This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice in Massachusetts.

On November 21, 2025, the Centers for Medicare & Medicaid Services (CMS) published the CY 2026 Outpatient Prospective Payment System (OPPS) and Ambulatory Surgical Center Final Rule (the Rule), which includes several significant changes to hospital price transparency regulations. The changes follow from Executive Order 14221, entitled “Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information,” which directs the Department of Health & Human Services (HHS) to take steps to require more uniform, accurate pricing information from hospitals. Key provisions of the Rule’s new requirements are summarized below. Although these new requirements become effective on January 1, 2026, CMS is delaying enforcement until April 1, 2026.

New MRF Data Reporting Requirements

Allowed Amounts

Currently, where a hospital’s standard charge is based on an algorithm or percentage, CMS requires hospitals to report an “estimated allowed amount” in their machine-readable file (MRF). The Rule removes this requirement and instead requires hospitals to report the following four elements:

  1. Median allowed amount (which replaces estimated allowed amount);
  2. The 10th percentile allowed amount;
  3. The 90th percentile allowed amount; and
  4. The number of allowed amounts used to calculate the prior three amounts.

The median allowed amount and the 10th– and 90th-percentile allowed amounts must be calculated based on amounts the hospital has historically received from a third-party payer (less certain contractual adjustments) over the 12 to 15 months prior to posting the MRF. If an allowed amount falls between two amounts, hospitals are required to report the higher amount. To calculate these data points, hospitals must use electronic data interchange (EDI) 835 electronic remittance advice (ERA), or an equivalent, alternative source of remittance data.

Hospital NPI

The Rule also adds a requirement that hospitals encode in their MRF their organizational (i.e., Type 2) National Provider Identifier or NPI.

Modification of MRF Attestation Statement

Current regulations require each hospital to attest to the accuracy and completeness of the information encoded in its MRF. Beginning January 1, 2026, the Rule replaces the existing affirmation statement with a new, strengthened requirement at 45 C.F.R. § 180.50(a)(3)(iii) (reproduced below).

To the best of its knowledge and belief, this hospital has included all applicable standard charge information in accordance with the requirements of 45 CFR 180.50, and the information encoded is true, accurate, and complete as of the date in the file. This hospital has included all payer-specific negotiated charges in dollars that can be expressed as a dollar amount. For payer-specific negotiated charges that cannot be expressed as a dollar amount in the machine-readable file or not knowable in advance, the hospital attests that the payer-specific negotiated charge is based on a contractual algorithm, percentage or formula that precludes the provision of a dollar amount and has provided all necessary information available to the hospital for the public to be able to derive the dollar amount, including, but not limited to, the specific fee schedule or components referenced in such percentage, algorithm or formula.

The Rule also adds a requirement that hospitals include with the attestation statement the name of the hospital’s CEO, president, or senior official designated to oversee the data encoding process for the MRF.

Changes to Civil Monetary Penalties

Finally, the Rule makes available a 35% reduction to Civil Monetary Penalties (CMP) imposed for certain violations of hospital price transparency requirements, which hospitals can request in exchange for the hospital waiving its right to an administrative hearing. However, the 35% reduction will not apply if the CMP is imposed due to the hospital failing to make its MRF or any shoppable services public.

Conclusion

Hospitals would be well advised to proactively assess their price transparency practices and update their processes and disclosures to align with the enhanced requirements of the new Rule.

The recent government shutdown caused multiple Medicare statutory payment provisions to lapse on October 1, 2025, due to the absence of Congressional action. With the passage of the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026 (Pub. L. 119-37), (discussed here), Congress has retroactively restored many of these provisions. The looming question at the time of the passage was whether there would be retroactive payments. 

On November 21, 2025, Centers for Medicare and Medicaid Services (CMS) issued a Special Edition to clarify retroactive processing of claims.

Telehealth and Acute Hospital Care at Home Claims

  • On November 6, 2025, CMS instructed Medicare Administrative Contractors (MACs) to return certain telehealth claims submitted on or before November 10, 2025, that were previously non-payable after the lapse of statutory provisions. These claims are now payable if they meet all Medicare requirements.
  • Practitioners should resubmit returned claims and any held telehealth claims. Refund any beneficiary payments for services now retroactively covered. The prior instructions to append the “GY “modifier are rescinded.
  • Similarly, beginning November 10, 2025, MACs returned claims for the Acute Hospital Care at Home initiative for dates of service on or after October 1, 2025. Hospitals may resubmit these claims.

