On June 30, 2025 Connecticut Governor Ned Lamont signed a bill implementing the state budget through June 30, 2027, Public Act No. 25-168 (PA-168).  PA-168, among other things, contains changes to the state’s Certificate of Need (CON) program.

Termination of Services – Effective from Passage

In Connecticut, hospitals generally must obtain CON approval from the Office of Health Strategy (OHS) for a termination of inpatient or outpatient services.  In 2022, the legislature newly defined the term “termination of services” as when services cease for “a period greater than” 180 consecutive days (see our analysis of that legislation here). OHS subsequently sought, on at least one occasion in 2024, to take the position that there had been a termination of services necessitating CON approval where a particular service at a hospital had been closed for more than 180 days cumulatively over the period of a calendar year. The hospital pushed back on OHS’s interpretation of the statute, countering that the definition of that term required the hospital service to be terminated for 180 days consecutively in order to be met (and thus require CON approval).

PA-168 changes the definition of “termination of services” such that the term now encompasses the “cessation of services for a combined total of greater than 180 days within any consecutive two-year period.” This change was specifically sought by OHS in its annual legislative proposal, likely in response to its unsuccessful enforcement position taken in 2024, and now puts the onus on hospitals to closely track any service suspensions, interruptions or closures (regardless of the reason) to ensure compliance with CON program requirements.

Consideration of Cost and Market Impact Review Documents – Effective October 1, 2025

PA-168 also expressly allows the Health Systems Planning Unit (HSPU) of OHS to take into consideration cost and market impact review (CMIR) reports and comments when deciding CON applications for the transfer of ownership of a hospital. Existing law requires OHS to conduct a CMIR for certain CON applications involving the transfer of ownership of a hospital, where the purchaser is a for profit entity, or the purchaser is a hospital or hospital system that had revenue in excess of $1.5 billion in fiscal year 2013. The CMIR is performed by an independent third-party consultant, with the costs for such work borne by the purchaser of a hospital and subject to a cap of $200,000 per application.

Specifically, PA-168 allows the HSPU to consider the following as part of its CON application review:

  • the preliminary CMIR report and the response of the applicant(s) to the preliminary report;
  • the final CMIR report; and
  • any written comments from the parties regarding the reports issued or submitted as part of the review.

Additionally, the law provides that OHS cannot place the preliminary CMIR report into the public record until the transacting parties to the CON have had a chance to respond to such preliminary report. PA-168 does not otherwise change the existing CMIR process.

Takeaways

These changes are the product of a legislative session that robustly debated changes to the CON program. The legislation demonstrates the substantial continued interest in Connecticut in the operations of the state’s CON program, despite the fact that for a second consecutive year the legislature declined to adopt more substantial proposed changes to CON processes. Of note, earlier in the session, Governor Lamont also signed an act establishing an emergency CON process for hospitals in bankruptcy (which we previously analyzed here, a process that has not yet been utilized in the state but is expected to expedite the transfer of ownership of the Prospect Medical hospitals in the state).

For summaries of the other healthcare-related provisions of PA-168, please review the Health Law Diagnosis.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice in Massachusetts.

On June 25, 2025, Connecticut Governor Ned Lamont signed into law Public Act No. 25-97, “An Act Concerning Various Revisions to the Public Health Statutes” (the Act). The Act includes a wide range of provisions affecting patient confidentiality, hospital and provider licensure, scope of practice, civil penalties, and Connecticut’s statewide health information exchange. Significant provisions of the Act are summarized below.

Changes Affecting Psychologist Patient Confidentiality Rules

Effective October 1, 2025, Connecticut patient confidentiality rules for psychologists will align with those rules in place for psychiatric mental health providers. The Act repeals the previous psychologist-specific confidentiality and privileged communication rules and amends the current rules for psychiatric mental health providers to include psychologists. Under the new rules established by the Act, psychologists may disclose communications and records without a patient’s consent in specific circumstances such as: 1) when such communications and records are necessary for the diagnosis or treatment of the patient and the patient is informed; 2) when the psychologist determines there is a substantial risk of imminent physical injury or to facilitate admission to a mental health facility; 3) to collect fees for services or to contract with the Department of Mental Health and Addiction Services, but such disclosure is limited; and 4) for the purposes of judicial proceedings.

