This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On July 2, 2025, the Department of Health and Human Services Office of Inspector General (OIG) published Advisory Opinion 25-07, which concluded that a pharmaceutical manufacturer’s proposed arrangement to sponsor a free, FDA-approved companion diagnostic test for eligible patients would not implicate the Federal Anti-Kickback Statute (AKS) or the Beneficiary Inducements civil monetary penalties (CMP).

Background

The requestor (a pharmaceutical manufacturer) produces an FDA-approved enzyme inhibitor. Treatment with the inhibitor is only appropriate with specific genetic deficiencies. A clinical laboratory developed an FDA-approved companion diagnostic test which is required to determine patient eligibility for the inhibitor. The two wished to work together.

The Arrangement

Under the parties’ proposed arrangement, the requestor pays the lab a fixed fee for each test performed on an eligible patient, and prohibits the lab from billing any patients, or payors other than the requestor for the testing. The test is offered to patients who: (i) have a prior negative result for a related genetic mutation; (ii) have previously collected tumor samples available for testing; (iii) have not previously received the test; and, in addition, (iv) the test must be used in accordance with FDA labeling. According to the requestor, this arrangement is designed to better identify patients whose deficiency has gone undetected and to determine whether use of the inhibitor would be appropriate.

The requestor certified that the lab is contractually prohibited from: (i) referencing any of the lab’s other products on their “provider facing webpage;” (ii) promoting any of the lab’s or requestor’s other products in any “lab developed communications” to ordering providers or patients; and (iii) communicating with patients regarding the Arrangement unless required by law.

 Additionally, the requestor certified that it would only receive “limited aggregated de-identified date” relating to the test through monthly reports. According to the requestor the reports would include: (i) the number of tests performed under the arrangement; (ii) the cumulative results of all tests performed under the arrangement, and (iii) digital awareness results including the source and number of visits to the the parties’ dedicated website and the clicks on the QR code in pamphlets that were left behind at the provider’s office . The requestor further certified that this data will only be used to: (i) better understand the number of patients with the condition which was missed by  standard testing; (ii)verify the amount invoiced the requestor; and (iii) ensure that the parties’ arrangement is “being conducted in accordance with the terms of the agreement between the lab and the requestor.”

OIG Analysis

Anti-Kickback Statute

The OIG acknowledged that the arrangement could implicate the AKS by offering remuneration (i.e., the free test) that may induce referrals for federally reimbursable items or services and the safe harbor would not apply in this situation. However, OIG concluded that it would not impose sanctions for several reasons:

  • The arrangement presents little risk of overutilization or skewing clinical decision making. The test determines whether the inhibitor would be an appropriate method of treatment for patients and would only be appropriate for patients presenting with the deficiency. The test may also show the drug is not indicated in approximately half the cases.
  • Providers do not receive any remuneration from the requestor for prescribing the drug. Additionally, the requestor’s field personnel are prohibited from discussing the drug in relation to the arrangement.
  • The requestor will only receive de-identified data which it certifies will not be used for sales or marketing purposes including sales targeting or incentives.
  • The agreement prohibits the lab from promoting the arrangement to patients and providers and the requestor certified that it will not provide information about the arrangement to patients or providers directly.
  • There are various safeguards in place to prevent this being used as a marketing or sales tool to steer providers to order any items or services from requestor or the lab, including the drug.

Beneficiary Inducements CMP

OIG also concluded that the parties’ arrangement does not violate the Beneficiary Inducements CMP. Although providing a free test constitutes remuneration, OIG found that the arrangement meets the statutory exception for promoting access to care with a low risk of harm. Specifically, the arrangement:

  • May improve a beneficiary’s ability “to obtain items and services payable by Medicare or Medicaid” in instances when the inhibitor is covered by those programs.
  • Is unlikely to interfere with clinical decision making because the test only confirms whether the inhibitor can be prescribed for a particular patient which a provider may already be considering.
  • Does not raise quality of care or patient safety concerns because it is used to determine whether the inhibitor would be an effective treatment for a specific patient.
  • Is unlikely to increase costs to federal health care programs because the inhibitor may be a life-extending treatment that is already under consideration by the provider. Additionally, the test will determine the appropriateness of prescribing the inhibitor and nearly 50% of patients will be ineligible for the inhibitor after testing. Finally, the arrangement does not incentivize providers to prescribe the inhibitor in any way.

As is standard, OIG cautioned that its advisory opinion is limited to the proposed arrangement only and does not cover any other arrangements. OIG further cautioned that the opinion does not provide any opinion on liability in relation to the False Claims Act and, finally, that the opinion is only binding on the Department of Health and Human Services but no other government agencies.

Takeaways

The advisory opinion provides valuable insight into how OIG evaluates pharmaceutical manufacturer sponsored diagnostic testing programs under the AKS and CMP. By imposing certain structural safeguards including clear eligibility criteria, de-identified data sharing, and marketing restrictions manufacturers may be able to establish programs that increase access to care without implicating the AKS or CMP. The advisory opinion may provide a potential model for other labs and pharmaceutical manufacturers to enter into agreements where the manufacturer would sponsor companion laboratory tests. We will continue to monitor for additional guidance that OIG may issue on this and related topics.

