The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate cases of alleged HIPAA violations. The settlements include resolution agreements and civil monetary penalties.

One of the settlements and resolution agreements continues to show OCR’s emphasis on patients’ rights to access their protected health information. That settlement, dated November 19, 2024, was against Rio Hondo Community Mental Health Center in California required the covered entity to pay the OCR $100,000.

On November 26, 2024, the OCR settled with Holy Redeemer Family Medicine over the disclosure of a patient’s protected health information, including reproductive health information, to the patient’s prospective employer without her consent. The OCR alleged that the patient provided consent for the covered entity to send the results of one test that had no relevance to her reproductive health to the prospective employer. Instead, the covered entity sent “her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care” to the prospective employer. Holy Redeemer paid $325,581 and agreed to a corrective action plan with monitoring by the OCR for two years.

On December 3, 2024, the OCR imposed a $1.19 million penalty against Gulf Coast Pain Consultants (GCPC) for alleged violations of the HIPAA Security Rule. The OCR started an investigation against GCPC after a data breach notification. OCR’s investigation found that impermissible access to patients’ protected health information occurred on three occasions when a former contractor of GCPC accessed GCPC’s “electronic medical system to retrieve PHI for use in potential fraudulent Medicare claims.” The impermissible access affected 34,310 patients, including their names, addresses, dates of birth, Social Security numbers, insurance information, and primary care information.

On December 5, 2024, the OCR imposed a penalty against Children’s Hospital Colorado for $548,265 for alleged HIPAA Privacy and Security Rules violations. According to the OCR, Children’s Hospital Colorado notified the OCR following two breaches of email accounts following phishing attacks. In the first phishing attack, an email account containing the personal health information (PHI) of 3,370 individuals occurred because multi-factor authentication was disabled on the email account. Three email accounts containing 10,840 individuals’ PHI were compromised in the second incident. The OCR found that employees gave up their credentials to the threat actor in the attack, allowing unauthorized access to the email accounts.

On December 10, 2024, the OCR settled with Health Care Clearinghouse and Inmediata Health Group over allegations that they left PHI unsecured on the internet. According to the OCR, between May 2016 and January 2019, 1,565,338 individuals’ PHI “was made publicly available online.” The PHI included names, dates of birth, addresses, Social Security numbers, claims information, and treatment information. During its investigation, the OCR found “multiple potential HIPAA Security Rule Violations,” including failing to conduct a compliant risk analysis and to monitor and review the health information systems’ activity; the entities agreed to pay the OCR $250,000. They previously agreed to implement corrective actions with 33 states that addressed OCR’s findings. All of these actions and settlements provide clues to covered entities about the OCR’s priorities and conduct it finds violative of HIPAA. It has been an active two months for enforcement. We will continue to follow the OCR’s enforcement actions and see what the new year brings regarding its enforcement priorities.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

*This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

In November 2024, the Department of Health and Human Services Office of Inspector General (OIG) published the results of its audit assessing hospital compliance with the federal Hospital Price Transparency Rule (HPT Rule). OIG determined that 37 out of the 100 hospitals sampled failed to comply with some element of the HPT Rule’s publicly available charges requirements.

As a reminder, the HPT Rule requires hospitals to make certain pricing information publicly available and easily accessible on their websites to increase competition and reduce the cost of health care. The HPT Rule is enforced by the Centers for Medicare & Medicaid Services (CMS).

Under the HPT Rule, hospitals are obligated to (1) publish a comprehensive machine-readable file that includes a list of standard charges for all items and services and (2) display a list of CMS-specified shoppable services in a consumer-friendly format; this requirement may be met by using an online price estimator tool allowing consumers to obtain free estimates for up to 300 shoppable services. The 37 noncompliant hospitals identified in the audit failed to comply with either one or both of the foregoing requirements.

Specifically, OIG found that:

  • “34 hospitals did not comply with one or more of the requirements associated with publishing comprehensive machine-readable files;” and
  • “14 hospitals did not comply with one or more of the requirements associated with displaying shoppable services in a consumer-friendly manner.”

Based on the audit results, OIG estimates “that 46% of the 5879 hospitals that were required to comply with the HPT rule did not comply with the requirements to make information on their standard charges available to the public.”

