California Attorney General Issues Two Advisories Summarizing Law Applicable to AI

If you are looking for a high-level summary of California laws regulating artificial intelligence (AI), check out the two legal advisories issued by California Attorney General Rob Bonta. The first advisory is directed at consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws. The second advisory focuses on healthcare entities.
“AI might be changing, innovating, and evolving quickly, but the fifth largest economy in the world is not the wild west; existing California laws apply to both the development and use of AI.” Attorney General Bonta
The advisories summarize existing California laws that may apply to entities who develop, sell, or use AI. They also address several new California AI laws that went into effect on January 1, 2025.
The first advisory points to several existing laws, such as California’s Unfair Competition Law and Civil Rights Laws, designed to protect consumers from unfair and fraudulent business practices, anticompetitive harm, discrimination and bias, and abuse of their data.
California’s Unfair Competition Law, for example, protects the state’s residents against unlawful, unfair, or fraudulent business acts or practices. The advisory notes that “AI provides new tools for businesses and consumers alike, and also creates new opportunity to deceive Californians.” Under a similar federal law, the Federal Trade Commission (FTC) recently ordered an online marketer to pay $1 million resulting from allegations concerning deceptive claims that the company’s AI product could make websites compliant with accessibility guidelines. Considering the explosive growth of AI products and services, organizations should be revisiting their procurement and vendor assessment practices to be sure they are appropriately vetting vendors of AI systems.
Additionally, the California Fair Employment and Housing Act (FEHA) protects Californians from harassment or discrimination in employment or housing based on a number of protected characteristics, including sex, race, disability, age, criminal history, and veteran or military status. These FEHA protections extend to uses of AI systems when developed for and used in the workplace. Expect new regulations soon as the California Civil Rights Council continues to mull proposed AI regulations under the FEHA.
Recognizing that “data is the bedrock underlying the massive growth in AI,” the advisory points to the state’s constitutional right to privacy, applicable to both government and private entities, as well as to the California Consumer Privacy Act (CCPA). Of course, California has several other privacy laws that may need to be considered when developing and deploying AI systems – the California Invasion of Privacy Act (CIPA), the Student Online Personal Information Protection Act (SOPIPA), and the Confidentiality of Medical Information Act (CMIA).
Beyond these existing laws, the advisory also summarizes new laws in California directed at AI, including:

Disclosure Requirements for Businesses
Unauthorized Use of Likeness
Use of AI in Election and Campaign Materials
Prohibition and Reporting of Exploitative Uses of AI

The second advisory recounts many of the same risks and concerns about AI as relevant to the healthcare sector. Consumer protection, anti-discrimination, patient privacy and other concerns all are challenges entities in the healthcare sector face when developing or deploying AI. The advisory provides examples of applications of AI systems in healthcare that may be unlawful; here are a couple:

Denying health insurance claims using AI or other automated decisionmaking systems in a manner that overrides doctors’ views about necessary treatment.
Using generative AI or other automated decisionmaking tools to draft patient notes, communications, or medical orders that include erroneous or misleading information, including information based on stereotypes relating to race or other protected classifications.

The advisory also addresses data privacy, reminding readers that the state’s CMIA may be more protective in some respects than the popular federal healthcare privacy law, HIPAA. It also discusses recent changes to the CMIA that require providers, electronic health records (EHR) companies, and digital health companies to enable patients to keep their reproductive and sexual health information confidential and separate from the rest of their medical records. These and other requirements need to be taken into account when incorporating AI into EHRs and related applications.
In both advisories, the Attorney General makes clear that in addition to the laws referenced above, other California laws—including tort, public nuisance, environmental and business regulation, and criminal law—apply to AI. In short:
Conduct that is illegal if engaged in without the involvement of AI is equally unlawful if AI is involved, and the fact that AI is involved is not a defense to liability under any law.
Both advisories provide a helpful summary of laws potentially applicable to AI systems, and can be useful resources when building policies and procedures around the development and/or deployment of AI systems.

Whistleblower Awarded $1.8 Million for Reporting Hospital Admissions Kickback Scheme

Healthcare professionals play a critical role in ensuring the integrity of the industry. However, unlawful kickbacks and fraudulent claims, if left unreported, undermine the quality of patient care and solvency of government-funded healthcare programs. A recent case involving Oroville Hospital highlights not just the consequences of violating regulations such as the False Claims Act and Anti-Kickback Statute but also the importance of whistleblowers in combatting such schemes.
Oroville Hospital Settlement Details
Oroville Hospital has agreed to pay $10.25 million to resolve allegations of participating in an illegal kickback and self-referral scheme. The settlement is divided, with $9,518,954 going to the federal government and $731,046 to the State of California.
The allegations claim that Oroville Hospital:

Paid Illegal Kickbacks to Physicians – Oroville Hospital allegedly incentivized physicians responsible for inpatient admissions by offering bonuses tied to how many patients they admitted. This practice incentivized unnecessary hospital stays, jeopardizing patient welfare and inflating healthcare costs.
Falsely Billed Medicare and Medi-Cal – The hospital allegedly admitted patients who did not need inpatient care. Furthermore, they also allegedly added false diagnosis codes such as systemic inflammatory response syndrome (SIRS) to claims, inflating reimbursements from Medicare and Medicaid (Medi-Cal in California).

The Vital Role of Whistleblowers in Healthcare Compliance
The Oroville Hospital case underscores the critical importance of whistleblowers in protecting healthcare systems from unlawful practices. The allegations in this case were originally brought forward by a private individual under the qui tam provisions of the False Claims Act.
Under the qui tam provision, whistleblowers can file lawsuits on behalf of the government and potentially receive a portion of any monetary recovery resulting from the case. The whistleblower received approximately $1.8 million, or about 17% of the settlement, for her role in exposing these unlawful activities.
Why Whistleblowers Are Essential
Whistleblowers are often employees or professionals working within the healthcare system who become aware of illegal or unethical practices. Here is why their role is indispensable:
1. Preventing Patient Harm
Unethical behavior, such as unnecessary hospitalizations or improper medical diagnoses, can seriously harm patients. Whistleblowers bring attention to these issues and ensure medical practices prioritize patient health over profit.
2. Protecting Government Resources
Fraudulent claims and improper billing practices drain billions of dollars each year from federal programs such as Medicare, Medicaid, TRICARE, and FEHB. Whistleblowers help uncover these schemes, ensuring that taxpayer funds are used effectively and healthcare remains affordable.
3. Encouraging Transparency and Accountability
By exposing unlawful actions, whistleblowers hold organizations accountable and encourage others in the industry to comply with regulations such as the Anti-Kickback Statute and the False Claims Act.
4. Facilitating Internal Improvements
When courts order companies to implement Corporate Integrity Agreements or similar oversight measures as a result of whistleblower actions, healthcare organizations are compelled to implement stronger compliance frameworks, reducing the risk of future violations.

New York City Publishes Updated FAQs for Earned Safe and Sick Time Act

On September 26, 2024, New York City published updated frequently asked questions (FAQs) for the New York City Earned Safe and Sick Time Act (ESSTA) in light of the New York City Department of Consumer and Worker Protection’s (DCWP) adoption of the October 2023 amended rules and the January 2024 law creating a private right of action for ESSTA violations.
While the FAQs provide some clarification and guidance regarding the amended rules and processes and procedures in pursuing a private right of action, they also leave some questions unanswered. In addition, the FAQs provide guidance on topics that were not included in the amended rules, including outlining possible additional uses of safe and sick leave that were not explicitly contemplated.

Quick Hits

On September 26, 2024, New York City released updated FAQs for the Earned Safe and Sick Time Act (ESSTA) to address the October 2023 amended rules and the January 2024 law allowing private rights of action for ESSTA violations.
The updated FAQs clarify and provide guidance regarding the amended rules, processes, and procedures in pursuing a private right of action, while also leaving some questions unanswered.
The updated FAQs provide guidance on additional topics regarding written safe and sick leave policies and additional uses of leave for weather-related health conditions and funerals.

