What Doesn’t The DFPI Regulate?

In the mid 1990s, I had the privilege of serving as Commissioner of Corporations for the State of California. At that time, the DOC was known as a tough securities regulator. However, the times they were a changin’. In 1996, Congress enacted the National Securities Markets Improvement Act (NSMIA) which significantly limits the authority of the states to require qualification/registration of securities transactions. 
During my tenure, the DOC also regulated health care service plans (aka HMOs and PPOs). Historically, these had been primarily nonprofit organizations and the regulatory concern had been with financial soundness. At the time many of these plans were converting to for profit. At the same time, many people were being moved into a managed care model and there was a great deal of public antipathy towards the managed care industry and the DOC’s oversight of that industry. Several years after I left the DOC, the legislature transferred oversight of managed care organizations to a new department – the Department of Managed Healthcare.
During my years in state government, regulation of state chartered financial institution was trifurcated amongst the DOC, the State Banking Department, and the Department of Savings & Loan (before becoming Commission of Corporations, I served as the interim Savings & Loan Commissioner). A significant change occurred on July 1, 2013, when the DOC and the Department of Financial Institutions (DFI) merged to form the Department of Business Oversight (the DBO). As a result, regulation of state chartered depository financial institutions became centralized in the DFI.
In 2021, the Governor and the legislature made the unfortunate decision to rebrand the DFI with the ungainly moniker of Department of Financial Protection and Innovation (DFPI). Currently the DFPI administers and/or enforces the following:
Banks and Credit Unions

Commercial Banks
Industrial Banks
Public Banks (Assembly Bill 857)
Credit Unions
Trust Companies & Departments

Securities and Investment

Securities (Corporate Securities Law of 1968)
Franchises (Franchise Investment Law)
Capital for Businesses (Capital Access Company Law)
Broker-Dealers & Investment Advisers (Corporate Securities Law of 1968)
Digital Financial Assets (Digital Financial Assets Law)

Non-Bank Financial Services

Money Transmitters
Debt Collectors
Check Sellers, Bill Payers & Proraters
Covered Persons (California Consumer Financial Protection Law )

Lending and Borrowing

Consumer & Commercial Loans (California Financing Law)
Payday Lenders (California Deferred Deposit Transaction Law)
Insurance Premium Finance (California Industrial Loan Law)

Home and Property Financing

Residential Mortgage Lenders & Servicers (California Residential Mortgage Lending Act)
Mortgage Loan Originators (California Financing Law and California Residential Mortgage Lending Act)
 Property Assessed Clean Energy (PACE) (AB 1284 (Chapter 475, Statutes of 2017)

Escrow Agents

Escrow Agents (Escrow Law)

Education Financing

Student Loan Servicers (California Student Loan Servicing Act and subsequent enactments)

Make America Healthy Again: New Executive Order Revisits Group Health Plan Price Transparency

Takeaways

Employers who sponsor group health plans should review and revise, as needed, their consumer-facing pricing information for any compliance issues under the Executive Orders and applicable regulations.

Related Links

Making America Healthy Again with Clear, Accurate, and Actionable Healthcare Pricing Information
Fact Sheet: President Donald J. Trump Announces Actions to Make Healthcare Prices Transparent
Executive Order 13877 – “Improving Price and Quality Transparency in American Healthcare to Put Patients First
45 C.F.R. Sections 147.210-212

Article
On February 25, 2025, President Trump signed “Making America Healthy Again with Clear, Accurate, and Actionable Healthcare Pricing Information,” an Executive Order with the stated purpose of making group health plans and health insurance issuers accountable for compliance with price transparency rules implemented during the first Trump administration.
Specifically, during his first administration, President Trump signed Executive Order 13877 – “Improving Price and Quality Transparency in American Healthcare to Put Patients First,” seeking to address what the new Executive Order describes as “opaque healthcare pricing arrangements” and insufficient accountability concerning healthcare pricing practices. Under Executive Order 13877, regulations were created requiring group health plans to:

Post their negotiated rates with providers;
Post out-of-network payments to providers;
Post the actual prices the plan or its pharmacy benefits manager pays for prescription drugs; and
Maintain a “customer-facing” internet tool through which individuals can access price information. 

The new Executive Order referenced an unidentified 2023 economic analysis that estimated full implementation of the regulations might result in as much as $80 million in healthcare savings by 2025 for consumers, employers, and insurers. An unidentified 2024 report was also referenced for the proposition that price transparency could help employers reduce healthcare costs across 500 common healthcare services.
To address what was described as “stalled” progress on price transparency during the intervening administration, the new Executive Order gave the Secretaries of the Treasury, Labor, and Health and Human Services 90 days to act to:

Instead of estimates, require the disclosure of actual prices of items and services;
Ensure pricing information is standardized and easily comparable across health plans and hospitals by issuing updated guidance or proposed regulations; and
Ensure compliance with transparency requirements by issuing guidance or proposed regulations updating enforcement policies.

HHS Cuts Notice-and-Comment Rulemaking for Some Agency Actions

Health and Human Services (HHS) will no longer use notice-and-comment rulemaking procedures for “matters relating to agency management or personnel or to public property, loans, grants, benefits, or contracts,” according to HHS Secretary Robert F. Kennedy, Jr. The policy statement was published in the Federal Register on March 3, 2025.
Usually, agencies must publish proposed rules or notices in the Federal Register, open a time-limited comment period, review and assess those comments, and then publish a final version. This policy statement rescinds the Department’s 1971 “Policy on Public Participation in Rule Making,” known as the “Richardson Waiver.” According to the statement, “Effective immediately, the Richardson Waiver is rescinded and is no longer the policy of the Department. In accordance with the Administrative Procedure Act (APA), ‘matters relating to agency management or personnel or to public property, loans, grants, benefits, or contracts,’ are exempt from the notice and comment procedures,” except “as otherwise required by law. Agencies and offices of the Department have discretion to apply notice and comment procedures to these matters but are not required to do so, except as otherwise required by law.”
Rescinding the Richardson Waiver means that HHS will no longer follow the notice and comment requirements for certain types of rulemakings unless required by the APA or otherwise required by law. HHS will now be able to make changes related to its programs that provide loans, grants, benefits, or contracts with less public awareness and feedback.

McDermott+ Check-Up: March 7, 2025

THIS WEEK’S DOSE

Government Funding Deadline, Healthcare Program Expirations Approach. Congress has until March 14, 2025, to address government funding, and may also address healthcare extenders.
Senate Finance, HELP Committee Ranking Members Hotline Bipartisan December 2024 Health Package. They seek to pass the bicameral, bipartisan health package negotiated in December 2024 via unanimous consent.
Nomination Hearings Continue. Senate committees held hearings for President Trump’s nominees for Office of Management and Budget deputy director, US Food and Drug Administration commissioner, and National Institutes of Health director.
President Trump Gives Joint Address to Congress. Healthcare was not a focus, but he mentioned Make America Healthy Again initiatives and gender-affirming care.
DOJ Drops Idaho EMTALA Case. After the US Department of Justice (DOJ) dropped out of litigation related to the Emergency Medical Treatment and Active Labor Act (EMTALA), an Idaho health system that had also challenged the state law secured a temporary restraining order to prevent Idaho’s abortion ban from taking effect.