In response to its findings, OIG provided CMS with specific recommendations on increasing compliance with the HPT Rule. The report indicated that CMS concurred with all recommendations and proposed corrective actions. The recommendations included the following:

  • Reviewing the specific hospitals identified by OIG as potentially noncompliant and pursuing enforcement measures if CMS determines such hospitals are out of compliance with the HPT Rule;
  • Considering changes proposed by hospitals to clarify aspects of the HPT Rule, such as providing written guidance on the definition of “shoppable services” and developing training and compliance programs tailored for small hospitals; and
  • Continuing to strengthen internal CMS controls, including allocating sufficient internal resources to monitor hospital compliance with the HPT Rule.

This OIG audit report and its affirmative direction to CMS to step up enforcement efforts demonstrates that HPT Rule enforcement remains a priority of regulators. According to the report, CMS has already initiated compliance reviews of certain hospitals included in OIG’s sample. Hospitals would, therefore, be well-advised to review the report closely, to assess their current compliance with the HPT Rule, and to consider proactive efforts to ensure continued compliance with the HPT Rule’s requirements. Notably, CMS created an online tool to aid hospitals in determining if their files are compliant with the HPT rule.

As part of its 2025 Physician Fee Schedule Final Rule (PFS Rule), the Centers for Medicare & Medicaid Services (CMS) finalized two crucial updates to federal Medicare overpayments regulations (sometimes referred to as the “60-Day Rule”) that (1) align the standard for when an overpayment is identified with the applicable standard under the False Claims Act (FCA), and (2) give health care providers up to 180 days to conduct good faith investigations to determine the existence of related overpayments after identifying an overpayment, respectively. 

These two changes address areas of significant uncertainty for health care organizations in recent years. Previously, there was uncertainty concerning the standard for “reasonable diligence” for identifying overpayments and how that standard squared with the FCA’s knowledge (scienter) requirement for liability thereunder. In addition, the changes also indicate the expectation by the government that, upon identifying an overpayment, health care organizations conduct timely good faith investigations to determine the existence of related overpayments to fulfill their 60-Day Rule obligations.

Medicare Overpayments Rule & Reasonable Diligence Standard

As a reminder, the 60-Day Rule was established as part of the Affordable Care Act (ACA) and requires a health care provider that receives an overpayment to report and return the overpayment by the later of (i) 60 days after the provider identifies the overpayment or (ii) the date any corresponding cost report is due. Failure to report and return an overpayment in a timely manner subjects the provider to significant potential liability under the FCA for a so-called “reverse false claim” for wrongful retention of the overpayment. However, the ACA did not define when an overpayment has been “identified.” This issue was addressed in rulemaking by CMS in 2014 (for Medicare Parts C and D) and 2016 (for Medicare Parts A and B), wherein CMS indicated that a provider “identifies” an overpayment when it determines, or should have determined, that the provider received an overpayment (this exercise is referred to as the “reasonable diligence” standard).

In 2018, a federal court overturned the reasonable diligence standard for Medicare Parts C and D in response to litigation brought by Medicare Advantage organizations. The court held that the reasonable diligence standard impermissibly established FCA liability for “mere negligence” and noted that the FCA had a specifically-defined knowledge standard that does not encompass negligence.

Updated Knowledge Standard for Identifying Overpayments

In response to the federal court’s ruling, and to promote consistency across Medicare programs, in December 2022, CMS proposed updating its 60-Day Rule regulations to align the knowledge standard for identifying an overpayment with the standard under the FCA (please see here for our previous discussion of that proposed rule).

In the PFS Final Rule, CMS has finalized its proposal without changes. As of January 1, 2025, under the 60-Day Rule, a person has identified an overpayment when the person:

  1. Has actual knowledge of an overpayment;
  2. Acts in deliberate ignorance of the truth or falsity of information regarding the overpayment; or
  3. Acts in reckless disregard of the truth or falsity of information regarding the overpayment.

Updated Reporting Deadline to Permit Good Faith Investigation of Related Overpayments

In the PFS Final Rule, CMS also provides additional guidance and finalizes regulations concerning providers’ potential obligation to determine the existence of related overpayments upon identifying an overpayment. CMS acknowledges the challenge in determining when the 60-day “clock” starts for reporting and returning an overpayment. 

CMS states that the 60-day period begins when a provider “has actual knowledge of the overpayment” or if the provider “acts in deliberate ignorance or reckless disregard of the existence of the overpayment,” that period starts when the provider “acted in deliberate ignorance or reckless disregard of the truth or falsity of information regarding the overpayment.”

