Compliance

In June 2025, the U.S. Department of Health and Human Services Office of Inspector General (OIG) announced a new item in its Work Plan: “Medicare Payments for Clinical Diagnostic Laboratory Tests in 2024.” This annual review, mandated by the Protecting Access to Medicare Act of 2014 (PAMA), focuses on analyzing the top 25 laboratory tests by Medicare expenditures for the previous calendar year. For clinical laboratories and healthcare providers, this announcement signals the need to pay close attention to billing practices, compliance programs, and potential audit risks.

On July 2, 2025, the Department of Justice (DOJ) and the Department of Health and Human Services (HHS) announced the creation of the DOJ-HHS False Claims Act Working Group, a high-level interagency initiative aimed at strengthening the government’s civil enforcement of the False Claims Act (FCA) in the healthcare space. While the DOJ and HHS have long worked together to combat fraud, this Working Group marks a formalized, tightly coordinated effort focused on high-impact enforcement areas.

Recently, Attorney General Pam Bondi purportedly issued an internal memorandum in response to Executive Order 14187 (“Protecting Children from Chemical and Surgical Mutilation”) concerning the treatment of transgender minors by medical practitioners, hospitals, clinics, and pharmaceutical companies. The memo set forth guidance for all Department of Justice (DOJ) employees to investigate individuals and entities who provide gender-affirming care to minor patients. To be clear, the memorandum—which has been posted in various locations on the internet and widely reported on by various media outlets but has not been verified as authentic by Husch Blackwell—is an internal policy statement directed to DOJ personnel and is not law. While it purports to issue “guidelines” pursuant to an executive order from the President, that executive order is itself under scrutiny (and has been partially enjoined).

A recent False Claims Act (FCA) litigation—Jensen ex rel. United States of America v. Genesis Laboratory—highlights critical compliance risks for laboratories. This case reinforces the need for laboratories to ensure adherence to federal regulations governing medical necessity, lab requisition practices, and the Anti-Kickback Statute (AKS).

On February 20, 2025, the ERISA Industry Committee (ERIC) announced that its legal counsel submitted a letter to the U.S. Departments of Labor (DOL), Health and Human Services (HHS) and Treasury, requesting a stay of enforcement of the September 2024 Mental Health Parity and Addiction Equity Act (MHPAEA) Final Rule. In the letter, ERIC urged the Departments to exercise their authority under 5 U.S.C. § 705 to postpone the effective date of the Final Rule while litigation challenging its validity is ongoing. This request marks a significant development in the legal landscape surrounding mental health parity laws and could have far-reaching implications for employers, health plans, and other stakeholders in the health insurance industry.

On January 17, 2025, the ERISA Industry Committee (ERIC) filed a lawsuit in the U.S. District Court for the District of Columbia, claiming that the 2024 Mental Health Parity and Addiction Equity Act (MHPAEA) Final Rule oversteps legal bounds, breaches the Administrative Procedure Act (APA), improperly delegates the Departments of Labor, Health and Human Services and Treasury’s (Departments) executive power to private entities, and violates the Due Process Clause. ERIC argues that under the Mental Health Parity Act of 1996, the plan was not obligated to assess any disparate impact that a term, applicable to both medical/surgical (M/S) and mental health and substance use disorder (MH/SUD) benefits, might have had on access to MH/SUD benefits. The Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) similarly maintained the disparate treatment standard of liability, rather than the disparate impact standard. Moreover, the Departments acknowledged in the 2013 regulations that “disparate results alone” did not constitute a parity violation.

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

On January 8, 2025, a federal grand jury in Virginia returned an indictment against a hospital. This rare criminal event in healthcare alleges that Chesapeake Regional Medical Center conspired to defraud the United States and committed healthcare fraud. Hospitals are almost never criminally charged, as federal investigations into hospitals are nearly always civil proceedings under the False Claims Act. This post explains how this hospital’s alleged actions rose to the level that merited criminal indictment.

On November 15, 2024, the California Board of Pharmacy issued a public notice of its intent to modify Cal. Code Regs. tit. 16 § 1708.2, which governs the discontinuation of pharmacy businesses in California. The regulation currently states:

“Any permit holder shall contact the board prior to transferring or selling any dangerous drugs, devices or

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).