Changes Affecting Providers’ and Health Systems’ Operations

Effective October 1, 2025, health systems and providers—including physicians, hospitals (both for-profit and non-profit), hospital-based facilities, freestanding emergency departments, urgent care centers, and any entities affiliated with a hospital or a hospital’s parent organization—will be prohibited from requiring patients to provide bank account information, credit or debit card numbers, or any other form of electronic payment method to keep on file as a prerequisite to providing services. Violation of this new prohibition constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA). Under CUTPA, courts can award damages and impose civil penalties of up to $5,000 for willful violations. This prohibition does not affect a patient’s obligation to pay for services or prohibit a provider from otherwise requesting or storing payment information.

The Act makes several minor changes to the timing of reports that health care institutions with 50 or more employees must make to the Department of Public Health (DPH), with all changes effective October 1, 2025. Currently, hospitals must report to DPH every six months regarding their ongoing compliance with at least 80% of nurse staffing assignments in their nursing plans. The Act shortens the time period in which hospitals must make this report from two months to within 14 days of the end of the most recent six-month period. Additionally, the Act affects when health care employers must report workplace violence incidents. Under existing law, health care employers must report workplace violence incidents annually to DPH; health care employers can now make this report by February 1 each year instead of January 1. For this reporting requirement, a “health care employer” is any institution with 50 or more full- or part-time employees. This includes, but is not limited to, hospitals, hospice facilities, home health agencies, outpatient clinics, clinical laboratories, facilities for the care or treatment of mental illness or substance use disorders, licensed residential facilities for persons with intellectual disabilities, and community health centers.

The Act increases the maximum civil penalty that the DPH or its licensing boards or commissions may impose against an individual health care provider to $25,000, up from $10,000. The Act does not create any new enforcement procedures for individual providers beyond increasing the maximum penalty cap. For details on updated DPH enforcement measures for DPH-licensed institutions, see our other blog post detailing these updates.

Changes Affecting Licensure and Scope of Practice

The Act removes one requirement for hospitals licensed by the DPH, effective June 25, 2025: such hospitals are no longer required to obtain Department of Children and Families (DCF) licensure to provide either inpatient or outpatient mental health services as part of DCF’s outpatient psychiatric clinic program.

Under the Act, starting July 1, 2025, MRI and radiologic technicians are now able to perform certain oxygen-related patient care activities in hospitals, including: 1) connecting or disconnecting oxygen supply; 2) transporting a portable oxygen source; 3) connecting, disconnecting, or adjusting the oxygen delivery system; and 4) adjusting the oxygen flow rate pursuant to a medical order. Existing law includes these activities within the scope of practice for other licensed health care providers, as well as certified ultrasound, nuclear medicine, and polysomnographic technologists.

Beginning January 1, 2026, Connecticut-licensed physical therapists must complete training on ethics and jurisprudence every two years as part of their existing continuing education requirements.

Finally, the Act expands emergency medical services (EMS) personnel’s authority by permitting EMS personnel to administer epinephrine via any FDA-approved method, including nasal spray, effective July 1, 2025.

Changes Affecting the Statewide Health Information Exchange

The Act includes certain provisions affecting the rollout and scope of Connecticut’s Statewide Health Information Exchange, known as “Connie,” which launched in 2021. Under existing law, Connecticut health care providers (with limited exceptions) must connect to Connie to facilitate ease and simplicity of medical records sharing within the state. Beginning immediately, the Act adds a new directive for the Office of Health Strategy (OHS) to conduct a study into the cost and impact of creating a more granular opt-out system for patients, which would allow patients to opt out of sharing specific types of patient health information and medical records with specific providers. Most health care providers in Connecticut were required to begin connecting with Connie in 2023, but existing law does not require full participation in Connie until OHS promulgates policies and procedures related to such participation. OHS has not yet implemented these policies and procedures and OHS had originally targeted mid-2025 as a publication date, but the study results are not required under the Act until September 30, 2026, which may further delay publication.