A lingering question for many health care organizations has been whether, upon discovering a single overpayment, the organization has an obligation under the 60-Day Rule to investigate whether an underlying compliance issue could have resulted in other overpayments. CMS responds affirmatively in the PFS Final Rule, stating “we agree… that where a single overpayment is found and other related overpayments are suspected, the provider or supplier should investigate and calculate the aggregate overpayment prior to its return.”

Consequently, CMS is finalizing a related regulation under the 60-Day Rule, which “suspends the 60-day report and return obligation for up to 180 days, to allow persons time to complete a good-faith investigation to determine the existence of related overpayments that may arise from the same or similar cause or reason as the initially identified overpayment.” In other words, the 60-day clock can be delayed for up to 180 days to allow providers time to conduct a good faith investigation of potential related overpayments to ensure a comprehensive reporting and returning of overpayments.

Conclusion

The 60-Day Rule updates in the PFS Final Rule provide important guidance and assurances to health care organizations regarding the standard for identifying overpayments and the government’s expectations for providers to proactively investigate, identify, and return such overpayments. Health care organizations should carefully review the final 60-Day Rule regulations and preamble commentary guidance from CMS and update their compliance processes accordingly in order to mitigate the potential risk of FCA liability and whistleblower lawsuits for reverse false claims. 

If you have any questions regarding the PFS Rule and 60-Day Rule overpayment regulations, please do not hesitate to reach out to the authors or your contact at Robinson & Cole LLP for specific guidance.

In a highly anticipated decision on an issue facing courts across the country, the Massachusetts Supreme Judicial Court held in late October that Massachusetts hospitals’ use of online tracking technologies that collect and transmit browsing activities of website visitors does not violate the Massachusetts Wiretap Law. 

The Court determined that online interactions between visitors and the hospitals’ websites did not unambiguously qualify as a “wire communication” subject to the wiretap law, and therefore, the hospitals merited the benefit of the doubt under the “rule of lenity.” The Court accordingly reversed the trial court’s denial of the hospital-defendants’ motions to dismiss the complaints.

The case was brought as a class action alleging that two Massachusetts hospitals violated the Massachusetts Wiretap Law by “aiding… third-party software providers” in unlawfully intercepting communications involving the individuals. The communications in the complaint were the browsing activities of each individual on the hospitals’ websites, including obtaining information about specific doctors and conditions, as well as accessing medical records through a patient portal. The plaintiffs alleged that the hospitals’ collection of information on website users (such as URLs, IP addresses, and device characteristics) and third-party tracking software to monitor user activities on the websites constituted impermissible interceptions under the Massachusetts Wiretap Law. The plaintiffs sought civil remedies under that law. Notably, the allegations mirrored similar actions brought against other hospitals in Massachusetts (under the same state law) and hospitals in different states (often under those states’ analogous wiretap laws).

The Court undertook a statutory construction analysis of the specific terms in the Massachusetts Wiretap Law. It concluded that the interactions between a user and the website were not unambiguously “communications” accepted under the wiretap law (e.g., person-to-person communications). The Court observed that when visiting a website, the “user is not communicating with another person but instead interfacing with pre-generated information on a website” and that a website visitor is not “engaging in a conversation but accessing published information and databases.” The Court noted that although the Wiretap Law dates to 1968 —long before the internet age — it contains a “forward-looking mandate” concerning its applicability to new technologies, citing a 2013 decision affirming the applicability to cell phone calls and text messages. However, the Court was unwilling to expose the hospitals to potential civil and criminal penalties for “activities that do not capture such person-to-person communications or messaging” because “the text of the wiretap act is inconclusive at best as to whether website browsing is a “communication” protected by the act.”

The decision has been welcomed by hospitals and health care organizations in Massachusetts, many of whom have litigated similar allegations under the same state law – while also seeking to align with changing federal guidance on tracking technologies – for several years. Nonetheless, health care organizations should strongly consider the use and disclosures associated with website tracking technologies since the Court acknowledged the alleged conduct “raises serious concerns” and could potentially “violate various other statutes and give rise to common-law causes of action” involving protecting confidential medical information. Moreover, the decision included a lengthy dissent from one judge , who strongly disputed the majority holding and criticized the hospitals’ activities.

