalties, failure to accurately report can negatively impact the weighted median of private payor rates leading to disproportionate CLFS rate cuts.

Important Dates

Data Reporting Period: May 1 – July 31, 2026

With the reporting period fast approaching, laboratories should determine whether they are an applicable laboratory and begin preparing the required 2025 private payor data carefully. As the reporting period approaches, CMS plans to issue additional fact sheets to assist labs in the data submission. Laboratories may want to consider consulting with knowledgeable legal counsel to ensure compliance and strategy alignment.

February 16, 2026, is the deadline for each HIPAA covered entity to update its Notice of Privacy Practices (NPP) to incorporate new regulatory requirements enacted in 2024. Specifically, HIPAA-covered entities (including health care providers and health plans) are required to review and revise their NPPs as necessary to ensure compliance with a 2024 federal rulemaking related to records of treatment and referral for substance use disorder services under 42 C.F.R. Part 2 (Part 2 Records). 

We previously discussed the 2024 Part 2 Records regulatory changes here, and the HIPAA regulatory rule addressing NPP updates and reproductive health care here (note that the reproductive health care regulations were subsequently vacated, as discussed here, but the NPP changes were upheld).

Accordingly, by February 16, 2026, HIPAA-covered entities are obligated to update NPPs to address the protections afforded to Part 2 Records that may be created, received, or disclosed by HIPAA covered entities (including those who may have Part 2 programs as components of their organization). The required changes include, without limitation:

  • For uses or disclosures that are prohibited or materially limited by Part 2, the NPP description of such use or disclosure must reflect the more stringent legal requirement;
  • NPPs must include a statement to put individuals on notice of the potential that, once information is disclosed pursuant to the NPP, it may be subject to redisclosure by the recipient and no longer subject to HIPAA protection;
  • NPPs must explain that Part 2 Records may now be used or disclosed pursuant to a single consent for treatment, payment, and health care operations purposes consistent with HIPAA (but subject to limited exceptions);
  • NPPs must add a statement indicating that Part 2 Records (and testimony regarding such Records) cannot be used or disclosed in civil, criminal administrative or legislative proceedings without individual written consent, or pursuant to a court order after notice and an opportunity to be heard is given to the individual or the holder of the Records, and any such court order must be accompanied by a subpoena or other legal requirement compelling disclosure before the Records can be used or disclosed; and
  • NPPs must explain that, for covered entities that create or maintain Part 2 Records and intended to use such Records for fundraising purposes, each individual patient must be given the opportunity to opt out of fundraising communications in advance.

Now is the time for all HIPAA covered entities to review and confirm that their NPPs comply with federal law and, if not, to reach out to advisors to make the necessary changes. We are available to assist covered entities with all matters related to HIPAA, including NPP drafting and compliance.

This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

Introduction

On January 28, 2026, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released a new report analyzing Medicare Part B (Part B) spending on laboratory tests in 2024. The Protecting Access to Medicare Act of 2014 (PAMA) requires OIG to publish an annual report detailing the top 25 clinical lab tests by expenditure. Each year, OIG evaluates Part B claims data for tests covered under the clinical laboratory fee schedule (CLFS). Below is a breakdown of the key trends highlighted in the 2024 report. Most notably, 2024 showed a significant rise in genetic and infectious Polymerase Chain Reaction (PCR) disease testing. 

Overall Part B Spending and Enrollment

Part B spending on clinical laboratory tests reached a peak of $7.9 billion in 2021 during the COVID-19 public health emergency, then declined to $7.8 billion by 2023. In a notable shift, spending rose again in 2024, increasing 5% to $8.4 billion, despite there being no changes to the CLFS since 2020.

Strikingly, while overall spending increased, the number of Part B enrollees receiving lab tests fell by 15%, dropping from 27.7 million in 2018 to 23.4 million in 2024. According to OIG, this decline may reflect a broader migration of beneficiaries from Medicare Part B to Medicare Advantage (Part C) enrollment.

“Genetic” Testing Continues to Rise

The OIG report broadly defines “genetic” testing to include: (a) analysis of genetic material to monitor for genetic variations, mutations or other markers associated with disease or hereditary risk; and (b) analysis of genetic material from pathogens for bacteria or viruses. With the industry seeing an increase of PCR testing for infectious disease and detailed genetic antibiotic resistance testing, Medicare spending significantly increased in 2024.

Historically, spending on non-genetic tests such as complete blood counts, metabolic panels, lipid panels, and thyroid tests have far exceeded spending on genetic tests relating to conditions such as cancer, fungal infection, and epilepsy. In 2018, genetic testing accounted for 18% of Part B spending on laboratory tests while 82% went to non-genetic tests.  By 2024, that gap had significantly narrowed with 43% of Part B spending on laboratory tests attributed to genetic testing compared to 57% for non-genetic testing. Over just one year (from 2023 to 2024), Part B spending on genetic testing increased by 20% from $3 billion to $3.6 billion.

Utilization trends reflect this same shift. In 2018, 2.4 million Part B enrollees received at least one genetic test, out of the seven million total genetic tests performed that year. By 2024, the number of enrollees receiving at least one genetic test increased by 85% to 4.5 million while the total number of genetic tests performed that year increased by 160% to 18 million. In 2024, the average Part B enrollee received four genetic tests at a cost of $794 per enrollee, and 16 non-genetic tests at a cost of $207 per enrollee.

