Insights

In a development likely to ramp up regulatory pressure on an industry already under significant federal scrutiny, Federal Trade Commission (FTC) Chairman Andrew Ferguson recently directed leaders across his agency to launch a team dedicated to cooperatively advancing enforcement and advocacy activities relevant to health care.

On March 20, 2026, the Centers for Medicare and Medicaid Services (CMS) released new guidance outlining the agency’s audit methods and instructions for Medicare Advantage (MA) plans subject to upcoming risk adjustment data validation (RADV) audits for payment year (PY) 2020. In addition to providing necessary context for MA plans selected for auditing, this resource clarifies CMS’s methodological and procedural expectations. While the high-level takeaways are recapped below for convenience, we strongly recommend that MA organizations selected for PY 2020 audits closely review the guidance to understand what may be involved — or required — during the agency’s review.

The National Association of Insurance Commissioners (NAIC) is intensifying its oversight of how insurers use AI — and the pace of regulatory activity shows no signs of slowing. Over the past several months, the NAIC has published a formal Issue Brief staking out its position on federal AI legislation, launched a multistate AI Evaluation Tool pilot aimed at examining insurers’ AI governance programs, and continued to expand adoption of its AI Model Bulletin across state lines. These developments continue a trend towards enhancing regulation; the NAIC adopted AI Principles in 2020 and a Model Bulletin in 2023 clarifying that existing insurance laws apply to AI systems and establishing expectations for governance, documentation, testing, and third-party oversight. That Model Bulletin has now been adopted in approximately 24 states.

2026 will prove to be a pivotal year for organ procurement organizations (OPOs). For the first time, the impact of the Center for Medicare and Medicaid Services’ (CMS) 2020 outcome measures will be fully felt, as the year marks the end of the first certification cycle governed by the new benchmarks. In the meantime, OPOs are challenging the 2020 rule in several federal lawsuits and, as that litigation progresses, CMS is accepting comments on a new proposed rule, which we discussed in a prior alert. 

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act of 2026. Sponsored by a bipartisan group — led by HELP Committee Chair Senator Bill Cassidy (R-LA); and Senators Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) — the bill represents perhaps the most significant federal legislative effort to overhaul health care cybersecurity since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and would compel health care companies to make major investments in cybersecurity.

On March 3, 2026, the Department of Labor (DOL), Department of Health and Human Services (HHS), and Department of the Treasury (TREAS) — collectively, the “Tri-Agencies” — published their fourth annual report to Congress on enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA). The 2025 Report demonstrates a shift in approach by the Tri-Agencies in its tone and content and suggests that federal regulators, and the DOL in particular, are not as active as they previously were in MHPAEA enforcement. However, federal enforcement remains ongoing, and state enforcement of mental health parity laws continues to grow. Plans and issuers must continue to maintain comprehensive compliance processes and documentation for MHPAEA compliance.

A recent decision by the United States Court of Appeals for the Fifth Circuit, Farmers Texas County Mutual Insurance Co. v. 1st Choice Accident & Injury, LLC, No. 24-20275 (5th Cir. Feb. 24, 2026), offers important lessons for health care payors and other potential plaintiffs considering civil claims under the federal Racketeer Influenced and Corrupt Organizations Act (RICO). Although the Fifth Circuit’s decision focused on a procedural issue, the underlying case turned on a fundamental pleading failure: the plaintiff insurers did not adequately describe the fraudulent network they were suing as a RICO “enterprise.” The result was dismissal of a $14 million fraud case.

On February 20, 2026, the Department of Justice’s Antitrust Division (DOJ) and Ohio Attorney General (Ohio AG) sued OhioHealth Corporation (OhioHealth), alleging that OhioHealth had unlawfully restrained trade in the market for general acute care inpatient hospital services in the Columbus metropolitan statistical area and the narrower Central Columbus area, respectively. The DOJ and Ohio AG allege violations of Section 1 of the Sherman Act, as well as the Valentine Act (Ohio’s antitrust statute), claiming that OhioHealth leveraged its market power to impose contractual restrictions that blocked payors from working with competing health systems to design “budget-conscious” lower-cost health plans.

By the end of 2025, 16 drug manufacturers had voluntarily negotiated and executed agreements to adopt Most Favored Nation (MFN) pricing for certain high-cost drugs. The Trump Administration highlighted the agreements in its “Great Healthcare Plan,” published on January 15, 2026, and communicated the government’s plans to “codify” such deals as a means of “get[ting] Americans the same low prices that people in other countries pay.” The Administration recently leveraged MFN pricing to establish the TrumpRx website, which helps uninsured or cash-paying consumers find drugs at a discounted price. The website reflects the Administration’s stated commitment to provide more lower-cost drugs directly to consumers. Currently, 40 branded medications are available at reduced prices.

