This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice law in Massachusetts.

On June 11, 2025, the Department of Health and Human Services Office of Inspector General (OIG) published Advisory Opinion 25-03 (the Advisory Opinion), in which OIG approved of a proposed arrangement under which a management support organization and a physician-owned professional corporation (the Requestors) would enter into an arrangement involving the leasing of clinical employees and provision of certain administrative services related to payor contracting to support the delivery of telehealth services through online platforms. OIG determined that the proposal was protected by a safe harbor under the federal anti-kickback statute (AKS), and therefore the fees payable between the parties thereunder did not constitute prohibited remuneration under the AKS.

Background

Parties Involved

The Requestors include a management support organization that provides non-clinical support services (Requestor MSO), and a physician-owned professional corporation that maintains provider network participation contracts with commercial, Medicare Advantage, and Medicaid plans (Requestor PC) but does not otherwise employ or engage with clinical staff.

Proposed Telehealth Services Platform Arrangement

Under the proposal (Proposed Arrangement), the Requestors would contract with third-party online telehealth platforms – comprised of management services organizations that furnish management services to telehealth providers (Platform MSOs) and telehealth provider entities (Platform PCs) – to lease clinicians from the Platform PCs and obtain certain administrative services from the Platform MSOs. According to the Advisory Opinion, the Proposed Arrangement is intended to expand access to in-network services for patients of the Platform PCs, many of whom are “negatively impacted by limited access to insurance-covered telehealth services furnished by Platform PCs” especially in underserved and rural areas. The Requestor PC would credential the clinicians leased from the Platform PCs, and such leased clinicians would furnish services to their patients under Requestor PC’s contracted plans. In conjunction with this clinical arrangement, the Platform MSOs would provide ancillary administrative services to Requestor PC, including accounting (which OIG characterizes as including the collection of patient cost-sharing amounts for services rendered), marketing, administrative support (e.g., support for scheduling of clinical visits), and IT services (e.g., provision of a HIPAA-compliant online platform for receipt of synchronous telehealth services). Requestor PC would pay hourly fees for the leased clinicians and an administrative fee for the non-clinical administrative services, which would be consistent with fair market value for the services rendered as determined by a third-party valuation consultant.

As part of their request for the Advisory Opinion, Requestor MSO and Requestor PC certified that the Proposed Arrangement would meet all conditions of the AKS safe harbor for personal services and management contracts and outcomes-based payment arrangements, including by noting that the methodology for determining the fees would be set in advance and not take into account volume/value of any referrals or other business generated between the parties. Additionally, the fees would be payable regardless of whether Requestor PC was reimbursed by a payor for the visit.

OIG Analysis

Federal Anti-Kickback Statute

The OIG explained that because the Requestor PC offers and pays remuneration to the Platform PC and/or Platform MSO for services rendered, the AKS is implicated whenever the Platform PC refers a patient to Requestor PC.  The OIG therefore evaluated whether the Proposed Arrangement could violate the AKS, which prohibits offering, paying, accepting, or soliciting remuneration in exchange for referrals of items or services paid for by federal programs, or in exchange for the purchasing, leasing, ordering of, or arranging for the order of any good, facility, service, or item reimbursed under a federal health care program. Remuneration under the AKS can include anything of value, and violators of the AKS are subject to criminal and civil sanctions, including imprisonment, fines, civil monetary penalties, and exclusion from federal health care programs.

AKS Safe Harbor Requirements and Further Structural Safeguards

The broad scope of the AKS is subject to certain statutory and regulatory safe harbors, which establish protections from scrutiny thereunder for arrangements that meet all required criteria of a safe harbor. As OIG notes, safe harbor compliance “is voluntary” and “arrangements that do not comply with a safe harbor are evaluated on a case-by-case basis.”

In this Advisory Opinion, OIG affirmed that the Proposed Arrangement satisfies the requirements of the “personal services and management contracts and outcomes-based payment arrangements” safe harbor codified at 42 C.F.R. § 1001.952(d), after reviewing the key elements of the Proposed Arrangement and the criteria necessary to comply with such safe harbor.