Starting October 1, 2025, the Act also includes Connie-related provisions aimed at protecting patient data and increasing transparency. Under the Act, if Connie experiences a breach, ransomware attack, or hacking event, Connie must notify all patients affected by the breach and perform necessary mitigation on behalf of affected providers. The Act also prohibits Connie from disclosing protected health information (as defined under the Health Insurance Portability and Accountability Act) in response to a subpoena unless the disclosure is fully compliant with applicable state and federal law.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice in Massachusetts.

On June 25, 2025, Connecticut Governor Ned Lamont signed into law Public Act No. 25-96, “An Act Concerning the Department of Public Health’s Recommendations Regarding Various Revisions to the Public Health Statutes” (the Act). The Act includes several new requirements for hospitals, as well as new authority for the Department of Public Health (DPH) to oversee all health care entities. Finally, the Act adds a new licensure status for retired physicians.

New Requirements for Hospitals

The Act requires a hospital to notify DPH within two hours of the hospital declaring an “emergency department diversion,” which the Act defines as a hospital rerouting an incoming ambulance to another hospital because the diverting hospital lacks medical capability. The Act does not define the term “medical capability.” DPH will be providing the form and manner of such notice. Additionally, the Act adds the requirement that hospitals’ chief medical officers and chief nursing officers be licensed in their respective professions in Connecticut. Each of these new requirements become effective October 1, 2025.

DPH’s Authority to Oversee and Enforce

The Act expands DPH’s ability to waive inspections for licensure renewals for all DPH-licensed institutions, other than nursing homes and nursing home facilities, that are certified Medicare or Medicaid providers, starting October 1, 2025. Previously, DPH could waive inspections of institutions such as hospitals and home health agencies if the institution was a certified Medicare or Medicaid provider or had been certified within the past year. Once the Act becomes effective, an institution must be certified at the time of its renewal application for DPH to waive the inspection requirement. Because Medicare and Medicaid also conduct inspections, this change may alleviate some duplicative obligations for DPH-licensed institutions that participate in Medicare and Medicaid.

The Act also broadens the set of statutes and regulations under which DPH may take disciplinary action against DPH-licensed institutions. Effective from passage, DPH can take action against institutions that substantially fail to comply with a wider range of requirements, including those specific to institution licensing statutes and regulations but also the public health statutes generally (Title 19a of the Connecticut General Statutes). This includes, for example, failure to report on opioid overdoses, failure to promptly transfer electronic health records (i.e., information blocking), and other requirements of Title 19a that were not previously within DPH’s enforcement authority. The Act does not change the options at DPH’s disposal for disciplinary action. Types of disciplinary action still include license suspension or revocation, probation, corrective action plans, or civil penalties of up to $25,000.

Retired Physician License Status

Finally, the Act allows retired physicians, beginning January 1, 2026, to renew or reinstate their licenses for a reduced fee, allowing them to return to practice as a volunteer physician providing unpaid services. The Act directs DPH to set parameters around what defines “retirement” for the purposes of this reduced fee, as well as the specific scope of practice for this new licensure type.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice law in Massachusetts.

On June 11, 2025, the Department of Health and Human Services Office of Inspector General (OIG) published Advisory Opinion 25-03 (the Advisory Opinion), in which OIG approved of a proposed arrangement under which a management support organization and a physician-owned professional corporation (the Requestors) would enter into an arrangement involving the leasing of clinical employees and provision of certain administrative services related to payor contracting to support the delivery of telehealth services through online platforms. OIG determined that the proposal was protected by a safe harbor under the federal anti-kickback statute (AKS), and therefore the fees payable between the parties thereunder did not constitute prohibited remuneration under the AKS.

Background

Parties Involved

The Requestors include a management support organization that provides non-clinical support services (Requestor MSO), and a physician-owned professional corporation that maintains provider network participation contracts with commercial, Medicare Advantage, and Medicaid plans (Requestor PC) but does not otherwise employ or engage with clinical staff.

