Nonprofit Health Care Mergers – Introduction: With Complexity Comes Opportunity
In the evolving health care landscape, mergers between nonprofit health care organizations are becoming increasingly common. Mergers are often driven by a combination of economic factors, the need to improve quality and efficiency of care, and the desire to create value for patients and communities. As the first post in our nonprofit merger series, we will explore why nonprofit health care entities may consider a merger, analyze the economic pressures influencing such decisions, and discuss the structures of nonprofit transactions, including the differences between member substitutions and true mergers. Forthcoming posts in this series will examine the unique due diligence concerns, regulatory approvals, and financing arrangements involved in nonprofit health care mergers.
The Economic Drivers of Nonprofit Health Care Mergers
1. Cost Efficiency and Scale Economies
It is not unusual to find multiple nonprofit health care organizations serving the same or similar patient community in a given market or region. Although competition within a for-profit industry may be seen as beneficial for consumers, most nonprofit health care organizations are competing for the same sources of government funding and/or charitable donations for their capital needs, which can weaken or inhibit the impact of their work both individually and in the aggregate.
As a result, overlapping nonprofits may realize significant economies of scale and make a substantially greater impact by joining forces and centralizing their efforts through a merger. By combining their operations, two organizations can reduce duplicative costs in areas such as administration, technology, and supply chain management. For example, by consolidating back-office functions such as human resources, billing, and procurement, a merged entity can lower its operational expenses and redirect those savings into improving patient care and expanding services. For smaller entities in particular, the cost of implementing advanced medical technology or transitioning to new electronic health record (EHR) systems can be prohibitive. By merging, organizations may be better equipped to absorb these costs and ensure their long-term financial sustainability.
2. Increased Bargaining Power with Payers and Third Parties
Another economic factor is the increased leverage that a larger health care organization has when negotiating with insurance companies and other payors. Together, a merged organization can exercise more market power and negotiate better reimbursement rates than any of the parties could on their own. Higher reimbursement can significantly improve the financial outlook for a nonprofit health care organization, which must carefully balance its mission with its financial health. Before proceeding with a merger, the parties will often engage a third-party consultant to analyze their current payor arrangements and identify opportunities for improvement.
3. Access to Capital
Nonprofit health care organizations, unlike their for-profit counterparts, do not have access to equity markets to raise capital. Mergers can offer a solution to this challenge. By merging, two organizations can improve their creditworthiness, making it easier to obtain loans and other forms of debt financing for future expansion, facility improvements, or technology upgrades. This is particularly important as health care organizations seek to invest in value-based care models that require significant upfront investment in care coordination, population health management, and IT infrastructure. Lending arrangements for nonprofits are typically quite challenging due to concerns about maintaining tax status, use of funds, and restrictions associated with both. It is not uncommon for organizations to restructure their lending arrangements and partners during a merger process or immediately thereafter.
Improving Delivery of Care
1. Enhancing Quality of Care
One of the key motivations for a nonprofit merger is to improve quality and continuity of care. Smaller health care organizations, particularly those in rural areas, may struggle to provide specialized services or maintain high clinical practice standards due to more limited resources. A merger allows the parties to pool their resources and share best practices to build a more efficient and effective care delivery system, thereby improving patient outcomes and practitioner recruitment efforts.
Additionally, mergers can help organizations streamline care pathways. For instance, a health care system with multiple facilities may create better-integrated care models, improving coordination between primary care, specialty care, and hospital services. This enhances patient outcomes by reducing duplication of services, minimizing delays in care, and ensuring that patients receive the appropriate care in the most efficient setting.
2. Expanding Access to Care
For many nonprofit health care organizations, expanding access to care — especially for underserved populations — is a central part of their mission. Mergers can help organizations achieve this goal by expanding their geographic reach and the range of services that they can provide. For example, a small community hospital may merge with a larger regional health system to provide its patients with access to specialized services that were previously unavailable locally, such as oncology or cardiology.
Furthermore, mergers may enable organizations to better address social determinants of health, which is increasingly recognized as critical to improving population health. For example, a Federally Qualified Health Center (FQHC) with a strong primary care practice may consider merging with a nonprofit community-based behavior health clinic to create an integrated preventative care network specific to the medical and behavioral health needs of its community. The larger, more financially stable merged organization may then be able to invest additional resources in community health initiatives, such as housing support and food security programs.
3. Investing in Innovation
Health care providers, and particularly nonprofits, may find it difficult to keep up with the rapid pace of innovation in the health care sector. Merged organizations are often better positioned to invest in these innovations, particularly in areas like telemedicine, data analytics, precision medicine, and value-based care models. By combining resources and patient base data, nonprofit health care organizations can become more responsive to the health care needs of their patient community, contributing to improved clinical outcomes and, in turn, a more financially stable future.
Value Creation Beyond Economics and Care Delivery
1. Mission Alignment
Nonprofit health care organizations are mission-driven, with the goal of serving their communities and improving health outcomes. When two nonprofit organizations merge, they typically seek to align their missions and values. This alignment is essential for ensuring the new entity remains focused on its core objective — whether that is serving a particular patient population, improving community health, or promoting medical research and education.
This often creates a situation where the two parties to the proposed merger are forced to negotiate a revised set of bylaws better suited for the combined entity post-closing. Important in this negotiation is understanding the terms around board structure, committees, executive officers, and general governance post-closing. It is not uncommon to see an expanded board or some combination of the two boards along with a realignment in officer positions. This is often an area of significant negotiation during the merger process.
2. Organizational Culture and Leadership Stability
In the nonprofit health care sector, where mission and values are paramount, ensuring that the two organizations’ cultures are compatible is essential. A well-executed merger offers a unique opportunity to bring fresh perspectives into leadership while preserving and building upon the parties’ existing strengths. By integrating their boards and leadership teams, merged organizations may foster the environment for more innovative and effective strategies for fulfilling a unified mission.
