EnforceMintz — Novel Criminal Charges and Emerging Civil Trends from Opioid Enforcement in 2024
In past years we have discussed how opioid-related enforcement efforts have remained a top federal and state priority (here, here, and here). In 2024, opioid-related enforcement efforts continued across the entire opioid supply chain, and two themes dominated the most significant opioid cases and resolutions of 2024. First, two major settlements from the past year highlight examples of allegations that crossed a line, prompting the government to pursue criminal charges. Second, a number of recent cases against pharmacies involve a common theory of liability based on the Controlled Substances Act (CSA), which served as the basis for civil liability under the False Claims Act (FCA).
Opioid-Related Criminal Resolutions
In February 2024, Endo, a pharmaceutical manufacturer that previously filed for bankruptcy, reached a global resolution of various criminal and civil investigations into the company’s sales and marketing of opioid drugs. The company agreed to pay the government $464.9 million over 10 years (though the actual total payment amount will likely be much lower due to bankruptcy).
To resolve the criminal investigation, Endo agreed to plead guilty to a one-count misdemeanor charge for violations of the federal Food, Drug, and Cosmetic Act (FDCA). That charge related to the company’s marketing of the drug’s purported abuse deterrence, tamper-resistant, or crush-resistant properties to prescribers, despite a lack of supporting clinical data. In the plea agreement, the company admitted responsibility for misbranding its opioid drug by marketing the drug with a label that failed to include adequate directions for its claimed abuse deterrence use, in violation of the FDCA.
More recently, in December 2024, McKinsey & Company, a worldwide management consulting firm, agreed to pay $650 million to resolve criminal and civil investigations related to the firm’s consulting work for Purdue Pharma, the maker of OxyContin. As noted in the government’s press release, the McKinsey resolution was the first time a management consulting firm has been held criminally responsible for its advice resulting in a client’s criminal conduct.
The two-count criminal charging document accused McKinsey of conspiring to misbrand a controlled substance and obstruction of justice. The conspiracy charge related to McKinsey’s work to “turbocharge” OxyContin sales by targeting high-volume opioid prescribers. The obstruction charge arose from the alleged deletion by a senior partner of certain documents related to the company’s work for Purdue. To resolve those charges, McKinsey entered into a five-year deferred prosecution agreement (DPA). Under the DPA, McKinsey agreed not to do any consulting work related to the marketing, sale, or distribution of controlled substances and agreed to implement significant changes to its compliance program. Separately, the former McKinsey senior partner who allegedly destroyed records relating to the company’s work for Purdue was charged with obstruction of justice and agreed to plead guilty to that charge.
These two resolutions are relevant to all entities in the opioid supply chain, from manufacturers to consultants and all stakeholders in between. Sales and marketing practices, or abuse deterrence claims or practices targeting prescribers based on volume, can lead to both civil liability and potential criminal exposure.
Pharmacies Face Potential FCA Liability Based on CSA Violations
On the civil side, three opioid enforcement actions were particularly noteworthy. Three years ago, we highlighted some of the first pharmacy-related resolutions, which showed that pharmacies were “next in line” for opioid-related enforcement. In 2024, two substantial settlements involved alleged CSA violations giving rise to FCA liability. A third FCA lawsuit filed in December 2024 against the nation’s largest pharmacy shows that this trend will likely continue in 2025 and beyond.
In July 2024, Rite Aid and its affiliates agreed to settle allegations brought by the government related to its opioid dispensing practices. Rite Aid had previously filed for bankruptcy, so the settlement agreement involved a payment of $7.5 million, plus a general unsecured claim of $401.8 million in the bankruptcy case.
The government alleged that Rite Aid pharmacists dispensed unlawful prescriptions and failed to investigate “red flags” before dispensing opioid prescriptions, then improperly submitted claims to the government for reimbursement of those prescriptions. The government alleged that the company dispensed unlawful prescriptions by (1) filling so-called “trinity” prescriptions, which are a combination of opioid, benzodiazepine, and muscle relaxants; (2) filling excessive quantities of opioid prescriptions; and (3) filling prescriptions written by prescribers previously identified as suspicious by pharmacists.
Similarly, in December 2024, Food City, a regional grocery store and pharmacy based in Virginia, agreed to pay $8.48 million to resolve allegations that it dispensed opioids and other controlled substances in violation of the CSA and the FCA. Like the Rite Aid case, the government alleged that these prescriptions were medically unnecessary, lacked a legitimate medical purpose, or were not dispensed pursuant to valid prescriptions. The government alleged that Food City ignored “red flags” including, among other things, (1) prescribers who wrote unusually large opioid prescriptions; (2) early refills of opioids; (3) prescriptions for unusual quantities or combinations of opioids; and (4) patients who were filling prescriptions for someone else, driving long distances to fill prescriptions, or paying cash for prescriptions.
Also in December 2024, the Department of Justice announced that it had intervened in a nationwide lawsuit alleging that CVS Pharmacy filled unlawful prescriptions in violation of the CSA and sought reimbursement for those prescriptions in violation of the FCA. The lawsuit is currently pending. The theory of liability asserted against CVS is similar to the Rite Aid and Food City cases: CVS allegedly filled unlawful prescriptions, ignored “red flags” of abuse and diversion, and sought reimbursement from federal health care programs for unlawful prescriptions in violation of the FCA.
Under the CSA and applicable regulations, pharmacists dispensing controlled substances, like opioids, have a “corresponding responsibility” to ensure that the prescription was issued for a legitimate medical purpose. 21 C.F.R. § 1306.04(a). Exercising that corresponding responsibility requires identifying and resolving “red flags” before filling a prescription. There is no defined list of what the government deems to constitute “red flags” and determining the existence of red flags is often context dependent. Because FCA lawsuits based on alleged CSA violations appear to be a growing trend, these three cases provide helpful guidance for companies seeking to mitigate risk by implementing corporate compliance programs designed to identify and resolve “red flags” related to opioid prescriptions.
California AG Issues AI-Related Legal Guidelines for Developers and Healthcare Entities
The California Attorney General published two legal advisories this week:
Legal Advisory on the Application of Existing California Laws to Artificial Intelligence
Legal Advisory on the Application of Existing California Law to Artificial Intelligence in Healthcare
These advisories seek to remind businesses of consumer rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA), and to advise developers who create, sell, or use artificial intelligence (AI) about their obligations under the CCPA.
Attorney General Rob Bonta said, “California is an economic powerhouse built in large part on technological innovation. And right alongside that economic might is a strong commitment to economic justice, workers’ rights, and competitive markets. We’re not successful in spite of that commitment — we’re successful because of it [. . .] AI might be changing, innovating, and evolving quickly, but the fifth largest economy in the world is not the wild west; existing California laws apply to both the development and use of AI. Companies, including healthcare entities, are responsible for complying with new and existing California laws and must take full accountability for their actions, decisions, and products.”