Proposed Telehealth Services Platform Arrangement

Under the proposal (Proposed Arrangement), the Requestors would contract with third-party online telehealth platforms – comprised of management services organizations that furnish management services to telehealth providers (Platform MSOs) and telehealth provider entities (Platform PCs) to lease clinicians from the Platform PCs and obtain certain administrative services from the Platform MSOs. According to the Advisory Opinion, the Proposed Arrangement is intended to expand access to in-network services for patients of the Platform PCs, many of whom are “negatively impacted by limited access to insurance-covered telehealth services furnished by Platform PCs” especially in underserved and rural areas. The Requestor PC would credential the clinicians leased from the Platform PCs, and such leased clinicians would furnish services to their patients under Requestor PC’s contracted plans. In conjunction with this clinical arrangement, the Platform MSOs would provide ancillary administrative services to Requestor PC, including accounting (which OIG characterizes as including the collection of patient cost-sharing amounts for services rendered), marketing, administrative support (e.g., support for scheduling of clinical visits), and IT services (e.g., provision of a HIPAA-compliant online platform for receipt of synchronous telehealth services). Requestor PC would pay hourly fees for the leased clinicians and an administrative fee for the non-clinical administrative services, which would be consistent with fair market value for the services rendered as determined by a third-party valuation consultant.

As part of their request for the Advisory Opinion, Requestor MSO and Requestor PC certified that the Proposed Arrangement would meet all conditions of the AKS safe harbor for personal services and management contracts and outcomes-based payment arrangements, including by noting that the methodology for determining the fees would be set in advance and not take into account volume/value of any referrals or other business generated between the parties. Additionally, the fees would be payable regardless of whether Requestor PC was reimbursed by a payor for the visit.

OIG Analysis

Federal Anti-Kickback Statute

The OIG explained that because the Requestor PC offers and pays remuneration to the Platform PC and/or Platform MSO for services rendered, the AKS is implicated whenever the Platform PC refers a patient to Requestor PC.  The OIG therefore evaluated whether the Proposed Arrangement could violate the AKS, which prohibits offering, paying, accepting, or soliciting remuneration in exchange for referrals of items or services paid for by federal programs, or in exchange for the purchasing, leasing, ordering of, or arranging for the order of any good, facility, service, or item reimbursed under a federal health care program. Remuneration under the AKS can include anything of value, and violators of the AKS are subject to criminal and civil sanctions, including imprisonment, fines, civil monetary penalties, and exclusion from federal health care programs.

AKS Safe Harbor Requirements and Further Structural Safeguards

The broad scope of the AKS is subject to certain statutory and regulatory safe harbors, which establish protections from scrutiny thereunder for arrangements that meet all required criteria of a safe harbor. As OIG notes, safe harbor compliance “is voluntary” and “arrangements that do not comply with a safe harbor are evaluated on a case-by-case basis.”

In this Advisory Opinion, OIG affirmed that the Proposed Arrangement satisfies the requirements of the “personal services and management contracts and outcomes-based payment arrangements” safe harbor codified at 42 C.F.R. § 1001.952(d), after reviewing the key elements of the Proposed Arrangement and the criteria necessary to comply with such safe harbor.

OIG described the following structural safeguards of the Proposed Arrangement that are compliant with the safe harbor:

  • The Proposed Arrangement will be memorialized in a written agreement signed by the parties, will have a term of at least one year, and the agreement will clearly describe the duties of, and services provided by all parties involved;
  • The payments—both for the services of the leased clinicians from each Platform PC, and for the administrative services provided by Platform MSO—are fixed in advance and in line with fair market value, not determined based on volume or value of any referrals or other business generated between the parties, and are payable regardless of whether the Requestor PC is reimbursed by payors for services rendered; and
  • The Proposed Arrangement would be commercially reasonable even if no referrals resulted from the Proposed Arrangement, the services contracted for are reasonably necessary to accomplish the purpose of the Proposed Arrangement, and the parties are not involved in counseling or promoting any business activity that would violate federal or state law.

The OIG cautioned that this Advisory Opinion is limited to the Proposed Arrangement only, and does not cover additional arrangements or referrals outside of the Proposed Arrangement that may exist between the Platform PC, Platform MSO, Requestor PC and Requestor MSO. The OIG further cautioned that the Advisory Opinion is binding only on the Department of Health and Human Services and not on other government agencies (e.g., the Department of Justice).