Structures of Nonprofit Health Care Transactions
Nonprofit health care mergers utilize unique transaction structures, primarily because they do not have shareholders and are organized for charitable purposes. Two common structures for combining nonprofit health care organizations include a member substitution and a true merger per state law.
1. Member Substitution
In a member substitution transaction, one nonprofit organization becomes the controlling member of another nonprofit without the two organizations dissolving or fully integrating into a single entity. The sole member (usually the parent organization) gains the authority to appoint the board members of the other organization and effectively controls its governance and operations. Note that a member substitution may not be viable in some states where nonprofit entities are not required or permitted to have members.
Benefits: Member substitution is often viewed as a less disruptive approach compared to a true merger. With a member substitution, the controlled entity retains its legal identity, which can help preserve relationships with donors, the community, and key stakeholders. This structure can also be advantageous for organizations wanting to maintain some degree of autonomy, particularly if they have a strong local presence or identity. Also important is that this structure still maintains separation of liabilities between each entity, i.e., liabilities of the nonprofit relinquishing control do not become the liabilities of the controlling member. A merger between a large health system and a smaller, local hospital may elect this structure in order to minimize disruption to the controlled entity’s local operations.
Challenges: The drawback of a member substitution is that it may not achieve the full benefits of integration, such as cost savings or streamlined operations. There may also be governance challenges if the controlled entity’s leadership or board resists the level of oversight imposed by the parent organization. Administratively, a member substitution can also be challenging because of the multiple levels of board governance.
2. True Merger
In a true merger, two or more nonprofit health care organizations combine into a single legal entity. The merged organization typically has a unified governance structure, leadership team, and operational model. This type of merger represents full integration and can provide the most significant opportunities for cost savings, operational efficiencies, and strategic growth.
Benefits: A true merger allows for complete consolidation of assets, liabilities, and operations. The merged organization can realize the maximum potential for economies of scale, enhanced bargaining power, and operational integration. Additionally, a true merger simplifies governance by creating a single board of directors and a unified executive leadership team.
Challenges: A true merger is more complex and may require regulatory approvals, including from the state attorney general or other regulatory bodies overseeing nonprofit or health care entities. The process can be time-consuming and may involve significant costs associated with legal, financial, and operational integration. A true merger also means that the surviving entity inherits the liabilities of the merged entity, which can result in unforeseen liability and risks for the surviving entity.
Conclusion
Mergers among nonprofit health care organizations are driven by a combination of economic pressures, the need to improve care delivery, and the desire to create long-term value for patients and communities. Whether through a member substitution or a true merger, these transactions can help organizations achieve financial stability, enhance quality of care, and expand access to services. However, nonprofit mergers require careful planning, particularly around governance, cultural integration, and mission alignment, to ensure that the merged organization remains focused on its charitable objectives and continues to serve its community effectively.
For nonprofit health care organizations considering a merger, it is essential to weigh both the financial and operational benefits, as well as the impact on the mission, before moving forward. With the right strategic approach, a merger can both strengthen the financial position of the parties and enhance their ability to serve their patients and communities.
How PPM Health Plans Can Solve the MEWA Problem
While a physician practice management (PPM) structure allows for compliance with corporate practice of medicine laws and ease of administration, it often creates inadvertent health plan issues that should be navigated carefully to avoid compliance issues and/or difficulties with selling PPM entities.
In Depth
MEWA PROBLEM
The PPM structure helpfully allows physicians to focus on the clinical practice of medicine through a physician practice professional corporation (PC), while outsourcing the business of the practice of medicine to a management services organization (MSO, which, together with the PC, is referred to as the PPM). Ideally, employees of the MSO and employees of each PC associated with the PPM structure could be combined and covered under a single group health plan to allow for experience rating of a larger group of employees, which leads to cost savings for the PPM structure and all employees, and simplifies the offering of healthcare coverage administration.
Because the MSO and the PC under the PPM structure typically do not have adequate common ownership – purposefully so to ensure the PPM structure complies with the corporate practice of medicine rules – allowing the PC and MSO entities to participate in the same health plan can create health plan compliance concerns, such as a multiple employer welfare arrangement (MEWA). It is preferable to avoid creation of a MEWA, as MEWA requirements can be burdensome and prohibitive, including exposure to state laws (some of which outlaw self-funded MEWAs) and extensive reporting requirements to certain states and the US Department of Labor. As a result, having a MEWA can result in state and/or federal penalties and the structure presents significant complications when it comes to selling the PPM to a third party.
MEWA ALTERNATIVES
All, however, is not lost. Rather than separately purchasing commercially available group health insurance (e.g., in the small group market, which is expensive and lacking in transparency), MSOs and PCs have several other options to provide group health plan coverage and avoid or accommodate being a MEWA. These include the following:
The MSO and PCs establish “mirror plans,” where each entity maintains a self-funded group health plan but stop-loss insurance may be pooled among entities. Alternatively, the MSO and PCs may use a group captive medical stop-loss structure to manage risk associated with stop-loss insurance for self-funded plans.
The MSO and PCs establish separate “level-funded” plans, where the MSO and PCs establish and maintain their own self-funded group health plans.
The MSO and PCs purchase fully insured group health coverage that is underwritten as a single, large group through a professional employer organization (PEO). While this usually in fact creates a MEWA, MEWA compliance is the responsibility of the PEO provider not the PPM structure.
Key Updates to the Employment Rights Bill
As part of the UK Government’s efforts to boost living standards and following weeks of consultation with business groups and trade unions, the Government has announced a series of proposed changes that the Employment Rights Bill (the “Bill”) plans to implement.
Here is a brief overview of the measures:
Employees will receive new “Day One” rights including being entitled to:
statutory sick pay (at present, this only applies from the third day of sickness absence);
unfair dismissal protection (removing the two-year qualifying employment requirement);
parental leave (removing the 26-weeks continuous service requirement); and
paternity leave entitlement (removing the one-year continuous service requirement).
