Insights

The first applications to lift an automatic suspension under the Procurement Act 2023 (the Act) have recently been decided. In Parkingeye Limited v Velindre University NHS Trust & Anor [2026] EWHC 1019 (TCC), handed down on 1 May 2026, HHJ Keyser KC dismissed applications by two NHS contracting authorities to lift the suspension preventing them from concluding a car park management services contract. This is the first judicial consideration of the new test under section 102(2) of the Act.

On April 29, 2026, the New York Department of Financial Services (NYDFS) announced the finalization of a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co., resolving allegations that the affiliated companies failed to comply with the state’s stringent cybersecurity, consumer data protection, and incident reporting requirements. For health insurers, managed care organizations, and their third-party service providers operating in New York, the announcement comes as the latest signal that the NYDFS intends to aggressively enforce its cybersecurity regulations — which are widely considered the strictest in the nation following a 2023 overhaul. These regulations, codified at 23 NYCkRR 500 (Cybersecurity Requirements for Financial Services Organizations), apply to any entity licensed under New York insurance law, including health insurers, managed care organizations, and their third-party service providers.

The appropriate use of AI tools during the claims review process continues to be a major topic of debate within the health care industry — but in recent weeks, emerging litigation has inspired critics to turn their attention specifically to the technology’s application within federal health programs. On March 25, 2026, the Electronic Frontier Foundation (EFF) filed a lawsuit against the Centers for Medicare and Medicaid Services (CMS), citing the agency’s alleged failure to answer a Freedom of Information Act (FOIA) request for records the EFF believes will provide crucial insight into the design, safeguards, vendor relationships, and real-world performance of the Medicare Wasteful and Inappropriate Service Reduction (WISeR) Model, CMS’s  AI-driven prior authorization pilot program for certain Medicare services.

On April 30, 2026, the DOJ announced the launch of the Fraud Oversight through Careful Use of Statistics initiative (FOCUS) to increase coordination between the Department and the growing host of data miners who sift through publicly available government data to identify patterns of alleged fraud. The launch of FOCUS highlights a growing trend in False Claims Act (FCA) enforcement: civilian data miners with access to public data — but no other connection to the alleged defendants — are filing almost as many qui tam complaints as company insiders.

On April 10, 2026, the Centers for Medicare and Medicaid Services (CMS) issued a proposed rule (2026 CMS Interoperability Standards and Prior Authorization for Drugs, or CMS-0062-P) outlining the agency’s plans to impose new interoperability requirements on payors participating in certain Medicare and Medicaid programs. As described by the agency in a recent press release, the proposed rule “builds on” prior rulemaking by clarifying and enhancing interoperability requirements for payors’ prior authorization processes, specifically those associated with coverage requests for pharmaceutical therapies.

In mid-April, a bipartisan coalition of 45 State Attorneys General (AG) submitted a formal letter to the U.S. Department of Labor (DOL) expressing their collective support for a proposed rule (Improving Transparency into Pharmacy Benefit Manager Fee Disclosure, or RIN 1210-AB37), which would — if enacted — impose new disclosure obligations on pharmacy benefit managers (PBM) regulated under the Employee Retirement Income Security Act of 1974 (ERISA).

In keeping with ongoing efforts to intensify regulatory oversight of organ procurement organizations (OPOs) and curtail improper spending within federal health programs, the Centers for Medicare & Medicaid Services (CMS) recently issued a proposed rule that would, among other adjustments, align Medicare payment policies for non-renal organs to be consistent with those currently applicable to kidneys. If enacted as drafted, this latest rule could have a direct impact on the financial stability of OPOs and histocompatibility laboratories (HCL) at a time when such organizations face increasing pressure to meet CMS’s new outcome measures — or else face non-renewal or decertification later this year. 

On April 6, 2026, the Centers for Medicare & Medicaid Services (CMS) published its final rule governing the Medicare Advantage (Part C) and Prescription Drug Benefit (Part D) programs for Contract Year (CY) 2027. The final rule is effective June 1, 2026, with most provisions applicable to coverage beginning January 1, 2027, and marketing and communications changes taking effect October 1, 2026. Beyond payment, the rule pursues a broad deregulatory agenda aligned with Executive Order 14192, reversing marketing and enrollment safeguards introduced in 2023 and easing documentation and reporting obligations, while introducing new program integrity requirements.

Is evidence that a company tracked return on investment (ROI) for certain actions and expenses sufficient to prove mens rea and plead a violation of the federal Anti-Kickback Statute (AKS) with the requisite particularity? A recent decision in the U.S. District Court for the Southern District of New York (SDNY) suggests that it is.