Telecommuting and Remote Employees
With the advent of remote work and telecommuting, the amended rules clarify that an employee who is based outside of New York City is eligible to use safe and sick leave if the employee is “expected to regularly perform work in New York City during a calendar year” but only hours worked by such an employee in New York City will count toward the accrual of safe and sick leave. Additionally, the employee can only use accrued safe and sick leave while performing work in New York City.
While the amended rules provide some examples of how this will apply, the FAQs leave unanswered what “regularly perform work” means for purposes of determining eligibility.
Written Safe and Sick Leave Policies
For employers that have general paid time off policies, the FAQs clarify that employers must maintain written safe and sick leave policies in a single writing. Policies are not in a single writing “if they are split up across multiple documents or locations. An employer may supplement a national policy with an NYC-specific policy, provided that the national and local policies are not confusing or contradictory.”
Despite this guidance, the FAQs do not expound on the meaning of “confusing or contradictory.”
DCWP Investigations and Private Right of Action
As employees can now file a civil action in court and file a complaint with the DCWP, the FAQs provide guidance regarding those processes and procedures. As an initial matter, the FAQs clarify that there are no prerequisites to filing a lawsuit in court for ESSTA violations, and employees are not required to file a complaint with the DCWP first. Should an employee decide to file complaints in court and with the DCWP for the same alleged violations, the DCWP will stay its investigation until it is notified that “such a civil action has been withdrawn or dismissed without prejudice.” After a final judgment or settlement, the DCWP will then dismiss the complaint unless it “determines the complaint alleges a violation not resolved by such judgment or settlement.”
Additional Uses: Health Conditions Related to Weather Events and Funerals
The FAQs provide that employees may be able to use safe and sick leave for weather-related events when, for example, weather-related conditions such as extreme heat or poor air quality affect the health of employees or their family members, or when exposure to certain weather would pose a risk to the employee or family member due to an underlying medical condition.
In addition, the FAQs state that an employee may use safe and sick leave to attend a funeral if an employee is experiencing anxiety or depression or if a family member needs care for a mental or physical health condition.
Exhausting Available Safe and Sick Leave
Under the ESSTA, generally, it is the employee who decides whether to use safe and sick leave and how much accrued safe and sick leave to use. In reaffirming this rule, the FAQs provide that employers are “prohibited from deducting from an employee’s leave bank when the employee does not wish to use safe and sick leave to cover an absence.” Notwithstanding, the FAQs clarify that the ESSTA “does not require an employer to provide unpaid time off when an employee does not wish to use safe and sick leave to cover an absence and is not eligible for other paid leave.” However, the FAQs note that other laws may require an employer to grant unpaid time off.
Pay Statement Requirements and Unlimited Paid Time Off
The ESSTA requires employers to inform employees on their paystubs of the amount of safe and sick leave used during the pay period and the balance of accrued time remaining.
For those employers that offer unlimited safe and sick leave or unlimited paid time off, the FAQs state that “in very limited circumstances,” an employer will not be required to provide documentation showing accrual, use, and balance information each pay period. Whether this exception applies will depend on “the nature of the employer’s written safe and sick leave policy, including whether any restrictions apply, and whether in practice leave is truly unlimited.”
Even if an exception applies, the FAQs clarify that employers must still keep records showing compliance with the ESSTA.
Next Steps
Employers based in or with remote employees in New York City may wish to review their current policies and make any necessary revisions based on the updated FAQs. Employers may also want to review with and train supervisors and human resources professionals to ensure compliance and update existing practices to align with the above updates to minimize the potential for enforcement actions by the DCWP or for lawsuits by employees.

New Year, New Leave Laws – Understanding State Leave Law Updates Effective January 1, 2025

When did you last look at your employee leave policies? As the calendar turns to a new year, new changes often arrive, and 2025 is no exception. Employers should take note of the recent updates to state leave laws that went into effect on January 1, 2025.
Here are some states that have implemented new or expanded leave laws as of January 1, 2025:
Connecticut
Employers with 25 or more employees working in the state of Connecticut must provide paid sick leave to all employees. Employees can accrue one hour of paid sick leave for every 30 hours worked, up to a maximum of 40 hours per year. Employers now have the option to frontload the paid sick leave at the beginning of each year, rather than being required to carry over unused leave to the next year. This leave can be used for the diagnosis, care, or treatment of an employee’s or their family member’s illness or injury, or for specific needs related to family violence or sexual assault.
Delaware
Employers with 10 or more employees primarily working in Delaware must begin making payroll deductions for the Delaware Paid Family and Medical Leave Program. Employers are required to contribute 0.8% of wages, and they can require their employees to pay up to 50% of the cost of the program. The first contribution payment is due by April 30, 2025.
Maine
Maine employers are also required to begin making payroll deductions to the state’s Paid Family and Medical Leave Program. Unlike Delaware, the law applies to any employer with at least one employee based in Maine. Employers with 15 or more employees must contribute 1% of wages to the program, with the option to deduct up to 50% of this contribution from employees’ wages. Employers with fewer than 15 employees must contribute 0.5% of wages, and they can deduct the entire contribution from employees’ wages. Employers covered by this law must ensure they are registered in the Maine Leave Contributions Portal to start making payments. The first payment is due by April 30, 2025.
New York
New York now requires employers to provide all employees residing in the state with an additional 20 hours of paid prenatal personal leave for any healthcare services related to pregnancy. This includes services such as physical exams, medical procedures, testing, consultations with healthcare providers, end-of-pregnancy care, and fertility treatment. This leave is available only to the pregnant employee receiving healthcare services and does not extend to spouses, partners, or other support persons. Pregnant employees using this leave will be paid at their regular rate of pay or the applicable minimum wage rate, whichever is greater. Once the pregnancy concludes, the employee is no longer eligible for this additional leave.
Upcoming Changes in Other States
These are just a few of the state leave laws that took effect at the start of 2025. However, additional changes are on the horizon, including Michigan’s Earned Sick Time Act, effective February 21, 2025; Missouri’s paid sick leave law, effective May 1, 2025; and Nebraska’s paid sick leave law, effective October 1, 2025. As more laws are introduced throughout the year, staying informed about these changes is essential for ensuring compliance and effectively supporting employees.

EnforceMintz — Could the Supreme Court’s Decision in Jarkesy Mean the End to HHS Civil Monetary Penalty Authorities as We Know Them?