This was was authored by Edward J. Heath, co-chair of Robinson+Cole’s Enforcement, Investigations + Litigation in Health Care team.

Since January, there have been almost daily media reports about federal government agents conducting operations intended to sweep up individuals who are in the U.S. illegally. The primary agency responsible for these activities is Immigration and Customs Enforcement (ICE). “ICE raids,” as they have come to be called, have caused a great deal of confusion and anxiety for health care entities, including clinical laboratories, who struggle to balance cooperation with law enforcement on the one hand, and respecting the right of their employees and patients on the other.

Historically, the concept of a law enforcement “raid” has arisen in the context of search warrants. Search warrants are judge-signed orders that allow agents to enter a particularly designated place to search for and seize a particularly identified thing or things. In the prototypical example of a search warrant raid, multiple dark vans or SUVs pull up in front of the laboratory site, numerous agents in bulletproof vests and jackets emblazoned with “FBI” pour out of those vehicles and rush into the building, causing panic as they charge into offices and storage rooms, grabbing technology and paper. If federal agents appear with a valid warrant, laboratory personnel cannot physically stand in their way. Any obstruction is likely to result in criminal charges.  

As a result of policy changes by the new presidential administration, however, the “raid” concept that now comes to mind are “ICE raids.” ICE was created in 2003 in a merging of the investigative and interior enforcement elements of the former U.S. Customs Service and the Immigration and Naturalization Services.  ICE is now a division of the U.S. Department of Homeland Security, and it has a budget of approximately $8 million and workforce of roughly 20,000 personnel. Its scope of operations includes enforcement of the laws governing immigration, border control, customs, and trade. ICE Within ICE, the unit or “directorate” responsible for the recent “raids” is known as Enforcement and Removal Operations.

It is important to understand that ICE agents are essentially federal police officers. They are not the military operating unrestricted in a war zone. Like FBI agents, their powers are limited by the U.S. Constitution and federal law more generally. ICE agents usually appear with an administrative warrant signed by an immigration judge; these warrants do not grant agents the broad powers of a search warrant. Absent a valid search warrant signed by a United States District Court judge, ICE agents appearing with an administrative warrant or subpoena still generally need the consent of the laboratory to enter into private places to search for and take documents or property—or to seize individual persons. This raises some key questions about circumstances where there is no search warrant involved:

Do we have to let them come into our facilities?  ICE agents have the right to enter into any part of a lab’s facility, like a waiting room, that is open to the general public. ICE agents are not, however, authorized to enter into any non-public areas within the facility without permission. Importantly, permission to enter private areas can be expressly given or even implied from circumstances, so it is important that lab personnel understand clearly which areas of the facility are public and which are private. It is critical that personnel know precisely what to say to explicitly decline an ICE agent’s demand to access a non-public area.  

Do we have to answer their questions?  Although ICE agents are free to ask questions about the lab’s operations, employees, and patients, there is no obligation to answer those questions. Additionally, protected health information (PHI) is protected from disclosure under HIPAA and a number of state laws, just as is personnel information about any of the lab’s employees. Again, it is important that personnel have been instructed how to respectfully decline to answer questions from agents.

Do we have to show them records or give them copies?  As with questions seeking information, there is no obligation to produce documents for ICE’s review or seizure. Moreover, documentation with PHI and personnel information should not be made available to government agents without a subpoena or search warrant. Beyond that, when agents on are site, employees should take care not to have electronic or paper document in plain sight where they may be viewed by agents.

Should we physically stop ICE agents who are attempting, without our consent, to enter into a private area in the lab or to take documents or property?  No.  Any physical interference, particularly physical contact, with an ICE agent is likely to be met with an arrest and ensuing federal criminal charges.

The appearance of federal agents will be a stressful situation for almost all lab personnel. The stakes are high, so it is important to seek guidance from legal counsel in these situations.  Nonetheless, it is also worthwhile to consider working with legal counsel to develop in advance a straightforward written policy for employees to reference at the moment ICE arrives on site.  Such a policy would be designed to minimize anxiety while ensuring legally appropriate outcomes.

This post is co-authored by Julianna M. Charpentier, a member of Robinson+Cole’s Enforcement, Investigations + Litigation in Health Care team.

Earlier this year, a Florida jury fully acquitted two owners of an independent clinical laboratory located in San Antonio, Texas accused of conspiring to commit health care fraud and wire fraud. Defendants Diego Sanchez Chocron and Gregory “Milo” Caskey were charged alongside their laboratory co-owner Enrique Perez-Paris and two patient recruiters to whom they were accused of paying kickbacks. The Department of Justice alleged that Sanchez Chocron, Caskey, and Perez-Paris conspired to falsely bill Medicare and the Health Resources and Services Administration (HRSA) COVID-19 Uninsured Program $44 million for COVID-19 and genetic testing during the COVID-19 pandemic. Prosecutors alleged that the laboratory owner defendants paid kickbacks, that the tests were medically unnecessary, and that the defendants billed for tests not approved by the US Food and Drug Administration (FDA) for emergency-use authorization. Perez-Paris (and the two alleged kickback recipients) pleaded guilty to conspiracy to commit health care fraud in the weeks leading up to the trial and he testified against his former partners.