Takeaways

The Advisory Opinion is notable for the complexity of the Proposed Arrangement and potentially broad scope of its impact given the reported scope of Platform PC’s payor contracting activities (exceeding 400 payor contracts that cover 80% of all commercially covered lives and 65% of Medicare Advantage covered lives). The Advisory Opinion also acknowledges the role played by management services and support organizations in connection with care delivery, and particularly telehealth services delivered in connection with the Proposed Arrangement. The Advisory Opinion’s conclusion is also noteworthy because OIG did not determine that the arrangement could result in prohibited remuneration, but OIG would exercise discretion not to pursue it due to safeguards present, as OIG often concludes in Advisory Opinions under the AKS. OIG instead went further and determined that there was no prohibited remuneration because it met the safe harbor. It accordingly may provide a potential model for other management services and care delivery organizations to consider for arrangements. We will continue to monitor any guidance or additional advisory opinions that OIG issues on these topics.

On June 9, 2025, Connecticut Governor Ned Lamont signed into law Public Act No. 25-28, “An Act Concerning Access to Reproductive Health Care” (the Act). The Act codifies under Connecticut state law the ability of minors to access reproductive health care services without the need to obtain parental consent, including services related to pregnancy and pregnancy prevention. While minors were previously not explicitly prohibited from receiving such services without parental permission, state law was silent on the issue. The Act now provides an assurance to minors and to health care providers that minor patients in Connecticut are permitted to consent to certain reproductive health care services without the involvement of a parent or guardian.

The Act is effective as of its passage, and includes the following specific provisions:

Minor Consent for Reproductive Health Care

Individuals under the age of 18 in Connecticut may now give consent for services, examination, or treatment related to pregnancy and pregnancy prevention without the consent or notification of the minor’s parent or guardian. The services that the Act allows a minor to consent to without parental/guardian consent or notification are all services, examinations, or treatment related to pregnancy and pregnancy prevention, which include but are not limited to contraceptive counseling and services, prenatal care, and appropriate care and pain management during labor and delivery (including without limitation epidural administration). However, the Act expressly carves out and does not include an allowance for a minor to consent to sterilization thereunder.

Privacy Protections

The Act provides that if a minor patient consents to contraceptive or pregnancy-related care, physicians and other health care providers are prohibited from sharing information about such services with the minor’s parent or guardian without the minor patient’s express consent, including by sending a bill for the services to the parent or guardian. This privacy protection under the Act aligns with federal privacy regulations under HIPAA, which stipulate that where a minor patient is permitted by state law to consent to a health care service, health information related to such service cannot be disclosed to the minor’s parent or guardian without the patient’s authorization.

Provider Reporting Obligations Remain

The Act expressly states that it does not affect a physician’s or other health care provider’s reporting obligations under state law, such as mandatory reporting to the Connecticut Departments of Public Health or Children and Families. 

No Parental Liability for Cost of Services

The Act further states that where a minor patient consents to reproductive health care under the Act, and the minor’s parent or guardian is not informed of the provision of such care, the parent or guardian will not be liable for the costs of such care.

Takeaways

The Act is likely to provide welcome clarity for health care providers and facilities in the state, as well as for minor patients, as to when minors are permitted to consent to treatment and services related to reproductive health care.

The Act also expands the circumstances recognized under Connecticut law in which a minor patient may consent to the receipt of certain treatment or services, which prior to the Act’s passage included without limitation treatment of sexually transmitted diseases, alcohol and drug treatment, HIV testing and HIV/AIDs treatment, abortion and abortion counseling, and outpatient mental health treatment if certain criteria are met.

This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice law in Massachusetts.

The Department of Justice has launched a number of enforcement actions targeting pharmacies for alleged violations of the False Claims Act (FCA). Recently, Walgreens has been the subject of two noteworthy government settlements related to alleged FCA violations.

