Health Law Advisor

The U.S. Court of Appeals for the First Circuit recently provided important clarity—and welcome relief—for clinical laboratories facing False Claims Act (“FCA”) allegations based on a lack of medical necessity for processing tests ordered by a physician. In a case of first impression, United States ex rel. OMNI Healthcare, Inc. v. MD Spine Solutions LLC,[1] the First Circuit held that clinical laboratories may rely on an ordering physician’s determination that lab tests billed to Medicare are medically necessary. The First Circuit held that laboratories need not second-guess a physician’s certification absent red flags or suspected improper conduct. While the First Circuit’s decision does not relieve clinical laboratories of their existing obligation under the FCA to ensure they are not submitting a false claim to government payors, it provides much-needed clarity for clinical laboratories across the country on what constitutes the knowing submission of false claims to the government and highlights several practical takeaways for managing compliance risk.

The False Claims Act (FCA) is one of the federal government’s most powerful tools for combatting healthcare fraud. Yet, as with any enforcement tool, its reach is constrained by a statute of limitations. The FCA statute of limitations provisions, set out in 31 U.S.C. § 3731(b), are surprisingly nuanced and often depend on when the government learns of the alleged misconduct. In practice, this framework often favors the government, yet these nuances are worth unpacking, which we do below.

New from the Diagnosing Health Care Podcast: Value-based enterprises depend on timely, accurate data, yet the rules that govern how that data moves between the Centers for Medicare & Medicaid Services (CMS), accountable care organizations, payors, and providers remain complex and often inconsistent.

On this episode, Epstein Becker Green attorneys Kevin Malone and Karen Mandelbaum unpack the regulatory frameworks shaping data exchange in value-based care.

They outline how federal privacy laws, CMS rules, the Health Insurance Portability and Accountability Act (HIPAA), and state requirements intersect; why CMS-sourced data operates under a different regime than Medicare Advantage; and where organizations face the biggest operational hurdles when using, sharing, and governing data across large networks.

The Second Circuit dealt a blow to the dietary supplement industry last month as it affirmed a lower court’s decision not to temporarily pause enforcement of New York’s new restrictions on sales of certain dietary supplements to minors as legal challenges continue to proceed through the court system.

As Epstein Becker & Green, P.C. previously reported, the National Security Division of the U.S. Department of Justice (“DOJ”) issued a final rule, effective on April 8, 2025, called the Bulk Sensitive Data Rule (“BSD Rule”) (codified at 28 C.F.R. Part 202), which prohibits and/or restricts U.S. persons and/or companies from engaging in certain transactions involving certain categories of government-related data and sensitive personal data with covered persons or six countries of concern– China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Legislation introduced in the U.S. Senate in November, informally called the “Better FDA Act of 2025,” is perhaps a bit misleading. While it involves the Food and Drug Administration (“FDA”), the full title of S. 3122—introduced on November 6—is actually “The Better Food Disclosure Act of 2025,” designed to amend the federal Food, Drug, and Cosmetic Act (“FDCA”) regarding food substances generally recognized as safe (“GRAS”).

Imagine this scenario: a longtime patient at an ENT practice decides to leave the traffic and sprawl of a major metropolitan area for a more idyllic, rural existence elsewhere in the state. Accustomed to the familiar, top-ranked brands of excellent hospitals, however, the patient is unsure of what to expect in the new location in terms of quality of care. Fortunately, posters on the walls in the old and new locations, online websites, and postcards in the mail—with the same familiar names and logos—immediately reassure the patient that the health professionals in this new location are not only as good as those back home but are affiliated with them.

In today's competitive health care landscape, hospitals are increasingly exploring innovative ways to expand their market presence and generate additional revenue streams. One particularly effective strategy is brand licensing to urgent care facilities. Becker’s Health IT, in fact, has reported on Monigle’s rankings of the 30 most trusted health system brands for 2024 and the 25 “most human” health system brands for 2025. This post explores key opportunities, challenges, and best practices for hospital administrators considering brand licensing programs.

The federal government is back in business, and those who may be scrambling to comply with the January 20, 2026, deadline for the Food and Drug Administration’s (“FDA” or the “Agency”)  Food Traceability Rule (“FTR” or “Final Rule”) will be pleased with the likely possibility of a generous extension from the agency—to July 20, 2028.

As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance. Organizations such as Crowdstrike report that in 2025, cyberattacks are increasing in speed, volume, and sophistication—and cybercrime has evolved as a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.

Enter the amendments announced in November 2023 to the New York’s Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Regulation”), that became effective on November 1. This post explores the breadth of these Amended Regulations, and the steps that covered entities need to take now.

Health care organizations operate under constant scrutiny from government regulators and the threat of potential whistleblowers. Even in a time of government downsizing, the Trump administration has consistently publicized its intent to pursue vigorous prosecutions under the False Claims Act. And, according to U.S. Department of Justice annual fraud statistics, of the 455 new health care-related fraud matters in FY2024, 370 (or more than 81 percent) were filed by whistleblowers. On top of that, data security risks are becoming, potentially, an even greater threat. Put mildly, litigation exposure is a daily reality for health care organizations. Yet, one of the most common challenges organizations face during a legal crisis is not the merits of the inquiry but operational readiness.