Next Steps for Providers
Facilities, practitioners, and suppliers should expect a return to normal processing operations soon.

This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On July 2, 2025, the Department of Health and Human Services Office of Inspector General (OIG) published Advisory Opinion 25-07, which concluded that a pharmaceutical manufacturer’s proposed arrangement to sponsor a free, FDA-approved companion diagnostic test for eligible patients would not implicate the Federal Anti-Kickback Statute (AKS) or the Beneficiary Inducements civil monetary penalties (CMP).

Background

The requestor (a pharmaceutical manufacturer) produces an FDA-approved enzyme inhibitor. Treatment with the inhibitor is only appropriate with specific genetic deficiencies. A clinical laboratory developed an FDA-approved companion diagnostic test which is required to determine patient eligibility for the inhibitor. The two wished to work together.

The Arrangement

Under the parties’ proposed arrangement, the requestor pays the lab a fixed fee for each test performed on an eligible patient, and prohibits the lab from billing any patients, or payors other than the requestor for the testing. The test is offered to patients who: (i) have a prior negative result for a related genetic mutation; (ii) have previously collected tumor samples available for testing; (iii) have not previously received the test; and, in addition, (iv) the test must be used in accordance with FDA labeling. According to the requestor, this arrangement is designed to better identify patients whose deficiency has gone undetected and to determine whether use of the inhibitor would be appropriate.

The requestor certified that the lab is contractually prohibited from: (i) referencing any of the lab’s other products on their “provider facing webpage;” (ii) promoting any of the lab’s or requestor’s other products in any “lab developed communications” to ordering providers or patients; and (iii) communicating with patients regarding the Arrangement unless required by law.

 Additionally, the requestor certified that it would only receive “limited aggregated de-identified date” relating to the test through monthly reports. According to the requestor the reports would include: (i) the number of tests performed under the arrangement; (ii) the cumulative results of all tests performed under the arrangement, and (iii) digital awareness results including the source and number of visits to the the parties’ dedicated website and the clicks on the QR code in pamphlets that were left behind at the provider’s office . The requestor further certified that this data will only be used to: (i) better understand the number of patients with the condition which was missed by  standard testing; (ii)verify the amount invoiced the requestor; and (iii) ensure that the parties’ arrangement is “being conducted in accordance with the terms of the agreement between the lab and the requestor.”

OIG Analysis

Anti-Kickback Statute

The OIG acknowledged that the arrangement could implicate the AKS by offering remuneration (i.e., the free test) that may induce referrals for federally reimbursable items or services and the safe harbor would not apply in this situation. However, OIG concluded that it would not impose sanctions for several reasons:

  • The arrangement presents little risk of overutilization or skewing clinical decision making. The test determines whether the inhibitor would be an appropriate method of treatment for patients and would only be appropriate for patients presenting with the deficiency. The test may also show the drug is not indicated in approximately half the cases.
  • Providers do not receive any remuneration from the requestor for prescribing the drug. Additionally, the requestor’s field personnel are prohibited from discussing the drug in relation to the arrangement.
  • The requestor will only receive de-identified data which it certifies will not be used for sales or marketing purposes including sales targeting or incentives.
  • The agreement prohibits the lab from promoting the arrangement to patients and providers and the requestor certified that it will not provide information about the arrangement to patients or providers directly.
  • There are various safeguards in place to prevent this being used as a marketing or sales tool to steer providers to order any items or services from requestor or the lab, including the drug.

Beneficiary Inducements CMP

OIG also concluded that the parties’ arrangement does not violate the Beneficiary Inducements CMP. Although providing a free test constitutes remuneration, OIG found that the arrangement meets the statutory exception for promoting access to care with a low risk of harm. Specifically, the arrangement:

  • May improve a beneficiary’s ability “to obtain items and services payable by Medicare or Medicaid” in instances when the inhibitor is covered by those programs.
  • Is unlikely to interfere with clinical decision making because the test only confirms whether the inhibitor can be prescribed for a particular patient which a provider may already be considering.
  • Does not raise quality of care or patient safety concerns because it is used to determine whether the inhibitor would be an effective treatment for a specific patient.
  • Is unlikely to increase costs to federal health care programs because the inhibitor may be a life-extending treatment that is already under consideration by the provider. Additionally, the test will determine the appropriateness of prescribing the inhibitor and nearly 50% of patients will be ineligible for the inhibitor after testing. Finally, the arrangement does not incentivize providers to prescribe the inhibitor in any way.