Advisory No. 1: Application of Existing California Laws to Artificial Intelligence
This advisory:
Provides an overview of existing California laws (i.e., consumer protection, civil rights, competition, data protection laws, and election misinformation laws) that may apply to companies that develop, sell, or use AI;
Summarizes the new California AI law that went into effect on January 1, 2025, such as:
Disclosure Requirements for Businesses
Unauthorized Use of Likeness
Use of AI in Election and Campaign Materials
Prohibition and Reporting of Exploitative Uses of AI
Advisory No. 2: Application of Existing California Law to Artificial Intelligence in Healthcare
AI tools are used for tasks such as appointment scheduling, medical risk assessment, and medical diagnosis and treatment decisions. This advisory:
Provides guidance under California law (i.e., consumer protection, civil rights, data privacy, and professional licensing laws) for healthcare providers, insurers, vendors, investors, and other healthcare entities that develop, sell, and use AI and other automated decision systems;
Reminds such entities that AI carries harmful risks and that all AI systems must be tested, validated, and audited for safe, ethical, and lawful use;
Informs such entities that they must be transparent about using patient data to train AI systems and alert patients on how they are using AI to make decisions affecting their health and/or care.
This is yet another example of how issues related to the safe and ethical use of AI will likely be at the forefront for many regulators across many industries.
EnforceMintz — Long Tail of Pandemic Fraud Schemes Will Likely Result in Continued Enforcement for Years to Come
In last year’s edition of EnforceMintz, we predicted that 2024 would bring an increase in False Claims Act (FCA) enforcement activity related to COVID-19 pandemic fraud. Those predictions proved correct. The COVID-19 Fraud Enforcement Task Force (CFETF), in conjunction with five COVID Fraud Enforcement Strike Forces and other government agencies, has resolved many significant criminal and civil pandemic fraud cases over the past year. In April 2024, the CFETF released a COVID-19 Fraud Enforcement Task Force 2024 Report (the CFETF Report) describing the CFETF’s recent efforts and including a plea for more fraud enforcement funding, which suggests that additional enforcement activity is on the horizon. While that funding request has thus far gone unheeded, we expect more civil pandemic fraud enforcement actions (and continuing criminal actions) in 2025.
Civil and Criminal Paycheck Protection Program (PPP) Fraud Enforcement
Since 2020, criminal PPP fraud has dominated COVID-19 fraud enforcement headlines, and 2024 was no different. Criminal fraud schemes have concerned common fact patterns involving fraudsters who (i) obtained funding to which they were not entitled, (ii) submitted false certifications or inaccurate information in a loan application, or (iii) submitted false certifications or inaccurate information in seeking loan forgiveness. However, in the past year, civil PPP fraud enforcement has begun to evolve.
In 2024, criminal PPP fraud enforcement broke up multiple COVID-19 fraud rings involving actors who fraudulently obtained loans for fictitious businesses, packed PPP applications with false documentation (provided in exchange for kickbacks), and falsely certified information regarding the number of employees and payroll expenses that would entitle them to PPP funding. Typical charges in these cases included wire fraud, bank fraud, making false statements to federally insured financial institutions, conspiracy, and money laundering.
On the civil side, PPP fraud enforcement seemed to increase in 2024. Interestingly, some civil PPP fraud cases involved schemes similar to criminal actions. Often the government’s decision to pursue such cases as civil, criminal, or both depends on the evidence of intentional fraud. For example, in January 2024, a clinic and its owners agreed to a $2 million judgment in connection with multiple fraudulent acts, including PPP fraud arising from their certification that they were not engaged in illegal activity and that their business suffered quarterly or year-over-year losses, therefore entitling them to PPP funding. In October 2024, one FCA recovery totaling $399,990 involved a home health agency and its owner who received two PPP loans after certifying that the company would receive only one. More recently, in December 2024, a private asset management company and its owner agreed to pay $680,000 to settle FCA allegations brought by a relator. The company and its owner allegedly falsely certified that PPP loans were economically necessary and included false statements in the information submitted when seeking forgiveness for the loan. Cases of this nature apparently did not rise to the level of criminal wrongdoing, in the government’s view.
A number of civil PPP fraud FCA cases from the past year involved increasingly complex theories and allegations. These more complicated fact patterns require years of investigation and are expensive. As a result, such fraud enforcement actions may have a “long tail” and continue for years to come.
For example, in May 2024, a private lender of PPP loans agreed to resolve allegations that it knowingly awarded inflated and fraudulent loans to maximize its profits, then sold its assets and bankrupted the company. The lawsuit was initiated by whistleblowers (known under the FCA as “relators”), including an accountant and former analyst in the lender’s collection department. As part of the settlement with the lender, the United States received a general unsecured claim in the bankruptcy proceeding of up to $120 million.
More recently, in December 2024, the United States intervened in a complaint against certain former executives of the lender who allegedly violated the FCA by submitting and causing the submission of false claims for loan forgiveness, loan guarantees, and processing fees to the Small Business Administration (SBA) in connection with the lender’s participation in the PPP. When we discussed this case previously, we noted that we expected to see similar cases in the future brought against private lenders who failed to safeguard government funds. More broadly, we expect the trend of increasingly complex civil PPP fraud actions will continue in 2025.
Fraud Enforcement Involving Programs Administrated by the Health Resources and Services Administration (HRSA)
Provider Relief Fund (PRF) and Uninsured Program (UIP) fraud enforcement picked up in 2024. As described in the CFETF Report, the CFETF has leveraged an interagency network to make strategic improvements in how it investigates fraud. (Interagency collaboration is another theme from 2024, which we discuss more here.) The CFETF Report also describes a department-wide effort by the Department of Justice (DOJ) to roll out database tools to all US Attorney’s Offices to detect and investigate fraud. According to the CFETF Report, DOJ has analyzed more than 225 million claims paid by HRSA, the entity that dispensed PRF and UIP loans during the height of the pandemic. Closer investigatory scrutiny has led to increased enforcement actions.
PRF Fraud
Criminal PRF fraud enforcement resembled PPP enforcement from prior years, which was often based on theft or misappropriation theories. These enforcement actions often include charges against PRF recipients who either (i) retained funds to which they were not entitled or (ii) used PRF funds for ineligible expenses, like luxury goods. For example, in April 2024, a defendant who operated a primary care clinic pleaded guilty to theft and misappropriation of PRF funds. The defendant had certified that PRF funds would be used by the clinic only to prevent, prepare for, and respond to COVID-19. Despite making this representation, the clinic operator used the PRF funds for personal purposes, including cash withdrawals and the purchase of personal real estate, a luxury vehicle, a boat, and a trailer.
UIP Fraud
There were a number of noteworthy criminal UIP enforcement actions in 2024. In March 2024, a defendant was charged with filing fraudulent COVID-19 testing reimbursement claims, through the laboratory he managed, for COVID-19 testing that was never provided. The defendant allegedly obtained and used the personal identifying information of incarcerated or deceased individuals in connection with those claims. The indictment alleged that the defendant received $5.6 million in reimbursement and used those UIP funds to purchase property in South Florida.
Enforcement actions involving UIP funds involved significant alleged losses by the government. In February 2024, a defendant pleaded guilty to mail fraud and identity theft charges in what the government called “one of the largest COVID fraud schemes ever prosecuted.” The defendant and her co-conspirators filed more than 5,000 fraudulent COVID-19 unemployment insurance claims using stolen identities to unlawfully obtain more than $30 million in UIP fund benefits. To execute the scheme, the defendant and others created fake employers and employee lists using the personally identifiable information of identity theft victims. The defendant was sentenced to 12 years in prison, and seven co-conspirators have also pleaded guilty in connection with this large fraudulent scheme.