CONGRESS

Government Funding Deadline, Healthcare Program Expirations Approach. Following recent House and Senate passage of their competing budget resolutions, Congress’ attention has now turned to the March 14, 2025, government funding deadline. The most likely course of action is for Congress to pass another continuing resolution (CR), likely through the end of the fiscal year, September 30, 2025. While Republican and Democratic appropriators have been negotiating on final spending bills for 2025, matters have been complicated by the intense political climate that has marked the first months of the new Trump Administration. As a result, House Republicans are likely to bring the next CR to the floor without a formal agreement from Democrats, which may require Speaker Johnson to pass the bill with minimal (if any) Democratic support in the House. In the Senate, where Republicans hold a 53 – 47 majority, Democratic support will be necessary to clear the 60-vote threshold to overcome a filibuster. This situation is fluid, and a government shutdown of some duration cannot be ruled out, although neither party wants to appear responsible for such a shutdown.
The most recent CR also extended several healthcare programs, such as extending Medicare telehealth flexibilities, avoiding cuts to Medicaid disproportionate share hospital payments, and maintaining community health center funding, which are set to expire on March 31, 2025. Other programs expired at the end of 2024. The forthcoming CR is the most likely opportunity for Congress to temporarily extend or reinstate these programs, although the extension would likely be for a short period of time only, as most pay-fors are being saved for use in the budget reconciliation process.
Senate Finance, HELP Committee Ranking Members Hotline Health Package. In related news, Senate Finance Committee Ranking Member Wyden (D-OR) and Senate Health, Education, Labor, and Pensions (HELP) Committee Ranking Member Sanders (I-VT) introduced the bipartisan, bicameral health package negotiated in December 2024 (S. 891, the Bipartisan Health Care Act) and hotlined the bill (i.e., move via unanimous consent unless an objection is noted). This comprehensive package not only addresses the aforementioned health extenders, but also includes pharmacy benefit manager reforms, patent reforms, a limited Medicare site neutral policy, a five-year extension of the hospital at home program, Medicaid home- and community-based services policies, and an offset to the scheduled Medicare physician fee schedule reduction. The package was ultimately left out of the December 2024 CR because of Republican pushback about the overall bill’s size.
Nomination Hearings Continue. The Senate HELP Committee held its nomination hearing for National Institutes of Health (NIH) director nominee Jayanta Bhattacharya, MD, PhD. During the hearing, Democrats focused on how Bhattacharya would approach grant funding cuts, and Republicans’ conversation honed in on the culture at NIH. Bhattacharya emphasized the importance of transparency and NIH’s role in regaining the public’s trust. Chair Cassidy (R-LA) also facilitated discussion about the extent to which the government should encourage focus on research topics that have been extensively studied already, such as the link between vaccines and autism.
The Senate HELP Committee also held a hearing for US Food and Drug Administration (FDA) commissioner nominee Martin Makary, at which members underscored the importance of transparency in FDA processes and the need to rebuild public trust in health and science agencies. Democrats expressed concerns about the cancellation of the annual vaccine advisory committee meeting and emphasized the safety of mifepristone. Republicans stated their disagreement with the FDA’s decision to no longer enforce in-person dispensing for mifepristone. They also stressed the importance of addressing the impact of preservatives and chemicals in food on children’s health.
The Senate Budget Committee held the second nomination hearing for Dan Bishop to serve as deputy director of the Office of Management and Budget. Discussion predominately focused on the Impoundment Control Act, federal workforce cuts, and balancing the budget. Health-related topics included fraudulent payments and Medicaid cuts.
ADMINISTRATION

President Trump Gives Joint Address to Congress. Healthcare was not a focus of the speech; however, President Trump highlighted US Department of Health and Human Services (HHS) Secretary Kennedy’s efforts related to chronic conditions and called on him to determine the cause of the rise in autism cases. President Trump also discussed his executive order on limiting federal funding to institutions that provide gender-affirming care for individuals under 19 years of age and called on Congress to pass a bill criminalizing gender-affirming surgery for minors.
COURTS

DOJ Drops Idaho EMTALA Case. The DOJ announced that it will drop litigation first brought by former President Biden’s DOJ against Idaho’s abortion ban. The Biden administration argued that the ban violated EMTALA because it did not adequately protect the right to an abortion in a medical emergency. However, an Idaho-based health system that had also challenged the ban stepped up in DOJ’s place and secured a temporary restraining order barring the prosecution of providers who provide abortions in medical emergencies in Idaho.
QUICK HITS

CMS Rescinds Guidance on Health Equity. The Centers for Medicare & Medicaid Services (CMS) released a short informational bulletin rescinding previous guidance on health-related social needs. The bulletin stated that CMS will continue to consider states’ applications to cover these services on a case-by-case basis.
HHS Secretary Kennedy Writes Op-Ed on Measles. The op-ed encouraged parents to consult with their providers about the MMR vaccine and touted vitamin A as a treatment to reduce mortality. This comes as a measles outbreak sweeps through Texas and New Mexico, with 198 confirmed cases and two fatalities so far.
CCSQ Releases Memo on Gender-Affirming Care. To further implement the sections of President Trump’s gender-affirming care executive order that remain in effect, the Center for Clinical Standards and Quality (CCSQ) released a memo alerting providers that CCSQ “may begin taking steps in the future to align policy . . . to protect children from harmful, often irreversible mutilation, including sterilization practices.”
HRSA Memo on Gender-Affirming Care. The Health Resources and Services Administration (HRSA) sent a memo similar to the one from CCSQ to “Hospital Administrators, Colleagues and Grant Recipients” that specifically notes review of the Children’s Hospitals Graduate Medical Education Program funding.
CBO Outlines Mandatory Spending, Excluding Medicare, in Energy & Commerce Committee Jurisdiction. In response to a Democratic inquiry, the Congressional Budget Office (CBO) issued a letter highlighting the predominance of Medicaid as a potential source of savings in reconciliation. While the inquiry specifically requested that CBO exclude Medicare from the analysis, the committee has jurisdiction over Medicare, and nothing prevents the committee from considering Medicare savings, including site neutral policies. That said, it makes the point that $880 billion in savings from the committee would most certainly include Medicaid cuts.
Senators Send Letter to CMS About Agency Layoffs. Sens. Wyden (D-OR) and King (I-ME) requested that CMS Acting Administrator Carlton respond with information related to the job functions of laid-off workers.
NIH Issues News Release on Grant Review Process Proposal. The release announces plans to centralize peer review of all applications for grants, cooperative agreements, and research and development contracts within the agency’s Center for Scientific Review. The proposal is now under review with implementation pending external review, which includes review by HHS and OMB, providing Congress with a 15-day notification period, and issuing a Federal Register notice.
HRSA Opens Applications for OPTN Board of Directors. As part of the Organ Procurement and Transplantation Network (OPTN) modernization initiative, HRSA released the application for new members to join the OPTN Board of Directors. Applications are due April 4, 2025.
JCT Clarifies Tax Scoring. There is an ongoing discussion among Congressional Republicans about using a “current policy baseline” for scoring tax cuts in reconciliation, which would mean that extending the 2017 Trump tax cuts would have no score. In a response to an inquiry from Sens. Warren (D-MA), Cortez Masto (D-NV), Warner (D-VA), Bennet (D-CO), and Welch (D-VT), the Joint Committee on Taxation (JCT) clarified that, if Congress utilizes this approach to bring down the score of extending the 2017 tax cuts to $0, then the cost of extending the Affordable Care Act’s advanced premium tax credits would be $0 as well.
MedPAC Hosts March Public Meeting. The Medicare Payment Advisory Commission (MedPAC) agenda included sessions on physician fee schedule updates, beneficiary cost-sharing for outpatient services at critical access hospitals, Medicare insurance agents, Medigap, payment for ground ambulance services, Medicare Advantage utilization, and institutional special needs plans.

NEXT WEEK’S DIAGNOSIS

The House and Senate will be in session next week, and most of their attention will be on a government funding bill ahead of the March 14 deadline. The Senate will continue to advance President Trump’s nominees, including HELP Committee votes on the NIH and FDA nominees, and a HELP Committee hearing for Centers for Disease Control and Prevention director nominee Dave Weldon, MD. Several committees will hold other healthcare hearings, including a House Oversight and Government Reform Government Operations Subcommittee hearing on improper payments and fraud, a Senate Special Committee on Aging hearing on senior loneliness, and a House Ways and Means Health Subcommittee hearing on post-acute care.