OIG described the following structural safeguards of the Proposed Arrangement that are compliant with the safe harbor:

  • The Proposed Arrangement will be memorialized in a written agreement signed by the parties, will have a term of at least one year, and the agreement will clearly describe the duties of, and services provided by all parties involved;
  • The payments—both for the services of the leased clinicians from each Platform PC, and for the administrative services provided by Platform MSO—are fixed in advance and in line with fair market value, not determined based on volume or value of any referrals or other business generated between the parties, and are payable regardless of whether the Requestor PC is reimbursed by payors for services rendered; and
  • The Proposed Arrangement would be commercially reasonable even if no referrals resulted from the Proposed Arrangement, the services contracted for are reasonably necessary to accomplish the purpose of the Proposed Arrangement, and the parties are not involved in counseling or promoting any business activity that would violate federal or state law.

The OIG cautioned that this Advisory Opinion is limited to the Proposed Arrangement only, and does not cover additional arrangements or referrals outside of the Proposed Arrangement that may exist between the Platform PC, Platform MSO, Requestor PC and Requestor MSO. The OIG further cautioned that the Advisory Opinion is binding only on the Department of Health and Human Services and not on other government agencies (e.g., the Department of Justice).

Takeaways

The Advisory Opinion is notable for the complexity of the Proposed Arrangement and the potentially broad scope of its impact given the reported scope of Platform PC’s payor contracting activities (exceeding 400 payor contracts that cover 80% of all commercially covered lives and 65% of Medicare Advantage covered lives). The Advisory Opinion also acknowledges the role played by management services and support organizations in connection with care delivery, and particularly telehealth services delivered in connection with the Proposed Arrangement. The Advisory Opinion’s conclusion is also noteworthy because OIG did not conclude, as it often does in Advisory Opinions under the AKS, that the arrangement could result in prohibited remuneration but that OIG would exercise its discretion not to pursue it because of the safeguards present. OIG instead went further and determined that there was no prohibited remuneration because the Proposed Arrangement met the safe harbor. The Advisory Opinion accordingly may provide a potential model for other management services and care delivery organizations to consider for their arrangements. We will continue to monitor any guidance or additional advisory opinions that OIG issues on these topics.

On June 9, 2025, Connecticut Governor Ned Lamont signed into law Public Act No. 25-28, “An Act Concerning Access to Reproductive Health Care” (the Act). The Act codifies under Connecticut state law the ability of minors to access reproductive health care services without the need to obtain parental consent, including services related to pregnancy and pregnancy prevention. While minors were previously not explicitly prohibited from receiving such services without parental permission, state law was silent on the issue. The Act now provides an assurance to minors and to health care providers that minor patients in Connecticut are permitted to consent to certain reproductive health care services without the involvement of a parent or guardian.

The Act is effective as of its passage, and includes the following specific provisions:

Minor Consent for Reproductive Health Care

Individuals under the age of 18 in Connecticut may now give consent for services, examination, or treatment related to pregnancy and pregnancy prevention without the consent or notification of the minor’s parent or guardian. The services that the Act allows a minor to consent to without parental/guardian consent or notification are all services, examinations, or treatment related to pregnancy and pregnancy prevention, which include but are not limited to contraceptive counseling and services, prenatal care, and appropriate care and pain management during labor and delivery (including without limitation epidural administration). However, the Act expressly carves out and does not include an allowance for a minor to consent to sterilization thereunder.

Privacy Protections

The Act provides that if a minor patient consents to contraceptive or pregnancy-related care, physicians and other health care providers are prohibited from sharing information about such services with the minor’s parent or guardian without the minor patient’s express consent, including by sending a bill for the services to the parent or guardian. This privacy protection under the Act aligns with federal privacy regulations under HIPAA, which stipulate that where a minor patient is permitted by state law to consent to a health care service, health information related to such service cannot be disclosed to the minor’s parent or guardian without the patient’s authorization.

Provider Reporting Obligations Remain

The Act expressly states that it does not affect a physician’s or other health care provider’s reporting obligations under state law, such as mandatory reporting to the Connecticut Departments of Public Health or Children and Families. 

No Parental Liability for Cost of Services

The Act further states that where a minor patient consents to reproductive health care under the Act, and the minor’s parent or guardian is not informed of the provision of such care, the parent or guardian will not be liable for the costs of such care.