*This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On November 15, 2024, the Drug Enforcement Administration (DEA) and the Department of Health & Human Services (HHS) jointly announced an extension of current COVID-era tele-prescribing flexibilities for another year – through December 31, 2025 – via a Third Temporary Rule. Accordingly, health care practitioners will continue to be allowed to establish relationships with patients involving the prescription of controlled substances via telemedicine, even if the practitioner has not conducted an in-person medical evaluation of the patient, through the end of 2025.

In the Third Temporary Rule, the DEA and HHS continue to work on finalizing permanent tele-prescribing rules that appropriately balance public health and access issues with the potential diversion risks associated with telemedicine. The Second Temporary Rule (discussed below) had been scheduled to expire on December 31, 2024, and the agencies jointly determined it was necessary to issue another one-year extension to provide more time to finalize new regulations.

The DEA and HHS intend to provide “a smooth transition for patients and practitioners that have come to rely on the availability of telemedicine for controlled medication prescriptions” by considering stakeholder input and giving practitioners and patients sufficient time to comply with the new regulations once they are finalized.

As a reminder for health care organizations and industry stakeholders, please find a summary of the prior temporary rules below:

  • On February 24, 2023, the DEA issued a set of proposed rules (previously discussed here) to make certain “telemedicine flexibilities” established during the COVID-19 pandemic permanent prior to the scheduled end of the COVID-19 public health emergency on May 11, 2023. The proposed rules were more restrictive than the COVID-era telemedicine flexibilities and notably sought to end the tele-prescribing of certain narcotics without an in-person medical evaluation.
    • The DEA received over 38,000 comments on these proposals, with several opposing the sudden end of tele-prescribing flexibilities involving the prescription of certain controlled substances.
  • On May 9, 2023, the DEA issued the First Temporary Rule (discussed here), extending all COVID-19 flexibilities for the prescription of controlled substances through November 11, 2023, and allowing practitioners to continue forming new relationships involving the prescription of controlled substances via telemedicine without requiring an in-person medical evaluation.
    • The First Temporary Rule was issued in lieu of finalizing the previously proposed rules, and it also provided a one-year grace period allowing practitioner-patient relationships established as of November 11, 2023, to continue via telemedicine until November 11, 2024, before requiring an in-person visit to continue prescribing controlled substances via telemedicine.
  • On October 10, 2023, the DEA issued a Second Temporary Rule (discussed here), waiving the grace period established by the First Temporary Rule and extending the period during which practitioner-patient relationships involving the prescription of controlled substances could be formed via telemedicine through December 31, 2024.
    • The Third Temporary Rule now further extends that period until December 31, 2025.

The Third Temporary Rule’s text is available here. It will be published in the federal register on November 19, 2024.

On October 22, 2024, Microsoft issued a threat trend research report entitled “US Healthcare at risk: Strengthening resilience against ransomware attacks.” In it, Microsoft declares that ransomware attacks against the healthcare sector are “emerging as one of the most significant” cybersecurity threats to healthcare organizations. The attack surface of hospitals “grows more complex” with digital operations, which heightens “their vulnerability to attacks.”

According to the report, “the healthcare/public health sector was one of the top 10 most impacted industries in the second quarter of 2024.” Further, “ransomware attacks have surged” against health care organizations “by 300% since 2015.” In 2024, “389 U.S. healthcare institutions were hit by ransomware, causing network shutdowns, offline systems, delays in critical medical procedures, and rescheduled appointments,” with one estimate “showing healthcare organizations lose up to $900,000 per day on downtime alone.” The average ransom paid by organizations surveyed was $4.4 million.

The report declares that these attacks have a “grave impact on patient care,” as ransomware attacks can “severely impact the ability to effectively treat patients.” The effect of such attacks includes “increased emergency department patient volume, longer wait times, and additional strain on resources, particularly in time-sensitive care like stroke treatment.”

The report outlines four case studies that illustrate how ransomware attacks had “far-reaching effects” on different types of healthcare organizations.

The reason healthcare organizations are getting hit so hard by ransomware attacks include the fact that they have a reputation for paying ransoms, have limited budgets for implementing security measures, have outdated legacy systems in place, and there is an expanding attack surface to try to protect. According to Microsoft, “email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks.” The report urges the healthcare sector to adopt better cybersecurity strategies and defenses, investing in the ability to quickly restore operations following an attack, and “building a security-first workforce,” which includes robust education and training of users. Although the report outlines the same lessons we have advocated for years, the statistics this year on the rise of ransomware attacks against healthcare organizations, and that the number one way threat actors are successful in deploying ransomware is still phishing emails, should be proof enough that education and awareness should be a top priority in defending against these attacks. Spend the time and resources to develop and implement a robust cybersecurity training program and keep users apprised of the new tricks and trades of threat actors.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.