Colorado: Proposed Expanded Medical Care Transaction Oversight – What Providers and Investors Need to Know

On March 5, 2025, two Senators and one Representative introduced SB 25-198 (the Bill), designed to enhance transparency in transactions involving health care entities. The Bill seeks to impose notification and reporting requirements on mergers, acquisitions, and affiliations that materially change the ownership, operations, or governance structure of health care entities, long-term care entities, and veterinary care entities.
Legislative Background and Evolution of SB 25-198
The Bill reflects a growing national trend toward heightened scrutiny of health care consolidation and its impact on competition, patient access, and pricing. Before the Bill’s formal introduction, discussions were held between the Attorney General’s Office, Bill sponsors, and various stakeholders from the health care industry. These discussions prompted certain technical changes to the informally circulated draft of the Bill but were largely unsuccessful in derailing its introduction.
Definitions
Health care entities are broadly defined to include any entities that provide services relating to the prevention, cure, or treatment of an illness, injury, condition, or disease, including medical, surgical, chiropractic, hospital, optometric, podiatric, dental, pharmaceutical, ambulance, mental health, substance use disorder, therapeutic, preventive, diagnostic, curative, rehabilitative, and palliative services.
Long-term care entities are defined as any entities that provide services and support to members of all ages with functional limitations and chronic illnesses who need assistance to perform routine daily activities.
Increased Oversight
The Bill would significantly increase regulatory oversight by:

Requiring parties to material change transactions (defined below) to submit a notice to the Attorney General at least 60 days before the transaction’s effective date.
Increasing financial reporting obligations for transactions involving entities having aggregate annual revenue in excess of US$80 million.
Allowing the Attorney General to assess whether a proposed transaction is contrary to the public interest and take action to enjoin or unwind transactions deemed harmful.
Granting the Attorney General authority to convert a transaction review into an antitrust investigation.

Reporting Requirements
The Bill defines a reportable “material change transaction” to include mergers, acquisitions, and certain contractual affiliations that alter ownership, governance, or operational control.
Financial thresholds dictate the levels of notice requirements:

Transactions involving an entity with an average annual revenue of at least US$80 million, or those projected to result in an entity with such revenue, are subject to the most extensive disclosure obligations.
Transactions involving an entity with an average annual revenue of at least US$30 million, or those projected to result in an entity with such revenue, have reduced, but still significant, notice requirements.
Transactions below US$30 million are still subject to basic disclosure obligations.

EPA Reopens Comment Period on Proposed Risk Management Rule for PV29

On March 4, 2025, the U.S. Environmental Protection Agency (EPA) announced that it is reopening the comment period for the January 2025 proposed rule to address the unreasonable risk of injury to human health presented by Color Index (C.I.) Pigment Violet 29 (PV29) under its conditions of use (COU) as documented in EPA’s January 2021 risk evaluation and September 2022 revised risk determination. 90 Fed. Reg. 11142. Comments are due April 29, 2025.
As reported in our January 27, 2025, memorandum, EPA proposes, under Section 6(a) of the Toxic Substances Control Act (TSCA), to:

Require use of assigned protection factor (APF) 50 respirators and equipment and area cleaning to address the risk from inhalation exposure to dry powder PV29 (also referred to as regulated PV29), where dry powder PV29 is expected to be present, for the following COUs:
 

Domestic manufacture;
 
Import;
 
Incorporation into formulation, mixture, or reaction products in paints and coatings;
 
Incorporation into formulation, mixture, or reaction products in plastic and rubber products;
 
Intermediate in the creation or adjustment of color of other perylene pigments;
 
Recycling;
 
Industrial and commercial use in automobile (original equipment manufacturer (OEM) and refinishing) paints and coatings;
 
Industrial and commercial use in coatings and basecoats paints and coatings;
 
Industrial and commercial use in merchant ink for commercial printing; and
 
Disposal.
 

Require manufacturers (including importers), processors, and distributors in commerce of regulated PV29 to provide downstream notification of the requirements.
 
Require recordkeeping.

2025 Picks Up Steam with Increased Scrutiny of Health Care Transactions and Corporate Structures

A new year brings about new legislation.
Given the recent trend of health care transactions coming under increased scrutiny at the state level, EBG has released its map summarizing states that already have laws regulating health care transactions. As legislatures reconvene around the country, there continues to be regulatory scrutiny of health care transactions and private equity investment in health care. Below is a brief summary of recently proposed legislation.
California
On February 12, 2025, the California Senate introduced SB 351, which is remarkably similar to AB 3129, a bill the EBG team wrote about extensively in 2024 and that Governor Gavin Newsom vetoed in September 2024. The proposed legislation has three key components: (i) it adds new defined terms, including “hedge fund” and “private equity group,” in an attempt to capture all parties involved with Management Service Organizations (“MSOs”) and Dental Service Organizations (“DSOs”); (ii) it provides a list of prohibitions for any “private equity group” or “hedge fund” that is “involved in any manner with a physician or dental practice doing business in the state; and (iii) it contains a provision that restates existing California law on restrictive covenants and California’s prohibition on restrictions barring a provider from competing with a practice in the event of termination or resignation. Whether this bill advances and is ultimately signed remains unclear. EBG is actively monitoring this legislation.
Connecticut
Connecticut is no stranger to bills targeting private equity in health care and the 2025 legislative session is no different. Below is a brief summary of the proposed bills:

SB 261 – This bill is intended to “limit the ability for private equity firms to purchase medical care facilities and further protect health care clinicians from the corporate practice of medicine.” The bill would impose restrictions on private equity firms’ ability to lease property back to a hospital after purchasing land rights and would also add restrictions that would prevent any direct or indirect interference with a clinician’s independent practice authority and the exercise of their professional judgment.
SB 469 – This bill is intended to “improve public health in the state” by restricting the acquisition of hospitals by private equity firms, prohibiting hospitals from participating in real estate investment trust and requiring physician-led ownership for medical groups and ambulatory surgical centers.
SB 567 – This bill would expand the authority of the state attorney general (“AG”) and Commissioner of Health Strategy to regulate private equity ownership of certain health care facilities and restrict self-dealing property transactions.
SB 837 – This bill is intended to “promote health care industry competition and better health care quality in the state” by amending Connecticut’s material transaction notification statute by requiring notification of any group practice’s transaction with a private equity company. It also removes the “presumption” in favor of approving certificate of needs applications for the transfer of ownership of a large group practice.
HB 6570 – This bill is aimed at preventing the consolidation of health care services by nonmedical entities and safeguarding patient access to quality health care. It would: (i) prohibit a private equity firm from acquiring ownership or control of a health care provider’s practice or health care facility, and (ii) require the administrator of each health care provider practice and health care facility to disclose the ownership structure of the provider or facility.
HB 6873 – This would strengthen the notice requirements that parties to a material change health care transaction must give to the AG, within 60 days instead of 30. The AG shall review the notice, evaluate the transaction’s compliance with antitrust laws, and, if the transaction would not otherwise require a certificate of need, consult with the Office of Health Strategy regarding the effect of the transaction on access, quality, and affordability of health care in the parties’ primary service areas.