Perez-Paris pleaded guilty in February 2025 to one count of the superseding indictment that he “knowingly and willfully combined, conspired, confederated, and agreed with others, in violation of Title 18, United States Code, Section 1349, to commit health care fraud….including Medicare and the COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment and Vaccine Administration for the Uninsured Program (“HRSA COVID-19 Uninsured Program”).”

Unlike Perez-Paris, Sanchez Chocron and Caskey proceeded to trial. While their acquittals may be relatively rare, particularly in light of their alleged co-conspirator’s guilty plea and testimony, the jury’s verdict was foreshadowed by a pair of rulings from the bench.

First, Judge Rodolfo A. Ruiz II granted in part the two defendants’ motion to strike certain portions of the superseding indictment, agreeing with the defendants that HRSA did not incorporate Medicare coverage rules requiring provider authorization for a COVID-19 test, and holding that “the Government may not argue that a failure to procure authorization from a healthcare provider for a COVID-19 test automatically constitutes a violation of the HRSA Terms and Conditions.”  Judge Ruiz further held that “failure to procure authorization from a healthcare provider for a COVID-19 test under the HRSA Terms and Conditions does not automatically establish a violation of the criminal statutes set forth in the Superseding Indictment.” Judge Ruiz was careful to note that the government could use the fact that tests were not ordered by a healthcare provider as evidence of defendants’ knowledge and intent, as well as in connection with the materiality of defendants’ alleged representations to the HRSA uninsured program.

Second, Judge Ruiz also granted the defendants’ motion for acquittal on charges that they conspired to pay kickbacks and commit money laundering.  

The jury appears to have agreed with the arguments made by defense counsel who argued that the evidence presented established their clients’ good faith beliefs that their actions were legal, and that the tests were not medically unnecessary, as demonstrated by the defendants’ actions in consulting with counsel and other experts. 

The full acquittal of Sanchez Chocron and Caskey underscores the importance of the intent elements of the Anti-Kickback Statute and other fraud statutes.  Despite the government’s reliance on co-defendant testimony and allegations of widespread misconduct, the jury found the evidence insufficient to convict. Key rulings by Judge Rodolfo A. Ruiz II—particularly those limiting the government’s interpretation of HRSA requirements and dismissing kickback and money laundering charges—significantly shaped the trial’s trajectory. Ultimately, the verdict affirms that, even in high-stakes federal prosecutions, defendants who act in good faith and seek appropriate legal guidance can prevail when they have the facts and the law on their side.

As payer audits become more frequent and complex, laboratories and healthcare providers must be equipped to respond effectively. Labs are especially vulnerable due to high-cost services and billing complexity. Triggers include but are not limited to sudden spikes in service volume, changes in test panels or clientele, use of uncommon codes or modifiers, and high denial rates or billing patterns that differ from peers.

Being proactive is the most effective way to manage audit risk. Laboratories should begin by implementing regular internal audits to identify and correct documentation or billing issues before they escalate. Monitoring the Medicare Administrative Contractors (MACs) audit lists is also essential, as these lists highlight services that may be targeted for review. Every year, a report is issued that reflects the total Medicare Part B spending on lab tests.  Earlier this summer, the OIG added to its work plan a review of “Medicare Payments for Clinical Diagnostic Tests in 2024” to analyze the top 25 laboratory tests by expenditures which is expected to be released in 2026. The report issued at the end of 2024 for the review of 2023, showed an overall decrease of spending on clinical diagnostic laboratory testing but reflected a steady increase on genetic tests.  Genetic testing spending has risen to $1.8 billion, a 32% increase from 2022 to 2023.  These reports and the focus on the top 25 tests provide insight to laboratories as to which tests may be more scrutinized for utilization.

While laboratories can rely on the ordering provider’s determination of medical necessity, laboratories still play a role in ensuring medical necessity.  As such, laboratories and providers must collaborate to ensure that documentation is thorough and consistent. Laboratories may want to verify that all claims include clear medical necessity documentation. Enhancing requisition forms can help ensure that all necessary information is captured upfront, reducing the likelihood of denials. Staying informed is equally important. Laboratories should routinely review and stay up to date on payor policies, which can change frequently and vary between Medicare, Medicaid, and private insurers.

When an audit occurs, laboratories should prepare all requested documentation carefully and include any supplemental materials that support the claim. It is important to review everything before submission, communicate early and often with auditors, and request extensions if needed. Laboratories may want to consider consulting with knowledgeable legal counsel to ensure compliance and strategy alignment.