As is standard, OIG cautioned that its advisory opinion is limited to the proposed arrangement only and does not cover any other arrangements. OIG further cautioned that the opinion does not provide any opinion on liability in relation to the False Claims Act and, finally, that the opinion is only binding on the Department of Health and Human Services but no other government agencies.

Takeaways

The advisory opinion provides valuable insight into how OIG evaluates pharmaceutical manufacturer sponsored diagnostic testing programs under the AKS and CMP. By imposing certain structural safeguards including clear eligibility criteria, de-identified data sharing, and marketing restrictions manufacturers may be able to establish programs that increase access to care without implicating the AKS or CMP. The advisory opinion may provide a potential model for other labs and pharmaceutical manufacturers to enter into agreements where the manufacturer would sponsor companion laboratory tests. We will continue to monitor for additional guidance that OIG may issue on this and related topics.

This was was authored by Edward J. Heath, co-chair of Robinson+Cole’s Enforcement, Investigations + Litigation in Health Care team.

Since January, there have been almost daily media reports about federal government agents conducting operations intended to sweep up individuals who are in the U.S. illegally. The primary agency responsible for these activities is Immigration and Customs Enforcement (ICE). “ICE raids,” as they have come to be called, have caused a great deal of confusion and anxiety for health care entities, including clinical laboratories, who struggle to balance cooperation with law enforcement on the one hand, and respecting the right of their employees and patients on the other.

Historically, the concept of a law enforcement “raid” has arisen in the context of search warrants. Search warrants are judge-signed orders that allow agents to enter a particularly designated place to search for and seize a particularly identified thing or things. In the prototypical example of a search warrant raid, multiple dark vans or SUVs pull up in front of the laboratory site, numerous agents in bulletproof vests and jackets emblazoned with “FBI” pour out of those vehicles and rush into the building, causing panic as they charge into offices and storage rooms, grabbing technology and paper. If federal agents appear with a valid warrant, laboratory personnel cannot physically stand in their way. Any obstruction is likely to result in criminal charges.  

As a result of policy changes by the new presidential administration, however, the “raid” concept that now comes to mind are “ICE raids.” ICE was created in 2003 in a merging of the investigative and interior enforcement elements of the former U.S. Customs Service and the Immigration and Naturalization Services.  ICE is now a division of the U.S. Department of Homeland Security, and it has a budget of approximately $8 billion and workforce of roughly 20,000 personnel. Its scope of operations includes enforcement of the laws governing immigration, border control, customs, and trade. ICE Within ICE, the unit or “directorate” responsible for the recent “raids” is known as Enforcement and Removal Operations.

It is important to understand that ICE agents are essentially federal police officers. They are not the military operating unrestricted in a war zone. Like FBI agents, their powers are limited by the U.S. Constitution and federal law more generally. ICE agents usually appear with an administrative warrant signed by an immigration judge; these warrants do not grant agents the broad powers of a search warrant. Absent a valid search warrant signed by a United States District Court judge, ICE agents appearing with an administrative warrant or subpoena still generally need the consent of the laboratory to enter into private places to search for and take documents or property—or to seize individual persons. This raises some key questions about circumstances where there is no search warrant involved:

Do we have to let them come into our facilities?  ICE agents have the right to enter into any part of a lab’s facility, like a waiting room, that is open to the general public. ICE agents are not, however, authorized to enter into any non-public areas within the facility without permission. Importantly, permission to enter private areas can be expressly given or even implied from circumstances, so it is important that lab personnel understand clearly which areas of the facility are public and which are private. It is critical that personnel know precisely what to say to explicitly decline an ICE agent’s demand to access a non-public area.  

Do we have to answer their questions?  Although ICE agents are free to ask questions about the lab’s operations, employees, and patients, there is no obligation to answer those questions. Additionally, protected health information (PHI) is protected from disclosure under HIPAA and a number of state laws, just as is personnel information about any of the lab’s employees. Again, it is important that personnel have been instructed how to respectfully decline to answer questions from agents.

Do we have to show them records or give them copies?  As with questions seeking information, there is no obligation to produce documents for ICE’s review or seizure. Moreover, documentation with PHI and personnel information should not be made available to government agents without a subpoena or search warrant. Beyond that, when agents on are site, employees should take care not to have electronic or paper document in plain sight where they may be viewed by agents.