Takeaways

The Act is likely to provide welcome clarity for health care providers and facilities in the state, as well as for minor patients, as to when minors are permitted to consent to treatment and services related to reproductive health care.

The Act also expands the circumstances recognized under Connecticut law in which a minor patient may consent to the receipt of certain treatment or services, which prior to the Act’s passage included without limitation treatment of sexually transmitted diseases, alcohol and drug treatment, HIV testing and HIV/AIDS treatment, abortion and abortion counseling, and outpatient mental health treatment if certain criteria are met.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice law in Massachusetts.

The Department of Justice has launched a number of enforcement actions targeting pharmacies for alleged violations of the False Claims Act (FCA). Recently, Walgreens has been the subject of two noteworthy government settlements related to alleged FCA violations.

Allegations Related to Medicaid Billing for Generic Medications

In the first, on March 27, 2025, the U.S. Attorney’s Office for the District of Massachusetts announced that it had reached a $2.8 million settlement with Walgreens concerning allegations that the company overbilled Medicaid programs in Massachusetts and Georgia. Relators filed the qui tam case in 2019 and the government intervened for settlement purposes. The United States, Massachusetts, and Georgia alleged that, from 2008 to 2023, Walgreens submitted claims to MassHealth (Massachusetts’ Medicaid program) and Georgia Medicaid for certain generic medications that were higher than the customary price point for those drugs. Doing so, the government alleged, violated the federal FCA, as well as the states’ respective False Claims Acts.

Medicaid programs reimburse pharmacies for dispensing generic medications using the lowest of four reporting price points, one of which is the pharmacy’s “usual and customary price” as determined by the pharmacy. In this case, Walgreens submitted a higher price for the generic medications and failed to report the correct “usual and customary price,” causing the states’ Medicaid programs to overpay for those generic medications. Instead of the standard retail price (which is typically used to calculate the usual and customary price), Walgreens allegedly submitted the “gross amount due” when it was higher than the standard retail price. The extensive list of medications at issue included both over-the-counter and prescription generic medications. Notably, the claims against Walgreens in this case are similar to those brought in a pair of whistleblower FCA suits against retail drug pharmacies that reached the U.S. Supreme Court in 2023, a case we previously analyzed that established the current scienter (knowledge) standard for potential liability under the FCA.

Of the $2.8 million settlement, roughly $1.4 million will go to the federal government, Georgia will receive $352,000, and Massachusetts will receive $1.1 million.

Allegations Related to Prescriptions of Controlled Substances

Less than a month later, on April 21, 2025, the government announced the second settlement. Under this settlement agreement, Walgreens will pay the federal government $300 million, with an additional $50 million owed if the company (or a significant portion of its assets) is sold, merged, or transferred to a non-affiliated entity before 2032. The settlement resolves allegations that, from 2012 to 2023, Walgreens filled millions of unlawful controlled substance prescriptions in violation of the Controlled Substances Act, and then sought payment for those prescriptions from federal programs in violation of the FCA.

In its complaint, the government alleged that Walgreens pharmacy staff knew that many of these prescriptions were likely to be unlawful (because they were not issued in the usual course of professional practice, or were not issued for a legitimate medical purpose, or both), and some had been issued by practitioners known to regularly prescribe controlled substances in an unlawful manner. The complaint alleged that Walgreens filled such prescriptions “without resolving the significant concerns those prescriptions raised.” For example, according to the government, many of the prescriptions were for opioids prescribed in excessive quantities, filled too early, or prescribed in a dangerous and commonly abused combination with other drugs – i.e., the “trinity” of drugs (which term refers to the combination of an opioid, a benzodiazepine, and a muscle relaxant, and which is viewed as a prescribing “red flag” by the government). Walgreens allegedly “systematically pressured” pharmacy staff to fill these prescriptions quickly, without allowing them sufficient time to verify their legitimacy and necessity, and did so despite “clear red flags.” The complaint described a corporate culture “wherein pharmacists who diligently observed their responsibility to verify the legitimacy of controlled-substance prescriptions were subject to reprimand.” Further, Walgreens compliance officials allegedly prevented these practices from being curtailed by withholding from pharmacists prescriber information that would have allowed them to identify patterns of unlawful prescribing and warn one another about problematic practitioners.