This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On November 12, 2025, President Trump signed H.R. 5371 the “Continuing Appropriations, Agriculture, Legislative Branch, Military Construction, and Veterans Affairs and Extensions Act, 2026” (the Act). The Act ended the federal government shutdown by providing necessary funding; it also extends key Medicare telehealth flexibilities to January 30, 2026. While a welcome development for health care organizations, this represents another short-term extension of Medicare telehealth flexibilities that will again need to be revisited in January 2026. Additionally, despite its passage, questions remain regarding the ability of providers to be paid for telehealth services furnished during the recent shutdown because the Act does not specifically provide for retroactive reimbursement. 

Medicare Telehealth Flexibilities Extended by the Act

  • Geographic and Originating Site flexibilities: Medicare beneficiaries may continue to receive telehealth services in any location through January 30, 2026.
  • Expanded Practitioner Eligibility: Occupational therapists, physical therapists, speech-language pathologists, and audiologists may continue providing Medicare-covered services via telehealth through January 30, 2026.
  • Telehealth for FQHCs and RHCs: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) may continue providing telehealth services through January 30, 2026, including the provision of mental health visits via telehealth to Medicare beneficiaries without needing to meet annual in-person service requirements.
  • Audio Only Telehealth: Telehealth services can continue to be provided via audio-only communications systems through January 30, 2026.
  • In-Person Requirement for Mental Health Visits: Medicare patients receiving services for the diagnosis, evaluation, or treatment of a mental health disorder via telehealth may continue to do so without having received a Medicare-covered in person item or service through January 30, 2026.
  • Telehealth for the Recertification of Hospice Care: Hospice physicians and nurse practitioners may continue having face-to-face encounters to recertify a patient’s eligibility to remain on hospice via telehealth through January 30, 2026.

It is expected that the Centers for Medicare and Medicaid Services (CMS) will provide  guidance regarding the submission of claims, eligibility for retroactive payments, and how to address claims that have been on hold, following up on prior guidance offered in connection with telehealth services and the government shutdown.

While this extension provides temporary relief for providers and patients, health care organizations could face the same telehealth dilemma in a few months absent a long-term fix. As such, organizations should remain prepared to comply with additional telehealth restrictions (which we previously discussed here) and to transition some services back to in-person where necessary.  We will continue to monitor this issue and legislative updates closely.                                                                                                                                     

This post is co-authored with Lauren Ludwig, legal intern at Robinson+Cole. Lauren is not admitted to practice law.

The Joint Commission (TJC) and Coalition for Health AI (CHAI) recently published the Guidance on the Responsible Use of Artificial Intelligence in Healthcare (Guidance), which outlines strategies for health care organizations to optimize their integration of health AI tools. The Guidance defines health AI tools broadly as clinical, administrative, or operational solutions that apply algorithmic methods to tasks involved in direct or indirect patient care, care support services, and care-relevant operations and administrative services. Given this inclusive definition, the Guidance identifies a wide range of potential AI-related risks, including errors, lack of transparency, threats to data privacy and security, and the overreliance on AI tools. To address these concerns, the Guidance outlines suggested practices that health care organizations can undertake in implementing AI tools. These practices are organized into seven elements, which are summarized below. While the Guidance is not limited to health care delivery organizations, the Guidance focuses primarily on these organizations. It is also important to note that the Guidance is not binding on health care organizations, although TJC indicates that a voluntary “Responsible Use of AI” certification program is forthcoming.

The Seven Elements of Responsible Use of AI Tools for Health Care Organizations:

  1. AI Policies and Governance Structures. The Guidance recommends that organizations establish formal AI-usage policies and a governance structure. According to TJC and CHAI, the policies should set expectations, including rules or procedures on the use of AI, and the governance committee should be composed of qualified individuals, including representatives from compliance, IT, clinical programs, operations, and data privacy. The Guidance also suggests regular reporting on AI usage to the organization’s board of directors or other fiduciary governing body.
  2. Patient Privacy and Transparency. Organizations are encouraged to adopt specific policies on data access, use, and transparency consistent with applicable laws and regulations. To promote transparency, organizations should inform patients about AI’s role in their care, including how their data may be used and how AI may benefit their care. Organizations may also need to secure informed consent to use AI tools, if applicable. The Guidance reminds organizations that transparency with staff members on the use of AI tools cannot be overlooked.
  3. Data Security and Data Use Protections. The Guidance stresses that all uses of patient data with AI tools must comply with HIPAA. Providers can support compliance by leveraging current data protection strategies, including encrypting patient data, limiting data access, regularly assessing security risks, and developing an incident response plan. TJC and CHAI recommend that organizations enter into data use agreements that outline permitted uses, minimize data exports, prohibit re-identification, require third parties to comply with the organization’s security and privacy policies, and provide the organization with audit rights.
  4. Ongoing Quality Monitoring. In addition to privacy risks, the Guidance advises organizations to regularly monitor AI quality by looking for changes in outcomes and testing the AI tools against known standards. Externally developed AI tools may not receive consistent review, and the dynamic nature of AI renders it prone to “drift” from its intended purpose; therefore, the Guidance calls for an internal reporting system to identify risks and maintain quality of care. TJC and CHAI suggest a risk-based approach to monitoring AI tools, such that AI tools that inform or drive clinical decisions should be prioritized. Additionally, the Guidance advises that organizations create a process to report adverse events to leadership and relevant vendors.
  5. Voluntary Reporting. The Guidance urges organizations to establish a process for confidential, anonymous reporting of AI safety incidents to an independent organization. By reporting through confidential channels to third parties, such as federally listed Patient Safety Organizations, voluntary reporting may improve the quality of AI usage without compromising patient privacy.
  6. Risk and Bias Assessment. The Guidance also recommends that organizations implement processes for categorizing and documenting AI bias or risk. In clinical use, AI may be unable to generalize diseases to certain populations, leading to misdiagnosis and inefficient care. TJC and CHAI recommend that organizations verify whether AI tools are appropriately tuned to the population to which they are applied and that the AI tools were developed using representative, unbiased data sets.
  7. Education and Training. Finally, to ensure that AI benefits the organization, the Guidance advocates for education and training of health care providers and staff on the use of AI tools, including any limitations on, and risks of, their use. The Guidance directs organizations to limit AI tool access to specific roles on a need-to-use basis, and to advise all staff where to find relevant information about AI tools and organizational policies and procedures.

