This week features three high-impact developments: a sweeping CMS action that immediately halts new Medicare enrollment for hospices and home health agencies nationwide, a significant reorganization of HHS’s Office for Civil Rights that signals enhanced enforcement across HIPAA, conscience rights, and civil rights, and an unfavorable OIG advisory opinion that puts physician-device company consulting arrangements under fresh scrutiny.

Table of Contents

CMS Imposes Nationwide Six-Month Enrollment Moratorium on Hospices and Home Health Agencies

On May 13, 2026, CMS announced an immediate nationwide six-month moratorium on new Medicare enrollment for both hospices and home health agencies, citing pervasive and escalating fraud in both sectors. The action, taken in coordination with Vice President JD Vance’s Anti-Fraud Task Force, is among the most significant fraud prevention actions in the agency’s history, extending a tool the agency has historically applied on a regional basis to cover the entire country simultaneously.

Key Details

The moratoria (for hospices and for HHAs) took immediate effect on May 13, 2026, and are set to run for six months, with CMS retaining authority to extend it in successive six-month increments or lift it early if conditions warrant. The moratoria halt new initial Medicare enrollment applications for hospices and home health agencies nationwide during the applicable moratorium period, and also apply to certain changes in majority ownership. Existing enrolled providers are not affected and may continue furnishing services and submitting claims. Applications submitted on or after May 13, 2026 will be denied. Applications received by the Medicare Administrative Contractor prior to May 13, 2026 are not subject to the moratorium.

CMS, OIG, and DOJ have identified hospice and home health as among the highest-risk areas for Medicare fraud, with enforcement actions targeting a range of compliance issues including the recruitment of patients who do not qualify for hospice or home health services, falsification of medical documentation to support eligibility determinations, billing for services that were never rendered or medically unnecessary, and kickback arrangements that may have generated improper patient referrals in violation of the federal Anti-Kickback Statute.

The nationwide scope of the moratorium is deliberate. A separate Federal Register notice states that the risk in hospice has dramatically increased in the past seven years, citing problems in Arizona, Nevada, Texas, and California as well as criminal convictions nationwide, with CMS noting that a national approach will eliminate the ability of bad actor operators to evade detection by simply shifting their activities across state lines. This directly addresses a pattern observed under prior regional moratoria, where fraudulent operators would simply close operations in a targeted state and reopen in another state that is not targeted at that time.

This moratorium follows CMS’s earlier nationwide enrollment moratorium in February 2026 covering certain durable medical equipment, prosthetics, orthotics, and supplies companies, signaling an increasingly aggressive provider enrollment and program integrity enforcement posture by the agency. In connection with the moratorium announcement, CMS has suspended payments to approximately 800 hospices and HHAs suspected of fraud in Los Angeles alone, with $70 million in payments suspended to date.

What this Means for You

The moratorium creates meaningfully different compliance situations depending on where an organization stands. For organizations that had enrollment applications pending with their Medicare Administrative Contractor before May 13, those applications are exempt from the moratorium and should continue to be processed normally. For organizations planning new market entry as a hospice or home health provider, de novo strategies requiring initial Medicare enrollment are effectively suspended for the duration of the moratorium, and applications submitted on or after May 13 will be denied. Strategic alternatives may include acquiring existing enrolled providers rather than pursuing new enrollments, though competition for acquisition targets with existing Medicare enrollments is expected to intensify as a result of this policy.

For currently enrolled hospices and home health agencies, the moratorium’s more immediate implication is the scrutiny that accompanies it. During the six-month moratorium, CMS will intensify targeted investigations, deploy advanced data analytics, and accelerate the removal of hospice and HHA providers from the Medicare program that are suspected of committing fraud. Existing providers should treat this as a clear signal to audit their billing practices, eligibility documentation, and referral arrangements now, before CMS or its program integrity contractors initiate contact. Robust fraud, waste, and abuse compliance programs, thorough patient eligibility documentation, and clean referral arrangements are the operational priorities.

Frequently Asked Questions

Does the CMS enrollment moratorium affect existing hospice and home health providers? No. The moratorium applies only to new initial Medicare enrollment applications and certain changes in majority ownership. Existing enrolled providers may continue furnishing services and submitting claims without interruption. However, CMS has stated it will intensify investigations of existing providers during the moratorium period, meaning currently enrolled organizations should expect heightened scrutiny of their billing and documentation practices.