Should we physically stop ICE agents who are attempting, without our consent, to enter into a private area in the lab or to take documents or property?  No.  Any physical interference, particularly physical contact, with an ICE agent is likely to be met with an arrest and ensuing federal criminal charges.

The appearance of federal agents will be a stressful situation for almost all lab personnel. The stakes are high, so it is important to seek guidance from legal counsel in these situations.  Nonetheless, it is also worthwhile to consider working with legal counsel to develop in advance a straightforward written policy for employees to reference at the moment ICE arrives on site.  Such a policy would be designed to minimize anxiety while ensuring legally appropriate outcomes.

This post is co-authored by Julianna M. Charpentier, a member of Robinson+Cole’s Enforcement, Investigations + Litigation in Health Care team.

Earlier this year, a Florida jury fully acquitted two owners of an independent clinical laboratory located in San Antonio, Texas accused of conspiring to commit health care fraud and wire fraud. Defendants Diego Sanchez Chocron and Gregory “Milo” Caskey were charged alongside their laboratory co-owner Enrique Perez-Paris and two patient recruiters to whom they were accused of paying kickbacks. The Department of Justice alleged that Sanchez Chocron, Caskey, and Perez-Paris conspired to falsely bill Medicare and the Health Resources and Services Administration (HRSA) COVID-19 Uninsured Program $44 million for COVID-19 and genetic testing during the COVID-19 pandemic. Prosecutors alleged that the laboratory owner defendants paid kickbacks, that the tests were medically unnecessary, and that the defendants billed for tests not approved by the US Food and Drug Administration (FDA) for emergency-use authorization. Perez-Paris (and the two alleged kickback recipients) pleaded guilty to conspiracy to commit health care fraud in the weeks leading up to the trial and he testified against his former partners.

Perez-Paris pleaded guilty in February 2025 to one count of the superseding indictment that he “knowingly and willfully combined, conspired, confederated, and agreed with others, in violation of Title 18, United States Code, Section 1349, to commit health care fraud….including Medicare and the COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment and Vaccine Administration for the Uninsured Program (“HRSA COVID-19 Uninsured Program”).”

Unlike Perez-Paris, Sanchez Chocron and Caskey proceeded to trial. While their acquittals may be relatively rare, particularly in light of their alleged co-conspirator’s guilty plea and testimony, the jury’s verdict was foreshadowed by a pair of rulings from the bench.

First, Judge Rodolfo A. Ruiz II granted in part the two defendants’ motion to strike certain portions of the superseding indictment, agreeing with the defendants that HRSA did not incorporate Medicare coverage rules requiring provider authorization for a COVID-19 test, and holding that “the Government may not argue that a failure to procure authorization from a healthcare provider for a COVID-19 test automatically constitutes a violation of the HRSA Terms and Conditions.”  Judge Ruiz further held that “failure to procure authorization from a healthcare provider for a COVID-19 test under the HRSA Terms and Conditions does not automatically establish a violation of the criminal statutes set forth in the Superseding Indictment.” Judge Ruiz was careful to note that the government could use the fact that tests were not ordered by a healthcare provider as evidence of defendants’ knowledge and intent, as well as in connection with the materiality of defendants’ alleged representations to the HRSA uninsured program.

Second, Judge Ruiz also granted the defendants’ motion for acquittal on charges that they conspired to pay kickbacks and commit money laundering.  

The jury appears to have agreed with the arguments made by defense counsel who argued that the evidence presented established their clients’ good faith beliefs that their actions were legal, and that the tests were not medically unnecessary, as demonstrated by the defendants’ actions in consulting with counsel and other experts. 

The full acquittal of Sanchez Chocron and Caskey underscores the importance of the intent elements of the Anti-Kickback Statute and other fraud statutes.  Despite the government’s reliance on co-defendant testimony and allegations of widespread misconduct, the jury found the evidence insufficient to convict. Key rulings by Judge Rodolfo A. Ruiz II—particularly those limiting the government’s interpretation of HRSA requirements and dismissing kickback and money laundering charges—significantly shaped the trial’s trajectory. Ultimately, the verdict affirms that, even in high-stakes federal prosecutions, defendants who act in good faith and seek appropriate legal guidance can prevail when they have the facts and the law on their side.