Implications

In the absence of comprehensive federal laws governing AI, the Guidance (along with existing resources such as the National Institute of Standards and Technology (NIST) AI Risk Management Framework and the Bipartisan House Task Force Report on Artificial Intelligence) may help health care organizations evaluate and implement AI tools in a safe and compliant manner. 

Similar to the NIST RMF AI Playbook, TJC and CHAI plan to release a series of practical “playbooks” to operationalize recommended practices in the Guidance. Health care institutions seeking actionable guidance may want to take note of these playbooks because they will inform TJC’s future AI certification program.

Overall, the Guidance’s strategies can help health care organizations minimize AI risks and foster an adaptive health care environment.

This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

Healthcare providers are again confronted with the potential termination of telehealth services unless Congress acts to extend the Medicare flexibilities implemented during the COVID-19 pandemic. If no legislative action is taken before September 30, 2025, those providers and patients who have depended on expanded telehealth options will encounter substantial limitations in access beginning October 1, 2025.  

As a reminder, in March of this year the healthcare industry faced the imminent end of a number of COVID-era telehealth flexibilities, at which time Congress extended the flexibilities as part of a spending bill until September 30, 2025 (which we previously discussed here). Health care providers and their patients are now in the same position of looking to Congress to act to further extend those flexibilities to protect continued access to telehealth services.

On September 16, 2025, H.R. 5371 the “Continuing Appropriations and Extensions Act, 2026” (“the Bill”) was introduced in Congress The Bill primarily concerns federal funding, but if enacted, it would also extend the telehealth waivers established during the COVID-19 pandemic—which are currently scheduled to end on September 30, 2025—through November 21 (or November 22 as noted below), 2025. The Bill’s short-term extension comes after two separate bills seeking two-year extensions of the telehealth flexibilities had been proposed but not moved forward in recent weeks.

A summary of the existing telehealth waivers and their newly proposed expiration dates is included below.

Key Telehealth Provisions Proposed to be Extended

  • Geographic and Originating Site Flexibility:
    • If the “cliff” is averted and the Bill passes: Medicare patients would be allowed to continue receiving telehealth services in any location through November 21, 2025
      • Without another extension, beginning October 1, 2025, Medicare beneficiaries may only receive telehealth services in approved health care facilities in rural locations (outside of metropolitan statistical areas)
      • Note that the Social Security Act contains exceptions that would permit telehealth services at home (or other locations) for patients in specific circumstances approved by law or regulation, including patients being treated for: (1) symptoms of acute stroke; (2) substance use disorder; or (3) patients with mental health disorder; and (4) patients on home dialysis.
  • Expanded Practitioner Eligibility
    • If the “cliff” is averted: Medicare patients would be allowed to receive care from approved Medicare-enrolled providers, which under the prior COVID-era waiver includes occupational therapists, physical therapists, speech-language pathologists, and audiologists through November 21,2025.
    • If the “cliff” is not averted: Medicare beneficiaries will lose access to telehealth services provided by PTs, Ots, SLPs, and audiologists, all of whom play a key role in rehabilitation.
  • Telehealth for FQHCs and RHCs
    • If the “cliff” is averted: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) would be allowed to continue providing telehealth services to patients in other locations through November 21, 2025
  • Audio-Only Telehealth
    • If the “cliff” is averted: Telehealth services could continue to be provided via audio-only communications systems through November 21, 2025
    • If the “cliff” is not averted: Substantial limitation on coverage for audio-only services and providers must be technically capable of using audio-video technology.
  • In-Person Requirement for Mental Health Visits
    • If the “cliff” is averted: Medicare patients may continue to receive mental health services from FQHCs and RHCs via telehealth through November 22, 2025
    • If the “cliff” is averted: Medicare patients receiving services for the diagnosis, evaluation, or treatment of a mental health disorder may continue to do so without receiving in-person care through November 22, 2025
      • If the “cliff” is not averted:  providers are required to furnish a Medicare-covered item to the beneficiary in-person at least 6 months prior to furnishing telehealth services. Additionally, the provider must furnish a Medicare-covered item in person at least once a year following each subsequent telehealth service. Note that the annual in-person follow-up requirement may be waived if the provider and beneficiary agree that the risks of receiving an in-person service outweigh the benefits
  • Telehealth for the Recertification of Hospice Care
    • If the “cliff” is averted: Hospice physicians or nurse practitioners may continue having face-to-face encounters to recertify a patient’s eligibility to remain on hospice via telehealth through November 21,2025