Increasing the maximum period of the protective award for collective redundancy from 90 days to 180 days. Tribunals will be able to grant larger awards to employees for an employer’s failure to meet consultation requirements. Further guidance will be issued on this.
Abolishing the Lower Earnings Limit of £123 weekly to ensure that all employees, irrespective of pay, have access to statutory sick pay (“SSP”). People on wages below £123 weekly will receive either 80% of their average weekly earnings or statutory sick pay (which is currently £116.75), whichever is lowest.
A requirement for employers to take all reasonable steps to prevent sexual harassment and sexual harassment-related disclosures will constitute “protected disclosures”.
Flexible working is set to become the “default” for all workers from their first day with employers only able to refuse a flexible working request if it is “unreasonable” based on a lawful ground (listed in the Bill).
It will be unlawful to dismiss pregnant mothers during their pregnancy and maternity leave (subject to exceptions which are yet to be clarified).
Bereavement leave will be available for those who suffer a pregnancy loss before 24 weeks.
A Modern Framework for Industrial Relations will be created to align trade unions operations with modern work practices.
Time limits for bringing claims in the employment tribunals will be extended from three to six months following the date of the act(s) complained of.
Dismissing an employee who does not agree to a contract variation, or enabling an organisation to employ another person, or re-engaging the same employee under a varied contract to carry out substantially the same duties will be considered unfair dismissal unless the employer can show it could not have reasonably avoided making the variation.
The definition of workers will now include agency workers who should be able to access a contract which reflects the hours they regularly work. The zero-hour contract ban will extend to include agency workers.
Those working for umbrella companies will be given comparable rights and protections as they would have if they were working for a recruitment agency. Enforcement action will be able to be taken against umbrella companies if they do not comply.
The Government will no longer be including a “right to switch off” outside of working hours in the Bill which would have prevented employers contacting staff out-of-hours. However, there have been suggestions that this right may be included in an accompanying code in due course.
The Bill is set to be heard before Parliament over the next few weeks during which further amendments may be made. The Bill is expected to be introduced next Autumn.
Maya Sterrie also contributed to this article.
AI Meets HIPAA Security: Understanding HHS’s Risk Strategies and Proposed Changes
In this final blog post in the Bradley series on the HIPAA Security Rule notice of proposed rulemaking (NPRM), we examine how the U.S. Department of Health and Human Services (HHS) Office for Civil Rights interprets the application of the HIPAA Security Rule to artificial intelligence (AI) and other emerging technologies. While the HIPAA Security Rule has traditionally been technology agnostic, HHS explicitly addresses security measures for these evolving technology advances. The NPRM provides guidance to incorporate AI considerations into compliance strategies and risk assessments.
AI Risk Assessments
In the NPRM, HHS would require a comprehensive, up-to-date inventory of all technology assets that identifies AI technologies interacting with ePHI. HHS clarifies that the Security Rule governs ePHI used in both AI training data and the algorithms developed or used by regulated entities. As such, HHS emphasizes that regulated entities must incorporate AI into their risk analysis and management processes and regularly update their analysis to address changes in technology or operations. Entities must assess how the AI system interacts with ePHI considering the type and the amount of data accessed, how the AI uses or discloses ePHI, and who the recipients are of AI-generated outputs.
HHS expects entities to identify, track, and assess reasonably anticipated risks associated with AI models, including risks related to data access, processing, and output. Flowing from the proposed data mapping safeguards discussed in previous blog posts, regulated entities would document where and how the AI software interacts with or processes ePHI to support risk assessments. HHS would also require regulated entities to monitor authoritative sources for known vulnerabilities to the AI system and promptly remediate them according to their patch management program. This lifecycle approach to risk analysis aims to ensure the confidentiality, integrity, and availability of ePHI as technology evolves.
Integration of AI developers into the Security Risk Analysis
More mature entities typically have built out third-party vendor risk management diligence. If finalized, the NPRM would require all regulated entities contracting with AI developers to formally incorporate Business Associate Agreement (BAA) risk assessments into their security risk analysis. Entities also would need to evaluate BAs based on written security verifications that the AI vendor has documented security controls. Regulated entities should collaborate with their AI vendors to review technology assets, including AI software that interacts with ePHI. This partnership will allow entities to identify and track reasonably anticipated threats and vulnerabilities, evaluate their likelihood and potential impact, and document security measures and risk management.
Getting Started with Current Requirements
Clinicians are increasingly integrating AI into clinical workflows to analyze health records, identify risk factors, assist in disease detection, and draft real-time patient summaries for review as the “human in the loop.” According to the most recent HIMSS cybersecurity survey, most health care organizations permit the use of generative AI with varied approaches to AI governance and risk management. Nearly half the organizations surveyed did not have an approval process for AI, and only 31% report that they are actively monitoring AI systems. As a result, the majority of respondents are concerned about data breaches and bias in AI systems.
The NPRM enhances specificity in the risk analysis process by incorporating informal HHS guidance, security assessment tools, and frameworks for more detailed specifications. Entities need to update their procurement process to confirm that their AI vendors align with the Security Rule and industry best practices, such as the NIST AI Risk Management Framework, for managing AI-related risks, including privacy, security, unfair bias, and ethical use of ePHI.
The proposed HHS requirements are not the only concerns clinicians must consider when evaluating AI vendors. HHS also has finalized a rule under Section 1557 of the Affordable Care Act requiring covered healthcare providers to identify and mitigate discrimination risks from patient care decision support tools. Regulated entities must mitigate AI-related security risks and strengthen vendor oversight in contracts involving AI software that processes ePHI to meet these new demands.
Thank you for tuning into this series of analyzing the Security Rule updates. Please contact us if there are any questions or we can assist with any steps moving forward.
Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.
Industry Groups Urge Rescission of Proposed HIPAA Security Rule Updates
In February, a coalition of healthcare organizations sent a letter to President Donald J. Trump and the U.S. Department of Health and Human Services (HHS) (the Letter), urging the immediate rescission of a proposed update to the Security Rule under HIPAA. The update is aimed at strengthening safeguards for securing electronic protected health information.
According to The HIPAA Journal, the data breach trend in the healthcare industry over the past 14 years is up, not down. This is the case despite the HIPAA Security Rule having been in effect since 2005.
The HIPAA Journal goes on to provide some sobering statistics:
Between October 21, 2009, when OCR first started publishing summaries of data breach reports on its “Wall of Shame”, and and December 31, 2023, 5,887 large healthcare data breaches have been reported. On January 22, 2023, the breach portal listed 857 data breaches as still; under investigation. This time last year there were 882 breaches listed as under investigation, which shows OCR has made little progress in clearing its backlog of investigations – something that is unlikely to change given the chronic lack of funding for the department.
There have been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. The move to digital record keeping, more accurate tracking of electronic devices, and more widespread adoption of data encryption have been key in reducing these data breaches. There has also been a downward trend in improper disposal incidents and unauthorized access/disclosure incidents, but data breaches continue to increase due to a massive increase in hacking incidents and ransomware attacks. In 2023, OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over the same period. In 2019, hacking accounted for 49% of all reported breaches. In 2023, 79.7% of data breaches were due to hacking incidents.
The letter, signed by numerous healthcare organizations, outlines several key concerns regarding the proposed HIPAA Security Rule update, including:
Financial and Operational Burdens: The letter argues that the proposed regulation would impose significant financial and operational burdens on healthcare providers, particularly those in rural areas. The unfunded mandates associated with the new requirements could strain the resources of hospitals and healthcare systems, leading to higher healthcare costs for patients and reduced investment in other critical areas.
Conflict with Existing Law: The Letter points to an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act, arguing the proposed enhancements to the Security Rule conflict with the HITECH Act amendment. However, the HITECH Act amendment sought to incentivize covered entities to adopt “recognized security practices” that might minimize (not necessarily eliminate) remedies for HIPAA Security Rule violations and the length and extent of audits and investigations.
Timeline and Feasibility: The letter highlights concerns about the timeline for implementing the proposed requirements. The depth and breadth of the new mandates, combined with an unreasonable timeline, present significant challenges for healthcare providers.
No doubt, the Trump Administration is intent on reducing regulation on business. However, it will be interesting to see whether it softens or even eliminates the proposed rule in response to the Letter, despite the clear trend of more numerous and damaging data breaches in the healthcare sector, and an increasing threat landscape facing all U.S. businesses.
What to Watch in Nevada’s 2025 Legislative Session: Key Employment-Related Bills
On February 3, 2025, the Nevada state legislature kicked off its latest legislative session, and state lawmakers are poised to consider several bills that could impact employers and employees, from last day pay provisions to paid leave and work restrictions for minors. Here is a recap from the first month in session.
Quick Hits
The Nevada state legislature commenced its latest legislative session on February 3, 2025.
State lawmakers are considering multiple bills that could impact employment law in the Nevada.
Employers may want to take note of these legislative developments, which, if passed and enacted, could result in significant changes to Chapters 608 and 613 of the Nevada Revised Statutes (NRS).
Here is a breakdown of some of the key bills in this legislative session.
SB 198: Changes to Last Day Pay Provisions
Senate Bill (SB) 198 would revise the last day pay provisions under NRS 608.030. Under existing law, employers are required to pay discharged employees their earned and unpaid wages immediately. Similarly, employees placed on nonworking status must be paid immediately, and those who resign or quit must be paid by their next regular payday or within seven days, whichever is earlier. Penalties for the failure to pay final wages and compensation do not attach for three days from the date the wages and compensation are due, which is commonly referred to as the “three day grace period.”
The new bill would expand the definition of compensation to include fringe benefits and increase penalties for noncompliance. Further, the bill would eliminate the “three day grace period.” Instead, employers would only have until 5:00 p.m. the day following the date wages and compensation are due to the employee. The bill would also increase the penalties to an amount equal to eight hours of work at 1.5 times the employee’s hourly wage for each day the payment is delayed, up to thirty days. The bill would also mandate that cannabis establishments comply with all federal and state labor laws, with violations resulting in license revocation.
AB 112: Sick Leave Policy Changes
Assembly Bill (AB) 112 would remove the exemption for employees covered by a collective bargaining agreement (CBA) from the provisions of NRS 608.01975. Under current law, employers are not required to allow employees covered by a CBA to use accrued sick leave for family medical needs. The bill would eliminate that exemption, making the requirement applicable to all employers, regardless of CBA coverage. However, the changes would not apply during the current term of any CBA entered into before October 1, 2025. Still, they would apply to any extensions, renewals, or new agreements made on or after that date.
AB 166: Work Hour Restrictions for Minors
AB 166 would extend the limitations on the number of hours workers under the age of sixteen are allowed to work to workers under the age of eighteen and reduce the number of allowable work hours from forty-eight hours in a week to forty hours in a week. The bill would maintain the daily limit of eight hours. Additionally, the bill would prohibit minors enrolled in school from working before 5:00 a.m. on school days and after 10:00 p.m. on nights preceding school days. Exceptions would remain for work as performers in motion pictures and work on farms.
AB 179: Extension of Paid Leave Statute
Nevada’s existing paid leave statute requires private employers with fifty or more employees in the state to provide at least 0.01923 hours of paid leave for each hour worked, but it does not apply to employers that provide such a paid leave policy “pursuant to a contract, policy, collective bargaining agreement or other agreement.” AB 179 would eliminate that exception to the statute. Further, the bill clarifies specific actions that would constitute unlawful “retaliation” under the statute against an employee who takes paid leave.