In one major civil FCA resolution, in June 2024, a group of affiliated urgent care providers agreed to pay $12 million to resolve allegations that they submitted or caused the submission of false claims for COVID-19 testing to the HRSA UIP. The government alleged that the providers knew their patients were insured at the time of testing (and in some instances had insurance cards on file for certain patients), yet they submitted claims (and caused laboratories to submit claims) to HRSA’s UIP for reimbursement. The resolution is noteworthy because the providers received a relatively low FCA damages multiplier as credit for cooperating with the government in its investigation under DOJ’s Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters. More information on DOJ’s efforts to encourage voluntary self-disclosure can be found in our related EnforceMintz article here.
Fraud Schemes Involving Respiratory Pathogen Panels
Fraud involving expensive respiratory pathogen panels (RPPs) has been in the spotlight since the beginning of the pandemic. In 2022, the Office of Inspector General for the Department of Health and Human Services (OIG) warned about laboratories with questionably high billing for tests submitted for reimbursement alongside COVID-19 tests, including RPPs. The OIG deemed this scenario as deserving of “further scrutiny.” Medicare reimbursed some outlier laboratories approximately $666 for COVID-19 testing paired with other add-on tests, while Medicare reimbursed approximately $89 for this same testing to the majority of laboratories. The trend in RPP fraud enforcement that we discussed last year continued in 2024: enforcement actions involved a mix of criminal and civil RPP fraud cases involving significant damages.
One laboratory owner was criminally charged with submitting $79 million in fraudulent claims to Medicare and Texas Medicaid for medically unnecessary RPP tests. The laboratory owner used the personal information of a physician — without the physician’s knowledge — to submit the claims even though the physician had no prior relationship with the test recipients, was not treating the recipients, and did not use the test results to treat the recipients. The government seized over $15 million in cash from this defendant.
In another case involving both criminal and civil charges, a Georgia-based laboratory and its owner agreed to pay $14.3 million to resolve claims that they paid independent contractor sales representatives volume-based commissions to recommend RPP testing to senior communities interested only in COVID-19 testing. The independent sales contractors used forged physician signatures and sham diagnosis codes to add RPP testing to requisition forms ordering only COVID-19 testing. The whistleblower in this case — the laboratory’s manager — is set to receive $2.86 million of the recovery.
As the government continues to deploy data analytics to identify outlier cases, we suspect enforcement actions involving COVID-19 companion testing will continue.
Future of COVID-19 Enforcement
Over four years from the enactment of the CARES Act, COVID-19 fraud enforcement continues to evolve. Since the beginning, the government has consistently pursued criminal cases involving misused or fraudulently obtained funds, fake COVID cures, and fake COVID testing. In 2022, the government extended the statute of limitations for PPP fraud from five to ten years, recognizing that more time was needed to investigate and prosecute fraud on these programs.
This past year, a broader range of pandemic fraud schemes were prosecuted criminally and civilly. These often data-heavy or analytics-based cases require a significant investment of time and resources. Recognizing the resources required for these more complicated matters, the CFETF called for increased funding and an extension of the statute of limitations for all pandemic-related fraud in the CFETF Report. As of the date of this publication, that request has not yet been answered. It thus appears the funding request will be determined by the new administration.
Despite uncertainty around future funding for COVID-19 fraud enforcement, we anticipate more criminal and high-dollar civil enforcement actions in 2025. The CFETF Report described 1,200 civil pandemic fraud matters pending as of April 1, 2024, for which DOJ had obtained more than 400 judgments or settlements totaling over $100 million. This leaves approximately 800 pending civil matters, and untold billions in fraudulently obtained funds still in the hands of fraudsters. Despite uncertainty around future fraud enforcement funding, as a general matter, fraud enforcement has bipartisan support. Either way, employees, related parties, and patient relators — with the support of sophisticated relator’s counsel — will likely continue to bring pandemic fraud cases in the coming years. Overall, COVID-19 fraud enforcement is unlikely to slow down in 2025.
EnforceMintz — Medicare Advantage and Part D Programs to Remain in the Enforcement Spotlight in 2025
As government scrutiny and enforcement targeting the Medicare Advantage (Medicare Part C) program continued in 2024, the industry’s response to agency actions escalated. Last year also resulted in the first sizable Part D False Claims Act settlement. Year over year, as the number of enrollees in Medicare Advantage plans and Part D plans has steadily increased, the total federal spending on Medicare Advantage and Part D has likewise risen and the spotlight on these programs and those who participate in them has intensified.
As seen in years past, the Department of Justice (DOJ) as well as the two agencies that regulate Medicare Advantage Organizations (MAOs) and Part D plan sponsors (PDP Sponsors), the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General for the Department of Health and Human Services (OIG), focused much of their attention on risk adjustment activities. DOJ remained in active litigation against many of the largest MAOs in the country while CMS and the OIG began conducting risk adjustment audits subject to extrapolation. Throughout 2024, the industry challenged CMS’s regulatory actions relating to Star Ratings and rules for communicating with Medicare beneficiaries who are considering Medicare Advantage and Part D plans. Finally, on December 9, 2024, CMS also finalized its updated Overpayment Rule for MAOs and PDP Sponsors in the 2025 Physician Fee Schedule Rule.
With Medicare Advantage expected to remain a top enforcement priority in 2025 and Part D enforcement growing, we anticipate that DOJ and CMS will continue to target the actions of not only MAOs and PDP Sponsors, but also vendors and third-party entities that touch the Part C and D programs. In 2025, we will also be closely watching for court decisions in ongoing litigation matters that will undoubtedly influence future theories of liability and test the strength of defenses raised by MAOs, PDP Sponsors, and their vendors.
Recent Settlements Demonstrate that DOJ’s Enforcement Interest Spans the Industry
In 2024, DOJ settled two notable False Claims Act (FCA) matters relating to Medicare Advantage, which demonstrate that DOJ’s enforcement interests are not limited to MAOs, but also include vendors and other third-party entities engaged in risk adjustment practices and more. Plus, DOJ settled a large Part D matter relating to how drug costs are reported to and impact Medicare Part D payments from CMS.
Last year, Principal Deputy Assistant Attorney General Brian M. Boynton underscored DOJ’s “commitment to holding accountable third parties that cause the submission of false claims” and the government’s intention to “expand its focus on the Medicare Part C Program to include an examination of the role that vendors and providers play in the diagnoses that are submitted to the government.” DOJ made good on this promise.
For example, DOJ targeted entities involved in marketing efforts to Medicare Advantage patients. In September, Oak Street Health (Oak Street) agreed to pay $60 million to resolve the government’s allegations that it paid kickbacks to third-party insurance agents in exchange for recruiting Medicare beneficiaries to Oak Street’s primary care clinics in violation of the FCA. More specifically, DOJ alleged that Oak Street violated the Anti-Kickback Statute when, in exchange for referring Medicare beneficiaries to Oak Street, Oak Street paid insurance agents (who were acting as agents for MAOs) $200 per beneficiary referred or recommended to Oak Street’s primary care clinics. DOJ further alleged that the insurance agents delivered targeted messages to eligible seniors designed to generate interest in Oak Street and that the payments received incentivized those agents to base their referrals and recommendations on the financial motivations of Oak Street rather than the best interests of seniors. The complaint was filed by a relator who partnered with insurance agents and was contacted by Oak Street, and DOJ intervened in September for purposes of settlement. Although this settlement was with a provider organization (as explained further in), the conduct focused on Medicare Advantage members and their interactions with agents and brokers. CMS similarly highlighted its concerns regarding misleading communications to Medicare beneficiaries in its updated Medicare Advantage and Part D communication rules discussed below.