Allegations Related to Medicaid Billing for Generic Medications

In the first, on March 27, 2025, the U.S. Attorney’s Office for the District of Massachusetts announced that it had reached a $2.8 million settlement with Walgreens concerning allegations that the company overbilled Medicaid programs in Massachusetts and Georgia. Relators filed the qui tam case in 2019 and the government intervened for settlement purposes. The United States, Massachusetts, and Georgia alleged that, from 2008 to 2023, Walgreens submitted claims to MassHealth (Massachusetts’ Medicaid program) and Georgia Medicaid for certain generic medications that were higher than the customary price point for those drugs. Doing so, the government alleged, violated the federal FCA, as well as the states’ respective False Claims Acts.

Medicaid programs reimburse pharmacies for dispensing generic medications using the lowest of four reporting price points, one of which is the pharmacy’s “usual and customary price” as determined by the pharmacy. In this case, Walgreens submitted a higher price for the generic medications and failed to report the correct “usual and customary price,” causing the states’ Medicaid programs to overpay for those generic medications. Instead of the standard retail price (which is typically used to calculate the usual and customary price), Walgreens allegedly submitted the “gross amount due” when it was higher than the standard retail price. The extensive list of medications at issue included both over the counter and prescription generic medications. Notably, the claims against Walgreens in this case are similar to those brought in a pair of whistleblower FCA suits against retail drug pharmacies that reached the U.S. Supreme Court in 2023, a case we previously analyzed here that established the current scienter (knowledge) standard for potential liability under the FCA.

Of the $2.8 million settlement, roughly $1.4 million will go to the federal government, Georgia will receive $352,000, and Massachusetts will receive $1.1 million.

Allegations Related to Prescriptions of Controlled Substances

Less than a month later, on April 21, 2025, the government announced the second settlement. Under this settlement agreement, Walgreens will pay the federal government $300 million, with an additional $50 million owed if the company (or a significant portion of its assets) is sold, merged, or transferred to a non-affiliated entity before 2032. The settlement resolves allegations that, from 2012 to 2023, Walgreens filled millions of unlawful controlled substance prescriptions in violation of the Controlled Substances Act, and then sought payment for those prescriptions from federal programs in violation of the FCA.

In its complaint, the government alleged that Walgreens pharmacy staff knew that many of these prescriptions were likely to be unlawful (because they were not issued in the usual course of professional practice, or were not issued for a legitimate medical purpose, or both), and some had been issued by practitioners known to regularly prescribe controlled substances in an unlawful manner. The complaint alleged that Walgreens filled such prescriptions “without resolving the significant concerns those prescriptions raised.” For example, according to the government, many of the prescriptions were for opioids prescribed in excessive quantities, filled too early, or prescribed in a dangerous and commonly abused combination with other drugs – i.e., the “trinity” of drugs (which term refers to the combination of an opioid, a benzodiazepine, and a muscle relaxant, and which is viewed as a prescribing “red flag” by the government). Walgreens allegedly “systematically pressured” pharmacy staff to fill these prescriptions quickly, without allowing them sufficient time to verify their legitimacy and necessity and doing so despite “clear red flags.” The complaint described a corporate culture “wherein pharmacists who diligently observed their responsibility to verify the legitimacy of controlled-substance prescriptions were subject to reprimand.” Further, Walgreens compliance officials allegedly prevented these practices being curtailed by withholding prescriber information from pharmacists which would have allowed them to identify patterns of unlawful prescribing and warn one another about problematic practitioners.

The settlement stipulates several terms of payment, including one aimed at preventing employee bonuses from being used as a method of evading payment of the settlement with the government: If bonuses cumulatively exceed $400 million in a given year, the excess amount factors into the calculation of Walgreens’ annual payment amount. In addition to the settlement payment, Walgreens has agreed to several monitoring and oversight requirements going forward, including an agreement with the DEA to implement and maintain certain compliance measures for the next seven years. This agreement with the DEA requires Walgreens to establish and maintain policies requiring pharmacists to validate prescriptions for controlled substances and dispense them appropriately, provide annual training to pharmacy employees regarding their legal obligations relating to controlled substances and ensure appropriate pharmacy staffing.  As part of the settlement, Walgreens is also under a five-year Corporate Integrity Agreement with HHS-OIG, which further requires a corporate compliance program.