AB 255: Prohibiting Repayment Obligations in Employment Contracts
AB 255 would prohibit employers from requiring an employee or independent contractor to repay the employer any sums if the employee terminates employment before a specified period of time expires. This could include training expenses, relocation expenses, or sign-on bonuses with repayment obligations, which are tied to an employee or independent contractor satisfying a length of service first. AB 255 could be enforced by the labor commissioner or the attorney general, and would also create a private right of action.
SB 160: Realignment of Nevada Equal Rights Commission and Enhance Scope of Authority
SB 160 would remove the Nevada Equal Rights Commission (NERC) from the Department of Employment, Training and Rehabilitation, and move it to the Office of the Attorney General. It permits NERC to consider “historical data” related to the employer’s discriminatory practices. There is declarative language in this legislation about nondiscrimination being a public policy of the state, which could open the door to wrongful termination in violation of public policy claims based on discriminatory acts, which is not currently the law. The bill also details a penalties structure for employers that are deemed to have committed “willful” violations of the statute.
First Circuit Joins Other Circuits in Adopting Stricter Causation Standard in FCA Cases Based on Anti-Kickback Statute
On February 18, 2025, the First Circuit joined the Sixth and Eighth Circuits in adopting a “but for” causation standard in cases involving per se liability under the federal Anti-Kickback Statute (AKS) and the False Claims Act (FCA). In U.S. v. Regeneron Pharmaceuticals, the First Circuit held that for an AKS violation to automatically result in FCA liability, the government must show that the false claims would not have been submitted in the absence of the unlawful kickback scheme. The decision is the latest salvo in the battle over what it means for a false claim to “result from” a kickback, as discussed in our False Claims Act: 2024 Year in Review.
With the fight becoming increasingly one-sided — the Third Circuit remains the only circuit that has adopted a less stringent causation standard — the government may look at alternative theories to link the AKS and FCA.
Key Issues and the Parties’ Positions
As outlined in our previous posts on the issue, the legal dispute revolves around the interpretation of the 2010 amendment to the AKS, which states that claims “resulting from” a kickback constitute false or fraudulent claims under the FCA.
In this case, the government accused Regeneron of violating the AKS by indirectly covering Medicare copayments for its drug, Eylea, through donations to a third-party foundation. The government’s key argument relied on the Third Circuit’s Greenfield decision, the AKS’s statutory structure, and the 2010 amendment’s legislative history to argue that a stringent causation standard would defeat the amendment’s purpose. It urged the court to find that once a claim is tied to an AKS violation, it should automatically be considered false under the FCA — without the need to prove that the violation directly influenced the claim.
Regeneron, on the other hand, argued that an FCA violation only occurs if the kickback was the determining factor in the submission of the claim. Relying on the Eighth and Sixth Circuits’ decisions, prior Supreme Court precedent, and a textual reading of the amendment, Regeneron contended that the phrase “resulting from” could only mean actual causation and nothing less.
The Court’s Decision
The First Circuit sided with Regeneron. It found that, given the Supreme Court’s prior interpretation of “resulting from” phrase as requiring but-for causation, this should be the default assumption when a statute uses that language. While acknowledging that statutory context could, in some cases, suggest a different standard, the court concluded that the government failed to provide sufficient contextual justification for a departure from but-for causation.
The court rejected the government’s argument that, in the broader context of the AKS statutory scheme, it would be counterintuitive for Congress to impose a more stringent causation standard for civil AKS violations than for criminal AKS violations, which require no proof of causation. The court also dismissed the government’s legislative history argument — specifically, the claim that a but-for causation standard would undermine the impetus for the amendment.
Implication: False Certification Theories May Become More Prominent
The First Circuit was careful to distinguish between the per se liability at issue in this case and liability under a false certification theory. While the government must show but-for causation for an AKS violation to automatically give rise to FCA liability, the court said that the same is not true for false certification claims.
Any entity that submits claims for payment under federal healthcare programs certifies — either explicitly or implicitly — that it has complied with the AKS. The court noted that nothing in the 2010 amendment requires proof of but-for causation in a false certification case. The government may take this as a cue to pivot toward false certification claims as a means of linking the AKS and FCA, potentially leaving the 2010 amendment argument behind.
Final Thoughts
The First Circuit’s decision in U.S. v. Regeneron Pharmaceuticals further cements the dominance of the “but for” causation standard in linking AKS violations to FCA liability, making it increasingly difficult for the government to pursue claims under a per se liability theory. With three circuits now aligned on this interpretation and only the Third Circuit standing apart, the tide appears to be turning in favor of a stricter causation requirement.
However, as the court acknowledged, this ruling may not foreclose other avenues for FCA liability — particularly false certification claims, which at least this court has found do not require the same level of causal proof. Given this, the government may shift its focus toward alternative enforcement strategies to maintain the strength of its anti-kickback enforcement efforts. As the legal landscape continues to evolve, healthcare entities and compliance professionals should remain vigilant, as new litigation trends and regulatory responses may reshape the interplay between the AKS and FCA in the years to come.
Listen to this post
HHS Reverses Its Longstanding Policy and Limits Public Participation in Rulemaking
On March 3, 2025, the Secretary of Health and Human Services published a policy statement in the Federal Register that reverses a policy adopted over 50 years ago that was intended to expand public participation in the process of rulemaking at the Department of Health and Human Services (the “Department”). 90 Fed. Reg. 11029 (2025).
This action is at odds with the “radical transparency” that Secretary Kennedy had promised previously, and may affect many programs and financial relationships between individuals, organizations, and others that interact with Health and Human Services (“HHS”).