As of September 25, 2025, the Bill has passed the House but has failed to pass the Senate, where it must receive a minimum of 60 votes. A motion to reconsider was granted and the Bill has once again been placed on the Senate legislative calendar. Congress is in recess through September 26, 2025, and will only have 2 days to pass this or another bill containing similar provisions before the existing waivers expire.

With the expiration date for the existing telehealth waivers looming, health care organizations should prepare to comply with additional telehealth restrictions beginning on October 1, 2025. Even if this stop-gap is passed, providers will soon be facing the same dilemma within a short period of time. We will continue to monitor this issue closely and will provide additional updates as soon as they become available.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice in Massachusetts.

On September 10, 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed an appeal of the federal court ruling vacating key provisions of the HIPAA reproductive health care regulations, which appears to signal the end of the Purl case (previously discussed here) and to confirm the end of provisions of the HIPAA reproductive health care regulations which had afforded heightened protection to protected health information (PHI) related to the receipt of lawful reproductive health care services.

In a June 2025 ruling in Purl v. Department of Health & Human Services, the  district court for the Northern District of Texas vacated provisions of the Biden-era Reproductive Health Privacy Rule (the Rule) which established new HIPAA regulations with heightened privacy protections and processes related to uses and disclosures of PHI involving reproductive health care. The federal government subsequently declined to appeal that ruling, but a group of proposed intervenors (specifically, the cities of Columbus, Ohio, and Madison, Wisconsin, as well as Doctors for America), filed a notice of appeal to potentially step in to defend the Rule’s requirements. However, the proposed intervenors subsequently reversed course and voluntarily moved to dismiss their appeal, and the Fifth Circuit granted that motion, leaving in place the district court’s vacating of the Rule’s reproductive health care regulations.

Background

In 2024, under the Biden administration, HHS promulgated the “HIPAA Privacy Rule To Support Reproductive Health Care Privacy,” which sought to better protect reproductive health records under HIPAA following the 2022 ruling in Dobbs v. Jackson Women’s Health Organization. The Rule’s stated intent was in part to protect and preserve reproductive care performed lawfully, as well as to protect the provider-patient trust that facilitates that care.  The Rule therefore set forth specific protections for PHI related to the lawful receipt of reproductive health care and implemented a new attestation requirement for certain uses and disclosures of PHI involving reproductive health care.

In late 2024, a physician and sole owner of a family medicine clinic challenged the Rule in  federal court in Texas, alleging that the requirements under the Rule were inconsistent with state child abuse and neglect reporting laws, therefore preventing providers from complying with both at the same time. As the suit progressed (with the district court having granted a preliminary injunction against enforcement of the Rule), the proposed intervenors—sensing a potential loss and foreseeing little likelihood that the new administration would defend the Rule—moved to intervene in the case to defend their interests in the Rule’s continued existence.

In June 2025, the district court vacated key provisions of the Rule related to reproductive health care (while permitting other provisions related to Notices of Privacy Practices to remain in effect), finding that HHS exceeded its authority in promulgating the Rule. Around the same time, the district court denied the motion to intervene, which the proposed intervenors swiftly appealed to the Fifth Circuit. As discussed below, however, that appeal has been dismissed.

Appeal of Vacatur and Subsequent Motion to Dismiss

After the June decision vacating the Rule’s reproductive health care provisions, HHS declined to file an appeal by the August 18, 2025, deadline. As that deadline neared, the proposed intervenors filed an appeal on August 15, 2025, seeking to reverse the District Court’s grant of summary judgment to the plaintiffs and seeking the denial of defendants’ motion to dismiss in the Fifth Circuit, pending resolution of their appeal regarding the motion to intervene. In a September 2, 2025, letter to the Fifth Circuit, the government confirmed, that it has no plans to appeal the ruling.

The proposed intervenors subsequently moved to dismiss their pending appeals in the Fifth Circuit on September 4, 2025. The motion indicated that “[HHS has] chosen not to appeal the District Court’s Summary Judgment Orders, and [the proposed intervenors] have concluded that the resources of the parties and the courts would be best conserved by dismissing this appeal.” The Fifth Circuit granted the motion and dismissed the case on September 10, 2025.

Implications

The dismissal of the appeal, and the government’s election to not further challenge the district court’s ruling in Purl, appear to end the reproductive health care protections under HIPAA that had been promulgated under the Rule. HHS has indicated that it continues to review the ruling and implications for its HIPAA rulemaking, but it appears likely that HHS will issue updated guidance and/or revoke the HIPAA reproductive health care regulations. We will continue to monitor HIPAA rulemaking and legislative developments related to the delivery of reproductive health care, privacy, and security.