Illinois
SB 1998 – Introduced February 6, 2025, as drafted this bill would amend the Illinois Antitrust Act, which already requires health care facilities or provider organizations to provide notice to the state AG regarding “covered transactions.” These are defined as mergers, acquisitions, or contracting affiliations between two or more health care facilities or provider organizations not previously under common ownership or contracting affiliation. Under the proposed amendment, the Illinois AG must provide written consent to a covered transaction if a private equity group or hedge fund provides any financing. Notably, under the proposed amendment, only notice is required if the transaction does not include private equity or hedge fund financing.
Indiana
In March 2024, Indiana amended its state law, effective July 1, 2024, to require written notice of health care entities’ mergers and acquisitions (see our prior post). The latest bill is HB 1666, which the Indiana House of Representatives passed on February 13, 2025, would remove the existing $10 million threshold and thereby expand reporting requirements to cover any merger or acquisition between an Indiana health care entity and another health care entity. Under the proposed amendment, the notice would be sent to a statutorily created “merger approval board,” which would retain the ability to approve or deny the proposed transaction subject to criteria detailed in HB 1666. In addition to the notice and approval obligation, HB1666 would require health care entities to file annual reports and disclose ownership information to specified state agencies. The bill is currently in the Indiana Senate and is expected to pass in some form.
New Mexico
SB 14 – As drafted this bill, would enact the Health Care Consolidation and Transparency Act, which would provide—with a number of exceptions—oversight of mergers and acquisitions and other transactions involving direct or indirect changes of control or assets of health care entities. As drafted the bill contains notice requirements; would provide for preliminary and comprehensive reviews of proposed transactions by the Office of Superintendent of Insurance; and would require approval, approval with conditions, or disapproval of proposed transactions by that office. The legislation further contains reporting requirements with respect to disclosure of health care entity ownership and control.
New York
In 2023, New York enacted N.Y. Pub. Health Law § 4550-4552 requiring health care entities to submit to the state Department of Health written notice of proposed material transactions, including: (i) the anticipated impact of the material transaction on cost, quality, access, health equity, and competition in the impacted markets; and (ii) any commitments by the health care entity to address anticipated impacts. Governor Kathy Hochul’s 2026 budget proposal (Part S) would amend Section 4552 to strengthen material transactions reporting requirements changing the notice deadline to 60 days before the closing date of the transaction (as opposed to 30).
The amended law would also require a statement as to whether any party to the transaction (including a controlling person or parent company), owns any other health care entity that within the past three years has closed operations, is in the process of closing operations, or has experienced a substantial reduction in services; and a statement as to whether a sale-leaseback agreement, mortgage or lease, or other payments associated with real estate are a component of the proposed transaction.
The department would conduct a preliminary review of all proposed transactions, which may consist of a full cost and market impact review (“CMIR”). If a CMIR is required, the department may require parties to delay the proposed transaction closing until the CMIR is completed, but in no event shall the closing be delayed more than 180 days from the date of the preliminary review of the proposed transaction. Further, parties to a material transaction would be required to notify the department annually—for a five-year period—of factors and metrics to assess the impacts of the transaction.
Notably, under the Governor’s proposed budget, the changes to N.Y. Pub. Health Law § 4550-4552 would not require Department of Health approval for any material transactions but simply notice consistent with the requirements set forth in the proposed amendment.
Oregon
SB 951 –As drafted this bill would prohibit an MSO, an individual who works as an independent contractor with an MSO, or a shareholder, director, officer or employee of an MSO from owning or controlling shares in, serving as a director or officer of, being an employee of, working as an independent contractor with, or otherwise managing, directing the management of or participating in managing a professional medical entity with which the MSO has a contract for services. The current draft of the bill specifies what conduct constitutes ownership or control of a professional medical entity; voids noncompetition agreements, nondisclosure agreements, and nondisparagement agreements between certain business entities and medical professionals, with specified exceptions, and prohibits retaliation.
Texas
HB 2747 – As drafted this bill would require certain health care entities, including providers, facilities, and provider organizations (which includes MSOs) to submit notice of material change transactions to the state AG not less than 90 days before the transaction; and grants the AG authority to conduct certain related studies on health care markets, imposing civil and administrative penalties.
Vermont
H 71 – Relating to health care entity transaction oversight and clinical decision making, as drafted this bill would require health care entities to provide notice to a board and state AG before entering into certain proposed transactions. The board, in consultation with the AG, would review, approve, approve with conditions, or disapprove the proposals. The measure would also: 1) prohibit corporations from practicing medicine or otherwise interfering with health care providers’ professional judgment and clinical decision making, and 2) require public reporting on ownership and control of certain health care entities.
Washington
HB 1881/SB 5704 – This legislation would enhance requirements regarding notice for material changes to the operations and governance structure of participants in the health care marketplace.
SB 5387 – As drafted this bill would generally prohibits the corporate practice of health care by deeming it unlawful for an individual, corporation, partnership, or other entity without a license to practice a health care profession, own a health care practice, employ licensed providers, etc. The current version of the bill sets forth requirements for licensed health care providers establishing and owning a health care practice and limits certain activities of shareholders, directors, or officers of a health care practice; and generally prohibits those without a license from interfering with/controlling the professional judgment or ultimate clinical decisions of a licensed health provider in various settings. It also sets forth conditions constituting unprofessional conduct by license holders.
Massachusetts
HB 5159 – As EBG wrote in January 2025, Massachusetts recently passed a sweeping health care market oversight bill that takes effect April 8, 2025. Among other things, HB 5159 extends the authority of the state’s Health Policy Commission (“HPC”) regarding Notices of Material Change to indirect owners and affiliates of health care providers, such as private equity companies, significant equity investors, MSOs, and health care REITs. The law also broadens the transactions that are subject to the HPC’s Material Change requirements to include: (i) significant expansions in capacity of a provider or provider organization; (ii) transactions involving a significant equity investor resulting in a change of ownership or control of a provider or provider organization; (iii) real estate sale lease-back arrangements and other significant acquisitions, sales, or transfers of assets; and (iv) conversions of a provider or provider organization from a nonprofit to a for-profit. The HPC will be authorized to require the submission of information from significant equity investors.
Notably, legislation has been introduced in the Massachusetts General Court (SD.1910) which seeks to update the months old legislation.

The BR Privacy & Security Download: March 2025

STATE & LOCAL LAWS & REGULATIONS
Virginia Legislature Passes Bill Regulating High-risk AI: The Virginia legislature passed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). Using a similar approach to the Colorado AI Act passed in 2023 and California’s proposed regulations for automated decision-making technology, the Act defines “high-risk AI systems” as AI systems that make consequential decisions, which are decisions that have material legal or similarly significant effects on a consumer’s ability to obtain things such as housing, healthcare services, financial services, access to employment, and education. The Act would require developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would be required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The bill is currently with Virginia Governor Glenn Youngkin, and it is unclear if he will sign it. 
Connecticut Introduces AI Bill: After an effort to pass AI legislation stalled last year in the Connecticut House of Representatives, another AI bill was introduced in the Connecticut Senate in February. SB-2 would establish regulations for the development, integration, and deployment of high-risk AI systems designed to prevent algorithmic discrimination and promote transparency and accountability. SB-2 would specifically regulate high-risk AI systems, defined as AI systems making consequential decisions affecting areas like employment, education, and healthcare. The bill includes similar requirements as the Connecticut AI bill considered in 2024 and would require developers to use reasonable care to prevent algorithmic discrimination and provide documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of high-risk AI systems would be required to implement risk management policies, conduct impact assessments before deployment of high-risk AI systems, disclose AI system use to consumers, and provide opportunities for appeal and correction.
New York Governor Signs Several Privacy Bills: New York Governor Kathy Hochul signed a series of bills expanding compliance obligations for social media platforms, debt collectors who use social media platforms, and dating applications. Senate Bill 895B—effective 180 days after becoming law—requires social media platforms operating in New York to post terms of service explaining how users may flag content they believe violates the platform’s terms. Senate Bill 5703B—effective immediately—prohibits the use of social media platforms for debt collection purposes. Senate Bill 2376B—effective 90 days after becoming law—expands the scope of New York’s identity theft protection law by including in its scope the theft of medical and health insurance information. Finally, Senate Bill 1759B—effective 60 days after becoming law—requires online dating services to notify individuals who were contacted by members who were banned for using a false identity, providing them with specific information to help users prevent being defrauded. Importantly, the New York Health Information Privacy Act, which would significantly expand the obligations of businesses that may collect broadly defined “health information” through their websites, has not yet been signed.
California Reintroduces Bill Requiring Browser-Based Opt-Out Preference Signals: For the second year in a row, the California Legislature has introduced a bill requiring browsers and mobile operating systems to provide a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser or mobile operating system. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with the ability to opt out of the sale or sharing of their personal data, including through an opt-out preference signal. AB 566 would amend the CCPA to ensure that consumers have the ability to do so. AB 566 requires the opt-out preference signal setting to be easy for a reasonable person to locate and configure. The bill further gives the California Privacy Protection Agency (“CPPA”), the agency charged with enforcing the CCPA, the authority to adopt regulations to implement and administer the bill. The CPPA has sponsored AB 566.
Virginia Senate Passes Amendments to Virginia Consumer Protection Act: Virginia’s Senate Bill 1023 (“SB 1023”) amends the Virginia Consumer Data Protection Act by banning the sale of precise geolocation data. The bill defines precise location data as anything that can locate a person within 1,750 feet. Introduced by Democratic State Senator Russet Perry, the bill has garnered bipartisan support in the Virginia Senate, passing with a 35-5 vote on February 4, 2025. Perry stated that the type of data the bill intends to ban has been used to target people in domestic violence and stalking cases, as well as for scams. 
Task Force Publishes Recommendations for Improvement of Colorado AI Act: The Colorado Artificial Intelligence Impact Task Force published its Report of Recommendations for Improvement of the Colorado AI Act. The Act, which was signed into law in May 2024, has faced significant pushback from a broad range of interest groups regarding ambiguity in its definitions, scope, and obligations. The Report is designed to help lawmakers identify and implement amendments to the Act prior to its February 1, 2026, effective date. The Report does not provide substantive recommendations regarding content but instead categorizes topics of potential changes based on how likely they are to receive consensus. The report identified four topics in which consensus “appears achievable with additional time,” four topics where “achieving consensus likely depends on whether and how to implement changes to multiple interconnected sections,” and seven topics facing “firm disagreement on approach where creativity will be needed.” These topics range from key definitions under the Act to the scope of its application and exemptions.
AI Legislation on Kids Privacy and Bias Introduced in California: California Assembly Member Bauer-Kahan introduced yet another California bill targeting Artificial Intelligence (“AI”). The Leading Ethical AI Development for Kids Act (“LEAD Act”) would establish the LEAD for Kids Standards Board in the Government Operations Agency. The Board would then be required to adopt regulations governing—among other things—the criteria for conducting risk assessments for “covered products.” Covered products include an artificial intelligence system that is intended to, or highly likely to, be used by children. The Act would also require covered developers to conduct and submit risk assessments to the board. Finally, the Act would authorize a private right of action for parents and guardians of children to recover actual damages resulting from breaches of the law.