As payer audits become more frequent and complex, laboratories and healthcare providers must be equipped to respond effectively. Labs are especially vulnerable due to high-cost services and billing complexity. Triggers include but are not limited to sudden spikes in service volume, changes in test panels or clientele, use of uncommon codes or modifiers, and high denial rates or billing patterns that differ from peers.

Being proactive is the most effective way to manage audit risk. Laboratories should begin by implementing regular internal audits to identify and correct documentation or billing issues before they escalate. Monitoring the Medicare Administrative Contractors (MACs) audit lists is also essential, as these lists highlight services that may be targeted for review. Every year, a report is issued that reflects the total Medicare Part B spending on lab tests.  Earlier this summer, the OIG added to its work plan a review of “Medicare Payments for Clinical Diagnostic Tests in 2024” to analyze the top 25 laboratory tests by expenditures which is expected to be released in 2026. The report issued at the end of 2024 for the review of 2023, showed an overall decrease of spending on clinical diagnostic laboratory testing but reflected a steady increase on genetic tests.  Genetic testing spending has risen to $1.8 billion, a 32% increase from 2022 to 2023.  These reports and the focus on the top 25 tests provide insight to laboratories as to which tests may be more scrutinized for utilization.

While laboratories can rely on the ordering provider’s determination of medical necessity, laboratories still play a role in ensuring medical necessity.  As such, laboratories and providers must collaborate to ensure that documentation is thorough and consistent. Laboratories may want to verify that all claims include clear medical necessity documentation. Enhancing requisition forms can help ensure that all necessary information is captured upfront, reducing the likelihood of denials. Staying informed is equally important. Laboratories should routinely review and stay up to date on payor policies, which can change frequently and vary between Medicare, Medicaid, and private insurers.

When an audit occurs, laboratories should prepare all requested documentation carefully and include any supplemental materials that support the claim. It is important to review everything before submission, communicate early and often with auditors, and request extensions if needed. Laboratories may want to consider consulting with knowledgeable legal counsel to ensure compliance and strategy alignment.

This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On November 12, 2025, President Trump signed H.R. 5371 the “Continuing Appropriations, Agriculture, Legislative Branch, Military Construction, and Veterans Affairs and Extensions Act, 2026” (the Act). The Act ended the federal government shutdown by providing necessary funding; it also extends key Medicare telehealth flexibilities to January 30, 2026. While a welcome development for health care organizations, this represents another short-term extension of Medicare telehealth flexibilities that will again need to be revisited in January 2026. Additionally, despite its passage, questions remain regarding the ability of providers to be paid for telehealth services furnished during the recent shutdown because the Act does not specifically provide for retroactive reimbursement. 

Medicare Telehealth Flexibilities Extended by the Act

  • Geographic and Originating Site flexibilities: Medicare beneficiaries may continue to receive telehealth services in any location through January 30, 2026.
  • Expanded Practitioner Eligibility: Occupational therapists, physical therapists, speech-language pathologists, and audiologists may continue providing Medicare-covered services via telehealth through January 30, 2026.
  • Telehealth for FQHCs and RHCs: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) may continue providing telehealth services through January 30, 2026, including the provision of mental health visits via telehealth to Medicare beneficiaries without needing to meet annual in-person service requirements.
  • Audio Only Telehealth: Telehealth services can continue to be provided via audio-only communications systems through January 30, 2026.
  • In-Person Requirement for Mental Health Visits: Medicare patients receiving services for the diagnosis, evaluation, or treatment of a mental health disorder via telehealth may continue to do so without having received a Medicare-covered in person item or service through January 30, 2026.
  • Telehealth for the Recertification of Hospice Care: Hospice physicians and nurse practitioners may continue having face-to-face encounters to recertify a patient’s eligibility to remain on hospice via telehealth through January 30, 2026.

It is expected that the Centers for Medicare and Medicaid Services (CMS) will provide  guidance regarding the submission of claims, eligibility for retroactive payments, and how to address claims that have been on hold, following up on prior guidance offered in connection with telehealth services and the government shutdown.

While this extension provides temporary relief for providers and patients, health care organizations could face the same telehealth dilemma in a few months absent a long-term fix. As such, organizations should remain prepared to comply with additional telehealth restrictions (which we previously discussed here) and to transition some services back to in-person where necessary.  We will continue to monitor this issue and legislative updates closely.                                                                                                                                     

This post is co-authored with Lauren Ludwig, legal intern at Robinson+Cole. Lauren is not admitted to practice law.