Last June, the Supreme Court issued its decision in Securities and Exchange Commission v. Jarkesy, which holds that the Seventh Amendment entitles a defendant to a jury trial when the Securities and Exchange Commission (SEC) seeks to impose civil monetary penalties (CMPs) for a securities fraud violation. While the Jarkesy decision focused on the SEC’s administrative process, enforcement actions involving CMPs brought by other federal agencies, such as the Department of Health and Human Services (HHS), also proceed through an agency tribunal as opposed to a jury trial. In particular, the Centers for Medicare & Medicaid Services (CMS), which is part of HHS, has the authority to issue CMPs in countless circumstances.
As of the date of this article, we are not aware of any federal court case that specifically challenges HHS’s administrative CMP process, but parties are starting to assert Jarkesy-based arguments in appealing HHS administrative actions. For example, in November, the HHS Departmental Appeals Board (DAB) issued a decision on an appeal filed by a skilled nursing facility (SNF) that raised Jarkesy-based arguments. The SNF had challenged an administrative law judge’s (ALJ) decision to grant summary judgment in favor of CMS in a case where CMS imposed a CMP of $1,103 per day for 109 days of noncompliance with certain Medicare participation requirements. In pertinent part, the SNF moved for the DAB to remand and refund its CMP. The SNF argued that, based on Jarkesy, the ALJ proceeding to review the imposition of CMPs was “void ab initio,” that the ALJ did not have the constitutional authority to conduct its review, and that the CMP appeal should have been heard before a jury.
Ultimately, the DAB vacated the ALJ’s decision and remanded the matter for further proceedings consistent with the DAB’s decision. Notably, however, the DAB rejected the SNF’s Jarkesy arguments because (i) the SNF’s case concerns “an entirely separate statutory authority and regulatory scheme…as administered by [HHS],” (ii) Jarkesy does not apply to the Medicare administrative appeal regime, and (iii) the Supreme Court did not hold that every agency’s attempt to impose and support CMPs necessarily is a suit at common law that must be adjudicated by an Article III court (a point that was key to the Supreme Court’s decision). The DAB also emphasized that it is not the DAB’s role to invalidate any part of the Social Security Act or its implementing regulations. This point was consistent with the DAB’s longstanding approach that ALJs may not declare a statute or regulation to be unconstitutional or refuse to apply or follow a statute or regulation on that basis.
Surely, this proceeding will not be the last time the agency encounters a Jarkesy-based argument. It is only a matter of time before the question of whether and how Jarkesy applies to HHS’s CMP authorities finds its way before the courts. If such a challenge were to succeed, it could upend the agency’s enforcement process as we know it and lead to seismic shifts in the types of enforcement matters HHS prioritizes and pursues. For now, we imagine that HHS (and other agencies) are likely reviewing their CMP procedures and reliance on ALJs to oversee these proceedings for Jarkesy-related vulnerabilities. 

EnforceMintz — Novel Criminal Charges and Emerging Civil Trends from Opioid Enforcement in 2024

In past years we have discussed how opioid-related enforcement efforts have remained a top federal and state priority (here, here, and here). In 2024, opioid-related enforcement efforts continued across the entire opioid supply chain, and two themes dominated the most significant opioid cases and resolutions of 2024. First, two major settlements from the past year highlight examples of allegations that crossed a line, prompting the government to pursue criminal charges. Second, a number of recent cases against pharmacies involve a common theory of liability based on the Controlled Substances Act (CSA), which served as the basis for civil liability under the False Claims Act (FCA).
Opioid-Related Criminal Resolutions
In February 2024, Endo, a pharmaceutical manufacturer that previously filed for bankruptcy, reached a global resolution of various criminal and civil investigations into the company’s sales and marketing of opioid drugs. The company agreed to pay the government $464.9 million over 10 years (though the actual total payment amount will likely be much lower due to bankruptcy).
To resolve the criminal investigation, Endo agreed to plead guilty to a one-count misdemeanor charge for violations of the federal Food, Drug, and Cosmetic Act (FDCA). That charge related to the company’s marketing of the drug’s purported abuse deterrence, tamper-resistant, or crush-resistant properties to prescribers, despite a lack of supporting clinical data. In the plea agreement, the company admitted responsibility for misbranding its opioid drug by marketing the drug with a label that failed to include adequate directions for its claimed abuse deterrence use, in violation of the FDCA.
More recently, in December 2024, McKinsey & Company, a worldwide management consulting firm, agreed to pay $650 million to resolve criminal and civil investigations related to the firm’s consulting work for Purdue Pharma, the maker of OxyContin. As noted in the government’s press release, the McKinsey resolution was the first time a management consulting firm has been held criminally responsible for its advice resulting in a client’s criminal conduct.
The two-count criminal charging document accused McKinsey of conspiring to misbrand a controlled substance and obstruction of justice. The conspiracy charge related to McKinsey’s work to “turbocharge” OxyContin sales by targeting high-volume opioid prescribers. The obstruction charge arose from the alleged deletion by a senior partner of certain documents related to the company’s work for Purdue. To resolve those charges, McKinsey entered into a five-year deferred prosecution agreement (DPA). Under the DPA, McKinsey agreed not to do any consulting work related to the marketing, sale, or distribution of controlled substances and agreed to implement significant changes to its compliance program. Separately, the former McKinsey senior partner who allegedly destroyed records relating to the company’s work for Purdue was charged with obstruction of justice and agreed to plead guilty to that charge.
These two resolutions are relevant to all entities in the opioid supply chain, from manufacturers to consultants and all stakeholders in between. Sales and marketing practices, or abuse deterrence claims or practices targeting prescribers based on volume, can lead to both civil liability and potential criminal exposure.
Pharmacies Face Potential FCA Liability Based on CSA Violations
On the civil side, three opioid enforcement actions were particularly noteworthy. Three years ago, we highlighted some of the first pharmacy-related resolutions, which showed that pharmacies were “next in line” for opioid related enforcement. In 2024, two substantial settlements involved alleged CSA violations giving rise to FCA liability. A third FCA lawsuit filed in December 2024 against the nation’s largest pharmacy shows that this trend will likely continue in 2025 and beyond.
In July 2024, Rite Aid and its affiliates agreed to settle allegations brought by the government related to its opioid dispensing practices. Rite Aid had previously filed for bankruptcy, so the settlement agreement involved a payment of $7.5 million, plus a general unsecured claim of $401.8 million in the bankruptcy case.
The government alleged that Rite Aid pharmacists dispensed unlawful prescriptions and failed to investigate “red flags” before dispensing opioid prescriptions, then improperly submitted claims to the government for reimbursement of those prescriptions. The government alleged that the company dispensed unlawful prescriptions by (1) filling so-called “trinity” prescriptions, which are a combination of opioid, benzodiazepine, and muscle relaxants; (2) filling excessive quantities of opioid prescriptions; and (3) filling prescriptions written by prescribers previously identified as suspicious by pharmacists.
Similarly, in December 2024, Food City, a regional grocery store and pharmacy based in Virginia, agreed to pay $8.48 million to resolve allegations that it dispensed opioids and other controlled substances in violation of the CSA and the FCA. Like the Rite Aid case, the government alleged that these prescriptions were medically unnecessary, lacked a legitimate medical purpose, or were not dispensed pursuant to valid prescriptions. The government alleged that Food City ignored “red flags” including, among other things, (1) prescribers who wrote unusually large opioid prescriptions; (2) early refills of opioids; (3) prescriptions for unusual quantities or combinations of opioids; and (4) patients who were filling prescriptions for someone else, driving long distances to fill prescriptions, or paying cash for prescriptions.
Also in December 2024, the Department of Justice announced that it had intervened in a nationwide lawsuit alleging that CVS Pharmacy filled unlawful prescriptions in violation of the CSA and sought reimbursement for those prescriptions in violation of the FCA. The lawsuit is currently pending. The theory of liability asserted against CVS is similar to the Rite Aid and Food City cases: CVS allegedly filled unlawful prescriptions, ignored “red flags” of abuse and diversion, and sought reimbursement from federal health care programs for unlawful prescriptions in violation of the FCA.
Under the CSA and applicable regulations, pharmacists dispensing controlled substances, like opioids, have a “corresponding responsibility” to ensure that the prescription was issued for a legitimate medical purpose. 21 C.F.R. § 1306.04(a). Exercising that corresponding responsibility requires identifying and resolving “red flags” before filling a prescription. There is no defined list of what the government deems to constitute “red flags” and determining the existence of red flags is often context dependent. Because FCA lawsuits based on alleged CSA violations appear to be a growing trend, these three cases provide helpful guidance for companies seeking to mitigate risk by implementing corporate compliance programs designed to identify and resolve “red flags” related to opioid prescriptions.