DOJ also reached a settlement agreement with a risk adjustment coding vendor this December. DOJ kicked off the holiday season by announcing the long-awaited settlement with MAO Independent Health Association, its wholly owned subsidiary and risk adjustment vendor DxID, and DxID’s former CEO, totaling up to $100 million across the three defendants. The government alleged that DxID improperly coded diagnoses from member medical records to inflate Medicare’s payments to Independent Health, including by coding from improper sources, coding conditions for which patients were not treated, and sending addenda to providers months or years after the service occurred. The parties have seemingly been engaged in settlement discussions for years, jointly requesting continual extensions of time for defendants to answer DOJ’s complaint since 2023.
Under this settlement, structured based on Independent Health’s ability to pay, Independent Health will make guaranteed payments of $34.5 million and contingent payments of up to $63.5 million on behalf of itself and DxID, which ceased operations in 2021. DxID’s CEO, Betsy Gaffney, will independently pay $2 million. While Independent Health did not admit fault under the settlement agreement, the MAO also entered into a five-year Corporate Integrity Agreement (CIA) with HHS-OIG requiring that Independent Health hire an Independent Review Organization to annually review a sample of its Medicare Advantage beneficiary medical records and its internal controls to help ensure appropriate risk adjustment payments.
Additionally, following years of CMS voicing concerns over Part D Direct and Indirect Remuneration (DIR) and beneficiary protections, DOJ for the first time settled a significant matter relating to Part D DIR reporting. In July, DOJ entered into a settlement agreement with Elixir Insurance Company (Part D plan sponsor), Rite Aid Corporation (Parent Organization), and Elixir Rx Solutions (PBM) for a total of $121 million to resolve allegations that the defendants failed to appropriately report drug rebates through the Medicare Part D DIR reporting mechanism that is used by CMS to reconcile and calculate payments to Part D plan sponsors. Because Rite Aid Corporation, the parent organization, had declared bankruptcy, a portion of the settlement ($20 million) was granted as an allowed, unsubordinated, general unsecured claim in Rite Aid’s bankruptcy case in the District of New Jersey.
This is the first substantial Part D settlement focusing on Part D DIR, and it aligns with a theory of liability that DOJ has been considering for almost a decade. DOJ alleged that amounts that should have been reported as DIR (and therefore would have reduced the amount of revenue the government would pay a PDP Sponsor) were instead falsely reported as fees that do not qualify as DIR, and therefore the PDP Sponsor received and retained government payments to which it was not entitled.
Ongoing Litigation is Likely to Shape Risk Adjustment Enforcement in 2025 and Beyond
As previewed in last year’s report, DOJ continued to litigate three large FCA risk adjustment-focused cases last year against United Healthcare, Kaiser Foundation Health Plans and their affiliated medical groups, and Anthem. Because DOJ’s regulatory expectations of MAOs are often borne out through enforcement actions, judicial instruction on this topic is likely to shape future government actions and exemplify the standard of due diligence MAOs are expected to uphold when engaging in risk adjustment coding activities.
We summarized the current status and next steps for these three key cases below:
UnitedHealthcare. Litigation continued last year between the country’s largest MAO and DOJ in US ex rel. Poehling v. UnitedHealth Group, Inc. et al. (C.D. Cal.), reaching a key milestone this summer when the parties filed cross motions for summary judgment. In its Complaint in Intervention filed back in 2017, DOJ alleged that United failed to delete inaccurate diagnosis codes that it knew were unsupported by the medical records and thus resulted in overpayments. As one of the few Medicare Advantage lawsuits to reach this stage of litigation, we are watching closely for a summary judgment decision in the new year focused on the elements required to prove liability under the FCA’s reverse false claims provision.
Anthem. The government raised similar allegations against Anthem in United States v. Anthem, Inc. (S.D.N.Y.), arguing that Anthem failed to identify and remove inaccurate diagnosis codes as part of its chart review program. DOJ and Anthem spent 2024 litigating discovery disputes and are set to remain in discovery through 2026.
Kaiser. DOJ also remained in active discovery with Kaiser in the lawsuit US ex rel. Osinek v. Kaiser Permanente (N.D. Cal.). The government’s Complaint in Intervention, filed in 2021, focuses on Kaiser’s use of addenda in medical records. DOJ alleges that Kaiser pressured physicians to create addenda often months after the patient encounter to retroactively add unsupported diagnoses, and that Kaiser used “data mining” programs to identify missed diagnoses and create the addenda. Following the denial of Kaiser’s motion to dismiss, the parties spent 2024 litigating discovery disputes before a magistrate judge. The case will remain in the discovery phase at least through 2025, with dispositive motions not scheduled until 2026, and a trial date currently set over two years out in 2027.
CMS and The OIG Take Active Role in Regulating Medicare Advantage and Part D with New Rules and the Impact of Extrapolation
Similar to DOJ’s expanded enforcement approach discussed above, both CMS and the OIG continued to focus on risk adjustment activities while CMS also began more heavily regulating agents and brokers who communicate with Medicare beneficiaries.
Risk Adjustment, RADV Audits, and Overpayment Rule: As it relates to risk adjustment, the OIG issued a second report concerning MAOs’ alleged use of in-home health risk assessments (IH-HRAs) to drive up payments. IH-HRAs are exams conducted by health care providers (typically nurse practitioners) in a member’s home to collect information regarding that patient’s health. In its report, the OIG identified 20 MAOs that it believes are outliers for their use of IH-HRAs as a tool to report diagnoses of their members to CMS. The OIG published a similar report in 2021 concluding that IH-HRAs and chart reviews are vulnerable to misuse by MAOs, which has likely driven DOJ enforcement action targeting these practices since.
CMS and the OIG regularly conduct audits of the diagnosis codes that MAOs submitted for their members. Critically, in 2024, the OIG finalized and CMS initiated risk adjustment audits that reached Payment Year (PY) 2018, which is the first year that extrapolation under the CMS final rule applies. Under this rule (42 C.F.R. 422.310(e)), which was finalized in February 2023, CMS has the authority to extrapolate risk adjustment audit findings covering diagnosis codes MAOs submitted in PY 2018 and forward. For years prior to PY 2018, MAOs have only had to repay overpayments identified in the actual sample that CMS or the OIG reviewed.
Last year CMS selected the MAOs that will be subject to PY 2018 Risk Adjustment Data Validation (RADV) Audits and has initiated that process with the selected MAOs. The OIG has already completed certain audits that include PY 2018 and the monetary impact of extrapolation of the findings is immediately apparent. For example, Humana’s final report for diagnosis-targeted audits imposed an overpayment obligation of just $274,000 for diagnoses audited from PY 2017 (no extrapolation) as compared to over $6.5 million in estimated overpayments for diagnosis codes audited from PY 2018 (with extrapolation). Similarly, Health Assurance of Pennsylvania’s final report auditing diagnosis codes in PYs 2018 and 2019 with extrapolation totaled $4.2 million in overpayments.
Additionally, in early December, CMS finalized the Overpayment Rule that requires MAOs and Part D plan sponsors to report and return overpayments within 60 days of an identification. The Rule was initially adopted in 2014 and held MAOs and Part D plan sponsors to a “reasonable diligence” standard when determining when an overpayment had been “identified.” The “reasonable diligence” standard was struck down in United Healthcare Insurance Company v. Azar when the district court held that the standard was impermissibly being used to establish False Claims Act liability. The updated Overpayment Rule, proposed in December 2022, has now replaced the “reasonable diligence” standard with the knowledge standard from the False Claims Act. An MAO is now considered to have “identified” an overpayment when it knowingly (either with actual knowledge, or through reckless disregard or deliberate ignorance) receives or retains an overpayment.
