Risk Bearing Entity Requirements: Massachusetts
Tuesday, June 3, 2025

This blog discusses the regulatory requirements that apply to risk-bearing entities in Massachusetts, including recent updates introduced by Chapter 343 of the Massachusetts Acts of 2024 (the Act). This blog is part of Foley & Lardner’s RBE series (see our Introduction posted November 18, 2024, and our post on New York and New Jersey’s Requirements posted February 24, 2025).

In Massachusetts, “Provider Organizations” are entities “in the business of health care delivery or management that represent one or more health care providers in contracting with carriers for the payments of health care services.”[1] Certain Provider Organizations are required to register with the Massachusetts Health Policy Commission (the HPC) and submit data to the Massachusetts Center for Health Information and Analysis (CHIA) annually.[2]

Certain Provider Organizations with reimbursement models that incorporate financial risk must register with the Massachusetts Division of Insurance (the Division). Entities that take on financial risk in contracts with third-party payors where payment models are not solely based on fee-for-service reimbursements are classified as “Risk-Bearing Provider Organizations” (RBPO). Additionally, any Provider Organization that has a contracting affiliation with one or more providers or Provider Organizations is also classified as an RBPO.

Under the Division’s regulations, risk means the financial risk taken on by an RBPO under contracts where it manages some or all of the care for a patient population for a fixed budgeted fee. Downside risk occurs when the cost of care exceeds the fixed payment amount, leaving the entity responsible for the overage. An RBPO that assumes full or partial downside risk must seek a Risk Certificate annually from the Division.[3]

RBPO Registration

A Provider Organization that meets the definition of an RBPO, irrespective of its size or profit, must register with the Division annually unless it only takes on risk through the Medicare Program. To register, the RBPO must submit information including, but not limited to:

  • Filing Materials. All documents submitted to the HPC in connection with its Provider Organization registration, including information about its ownership, contracting arrangements, and total revenue by each third-party payor.
  • Downside Risk Contracts. A description of all downside risk contracts, including the level and nature of risk assumed.
  • Financial Information. Audited financial statements showing the RBPO’s sources of financial support and a financial plan.
  • Utilization Plan. A utilization plan that describes how the RBPO will monitor patient utilization under risk contracts.
  • Actuarial Certificate. An actuarial certificate that certifies that the downside risk contracts are not expected to threaten the RBPO’s financial solvency.[4]

An RBPO that can demonstrate its risk contracts do not contain significant downside risk may apply for a Risk Certificate Waiver, which requires significantly less information than a full Risk Certificate.  

RBPOs that fail to comply with the Division’s registration requirements will be given an opportunity to cure their non-compliance. However, the Commissioner of the Division may suspend or cancel an RBPO’s Risk Certificate and has broad authority to “take such other action as appropriate under law to enforce the requirements.”[5]

Provider Organization Registration with the HPC and CHIA

The HPC currently requires each Provider Organization subject to registration to disclose the highest entity in its corporate structure that is engaged in health care delivery or management. The registrant must also disclose its corporate parent.

Approximately 50 organizations were required to register in 2024, the majority of which were hospital systems, physician groups, and behavioral health providers that received US$25 million or more in net patient service revenue from third-party payors.  

The Act will expand the type of ownership information that Provider Organizations are required to submit to the HPC. Regulations are still in process, but the HPC will require additional information relating to significant equity investors, health care real estate investment trusts, and management services organizations that have an ownership interest in a Provider Organization.

Further, the Act increased penalties for Provider Organizations that fail to report parallel information to CHIA from US$1,000 per week for each week of non-compliance, capped at US$50,000, to US$25,000 per week for each week of non-compliance with no cap.

Conclusion

Awareness of the registration requirements that apply in Massachusetts is paramount for RBPOs seeking to maintain their financial and operational stability. Accordingly, such requirements, both those that apply to Provider Organizations and those that apply to RBPOs, should be carefully reviewed prior to entering into any risk contracts to ensure regulatory compliance.

[1] 211 CMR 155.02; 958 CMR 6.02.

[2] 958 CMR 6.04.

[3] 211 CMR 155.04; 155.05.

[4] Mass. Gen. Laws Ann. ch. 176T, § 3.

[5] 211 CMR 155.08.