FEDERAL LAWS & REGULATIONS
House Committee Working Group Organized to Discuss Federal Privacy Law: Congressman Brett Guthrie, Chairman of the House Committee on Energy and Commerce (the “Committee”), and Congressman John Joyce, M.D., Vice Chairman of the Committee, announced the establishment of a working group to explore comprehensive data privacy legislation. The working group is made up entirely of Republican members and is the first action in this new Congressional session on comprehensive data privacy legislation. 
Kids Off Social Media Act Advances to Senate Floor: The Senate Commerce Committee advanced the Kids Off Social Media Act. The Act would prohibit social media platforms from allowing children under 13 to create accounts, prohibit platforms from algorithmically recommending content to teens under 17, and require schools to limit social media use on their networks as a condition of receiving certain funding. The Act is facing significant pushback from digital rights groups, including the Electronic Frontier Foundation and the American Civil Liberties Union, which claim that the Act would violate the First Amendment.
Business Groups Oppose Proposed Updates to HIPAA Security Rule: As previously reported, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). See Blank Rome’s Client Alert on the proposed rule. A coalition of business groups, including the College of Healthcare Information Management Executives, America’s Essential Hospitals, American Health Care Association, Association of American Medical Colleges, Federation of American Hospitals, Health Innovation Alliance, Medical Group Management Association and National Center for Assisted Living, have written to President Trump and HHS Secretary Robert F. Kennedy, Jr. opposing the proposed rule. The business groups argue that the proposed rule imposes great financial burdens on the healthcare sector, including on rural hospitals, which would divert attention and funds away from other critical areas. The business groups also argue that the proposed rule contradicts Public Law 116-321, which explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the HIPAA Security Rule, by not addressing or incorporating this legal requirement.
National Artificial Intelligence Advisory Committee Adopts List of 10 AI Priorities: The National Artificial Intelligence Advisory Committee (“NAIC”), which was established under the 2020 National Artificial Intelligence Initiative Act, approved a draft report for the Trump administration with 10 recommendations to address AI policy issues. The recommendations cover AI issues in employment, AI awareness and literacy, and AI in education, science, health, government, and law enforcement, as well as recommendations for empowering small businesses and AI governance and supporting AI innovation in a way that would benefit Americans.
CFPB Acting Director Instructs Agency Staff to Stop Work: Consumer Financial Protection Bureau (“CFPB”) Acting Director Russel Vought instructed agency staff to “stand down” and refrain from doing any work. The communication to CFPB employees followed an instruction to suspend regulatory activities and halt CFPB rulemaking. Vought also suspended CFPB’s supervision and examination activities. This freeze would impact the CFPB’s rule on its oversight of digital payment apps as well as the CFPB’s privacy rule that created a right of data portability for customers of financial institutions.

U.S. LITIGATION
First Washington My Health My Data Lawsuit Filed: Amazon is facing a class action lawsuit alleging violations of Washington’s My Health My Data Act (“MHMDA”), along with federal wiretap laws and state privacy laws. The suit is the first one brought under MHMDA’s private right of action and centers on Amazon’s software development kit (“SDK”) embedded in third-party mobile apps. The plaintiff’s complaint alleges Amazon collected location data of users without their consent for targeted advertising. The complaint also alleges that the SDK collected time-stamped location data, mobile advertising IDs, and other information that could reveal sensitive health details. According to the lawsuit, this data could expose insights into a user’s health status, such as visits to healthcare facilities or health behaviors, without users knowing Amazon was also obtaining and monetizing this data. The lawsuit seeks injunctive relief, damages, and disgorgement of profits related to the alleged unlawful behavior. The outcome could clarify how broadly courts interpret “consumer health data” under the MHMDA.
NetChoice Files Lawsuit to Challenge Maryland Age-Appropriate Design Act: NetChoice—a tech industry group—filed a complaint in federal court in Maryland challenging the Maryland Age-Appropriate Design Code Act as violating the First Amendment. The Act was signed into law in May and became effective in October 2024. It requires online services that are likely to be accessed by children under the age of 18 to provide enhanced safeguards for, and limit the collection of data from, minors. In its Complaint, NetChoice alleges that the Act will not meaningfully improve online safety and will burden online platforms with the “impossible choice” of either proactively censoring categories of constitutionally protected speech or implementing privacy-invasive age verification systems that create serious cybersecurity risks. NetChoice has been active in challenging similar Acts across the country, including in California, where it has successfully delayed the implementation of the eponymous California Age-Appropriate Design Code Act.
Kochava Settles Privacy Class Action; Unable to Dismiss FTC Lawsuit: Kochava Inc. (“Kochava”), a mobile app analytics provider and data broker, has settled the class action lawsuits alleging Kochava collected and sold precise geolocation data of consumers that originated from mobile applications. The settlement requires Kochava to pay damages of up to $17,500 for the lead plaintiffs and attorneys’ fees of up to $1.5 million. Among other changes to its privacy practices Kochava must make, the settlement requires Kochava to implement a feature aimed at blocking the sharing or use of raw location data associated with health care facilities, schools, jails, and other sensitive venues. Relatedly, U.S. District Judge B. Lynn Winmill of the District of Idaho denied Kochava’s motion to dismiss the lawsuit brought by the Federal Trade Commission (“FTC”) for Kochava’s alleged violations of Section 5 of the FTC Act. The FTC alleges that Kochava’s data practices are unfair and deceptive under Section 5 of the FTC Act, as it sells the sensitive personal information collected through its Mobile Advertising ID system (“MAIDs”) to its customers, providing customers a “360-degree perspective” on consumers’ behavior through subscriptions to its data feeds, without the consumer’s knowledge or consent. In the order denying Kochava’s motion to dismiss, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the “FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.”
Texas District Court Blocks Enforcement of Texas SCOPE Act: The U.S. District Court for the Western District of Texas (“Texas District Court”) granted a preliminary injunction blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act (“SCOPE Act”). The SCOPE Act requires digital service providers to protect children under 18 from harmful content and data collection practices. In Students Engaged in Advancing Texas v. Paxton, plaintiffs sued the Texas Attorney General to block enforcement of the SCOPE Act, arguing the law is an unconstitutional restriction of free speech. The Texas District Court ruled that the SCOPE Act is a content-based statute subject to strict scrutiny, and that with respect to certain of the SCOPE Act’s monitoring-and-filtering, targeted advertising and content monitoring and age-verification requirements, the law’s restrictions on speech failed strict scrutiny and should be facially invalidated. Accordingly, the Texas District Court issued a preliminary injunction halting the enforcement of such provisions. The remaining provisions of the law remain in effect.
California Attorney General Agrees to Narrowing of Its Social Media Law: The California Attorney General has agreed to not enforce certain parts of AB 587, now codified in the Business & Professions Code, sections 22675-22681, which set forth content moderation requirements for social media platforms (the “Social Media Law”). X Corp. (“X”) filed suit against the California Attorney General, alleging that the Social Media Law was unconstitutional, censoring speech based on what the state sees as objectionable. While the U.S. District Court for the Eastern District of California (“California District Court”) initially denied X’s request for a preliminary injunction to block the California Attorney General from enforcing the Social Media Law, the Ninth Circuit overturned that decision, holding that certain provisions of the law regarding extreme content failed the strict-scrutiny test for content-based restrictions on speech, violating the First Amendment. X and the California Attorney General have asked the California District Court to enter a final judgment based on the Ninth Circuit decision. The California Attorney General has also agreed to pay $345,576 in attorney fees and costs.