This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On July 14, 2025, the Centers for Medicare and Medicaid Services (CMS) issued the calendar year (CY) 2026 physician fee schedule (PFS) proposed rule, which in pertinent part proposes several changes affecting the delivery and reimbursement of telehealth services under the Medicare program. Specifically, the proposed rule includes changes to the Medicare Telehealth Services List review process, telehealth service frequency limitations, and changes to the definition of direct supervision. Comments on the proposed rule are due to CMS by September 12, 2025, and can be submitted electronically (through regulations.gov) or by mail.

The following is an overview of the key telehealth-related provisions in the proposed rule:

  • The Social Security Act requires the Secretary of Health and Human Services to establish a process for adding or deleting Medicare telehealth services on an annual basis, and CMS annually publishes its Medicare Telehealth Services list which sets forth the HCPCS codes for telehealth services eligible for Medicare reimbursement. CMS currently implements a 5-step review process when determining whether to add or delete telehealth services from the list. Under the proposed rule, CMS seeks to simplify this annual review process by removing current steps 4[1] and 5.[2] CMS explains in the proposed rule that it has determined those steps are no longer necessary because CMS believes that “the complex professional judgment of the physician or practitioner is sufficient to ensure a service can be safely furnished via telehealth and that the service will be clinically beneficial to the beneficiary” and, accordingly, this change “will better allow practitioners to determine if telehealth is appropriate for that specific Medicare beneficiary and that specific clinical scenario.”   CMS explains further that the change is consistent with its “intent to simplify and reduce the administrative burden” associated with annual submission and review of Medicare telehealth services.
  • CMS also proposes to no longer designate services on the list as either “permanent” or “provisional” and instead to consider all services on the list to be permanent (but still subject to removal in the future where warranted in accordance with its process). This change aligns with the proposal to remove steps 4 and 5 from the current review process, because the “provisional” designation had been used for services that met steps 1 through 3 but not 4 and 5 during prior years, and would no longer be applicable.
  • The proposed rule also evaluates a number of services to be added to the Medicare telehealth services list for CY 2026, including: (1) multiple-family group psychotherapy; (2) group behavioral counseling for obesity; (3) infectious disease; (4) Auditory Osseointegrated Sound Processor; (5) dialysis related to review of medical records, history and revising treatment plans; (6) Home INR monitoring; (7) and Telemedicine E/M Services (CPT codes 98000-98015)
    • Of the services reviewed, CMS proposes to add the following for CY 2026: Multiple-Family Group Psychotherapy (CPT Code 90849); Group Behavioral Counseling for Obesity (CPT code G0437); Infectious Disease Add-On (CPT Code G0545); and Auditory Osseointegrated Sound Processor (CPT Codes 92622 and 92623).
    • Also, CMS proposes to not add the following services: Dialysis (CPT codes 90935, 90937, 90945, and 90947), Home INR Monitoring (HCPCS Code G0248), and Telemedicine E/M Services (CPT codes 98000-98015).
  • The proposed rule again clarifies that digital mental health treatment (DMHT), remote physiologic monitoring (RPM), and remote therapeutic monitoring (RTM) services do not meet the definition of telehealth services under the Social Security Act and Medicare regulations because they “are inherently non-face-to-face” and accordingly are not subject to Medicare’s telehealth rules and requirements.
  • Previously, when adding certain services to the Medicare telehealth services list, CMS has imposed limitations on how frequently those services could be furnished via telehealth. Under the proposed rule, CMS would remove frequency limitations for critical care consultations and subsequent inpatient and nursing facility visits, which would codify the approach taken by CMS during the COVID-19 pandemic and subsequently continued following the end of the public health emergency.
  • Medicare Part B currently requires certain services to be furnished under a minimum level of supervision (divided into general, direct, and personal supervision). Most incident-to services, pulmonary and cardiac rehabilitation services, many diagnostic tests, and some hospital outpatient services currently require direct supervision. During the COVID-19 pandemic, CMS revised the definition of “direct supervision” to allow for it to include supervision through a virtual presence utilizing audio/video real-time communications technologies, and to provide that it requires a supervising practitioner to be “immediately available” but not to require the practitioner’s in-person physical presence. The proposed rule now seeks to expand upon the approach taken during the COVID-19 pandemic and incremental changes made in subsequent years to allow direct supervision to be furnished virtually for certain services. The proposed rule seeks comment on “whether to adopt a definition of direct supervision that allows ‘immediate availability’ of the supervising practitioner using audio/video real-time communications technology (excluding audio-only), for all services described under [42 C.F.R.] § 410.26, except for services that have a 000, 010, or 090 global surgery indicator.”  In addition, under the proposed rule, CMS seeks to permanently revise the definition of direct supervision to state that the “presence of the physician (or other practitioner) required for direct supervision may include virtual presence through audio/video real-time communications technology (excluding audio-only) for services without a 010 or 090 global surgery indicator.” CMS stressed in the proposed rule that, “As always, the physician or practitioner should use his or her complex professional judgment to determine the appropriate supervision modality on a case-by-case basis.”
  • Additionally, CMS notes that the proposed rule would no longer allow teaching physicians to have a virtual presence when billing for services furnished by residents in a teaching setting. Teaching physicians would once again be required to maintain a physical presence during resident-furnished services to be eligible for reimbursement.