Medicare Advantage and Part D Communication Rules: CMS adopted changes to the Medicare Advantage and Part D Communication regulations for 2025 that, according to CMS, seek to increase transparency and protect Medicare beneficiaries from receiving misleading information about coverage options. CMS expressed concern that agents and brokers who were contracted with MAOs and Part D plan sponsors were enrolling beneficiaries into plans based on which plans paid the agents and brokers the most money, rather than the plan that was in each beneficiary’s best interests.
To address this concern, the revised regulations: (1) prohibit MAOs and Part D plan sponsors from having contract provisions that could directly or indirectly create an incentive that would reasonably be expected to inhibit an agent or broker’s ability to objectively assess and recommend which plan best fits the health care needs of the beneficiary, (2) recognize that MAOs and Part D plan sponsors may pay agents and brokers and Third-Party Marketing Organizations (TPMOs) for certain administrative and overhead expenses but limit the payment for such services to $100 per member enrolled by the agent, broker, or TPMO (previously there was no express limit other than that the values of such payments must not exceed those within the market), and (3) adopt more stringent consent requirements needed in order for a beneficiary’s information to be shared by a TPMO with a third party, including related third parties. As described further below, many entities that provide agent and broker services, referred to as field marketing organizations, or FMOs, sued CMS over these rule changes.
Following these regulatory changes and DOJ actions against brokers and agents, the OIG also weighed in when in December it issued a Special Fraud Alert warning the industry regarding its perceived risks of marketing arrangements between MAOs and health care providers or between providers and agents and brokers for MAOs. We discuss this alert further in our article here.
Industry Actions are on the Rise following the Demise of Chevron Deference
As has been widely reported, the US Supreme Court issued in June a landmark decision in Loper Bright Enterprises v. Raimondo, which struck down the longstanding doctrine of so-called “Chevron deference” to federal agency interpretation of ambiguous statutes and substantially expanded judicial review of such statutes. As expected, Loper Bright has already led to increased scrutiny of, and challenges to, agency action, including in the Medicare space. While “enforcement” against agencies is not typical government “enforcement,” it affects government enforcement matters because it impacts how agencies can take enforcement actions and what rules are enforceable.
In May 2024, certain FMOs sued CMS in the United States District Court for the Northern District of Texas, seeking to invalidate certain portions of the 2025 Medicare Advantage and Part D Communications regulations. The FMOs argued that the provision of these rules, summarized above in the Medicare Advantage and Part D Communication Rules section, violated the Administrative Procedure Act (APA). They argued that the rule was arbitrary and capricious under the APA, claiming that CMS finalized the rule based on “pure speculation,” ignored objections from the public, and failed to acknowledge reliance interests of brokers. The FMOs further contended that the rule failed to properly adhere to the notice and comment procedural requirements because CMS relied upon evidence not presented during notice and comment rulemaking. Less than a week after the Loper Bright decision, the court granted the FMOs’ request for a preliminary injunction relating to the regulation that restricted contract terms and limited administrative fee payments, finding that the rules were not reasonable.
Also, last fall four of the largest MAOs, UnitedHealthcare, Centene, Elevance, and Humana, all challenged how CMS calculated their specific Star Ratings, and, more recently, at least two Blues plans have also sued CMS. Star Ratings is the system that CMS uses to rate the performance of MAO and PDP plan sponsors. A plan’s Star Rating impacts how and when it can be marketed, and in Medicare Advantage, impacts how the plan is paid and when CMS can terminate a plan’s contract. United and Centene’s cases were relatively similar, focusing on how CMS evaluated and calculated a certain call center measure. Humana and Elevance each had arguments specific to their circumstances, and also included broader complaints regarding how CMS calculates Stars. Humana specifically challenged CMS’s unwillingness to share industry data with MAOs to ensure appropriate calculations. On November 22, 2024, the Eastern District of Texas granted summary judgment for UnitedHealthcare and ordered CMS to recalculate the MAO’s Star Rating by removing the one call center measure in dispute. In early December, Centene reported that CMS recalculated its Star Rating for 2025 following its challenge. The other cases are ongoing.
The challenges to Star Ratings are an important enforcement development because these lawsuits may force CMS to rethink how it operates the Star Ratings program and may impact whether CMS can terminate contracts that CMS believes are low performing.
Conclusion
Following another year of intense scrutiny, the Medicare Advantage industry is set to remain a government enforcement priority in 2025, and PDP plan sponsors will likely attract similar scrutiny. Both MAOs as well as third-party entities involved in the Part C program should continue to monitor DOJ enforcement activity and decisions in ongoing litigation to evaluate their risk adjustment practices. Moreover, with the danger of extrapolation of risk adjustment audits evident, MAOs must be mindful to engage in robust compliance efforts and to review published OIG reports and related guidance to mitigate enforcement risk. PDP Sponsors and their vendors should expect increased scrutiny following the Elixir settlement, the continued rollout of the Inflation Reduction Act and the intense national discussion regarding prescription drug costs. We will continue to monitor the evolving enforcement actions against MAOs and PDP Sponsors and watch closely for updated guidance whether via agency regulations and reports or court decisions in 2025 and beyond.
DOL: Employers Cannot Mandate PTO Use with State/Local Paid Leave Benefits During FMLA
The U.S. Department of Labor Wage and Hour Division (“WHD”) has issued an opinion letter stating that employers cannot require employees to substitute accrued paid time off during a Family and Medical Leave Act (“FMLA”) leave where the employee is also receiving benefits under a state or local paid family or medical leave program.
The opinion letter – which does not have the force of law but sets forth the agency’s enforcement position – answers a longstanding open question around the interplay between the FMLA, state/local paid leave programs, and accrued paid time off.
A Quick Refresher: FMLA and State Family/Medical Leave Programs
The federal FMLA entitles eligible employees of covered employers to up to 12 weeks (or in limited cases, 26 weeks) of unpaid, job-protected leave per 12-month period for specified family and medical reasons. Covered reasons for FMLA leave include an employee’s own serious health condition, caring for a parent, spouse or child with a serious health condition, and caring for a new child following birth, adoption or foster placement.
Since the FMLA’s enactment in 1993, numerous states (including New York, California, Massachusetts, Connecticut, and others) have instituted family and/or medical leave programs that provide partially paid leave (usually based on a percentage of the employee’s wages, up to a set cap) for personal medical, family care and/or parental leave reasons. Likewise, certain local governments have implemented paid family and medical leave programs specifically for their municipal employees. Many of these programs permit leave for reasons that are also qualifying reasons for leave under the FMLA. However, state/local paid leave programs often include benefits that differ from or exceed what the FMLA provides, such as longer leave periods or additional covered reasons for leave.
What Do the FMLA Regulations Say About Substitution of PTO?
While FMLA leave is unpaid, the governing regulations allow an employee to elect, or an employer to require the employee, to “substitute” accrued employer-provided paid time off (e.g., paid vacation, paid sick leave, etc.) for any part of an unpaid FMLA period – that is, the accrued paid time off may be used concurrently with FMLA leave to enable the employee to receive full pay during an otherwise unpaid leave period. However, the regulations further state that, during any part of an FMLA leave where an employee is receiving disability or workers’ compensation benefits, neither the employer nor the employee can require substitution of paid time off because such leave is not unpaid. Rather, when disability or workers’ compensation benefits are being received, the employer and the employee may only mutually agree (where state law permits) that accrued paid time off will be used to supplement such benefits.