Conclusion

These cases underscore the government’s focus on using the FCA to police fraud and abuse in pharmacy pricing and prescribing practices. It also continues to highlight a prudent approach for companies to monitor red flags and outliers and have a robust compliance program. We will continue to monitor pharmacy-related enforcement actions.

On May 22, 2025, the Centers for Medicare & Medicaid Services (CMS) took a series of actions to promote enhanced price transparency compliance by hospitals and identify challenges thereto, in order to inform future price transparency enforcement activities and policies. These actions were taken in furtherance of the President’s February 2025 Executive Order No. 14221 (which we previously analyzed here), and include the following actions of particular relevance for hospitals:

  • CMS issued updated Price Transparency Guidance here emphasizing that:
    • Hospitals must include dollar amounts in their machine-readable files (MRFs) (if they can be calculated) in order to make hospital pricing more transparent, “including the amount negotiated for the item or service, the base rate negotiated for a service package, and a dollar amount if the standard charge is based on a percentage of a known fee schedule”; and
    • Hospitals should no longer include the code “999999999 (nine 9s)” in MRFs for estimated allowed amounts and “should instead encode an actual dollar amount.”
  • CMS issued a Request for Information here (RFI) that is intended to “identify challenges and improve compliance and enforcement processes” related to hospital price transparency efforts, and specifically in connection with concerns regarding the “accuracy and completeness of” standard charge information in hospital MRFs.

The RFI seeks information from stakeholders in response to the following questions from CMS:

  • Should CMS specifically define the terms “accuracy of data” and “completeness of data” in the context of HPT requirements, and, if yes, then how?
    • What are your concerns about the accuracy and completeness of the HPT MRF data? Please be as specific as possible.
    • Do concerns about accuracy and completeness of the MRF data affect your ability to use hospital pricing information effectively? For example, are there additional data elements that could be added, or others modified, to improve your ability to use the data? Please provide examples.
    • Are there external sources of information that may be leveraged to evaluate the accuracy and completeness of the data in the MRF? If so, please identify those sources and how they can be used.
    • What specific suggestions do you have for improving the HPT compliance and enforcement processes to ensure that the hospital pricing data is accurate, complete, and meaningful? For example, are there any changes that CMS should consider making to the CMS validator tool, which is available to hospitals to help ensure they are complying with HPT requirements, so as to improve accuracy and completeness?
    • Do you have any other suggestions for CMS to help improve the overall quality of the MRF data?

Responses to the CMS RFI are due by midnight on July 21, 2025, and must be submitted on that same webpage. CMS is interested in feedback from a variety of stakeholders who interact with MRFs and/or rely on the price transparency tools, including hospitals, payers, employers, innovators, and consumers.

We will continue to monitor oversight and enforcement of federal price transparency laws, and the impact these activities may have on hospitals and other health care organizations.

On April 29, 2025, the U.S. Supreme Court issued an opinion upholding the formula the U.S. Department of Health and Human Services (HHS) utilized to calculate Medicare hospitals’ disproportionate share hospital (DSH) payment adjustments, denying a challenge brought by hospitals seeking higher DSH reimbursement. In Advocate Christ Medical Center v. Kennedy, No. 23-715 (S. Ct. Apr. 29, 2025), the Court held, based on a highly technical analysis, that the DSH formula endorsed by HHS was consistent with congressional intent, and accordingly rejected an argument from the hospitals premised on how DSH adjustments are calculated arising from a hospital’s treatment of patients eligible for social security benefits.

Background on Disproportionate Share Hospital Rate Adjustments

Under Medicare, hospitals that treat a disproportionate share of low-income Medicare patients are entitled to a rate adjustment above the fixed Medicare amount for each Medicare patient treated, which is calculated by adding two fractions: the “Medicare fraction” plus the “Medicaid fraction.”