Regulatory agencies such as HHS and its components, including the Centers for Medicare and Medicaid Services (“CMS”), the Food and Drug Administration (“FDA”), and the National Institutes of Health (“NIH”) must follow rulemaking procedures set out in the Administrative Procedure Act (“APA”) when they formulate and publish regulations that are intended to implement a statute and have the force of law. Those procedures include offering the public an opportunity to be notified of proposed regulations and to submit comments to the agency. The APA also contains several exceptions to the notice and comment requirement, including one for matters relating to “public property, loans, grants, benefits, or contracts.” Nevertheless, HHS and several other federal departments adopted policies that voluntarily waived these exceptions.
In 1971, then-Secretary of Health, Education, and Welfare Elliot Richardson issued a policy statement announcing that the Department would voluntarily follow notice and comment procedures for regulations relating to public property, loans, grants, benefits, or contracts (the “Richardson Waiver”). That notice explained that the waiver would allow for greater participation by the public in the rulemaking process, and that the additional burden on the Department was outweighed by the public benefit. The policy also instructed that although the APA allows for rulemaking procedures to be waived when good cause exists, that exception should be used “sparingly.”
HHS’s New Policy Limiting Rulemaking and Potential Safeguards
The new HHS policy statement sweeps away the 1971 policy. Its impact may vary depending on the issue and component of HHS. For example, for research funded by the NIH or other projects funded by agencies within HHS, the new policy could allow a granting or contracting agency to amend financial terms without public participation. This exact issue is currently in the spotlight as courts actively evaluate the legality of the NIH’s recent Supplemental Guidance to the 2024 NIH Grants Policy Statement: Indirect Cost Rates (NOT-OD-25-068))(“Supplemental Guidance”), issued by the Office of the Director of the National Institutes of Health on February 7, 2025, which attempted to impose an across-the-board 15% cap on Indirect Cost (“IDC’) rates for all new grants as well as for existing grants awarded to Institutions of Higher Education. The District Court of Massachusetts has imposed a nationwide preliminary injunction (“PI”) prohibiting the Secretary and NIH from taking any steps to implement or enforce the Supplemental Guidance. Commonwealth of Massachusetts, et al. v. National Institutes of Health, et al., No. 25-CV-10338 (D. Mass. Mar. 5, 2025). The court concluded that the plaintiffs would be irreparably harmed by the Supplemental Guidance and agreed that the Supplemental Guidance was a legislative rule that failed to comply with the notice and comment requirements of the APA. It relied in part on the argument that under the Richardson Waiver, the Secretary could not change the IDC rate unilaterally. The timing of the Department’s policy reversing the Richardson Waiver might be viewed as directly responsive to this disputed point in the ongoing litigation.
In other areas, the policy statement may have little or no impact if there is a separate statutory requirement for rulemaking. In the Medicare statute, for example, Congress mandated in Section 1871(a)(2) of the Social Security Act that HHS must engage in notice and comment rulemaking for any “substantive legal standard governing the scope of benefits, the payment for services, or the eligibility of individuals, entities, or organizations to furnish or receive services or benefits . . . .” Should Congress decide to limit the scope of the new HHS policy, this statute could be a template for legislation.
The impact of the new policy on the Medicaid program is less clear. While there is no similar statutory requirement for rulemaking under the Medicaid program as there is for Medicare, the federal government also has more limited control over the direction of each individual State’s Medicaid program offering. However, there are areas where HHS has sought public comment on changes to state Medicaid program requirements in the past, such as changes proposed by States through Medicaid program waivers that the federal government has to approve. This new policy may be signaling that HHS will choose not to seek comments on those proposed changes in the future.
Returning to the IDC rate litigation, there arguably exists both statutory and regulatory grounding for applying grantees’ existing negotiated indirect cost rates, documented in the negotiated indirect cost rate agreement (“NICRA”) entered into between the government and grantee institutions. First, a provision in the annual appropriations act since 2018 has limited Congress’ ability to impose any type of across-the-board cap. See Further Consolidated Appropriations Act, 2024, P.L. 118-47, Title II, § 224. This was adopted in response to the first Trump administration’s attempt to impose an across-the-board cap of 10% in 2017. Second, in the HHS regulations applicable to IDC rates, there is an explicit requirement that the negotiated rates must be “accepted by all Federal awarding agencies.” 45 C.F.R. § 75.414(c)(1). This regulatory exception, and alleged noncompliance with the APA’s rulemaking requirement, is at the core of the ongoing IDC rate litigation. As such, there are arguably continued bases for the objection to the NIH Supplemental Guidance notwithstanding the recent reversal of the Richardson Waiver.
Does HHS’s New Policy Signal a Wider Use of the “Good Cause” Exception?
Another part of the new HHS policy to watch carefully involves the exception in the APA that allows agencies to dispense with notice and comment rulemaking when there is good cause that a notice and comment period is impractical or contrary to the public interest. The new HHS policy states that agencies may rely on the good cause exception “in appropriate circumstances” rather than “sparingly” but provides no further clarification.
Courts have interpreted this exception narrowly; for example, they have upheld good cause exceptions when agencies have responded to epidemics and natural disasters, but have rejected exceptions claimed by agencies due to statutory deadlines, economic concerns, or a need to implement a political goal rapidly. In addition, a 2012 report published by the General Accountability Office criticized the frequent use of the good cause exception to avoid public comments on rules. Therefore, it remains to be seen how and when HHS relies on this exception, and whether the reasons offered justify the exception or would stand up to judicial review.
OSHA Terminates COVID-19 Emergency Temporary Standard for Healthcare Workers
Is COVID-19 still a thing, and does OSHA care about it? Yes and yes. We all know that COVID-19 is still around. On the OSHA front, the agency seems to be focused less exclusively on COVID-19 and plans to take a broader approach.