How long will the hospice and home health enrollment moratorium last? The moratorium took effect May 13, 2026, and is set to run for an initial six-month period, meaning new enrollment applications could begin processing again around mid-November 2026. However, as outlined in the Federal Register notice, CMS retains authority to extend the moratorium in successive six-month increments if fraud concerns persist, or to lift it earlier if the underlying conditions are adequately addressed.

HHS Restructures OCR Into Three Divisions, Signaling Enhanced Enforcement Across HIPAA, Conscience Rights, and Civil Rights

On May 18, 2026, HHS announced a significant reorganization of its Office for Civil Rights, splitting OCR into three dedicated divisions, each with its own senior executive leadership and subject-matter focus: the Conscience and Religious Freedom Division, the Civil Rights Division, and the Health Information Privacy, Data, and Cybersecurity Division. A Federal Register notice with additional details is expected in June 2026.

Key Details

OCR is the HHS component responsible for enforcing federal civil rights laws in healthcare, conscience and religious freedom protections, and the HIPAA Privacy, Security, and Breach Notification Rules.Under the prior structure, the Biden administration had combined the Conscience and Religious Freedom Division and the Civil Rights Division into a single Policy Division. The reorganization returns OCR to a program-based model that separates each area into its own division with dedicated leadership.

The Conscience and Religious Freedom Division was originally established in January 2018 under the first Trump administration and operated until March 2023, when it was disbanded by the Biden administration. Its formal reinstatement as a standalone division with dedicated senior executive leadership reflects the current administration’s stated priority of defending religious liberty, enforcing conscience protections, and addressing what it characterizes as antisemitism and anti-Christian bias in healthcare settings. In March 2026, OCR had already launched investigations into 13 states for allegedly violating federal conscience protections for healthcare workers with religious or moral objections to certain procedures.

The creation of a dedicated Health Information Privacy, Data, and Cybersecurity Division is the development most directly relevant to most compliance officers. The reorganization comes during a period of persistent cyberattacks and other breaches in the healthcare sector, as well as during a time when critical regulatory updates have been processed for both the HIPAA Security and Privacy Rules. HHS has confirmed that complaint intake and processing, as well as review of reported HIPAA breaches, will continue to be handled through a centralized Enforcement Division supporting field office operations, and that the reorganization is not expected to result in any reduction in OCR’s workforce.

What this Means for You

The creation of a standalone Health Information Privacy, Data, and Cybersecurity Division with dedicated senior leadership is a structural signal that OCR intends to treat HIPAA enforcement as a distinct, elevated priority. This comes on top of several already active OCR enforcement initiatives: the Risk Analysis Initiative, launched in October 2024 and expanded in 2026 to include risk management; and the Right of Access Initiative, which has produced 54 enforcement actions since its launch. A dedicated division with its own leadership creates institutional focus and accountability that is likely to accelerate, not reduce, enforcement activity in these areas.

At the same time, the formal reinstatement of the Conscience and Religious Freedom Division, with dedicated leadership and an already-active investigations docket, means healthcare providers should assess their compliance with federal conscience protection statutes, which prohibit discrimination against healthcare workers who decline to participate in certain procedures on religious or moral grounds.

Review your HIPAA compliance program now to confirm it addresses all three areas currently under active OCR initiative: documented risk analysis, documented risk management, and timely patient right of access. HHS provides guidance material for each of these at HHS.gov/OCR, and organizations that have not recently audited their programs against these specific standards should do so before an enforcement action provides the motivation.

Frequently Asked Questions

What are the three new divisions of the HHS Office for Civil Rights? Following the May 18, 2026 reorganization announced at HHS.gov, OCR is now organized into the Conscience and Religious Freedom Division, the Civil Rights Division, and the Health Information Privacy, Data, and Cybersecurity Division. Each has its own senior executive leadership and subject-matter focus, with a centralized Enforcement Division continuing to handle complaint intake and HIPAA breach review.

What are the three active OCR HIPAA enforcement initiatives compliance officers should be aware of? OCR currently has three active enforcement initiatives: the Risk Analysis Initiative, which scrutinizes whether covered entities have conducted accurate and thorough HIPAA security risk analyses; enhanced risk management scrutiny, which is an expansion of the Risk Analysis Initiative and examines whether organizations have acted on the findings of those analyses through documented remediation; and the Right of Access Initiative, which enforces patients’ rights to timely access to their medical records. The creation of a dedicated HIPAA division within OCR suggests enforcement activity across all three is likely to intensify.