U.S. ENFORCEMENT
Arkansas Attorney General Sues Automaker over Data Privacy Practices: Arkansas Attorney General Tim Griffin announced that his office filed a lawsuit against General Motors (“GM”) and its subsidiary OnStar for allegedly deceiving Arkansans and selling data collected through OnStar from more than 100,000 Arkansas drivers’ vehicles to third parties, who then sold the data to insurance companies that used the data to deny insurance coverage and increase rates. The lawsuit alleges that GM advertised OnStar as offering the benefits of better driving, safety, and operability of its vehicles, but violated the Arkansas Deceptive Trade Practices Act by misleading consumers about how driving data was used. The lawsuit was filed in the Circuit Court of Phillips County, Arkansas.
Healthcare Companies Settle FCA Claims over Cybersecurity Requirements: Health Net and its parent company, Centene Corp. (collectively, “Health Net”), have settled with the United States Department of Justice (“DOJ”) for allegations that Health Net falsely certified compliance with cybersecurity requirements under a U.S. Department of Defense contract. Health Net had contracted with the Defense Health Agency of the U.S. Department of Defense (“DHA”) to provide managed healthcare support services for DHA’s TRICARE health benefits program. The DOJ alleged that Health Net failed to comply with its contractual obligations to implement and maintain certain federal cybersecurity and privacy controls. The DOJ alleged that Health Net violated the False Claims Act by falsely stating its compliance in related annual certifications to the DHA. The DOJ further alleged that Health Net ignored reports from internal and third-party auditors about cybersecurity risks on its systems and networks. Under the settlement, Health Net must pay the DOJ and DHA $11.25 million.
Eyewear Provider Fined $1.5M for HIPAA Violations: The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) imposed a $1,500,000 civil money penalty against Warby Parker for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The penalty resulted from a cyberattack involving unauthorized access to customer accounts, affecting nearly 200,000 individuals. An OCR investigation resulted from a 2018 security incident. Between September 25, 2018, and November 30, 2018, third parties accessed customer accounts using usernames and passwords obtained from breaches of other websites, a method known as “credential stuffing.” The compromised data included names, addresses, email addresses, payment card information, and eyewear prescriptions. OCR found that Warby Parker failed to conduct an accurate risk analysis, implement sufficient security measures, and regularly review information system activity.
CPPA Finalizes Sixth Data Broker Registration Enforcement Action: The California Privacy Protection Agency announced that it is seeking a $46,000 penalty against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker, for allegedly failing to register and pay an annual fee as required by the California Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. This action comes following a 2024 data breach in which National Public Data reportedly exposed 2.9 billion records, including names and Social Security Numbers. This is the sixth action taken by the CPPA against data brokers, with the first five actions resulting in settlements.

INTERNATIONAL LAWS & REGULATIONS
First EU AI Act Provisions Become Effective; Guidelines on Prohibited AI Adopted: The first EU AI Act (the “Act”) provisions to become effective came into force on February 2, 2025. The Act’s provisions prohibiting certain types of AI systems deemed to pose an unacceptable risk and rules on AI literacy are now applicable in the EU. Prohibited AI systems are those that present unacceptable risks to the fundamental rights and freedoms of individuals and include social scoring for public and private purposes, exploitation of vulnerable individuals with subliminal techniques, biometric categorization of natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation, and emotion recognition in the workplace and education institutions, unless for medical or safety reasons, among other uses. The new AI literacy obligations will require organizations to put in place robust AI training programs to ensure a sufficient level of AI literacy for their staff and other persons working with AI systems. Certain obligations related to general-purpose AI models will become effective August 2, 2025. Most other obligations under the Act will become effective August 2, 2026.
UK Introduces AI Cyber Code of Practice: The UK government has introduced a voluntary Code of Practice to address cybersecurity risks in AI systems, with the aim of establishing a global standard via the European Telecommunications Standards Institute (“ETSI”). This code is deemed necessary due to the unique security risks associated with AI, such as data poisoning and prompt injection. It offers baseline security requirements for stakeholders in the AI supply chain, emphasizing secure design, development, deployment, maintenance, and end-of-life. The Code of Practice is intended as an addendum to the Software Code of Practice. It provides guidelines for developers, system operators, data custodians, end-users, and affected entities involved in AI systems. Principles within the code include raising awareness of AI security threats, designing AI systems for security, evaluating and managing risks, and enabling human responsibility for AI systems. The code also emphasizes the importance of documenting data, models, and prompts, as well as conducting appropriate testing and evaluation.
CJEU Issues Opinion on Pseudonymized Data: The Court of Justice of the European Union (“CJEU”) issued a decision in a case involving an appeal by the European Data Protection Supervisor (“EDPS”) against a General Court decision that annulled the EDPS’s decision regarding the processing of personal data by the Single Resolution Board (“SRB”) during the resolution of Banco Popular Español SA during insolvency proceedings. The case reviewed whether data transmitted by the SRB to Deloitte constituted personal data. Personal data consisted of comments from parties interested in the proceedings that had been pseudonymized by assigning a random alphanumeric code, as well as aggregated and filtered, so that individual comments could not be distinguished within specific commentary themes. Deloitte did not have access to the codes or the original database. The court held that the data was personal data in the hands of the SRB. However, the court ruled that the EDPS was incorrect in determining that the pseudonymized data was personal data to Deloitte without analyzing whether it was reasonably possible that Deloitte could identify individuals from the data. As a takeaway, the CJEU left open the possibility that pseudonymized data could be organized and protected in such a way as to remove any reasonable possibility of re-identification with respect to a particular party, resulting in the data not constituting personal data under the GDPR.
European Commission Withdraws AI Liability Directive from Consideration; European Parliament Committee Votes to Press On: The European Commission announced it plans to withdraw the proposed EU AI Liability Directive, a draft legislation for addressing harms caused by artificial intelligence. The decision was announced in the Commission’s 2025 Work Program stating that there is no foreseeable agreement on the legislation. However, the proposed legislation has not yet been officially withdrawn. Despite the announcement, members of the European Parliament on the body’s Internal Market and Consumer Protection Committee voted to keep working on liability rules for artificial intelligence products. It remains to be seen whether the European Parliament and the EU Council can make continued progress in negotiating the proposal in the coming year.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.

Warby Parker Settles Data Breach Case with OCR for $1.5M

Eyeglass manufacturer and retailer Warby Parker recently settled a 2018 data breach investigation by the Office for Civil Rights (OCR) for $1.5 million. According to OCR’s press release, Warby Parker self-reported that between September and November of 2018, unauthorized third parties had access to customer accounts following a credential stuffing attack. The names, mailing and email addresses, payment card information, and prescription information of 197,986 patients was compromised.
Following the OCR’s investigation, it alleged three violations of the HIPAA Security Rule, “including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.” The settlement reiterates the importance of conducting an annual security risk assessment and implementing a risk management program.