The settlement stipulates several terms of payment, including one aimed at preventing employee bonuses from being used as a method of evading payment of the settlement with the government: If bonuses cumulatively exceed $400 million in a given year, the excess amount factors into the calculation of Walgreens’ annual payment amount. In addition to the settlement payment, Walgreens has agreed to several monitoring and oversight requirements going forward, including an agreement with the DEA to implement and maintain certain compliance measures for the next seven years. This agreement with the DEA requires Walgreens to establish and maintain policies requiring pharmacists to validate prescriptions for controlled substances and dispense them appropriately, provide annual training to pharmacy employees regarding their legal obligations relating to controlled substances and ensure appropriate pharmacy staffing.  As part of the settlement, Walgreens is also under a five-year Corporate Integrity Agreement with HHS-OIG, which further requires a corporate compliance program.

Conclusion

These cases underscore the government’s focus on using the FCA to police fraud and abuse in pharmacy pricing and prescribing practices. They also continue to highlight that a prudent approach for companies is to monitor red flags and outliers and to have a robust compliance program. We will continue to monitor pharmacy-related enforcement actions.

On May 22, 2025, the Centers for Medicare & Medicaid Services (CMS) took a series of actions to promote enhanced price transparency compliance by hospitals and identify challenges thereto, in order to inform future price transparency enforcement activities and policies. These actions were taken in furtherance of the President’s February 2025 Executive Order No. 14221 (which we previously analyzed), and include the following actions of particular relevance for hospitals:

  • CMS issued updated Price Transparency Guidance emphasizing that:
    • Hospitals must include dollar amounts in their machine-readable files (MRFs) (if they can be calculated) in order to make hospital pricing more transparent, “including the amount negotiated for the item or service, the base rate negotiated for a service package, and a dollar amount if the standard charge is based on a percentage of a known fee schedule”; and
    • Hospitals should no longer include the code “999999999 (nine 9s)” in MRFs for estimated allowed amounts and “should instead encode an actual dollar amount.”
  • CMS issued a Request for Information (RFI) that is intended to “identify challenges and improve compliance and enforcement processes” related to hospital price transparency efforts, and specifically in connection with concerns regarding the “accuracy and completeness of” standard charge information in hospital MRFs.

The RFI seeks information from stakeholders in response to the following questions from CMS:

  • Should CMS specifically define the terms “accuracy of data” and “completeness of data” in the context of HPT requirements, and, if yes, then how?
    • What are your concerns about the accuracy and completeness of the HPT MRF data? Please be as specific as possible.
    • Do concerns about accuracy and completeness of the MRF data affect your ability to use hospital pricing information effectively? For example, are there additional data elements that could be added, or others modified, to improve your ability to use the data? Please provide examples.
    • Are there external sources of information that may be leveraged to evaluate the accuracy and completeness of the data in the MRF? If so, please identify those sources and how they can be used.
    • What specific suggestions do you have for improving the HPT compliance and enforcement processes to ensure that the hospital pricing data is accurate, complete, and meaningful? For example, are there any changes that CMS should consider making to the CMS validator tool, which is available to hospitals to help ensure they are complying with HPT requirements, so as to improve accuracy and completeness?
    • Do you have any other suggestions for CMS to help improve the overall quality of the MRF data?

Responses to the CMS RFI are due by midnight on July 21, 2025, and must be submitted on that same webpage. CMS is interested in feedback from a variety of stakeholders who interact with MRFs and/or rely on the price transparency tools, including hospitals, payers, employers, innovators, and consumers.

We will continue to monitor oversight and enforcement of federal price transparency laws, and the impact these activities may have on hospitals and other health care organizations.

On April 29, 2025, the U.S. Supreme Court issued an opinion upholding the formula the U.S. Department of Health and Human Services (HHS) utilized to calculate Medicare hospitals’ disproportionate share hospital (DSH) payment adjustments, denying a challenge brought by hospitals seeking higher DSH reimbursement. In Advocate Christ Medical Center v. Kennedy, No. 23-715 (S. Ct. Apr. 29, 2025), the Court held, based on a highly technical analysis, that the DSH formula endorsed by HHS was consistent with congressional intent, and accordingly rejected an argument from the hospitals premised on how DSH adjustments are calculated arising from a hospital’s treatment of patients eligible for social security benefits.