This is the fourth settlement against a victim of a ransomware attack. According to the OCR’s press release, “Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.”

The OCR’s investigation found that 291,000 files were affected by the attack. During its investigation, it alleges that Cascade potentially violated HIPAA by failing to conduct a risk analysis and to have sufficient monitoring of its systems to prevent a cyber-attack.

The settlement is a stark reminder to covered entities and business associates that even if you are a victim of a criminal attack, you are still required to follow HIPAA. Having a robust HIPAA compliance program in place is essential to protecting against threats and possible enforcement actions. Many HIPAA-regulated entities are reviewing their HIPAA compliance programs at this time to address the recent amendment to HIPAA regarding reproductive health information. For instance, Notice of Privacy Practices are required to be updated by December 2024. Now is the time to review and update your HIPAA compliance program.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

*This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On September 30, 2024, Judge Kathryn Kimball Mizelle of the U.S. District Court for the Middle District of Florida issued an order in United States ex rel. Clarissa Zafirov v. Florida Medical Associates, LLC, holding that the qui tam provision of the False Claims Act (FCA) is unconstitutional. Judge Mizelle’s holding reasoned that the authority given to private citizens under the qui tam provision of the FCA violates the Appointments Clause of the U.S. Constitution. This ruling comes after Supreme Court Justices Barrett, Kavanaugh, and Thomas questioned last year whether the qui tam provision violated Article II of the U. S. Constitution (see United States ex rel. Polansky v. Executive. Health Res., Inc., 599 U.S. 419 (2023)).

 As a reminder, the FCA’s qui tam provision authorizes private citizens or whistleblowers ­­– referred to as “relators” – to file FCA cases on behalf of the United States. After a relator files a complaint, the government may choose to intervene and take over prosecution of the action. The government may also choose to decline to intervene, at which point the relator may proceed to litigate the matter as they see fit. Whistleblowers and other relators often use qui tam lawsuits under the FCA to seek damages for allegedly false or fraudulent claims knowingly submitted to federal health care programs by health care providers and health care entities.

 Here, the relator (Zafirov) alleged that her employer violated the FCA by misrepresenting patients’ medical conditions to Medicare. The United States declined to intervene in the case, and Zafirov has pursued the case on its behalf for five years until recently, when the defendants moved for judgment on the pleadings challenging the constitutionality of the qui tam provision. The government continued to not intervene, instead filing a statement of interest to also contest the constitutional arguments.

The defendants argued that the qui tam provision violates the Take Care and Vesting Clauses of Article II. The defendants also argued that the qui tam provision violates the Appointments Clause of Article II. The district court agreed with the defendants’ second argument (and therefore reasoned it did not need to come to a conclusion on the Take Care and Vesting Clauses), dismissing the case and holding that FCA relators are officers of the United States and they are not properly appointed under the Appointments Clause, making the qui tam provision unconstitutional.

Judge Mizelle concluded that qui tam relators are officers of the United States under Supreme Court precedent because they “exercise[s] significant authority pursuant to the laws of the United States” and occupy a “continuing position established by law.” Thus, according to the Appointments Clause, as officers, qui tam relators must be “appointed by the President alone, in the Courts of Law, or in the Heads of Departments.”

 It remains to be seen what the immediate effect of this ruling will be and whether other defendants will have similar success with such arguments, given that this is a District Court ruling and, therefore, non-binding. The case will likely be appealed to the Eleventh Circuit as the government already expressed interest in defending the constitutionality of the FCA’s qui tam provision. If the Eleventh Circuit affirms the District Court judgment, it would create a circuit split since multiple other circuits have previously rejected similar constitutional challenges. This could potentially lead to the Supreme Court granting certiorari, where multiple justices have expressed skepticism about the constitutionality of the qui tam provision.            

We will continue to monitor for any similar decisions or appellate reviews of this decision and provide related updates.

On September 28, 2024, California Governor Gavin Newsom vetoed California Assembly Bill 3129 (the Bill). The Bill, if enacted, would have imposed new notice and consent requirements for private equity investors involved in healthcare transactions. Governor Newsom’s veto statement clarifies the Bill’s vetoing, stating that the Office of Health Care Affordability (OHCA) “was created as the responsible state entity to review proposed health care transactions, and it would be more appropriate for the OHCA to oversee these consolidation issues as it is already doing much of this work.” A summary of the Bill’s requirements is included below.