FAQs: What OPOs Need to Know About the Proposed Rule

On February 3, 2026, President Trump signed a $1.2 trillion spending deal that, among other points, introduced significant regulatory changes for Medicare Part D plans and PBMs providing services to PDP sponsors in the Medicare Advantage and Medicare Part D programs, and imposed significant new restrictions and transparency requirements on PBMs contracting with private group health plans.

On January 27, 2026, the Centers for Medicare and Medicaid Services (CMS) released a Health Plan Management System (HPMS) memo that provided a long-awaited update on how the agency plans to approach previously announced Risk Adjustment Data Validation (RADV) audits for Payment Years (PY) 2020-2024. The memo is the agency’s most comprehensive statement on the subject since September 25, 2025, when the Northern District of Texas vacated the 2023 RADV Final Rule. The memo makes clear that, while CMS has made certain operational adjustments in response to concerns expressed by Medicare Advantage Organizations (MAOs), the agency is largely pressing forward with the accelerated audit strategy announced in May 2025.

On January 26, 2026, the Centers for Medicare and Medicaid Services (CMS) circulated the Calendar Year (CY) 2027 Advance Notice to communicate proposed changes to Medicare Advantage (MA) capitation rates and Parts C and D payment policies.  The changes are expected to be finalized in April 2026 but may be delayed. The following is a summary of the most significant proposals, with further details below:

The U.S. Court of Appeals for the 6th Circuit may no longer be as favorable a venue for health plans engaged in legal disputes with members who allege that insufficiently detailed claim denials violate the Employee Retirement Income Security Act’s (ERISA) protections against “arbitrary and capricious” decision making.

On January 13, 2026, Miami-based pharmaceutical wholesaler Atlantic Biologicals Corporation entered into a two-year DPA, admitting to conspiracy to distribute and dispense controlled substances, including more than 14 million opioid doses to “pill mill” pharmacies in Texas at a markup. The DOJ and DEA underscored the company’s deliberate evasion of compliance checks and disregard for red flags signaling diversion.

On January 5, 2026, District of Colorado Magistrate Judge Cyrus Chung issued a recommendation that the district court grant a motion to quash a Department of Justice (DOJ) administrative subpoena that sought records about the provision of gender-related care by Children’s Hospital Colorado (Children’s) in In re: Department of Justice Administrative Subpoena No. 25-1431-030, U.S. District Court for the District of Colorado, No. 1:25-mc-00063. The court concluded that the DOJ had failed to carry its “light” burden, noting that no other courts that had considered the more than 20 similar subpoenas issued by DOJ had ruled in the DOJ’s favor.  

Since the signing of Executive Order 14187 (“Protecting Children from Chemical & Surgical Mutilation”) in late January 2025, the Trump Administration has made its skeptical stance on gender-affirming care—especially regarding services provided to minors—clear.

The regulatory environment for skilled nursing facilities (SNFs) is shifting rapidly, creating challenges and uncertainties for providers across the country—and especially those in New York. While the Trump administration has rolled back federal nurse staffing mandates, state-level requirements remain in full force, and new federal ownership disclosure rules are set to take effect in January 2026. Even as federal enforcement slows, state regulators appear primed to intensify oversight of nursing home operators by enhancing Certificate of Need (CON) review processes.

On November 26, 2025, the Centers for Medicare & Medicaid Services (CMS) published its Proposed Rule for the Medicare Program; Contract Year 2027 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, and Medicare Cost Plan Program (the “CY 2027 NPRM” or “proposed rule”) for public comment. In addition to outlining prospective policy and technical changes to Medicare Advantage (Part C), the Medicare Prescription Drug Benefit (Part D), and Medicare Cost Plan regulations, the proposals showcase the government’s plans to make comprehensive updates in response to statutory changes—notably the Inflation Reduction Act of 2022 (IRA)—as well as feedback from interested parties, and current federal deregulatory priorities.

The facts before the Third Circuit in the recently decided case of Patel v. United States illustrate how parties can put themselves in a bind if they make factual admissions when resolving a criminal case involving fraud on the government while not simultaneously resolving the government’s civil claims under the False Claims Act (FCA) for the same underlying conduct.