On Friday, April 10, 2026, the U.S. Department of Justice (DOJ) announced that International Business Machines Corporation (IBM) has agreed to pay just over $17 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with federal anti-discrimination requirements incorporated into its federal contracts due to allegedly discriminatory diversity, equity, and inclusion (DEI) employment practices. This resolution marks the first FCA settlement secured by the DOJ under its Civil Rights Fraud Initiative, created in May 2025, and announced by then-Deputy Attorney General Todd Blanche as part of the administration’s coordinated efforts to target allegedly unlawful DEI practices. Per the agreement, the settlement is neither an admission of liability by IBM nor a concession by the United States that its claims are not well founded.

On April 6, 2026, the Centers for Medicare and Medicaid Services (CMS) circulated the Announcement of Calendar Year (CY) 2027 Medicare Advantage (MA) Capitation Rates and Part C and Part D Payment Policies (the CY 2027 Rate Announcement) to communicate Medicare Advantage (MA) capitation rates and Parts C and D payment policies. The Rate Announcement announces decisions regarding proposals initially published on January 26, 2026, in CMS’s CY 2027 Advance Notice for MA and Part D. The following is a summary of the most significant issues in the Rate Announcement, with further details below: 

As pharmaceutical weight-loss therapies have surged in popularity, health plans, regulators, and courts have found themselves grappling with a set of increasingly pressing and complex questions: who must cover these drugs, under what circumstances, and for whom?

In a development likely to ramp up regulatory pressure on an industry already under significant federal scrutiny, Federal Trade Commission (FTC) Chairman Andrew Ferguson recently directed leaders across his agency to launch a team dedicated to cooperatively advancing enforcement and advocacy activities relevant to health care.

Despite facing existential challenges in several federal courts, the performance metrics established by the Centers for Medicare and Medicaid Services’ (CMS) 2020 Final Rule for organ procurement organizations (OPO) appear to be, at least for now, withstanding scrutiny in litigation proceedings.  

On March 20, 2026, the Centers for Medicare and Medicaid Services (CMS) released new guidance outlining the agency’s audit methods and instructions for Medicare Advantage (MA) plans subject to upcoming risk adjustment data validation (RADV) audits for payment year (PY) 2020. In addition to providing necessary context for MA plans selected for auditing, this resource clarifies CMS’s methodological and procedural expectations. While the high-level takeaways are recapped below for convenience, we strongly recommend that MA organizations selected for PY 2020 audits closely review the guidance to understand what may be involved — or required — during the agency’s review.

The National Association of Insurance Commissioners (NAIC) is intensifying its oversight of how insurers use AI — and the pace of regulatory activity shows no signs of slowing. Over the past several months, the NAIC has published a formal Issue Brief staking out its position on federal AI legislation, launched a multistate AI Evaluation Tool pilot aimed at examining insurers’ AI governance programs, and continued to expand adoption of its AI Model Bulletin across state lines. These developments continue a trend towards enhancing regulation; the NAIC adopted AI Principles in 2020 and a Model Bulletin in 2023 clarifying that existing insurance laws apply to AI systems and establishing expectations for governance, documentation, testing, and third-party oversight. That Model Bulletin has now been adopted in approximately 24 states.

2026 will prove to be a pivotal year for organ procurement organizations (OPOs). For the first time, the impact of the Center for Medicare and Medicaid Services’ (CMS) 2020 outcome measures will be fully felt, as the year marks the end of the first certification cycle governed by the new benchmarks. In the meantime, OPOs are challenging the 2020 rule in several federal lawsuits and, as that litigation progresses, CMS is accepting comments on a new proposed rule, which we discussed in a prior alert. 

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act of 2026. Sponsored by a bipartisan group — led by HELP Committee Chair Senator Bill Cassidy (R-LA); and Senators Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) — the bill represents perhaps the most significant federal legislative effort to overhaul health care cybersecurity since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and would compel health care companies to make major investments in cybersecurity.

On March 3, 2026, the Department of Labor (DOL), Department of Health and Human Services (HHS), and Department of the Treasury (TREAS) — collectively, the “Tri-Agencies” — published their fourth annual report to Congress on enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA). The 2025 Report demonstrates a shift in approach by the Tri-Agencies in its tone and content and suggests that federal regulators, and the DOL in particular, are not as active as they previously were in MHPAEA enforcement. However, federal enforcement remains ongoing, and state enforcement of mental health parity laws continues to grow. Plans and issuers must continue to maintain comprehensive compliance processes and documentation for MHPAEA compliance.

A recent decision by the United States Court of Appeals for the Fifth Circuit, Farmers Texas County Mutual Insurance Co. v. 1st Choice Accident & Injury, LLC, No. 24-20275 (5th Cir. Feb. 24, 2026), offers important lessons for health care payors and other potential plaintiffs considering civil claims under the federal Racketeer Influenced and Corrupt Organizations Act (RICO). Although the Fifth Circuit’s decision focused on a procedural issue, the underlying case turned on a fundamental pleading failure: the plaintiff insurers did not adequately describe the fraudulent network they were suing as a RICO “enterprise.” The result was dismissal of a $14 million fraud case.