Background on Disproportionate Share Hospital Rate Adjustments

Under Medicare, hospitals that treat a disproportionate share of low-income Medicare patients are entitled to a rate adjustment above the fixed Medicare amount for each Medicare patient treated, which is calculated by adding two fractions: the “Medicare fraction” plus the “Medicaid fraction.”

This dispute arose when over 200 hospitals claimed that HHS miscalculated the hospitals’ DSH adjustments from 2006 to 2009 due to the department’s misinterpretation of the “Medicare fraction” calculation. The numerator used to calculate the “Medicare fraction” is defined by statute as “the number of [a] hospital’s patient days’ attributable to patients ‘who (for such days) were entitled to benefits under [Medicare] Part A’ and ‘entitled to supplementary security income [SSI] benefits. . . under subchapter XVI.” HHS interpreted the phrase “entitled to [SSI] benefits” to mean patients who are entitled to receive an SSI payment during the month they were hospitalized.

Conversely, the hospitals argued that the phrase includes all patients enrolled in the SSI system at the time of their hospitalization, even if they were not entitled to an SSI payment during their month of hospitalization. The net result of the hospitals’ position would’ve been to expand the number of patients in that numerator, thus increasing the “Medicare fraction” and correspondingly increasing the DSH rate adjustment for such hospitals.

After the hospitals were repeatedly unsuccessful in administrative challenges and federal district court, the D.C. Circuit Court of Appeals held for HHS, stating that SSI benefits are “about cash payments for needy individuals” and that “it makes little sense to say that individuals are ‘entitled’ to the benefit in months when they are not even eligible for [a payment].”

Supreme Court Analysis and Holding

The Supreme Court upheld the D.C. Circuit ruling in favor of the government, rejecting the hospitals’ position. The Court clarified that the relevant text stipulates that SSI benefits are cash benefits and that eligibility for such benefits is determined monthly. Due to these eligibility requirements, an individual is considered “entitled to [SSI] benefits for purposes of the Medicare fraction when she is eligible for such benefits during the month of [their] hospitalization.”

The Court declined the hospitals’ characterization of SSI benefits as including non-cash benefits such as vocational rehabilitation services and continued Medicaid coverage. In examining the description of an SSI benefit, the Court concluded that non-cash benefits are not identified under subchapter XVI of the Social Security Act. Turning to the hospitals’ inclusion of individuals with continued Medicaid coverage during periods of ineligibility for SSI benefits, the Court determined that this also does not create an SSI benefit but rather aids in administering the Medicaid program.

Notably, two Justices dissented from the Court’s majority holding. They observed that the ultimate goal of the DSH formula is to “provide hospitals that serve the neediest among us with the appropriate level of critical funds” before concluding that the Court’s holding “arbitrarily undercounts a hospital’s low-income patients.”

Takeaways

This decision stops the hospitals’ ability to seek higher reimbursement via an enhanced DSH rate adjustment for the challenged claims. Moreover, HHS methodology for calculating the DSH rate was affirmed; therefore DSH hospitals will receive a DSH rate adjustment based in part on the number of patients treated who are receiving a cash payment under an SSI program during the month of treatment, and not based on the number of such patients who are just eligible for SSI benefits.

Though the provision at issue was highly technical, the impact of this decision is potentially significant for DSH hospitals at a time of funding and reimbursement challenges, as more patients seek access to critical services often provided by such DSH hospitals. We will continue to follow key reimbursement and funding developments for hospitals and other health care providers.

PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, social security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and financial information.

PIH notified the individuals and the Office for Civil Rights (OCR) of the incident in January 2020. OCR launched an investigation and found alleged violations of HIPAA’s privacy, security and breach notification rules.

In addition to the $600,000 settlement payment, PIH entered into a resolution agreement with OCR that required it to:

  • Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with HIPAA rules.
  • Train its workforce members who have access to PHI on HIPAA policies and procedures.

These requirements are essential to a HIPAA compliance program, and this settlement is a reminder for covered entities to update and maintain security risk assessments, analyses, and risk management plans to address risks and vulnerabilities on an ongoing basis.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

This post was authored by Roma Patel, Associate in Robinson+Cole’s Data Privacy + Cybersecurity Team.