In 2024, genetic testing related to infectious disease totaled $1.4 billion, up from $1.2 billion in 2023, and hereditary/disease genetic testing increased from $1.8 billion in 2023 to $2.2 billion in 2024. In 2024, a total of 346 laboratories received over $1M in reimbursement for “genetic” testing. Among them, 55 received over $10M in reimbursement for genetic testing.

Top 25 Lab Tests

So, now ranking at the top of the chart of all tests paid under Part B spending is CPT 87798 for infectious disease. Also ranking in the top 15 is CPT 87481. 

The top 25 lab tests accounted for $4.1 billion, nearly 50% of all Part B laboratory spending in 2024. Among these, ten were genetic/PCR infectious disease tests, totaling $1.5 billion in Part B spending, while the remaining 15 were non-genetic tests totaling $2.6 billion in Part B spending. Notably, six of the ten genetic tests in 2024 showed at least a 30% increase in Part B spending compared to 2023. The OIG report focused on the fact that the average amount that Medicare Part B paid per enrollee for “genetic” tests approached $800, a 26% increase since 2023. Some of the largest growth was seen for tests billed under procedure CPT 87798, which reached $443 million in Part B spending, representing a 51% increase between 2023 and 2024.

Takeaways

The 2024 OIG report provides context for the increase in audits around the primarily used codes for infectious disease testing of 87798 and 87481. It also highlights the fact that genetic and PCR infectious disease testing is reshaping the Medicare Part B laboratory spending landscape. These types of testing, once a small share of the Part B landscape, now accounts for nearly half of all spending and continues to grow at a significant rate year after year. The impact of genetic and PCR infectious disease testing on Part B spending is highlighted by the increase in costs despite the decreased utilization.  

Laboratories should recognize that genetic and PCR infectious disease testing has become a central driver of Part B costs which is resulting in a shift of audits and likely enforcement priorities by OIG to ensure that labs performing this type of testing are remaining compliant with all Medicare billing policies.

Plaintiffs’ firms are adapting the California Invasion of Privacy Act (CIPA), a 1960s-era wiretapping statute, to modern web technologies such as pixels, chatbots, and session replay tools. For laboratories, the practical problem is not only the legal uncertainty, but also that small website implementation details, including when tags fire, what free-text inputs are captured, and what vendors are allowed to do with the collected data, can drive massive exposure, including class actions and arbitrations.

CIPA prohibits the intentional eavesdropping on, or recording of, confidential communications without the consent of all parties. Although the law was drafted for telephone calls and physical recording devices, plaintiffs’ attorneys are using it to challenge modern digital engagement tooling on laboratory websites. In practice, complaints often try to characterize routine patient web interactions as “confidential communications,” then allege that third-party tools captured, or received, those communications without proper consent. The exposure can scale quickly because CIPA provides for statutory damages of up to $5,000 per violation and each alleged interception can be pleaded as a separate violation.

Major diagnostic laboratories have been targeted by class actions alleging that third-party tracking pixels “intercept” patient communications without consent. Plaintiffs are increasingly alleging that routine web tracking tools, including cookies and IP tracking beacons, function as illegal “pen registers” or “trap and trace” devices. The practical effect is that plaintiffs focus on routing data such as IP addresses and device IDs, not just substantive content.

However, courts are divided. Some courts have rejected the theory that routine analytics function as criminal pen registers, while others have allowed the plaintiffs to overcome a motion to dismiss. Even with some favorable decisions, there is still a split amongst jurisdictions that creates uncertainty.

Additionally, there is a big increase in claims focusing on on-site search bar functionality. The allegation is that a user’s test inquiry, for example “HIV test” or “cancer screening,” is a confidential communication and that trackers share it with third parties. Further, there is another trend in these CIPA allegations that, as laboratories adopt AI chats for service and navigation, plaintiffs are filing claims alleging that AI systems “listen” to or repurpose patient inputs without consent.

Although CIPA is a California statute, plaintiffs are filing against laboratories with limited California connections beyond having websites accessible to California residents. To combat these claims—and avoid them entirely—laboratories should consider adding robust consent banners with true pre-consent blocking of tracking technologies (especially for California-based IP addresses). Additionally, laboratories can update website privacy policy disclosures to clearly describe what is being tracked, why it is collected, and which third parties receive it. In these cases, plaintiffs often quote privacy language against defendants. Misalignment between disclosures and tag behavior creates unnecessary risk.

For now, we’ll continue to track plaintiffs’ investment in pen register and trap-and-trace theories, focus on search terms in URLs, and expanded scrutiny of AI chat deployments. We’ll also continue to watch whether legislative activity reemerges after the failure of California’s SB 690 in 2025, but it is unlikely that any relief will take effect until at least 2027.

In the meantime, laboratories can reduce CIPA exposure by treating web data flows as a compliance issue, not just a marketing or IT function. A practical 2026 playbook is to inventory every tag and vendor on patient-facing pages, minimize or disable collection of free-text inputs and search terms, confirm that chat tools are configured to avoid sharing or retaining sensitive content, and implement consent that actually controls when third-party technologies load. Aligning real-world site behavior with privacy disclosures, and documenting those controls through periodic technical testing, will put laboratories in the best position to prevent claims and, if you receive a complaint, to quickly demonstrate that no “confidential communications” were intercepted without consent as these theories continue to evolve.