The Joint Commission (TJC) and Coalition for Health AI (CHAI) recently published the Guidance on the Responsible Use of Artificial Intelligence in Healthcare (Guidance), which outlines strategies for health care organizations to optimize their integration of health AI tools. The Guidance defines health AI tools broadly as clinical, administrative, or operational solutions that apply algorithmic methods to tasks involved in direct or indirect patient care, care support services, and care-relevant operations and administrative services. Given this inclusive definition, the Guidance identifies a wide range of potential AI-related risks, including errors, lack of transparency, threats to data privacy and security, and the overreliance on AI tools. To address these concerns, the Guidance outlines suggested practices that health care organizations can undertake in implementing AI tools. These practices are organized into seven elements, which are summarized below. While the Guidance is not limited to health care delivery organizations, the Guidance focuses primarily on these organizations. It is also important to note that the Guidance is not binding on health care organizations, although TJC indicates that a voluntary “Responsible Use of AI” certification program is forthcoming.

The Seven Elements of Responsible Use of AI Tools for Health Care Organizations:

  1. AI Policies and Governance Structures. The Guidance recommends that organizations establish formal AI-usage policies and a governance structure. According to TJC and CHAI, the policies should set expectations, including rules or procedures on the use of AI, and the governance committee should be composed of qualified individuals, including representatives from compliance, IT, clinical programs, operations, and data privacy. The Guidance also suggests regular reporting on AI usage to the organization’s board of directors or other fiduciary governing body.
  2. Patient Privacy and Transparency. Organizations are encouraged to adopt specific policies on data access, use, and transparency consistent with applicable laws and regulations. To promote transparency, organizations should inform patients about AI’s role in their care, including how their data may be used and how AI may benefit their care. Organizations may also need to secure informed consent to use AI tools, if applicable. The Guidance reminds organizations that transparency with staff members on the use of AI tools cannot be overlooked.
  3. Data Security and Data Use Protections. The Guidance stresses that all uses of patient data with AI tools must comply with HIPAA. Providers can support compliance by leveraging current data protection strategies, including encrypting patient data, limiting data access, regularly assessing security risks, and developing an incident response plan. TJC and CHAI recommend that organizations enter into data use agreements that outline permitted uses, minimize data exports, prohibit re-identification, require third parties to comply with the organization’s security and privacy policies, and provide the organization with audit rights.
  4. Ongoing Quality Monitoring. In addition to privacy risks, the Guidance advises organizations to regularly monitor AI quality by looking for changes in outcomes and testing the AI tools against known standards. Externally developed AI tools may not receive consistent review, and the dynamic nature of AI renders it prone to “drift” from its intended purpose; therefore, the Guidance calls for an internal reporting system to identify risks and maintain quality of care. TJC and CHAI suggest a risk-based approach to monitoring AI tools, such that AI tools that inform or drive clinical decisions should be prioritized. Additionally, the Guidance advises that organizations create a process to report adverse events to leadership and relevant vendors.
  5. Voluntary Reporting. The Guidance urges organizations to establish a process for confidential, anonymous reporting of AI safety incidents to an independent organization. By reporting through confidential channels to third parties, such as federally listed Patient Safety Organizations, voluntary reporting may improve the quality of AI usage without compromising patient privacy.
  6. Risk and Bias Assessment. The Guidance also recommends that organizations implement processes for categorizing and documenting AI bias or risk. In clinical use, AI may be unable to generalize diseases to certain populations, leading to misdiagnosis and inefficient care. TJC and CHAI recommend that organizations verify whether AI tools are appropriately tuned to the population to which they are applied and that the AI tools were developed using representative, unbiased data sets.
  7. Education and Training. Finally, to ensure that AI benefits the organization, the Guidance advocates for education and training of health care providers and staff on the use of AI tools, including any limitations on, and risks of, their use. The Guidance directs organizations to limit AI tool access to specific roles on a need-to-use basis, and to advise all staff where to find relevant information about AI tools and organizational policies and procedures.

Implications

In the absence of comprehensive federal laws governing AI, the Guidance (along with existing resources such as the National Institute of Standards and Technology (NIST) AI Risk Management Framework and the Bipartisan House Task Force Report on Artificial Intelligence) may help health care organizations evaluate and implement AI tools in a safe and compliant manner. 

