On August 25, 2025, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) issued a report analyzing Medicare billing practices for remote patient monitoring (“RPM”) services during 2024. As RPM technologies have matured and become more accessible, their availability has driven widespread adoption and enhanced patient care by enabling continuous, data-informed management outside the clinic; at the same time, this proliferation has attracted heightened government attention. The report highlights the rapid growth of RPM utilization and payments, identifies patterns that may be indicators of potential fraud and abuse, and reiterates the need for enhanced oversight by the Centers for Medicare & Medicaid (“CMS”). The OIG’s findings assist providers in assessing regulatory and compliance implications.

Sheridan Capital Partners has announced an investment in National Care Systems (NCS).

NCS, founded in 1992 and based in Brooklyn, New York, is a provider of revenue cycle management software serving skilled nursing facilities and assisted living facilities across the United States.

Sheridan, founded in 2012 and based in Chicago, is healthcare-focused firm

Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).

Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on September 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final Rule), which was formally published a day later on September 10, 2025. The Final Rule’s requirements will become effective in the DFARS as of November 10, 2025, and pertain to all DoD contractors and subcontractors.  Defense contractors should ensure their compliance with the standards as soon as possible in order to maintain eligibility to compete for DoD contracts and perform DoD subcontracts, as well as to avoid bid protests and/or civil False Claims Act allegations.

In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action.  Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices.  Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least.  As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.

On July 11, 2025, in United States v. Schena, the U.S. Court of Appeals for the Ninth Circuit issued the first appellate decision interpreting the Eliminating Kickbacks in Recovery Act (“EKRA”). The decision marks a significant development in EKRA’s enforcement, as it represents the first time a federal appeals court has addressed EKRA’s reach and moved toward some clarity in its application to marketing arrangements within the healthcare industry, particularly in the often-discussed lab context.

On April 14th, 2025, the U.S. Court of Appeals for the Seventh Circuit reversed the Anti-Kickback Statute (AKS) conviction of Mark Sorensen, the owner and operator of a Medicare-registered durable medical equipment distributor in United States v. Sorensen, 134 F.4th 493, 496 (7th Cir. 2025). The lower court had found that Sorensen’s practice of hiring advertising and marketing companies based on a percentage-based fee to sell orthopedic braces to Medicare patients violated the AKS at 42 U.S.C. § 1320a-7b(b)(2)(A). In reversing the district court, the Seventh Circuit followed the Fifth Circuit’s United States v. Marchetti, holding that the central question was whether the defendant intended to “induce ‘referrals,’ which is illegal” or whether he intended to “compensate advertisers, which is permissible.” Finding that there was no evidence of this improper intent, particularly as the marketers were not in a position to influence patients, the Seventh Circuit reversed.

On July 31, 2025, the U.S. Department of Justice announced a $1.75 million False Claims Act (FCA) settlement with Aero Turbine, a California-based defense contractor, and private equity firm Gallant Capital Partners. The settlement arises out of allegations that Aero Turbine failed to comply with cybersecurity requirements under a U.S. Air Force contract and provided