Refresher on OSHA’s Work During the Pandemic
On June 21, 2021, OSHA issued an Emergency Temporary Standard (ETS) to protect healthcare workers from COVID-19. The ETS also served as a proposed rule for a permanent standard to address COVID-19 exposure in healthcare settings. OSHA submitted a draft final rule to the Office of Management and Budget in December 2022. However, the COVID-19 pandemic evolved, and the resources needed to finalize a separate COVID-19 standard grew, which resulted in a House Joint Resolution terminating the national emergency and OSHA terminating the rulemaking.
Now What?
OSHA determined that a more effective strategy would be to create a broader infectious diseases standard for healthcare workers. This new standard will cover multiple infectious diseases, including COVID-19, offering more comprehensive protections for healthcare workers. As a result, effective January 15, 2025, OSHA has decided to terminate its COVID-19 rulemaking and focus instead on this broader infectious diseases standard, rather than a disease-specific approach. On February 5, 2025, OSHA issued a memorandum that it will not enforce the COVID-19 recordkeeping and reporting requirements.
Listen to this post
This Week in 340B: February 25 – March 3, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: Antitrust; Contract Pharmacy; HRSA Audit Process; Rebate Model
In an antitrust class action case, the court granted the defendant’s motion to dismiss.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, a group of amici filed an amicus brief in support of appellees.
In an appealed case challenging a proposed state law governing contract pharmacy arrangements, defendants-appellants filed an opening brief.
In a Freedom of Information Act (FOIA) case, the plaintiff filed a reply in support of its motion to strike the government’s motion for summary judgment.
In one Health Resources and Services Administration (HRSA) audit process case, the plaintiff filed a supplemental brief in support of the plaintiff’s motion for preliminary injunction.
A group of 340B covered entities filed a complaint against a group of commercial payors, alleging that the payors were in breach of their contracts by failing to pay the proper amounts for 340B-acquired drugs.
In three cases challenging a proposed state law governing contract pharmacy arrangements in Missouri, the court denied in part and granted in part two separate motions to dismiss and denied plaintiff’s motion for a preliminary injunction in a third case.
In two cases against HRSA alleging that HRSA unlawfully refused to approve drug manufacturers’ proposed rebate models:
In one such case, a group of amici filed an amicus brief in support of defendants.
In one such case, a group of amici moved for leave to file an amicus brief in support of plaintiffs’ motion for summary judgment.
Additional Authors: Kelsey Reinhardt and Nadine Tejadilla
California’s AI Revolution: Proposed CPPA Regulations Target Automated Decision Making
On November 8, 2024, the California Privacy Protection Agency (the “Agency” or the “CPPA”) Board met to discuss and commence formal rulemaking on several regulatory subjects, including California Consumer Privacy Act (“CCPA”) updates (“CCPA Updates”) and Automated Decisionmaking Technology (ADMT).
Shortly thereafter, on November 22, 2024, the CPPA published several rulemaking documents for public review and comment that recently ended February 19, 2025. If adopted, these proposed regulations will make California the next state to regulate AI at a broad and comprehensive scale, in line with Colorado’s SB 24-205, which contains similar sweeping consumer AI protections. Upon consideration of review and comments received, the CPPA Board will decide whether to adopt or further modify the regulations at a future Board meeting. This post summarizes the proposed ADMT regulations, that businesses should review closely and be prepared to act to ensure future compliance.
Article 11 of the proposed ADMT regulations outlines actions intended to increase transparency and consumers’ rights related to the application of ADMT. The proposed rules define ADMT as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” The regulations further define ADMT as a technology that includes software or programs, uses the output of technology as a key factor in a human’s decisionmaking (including scoring or ranking), and includes profiling. ADMT does not include technologies that do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking (this includes web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies). The proposed ADMT regulations will require businesses to notify consumers about their use of ADMT, along with their rationale for its implementation. Businesses also would have to provide explanations on ADMT output in addition to a process for consumers to request to opt-out from such ADMT use.
It is important to note that the CCPA Updates will be applicable to organizations that meet the thresholds of California civil codes 1798.140(d)(1)(A), (B) and (C). These civil codes apply to organizations that: (A) make more than $25,000,000 in gross annual revenues; (B) alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households; and (C) derive 50% or more of its annual revenues from selling or sharing a consumers’ personal information. While not exhaustive of the extensive rules and regulations described in the proposed CCPA Updates, the following are the notable changes and potential business obligations under the new ADMT regulations.
Scope of Use
Businesses that use ADMT for making significant decisions concerning consumers must comply with the requirements of Article 11. “Significant decisions” include decisions that affect financial or lending services, housing, insurance, education, employment, healthcare, essential goods services, or independent contracting. “Significant decisions” may also include ADMT used for extensive profiling (including, among others, profiling in work, education, or for behavioral advertising), and for specifically training AI systems that might affect significant decisions or involve profiling.
Providing a Pre-Use Notice
Businesses that use ADMT must provide consumers with a pre-use notice that informs consumers about the use of ADMT, including its purpose, how ADMT works, and their CCPA consumer rights. The notice must be easy-to-read, available in languages the business customarily provides documentation to consumers, and accessible to those with disabilities. Business must also clearly present the notice to the consumer in the way which the business primarily interacts with the consumer, and they must do so before they use any ADMT to process the consumer’s personal information. Exceptions to these requirements will apply to ADMT used for security, fraud prevention, or safety, where businesses may omit certain details.
According to Section 7220 of the CCPA Updates, pre-use notice must contain:
A plain language explanation of the business’s purpose for using ADMT.
A description of the consumer’s right to opt-out of ADMT, as well as directions for submitting an opt-out request.
A description of the consumer’s right to access ADMT, including information on how the consumer can request access the business’ ADMT.
A notice that the business may not retaliate against a consumer who exercises their rights under the CPPA.
Any additional information (via a hyperlink or other simple method), in plain language, that discusses how the ADMT works.