EXAMPLE: John tells his employer he requires 12 weeks of leave to recover from a serious back surgery. John’s employer designates the 12 weeks as FMLA leave. John also applies and is approved for 12 weeks of disability benefits under his employer’s short-term disability program, pursuant to which he will receive a benefit equal to two-thirds of his regular wages. John’s employer cannot require John to substitute his accrued vacation time because he is receiving disability benefits and therefore his FMLA is not unpaid. However, John and his employer agree to use one-third of his available vacation time each week to supplement his disability pay so John receives 100% pay during the leave.
How Does the Opinion Letter Impact Substitution of PTO During FMLA?
Because they have only more recently come into existence, state and local paid family or medical leave programs are not directly addressed in the FMLA regulations. However, the opinion letter now makes clear that “the same principles apply to such programs as apply to disability plans and workers compensation programs.”
First, the opinion letter emphasizes that “where an employee takes leave under a state or local paid family or medical leave program, if the leave is covered by the FMLA, it must be designated as FMLA leave[.]” The opinion letter then goes on to state:
[W]here an employee, during leave covered by the FMLA, receives compensation from a state or local family or medical leave program, the FMLA substitution provision does not apply to the portion of leave that is compensated. Because the substitution provision does not apply, neither the employee nor the employer may use the FMLA substitution provision to unilaterally require the concurrent use of employer-provided paid leave during the portion of the leave that is compensated by the state or local program. [However], if the employee is receiving compensation through state or local paid family or medical leave that does not fully compensate the employee for their FMLA covered leave, and the employee also has available employer-provided paid leave, the employer and the employee may agree, where state law permits, to use the employee’s employer-provided accrued paid leave to supplement the payments under a state or local leave program.
The opinion letter also notes that if an employee’s leave under a state or local paid family or medical leave program ends before the employee has exhausted their full FMLA leave entitlement and the leave therefore becomes unpaid, the FMLA substitution provision would then apply and the employee would be able to elect, or the employer would be able to require the employee, to substitute accrued paid time off.
EXAMPLE: Jane tells her employer she requires 12 weeks of leave to care for her husband while he recovers from a serious back surgery. Jane’s employer designates the 12 weeks as FMLA leave. Jane also applies and is approved for 8 weeks of paid family care benefits under her state’s paid family and medical leave program, pursuant to which she will receive a benefit equal to two-thirds of her regular wages. Jane’s employer cannot require Jane to substitute her accrued vacation time during the 8 weeks of her FMLA leave where she is concurrently receiving state family care benefits because her FMLA during that time is not unpaid. However, Jane and her employer agree to use one-third of her available vacation time each week during the first 8 weeks to supplement her state family care benefit so Jane receives 100% pay during that time. Beginning on week 9, Jane is no longer eligible for state family care benefits and her FMLA leave is now unpaid, so pursuant to its FMLA policy Jane’s employer requires her to substitute her remaining accrued vacation time during the FMLA leave until it is exhausted.
Implications and Action Steps for Employers
The opinion letter clarifies what has been a gray area around the interplay between the FMLA, state/local paid leave programs, and accrued paid time off. For example, the regulations governing the New York Paid Family Leave Law (“NYPFL”) state that “[a]n employer covered by the FMLA . . . that designates a concurrent period of family leave under [the NYPFL] may charge an employee’s accrued paid time off in accordance with the provisions of the FMLA.” However, it had previously been unclear whether this language in fact permitted employers to require substitution of accrued paid time off during a concurrent FMLA and NYPFL leave. It is now clear that such a requirement is impermissible, though employers and employees may agree to use paid time off to supplement NYPFL benefits.
Employers should now review their leave policies and practices to ensure that any provisions around the use of accrued paid time off during FMLA leave comport with the WHD’s interpretation of the requirements of the law. To the extent that any such policies require employees to substitute accrued paid time off during an FMLA leave where an employee is concurrently receiving disability, workers’ compensation or state/local paid family or medical leave benefits, the policies should be revised to provide that paid time off may only be used to supplement such other payments and only if both the employer and the employee agree.
However, employers are reminded that, as noted above, there may be situations where employees are eligible for benefits under state/local paid leave laws that are not also covered by the FMLA. As such, employers should also take note of what an applicable state/local paid family or medical leave law may permit (or not permit) around the substitution of paid time off and apply those rules during any leave period that does not run concurrently with the FMLA.
Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook
As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits of Regulated Entities. For example, OIG highlighted the absence of corrective action requirements following audits, which raised concerns about the program’s ability to drive improvements in cybersecurity protections following audits of Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:
Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.
Recent Regulatory and Legislative Efforts to Address Health Care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:
Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
Health Infrastructure Security and Accountability Act of 2024 (5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
Health Care Cybersecurity and Resiliency Act of 2024 (5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare Cybersecurity Improvement Act (R.10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.
Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor that requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for healthcare organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.
DOJ Reports Substantial Procurement Fraud Recoveries in FY 2024
The Department of Justice (DOJ) recently announced that it obtained more than $2.9 billion in False Claims Act (FCA) settlements and judgments in the fiscal year ending Sept. 30, 2024.
DOJ reports that matters that involved the healthcare industry comprised the largest portion of these FCA recoveries in FY 2024, but that “procurement fraud” recoveries, once again, were significant for DOJ this past year.
Among the more notable procurement fraud recoveries from the past year were:
A large government contractor paid $428 million to resolve allegations that it knowingly provided false cost and pricing data when negotiating with the Department of Defense for numerous government contracts and double billed on a weapons maintenance contract, leading to the company receiving profits in excess of negotiated rates. This is the second largest government procurement fraud recovery under the False Claims Act in history.
A large federal contractor paid $70 million to resolve allegations they overcharged the U.S. Navy for spare parts and materials needed to repair and maintain the primary aircraft used to train naval aviators. The government alleged that these entities, which were owned by the same parent company, entered into an improper subcontract that resulted in the Navy paying inflated costs for parts.
A federal contractor paid $811,259 to resolve allegations that it knowingly supplied valves that did not meet military specifications. The government alleged that, under a U.S. Navy contract, the company invoiced for military-grade valves to be installed on certain combat ships when the company knew the valves had not met the testing requirements to be deemed military grade.
DOJ brought claims against a federal contractor and an individual estate of the founder, majority owner and chief operating officer of the company for allegedly causing the submission of false claims to the Department of Defense under contracts to provide Army combat uniforms. The government alleged that the company and the founder falsified the results of the insect repellant testing to conceal failing test results, including by inappropriately combining results from different rounds of testing, re-labeling test samples to hide the true origin of the samples, and performing re-tests of uniforms in excess of what the contract permitted.
A government contractor paid $55.1 million to satisfy a judgment that it made knowingly false claims to the United States when it misrepresented its commercial sales practices during the negotiation and subsequent performance of a General Services Administration (GSA) contract. The court found that the false disclosures induced GSA to accept and then continue to pay higher prices than it would have had it known of the company’s actual commercial pricing practices. The court also found that the company continuously violated the Price Reduction Clause, “a standard term in these types of contracts that requires the contractor throughout performance of the contract to maintain GSA’s price position in relation to an identified customer or category of customer agreed upon in contract negotiations.”