The Bill, if enacted, would have required a private equity group, or a hedge fund, to provide written notice of, and obtain the written consent of, the California Attorney General (CA AG) before certain health care transactions could become effective. This approval would have been required for any transaction in which a private equity group or hedge fund is either indirectly or directly acquiring “more than 15 percent of the market value or ownership shares of the health care facility, provider group, or provider;” or, obtaining “rights significant enough to constitute a change in control, including, but not limited to, supermajority rights, veto rights, exclusivity provisions, and similar provisions.”

The Bill provided a narrow exception from the consent requirement where all of the following apply: (1) the private equity group or hedge fund has not been involved in any healthcare acquisitions in the preceding seven years; (2) the group consists of fewer than 10 providers; and (3) the group’s gross annual revenue is less than $25 million, although notice may still be required.

The Bill would have required that the private equity group or hedge fund submit notice to the CA AG at the same time that any other state or federal agency is notified pursuant to state or federal law and otherwise at least 90 days before the transaction. The Bill would also have authorized the CA AG to extend that 90-day period under certain circumstances. The Bill does not specify the documents that would have to be submitted with the notice filing, but it does require the submission of information sufficient for the CA AG to determine whether approval is appropriate. The documents to be submitted would likely have included (at a minimum) deal documents and related information that communicate the nature of the transaction and its likely impact on competition, costs, and access to healthcare services.

At the end of the 90-day period, the Bill would have authorized the CA AG to consent to, give conditional consent to, or not consent to a transaction between a private equity group or hedge fund and a health care facility, provider group, or provider if the transaction “may have a substantial likelihood of anticompetitive effects, including a substantial risk of lessening competition or of tending to create a monopoly, or may create a significant effect on the access or availability of health care services to the affected community.”

Additionally, the Bill would have prohibited a private equity group or hedge fund involved in any manner with a physician, psychiatric, or dental practice doing business in California from interfering with the professional judgment of physicians, psychiatrists, or dentists in making health care decisions, among other things. Lastly, the Bill would also have authorized the CA AG to adopt regulations and contract with state agencies, experts, or consultants to implement its requirements, as specified.

The Bill follows a broader national trend of heightened notice and consent requirements for health care transactions involving private equity investors. We will continue to monitor the evolution of this trend and provide related updates.

*This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

On September 18, 2024, the Department of Justice (DOJ) announced a settlement with Dunes Surgical Hospital and United Surgical Partners International, Inc. (USPI), an entity holding a partial ownership interest in Dunes, in connection with alleged violations of the federal False Claims Act (FCA), Anti-Kickback Statute (AKS), and Physician Self-Referral Law (commonly referred to as the “Stark Law”). The settlement arises from the self-disclosure by Dunes and USPI of alleged improper arrangements following an internal compliance review and an independent investigation. As part of the settlement, the defendants agreed to pay the federal government $12.76 million for claims related to federal health care programs as well as $1.37 million to the states of South Dakota, Iowa, and Nebraska, respectively, for state Medicaid related claims.

According to DOJ, Dunes allegedly made “significant financial contributions” (of approximately $300-375k per year) between 2014 and 2019 to a non-profit entity affiliated with a physician group that made patient referrals to Dunes. DOJ alleged the financial contributions were made in exchange for patient referrals, as they funded salaries of employees in a position to refer to the physician group and Dunes. Additionally, DOJ alleged that Dunes provided a separate physician group with below fair market value office space, staff, and supplies. DOJ alleged that these payments and arrangements violated the AKS and the Stark Law, and accordingly claims submitted in connection with the arrangements could violate the FCA.

Notably, the defendants were given credit by the government for self-reporting the arrangements, and the “significant steps” the defendants took in doing so, including an internal compliance review, an independent investigation, and providing the government with a detailed written disclosure while also cooperating with the investigation.

This settlement is a reminder of the risk for hospitals and other health care organizations in entering into financial relationships with referral sources, and the need to vet all arrangements closely (including those with affiliated non-profit organizations). Additionally, the settlement and DOJ’s comments accompanying the settlement indicate that it is intended to incentivize cooperation and self-disclosure of potentially unlawful arrangements, and the potential benefits of doing so, in connection with ongoing compliance activities.