California AG Issues AI-Related Legal Guidelines for Developers and Healthcare Entities

The California Attorney General published two legal advisories this week:

Legal Advisory on the Application of Existing California Laws to Artificial Intelligence
Legal Advisory on the Application of Existing California Law to Artificial Intelligence in Healthcare 

These advisories seek to remind businesses of consumer rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA), and to advise developers who create, sell, or use artificial intelligence (AI) about their obligations under the CCPA.
Attorney General Rob Bonta said, “California is an economic powerhouse built in large part on technological innovation. And right alongside that economic might is a strong commitment to economic justice, workers’ rights, and competitive markets. We’re not successful in spite of that commitment — we’re successful because of it [. . .] AI might be changing, innovating, and evolving quickly, but the fifth largest economy in the world is not the wild west; existing California laws apply to both the development and use of AI. Companies, including healthcare entities, are responsible for complying with new and existing California laws and must take full accountability for their actions, decisions, and products.” 
Advisory No. 1: Application of Existing California Laws to Artificial Intelligence
This advisory:

Provides an overview of existing California laws (i.e., consumer protection, civil rights, competition, data protection laws, and election misinformation laws) that may apply to companies that develop, sell, or use AI;
Summarizes the new California AI laws that went into effect on January 1, 2025, such as:
Disclosure Requirements for Businesses
Unauthorized Use of Likeness
Use of AI in Election and Campaign Materials
Prohibition and Reporting of Exploitative Uses of AI

Advisory No. 2: Application of Existing California Law to Artificial Intelligence in Healthcare 
AI tools are used for tasks such as appointment scheduling, medical risk assessment, and medical diagnosis and treatment decisions. This advisory:

Provides guidance under California law (i.e., consumer protection, civil rights, data privacy, and professional licensing laws) for healthcare providers, insurers, vendors, investors, and other healthcare entities that develop, sell, and use AI and other automated decision systems;
Reminds such entities that AI carries harmful risks and that all AI systems must be tested, validated, and audited for safe, ethical, and lawful use;
Informs such entities that they must be transparent about using patient data to train AI systems and alert patients on how they are using AI to make decisions affecting their health and/or care.

This is yet another example of how issues related to the safe and ethical use of AI will likely be at the forefront for many regulators across many industries.

EnforceMintz — Long Tail of Pandemic Fraud Schemes Will Likely Result in Continued Enforcement for Years to Come

In last year’s edition of EnforceMintz, we predicted that 2024 would bring an increase in False Claims Act (FCA) enforcement activity related to COVID-19 pandemic fraud. Those predictions proved correct. The COVID-19 Fraud Enforcement Task Force (CFETF), in conjunction with five COVID Fraud Enforcement Strike Forces and other government agencies, has resolved many significant criminal and civil pandemic fraud cases over the past year. In April 2024, the CFETF released a COVID-19 Fraud Enforcement Task Force 2024 Report (the CFETF Report) describing the CFETF’s recent efforts and including a plea for more fraud enforcement funding, which suggests that additional enforcement activity is on the horizon. While that funding request has thus far gone unheeded, we expect more civil pandemic fraud enforcement actions (and continuing criminal actions) in 2025.
Civil and Criminal Paycheck Protection Program (PPP) Fraud Enforcement
Since 2020, criminal PPP fraud has dominated COVID-19 fraud enforcement headlines, and 2024 was no different. Criminal cases have typically involved common fact patterns in which fraudsters (i) obtained funding to which they were not entitled, (ii) submitted false certifications or inaccurate information in a loan application, or (iii) submitted false certifications or inaccurate information in seeking loan forgiveness. Over the past year, however, civil PPP fraud enforcement has begun to evolve.
In 2024, criminal PPP fraud enforcement broke up multiple COVID-19 fraud rings involving actors who fraudulently obtained loans for fictitious businesses, packed PPP applications with false documentation (provided in exchange for kickbacks), and falsely certified information regarding the number of employees and payroll expenses that would entitle them to PPP funding. Typical charges in these cases included wire fraud, bank fraud, making false statements to federally insured financial institutions, conspiracy, and money laundering.
On the civil side, PPP fraud enforcement seemed to increase in 2024. Interestingly, some civil PPP fraud cases involved schemes similar to criminal actions. Often the government’s decision to pursue such cases as civil, criminal, or both depends on the evidence of intentional fraud. For example, in January 2024, a clinic and its owners agreed to a $2 million judgment in connection with multiple fraudulent acts, including PPP fraud arising from their certification that they were not engaged in illegal activity and that their business suffered quarterly or year-over-year losses, therefore entitling them to PPP funding. In October 2024, one FCA recovery totaling $399,990 involved a home health agency and its owner who received two PPP loans after certifying that the company would receive only one. More recently, in December 2024, a private asset management company and its owner agreed to pay $680,000 to settle FCA allegations brought by a relator. The company and its owner allegedly falsely certified that PPP loans were economically necessary and included false statements in the information submitted when seeking forgiveness for the loan. Cases of this nature apparently did not rise to the level of criminal wrongdoing, in the government’s view.
A number of civil PPP fraud FCA cases from the past year involved increasingly complex theories and allegations. These more complicated fact patterns require years of investigation and are expensive. As a result, such fraud enforcement actions may have a “long tail” and continue for years to come.
For example, in May 2024, a private lender of PPP loans agreed to resolve allegations that it knowingly awarded inflated and fraudulent loans to maximize its profits, then sold its assets and bankrupted the company. The lawsuit was initiated by whistleblowers (known under the FCA as “relators”), including an accountant and former analyst in the lender’s collection department. As part of the settlement with the lender, the United States received a general unsecured claim in the bankruptcy proceeding of up to $120 million.
More recently, in December 2024, the United States intervened in a complaint against certain former executives of the lender who allegedly violated the FCA by submitting and causing the submission of false claims for loan forgiveness, loan guarantees, and processing fees to the Small Business Administration (SBA) in connection with the lender’s participation in the PPP. When we discussed this case previously, we noted that we expected to see similar cases in the future brought against private lenders who failed to safeguard government funds. More broadly, we expect the trend of increasingly complex civil PPP fraud actions to continue in 2025.
Fraud Enforcement Involving Programs Administered by the Health Resources and Services Administration (HRSA)
Provider Relief Fund (PRF) and Uninsured Program (UIP) fraud enforcement picked up in 2024. As described in the CFETF Report, the CFETF has leveraged an interagency network to make strategic improvements in how it investigates fraud. (Interagency collaboration is another theme from 2024, which we discuss more here.) The CFETF Report also describes a department-wide effort by the Department of Justice (DOJ) to roll out database tools to all US Attorney’s Offices to detect and investigate fraud. According to the CFETF Report, DOJ has analyzed more than 225 million claims paid by HRSA, the entity that dispensed PRF and UIP funds during the height of the pandemic. Closer investigatory scrutiny has led to increased enforcement actions.
PRF Fraud
Criminal PRF fraud enforcement resembled PPP enforcement from prior years, which was often based on theft or misappropriation theories. These enforcement actions often include charges against PRF recipients who either (i) retained funds to which they were not entitled or (ii) used PRF funds for ineligible expenses, like luxury goods. For example, in April 2024, a defendant who operated a primary care clinic pleaded guilty to theft and misappropriation of PRF funds. The defendant had certified that PRF funds would be used by the clinic only to prevent, prepare for, and respond to COVID-19. Despite making this representation, the clinic operator used the PRF funds for personal purposes, including cash withdrawals and the purchase of personal real estate, a luxury vehicle, a boat, and a trailer.
UIP Fraud
There were a number of noteworthy criminal UIP enforcement actions in 2024. In March 2024, a defendant was charged with filing fraudulent COVID-19 testing reimbursement, through the laboratory he managed, for COVID-19 testing that was never provided. The defendant allegedly obtained and used the personal identifying information of incarcerated or deceased individuals in connection with those claims. The indictment alleged that the defendant received $5.6 million in reimbursement and used those UIP funds to purchase property in South Florida.
Enforcement actions involving UIP funds involved significant alleged losses to the government. In February 2024, a defendant pleaded guilty to mail fraud and identity theft charges in what the government called “one of the largest COVID fraud schemes ever prosecuted.” The defendant and her co-conspirators filed more than 5,000 fraudulent COVID-19 unemployment insurance claims using stolen identities to unlawfully obtain more than $30 million in benefits. To execute the scheme, the defendant and others created fake employers and employee lists using the personally identifiable information of identity theft victims. The defendant was sentenced to 12 years in prison, and seven co-conspirators have also pleaded guilty in connection with this large fraudulent scheme.
In one major civil FCA resolution, in June 2024, a group of affiliated urgent care providers agreed to pay $12 million to resolve allegations that they submitted or caused the submission of false claims for COVID-19 testing to the HRSA UIP. The government alleged that the providers knew their patients were insured at the time of testing (and in some instances had insurance cards on file for certain patients), yet they submitted claims (and caused laboratories to submit claims) to HRSA’s UIP for reimbursement. The resolution is noteworthy because the providers received a relatively low FCA damages multiplier as credit for cooperating with the government in its investigation under DOJ’s Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters. More information on DOJ’s efforts to encourage voluntary self-disclosure can be found in our related EnforceMintz article here.
Fraud Schemes Involving Respiratory Pathogen Panels
Fraud involving expensive respiratory pathogen panels (RPPs) has been in the spotlight since the beginning of the pandemic. In 2022, the Office of Inspector General for the Department of Health and Human Services (OIG) warned about laboratories with questionably high billing for tests submitted for reimbursement alongside COVID-19 tests, including RPPs. The OIG deemed this scenario deserving of “further scrutiny.” Medicare reimbursed some outlier laboratories approximately $666 for COVID-19 testing paired with other add-on tests, while it reimbursed the majority of laboratories approximately $89 for the same testing. The trend in RPP fraud enforcement that we discussed last year continued in 2024: enforcement actions involved a mix of criminal and civil RPP fraud cases involving significant damages.
One laboratory owner was criminally charged with submitting $79 million in fraudulent claims to Medicare and Texas Medicaid for medically unnecessary RPP tests. The laboratory owner used the personal information of a physician — without the physician’s knowledge — to submit the claims even though the physician had no prior relationship with the test recipients, was not treating the recipients, and did not use the test results to treat the recipients. The government seized over $15 million in cash from this defendant.
In another case involving both criminal and civil charges, a Georgia-based laboratory and its owner agreed to pay $14.3 million to resolve claims that they paid independent contractor sales representatives volume-based commissions to recommend RPP testing to senior communities interested only in COVID-19 testing. The independent sales contractors used forged physician signatures and sham diagnosis codes to add RPP testing to requisition forms ordering only COVID-19 testing. The whistleblower in this case — the laboratory’s manager — is set to receive $2.86 million of the recovery.
As the government continues to deploy data analytics to identify outlier cases, we suspect enforcement actions involving COVID-19 companion testing will continue.
Future of COVID-19 Enforcement
More than four years after the enactment of the CARES Act, COVID-19 fraud enforcement continues to evolve. Since the beginning, the government has consistently pursued criminal cases involving misused or fraudulently obtained funds, fake COVID cures, and fake COVID testing. In 2022, the government extended the statute of limitations for PPP fraud from five to ten years, recognizing that more time was needed to investigate and prosecute fraud on these programs.
This past year, a broader range of pandemic fraud schemes were prosecuted criminally and civilly. These often data-heavy or analytics-based cases require a significant investment of time and resources. Recognizing the resources required for these more complicated matters, the CFETF called for increased funding and an extension of the statute of limitations for all pandemic-related fraud in the CFETF Report. As of the date of this publication, that request has not yet been answered. It thus appears the funding request will be determined by the new administration.
Despite uncertainty around future funding for COVID-19 fraud enforcement, we anticipate more criminal and high-dollar civil enforcement actions in 2025. The CFETF Report described 1,200 civil pandemic fraud matters as of April 1, 2024, in more than 400 of which DOJ had obtained judgments or settlements totaling over $100 million. That leaves approximately 800 pending civil matters, and untold billions in fraudulently obtained funds still in the hands of fraudsters. Moreover, fraud enforcement as a general matter has bipartisan support. Either way, employees, related parties, and patient relators, with the support of sophisticated relator’s counsel, will likely continue to bring pandemic fraud cases in the coming years. Overall, COVID-19 fraud enforcement is unlikely to slow down in 2025.