The City of Los Angeles paid $38.2 million to resolve allegations that it failed to meet federal accessibility requirements when it sought and used Department of Housing and Urban Development (HUD) grant funds for multifamily affordable housing. The government alleged that the city failed to make its affordable multifamily housing program accessible to people with disabilities. The government also alleged that the city failed to maintain a publicly available list of accessible units and their accessibility features, and the city, on an annual basis, falsely certified to HUD that it complied with related grant requirements.
A federal contractor paid $26.8 million to resolve allegations that Hahn Air failed to remit to the United States certain travel fees collected from commercial airline passengers flying into or within the United States.
A government contractor paid $18.4 million to resolve allegations that it billed for time not worked at the National Nuclear Security Administration’s Pantex Site near Amarillo, Texas.
A large federal contractor paid $11.8 million to resolve allegations that it submitted false claims to the Federal Emergency Management Agency for the replacement of certain educational facilities located in Louisiana that were damaged by Hurricane Katrina. The government alleged that the contractor submitted to FEMA fraudulent requests for disaster assistance funds and did not correct applications that included materially false design, damage and replacement eligibility descriptions. Combined with settlements with other entities involved in the alleged conduct, the government recovered over $25 million in connection with the disaster assistance applications prepared by the contractor.
Congress Declines to Extend HDHP First-Dollar Telehealth Coverage Relief
After Congress declined to extend certain relief allowing first-dollar coverage of telehealth services by high-deductible health plans (HDHPs), health plan sponsors may need to make immediate changes to preserve employees’ health savings account (HSA) eligibility.
Quick Hits
Due to the expiration of certain relief that allowed pre-deductible coverage of telehealth, employers offering HDHPs with first-dollar telehealth coverage may need to amend their plans by January 1, 2025 (for calendar year plans) to ensure employees remain eligible to contribute to their HSAs.
In connection with this change, plan sponsors may also need to update their HDHP participant communications to reflect changes in cost sharing for telehealth services.
As mentioned in our December 3, 2024, article on HDHP plan amendments, the CARES Act of 2020, which was extended through the Consolidated Appropriations Act, 2023, allowed, but did not require, HDHPs to provide first-dollar coverage of telehealth without negatively affecting participants’ HSA eligibility. The extension expired at the end of the 2024 plan year (December 31, 2024, for calendar year plans), and Congress’s year-end spending bill, the American Relief Act, 2025, did not include an extension of the HDHP telehealth relief.
Accordingly, an employer that provides HDHP health plan coverage will need to amend its HDHP if it includes first-dollar telehealth coverage. Since the prior relief was not extended, individuals who are covered by an HDHP that covers telehealth services before the deductible will not be eligible to contribute to an HSA for some or all of 2025.
Effective January 1, 2025 (for a calendar year plan), to preserve employees’ HSA eligibility, an HDHP that covers telehealth services may not cover such services until the employee has met the annual deductible. Employers with non–calendar year plans will have until the end of the plan year that began in 2024 to make the change. In either case, employers will want to confirm that their plan documents, summary plan descriptions, and summaries of benefits and coverage are updated to reflect any changes to participant cost sharing for telehealth services.
Second Circuit Revives New York Reproductive Health Bias Law’s Notice Requirement for Employee Handbooks
On January 2, 2024, the U.S. Court of Appeals for the Second Circuit reinstated the New York Reproductive Health Bias Law’s requirement that New York State employers include a notice in their employee handbooks regarding the law’s prohibition on discrimination and retaliation based on employees’ reproductive health care choices.
Quick Hits
The Second Circuit has revived a requirement that New York employers include in employee handbooks a notice informing employees of their right to be free from discrimination or retaliation based on their [the employees’] or their dependents’ reproductive health decisions.
The ruling also revived a First Amendment challenge by religious organizations to New York’s Reproductive Health Bias Law (New York Labor Law Section 203-e), impacting how employers may address expressive association claims in the employment context.
In CompassCare v. Hochul, three religious groups—CompassCare, the National Institute of Family and Life Advocates (NIFLA), and First Bible Baptist Church—challenged the constitutionality of New York Labor Law Section 203-e, which went into effect in November 2019.
The law prohibits employers from accessing personal information regarding employees’ or their dependents’ reproductive health decision making without the employees’ “prior informed affirmative written consent.” The law also prohibits employers from discriminating or retaliating against employees based on their reproductive health decisions, “including, but not limited to, a decision to use or access a particular drug, device, or medical service.” Importantly, the law included a notice provision requiring employers to inform employees of their rights and remedies under the law in employee handbooks.
On March 29, 2022, the U.S. District Court for the Northern District of New York entered a permanent injunction blocking the State of New York from enforcing the requirement that employers that issue employee handbooks “include in the handbook notice of employee rights and remedies under [Section 203-e].” The district court found that the notice provision of Section 203-e violated the First Amendment because it compelled speech that was contrary to the religious organizations’ religious beliefs as they related to reproductive choices.
The Second Circuit reversed that permanent injunction, finding the notice requirement “a content-based regulation of speech” that “is subject to … rational basis review.” Under that review, the Second Circuit found that the notice requirement did “not interfere with [the] [p]laintiffs’ greater message and mission” and that “the required disclosure of the existence and basic nature of an otherwise-valid statute” was a simple expression of employee rights, similar to many other required employment rights notices and postings.
Additionally, the Second Circuit remanded the case to the district court for reconsideration in light of the Second Circuit’s 2023 decision in Slattery v. Hochul, which held that an employer may have an associational rights claim if the law “forces [the employer] to employ individuals who act or have acted against the very mission of its organization.” (Emphasis in the original.)
The Second Circuit stated that to sustain such a claim, an employer must show that it does not simply hold particular views or interests but that an association threatens the “very mission” of the employer “in the context of a specific employment decision.” This showing would be based on an assessment of whether (1) a position at issue is client-facing or involves expressing the particular views of the employer, and (2) the conduct or specific attribute of an employee “renders the employment of that person, in that position, a threat to the employer’s mission,” the court stated.
Next Steps
As a result of this ruling, New York employers must immediately comply with the notice provision of Section 203-e. Thus, employers with New York employees that issue employee handbooks must include a notification to employees of their rights and remedies under Section 203-e in their employee handbooks or in an addendum containing New York–specific employment policies.
This requirement includes informing employees of their rights to make reproductive health decisions and not be discriminated against or retaliated against for such decisions.
With respect to the expressive association claim, employers, particularly those with specific missions or religious affiliations, may have grounds to challenge laws that they believe force them to employ individuals whose actions conflict with their organizational missions. However, such claims must be specific and demonstrate how the law threatens the organization’s mission in the context of particular employment decisions.
HHS-OCR’s Proposed Rule and HIPAA Security Risk Assessment
On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) issued a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed rule includes express requirements for Covered Entities when conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
A review of the technology asset inventory and network map
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office of Civil Rights (HHS-OCR) has already begun to enforce these requirements on Covered Entities, including by imposing fines and penalties on Covered Entities whose failure to implement the proposed requirements results in a data breach affecting their patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting an SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting an SRA, its product contains a disclaimer that use of the tool does not guarantee compliance with federal, state, or local laws.
Covered Entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting an SRA. At the same time, the methodology that an organization adopts may be considered insufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event it is subject to a data breach and subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee this will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly what aspects of their SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.