Similar to the NIST RMF AI Playbook, TJC and CHAI plan to release a series of practical “playbooks” to operationalize recommended practices in the Guidance. Health care institutions seeking actionable guidance may want to take note of these playbooks because they will inform TJC’s future AI certification program.

Overall, the Guidance’s strategies can help health care organizations minimize AI risks and foster an adaptive health care environment.

This post is co-authored with Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

Healthcare providers are again confronted with the potential termination of telehealth services unless Congress acts to extend the Medicare flexibilities implemented during the COVID-19 pandemic. If no legislative action is taken before September 30, 2025, those providers and patients who have depended on expanded telehealth options will encounter substantial limitations in access beginning October 1, 2025.  

As a reminder, in March of this year the healthcare industry faced the imminent end of a number of COVID-era telehealth flexibilities, at which time Congress extended the flexibilities as part of a spending bill until September 30, 2025 (which we previously discussed here). Health care providers and their patients are now in the same position of looking to Congress to act to further extend those flexibilities to protect continued access to telehealth services.

On September 16, 2025, H.R. 5371 the “Continuing Appropriations and Extensions Act, 2026” (“the Bill”) was introduced in Congress The Bill primarily concerns federal funding, but if enacted, it would also extend the telehealth waivers established during the COVID-19 pandemic—which are currently scheduled to end on September 30, 2025—through November 21 (or November 22 as noted below), 2025. The Bill’s short-term extension comes after two separate bills seeking two-year extensions of the telehealth flexibilities had been proposed but not moved forward in recent weeks.

A summary of the existing telehealth waivers and their newly proposed expiration dates is included below.

Key Telehealth Provisions Proposed to be Extended

  • Geographic and Originating Site Flexibility:
    • If the “cliff” is averted and the Bill passes: Medicare patients would be allowed to continue receiving telehealth services in any location through November 21, 2025
      • Without another extension, beginning October 1, 2025, Medicare beneficiaries may only receive telehealth services in approved health care facilities in rural locations (outside of metropolitan statistical areas)
      • Note that the Social Security Act contains exceptions that would permit telehealth services at home (or other locations) for patients in specific circumstances approved by law or regulation, including patients being treated for: (1) symptoms of acute stroke; (2) substance use disorder; or (3) patients with mental health disorder; and (4) patients on home dialysis.
  • Expanded Practitioner Eligibility
    • If the “cliff” is averted: Medicare patients would be allowed to receive care from approved Medicare-enrolled providers, which under the prior COVID-era waiver includes occupational therapists, physical therapists, speech-language pathologists, and audiologists through November 21,2025.
    • If the “cliff” is not averted: Medicare beneficiaries will lose access to telehealth services provided by PTs, Ots, SLPs, and audiologists, all of whom play a key role in rehabilitation.
  • Telehealth for FQHCs and RHCs
    • If the “cliff” is averted: Federally qualified health centers (FQHCs) and rural health clinics (RHCs) would be allowed to continue providing telehealth services to patients in other locations through November 21, 2025
  • Audio-Only Telehealth
    • If the “cliff” is averted: Telehealth services could continue to be provided via audio-only communications systems through November 21, 2025
    • If the “cliff” is not averted: Substantial limitation on coverage for audio-only services and providers must be technically capable of using audio-video technology.
  • In-Person Requirement for Mental Health Visits
    • If the “cliff” is averted: Medicare patients may continue to receive mental health services from FQHCs and RHCs via telehealth through November 22, 2025
    • If the “cliff” is averted: Medicare patients receiving services for the diagnosis, evaluation, or treatment of a mental health disorder may continue to do so without receiving in-person care through November 22, 2025
      • If the “cliff” is not averted:  providers are required to furnish a Medicare-covered item to the beneficiary in-person at least 6 months prior to furnishing telehealth services. Additionally, the provider must furnish a Medicare-covered item in person at least once a year following each subsequent telehealth service. Note that the annual in-person follow-up requirement may be waived if the provider and beneficiary agree that the risks of receiving an in-person service outweigh the benefits
  • Telehealth for the Recertification of Hospice Care
    • If the “cliff” is averted: Hospice physicians or nurse practitioners may continue having face-to-face encounters to recertify a patient’s eligibility to remain on hospice via telehealth through November 21,2025

As of September 25, 2025, the Bill has passed the House but has failed to pass the Senate, where it must receive a minimum of 60 votes. A motion to reconsider was granted and the Bill has once again been placed on the Senate legislative calendar. Congress is in recess through September 26, 2025, and will only have 2 days to pass this or another bill containing similar provisions before the existing waivers expire.