First Circuit Adopts But-For Causation Standard for Kickback-Premised False Claims Act Actions

On 18 February 2025, the First Circuit Court of Appeals issued its decision in United States v. Regeneron Pharmaceuticals, Inc., determining that “but-for” causation is the proper standard for False Claims Act (FCA) actions premised on kickback and referral schemes under the Anti-Kickback Statute (AKS). This issue has divided circuits in recent years, with the Third Circuit requiring merely some causal connection, and the Sixth Circuit and Eighth Circuit requiring the more defendant-friendly proof of but-for causation between an alleged kickback and a claim submitted to the government for payment. 
This issue has major implications for healthcare providers, pharmaceutical manufacturers, and other entities operating in the healthcare environment. Both the government and qui tam relators have frequently brought FCA actions premised on alleged kickback schemes, and these actions pose significant potential liability. A higher but-for standard for proving causation represents a key tool for FCA defendants to defend against such actions. There is a good chance that the government petitions the US Supreme Court to review the First Circuit’s decision, and, given the growing split, there is certainly a possibility that this becomes the next issue in FCA jurisprudence that finds itself before the high court. 
Background on AKS-Premised FCA Actions and the Growing Circuit Split
To establish falsity in an AKS-premised FCA action, a plaintiff has historically needed to show that the defendant (1) knowingly and willfully, (2) offered or paid remuneration, (3) to induce the purchase or ordering of products or items for which payment may be made under a federal healthcare program. In 2010, Congress added the following language to the AKS at 42 U.S.C. § 1320a-7b(g): “a claim that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of [the FCA].” (Emphasis added). Courts have generally agreed that the AKS, therefore, imposes an additional causation requirement for FCA claims premised on AKS violations. However, courts have been divided on how to define “resulting from” and the applicable standard for proving causation.
In 2018, the Third Circuit was faced with this issue and explicitly declined to adopt a but-for causation standard. Relying on the legislative history, the Third Circuit determined that a defendant must demonstrate “some connection” between a kickback and a subsequent reimbursement claim to prove causation. 
Four years later, the Eighth Circuit declined to follow the Third Circuit and instead adopted a heightened but-for standard based on its interpretation of the statute. The court noted that the US Supreme Court had previously interpreted the nearly identical phrase “results from” in the Controlled Substances Act to require but-for causation. In April 2023, the Sixth Circuit joined the circuit split, siding with the Eighth Circuit and adopting a but-for causation standard. 
Eyes Turn Toward the First Circuit
In mid-2023, two judges in the US District Court for the District of Massachusetts ruled on this causation issue as it related to two different co-pay arrangements, landing on opposite sides of the split. In the first decision, United States v. Teva Pharmaceuticals USA, Inc., the district court adopted the Third Circuit’s “some connection” standard. The court indicated it was following a prior First Circuit decision—Guilfoile v. Shields—though Guilfoile had only addressed the question of whether a plaintiff had adequately pled an FCA retaliation claim, as opposed to an FCA violation. In the second decision, Regeneron, the district court declined to follow Guilfoile (given Guilfoile dealt with the requirements for pleading an FCA retaliation claim); instead, the district court in Regeneron followed the Sixth Circuit and Eighth Circuit in applying a but-for standard. These dueling decisions set the stage for the First Circuit to weigh in on the circuit split.
First Circuit Adopts But-For Standard 
On 18 February 2025, the First Circuit issued its opinion in Regeneron, affirming the district court’s decision and following the Sixth Circuit and Eighth Circuit in adopting a but-for standard. The court first determined that Guilfoile neither guided nor controlled the meaning of the phrase “resulting from” under the AKS. Turning to an interpretation of the statute, the First Circuit noted that “resulting from” will generally require but-for causation, but the court may deviate from that general rule if the statute provides “textual or contextual indications” for doing so. After a thorough analysis of the textual language and its legislative history, the First Circuit concluded that nothing warranted deviation from interpreting “resulting from” to require but-for causation. The court also rejected the government’s contention that requiring proof of but-for causation would be such a burden to FCA plaintiffs that the 2010 amendments to the AKS would have no practical effect.
Notably, the First Circuit made clear that its decision was limited to FCA actions premised on AKS violations under the 2010 amendments to the AKS. The court distinguished such actions from FCA actions premised on false certifications, where a plaintiff asserts that an FCA defendant has falsely represented its AKS compliance in certifications submitted to the government.
Takeaways

The growing confusion and disagreement among district and circuit courts over this issue, coupled with the issue’s import to FCA jurisprudence, creates the potential that this could be the next FCA issue decided by the US Supreme Court.
Until this split is resolved, FCA practitioners must pay close attention to the choice of venue for AKS-premised FCA actions.
But-for causation presents an important tool for FCA defendants in AKS-premised FCA actions. But-for causation may allow a defendant to argue that even if it had acted with an intent to induce referrals, no actual referrals resulted from the conduct, which would allow a defendant to avoid FCA liability altogether. Alternatively, but-for causation may allow a defendant to argue that FCA damages are lower than the total referrals made where the plaintiff is unable to prove all referrals “resulted from” the improper arrangement.
While this is a significant win for FCA defendants, its impact may be somewhat limited for FCA actions that are not premised on AKS violations. It also remains to be seen whether the government and relators will begin bringing FCA actions premised on alleged false certifications of compliance with the AKS (rather than solely relying on an alleged AKS violation itself).

The firm’s Federal, State, and Local False Claims Act practice group practitioners will continue to closely monitor developments on this issue, and we are able to assist entities operating in the healthcare environment that are dealing with AKS-premised FCA actions.