This Week in 340B: January 7 – 13, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: Contract Pharmacy; Other
In two appealed cases challenging a proposed Louisiana law governing contract pharmacy arrangements, the appellants filed their opening brief.
In a breach of contract case related to the Medicare 340B cuts, the court terminated the action without prejudice.
Matt David, associate in McDermott’s Los Angeles office, also contributed to this blog post.
December 2024 Bounty Hunter Plaintiff Claims
California’s Proposition 65 (“Prop. 65”), the Safe Drinking Water and Toxic Enforcement Act of 1986, requires, among other things, sellers of products to provide a “clear and reasonable warning” if use of the product results in a knowing and intentional exposure to one of more than 900 different chemicals “known to the State of California” to cause cancer or reproductive toxicity, which are included on The Proposition 65 List. For additional background information, see the Special Focus article, California’s Proposition 65: A Regulatory Conundrum.
Because Prop. 65 permits enforcement of the law by private individuals (the so-called bounty hunter provision), this section of the statute has long been a source of significant claims and litigation in California. It has also gone a long way in helping to create a plaintiff’s bar that specializes in such lawsuits. This is because the statute allows recovery of attorney’s fees, in addition to the imposition of civil penalties as high as $2,500 per day per violation. Thus, the costs of litigation and settlement can be substantial.
The purpose of Keller and Heckman’s latest publication, Prop 65 Pulse, is to provide our readers with an idea of the ongoing trends in bounty hunter activity.
In December of 2024, product manufacturers, distributors, and retailers were the targets of 394 new Notices of Violation (“Notices”) and amended Notices, alleging a violation of Prop. 65 for failure to provide a warning for their products. This was based on the alleged presence of the following chemicals in these products. Noteworthy trends and categories from Notices sent in December 2024 are excerpted and discussed below. A complete list of Notices sent in December 2024 can be found on the California Attorney General’s website, located here: 60-Day Notice Search.
Food and Drug
| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Fruits, Vegetables, and Mushrooms: Notices include farro porcini mushrooms, chopped spinach, capers, chili mango, flavored sunflower seeds, shiitake mushrooms, kale chips, flax seeds, artichoke quarters in brine, moringa, dried apricot, madras lentils, cactus chips, bamboo shoots, and stuffed manzanilla olives | 38 Notices | Lead and Lead Compounds, and Cadmium and Cadmium Compounds |
| Prepared Foods: Notices include soup bowls, noodle bowls, salt & vinegar potato chips, bundt cake mix, flatbread mix, granola bars, crackers, nut butter, vegetable biryani, vegan chips, mushroom ravioli, gluten-free tortilla wraps, and plant-based ground meat | 36 Notices | Lead and Lead Compounds, Cadmium, and Mercury |
| Seafood: Notices include Alaska pink salmon, tuna salad, mackerel in olive oil, sardines, seasoned squid, dried seaweed, fried anchovy, dried mackerel, ground shrimp, dried sea mustard seaweed, raw seaweed, and shrimp paste | 32 Notices | Lead and Lead Compounds, Cadmium and Cadmium Compounds, and Mercury |
| Dietary Supplements: Notices include plant-based protein shakes, green powder superfood, greens, protein powder, electrolyte formula beverages, pre-workout beverages, ginkgo biloba powder and tea, and spirulina powder | 26 Notices | Cadmium, Lead and Lead Compounds, Mercury and Mercury Compounds, and Perfluorooctanoic Acid (PFOA) |
| THC-containing Products: Notices include gummies, chocolates, soft gels, flavored beverages, and candies | 13 Notices | Delta-9-tetrahydrocannabinol |
| Sauces: Notices include red mole, aged balsamic vinegar, sundried tomato paste, and basil pesto sauce | 4 Notices | Lead and Lead Compounds |
| Packaged Liquids: Notices include vegetable stock and fruit-flavored beverages, and canned coconut water | 4 Notices | Perfluorononanoic Acid (PFNA) and its salts, Perfluorooctanoic Acid (PFOA), and Bisphenol A (BPA) |
Cosmetics and Personal Care
| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Personal Care Items: Notices include hair color, aloe vera lotions, skin toners, spot treatments, face masks, vitamin C serum, enzyme scrub, body cleaners, eye serums and creams, hair color treatments, hair gels, body wash and foaming cleansers, pain relief cream, body glow, and squirt blood | 66 Notices | Diethanolamine |
| Cosmetics: Notices include mascara, cream makeup, matte lipstick, eyeliner pens, concealers, face primer, and cake makeup | 36 Notices | Diethanolamine |
| Personal Care Products: Notices include shave gel, shave foam, and volumizing foam | 3 Notices | Nitrous Oxide |
Consumer Products
| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Plastic Pouches, Bags, and Accessories: Notices include children’s bags, beauty bags, bento bags, fanny packs, backpacks, wallets, picking bags, weight stabilizing bags, travel bags, rescuer guide packs, shoe covers, and cases for wheel sets | 26 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Di-n-butyl phthalate (DBP) |
| Miscellaneous Consumer Products: Notices include orthodontic kits, keychains, back scratchers, safety flags, vinyl banners, engraved wax sealers, steering wheel covers, lamps, stethoscopes, salt and pepper shakers with PVC components, luggage tag, and vinyl roll holders | 26 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), Di-n-butyl phthalate (DBP), and Lead |
| Hardware and Home Improvement Products: Notices include long handle hooks, garden hose splitters, coatings and paints, soldering wire, tools with PVC grips, pressure gauge, thermocouples, wing nuts, pop-up drains, propane tank adapter, and thread tape | 23 Notices | Lead and Lead Compounds, Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Perfluorooctanoic Acid (PFOA) |
| Clothing and Shoes: Notices include gloves made with leather, bucket hats, sandals with PVC components, golf gloves, weatherproof jackets, slides, fuzzy socks, and ski pants | 22 Notices | Di(2-ethylhexyl)phthalate (DEHP), Chromium (hexavalent compounds), Perfluorooctanoic Acid (PFOA), and Bisphenol A (BPA) |
| Glassware, Metals, and Ceramics: Notices include mugs, glass sets, blue multi-colored glass, metal and glass organizers, spoon rests, shakers, and soap dispenser/sponge holders | 19 Notices | Lead and Lead Compounds |
| Miscellaneous Consumer Products: Notices include shower curtains, tablecloths, pillows, pet beds, athletic bandages, and outdoor cushions | 10 Notices | Perfluorooctanoic Acid (PFOA) |
| Hobby Items: Notices include artist paste paints, art panels, lens mounts, pickleball paddles, jump rope, molding cream, and golf storage boot | 8 Notices | Di(2-ethylhexyl)phthalate (DEHP), Di-n-butyl phthalate (DBP), Lead, Diethanolamine, and Perfluorooctanoic Acid (PFOA) |
| Coal Tar Epoxy | 1 Notice | Bisphenol A (BPA), Epichlorohydrin, Ethylbenzene, soots, tar and mineral oils (coal tar) |
There are numerous defenses to Prop. 65 claims, and proactive measures that industry can take prior to receiving a Prop. 65 Notice in the first place. Keller and Heckman attorneys have extensive experience in defense of Prop. 65 claims and in all aspects of Prop. 65 compliance and risk management. We provide tailored Proposition 65 services to a wide range of industries, including food and beverage, personal care, consumer products, chemical products, e-vapor and tobacco products, household products, plastics and rubber, and retail distribution.