With the expiration date for the existing telehealth waivers looming, health care organizations should prepare to comply with additional telehealth restrictions beginning on October 1, 2025. Even if this stop-gap is passed, providers will soon be facing the same dilemma within a short period of time. We will continue to monitor this issue closely and will provide additional updates as soon as they become available.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice in Massachusetts.

On September 10, 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed an appeal of the federal court ruling vacating key provisions of the HIPAA reproductive health care regulations, which appears to signal the end of the Purl case (previously discussed here) and to confirm the end of provisions of the HIPAA reproductive health care regulations which had afforded heightened protection to protected health information (PHI) related to the receipt of lawful reproductive health care services.

In a June 2025 ruling in Purl v. Department of Health & Human Services, the  district court for the Northern District of Texas vacated provisions of the Biden-era Reproductive Health Privacy Rule (the Rule) which established new HIPAA regulations with heightened privacy protections and processes related to uses and disclosures of PHI involving reproductive health care. The federal government subsequently declined to appeal that ruling, but a group of proposed intervenors (specifically, the cities of Columbus, Ohio, and Madison, Wisconsin, as well as Doctors for America), filed a notice of appeal to potentially step in to defend the Rule’s requirements. However, the proposed intervenors subsequently reversed course and voluntarily moved to dismiss their appeal, and the Fifth Circuit granted that motion, leaving in place the district court’s vacating of the Rule’s reproductive health care regulations.

Background

In 2024, under the Biden administration, HHS promulgated the “HIPAA Privacy Rule To Support Reproductive Health Care Privacy,” which sought to better protect reproductive health records under HIPAA following the 2022 ruling in Dobbs v. Jackson Women’s Health Organization. The Rule’s stated intent was in part to protect and preserve reproductive care performed lawfully, as well as to protect the provider-patient trust that facilitates that care.  The Rule therefore set forth specific protections for PHI related to the lawful receipt of reproductive health care and implemented a new attestation requirement for certain uses and disclosures of PHI involving reproductive health care.

In late 2024, a physician and sole owner of a family medicine clinic challenged the Rule in  federal court in Texas, alleging that the requirements under the Rule were inconsistent with state child abuse and neglect reporting laws, therefore preventing providers from complying with both at the same time. As the suit progressed (with the district court having granted a preliminary injunction against enforcement of the Rule), the proposed intervenors—sensing a potential loss and foreseeing little likelihood that the new administration would defend the Rule—moved to intervene in the case to defend their interests in the Rule’s continued existence.

In June 2025, the district court vacated key provisions of the Rule related to reproductive health care (while permitting other provisions related to Notices of Privacy Practices to remain in effect), finding that HHS exceeded its authority in promulgating the Rule. Around the same time, the district court denied the motion to intervene, which the proposed intervenors swiftly appealed to the Fifth Circuit. As discussed below, however, that appeal has been dismissed.

Appeal of Vacatur and Subsequent Motion to Dismiss

After the June decision vacating the Rule’s reproductive health care provisions, HHS declined to file an appeal by the August 18, 2025, deadline. As that deadline neared, the proposed intervenors filed an appeal on August 15, 2025, seeking to reverse the District Court’s grant of summary judgment to the plaintiffs and seeking the denial of defendants’ motion to dismiss in the Fifth Circuit, pending resolution of their appeal regarding the motion to intervene. In a September 2, 2025, letter to the Fifth Circuit, the government confirmed, that it has no plans to appeal the ruling.

The proposed intervenors subsequently moved to dismiss their pending appeals in the Fifth Circuit on September 4, 2025. The motion indicated that “[HHS has] chosen not to appeal the District Court’s Summary Judgment Orders, and [the proposed intervenors] have concluded that the resources of the parties and the courts would be best conserved by dismissing this appeal.” The Fifth Circuit granted the motion and dismissed the case on September 10, 2025.

Implications

The dismissal of the appeal, and the government’s election to not further challenge the district court’s ruling in Purl, appear to end the reproductive health care protections under HIPAA that had been promulgated under the Rule. HHS has indicated that it continues to review the ruling and implications for its HIPAA rulemaking, but it appears likely that HHS will issue updated guidance and/or revoke the HIPAA reproductive health care regulations. We will continue to monitor HIPAA rulemaking and legislative developments related to the delivery of reproductive health care, privacy, and security.