We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.

Complaint Background

According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection to the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.

Alleged HIPAA Violations

MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.

The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors. MTL’s forensic investigation determined that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.

In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.

Alleged Breach of Contract – Indemnification Demand

MTL also asserts that it has incurred or expects to incur various damages related to “remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL’s business.” Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.

Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety “has provided no substantive response to MTL’s indemnification demands.”

Lessons Learned

After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.

In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners, even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn’t have to be one of them.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The Office for Civil Rights (OCR) announced on April 10, 2025, that it has settled alleged HIPAA Security Rule violations with Northeast Radiology for $350,000.

The investigation followed a breach report by Northeast Radiology to OCR in March 2020 after unauthorized individuals accessed radiology images stored in PAC servers. Northeast Radiology notified 298,532 patients of the breach. The OCR alleges that, during the investigation, Northeast Radiology “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.”

Northeast Radiology agreed to enter into a resolution agreement with OCR that included a settlement payment of $350,000 and a supervised corrective action plan for two years.


This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team, and Paul Palma, law intern at Robinson+Cole. Paul is not admitted to practice law.

On March 14, 2025, as part of a spending bill to avert a federal government shutdown, Congress extended COVID-era telehealth “waivers” applicable to Medicare until September 30, 2025. These were originally scheduled to end March 31, 2025.

This is welcome news for health care organizations that have relied on the flexibility offered by these waivers to extend access to telehealth services for Medicare beneficiaries and other patients nationwide since the COVID-19 pandemic. However, this represents another short-term extension by the government and raises questions about whether all or some of the telehealth flexibilities will be codified into law.

As a reminder, a set of key waivers to Medicare telehealth payment restrictions was enacted under the Social Security Act temporarily in connection with COVID-19 pandemic measures. These statutory waivers have now been extended by act of Congress multiple times, and this latest extension will have the following impacts related to telehealth:

  • Telehealth at Home: Medicare patients will continue to be able to receive telehealth services in their homes and in any other location in the country through at least September 30, 2025. 
    • In the absence of this extension, Medicare beneficiaries would have only been permitted to receive telehealth services in certain approved health care facilities in rural locations (outside of metropolitan statistical areas) as of April 1, 2025.
    • Note that the Social Security Act does include a narrow exception that permits telehealth services in the home (or other locations) for patients in specific circumstances approved by law or regulation, including patients being treated for acute stroke symptoms, patients with a substance use disorder diagnosis, patients with a mental health disorder (but see the additional in-person requirement for mental health telehealth treatment noted below), and patients on home dialysis for related clinical assessments.
  • Audio-Only Telehealth: Telehealth services can continue to be provided via audio-only communications systems.
    • Without the extension, telehealth services would no longer have been available via audio-only systems as of April 1, 2025, and reimbursement for telehealth services would have required the use of approved interactive telecommunications systems only (which are defined generally to refer to audio/video equipment allowing for two-way real-time interactive communications between the patient and provider, except in narrow exceptions for store-and-forward technology under telemedicine demonstration programs).
  • Telehealth Providers: Medicare patients can continue to receive telehealth services from all types of approved Medicare-enrolled providers (the waiver permits qualified occupational therapists, physical therapists, speech-language pathologists, and audiologists to furnish services via telehealth and be paid by Medicare for doing so).
  • FQHC/RHC Telehealth: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) can continue to provide telehealth services to patients in other locations.

Additionally, the legislation extends until October 1, 2025, the effective date of a requirement that, for Medicare to reimburse telehealth services furnished to a Medicare beneficiary for purposes of diagnosis, evaluation, or treatment of a mental health disorder:

  1. the provider must have furnished a Medicare-covered item or service to the beneficiary in-person (without the use of telehealth) within the prior 6 months before furnishing such telehealth services, and
  2. the provider must continue to furnish Medicare-covered items or services in-person (without the use of telehealth) to the beneficiary at least once a year following each subsequent telehealth service.
    1. The annual in-person follow-up is not required if the provider and beneficiary agree the risks of an in-person service outweigh the benefits.

Once required, the foregoing in-person visit requirement could also be fulfilled by another provider of the same specialty in the same group as the provider furnishing the telehealth service if the telehealth provider is not available to do so.