Nonprofit Health Care Mergers – Introduction: With Complexity Comes Opportunity

In the evolving health care landscape, mergers between nonprofit health care organizations are becoming increasingly common. Mergers are often driven by a combination of economic factors, the need to improve quality and efficiency of care, and the desire to create value for patients and communities. As the first post in our nonprofit merger series, we will explore why nonprofit health care entities may consider a merger, analyze the economic pressures influencing such decisions, and discuss the structures of nonprofit transactions, including the differences between member substitutions and true mergers. Forthcoming posts in this series will examine the unique due diligence concerns, regulatory approvals, and financing arrangements involved in nonprofit health care mergers.
The Economic Drivers of Nonprofit Health Care Mergers
1. Cost Efficiency and Scale Economies
It is not unusual to find multiple nonprofit health care organizations serving the same or similar patient community in a given market or region. Although competition within a for-profit industry may be seen as beneficial for consumers, most nonprofit health care organizations are competing for the same sources of government funding and/or charitable donations for their capital needs, which can weaken or inhibit the impact of their work both individually and in the aggregate.
As a result, overlapping nonprofits may realize significant economies of scale and make a substantially greater impact by joining forces and centralizing their efforts through a merger. By combining their operations, two organizations can reduce duplicative costs in areas such as administration, technology, and supply chain management. For example, by consolidating back-office functions such as human resources, billing, and procurement, a merged entity can lower its operational expenses and redirect those savings into improving patient care and expanding services. For smaller entities in particular, the cost of implementing advanced medical technology or transitioning to new electronic health record (EHR) systems can be prohibitive. By merging, organizations may be better equipped to absorb these costs and ensure their long-term financial sustainability.
2. Increased Bargaining Power with Payers and Third Parties
Another economic factor is the increased leverage that a larger health care organization has when negotiating with insurance companies and other payors. Together, a merged organization can exercise more market power and negotiate better reimbursement rates than any of the parties could on their own. Higher reimbursement can significantly improve the financial outlook for a nonprofit health care organization, which must carefully balance its mission with its financial health. Before proceeding with a merger, the parties will often engage a third-party consultant to analyze their current payor arrangements and identify opportunities for improvement.
3. Access to Capital
Nonprofit health care organizations, unlike their for-profit counterparts, do not have access to equity markets to raise capital. Mergers can offer a solution to this challenge. By merging, two organizations can improve their creditworthiness, making it easier to obtain loans and other forms of debt financing for future expansion, facility improvements, or technology upgrades. This is particularly important as health care organizations seek to invest in value-based care models that require significant upfront investment in care coordination, population health management, and IT infrastructure. Lending arrangements for nonprofits are typically quite challenging due to concerns about maintaining tax status, use of funds, and restrictions associated with both. It is not uncommon for organizations to restructure their lending arrangements and partners during a merger process or immediately thereafter.
Improving Delivery of Care
1. Enhancing Quality of Care
One of the key motivations for a nonprofit merger is to improve quality and continuity of care. Smaller health care organizations, particularly those in rural areas, may struggle to provide specialized services or maintain high clinical practice standards due to more limited resources. A merger allows the parties to pool their resources and share best practices to build a more efficient and effective care delivery system, thereby improving patient outcomes and practitioner recruitment efforts.
Additionally, mergers can help organizations streamline care pathways. For instance, a health care system with multiple facilities may create better-integrated care models, improving coordination between primary care, specialty care, and hospital services. This enhances patient outcomes by reducing duplication of services, minimizing delays in care, and ensuring that patients receive the appropriate care in the most efficient setting.
2. Expanding Access to Care
For many nonprofit health care organizations, expanding access to care — especially for underserved populations — is a central part of their mission. Mergers can help organizations achieve this goal by expanding their geographic reach and the range of services that they can provide. For example, a small community hospital may merge with a larger regional health system to provide its patients with access to specialized services that were previously unavailable locally, such as oncology or cardiology.
Furthermore, mergers may enable organizations to better address social determinants of health, which is increasingly recognized as critical to improving population health. For example, a Federally Qualified Health Center (FQHC) with a strong primary care practice may consider merging with a nonprofit community-based behavior health clinic to create an integrated preventative care network specific to the medical and behavioral health needs of its community. The larger, more financially stable merged organization may then be able to invest additional resources in community health initiatives, such as housing support and food security programs.
3. Investing in Innovation
Health care providers, and particularly nonprofits, may find it difficult to keep up with the rapid pace of innovation in the health care sector. Merged organizations are often better positioned to invest in these innovations, particularly in areas like telemedicine, data analytics, precision medicine, and value-based care models. By combining resources and patient base data, nonprofit health care organizations can become more responsive to the health care needs of their patient community, contributing to improved clinical outcomes and, in turn, a more financially stable future.
Value Creation Beyond Economics and Care Delivery
1. Mission Alignment
Nonprofit health care organizations are mission-driven, with the goal of serving their communities and improving health outcomes. When two nonprofit organizations merge, they typically seek to align their missions and values. This alignment is essential for ensuring the new entity remains focused on its core objective — whether that is serving a particular patient population, improving community health, or promoting medical research and education.
This often creates a situation where the two parties to the proposed merger are forced to negotiate a revised set of bylaws better suited for the combined entity post-closing. Important in this negotiation is understanding the terms around board structure, committees, executive officers, and general governance post-closing. It is not uncommon to see an expanded board or some combination of the two boards along with a realignment in officer positions. This is often an area of significant negotiation during the merger process.
2. Organizational Culture and Leadership Stability
In the nonprofit health care sector, where mission and values are paramount, ensuring that the two organizations’ cultures are compatible is essential. A well-executed merger offers a unique opportunity to bring fresh perspectives into leadership while preserving and building upon the parties’ existing strengths. By integrating their boards and leadership teams, merged organizations may foster the environment for more innovative and effective strategies for fulfilling a unified mission.
Structures of Nonprofit Health Care Transactions
Nonprofit health care mergers utilize unique transaction structures, primarily because they do not have shareholders and are organized for charitable purposes. Two common structures for combining nonprofit health care organizations include a member substitution and a true merger per state law.
1. Member Substitution
In a member substitution transaction, one nonprofit organization becomes the controlling member of another nonprofit without the two organizations dissolving or fully integrating into a single entity. The sole member (usually the parent organization) gains the authority to appoint the board members of the other organization and effectively controls its governance and operations. Note that a member substitution may not be viable in some states where nonprofit entities are not required or permitted to have members.

Benefits: Member substitution is often viewed as a less disruptive approach compared to a true merger. With a member substitution, the controlled entity retains its legal identity, which can help preserve relationships with donors, the community, and key stakeholders. This structure can also be advantageous for organizations wanting to maintain some degree of autonomy, particularly if they have a strong local presence or identity. Also important is that this structure still maintains separation of liabilities between each entity, i.e., liabilities of the nonprofit relinquishing control do not become the liabilities of the controlling member. A merger between a large health system and a smaller, local hospital may elect this structure in order to minimize disruption to the controlled entity’s local operations.
Challenges: The drawback of a member substitution is that it may not achieve the full benefits of integration, such as cost savings or streamlined operations. There may also be governance challenges if the controlled entity’s leadership or board resists the level of oversight imposed by the parent organization. Administratively, a member substitution can also be challenging because of the multiple levels of board governance.

2. True Merger
In a true merger, two or more nonprofit health care organizations combine into a single legal entity. The merged organization typically has a unified governance structure, leadership team, and operational model. This type of merger represents full integration and can provide the most significant opportunities for cost savings, operational efficiencies, and strategic growth.

Benefits: A true merger allows for complete consolidation of assets, liabilities, and operations. The merged organization can realize the maximum potential for economies of scale, enhanced bargaining power, and operational integration. Additionally, a true merger simplifies governance by creating a single board of directors and a unified executive leadership team.
Challenges: A true merger is more complex and may require regulatory approvals, including from the state attorney general or other regulatory bodies overseeing nonprofit or health care entities. The process can be time-consuming and may involve significant costs associated with legal, financial, and operational integration. A true merger also means that the surviving entity inherits the liabilities of the merged entity, which can result in unforeseen liability and risks for the surviving entity.

Conclusion
Mergers among nonprofit health care organizations are driven by a combination of economic pressures, the need to improve care delivery, and the desire to create long-term value for patients and communities. Whether through a member substitution or a true merger, these transactions can help organizations achieve financial stability, enhance quality of care, and expand access to services. However, nonprofit mergers require careful planning, particularly around governance, cultural integration, and mission alignment, to ensure that the merged organization remains focused on its charitable objectives and continues to serve its community effectively.
For nonprofit health care organizations considering a merger, it is essential to weigh both the financial and operational benefits, as well as the impact on the mission, before moving forward. With the right strategic approach, a merger can both strengthen the financial position of the parties and enhance their ability to serve their patients and communities.

How PPM Health Plans Can Solve the MEWA Problem

While a physician practice management (PPM) structure allows for compliance with corporate practice of medicine laws and ease of administration, it often creates inadvertent health plan issues that should be navigated carefully to avoid compliance issues and/or difficulties with selling PPM entities.

In Depth

MEWA PROBLEM
The PPM structure helpfully allows physicians to focus on the clinical practice of medicine through a physician practice professional corporation (PC), while outsourcing the business of the practice of medicine to a management services organization (MSO, which, together with the PC, is referred to as the PPM). Ideally, employees of the MSO and employees of each PC associated with the PPM structure could be combined and covered under a single group health plan to allow for experience rating of a larger group of employees, which leads to cost savings for the PPM structure and all employees, and simplifies the offering of healthcare coverage administration.
Because the MSO and the PC under the PPM structure typically do not have adequate common ownership – purposefully so to ensure the PPM structure complies with the corporate practice of medicine rules – allowing the PC and MSO entities to participate in the same health plan can create health plan compliance concerns, such as a multiple employer welfare arrangement (MEWA). It is preferable to avoid creation of a MEWA, as MEWA requirements can be burdensome and prohibitive, including exposure to state laws (some of which outlaw self-funded MEWAs) and extensive reporting requirements to certain states and the US Department of Labor. As a result, having a MEWA can result in state and/or federal penalties and the structure presents significant complications when it comes to selling the PPM to a third party.
MEWA ALTERNATIVES
All, however, is not lost. Rather than separately purchasing commercially available group health insurance (e.g., in the small group market, which is expensive and lacking in transparency), MSOs and PCs have several other options to provide group health plan coverage and avoid or accommodate being a MEWA. These include the following:

The MSO and PCs establish “mirror plans,” where each entity maintains a self-funded group health plan but stop-loss insurance may be pooled among entities. Alternatively, the MSO and PCs may use a group captive medical stop-loss structure to manage risk associated with stop-loss insurance for self-funded plans.
The MSO and PCs establish separate “level-funded” plans, where the MSO and PCs establish and maintain their own self-funded group health plans.
The MSO and PCs purchase fully insured group health coverage that is underwritten as a single, large group through a professional employer organization (PEO). While this usually in fact creates a MEWA, MEWA compliance is the responsibility of the PEO provider not the PPM structure.