HHS-OIG Highlights Anti-Fraud Safeguards of Drug Manufacturer’s Free Drug Program for Patients in Financial Need

Highlights

The HHS-OIG released a favorable opinion regarding free drugs offered to patients in financial need for a drug manufactured by the pharmaceutical company offering the assistance
The assistance offered under the proposed arrangement did not satisfy a safe harbor to the Anti-Kickback Statute (AKS)
The agency said the proposed arrangement included factors that limited concerns under the AKS and the civil monetary penalty laws 

The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) recently released OIG Advisory Opinion 25-01, a favorable opinion regarding the federal Anti-Kickback Statute (AKS) and civil monetary penalty laws (CMP) against beneficiary inducements as applied to a financial assistance program that would provide an intravenous drug at no cost or with no cost-sharing. The program was offered by a pharmaceutical manufacturer to patients who receive an intravenous drug and meet certain objective eligibility criteria.
The HHS-OIG concluded that the financial assistance offered to patients under the proposed arrangement constitutes remuneration under the AKS and the proposed arrangement did not satisfy a safe harbor under the AKS. However, due to sufficient safeguards in place to mitigate the risk of fraud and abuse, the HHS-OIG would not impose sanctions against the pharmaceutical manufacturer.
Further, the HHS-OIG found that the proposed arrangement would not implicate the CMP because pharmaceutical manufacturers are generally not considered “providers, practitioners, or suppliers” and, therefore, the arrangement is not likely to influence an enrollee’s selection of a provider, practitioner, or supplier. Further, the product is available free of charge to a patient, regardless of the patient’s selection of a prescribing provider or infusion provider, and patients are free to change providers at any time.
Background
The pharmaceutical company manufactures the product, which treats a disease and is intended for use in patients with mild cognitive impairment and confirmed presence of amyloid pathology. Patients prescribed the product receive intravenous infusions every two weeks in an outpatient setting, which could be the treating physician’s office, an outpatient location affiliated with the treating physician, or an independent infusion center unaffiliated with the treating physician. There are currently two other drugs available to treat the disease and two additional such drugs are under development.
The Centers for Medicare & Medicaid Services reimburses for both the product and its administration, under certain circumstances, under Medicare Part B with a 20 percent coinsurance for enrollees, and all state Medicaid programs cover the product with various cost-sharing arrangements for patients.
The proposed arrangement provides the product at no cost to patients, including federal healthcare program beneficiaries, who meet the following eligibility criteria:

Reside in the United States
Be at least 18 years old
Be prescribed the product for an on-label indication
Be uninsured, be insured but with no insurance coverage for the product, or have Medicare coverage for the product but attest that they are unable to afford their out-of-pocket costs associated with the product
Have a household income equal to or below 500 percent of the federal poverty level

Patients must work with their treating physician to complete an application for assistance and submit the application to the pharmaceutical manufacturer. All eligibility determinations are made without regard to the patient’s insurer or insurance plan, prescribing provider, or infusion provider, and patients are free to change physicians or infusion providers at any time without becoming ineligible for the free product.
The provider who administers the free product is permitted to bill Medicare for the administration cost and may bill the patient for any cost sharing related to only the administration cost. If the provider is not able to administer free product to the approved patient, for any reason, the provider is required to return the free product to the manufacturer or certify its disposal pursuant to the manufacturer’s instructions.
Patients must certify that they 1) will not submit a request for payment for the product to any payor, including a federal healthcare program, and 2) understand that no part of the free product or the costs associated with the free product will count toward the patient’s out-of-pocket costs. Further, treating physicians must certify, in writing, that they prescribed the product for an on-label indication, based on the physician’s independent professional judgment of medical necessity taking into account patient safety considerations, and will not submit a request for payment for the free product to any payor and will not seek payment of the free product from the patient.
The facility where the product will be administered must provide an oral acknowledgement that it understands and agrees to follow all requirements associated with receiving the free product, and each shipment includes a letter describing such requirements.
In this request, the manufacturer certified that neither it, nor anyone acting on the manufacturer’s behalf, is permitted to promote the financial assistance program as a reason to prescribe the product to patients, and the manufacturer does not promote the program through direct-to-consumer advertising. Under the proposed arrangement, healthcare professionals may only learn about the program through 1) approved printed materials for general awareness or 2) reimbursement personnel who do not receive sales-based incentive compensation and are permitted to educate pharmacists, physicians, and physician office staff about the program.
Further, the manufacturer certified that it expects patients to learn about the program from 1) the patient’s treating physician, 2) the manufacturer’s patient support hub, or 3) the manufacturer’s patient support website.
The HHS-OIG’s Findings
The HHS-OIG found that the free product constituted remuneration to both patients and administering providers under the AKS, but relied on the following factors in determining that this posed little risk of fraud and abuse:

There are safeguards in place to avoid inappropriately increasing costs to federal healthcare programs. The only cost that could be billed to a federal healthcare program is the administration fee for the infusion, and only where Medicare could have otherwise been billed for the product. In addition, the requestor intends to offer the assistance program indefinitely to patients who continue to meet the eligibility criteria, even if Medicare were to cover the product in the future without the current limitations, so no product will be billed to Medicare for patients who attest that they cannot afford the cost-sharing amounts of the product.
There is a low risk that the program will interfere with clinical decision-making. The treating physician is not permitted to submit a request for payment of the free product to any payor, including but not limited to any federal healthcare program. Although the administering provider may charge the administration fee for patients where Medicare would otherwise reimburse for the product and there is a cost-sharing component for patients, there is a low risk that the administration fee would induce treating physicians to select the product over another product.
The program does not steer patients to a particular provider, practitioner, or insurance plan. Patients are free to change their treating physician or infusion provider at any time without impacting their eligibility for free product.

Ultimately, the HHS-OIG found that the arrangement poses low risk of fraud and abuse due to the safeguards and the patient eligibility criteria.
Key Takeaways
This advisory opinion may be of significant interest to drug manufacturers of new pharmaceutical products. Notably, the HHS-OIG identified the risk that the arrangement could serve as a problematic “seeding” program for the product but determined it would not impose sanctions in part because there is no barrier to the patient switching to competing products and because eligibility for the free product is not contingent on past, present, or future purchases of the product.

New Ohio Transparency Pricing Rules for Hospitals Come with Limits to Targeted Advertising

Starting April 3, Ohio hospitals will have to navigate new requirements under House Bill 173. This law mandates greater transparency in healthcare pricing. It also includes rules for selling or targeted advertising related to personal information hospitals collect from price estimator tools (discussed in more detail below). The law applies to hospitals in Ohio, meaning any facility providing inpatient medical services for periods longer than twenty-four hours.
Transparent pricing for services
HB 173 requires hospitals to provide consumers with public pricing information for all hospital items and services. Hospitals need to create a digital list of all standard charges for their services. This list must be easy to access, free of charge, and cannot require any personal information from the user. These provisions are designed to help patients understand how much they will have to pay for medical services. Hospitals also have to offer information about “shoppable services” (e.g., services that can be scheduled in advance).
To meet this transparency requirement, hospitals either must provide a list of shoppable services, or provide an internet-based price estimator tool that helps patients estimate costs for these types of procedures.
Targeted advertising
For hospitals that decide to use a price estimator tool, there are restrictions on how personal information the tool collects can be used. Specifically, the law prohibits hospitals from using personal information collected from the use of the tool for targeted advertising. The law defines targeted advertising as displaying an ad that is selected based on personal data obtained from the use of a hospital’s internet-based price estimator tool by a person in Ohio. This means that hospitals cannot show consumers specific ads based on the information a person provides to estimate healthcare costs. Hospitals are also not allowed to sell personal information collected from price estimator tools. While “sell” is not defined under the law, it is most likely to be interpreted closer to HIPAA definitions than state consumer privacy laws. Sell under HIPAA means direct or indirect remuneration in exchange for PHI.
The law provides specific exclusions for what is considered targeted advertising. Hospitals can still advertise based on a user’s direct request for information or their activities on the hospital’s own websites. Ads that are shown based on the context of a user’s search or visit are also excluded. Additionally, using data to measure how effective ads are is not considered targeted advertising. However, covered entities must continue to be mindful of OCR’s guidance with respect to the use of tracking technologies as well.
Putting it into Practice: Hospitals in Ohio may need to adopt new practices to remain compliant with the law. This includes making sure their websites provide easy-to-find pricing information for patients. Additionally, hospitals should confirm personal information from price estimator tools isn’t used for targeted advertising. 

McDermott+ Check-Up: March 21, 2025

THIS WEEK’S DOSE

Government Is Funded, Congress at Home for the Week. The continuing resolution signed by President Trump last Saturday funds the government through the rest of the fiscal year.
Senate Finance Committee Holds CMS Administrator Nomination Hearing. Centers for Medicare & Medicaid Services (CMS) administrator nominee Mehmet Oz, MD, testified.
President Trump Issues EO on Domestic Preparedness. Implementation of this executive order (EO) will likely have implications for drug supply chains and pandemic preparedness.

CONGRESS

Government Is Funded, Congress at Home for the Week. On March 15, 2025, President Trump signed a continuing resolution (CR) into law that funds the government and provides short-term extensions of certain healthcare programs and provisions, including Medicare telehealth flexibilities and community health center funding, through September 30, 2025, the end of the fiscal year. The CR did not include a Medicare physician payment fix. Instead, Republican leadership committed to include a fix in the upcoming budget reconciliation bill to secure votes from the GOP Doctors Caucus. Given the timeline of a potential reconciliation bill, it is uncertain whether Congress will consider any mitigation to the 2025 Medicare physician payment cut that is currently in effect. The House passed the CR mostly along party lines in a 217 – 213 vote. In the Senate, after much internal debate, 10 Democrats joined all but one Republican in a 62 – 38 vote to advance the CR to a final vote, ultimately allowing Republicans to pass it with a simple majority. Congress then went home for a recess week. Both the House and Senate return on March 24, 2025, for a three-week stint until they hit a two-week April recess around the Easter and Passover holidays.
Senate Finance Committee Holds CMS Administrator Nomination Hearing. In the hearing on March 14, 2025, members from both parties discussed concerns about access to care in rural areas as well as high prior authorization and upcoding usage by Medicare Advantage (MA) insurers. Mehmet Oz, MD, agreed with members and stated that he would seek to address upcoding in MA as CMS administrator – which is notable in light of his previous outspoken endorsements of the program. Republicans focused on the insights Oz can bring to CMS as a physician, while Democrats pressed to see if Oz supports reforming or cutting Medicaid, including through work requirements.
ADMINISTRATION

President Trump Issues EO on Domestic Preparedness. The “Achieving Efficiency Through State and Local Preparedness” EO seeks to expand the role of states and localities in preparedness, which will likely have impacts on drug supply chain issues and future pandemic response. The EO directs the Assistant to the President for National Security Affairs, in coordination with other relevant agencies, to:

Publish a national resilience strategy within 90 days
Review critical infrastructure policies, including the following EOs, and recommend a risk-informed approach within 180 days:

EO 14017, “America’s Supply Chains”
EO 14123, “White House Council on Supply Chain Resilience”

Review all national continuity policies, including the following, and recommend options to modernize and streamline the current approach within 180 days:

National Security Memorandum 32, National Continuity Policy

Review the findings of the Federal Emergency Management Agency Council and provide recommendations to edit policies, including the following, to reformulate the process and metrics for federal responsibility within 240 days:

Presidential Policy Directive 8, National Preparedness

Create a National Risk Register within 240 days

The EO also directs the secretary of homeland security to propose policy changes to improve federal-state communication. A fact sheet can be found here.
QUICK HITS

House Democrats Launch Congressional Doctors Caucus. The Congressional Doctors Caucus will work to advance “pragmatic healthcare policy.” This caucus joins the long-established and larger GOP Doctors Caucus in the House. The new Democratic caucus comprises:

Ami Bera, MD (CA) – internal medicine
Herb Conaway, Jr., MD (NJ) – internal medicine
Maxine Dexter, MD (OR) – pulmonary and critical care
Kelly Morrison, MD (MN) – obstetrics and gynecology
Raul Ruiz, MD (CA) – emergency medicine
Kim Schrier, MD (WA) – pediatrics

CMS Announces Manufacturer Participation in Current Round of Medicare Drug Price Negotiation. CMS stated that agreements have been signed with the manufacturers of the 15 drugs chosen for participation in the second cycle of Medicare drug negotiations.
FDA Study Shows Impact of E-Cigarette Prevention Campaign. The US Food and Drug Administration (FDA) study found that “The Real Cost” campaign successfully prevented 450,000 new youth e-cigarette users between 2023 and 2024. Read the press release here.
HHS Renews Opioid Crisis PHE Declaration. US Department of Health & Human Services (HHS) Secretary Kennedy renewed the opioid crisis public health emergency (PHE) declaration for another 90 days. The PHE was set to expire on March 21, 2025, and allows more federal coordination efforts and flexibilities.
HHS, FDA Announce Operation Stork Speed. This initiative seeks to address the safety, reliability, and nutrition of infant formula by starting the statutorily required nutrient review, increasing testing for heavy metals, and extending the personal importation policy. HHS Secretary Kennedy was outspoken in support of these steps.
OCR Takes Action Against Maine for Alleged Title IX Violation. Following an investigation, the HHS Office for Civil Rights (OCR) stated that Maine’s Department of Education and other entities in the state are in violation of President Trump’s “Keeping Men out of Women’s Sports” EO because they allegedly allowed transgender female students to play in women’s sports. OCR’s letter to the entities requires them to voluntarily commit to resolve the matter within 10 days or risk referral to the US Department of Justice. Read the press release here.
FTC Requests Stay of Noncompete Rule, Citing New Administration. The Federal Trade Commission (FTC) filed motions requesting a 120-day stay of the agency’s appeal of district court decisions blocking the Biden-era FTC proposed ban on noncompete agreements. This is a signal that FTC’s new leadership is rethinking the agency’s defense of the proposed rule. FTC Chairman Ferguson also released a memo creating the Joint Labor Task Force, which will evaluate policy options related to noncompete agreements.

NEXT WEEK’S DIAGNOSIS

Congress will return to session on Monday to continue work on budget reconciliation. While each body has passed a budget resolution, they must now agree to and pass a unified budget resolution through both bodies in order for reconciliation to proceed. The House Veterans’ Affairs Health Subcommittee will hold a hearing on healthcare access and a markup of several healthcare-related bills, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing on online safety. On the regulatory side, we await the release of the inpatient prospective payment system proposed rule.

Employment Law Update: New Compensation Limits and Statutory Payment Rates

Under the Employment Rights (Increase of Limits) Order 2025 (the “Employment Order”), there will be changes to the compensation limits that apply to certain awards that Employment Tribunals can make and other amounts payable under employment legislation with effect from 6 April 2025. The Employment Order applies to England, Wales and Scotland.
The new limits will apply where the ‘appropriate date’ for the cause of action occurs on or after 6 April 2025. For example, in the case of unfair dismissal, the rates apply to all dismissals where the effective date of termination falls on or after this date. If the appropriate date (e.g., the date of dismissal) falls before 6 April 2025, the previous limits mentioned below will apply irrespective of the date on which the compensation is awarded. 
Here is a brief overview of the changes which will take effect from 6 April 2025 under the Employment Order:

the maximum compensatory award for unfair dismissal is increasing from £115,115 to £118,223 (the upper limit remains the lower of a year’s salary or the maximum statutory limit of £118,223);
the maximum amount of a ‘week’s pay’ (for the purpose of calculating statutory redundancy payments and the basic award for unfair dismissal) is increasing from £700 to £719;
the limit on the compensatory award for failure to allocate and pay tips fairly is increasing from £5,000 to £5,135;
guarantee daily pay is increasing from £38 to £39; and
the minimum basic award in cases where a dismissal is unfair because of reasons to do with health and safety, working time, employee representative, trade union, or occupational pension trustees is increasing from £8,533 to £8,763.

Additionally, the Social Security Benefits Up-rating Order 2025 (the “Social Security Order”) will increase the rate of payment for a range of statutory leave entitlements, also with effect from 6 April 2025. Most of the statutory benefits will increase by 1.7% from the previous year’s rates, in line with inflation. These changes are part of the UK Government’s reforms seeking to better support those in financial need.
Here is a brief overview of the changes which will take effect from 6 April 2025 under the Social Security Order:

Statutory sick pay is increasing from £116.75 to £118.75 per week.
The below payments are all increasing from £184.03 to £187.18 per week or 90% of the employee’s average weekly earnings, whichever is lower:

statutory maternity pay (after the first six weeks);
statutory adoption pay (after the first six weeks up to thirty-nine weeks);
statutory paternity pay (up to two weeks from the date agreed with the employee);
statutory shared parental pay (up to thirty-seven weeks);
statutory parental bereavement pay (up to two weeks per bereavement); and
maternity allowance (although the payment increase for maternity allowance will only apply from 7 April 2025).

The earnings threshold to be eligible for all the above payments is also increasing slightly from £123 to £125 weekly.

Maya Sterrie, trainee in the Employment Litigation practice, contributed to this article.

Key Considerations Before Negotiating Healthcare AI Vendor Contracts

The integration of artificial intelligence (AI) tools in healthcare is revolutionizing the industry, bringing efficiencies to the practice of medicine and benefits to patients. However, the negotiation of third-party AI tools requires a nuanced understanding of the tool’s application, implementation, risk and the contractual pressure points. Before entering the negotiation room, consider the following key insights:
I. The Expanding Role of AI in Healthcare
AI’s role in healthcare is rapidly expanding, offering a wide range of applications including real-time patient monitoring, streamlined clinical note-taking, evidence-based treatment recommendations, and population health management. Moreover, AI is transforming healthcare operations by automating staff tasks, optimizing operational and administrative processes, and providing guidance in surgical care. These technological advancements can not only improve efficiency but also enhance the quality of care provided. AI-driven customer support tools are also enhancing patient experiences by offering timely responses and personalized interactions. Even in employment recruiting, AI is being leveraged to identify and attract top talent in the healthcare sector.
With such a wide array of applications, it is crucial for stakeholders to understand the specific AI service offering when negotiating a vendor contract and implementing the new technology. This knowledge ensures that the selected AI solution aligns with the organization’s goals and can be effectively integrated into existing systems, while minimizing each party’s risk.
II. Pre-Negotiation Strategies
Healthcare AI arrangements are complex, often involving novel technologies and products, a wide range of possible applications, important data use and privacy considerations and the potential to significantly impact patient care and patient satisfaction. Further, the regulatory landscape is developing and can be expected to evolve significantly in the coming years. Vendors and customers should consider the following when approaching a negotiation:
Vendor Considerations:

Conduct a Comprehensive Assessment: Understand the problem the product is addressing, expected users, scope, proposed solutions, data involved, potential evolution, and risk level.
Engage Stakeholders: Schedule kick-off calls with the customer’s privacy, IT, compliance, and clinical or administrative teams.
Documentation: Maintain summary documentation detailing model overview, value proposition, processing activities, and privacy/security controls.
Collaborate with Sales: Develop strategies with the sales team and consider trial periods or pilot programs. Plan for the progression of these programs. For example, even if a pilot program is free, data usage terms should still apply.

Customer Considerations:

Evaluate Within AI Governance Scope: Don’t treat an AI contract like a normal tech engagement. Instead, approach this arrangement within a larger AI governance scope, including accounting for the introduction of ethical frameworks, data governance practices, monitoring and evaluation systems, and related guardrails to work in tandem with the product’s applications.
Engage Stakeholders: Collaborate with legal, privacy, IT, compliance, and other relevant stakeholders from the outset.
Consider AI-Specific Contracts: Use AI-specific riders or MSAs and review standard vendor forms to streamline negotiations.
Assess Upstream Contract Requirements: Ensure upstream requirements can be appropriately reflected downstream.
Perform Vendor Due Diligence: As with any nascent industry, some vendors will not survive or may significantly change their focus or products, which might impact support or the long-term viability of the service. Learn about your vendor and ask questions about their financial stability, privacy and security posture.

III. AI Governance and Risk Assessment
Evaluating AI-related risk requires understanding risk across the full lifecycle of an AI product, including its model architecture, training methods, data types, model access, and specific application context. In the healthcare space, this includes understanding the impact to operations, the effect on clinical care and any other impact to patients, the amount of sensitive information involved, and the degree of visibility and/or control the organization has over the model.[1] For example, the risk is much larger with respect to AI that is used to assist clinical decision-making for diagnostics (e.g., assessing static imaging in radiology); whereas, technology used for limited administrative purposes carries a comparatively smaller risk. Here are three resources that healthcare organizations can use to evaluate and address AI-related risks:
A. HEAT Map
A HEAT map can be a helpful tool for evaluating the severity of risks associated with AI systems. It categorizes risks into different “heat” levels (e.g., informational, low, medium, high, and critical). This high-level visual representation can be particularly helpful when a healthcare organization is initially deciding whether to engage a vendor for a new AI product or platform. It can help the organization identify the risk associated with rolling out a given product and prioritize risk management strategies if it moves forward in negotiating an agreement with that vendor.
For example, both the customer and the vendor might consider (and categorize within the HEAT map) what data the vendor will require to perform its services, why the vendor needs it, who will receive the data, and what data rights the vendor might be asking for, how that data is categorized, whether any federal, state or global rules impact the acceptance of that data, and what mitigations are necessary to account for data privacy.
B. NIST AI Risk Management Framework
The National Institute of Standards and Technology (NIST) has created the NIST AI Risk Management Framework to guide organizations in identifying and managing AI-related risks.[2] This framework offers an example of a risk tiering system that can be used to understand and assess the risk profile of a given AI product, and ultimately guide organizations in the creation of risk policies and protocols, evaluation of ongoing AI rollouts, and resolution of any issues that arise. Whether healthcare organizations choose to adopt this risk tiering approach or apply their own, this framework reminds organizations of the many tools at their disposal to manage risk during the rollout of an AI tool, including data protection and retention policies, education of users, incident response protocols, auditing and assessment practices, changes to management controls, secure software development practices, and stakeholder engagement.
C. Attestations and Certifications
Attestations and certificates (e.g., HITRUST, ISO 27001, SOC-2) can also help your organization ensure compliance with industry standard security and data protection practices. Specifically, HITRUST focuses on compliance with healthcare data protection standards, reducing the risk of breaches and ensuring AI systems that handle health data are secure; ISO 27001 provides a framework for managing information security, helping organizations to safeguard AI data against unauthorized access and breaches; and SOC-2 assesses and verifies a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy, in order to ensure AI services are trustworthy. By engaging in the process to meet these certification standards, the organization will be better equipped to issue-spot potential problems and implement corrective measures. Also, these certifications can demonstrate to the public that the organization takes AI risks seriously, thereby strengthening trust and credibility amongst its patients and business partners.
IV. Contract Considerations
Once parties have assessed their organizational needs, engaged applicable stakeholders/collaborators, and reviewed their risk exposure from an AI governance perspective, they can move forward in negotiating the specific terms of the agreement. Here’s a high-level checklist of the terms and conditions that each party will want to pay careful attention to in negotiations, along with a deeper dive into the considerations surrounding data use and intellectual property (IP) issues:
A. Key Contracting Provisions:

Third-party terms
Privacy and security
Data rights
Performance and IP warranties
Service level agreements (SLAs)
Regulatory compliance
Indemnification (IP infringement, data breaches, etc.)
Limitations of liability and exclusion of damages
Insurance and audit rights
Termination rights and effects

B. Data Use and Intellectual Property Issues
When negotiating the terms and conditions related to data use, ownership, and other intellectual property (IP) issues, each party will typically aim to achieve the following objectives:
Customer Perspective:

Ensure customer will own all inputs, outputs, and derivatives of its data used in the application of the AI model;
Confirm data usage will be restricted to service-related purposes;
Confirm the customer’s right to access data stored by vendor or third-party as needed. For example, the customer might want to require that the vendor provide any relevant data and algorithms in the event of a DOJ investigation or plaintiff lawsuit;[3]
Aim for broad, protective IP liability and indemnity provisions; and
Where patient health information is involved, ensure that it is being used in compliance with HIPAA. Vendors want to train their algorithm on PHI. Unless the algorithm is only being trained for the benefit of the HIPAA-regulated entity and fits within a healthcare operations exception, a HIPAA authorization from the data subject will typically be required to train the algorithm for broader purposes.

Vendor Perspective:

Ensure vendor owns all services, products, documentation, and enhancements thereto;
Access customer data sources for training and improving machine learning models; and
Retain ownership over outputs. From the vendor’s perspective, any customer data that is inputted into the vendor’s model is modified by that model or product, resulting in the blending of information owned by both sides. One potential solution to this shared ownership issue is for the vendor to grant the customer a longstanding license to use that output.

V. Conclusion
In conclusion, negotiating contracts for AI tools in healthcare demands a comprehensive understanding of the technology, data use, risks and liabilities, among other considerations. By preparing effectively and engaging the right stakeholders and collaborators, both vendors and customers can successfully navigate these negotiations.

FOOTNOTES
[1] UC AI Council Risk Assessment Guide.
[2] NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (July 2024).
[3] Paul W. Grimm et al., Artificial Intelligence as Evidence, 19 Northwestern J. of Tech. and Intellectual Prop. 1, 9 (2021).

FDA’s Semaglutide Shortage Resolution: Legal Implications and Risks for Compounding Pharmacies

Last month, the U.S. Food and Drug Administration (the “FDA”) announced in a Declaratory Order the resolution of the shortage of semaglutide injection products Wegovy and Ozempic (the “February Declaratory Order”). On March 10th, the FDA issued guidance clarifying that 503A and 503B drug compounders must soon cease compounding semaglutide injection products[i] or risk enforcement action.[ii] This has a significant impact on compounding pharmacies as, under the Federal Food, Drug, and Cosmetic Act (the “FD&C”), drug compounders are permitted to compound their own copies of a patented drug if the FDA determines it is in shortage. Due to high demand for the drugs, Wegovy was added to the FDA’s drug shortage list in March 2022, and Ozempic in August 2022.[iii] Wegovy and Ozempic are the only FDA-approved semaglutide injection products.[iv]
Legal Challenges and Practical Impacts of the FDA’s Declaratory Order
After the February Declaratory Order was issued, the Outsourcing Facilities Association (the “OFA”) promptly filed a lawsuit against the FDA over its decision and a motion for a preliminary injunction to prevent the FDA from removing semaglutide from the drug shortage list.[v] U.S. District Court Judge Mark Pittman, who is hearing the case in a federal court in Texas, accepted Novo Nordisk’s renewed motion to intervene in the case to support its claim that the company can meet the high demand for its products.[vi]
In light of the OFA’s lawsuit, the FDA issued clarifying guidance on when compounders must cease compounding semaglutide. For compounders that have relied on the drug shortage to compound semaglutide, the FDA indicated that it will delay any enforcement action until the following dates, in order to avoid unnecessary disruption to patient treatment:

For state-licensed pharmacists or physicians compounding under Section 503A of the FD&C: April 22, 2025, or until the District Court issues a decision on the OFA’s preliminary injunction motion, whichever is later; and
For outsourcing facilities compounding under Section 503B of the FD&C: May 22, 2025, or until the District Court issues a decision on the OFA’s preliminary injunction motion, whichever is later.

The FDA noted that this delay in enforcement will allow patients a reasonable amount of time to transfer their prescriptions to different pharmacies to obtain the FDA-approved drug as well as to allow local pharmacies to adjust their stocking and ordering patterns to account for shifts in patient demand.
Bases for the FDA’s Decision
The FDA is required to “maintain an up-to-date list of drugs that are determined by [the FDA] to be in shortage in the United States”[vii] with a “shortage” being “a period of time when the demand or projected demand for the drug within the United States exceeds the supply of the drug.”[viii] To reach its decision, the FDA noted its consideration of information from numerous stakeholders, including individuals, telehealth companies, pharmacy compounders, associations representing pharmacy compounders, outsourcing facilities, and Novo Nordisk, the manufacturer of Wegovy and Ozempic. Novo Nordisk provided the FDA with information related to its production and inventory of the drugs, including quantities supplied and demanded, projected supply and demand in future months, and wholesaler inventory data. The FDA concluded that Novo Nordisk successfully demonstrated that its supply currently meets or exceeds the demand for its semaglutide injection products, and Novo Nordisk has developed sufficient reserves such that supply will meet or exceed projected future demands. The decision memorandum “Resolution of Semaglutide Injection Product Shortage and Supply Status”, dated February 21, 2025, sets forth the FDA’s full legal analysis upon which the February Declaratory Order is based.[ix]
The FDA acknowledged that it has received reports that some patients and pharmacists are not able to obtain the semaglutide injection products through the normal supply chain. However, the FDA reasoned these instances of inaccessibility are likely caused “by the practical dynamics of the part of the supply chain between Novo Nordisk and [its] customers, including wholesale distributors and pharmacies” rather than by a national shortage of supply.[x]
What’s Next for Compounders of Semaglutide?
While the OFA’s lawsuit and request for a preliminary injunction have yet to be decided, recent similar lawsuits inform the probable outcome. Specifically, the OFA previously filed a lawsuit against the FDA in October regarding the removal of tirzepatide from the shortage list. The OFA’s October suit delayed enforcement for a few months while the FDA reconsidered its decision, but on March 5th, the court upheld the FDA’s determination that the tirzepatide shortage had ended.[xi] While it is possible that the OFA’s suit challenging the February Declaratory Order could end differently, it is likely to have a similar outcome as the OFA’s challenge of tirzepatide’s removal from the shortage list. That is, enforcement may be delayed slightly, but the FDA will likely affirm its declaration that the semaglutide shortage is over.
It is expected that some compounding pharmacies, despite the February Declaratory Order, may continue to compound modified versions of semaglutide, such as in alternative doses or with additional ingredients, taking the position that these versions are different from the patented versions of semaglutide. However, this is a complex area of law currently being litigated with respect to tirzepatide. In addition, drug manufacturers have been actively issuing cease and desist letters and filing lawsuits against compounding pharmacies that produce tirzepatide. It is reasonable to expect that compounders of semaglutide will be met with similar action if they continue to compound modified versions of semaglutide after April 22nd or May 22nd, as applicable. As such, any compounding of drugs not on the shortage list, including semaglutide injection products, should be approached with caution given the current legal and regulatory landscape.
FOOTNOTES
[i] Rybelsus (semaglutide) tablets are FDA-approved for oral use and were not in shortage. The FDA’s February Declaratory order specifically addresses the compounding of semaglutide injection products that are “essentially a copy of a commercially available drug product” on the basis of the drug shortage exception.
[ii] U.S. Food and Drug Administration, Declaratory Order: Resolution of Shortages of Semaglutide Injection Products (Ozempic and Wegovy) (Feb. 21, 2025) [hereinafter “February Declaratory Order”].
[iii] February Declaratory Order, page 1.
[iv] February Declaratory Order, page 4.
[v] Outsourcing Facilities Ass’n v. United States Food & Drug Admin., 4:25-cv-174 (N.D. Tex. Feb. 24, 2025).
[vi] Kevin Dunleavy, In FDA obesity drug battle with compounders, Texas court allows Novo Nordisk to weigh in, Fierce Pharma (Mar. 6, 2025, 8:45 AM).
[vii] February Declaratory Order, page 3 (citing Federal Food, Drug, and Cosmetic Act § 506E(a)).
[viii] February Declaratory Order, page 3 (citing Federal Food, Drug, and Cosmetic Act § 506C(h)(2); 21 C.F.R. 314.81(b)(3)(iii)(f)).
[ix] February Declaratory Order, page 1.
[x] February Declaratory Order, page 2.
[xi] Outsourcing Facilities Ass’n v. United States Food & Drug Admin., 4:24-cv-0953-P (N.D. Tex. Mar. 5, 2025).

Insider Threats: Potential Signs and Security Tips

In recent news, New York’s Stram Center for Integrative Medicine reported a security incident involving an employee misusing a patient’s payment card information. According to a breach report filed with the U.S. Department of Health and Human Services Office for Civil Rights, the incident may have involved 15,263 patients’ information—even though the bad actor only misused one patient’s payment card. The individual has been arrested and is no longer employed. According to the Stram Center, social security numbers are not involved, but it is offering complimentary credit monitoring and identity protection services to affected individuals.
When we hear “data breach,” we’re likely to think of ransomware incidents, business email compromises, and other cyberattacks from external threats. However, according to a Cybersecurity Insiders report, 83% of organizations reported at least one insider attack in 2024. According to IBM’s 2024 Cost of a Data Breach report, data breaches resulting from insider threats were the costliest, at $4.99 million on average. While insider threats may not make headlines as frequently, organizations should take measures to mitigate risks surrounding insider data incidents. Insider threats include unintentional errors, such as emailing personal information to the wrong recipient, misplacing documents, and speaking about personal information among those without authorized access. Insider threats also include malicious insider threats, such as disgruntled employees.
Organizations should monitor for several signs that may signal a malicious insider threat:

Timing of access – Malicious insiders may access the network and systems at unusual times. If an employee typically only works night shifts but the user’s access logs suddenly reflect daytime activity, this could indicate potential malicious activity.
Unexpected spikes in network traffic – Atypical spikes in network traffic might reflect that a user is downloading or copying large volumes of data.
Unusual requests – If a user is requesting access to applications or information that are beyond the scope of their role or unusual for team members in similar roles, this could signal malicious intent.
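The three signs listed above can be checked against access logs by comparing new activity with a per-user and per-role baseline. The following Python is an added illustration, not part of the original article; the log format, user names, role mapping, resources and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed user-to-role mapping (assumption, not from the article).
USER_ROLE = {"nurse_a": "nurse", "nurse_b": "nurse", "biller_a": "billing"}


def make_baseline():
    """Constructed history: 14 days of normal activity as
    (user, timestamp, resource, bytes_transferred) tuples."""
    events = []
    start = datetime(2025, 3, 1)
    for day in range(14):
        d = start + timedelta(days=day)
        jitter = 1_000 * (day % 3)
        # nurse_a works night shifts only.
        events.append(("nurse_a", d.replace(hour=22), "ehr", 40_000 + jitter))
        events.append(("nurse_a", d.replace(hour=23), "ehr", 55_000 + jitter))
        events.append(("nurse_b", d.replace(hour=9), "ehr", 50_000))
        events.append(("nurse_b", d.replace(hour=14), "scheduling", 5_000))
        events.append(("biller_a", d.replace(hour=10), "billing_db", 80_000 + 2 * jitter))
    return events


def build_profiles(events):
    """Learn usual hours per user, daily volume per user, resources per role."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    role_resources = defaultdict(set)
    for user, ts, resource, nbytes in events:
        hours[user].add(ts.hour)
        daily[user][ts.date()] += nbytes
        role_resources[USER_ROLE.get(user)].add(resource)
    volume = {}
    for user, totals in daily.items():
        values = list(totals.values())
        volume[user] = (mean(values), pstdev(values))
    return hours, volume, role_resources


def hour_is_usual(hour, usual_hours, tolerance=1):
    """True if hour is within `tolerance` hours of a baseline hour,
    measured on a 24-hour circle so that 23:00 and 00:00 are adjacent."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance
               for h in usual_hours)


def detect(new_events, profiles, z_threshold=3.0):
    """Return (user, finding, detail) tuples for the three signs."""
    hours, volume, role_resources = profiles
    findings = []
    day_totals = defaultdict(int)
    for user, ts, resource, nbytes in new_events:
        # Sign 1: timing of access outside the user's usual hours.
        if not hour_is_usual(ts.hour, hours.get(user, set())):
            findings.append((user, "unusual_time", ts.isoformat()))
        # Sign 3: resource that nobody in the same role used in the baseline.
        if resource not in role_resources[USER_ROLE.get(user)]:
            findings.append((user, "out_of_role_request", resource))
        day_totals[(user, ts.date())] += nbytes
    # Sign 2: daily transfer volume far above the user's own baseline.
    for (user, day), total in sorted(day_totals.items()):
        avg, sd = volume.get(user, (0, 0))
        # Floor the deviation at 10% of the mean so a perfectly flat
        # baseline does not turn every small change into an alert.
        limit = avg + z_threshold * max(sd, 0.1 * avg)
        if total > limit:
            findings.append((user, "volume_spike", f"{day} {total} bytes"))
    return findings


# Constructed new activity to evaluate against the baseline.
NEW_EVENTS = [
    ("nurse_a", datetime(2025, 3, 15, 22, 5), "ehr", 42_000),          # normal
    ("nurse_a", datetime(2025, 3, 16, 13, 30), "ehr", 45_000),         # daytime access
    ("nurse_b", datetime(2025, 3, 15, 9, 10), "billing_db", 4_000),    # outside role
    ("biller_a", datetime(2025, 3, 15, 10, 20), "billing_db", 900_000),  # bulk copy
    ("nurse_b", datetime(2025, 3, 15, 14, 0), "scheduling", 5_000),    # normal
]

if __name__ == "__main__":
    for finding in detect(NEW_EVENTS, build_profiles(make_baseline())):
        print(finding)
```

Each finding is a prompt for review rather than proof of misuse; a shift swap or a one-off reporting task produces the same signals.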

Several security practices can help organizations reduce the risk of insider attacks:

Endpoint monitoring – Constant endpoint monitoring can help organizations analyze user and entity behavior, scan networks, and detect potential early signs of insider activity.
Role-based access – Employees should only have access to the information that they need to fulfill their job responsibilities. Providing employees access on a least-privilege basis helps minimize the risk of unauthorized access and misuse.
Culture of awareness – Regular cybersecurity training, including on best practices such as locking one’s computer and maintaining proper password hygiene, can help minimize unauthorized insider access.

Since malicious insiders often already have some level of existing access to an organization’s systems and knowledge of business practices and organization policies, such threats can cause significant harm. Insider threat prevention should be an integral component of all organizations’ overall cybersecurity posture.

What Is the Meaning of a Whistleblower in Healthcare?

Learning how to report Medicare, Medicaid, TRICARE, FEHB, and VA health fraud, and other false claims involving federal funds is crucial when it comes to protecting patients as well as taxpayers and keeping these healthcare programs solvent. Most whistleblowers are ordinary workers who are just doing their job when they come across fraudulent practices of their employer. Acting as a healthcare whistleblower ensures that the U.S. healthcare industry prioritizes patients over profit. 
What Is a Whistleblower?
A whistleblower is someone who reports evidence of fraud, waste, abuse, or other wrongdoing within an organization. In healthcare, whistleblowers are often nurses, doctors, medical office staff, pharmaceutical or EHR sales representatives, or other employees of healthcare organizations. To protect these taxpayer-funded health care programs, organizational insiders or whistleblowers (known as relators) can help.
Individuals who wish to report their employer for defrauding one or more of these government healthcare programs can do so by obtaining an experienced qui tam attorney. Under the False Claims Act, healthcare whistleblowers may be eligible to receive a financial reward and certain protection against retaliation when they report their employers for defrauding a government healthcare program. By reporting through a False Claims Act qui tam suit, they may be able to receive from 10% to 30% of the government’s total recovery when successful.
What Are the Most Common Types of Healthcare Fraud?
Some of the most common kinds of healthcare fraud include:

Medicare Advantage fraud: Medicare Advantage (Medicare Part C), an insurance program funded by taxpayers, has been enormously popular with seniors but is also subject to being defrauded. One common fraud by healthcare organizations and plans has been to make their patients appear sicker than they are to submit false and inflated claims for payment to the government program. Medicare Advantage insurers have paid settlements for such violations under the False Claims Act thanks to whistleblowers (individuals who reported their employer for defrauding the government).
Kickback schemes: Under the Stark Law, physicians are prohibited from making referrals that are connected to their own financial interests. However, many nursing homes, home healthcare providers, hospitals, provider groups, managed care organizations, pharmacies, drug manufacturers, laboratories, durable medical equipment (DME) providers, and other health care organizations have unlawfully offered financial incentives to induce referrals to obtain new Medicare, Medicaid, TRICARE and VA Health insured patients. Pharmaceutical companies have been held accountable under the False Claims Act when they provide doctors and their staff speaking fees, expensive dinners, sporting event tickets, airfare, and other benefits to physicians to induce them to prescribe their drugs and products. All of these are examples of kickbacks, which are illegal in government healthcare programs and can lead to the payment of damages and civil penalties and a reward for whistleblowers.
Upcoding and billing for services not rendered: Upcoding is fraudulent medical billing in which a government-insured claim is submitted for payment regarding a service that is more expensive than the service that was actually performed. Billing for services not rendered is just that: billing the government for services that were never provided to the patient. Both are illegal under the False Claims Act.
Billing for unnecessary services: Health care fraud is a leading source of False Claims Act qui tam settlements and judgments. These recoveries restore funds to federal programs such as Medicare, Medicaid, and TRICARE, the health care program for service members and their families. But just as important, in many cases, enforcement of the False Claims Act also protects patients from medically unnecessary or potentially harmful actions.
Pharmaceutical fraud: Pharmaceutical companies have unprecedented power in the American economy to set prices for lifesaving drugs and treatments. False Claims Act qui tam suits have involved allegations that drug companies conspired to fix the price of various generic drugs, which led to higher drug prices for federal health care programs. Other schemes involve underpaying rebates under the Medicaid fraud rebate program.
At home healthcare fraud: At home healthcare is a booming industry, with over 3 million Americans receiving skilled nursing or long-term care at home. However, approximately 84% of home health agencies are for-profit corporations, according to the CDC. Home health care is rife with opportunities for fraud as well as patient abuse. Examples include falsely certifying to the government the number of actual hours or care provided, claiming care was provided by qualified staff when it was done by unskilled individuals, billing for unnecessary services, upcoding and billing for services not rendered.

The Department of Justice recovered over $1.67 billion in the last fiscal year that was lost to healthcare fraud. This was due in no small part to the actions of healthcare whistleblowers who simply wanted to do the right thing. Over the course of the last fiscal year 2024, false claims from managed care providers, hospitals, pharmacies, pharmaceutical companies, laboratories, and physicians accounted for over half of the total federal fraud reported and recovered through qui tam lawsuits. During the same period, the relator shares for the individuals who exposed fraud and false claims by filing qui tam actions exceeded $400 million paid directly to these individuals who stepped up and did the right thing.
Why Is Whistleblowing Important in Healthcare?
Blowing the whistle on healthcare fraud protects patients and prevents the government health care programs (Medicare, Medicaid, FEHB, VA health, and TRICARE) from becoming insolvent. Whistleblowing can help to deter conduct whereby healthcare providers are influenced by improper financial considerations over providing patients the right care at the right time. Other conduct such as those identified here can put patients at risk of harm.
There is simply no reason why taxpayers should pay higher costs to line the pockets of fraudulent health care organizations or providers. Whistleblowers can also help government enforcement agencies to get rid of the bad apples in the health care industry, a goal the entire industry should be able to get behind. Reporting medical fraud allows patients to get the care they deserve and deter future misconduct of organizations and providers that attempt to take advantage of the system. Federally funded healthcare is in place to protect those who need and deserve a safety net for their care, including seniors (who will be all of us one day), U.S. military veterans, U.S. active duty military members and their families, lower-income Americans including children. Those who perpetrate healthcare fraud schemes take advantage of vulnerable populations and also reduce the pool of healthcare funds available for us all. Healthcare organizations and providers should not get to enrich themselves at the expense of patients and taxpayers.
What Is Qui Tam in Healthcare?
Qui tam is a provision of law that allows whistleblowers the opportunity to sue on behalf of the government and collect rewards. Whistleblowers are known as relators under the False Claims Act, which is the most powerful enforcement tool to recover misspent taxpayer funds. Qui tam suits in the healthcare space rest upon allegations involving healthcare organizations that submit or cause another organization to submit false claims to the government in order to wrongfully claim or keep funds under the Medicare, Medicaid, TRICARE, VA Health or FEHB programs. If you have information relating to Medicare Advantage fraud, health care kickback schemes, Stark violations, upcoding or billing for services not rendered, billing for unnecessary services, drug price-fixing or Medicaid best price or rebate violations, home health fraud, or any other kind of health care fraud committed by your employer or a competitor in your space, you may be able to become a qui tam relator and be eligible for a reward.
What Protections Do Healthcare Whistleblowers Receive?
If you report fraudulent practices such as these under the False Claims Act, you can receive protections if your employer retaliates or discriminates against you due to your disclosure. With a federal right of action, your qui tam attorney can sue on your behalf in order to receive:

Reinstatement at prior seniority level
Up to double back pay with interest
Front pay, in cases where reinstatement is not possible
Additional damages
Attorneys fees and costs

However, reporting as soon as possible is advisable in order to ensure that this statute applies. If you are fired before you are able to report fraud to the government, you may not only lose access to valuable information that can contribute to your claim, but you also may not be able to sue for FCA whistleblower protections.

2025 Updates to Washington’s Paid Sick Leave Law: What Employers Need to Know

Washington expanded the covered uses and definition of a family member under Washington’s paid sick leave law effective January 1, 2025.
Under Washington’s paid sick leave law, employers must provide non-exempt employees with at least one hour of paid sick leave for every 40 hours the employee works. Leave accrual is not capped, which means there is no limit on the amount of paid sick leave hours an employee can accrue in one year. Employers are required to allow employees to carry over 40 unused hours each year.
Employees may use accrued paid sick leave for certain legally protected reasons, including: (1) the employee’s personal medical care; (2) to care for a family member with a mental or physical illness, injury, or health condition; (3) to care for a child when their school or place of care is closed by a public official for a health-related reason; (4) closure of the employee’s place of business for a health-related reason; or (5) for reasons under Washington’s Domestic Violence Leave Act.
The definition of who is considered an employee’s family member or child for purposes of using paid sick leave has been expanded as follows:

The definition of “family member” is revised to include any individual who regularly resides in the employee’s home and “who has a relationship with them that creates an expectation that they would take care of them during an illness.” Family member does not include an individual who resides in the same home with no expectation that the employee will care for the individual.
“Child” now also includes the spouse of the employee’s child.
“Grandchild” and “grandparent” will be defined to mean the employee’s grandchild or grandparent.

Estate Plan vs. Life Care Plan: Understanding the Difference and Why You May Need Both

When planning for the future, many people think of estate planning as the go-to solution. While an estate plan is an essential part of securing your legacy, it doesn’t address the practical and financial challenges of aging. That’s where a Life Care Plan comes in.
Both estate planning and life care planning help individuals and families prepare for the future, but they serve different purposes. Understanding the difference can help you make informed decisions about your long-term well-being and financial security.
What is an Estate Plan?
An estate plan is a legal strategy that ensures your assets, healthcare decisions, and legacy are managed according to your wishes—both during your lifetime and after your passing.
Key Elements of an Estate Plan:

Last Will and Testament: Outlines how your assets will be distributed after you pass away
Trusts: Can help manage assets during your lifetime and provide for your loved ones in a tax-efficient way
Financial Power of Attorney: Authorizes a trusted person to handle financial matters if you become incapacitated
Healthcare Power of Attorney & Living Will: Ensures medical decisions align with your preferences if you are unable to make them yourself
Guardianship Designations: Important for parents with minor children or those caring for a loved one with special needs

Estate Planning Can:

Protect your assets and ensure they go to the right people
Minimize taxes and legal disputes
Prevent court involvement in decisions about your care and finances
Provide clear instructions for loved ones during difficult times

What is a Life Care Plan?
A Life Care Plan is a comprehensive roadmap for aging, focusing on quality of care, financial security, and long-term well-being. Unlike an estate plan, which primarily addresses what happens after you pass away, a Life Care Plan helps you and your family manage aging-related challenges while you’re alive.
Key Elements of a Life Care Plan:

Health & Safety Planning: Identifying risks and resources to help seniors remain at home safely for as long as possible
Care Coordination: Connecting with in-home caregivers, assisted living, or nursing home options as needs change and advocating for the best, most appropriate care
Financial Planning for Long-Term Care: Exploring options like Medicaid planning, VA benefits, and asset protection strategies to avoid exhausting personal savings
Legal Protections: Ensuring power of attorney, healthcare proxies, and other documents are in place to avoid guardianship proceedings
Support for Family Caregivers: Providing resources to ease the burden on loved ones who assist with care

Life Care Planning Can:

Help seniors stay independent while preparing for future care needs
Reduce financial strain by incorporating Medicaid and other benefits into the plan
Prevent families from having to make difficult care decisions in a crisis
Ensure the senior’s wishes are honored regarding medical care and living arrangements

Estate Plan vs. Life Care Plan: Which Do You Need?

| Feature | Estate Plan | Life Care Plan |
|---|---|---|
| Focus | Asset distribution & legal affairs | Aging, care coordination, & financial planning |
| Timing | Addresses issues after death or incapacity | Addresses issues during aging & declining health |
| Legal Documents | Wills, trusts, power of attorney, healthcare proxy | Power of attorney, healthcare directives, Medicaid planning |
| Financial Protection | Minimizes taxes & probate costs | Helps protect assets from long-term care costs |
| Medical & Care Planning | Directs end-of-life healthcare choices | Coordinates medical providers, in-home care, assisted living, & nursing home options |
| Family Impact | Reduces legal disputes over inheritance | Reduces caregiver burden, family disputes over care, & financial stress |

Why Having Both is Crucial
An estate plan alone is not enough to prepare for the challenges of aging. A Life Care Plan ensures that your care needs and finances are managed properly while you’re alive, while an Estate Plan ensures your legacy is handled as you wish after you pass.
For example, imagine an 85-year-old who has a will, but suddenly experiences cognitive decline. Their estate plan may dictate what happens to their assets after their death, but it won’t address who will manage their care, how they will afford it, or whether they can stay at home safely. That’s where a Life Care Plan steps in—helping them age in place, access benefits like Medicaid, and ensure their spouse isn’t left financially vulnerable.
Get Started with a Plan for Your Future
Whether you’re planning for your golden years or helping a loved one navigate aging, a well-structured Life Care Plan and Estate Plan work together to provide peace of mind.
As elder care attorneys, we help families:

Preserve assets while securing quality care
Avoid costly mistakes in Medicaid and long-term care planning
Reduce stress on family caregivers
Ensure legal protections are in place

Trump Administration Announces Changes to CMS Innovation Models

On March 12, 2025, the Centers for Medicare and Medicaid Services (CMS) Innovation Center (Center) announced it would make changes to its model portfolio to align with its statutory mandate and strategic goals of reducing program spending and maintaining or improving quality of care.
The Center develops and implements payment and service delivery models and conducts Congressionally mandated demonstrations to support health care transformation and increase access to high-quality care. The models reward health care providers for delivering high-quality and cost-efficient care. The models last for a set period and apply to a specific health condition, care episode, provider type, community or innovation within Medicare Advantage or Medicare Part D.
Value-based care has largely been a bipartisan issue; however, each administration typically puts its mark on the Center’s implementation of existing innovation models. This announcement reflects the Trump Administration’s evaluation of current Center models and its determinations as to which models to end early, which to modify, and which to potentially delay implementing.
Models CMS Will End Early
CMS announced the following models will end early, by December 31, 2025:

Maryland Total Cost of Care (MTCC) Model;
Primary Care First (PCF) Model Options;
ESRD Treatment Choices (ETC) Model; and
Making Care Primary (MCP) Model.

MTCC Model[1]
Expanding upon the Maryland All-Payer Model,[2] the MTCC Model established pricing of medical services provided by hospitals, primary care doctors and specialists across all payers, becoming the first CMS model to hold a state fully accountable for risk for the total cost of care for Medicare beneficiaries. With approximately 550 participants, the MTCC Model specifically includes three programs that offer hospitals and non-hospital providers incentive-based payments specific for redesign activities aimed at improving quality of care and per beneficiary per month payments to cover care management services.
The original performance period for the MTCC Model was set to end on December 31, 2026.
PCF Model Options[3]
The PCF Model Options is based on the principles underlying the existing Comprehensive Primary Care Plus (CPC+) model design: prioritizing the clinician-patient relationship; enhancing care for patients with complex chronic needs and focusing financial incentives on improved health outcomes. With approximately 2,100 practices across 26 regions, the PCF Model Options provides model payments to practices through a simple payment structure (e.g., flat payment, population-based payment and performance-based adjustment with a maximum 50% upside and 10% downside) and provides practice participants with performance transparency, through identifiable information. The original performance period for the PCF Model Options was to end December 31, 2026. 
ETC Model[4]
The ETC Model is a model that is mandatory for approximately 30% of ESRD facilities and certain clinicians. This model provides additional payment adjustments to providers who treat dual eligible patients, as well as Medicare beneficiaries who are eligible to receive assistance with prescription drug costs through the Part D program (Low-Income Subsidy).
The original performance period was set to end on December 31, 2027. CMS indicated it will terminate the ETC Model through rulemaking.
MCP Model[5]
The MCP Model builds upon previous primary care models, such as the Comprehensive Primary Care (CPC), CPC+ and PCF Models, as well as the Maryland Primary Care Program. The MCP Model provides a pathway for primary care clinicians to gradually adopt prospective, population-based payments, while also building infrastructure to increase access to care, improve behavioral health and specialty integration and coordination.
With approximately 890 participants in eight states, the MCP Model offered three progressive tracks, where participants received either FFS payments, a 50/50 split of prospective, population-based payments and FFS payments, or only prospective, population-based payments depending on the stage of implementation efforts.
The original performance period for the PCF Model Options was set to end December 31, 2034. 
Models CMS is Considering Changing
The Center also indicated it was considering options to reduce the size of the Integrated Care for Kids (InCK) Model [6] awards or make other changes to the Model. The InCK Model is a child-centered local service delivery and state payment model that includes children under the age of 21 years and pregnant women over age 21 covered by Medicaid and, in some states, children covered by the Children’s Health Insurance Program (CHIP). The Model was awarded to the states of Connecticut, North Carolina, New Jersey, New York and Ohio, and to the Egyptian Health Department and Lurie Children’s in Illinois. The InCK Model works with state and local health service providers to focus on early intervention and treatment for children at greatest risk for physical and behavioral health issues, including children with mental health and substance abuse challenges.
Models CMS Will No Longer Implement
The Center announced that it will no longer pursue the previously announced (but not yet implemented) Medicare $2 Drug List [7] and Accelerating Clinical Evidence [8] Models. The Models were originally developed to implement Executive Order 14087 – “Lowering Prescription Drug Costs for Americans,” a Biden Executive Order that was rescinded on January 20, 2025.
What to Expect Next
Impacted model participants will receive follow-up communication regarding timelines, technical assistance and other information regarding the wind-down and close-out. Additionally, the Center will support participants by advising those in state-specific total cost of care and primary care models of other regulatory options for advanced primary care payment.

[1] Maryland Total Cost of Care Model, Centers for Medicare & Medicaid Services, available at https://www.cms.gov/priorities/innovation/innovation-models/md-tccm.
[2] Established global budgets for certain Maryland hospitals to reduce Medicare hospital expenditures and improve quality of care for beneficiaries.
[3] Primary Care First Model Options, Centers for Medicare & Medicaid Services, available at https://www.cms.gov/priorities/innovation/innovation-models/primary-care-first-model-options.
[4] ESRD Treatment Choices (ETC) Model, Centers for Medicare & Medicaid Services, available at https://www.cms.gov/priorities/innovation/innovation-models/esrd-treatment-choices-model.
[5] Making Care Primary (MCP) Model, Centers for Medicare & Medicaid Services, available at https://www.cms.gov/priorities/innovation/innovation-models/making-care-primary.
[6] Integrated Care for Kids Model, Centers for Medicare & Medicaid Services, available at https://www.cms.gov/priorities/innovation/innovation-models/integrated-care-for-kids-model.
[7] Medicare Two Dollar Drug List Model, Centers for Medicare & Medicaid Services, available at https://www.cms.gov/priorities/innovation/innovation-models/medicare-two-dollar-drug-list-model.
[8] Newsroom: CMS Innovation Center’s One-Year Update on the Executive Order to Lower Prescription Drug Costs for Americans, available at https://www.cms.gov/blog/cms-innovation-centers-one-year-update-executive-order-lower-prescription-drug-costs-americans.

Kentucky Amends Consumer Privacy Law to Exempt Certain HIPAA-Covered Data

On March 15, 2025, Kentucky Governor Andy Beshear signed into law HB 473. The bill amends the Kentucky Consumer Data Protection Act (“KCDPA”) to exempt from the law’s application (1) information collected by health care providers acting as covered entities under HIPAA that maintain protected health information in accordance with HIPAA; and (2) information maintained in limited data sets by HIPAA covered entities in accordance with HIPAA’s relevant requirements. The KCDPA as amended will go into effect on January 1, 2026.