Despite this temporary reprieve to sustain current telehealth waivers through September 30, 2025, health care organizations should start preparing now for the potential end of the waivers and additional restrictions on telehealth services as soon as October 1, 2025. Moreover, health care organizations should also be aware that additional flexibilities and waivers tied to the COVID-19 era remain in place but are scheduled to expire at the end of 2025, including DEA tele-prescribing flexibilities previously discussed here.

*This post was authored with Paul Palma, law intern at Robinson+Cole. Paul is not admitted to practice law.

On March 3, 2025, Connecticut Governor Ned Lamont signed a law establishing a new process for hospitals in bankruptcy to apply for an “emergency certificate of need” (CON) to approve a transfer of ownership. The law, titled “An Act Concerning An Emergency Certificate Of Need Application Process For Transfers Of Ownership Of Hospitals That Have Filed For Bankruptcy Protection, The Assessment Of Motor Vehicles For Property Taxation, A Property Tax Exemption For Veterans Who Are Permanently And Totally Disabled And Funding Of The Special Education Excess Cost Grant” (the “Act”), was passed by the Connecticut Legislature through its emergency certification process in order to expedite its approval, presumably to allow the law and new process to be available for CON review of the potential sale(s) of Prospect Medical hospitals in Connecticut expected this year.

Emergency CON Process

Under the Act, the emergency CON process is to be available when “(1) the hospital subject to the transfer of ownership has filed for bankruptcy protection in any court of competent jurisdiction, and (2) a potential purchaser for such hospital has been or is required to be approved by a bankruptcy court.”

The Act requires the Office of Health Strategy (OHS) to:

  • Develop an emergency CON application for parties to utilize, and in doing so OHS must “identify any data necessary to analyze the effects of a hospital’s transfer of ownership on health care costs, quality and access in the affected market.”
    • Notably, if the buyer is a for-profit entity, OHS is permitted to require additional information to ensure that the continuing operation of the hospital is in the public interest.
  • Make a “completeness” determination on a submitted application within 3 business days.

Once an emergency CON application is deemed complete, OHS may – but is not required to – hold a public hearing within 30 days thereafter, and if a hearing is held OHS must notify the applicant(s) at least 5 days in advance of the hearing date. The Act provides that a public hearing or other proceeding related to review of an emergency CON is not a “contested case” under the state’s Uniform Administrative Procedure Act, which limits the procedural and appeal rights of the applicant(s). The Act also allows OHS to contract with third-party consultants to analyze the effects of the transfer on cost, access, and quality in the community, with the cost borne by the applicant(s) and not to exceed $200,000.

Emergency CON Decisions and Conditions

The Act requires final decisions on emergency CONs to be issued within 60 days of the application being deemed complete. Importantly, OHS is required to “consider the effect of the hospital’s bankruptcy on the patients and communities served by the hospital and the applicant’s plans to restore financial viability” when issuing the final decision. The Act also permits OHS to “impose any condition on an approval of an emergency” CON, as long as OHS includes its rationale (legal and factual) for imposing the condition and the specific CON criterion that the condition relates to, and such condition is reasonably tailored in time and scope. The Act also expressly provides that any condition imposed by OHS on the approval of an emergency CON will apply to the applicant(s), including any hospital subject to the transfer of ownership “and any subsidiary or group practice that would otherwise require” a CON under state law that is part of the bankruptcy sale. However, the Act does allow the applicant(s) to request a modification of conditions for good cause, including due to changed circumstances or hardship.

Finally, the Act provides that the final decision on an emergency CON, including any conditions imposed by OHS as part of the decision, is not subject to appeal.

Takeaways

The Act seeks to establish a clear expedited pathway for CON review of hospital (and health system) sales as part of the bankruptcy process. The specific process, including the form of application, is likely to be rolled out quickly by OHS to be available as part of the resolution of the Prospect Medical bankruptcy process anticipated to occur during 2025. The ultimate efficacy of the process will depend upon the specific data sought as part of the emergency CON process, and on the scope of any conditions imposed by OHS on the sales (which could introduce uncertainty into the bankruptcy sale and approval process), but the establishment of this avenue for review is likely to be welcomed by parties to hospital system bankruptcy actions.