EnforceMintz — Medicare Advantage and Part D Programs to Remain in the Enforcement Spotlight in 2025

As government scrutiny and enforcement targeting the Medicare Advantage (Medicare Part C) program continued in 2024, the industry’s response to agency actions escalated. Last year also resulted in the first sizable Part D False Claims Act settlement. Year over year, as the number of enrollees in Medicare Advantage plans and Part D plans has steadily increased, the total federal spending on Medicare Advantage and Part D has likewise risen and the spotlight on these programs and those who participate in them has intensified.
As seen in years past, the Department of Justice (DOJ), as well as the two agencies that regulate Medicare Advantage Organizations (MAOs) and Part D plan sponsors (PDP Sponsors), the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General for the Department of Health and Human Services (OIG), focused much of their attention on risk adjustment activities. DOJ remained in active litigation against many of the largest MAOs in the country, while CMS and the OIG began conducting risk adjustment audits subject to extrapolation. Throughout 2024, the industry challenged CMS’s regulatory actions relating to Star Ratings and rules for communicating with Medicare beneficiaries who are considering Medicare Advantage and Part D plans. Finally, on December 9, 2024, CMS finalized its updated Overpayment Rule for MAOs and PDP Sponsors in the 2025 Physician Fee Schedule Rule.
With Medicare Advantage expected to remain a top enforcement priority in 2025 and Part D enforcement growing, we anticipate that DOJ and CMS will continue to target the actions of not only MAOs and PDP Sponsors but also vendors and third-party entities that touch the Part C and D programs. In 2025, we will also be closely watching for court decisions in ongoing litigation matters that will undoubtedly influence future theories of liability and test the strength of defenses raised by MAOs, PDP Sponsors, and their vendors.
Recent Settlements Demonstrate that DOJ’s Enforcement Interest Spans the Industry
In 2024, DOJ settled two notable False Claims Act (FCA) matters relating to Medicare Advantage, which demonstrate that DOJ’s enforcement interests are not limited to MAOs, but also include vendors and other third-party entities engaged in risk adjustment practices and more. Plus, DOJ settled a large Part D matter relating to how drug costs are reported to and impact Medicare Part D payments from CMS.
Last year, Principal Deputy Assistant Attorney General Brian M. Boynton underscored DOJ’s “commitment to holding accountable third parties that cause the submission of false claims” and the government’s intention to “expand its focus on the Medicare Part C Program to include an examination of the role that vendors and providers play in the diagnoses that are submitted to the government.” DOJ made good on this promise.
For example, DOJ targeted entities involved in marketing efforts to Medicare Advantage patients. In September, Oak Street Health (Oak Street) agreed to pay $60 million to resolve the government’s allegations that it paid kickbacks to third-party insurance agents in exchange for recruiting Medicare beneficiaries to Oak Street’s primary care clinics in violation of the FCA. More specifically, DOJ alleged that Oak Street violated the Anti-Kickback Statute when, in exchange for referring Medicare beneficiaries to Oak Street, Oak Street paid insurance agents (who were acting as agents for MAOs) $200 per beneficiary referred or recommended to Oak Street’s primary care clinics. DOJ further alleged that the insurance agents delivered targeted messages to eligible seniors designed to generate interest in Oak Street and that the payments received incentivized those agents to base their referrals and recommendations on the financial motivations of Oak Street rather than the best interests of seniors. The complaint was filed by a relator who partnered with insurance agents and was contacted by Oak Street, and DOJ intervened in September for purposes of settlement. Although this settlement was with a provider organization (as explained further in), the conduct focused on Medicare Advantage members and their interactions with agents and brokers. CMS similarly highlighted its concerns regarding misleading communications to Medicare beneficiaries in its updated Medicare Advantage and Part D communication rules discussed below.
DOJ also reached a settlement agreement with a risk adjustment coding vendor this December. DOJ kicked off the holiday season by announcing the long-awaited settlement with MAO Independent Health Association, its wholly owned subsidiary and risk adjustment vendor DxID, and DxID’s former CEO, totaling up to $100 million across the three defendants. The government alleged that DxID improperly coded diagnoses from member medical records to inflate Medicare’s payments to Independent Health, including by coding from improper sources, coding conditions for which patients were not treated, and sending addenda to providers months or years after the service occurred. The parties had seemingly been engaged in settlement discussions for years, jointly requesting repeated extensions of time for the defendants to answer DOJ’s complaint since 2023.
Under this settlement structured based on Independent Health’s ability to pay, Independent Health will make guaranteed payments of $34.5 million and contingent payments of up to $63.5 million on behalf of itself and DxID, which ceased operations in 2021. DxID’s CEO, Betsy Gaffney, will independently pay $2 million. While Independent Health did not admit fault under the settlement agreement, the MAO also entered into a five-year Corporate Integrity Agreement (CIA) with HHS-OIG requiring that Independent Health hire an Independent Review Organization to annually review a sample of its Medicare Advantage beneficiary medical records and its internal controls to help ensure appropriate risk adjustment payments.
Additionally, following years of CMS voicing concerns over Part D Direct and Indirect Remuneration (DIR) and beneficiary protections, DOJ for the first time settled a significant matter relating to Part D DIR reporting. In July, DOJ entered into a settlement agreement with Elixir Insurance Company (Part D plan sponsor), Rite Aid Corporation (Parent Organization), and Elixir Rx Solutions (PBM) for a total of $121 million to resolve allegations that the defendants failed to appropriately report drug rebates through the Medicare Part D DIR reporting mechanism that is used by CMS to reconcile and calculate payments to Part D plan sponsors. Because Rite Aid Corporation, the parent organization, had declared bankruptcy, a portion of the settlement ($20 million) was granted as an allowed, unsubordinated, general unsecured claim in Rite Aid’s bankruptcy case in the District of New Jersey.
This is the first substantial Part D settlement focusing on Part D DIR, and it aligns with a theory of liability that DOJ has been considering for almost a decade. DOJ alleged that amounts that should have been reported as DIR (and therefore would have reduced the amount of revenue the government would pay a PDP Sponsor) were instead falsely reported as fees that do not qualify as DIR, and therefore the PDP Sponsor received and retained government payments to which it was not entitled.
Ongoing Litigation is Likely to Shape Risk Adjustment Enforcement in 2025 and Beyond
As previewed in last year’s report, DOJ continued to litigate three large FCA risk adjustment-focused cases last year against United Healthcare, Kaiser Foundation Health Plans and their affiliated medical groups, and Anthem. Because DOJ’s regulatory expectations of MAOs are often borne out through enforcement actions, judicial instruction on this topic is likely to shape future government actions and exemplify the standard of due diligence MAOs are expected to uphold when engaging in risk adjustment coding activities.
We summarize the current status and next steps for these three key cases below:

UnitedHealthcare. Litigation continued last year between the country’s largest MAO and DOJ in US ex rel. Poehling v. UnitedHealth Group, Inc. et al. (C.D. Cal.), reaching a key milestone this summer when the parties filed cross motions for summary judgment. In its Complaint in Intervention filed back in 2017, DOJ alleged that United failed to delete inaccurate diagnosis codes that it knew were unsupported by the medical records, which resulted in overpayments. Because this is one of the few Medicare Advantage lawsuits to reach this stage of litigation, we are watching closely for a summary judgment decision in the new year addressing the elements required to prove liability under the FCA’s reverse false claims provision.
Anthem. The government raised similar allegations against Anthem in United States v. Anthem, Inc. (S.D.N.Y), arguing that Anthem failed to identify and remove inaccurate diagnosis codes as part of its chart review program. DOJ and Anthem spent 2024 litigating discovery disputes and are set to remain in discovery through 2026.
Kaiser. DOJ also remained in active discovery with Kaiser in the lawsuit US ex rel. Osinek v. Kaiser Permanente (N.D. Cal.). The government’s Complaint in Intervention, filed in 2021, focuses on Kaiser’s use of addenda in medical records. DOJ alleges that Kaiser pressured physicians to create addenda often months after the patient encounter to retroactively add unsupported diagnoses, and that Kaiser used “data mining” programs to identify missed diagnoses and create the addenda. Following the denial of Kaiser’s motion to dismiss, the parties spent 2024 litigating discovery disputes before a magistrate judge. The case will remain in the discovery phase at least through 2025, with dispositive motions not scheduled until 2026, and a trial date currently set over two years out in 2027.