This dispute arose when over 200 hospitals claimed that HHS miscalculated the hospitals’ DSH adjustments from 2006 to 2009 due to the department’s misinterpretation of the “Medicare fraction” calculation. The numerator used to calculate the “Medicare fraction” is defined by statute as “the number of [a] hospital’s patient days’ attributable to patients ‘who (for such days) were entitled to benefits under [Medicare] Part A’ and ‘entitled to supplementary security income [SSI] benefits. . . under subchapter XVI.” HHS interpreted the phrase “entitled to [SSI] benefits” to mean patients who are entitled to receive an SSI payment during the month they were hospitalized.

Conversely, the hospitals argued that the phrase includes all patients enrolled in the SSI system at the time of their hospitalization, even if they were not entitled to an SSI payment during their month of hospitalization. The net result of the hospitals’ position would’ve been to expand the number of patients in that numerator, thus increasing the “Medicare fraction” and correspondingly increasing the DSH rate adjustment for such hospitals.

After the hospitals were repeatedly unsuccessful in administrative challenges and federal district court, the D.C. Circuit Court of Appeals held for HHS, stating that SSI benefits are “about cash payments for needy individuals” and that “it makes little sense to say that individuals are ‘entitled’ to the benefit in months when they are not even eligible for [a payment].”

Supreme Court Analysis and Holding

The Supreme Court upheld the D.C. Circuit ruling in favor of the government, rejecting the hospitals’ position. The Court clarified that the relevant text stipulates that SSI benefits are cash benefits and that eligibility for such benefits is determined monthly. Due to these eligibility requirements, an individual is considered “entitled to [SSI] benefits for purposes of the Medicare fraction when she is eligible for such benefits during the month of [their] hospitalization.”

The Court declined the hospitals’ characterization of SSI benefits as including non-cash benefits such as vocational rehabilitation services and continued Medicaid coverage. In examining the description of an SSI benefit, the Court concluded that non-cash benefits are not identified under subchapter XVI of the Social Security Act. Turning to the hospitals’ inclusion of individuals with continued Medicaid coverage during periods of ineligibility for SSI benefits, the Court determined that this also does not create an SSI benefit but rather aids in administering the Medicaid program.

Notably, two Justices dissented from the Court’s majority holding. They observed that the ultimate goal of the DSH formula is to “provide hospitals that serve the neediest among us with the appropriate level of critical funds” before concluding that the Court’s holding “arbitrarily undercounts a hospital’s low-income patients.”

Takeaways

This decision stops the hospitals’ ability to seek higher reimbursement via an enhanced DSH rate adjustment for the challenged claims. Moreover, HHS methodology for calculating the DSH rate was affirmed; therefore DSH hospitals will receive a DSH rate adjustment based in part on the number of patients treated who are receiving a cash payment under an SSI program during the month of treatment, and not based on the number of such patients who are just eligible for SSI benefits.

Though the provision at issue was highly technical, the impact of this decision is potentially significant for DSH hospitals at a time of funding and reimbursement challenges, as more patients seek access to critical services often provided by such DSH hospitals. We will continue to follow key reimbursement and funding developments for hospitals and other health care providers.

PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, social security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and financial information.

PIH notified the individuals and the Office for Civil Rights (OCR) of the incident in January 2020. OCR launched an investigation and found alleged violations of HIPAA’s privacy, security and breach notification rules.

In addition to the $600,000 settlement payment, PIH entered into a resolution agreement with OCR that required it to:

  • Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with HIPAA rules.
  • Train its workforce members who have access to PHI on HIPAA policies and procedures.

These requirements are essential to a HIPAA compliance program, and this settlement is a reminder for covered entities to update and maintain security risk assessments, analyses, and risk management plans to address risks and vulnerabilities on an ongoing basis.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

This post was authored by Roma Patel, Associate in Robinson+Cole’s Data Privacy + Cybersecurity Team.

We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.

Complaint Background

According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection to the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.

Alleged HIPAA Violations

MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.

The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors. MTL’s forensic investigation determined that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.

In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.

Alleged Breach of Contract – Indemnification Demand

MTL also asserts that it has incurred or expects to incur various damages related to “remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL’s business.” Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.

Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety “has provided no substantive response to MTL’s indemnification demands.”

Lessons Learned

After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.

In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners, even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn’t have to be one of them.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.