OIG Issues Unfavorable Anti-Kickback Opinion on Physician-Device Company Consulting Arrangements

On May 13, 2026, OIG issued Advisory Opinion No. 26-10, an unfavorable opinion concluding that a medical device company’s proposal to pay physician consultants a percentage of product line sales as compensation for consulting services would generate prohibited remuneration under the Anti-Kickback Statute if the requisite intent were present. The opinion is significant beyond the specific arrangement at issue: it demonstrates that OIG will look past structural safeguards, including explicit carve-outs designed to exclude a physician’s own cases from the payment calculation, to assess the totality of financial incentives created by an arrangement.

Key Details

The company at issue manufactures orthopedic implants, including hips, knees, and shoulders, and had existing arrangements with surgeons to assist in designing and developing specific individual products. The proposed expansion would broaden each physician’s role from advising on a single product to consulting on an entire product line, with compensation calculated as a percentage of total sales across that product line for the quarter.

The company attempted to limit AKS exposure by proposing to exclude four categories of sales from the payment calculation: sales from the physician’s own surgeries, sales to hospitals where the physician works or has an ownership interest, sales of products for use in surgeries performed by the physician’s immediate family members, and sales already covered by a separate agreement. OIG found these exclusions insufficient. Even with the carve-outs in place, a physician’s payment would still increase whenever product line sales volume increased from any source, including sales driven by surgeons the physician had trained.

This is where OIG’s analysis becomes particularly instructive. Because training other surgeons to use the company’s products was explicitly one of the required services under the agreement, and because those trainees’ subsequent purchases were included in the royalty calculation, OIG concluded the physician had a direct financial stake in how much their trainees adopted the company’s products. That financial incentive, OIG determined, was too close to paying for referrals to be permissible under the AKS.

OIG viewed the full arrangement holistically: the company would pay the physician, the physician would train and influence other surgeons to adopt the company’s products over competitors, those surgeons would order more products reimbursable by federal healthcare programs, and the physician’s payment would increase as a result. Structuring the payment as consulting compensation rather than a direct referral fee did not change OIG’s analysis.

What this Means for You

This advisory opinion is a direct warning to both medical device companies and the physicians who consult for them. OIG is signaling that even arrangements involving genuine, documentable consulting work, with explicit contractual carve-outs designed to exclude a physician’s own cases, are not insulated from AKS scrutiny if the compensation structure creates financial incentives tied to the broader adoption of a company’s products by other clinicians.

The critical structural principle this opinion clarifies is the distinction between fixed-fee consulting arrangements, which might be defensible under an AKS safe harbor provision, and percentage-of-sales arrangements. A fixed fee for defined consulting services does not fluctuate based on how many surgeons adopt a product, so it does not create the financial incentive OIG identified here. A percentage-of-sales structure, by contrast, ties the physician’s payment directly to market penetration, regardless of how the carve-outs are structured.

Physicians currently party to consulting or royalty arrangements with medical device companies, particularly those where compensation is calculated as a percentage of product line sales, should have those arrangements reviewed by qualified healthcare counsel. Device companies should evaluate whether their existing physician consulting agreements create compensation structures where payment turns on the adoption of their products by other clinicians. Where that incentive is present, restructuring toward fixed-fee compensation for defined, documented services might mitigate potential AKS exposure.

Frequently Asked Questions

Can a medical device company pay physicians for consulting services without violating the Anti-Kickback Statute? Yes, but the structure of the compensation matters significantly. OIG might approve fixed-fee consulting arrangements where the fee reflects fair market value for defined, documented services and does not fluctuate based on the volume or value of referrals or product sales. What Advisory Opinion No. 26-10 makes clear is that percentage-of-sales compensation structures, even with carve-outs designed to exclude the physician’s own cases, can still violate the AKS if the arrangement creates financial incentives tied to how much other clinicians adopt the company’s products.

Does it matter that a physician consulting arrangement excludes the physician’s own cases from the payment calculation? Not necessarily. OIG’s analysis in Advisory Opinion No. 26-10 demonstrates that excluding a physician’s own cases from the compensation calculation does not eliminate AKS risk if the compensation structure still creates a financial incentive tied to broader product adoption. OIG will examine the totality of the arrangement, including the physician’s role in training other surgeons and the effect of that training on product sales included in the royalty calculation.

Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.

Have a question about how these developments affect your organization?