CMS and the OIG Take an Active Role in Regulating Medicare Advantage and Part D with New Rules and the Impact of Extrapolation
Similar to DOJ’s expanded enforcement approach discussed above, both CMS and the OIG continued to focus on risk adjustment activities while CMS also began more heavily regulating agents and brokers who communicate with Medicare beneficiaries.
Risk Adjustment, RADV Audits, and Overpayment Rule: As it relates to risk adjustment, the OIG issued a second report concerning MAOs’ alleged use of in-home health risk assessments (IH-HRAs) to drive up payments. IH-HRAs are exams conducted by health care providers (typically nurse practitioners) in a member’s home to collect information regarding that patient’s health. In its report, the OIG identified 20 MAOs that it believes are outliers for their use of IH-HRAs as a tool to report diagnoses of their members to CMS. The OIG published a similar report in 2021 concluding that IH-HRAs and chart reviews are vulnerable to misuse by MAOs, which has likely driven DOJ enforcement action targeting these practices since.
CMS and the OIG regularly conduct audits of the diagnosis codes that MAOs submitted for their members. Critically, in 2024, the OIG finalized and CMS initiated risk adjustment audits that reached Payment Year (PY) 2018, which is the first year that extrapolation under the CMS final rule applies. Under this rule (42 C.F.R. 422.310(e)) which was finalized in February 2023, CMS has the authority to extrapolate risk adjustment audit findings covering diagnosis codes MAOs submitted in PY 2018 and forward. For years prior to PY 2018, MAOs have only had to repay overpayments identified in the actual sample that CMS or the OIG reviewed.
Last year CMS selected the MAOs that will be subject to PY 2018 Risk Adjustment Data Validation (RADV) Audits and has initiated that process with the selected MAOs. The OIG has already completed certain audits that include PY 2018 and the monetary impact of extrapolation of the findings is immediately apparent. For example, Humana’s final report for diagnosis-targeted audits imposed an overpayment obligation of just $274,000 for diagnoses audited from PY 2017 (no extrapolation) as compared to over $6.5 million in estimated overpayments for diagnosis codes audited from PY 2018 (with extrapolation). Similarly, Health Assurance of Pennsylvania’s final report auditing diagnosis codes in PYs 2018 and 2019 with extrapolation totaled $4.2 million in overpayments.
Additionally, in early December, CMS finalized the Overpayment Rule, which requires MAOs and Part D plan sponsors to report and return overpayments within 60 days of identification. The Rule was initially adopted in 2014 and held MAOs and Part D plan sponsors to a “reasonable diligence” standard when determining when an overpayment had been “identified.” The “reasonable diligence” standard was struck down in United Healthcare Insurance Company v. Azar when the district court held that the standard was impermissibly being used to establish False Claims Act liability. The updated Overpayment Rule, proposed in December 2022, has now replaced the “reasonable diligence” standard with the knowledge standard from the False Claims Act. An MAO is now considered to have “identified” an overpayment when it knowingly (either with actual knowledge, or through reckless disregard or deliberate ignorance) receives or retains an overpayment.
Medicare Advantage and Part D Communication Rules: CMS adopted changes to the Medicare Advantage and Part D Communication regulations for 2025 that, according to CMS, seek to increase transparency and protect Medicare beneficiaries from receiving misleading information about coverage options. CMS expressed concern that agents and brokers who were contracted with MAOs and Part D plan sponsors were enrolling beneficiaries into plans based on which plans paid the agents and brokers the most money, rather than the plan that was in each beneficiary’s best interests.
To address this concern, the revised regulations: (1) prohibit MAOs and Part D plan sponsors from having contract provisions that could directly or indirectly create an incentive that would reasonably be expected to inhibit an agent or broker’s ability to objectively assess and recommend which plan best fits the health care needs of the beneficiary; (2) recognize that MAOs and Part D plan sponsors may pay agents, brokers, and Third-Party Marketing Organizations (TPMOs) for certain administrative and overhead expenses, but limit the payment for such services to $100 per member enrolled by the agent, broker, or TPMO (previously there was no express limit other than that such payments must not exceed those within the market); and (3) adopt more stringent consent requirements for a beneficiary’s information to be shared by a TPMO with a third party, including related third parties. As described further below, many entities that provide agent and broker services, referred to as field marketing organizations, or FMOs, sued CMS over these rule changes.
Following these regulatory changes and DOJ actions against brokers and agents, the OIG also weighed in when in December it issued a Special Fraud Alert warning the industry regarding its perceived risks of marketing arrangements between MAOs and health care providers or between providers and agents and brokers for MAOs. We discuss this alert further in our article here.
Industry Actions are on the Rise following the Demise of Chevron Deference
As has been widely reported, the US Supreme Court issued in June a landmark decision in Loper Bright Enterprises v. Raimondo, which struck down the longstanding doctrine of so-called “Chevron deference” to federal agency interpretation of ambiguous statutes and substantially expanded judicial review of such statutes. As expected, Loper Bright has already led to increased scrutiny of, and challenges to, agency action, including in the Medicare space. While “enforcement” against agencies is not typical government “enforcement,” it affects government enforcement matters because it impacts how agencies can take enforcement actions and what rules are enforceable.
In May 2024, certain FMOs sued CMS in the United States District Court for the Northern District of Texas, seeking to invalidate certain portions of the 2025 Medicare Advantage and Part D Communications regulations. The FMOs argued that the provisions of these rules, summarized above in the Medicare Advantage and Part D Communication Rules section, violated the Administrative Procedure Act (APA). They argued that the rule was arbitrary and capricious under the APA, claiming that CMS finalized the rule based on “pure speculation,” ignored objections from the public, and failed to acknowledge the reliance interests of brokers. The FMOs further contended that the rule failed to adhere to the notice and comment procedural requirements because CMS relied upon evidence not presented during notice and comment rulemaking. Less than a week after the Loper Bright decision, the court granted the FMOs’ request for a preliminary injunction relating to the regulation that restricted contract terms and limited administrative fee payments, finding that the rules were not reasonable.
Also, last fall four of the largest MAOs, UnitedHealthcare, Centene, Elevance, and Humana, all challenged how CMS calculated their specific Star Ratings, and, more recently, at least two Blues plans have also sued CMS. Star Ratings is the system that CMS uses to rate the performance of MAO and PDP plan sponsors. A plan’s Star Rating impacts how and when it can be marketed, and in Medicare Advantage, impacts how the plan is paid and when CMS can terminate a plan’s contract. United and Centene’s cases were relatively similar, focusing on how CMS evaluated and calculated a certain call center measure. Humana and Elevance each had arguments specific to their circumstances, and also included broader complaints regarding how CMS calculates Stars. Humana specifically challenged CMS’s unwillingness to share industry data with MAOs to ensure appropriate calculations. On November 22, 2024, the Eastern District of Texas granted summary judgment for UnitedHealthcare and ordered CMS to recalculate the MAO’s Star Rating by removing the one call center measure in dispute. In early December, Centene reported that CMS recalculated its Star Rating for 2025 following its challenge. The other cases are ongoing.
The challenges to Star Ratings are an important enforcement development because these lawsuits may force CMS to rethink how it operates the Star Ratings program and may impact whether CMS can terminate contracts that CMS believes are low performing.
Conclusion
Following another year of intense scrutiny, the Medicare Advantage industry is set to remain a government enforcement priority in 2025, and PDP Sponsors will likely attract similar scrutiny. Both MAOs and third-party entities involved in the Part C program should continue to monitor DOJ enforcement activity and decisions in ongoing litigation to evaluate their risk adjustment practices. Moreover, with the financial impact of extrapolated risk adjustment audit findings now evident, MAOs must be mindful to engage in robust compliance efforts and to review published OIG reports and related guidance to mitigate enforcement risk. PDP Sponsors and their vendors should expect increased scrutiny following the Elixir settlement, the continued rollout of the Inflation Reduction Act, and the intense national discussion regarding prescription drug costs. We will continue to monitor the evolving enforcement actions against MAOs and PDP Sponsors and watch closely for updated guidance, whether via agency regulations and reports or court decisions, in 2025 and beyond.

DOL: Employers Cannot Mandate PTO Use with State/Local Paid Leave Benefits During FMLA

The U.S. Department of Labor Wage and Hour Division (“WHD”) has issued an opinion letter stating that employers cannot require employees to substitute accrued paid time off during a Family and Medical Leave Act (“FMLA”) leave where the employee is also receiving benefits under a state or local paid family or medical leave program.
The opinion letter – which does not have the force of law but sets forth the agency’s enforcement position – answers a longstanding open question around the interplay between the FMLA, state/local paid leave programs, and accrued paid time off.
A Quick Refresher: FMLA and State Family/Medical Leave Programs
The federal FMLA entitles eligible employees of covered employers to up to 12 weeks (or in limited cases, 26 weeks) of unpaid, job-protected leave per 12-month period for specified family and medical reasons. Covered reasons for FMLA leave include an employee’s own serious health condition, caring for a parent, spouse or child with a serious health condition, and caring for a new child following birth, adoption or foster placement.
Since the FMLA’s enactment in 1993, numerous states (including New York, California, Massachusetts, Connecticut, and others) have instituted family and/or medical leave programs that provide partially paid leave (usually based on a percentage of the employee’s wages, up to a set cap) for personal medical, family care and/or parental leave reasons. Likewise, certain local governments have implemented paid family and medical leave programs specifically for their municipal employees. Many of these programs permit leave for reasons that are also qualifying reasons for leave under the FMLA. However, state/local paid leave programs often include benefits that differ from or exceed what the FMLA provides, such as longer leave periods or additional covered reasons for leave.
What Do the FMLA Regulations Say About Substitution of PTO?
While FMLA leave is unpaid, the governing regulations allow an employee to elect, or an employer to require the employee, to “substitute” accrued employer-provided paid time off (e.g., paid vacation, paid sick leave, etc.) for any part of an unpaid FMLA period – that is, the accrued paid time off may be used concurrently with FMLA leave to enable the employee to receive full pay during an otherwise unpaid leave period. However, the regulations further state that, during any part of an FMLA leave where an employee is receiving disability or workers’ compensation benefits, neither the employer nor the employee can require substitution of paid time off because such leave is not unpaid. Rather, when disability or workers’ compensation benefits are being received, the employer and the employee may only mutually agree (where state law permits) that accrued paid time off will be used to supplement such benefits.
EXAMPLE: John tells his employer he requires 12 weeks of leave to recover from a serious back surgery. John’s employer designates the 12 weeks as FMLA leave. John also applies and is approved for 12 weeks of disability benefits under his employer’s short-term disability program, pursuant to which he will receive a benefit equal to two-thirds of his regular wages. John’s employer cannot require John to substitute his accrued vacation time because he is receiving disability benefits and therefore his FMLA is not unpaid. However, John and his employer agree to use one-third of his available vacation time each week to supplement his disability pay so John receives 100% pay during the leave. 
How Does the Opinion Letter Impact Substitution of PTO During FMLA?
Because they have only more recently come into existence, state and local paid family or medical leave programs are not directly addressed in the FMLA regulations. However, the opinion letter now makes clear that “the same principles apply to such programs as apply to disability plans and workers compensation programs.”
First, the opinion letter emphasizes that “where an employee takes leave under a state or local paid family or medical leave program, if the leave is covered by the FMLA, it must be designated as FMLA leave[.]” The opinion letter then goes on to state:
[W]here an employee, during leave covered by the FMLA, receives compensation from a state or local family or medical leave program, the FMLA substitution provision does not apply to the portion of leave that is compensated. Because the substitution provision does not apply, neither the employee nor the employer may use the FMLA substitution provision to unilaterally require the concurrent use of employer-provided paid leave during the portion of the leave that is compensated by the state or local program. [However], if the employee is receiving compensation through state or local paid family or medical leave that does not fully compensate the employee for their FMLA covered leave, and the employee also has available employer-provided paid leave, the employer and the employee may agree, where state law permits, to use the employee’s employer-provided accrued paid leave to supplement the payments under a state or local leave program.