The proposed rule from CMS signals a continued shift towards permanently integrating certain telehealth flexibilities into routine care delivery, and to codifying certain telehealth delivery practices and policies that were implemented in response to the COVID-19 pandemic and have been determined not to pose significant program risks. Providers and health care organizations should review the proposed rule closely and consider submitting comments to help shape the final rule. Of note, the viability of continued flexibility for the delivery of telehealth services will depend in part upon necessary legislative proposals expected in the upcoming weeks and months. We will continue to monitor this and other CMS proposals and will provide future updates as they become available.

[1] Step 4 requires CMS to “consider whether the service elements of the requested service map to the service elements of services on the list that has a permanent status described in previous final rulemaking.”

[2] Step 5 requires CMS to “consider whether there is evidence of clinical benefit analogous to the clinical benefit of the in-person service when the patient, who is located at a telehealth originating site, receives a service furnished by a physician or practitioner located at a distant site using an interactive telecommunications system.”

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement + White-Collar Defense Team and Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice law in Massachusetts.

On August 25, 2025, the Department of Health and Human Services Office of Inspector General (OIG) issued a new report (Report) highlighting trends in remote patient monitoring (RPM) Medicare billing, recommending stronger oversight to ensure compliance in billing for RPM services. The Report builds on OIG’s September 2024 report, which also called for increased oversight for RPM billing. OIG’s new Report highlights the rapid growth of RPM: in 2024, Medicare payments for RPM services exceeded $500 million—a 31% increase from 2023—with nearly one million Medicare beneficiaries receiving RPM services.

OIG’s Findings

The use of RPM for Medicare enrollees has grown substantially and continuously since 2019, when Medicare began widely covering RPM services. In 2019, Medicare payments for RPM were just $15 million, growing to $536 million by 2024. Just between 2023 and 2024, the number of Medicare enrollees receiving RPM services increased by 27%. Approximately 4,600 medical practices routinely billed for RPM in 2024.

The OIG Report identified trends signaling a need for improved RPM billing oversight. Certain medical practices, for example, billed for over 100 new enrollees each month, compared to an average practice’s five new enrollees per month. The Report recommended program integrity measures to better monitor the potential for fraud and abuse, and recommended that the Centers for Medicare and Medicaid Services (CMS), Medicare Advantage Organizations (MAOs), and other entities involved in auditing adopt these measures.

OIG’s Recommended Program Integrity Measures

OIG first recommended that CMS and MAOs monitor medical practices that bill for large numbers of Medicare enrollees with no prior history of a patient-provider relationship. Before a medical practice can bill for RPM services for a patient, the medical practice must have established a patient relationship through either an in-person or telehealth service (with an exception for RPM services provided without a prior patient relationship during the COVID-19 public health emergency). However, the OIG Report found 45 practices that did not have a prior medical relationship with over 80% of patients for whom they billed RPM services. OIG determined whether the patient had an established relationship with the provider by looking at the date of the first RPM service billed in 2024, and then looking back to January 1, 2021, to determine whether the enrollee had seen a provider (either in person or via telehealth) prior to the first billed RPM service. If not, OIG found that there was no prior patient-provider history.

OIG also recommended monitoring the rates at which practices bill for treatment management—a service in which a provider spends at least 20 minutes per month assessing an enrollee’s RPM data to adjust their treatment plan. Most practices were compliant, with fewer than 1% of most practices’ enrollees never receiving treatment management. However, a small number of practices never billed treatment management for 75% or more of their enrollees, suggesting an alarming lack of oversight. OIG further noted that in some cases, some enrollees were receiving RPM services from two or more medical practices simultaneously, raising concerns about medically unnecessary and duplicative care. To that end, OIG recommended that CMS and MAOs monitor how regularly a practice is billing for the same enrollees as other practices.

Finally, OIG discussed billing practices for multiple monitoring devices per enrollee. Generally, practices may only bill Medicare for one RPM device—such as a blood pressure cuff or connected weight scale—per month. But OIG found that a small number of practices were billing for two or more devices per month per enrollee. OIG suggested that this pattern may indicate double billing or billing for medically unnecessary services.

Implications and Conclusion

OIG’s Report signals that regulators may be taking a fresh look at RPM billing for Medicare enrollees. Given RPM’s meteoric growth in the past five years, it is not surprising that OIG is recommending increased scrutiny of potentially problematic billing practices. Providers should proactively review internal billing practices for RPM services and implement policies to better comply with RPM billing requirements. We will continue to monitor CMS and MAO adoption of OIG’s recommendations.