Consumer Opt-Out Rights
Consumers must be able to opt-out of ADMT use for significant decisions, extensive profiling, or training purposes. Exceptions to opt-out rights include where businesses use ADMT for safety, security, or fraud prevention or for admission, acceptance, or hiring decisions, so long as it is necessary, and its efficacy has been evaluated to ensure it works as intended. Businesses must provide consumers at least two methods of opting out, one of which should reflect the way the business mainly interacts with consumers (e.g., email, internet hyperlink etc.). Any opt-out method must be easy to execute and should require minimal steps that do not involve creating accounts or providing unnecessary info. Businesses must process opt-out requests within 15 business days, and they may not retaliate against consumers for opting out. Businesses must wait at least 12 months before asking consumers who have opted out of ADMT to consent again for its use.
Providing Information on the ADMT’s Output
Consumers have the right to access information about the output of a business’s ADMT. The CPPA regulations do not define “output,” but the term likely includes outcomes produced by ADMT and the key factors influencing them.
When consumers request access to ADMT, businesses must provide information on how they use the output concerning the consumer and any key parameters affecting it. If they use the output to make significant decisions about the consumer, the business must disclose the role of the output and any human involvement. For profiling, businesses must explain the output’s role in the evaluation.
Output information includes predictions, content, recommendations, and aggregate statistics. Depending on the ADMT’s purpose, intended results, and the consumer’s request, the information provided can vary. Businesses must carefully consider these nuances to avoid over-disclosure.
Human Appeal Exception
The CPPA proposes a “human appeal exception,” by which consumers may appeal a decision to a human reviewer who has the authority to overturn the ADMT decision. Business can choose to offer a human appeal exception in lieu of providing the ability to opt out when using ADMT to make a significant decision concerning access to, denial, or provision of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or independent contracting opportunities or compensation, healthcare services, or essential goods or services.
To take advantage of the human appeal exception, the business must designate a human reviewer who is able to understand the significant decision the consumer is appealing and the effects of the decision on the consumer. The human reviewer must consider the relevant information provided by the consumer in their appeal and may also consider any other relevant source of information. The business must design a method of appeal that is easy for consumers to execute, requiring minimal steps, and that it clearly describes to the consumer. Communications and disclosures with appealing consumers must be easy to read and understand, written in the applicable language, and reasonably accessible.
Risk Assessments
Under the CPPA’s proposed rules, every business that processes consumer personal information must conduct a risk assessment before initiating that processing, especially if the business is using ADMT to make significant decisions concerning a consumer or for extensive profiling. Businesses must conduct risk assessments to determine whether the risks to consumers’ privacy outweigh the benefits to consumers, the business, and other stakeholders.
When conducting a risk assessment, businesses must identify and document: the categories of personal information to be processed and whether they include sensitive personal information; the operational elements of its ADMT processing (e.g., collection methods, length of collection, number of consumers affected, parties who can access this information, etc.); the benefits that this processing provides to the business, its consumers, other stakeholders, and the public at large; the negative impacts to consumers’ privacy; the safeguards that it plans to implement to address said negative impacts; information on the risk assessment itself and those who conducted it; and whether the business will initiate the use of ADMT despite the identified risks.
A business will have 24 months from the effective date of these new regulations to submit the results of their risk assessment conducted from the effective date of these regulations to the date of submission. After completing its first submission, a business must submit subsequent risk assessments every calendar year. In addition, a business must review and update risk assessments to ensure accuracy at least once every three years, and it should convey updates through the required annual submission. If there is any material change to a business’ processing activity, it must immediately conduct a risk assessment. A business should retain all information collected of a business’ risk assessments for as long as the processing continues, or for five years after the completion of the assessment, whichever is later.
What Businesses Should Do Now
The CPPA’s proposed ADMT regulations under the CCPA emphasize the importance of transparency and consumer rights. By requiring businesses to disclose how they use ADMT outputs and the factors influencing the outputs, the regulations aim to ensure that consumers are well-informed, and safeguards exist to protect against discrimination. As businesses incorporate ADMT, including AI tools, for employment decision making, they should follow the proposed regulations’ directive to conduct adequate risk assessments. Regardless of the form in which these regulations go into effect, preparing a suitable AI governance program and risk assessment plan will protect the business’s interests and foster employee trust.
Please note that the information provided in the above summary is only a portion of the rules and regulations proposed by the CCPA Updates. Now that the comment period closed, the CPPA will deliberate and finalize the CCPA Updates within the year. Evidently, these proposed regulations will require more action by businesses to remain compliant. While waiting for the CPPA’s finalized update, it is important to use this time to plan and prepare for these regulations in advance.
Raw Milk: State Legislative Updates and Challenges
Several states have recently introduced or passed legislation related to raw milk, reflecting a growing interest in unpasteurized milk despite the fact that raw milk can carry harmful bacteria such as Salmonella, E.coli, and Listeria, posing serious health risks. The U.S. Food and Drug Administration (FDA) and the Centers for Disease Control (CDC) strongly advise against consuming raw milk due to these dangers and have implemented regulations to limit its sale.
Despite the long-standing position at both agencies, the new Secretary of the Department of Health and Human Services (HHS) Robert F. Kennedy Jr., has been a vocal advocate for raw milk promoting its benefits and criticizing regulatory restrictions. His support has brought renewed attention to the raw milk movement, influencing legislative efforts.
Arkansas Bill HB 1048: This bill would allow the sale of raw goat milk, sheep milk, and whole milk directly to consumers at the farm, at farmer’s markets, or via delivery by the farm.
Utah Bill HB414: This bill has passed the House and is now before the Senate. This bill establishes enforcement steps for raw milk suspected in foodborne illness outbreaks, aiming to protect consumers.
Other states’ Legislation: States including Iowa, Minnesota, West Virginia, Maryland, Rhode Island, Oklahoma, New York, Missouri, and Hawaii have introduced various raw milk-related bills with efforts ranging from expanding sales to implementing stricter safety regulations.