The opinion letter also notes that if an employee’s leave under a state or local paid family or medical leave program ends before the employee has exhausted their full FMLA leave entitlement and the leave therefore becomes unpaid, the FMLA substitution provision would then apply and the employee would be able to elect, or the employer would be able to require the employee, to substitute accrued paid time off.
EXAMPLE: Jane tells her employer she requires 12 weeks of leave to care for her husband while he recovers from a serious back surgery. Jane’s employer designates the 12 weeks as FMLA leave. Jane also applies and is approved for 8 weeks of paid family care benefits under her state’s paid family and medical leave program, pursuant to which she will receive a benefit equal to two-thirds of her regular wages. Jane’s employer cannot require Jane to substitute her accrued vacation time during the 8 weeks of her FMLA leave where she is concurrently receiving state family care benefits because her FMLA during that time is not unpaid. However, Jane and her employer agree to use one-third of her available vacation time each week during the first 8 weeks to supplement her state family care benefit so Jane receives 100% pay during that time. Beginning on week 9, Jane is no longer eligible for state family care benefits and her FMLA leave is now unpaid, so pursuant to its FMLA policy Jane’s employer requires her to substitute her remaining accrued vacation time during the FMLA leave until it is exhausted.
Implications and Action Steps for Employers
The opinion letter clarifies what has been a gray area around the interplay between the FMLA, state/local paid leave programs, and accrued paid time off. For example, the regulations governing the New York Paid Family Leave Law (“NYPFL”) state that “[a]n employer covered by the FMLA . . . that designates a concurrent period of family leave under [the NYPFL] may charge an employee’s accrued paid time off in accordance with the provisions of the FMLA.” However, it had previously been unclear whether this language in fact permitted employers to require substitution of accrued paid time off during a concurrent FMLA and NYPFL leave. It is now clear that such a requirement is impermissible, though employers and employees may agree to use paid time off to supplement NYPFL benefits.
Employers should now review their leave policies and practices to ensure that any provisions around the use of accrued paid time off during FMLA leave comport with the WHD’s interpretation of the requirements of the law. To the extent that any such policies require employees to substitute accrued paid time off during an FMLA leave where an employee is concurrently receiving disability, workers’ compensation or state/local paid family or medical leave benefits, the policies should be revised to provide that paid time off may only be used to supplement such other payments and only if both the employer and the employee agree.
However, employers are reminded that, as noted above, there may be situations where employees are eligible for benefits under state/local paid leave laws that are not also covered by the FMLA. As such, employers should also take note of what an applicable state/local paid family or medical leave law may permit (or not permit) around the substitution of paid time off and apply those rules during any leave period that does not run concurrently with the FMLA.

Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook

As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits of Regulated Entities. For example, OIG highlighted the absence of corrective action requirements following audits that raised concerns about the program’s ability to drive improvements in cybersecurity protections following audits of Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:

Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.

Recent Regulatory and Legislative Efforts to Address Health Care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:

Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
Health Infrastructure Security and Accountability Act of 2024 (S. 5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
Health Care Cybersecurity and Resiliency Act of 2024 (S. 5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare Cybersecurity Improvement Act (H.R. 10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.

Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor that requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for healthcare organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.

DOJ Reports Substantial Procurement Fraud Recoveries in FY 2024

The Department of Justice (DOJ) recently announced that it obtained more than $2.9 billion in False Claims Act (FCA) settlements and judgments in the fiscal year ending Sept. 30, 2024. 
DOJ reports that matters that involved the healthcare industry comprised the largest portion of these FCA recoveries in FY 2024, but that “procurement fraud” recoveries, once again, were significant for DOJ this past year.
Among the more notable procurement fraud recoveries from the past year were:

A large government contractor paid $428 million to resolve allegations that it knowingly provided false cost and pricing data when negotiating with the Department of Defense for numerous government contracts and double billed on a weapons maintenance contract, leading to the company receiving profits in excess of negotiated rates. This is the second largest government procurement fraud recovery under the False Claims Act in history.
A large federal contractor paid $70 million to resolve allegations that it overcharged the U.S. Navy for spare parts and materials needed to repair and maintain the primary aircraft used to train naval aviators. The government alleged that the entities involved, which were owned by the same parent company, entered into an improper subcontract that resulted in the Navy paying inflated costs for parts.
A federal contractor paid $811,259 to resolve allegations that it knowingly supplied valves that did not meet military specifications. The government alleged that, under a U.S. Navy contract, the company invoiced for military-grade valves to be installed on certain combat ships when the company knew the valves had not met the testing requirements to be deemed military grade.
DOJ brought claims against a federal contractor and the estate of the founder, majority owner and chief operating officer of the company for allegedly causing the submission of false claims to the Department of Defense under contracts to provide Army combat uniforms. The government alleged that the company and the founder falsified the results of insect repellant testing to conceal failing test results, including by inappropriately combining results from different rounds of testing, re-labeling test samples to hide the true origin of the samples, and performing re-tests of uniforms in excess of what the contract permitted.
A government contractor paid $55.1 million to satisfy a judgment that it made knowingly false claims to the United States when it misrepresented its commercial sales practices during the negotiation and subsequent performance of a General Services Administration (GSA) contract. The court found that the false disclosures induced GSA to accept and then continue to pay higher prices than it would have had it known of the company’s actual commercial pricing practices. The court also found that the company continuously violated the Price Reduction Clause, “a standard term in these types of contracts that requires the contractor throughout performance of the contract to maintain GSA’s price position in relation to an identified customer or category of customer agreed upon in contract negotiations.”
The City of Los Angeles paid $38.2 million to resolve allegations that it failed to meet federal accessibility requirements when it sought and used Department of Housing and Urban Development (HUD) grant funds for multifamily affordable housing. The government alleged that the city failed to make its affordable multifamily housing program accessible to people with disabilities. The government also alleged that the city failed to maintain a publicly available list of accessible units and their accessibility features, and the city, on an annual basis, falsely certified to HUD that it complied with related grant requirements.
Hahn Air, a federal contractor, paid $26.8 million to resolve allegations that it failed to remit to the United States certain travel fees collected from commercial airline passengers flying into or within the United States.
A government contractor paid $18.4 million to resolve allegations that it billed for time not worked at the National Nuclear Security Administration’s Pantex Site near Amarillo, Texas.
A large federal contractor paid $11.8 million to resolve allegations that it submitted false claims to the Federal Emergency Management Agency for the replacement of certain educational facilities located in Louisiana that were damaged by Hurricane Katrina. The government alleged that the contractor submitted to FEMA fraudulent requests for disaster assistance funds and did not correct applications that included materially false design, damage and replacement eligibility descriptions. Combined with settlements with other entities involved in the alleged conduct, the government recovered over $25 million in connection with the disaster assistance applications prepared by the contractor.
