The Carbon Health CPOM Settlement: What It Means for Telemedicine and Digital Health using friendly PC/MSO model
California just secured a $4.5 million settlement with Carbon Health over the corporate practice of medicine, and it should have every telemedicine founder, digital health operator, and MSO-PC structure reading their own contracts tonight. This is not a one-off. It is the third corporate-practice action California has taken in roughly three months, and it is the first time the Attorney General has forced a company to tear down and rebuild a friendly-PC structure. It also lands in the same window that a new statute, SB 351, took effect and handed the state sharper enforcement tools.
If you run a physician-adjacent business built on a friendly PC or MSO-PC model, this guide walks through what actually happened, why the enforcement theory reaches you, and the concrete steps to make your structure defensible, including the California contract corrections and payment mechanics most operators get wrong.
The short version
The friendly PC and MSO-PC model is still legal. The exposure is the gap between a clean contract and messy operations.
California enforced this under its longstanding CPOM doctrine plus consumer-protection law, not a payer audit, which means cash-pay telehealth is squarely in range.
A co-founder paid a $100,000 personal penalty. Individual accountability is now on the table.
If you have California exposure, three captive-PC contract provisions need to come out now, and your banking and management-fee mechanics need to match the paperwork.
What is the corporate practice of medicine (CPOM)?
The corporate practice of medicine doctrine keeps clinical decisions with the licensed physician whose legal duty runs to the patient, and out of the hands of unlicensed owners whose duty runs to shareholders. The concern is practical: when a layperson controls clinical hiring, protocols, pricing, formulary, and marketing, the physician's independent judgment gets subordinated to commercial pressure, and the patient carries the risk.
California has enforced CPOM through case law for years, including People ex rel. Allstate Insurance Co. v. Discovery Radiology Physicians (2023) and Epic Medical Management v. Paquette (2015). What changed on January 1, 2026, is that part of the doctrine is now codified. SB 351 added Division 1.7, sections 1190 through 1192, to the Health and Safety Code. It defines prohibited conduct, voids offending contract provisions, and, for the first time, authorizes the Attorney General to seek injunctive relief and to recover attorney's fees and costs.
One important limit that operators keep missing: SB 351's specific prohibitions are aimed at private equity groups and hedge funds, not at every unlicensed entity, and the statute expressly says it does not lower the existing CPOM bar. So the older, broader doctrine still governs most friendly-PC structures, and SB 351 sits on top of it as a sharper tool against investor-controlled ones. Either way, the fee-shifting quietly changes the economics of every marginal structure.
What happened in the Carbon Health settlement?
Carbon Health, founded in 2015, grew to more than 80 clinics across eight states, including 54 in California. On June 26, 2026, the California Attorney General announced a settlement resolving claims that the company violated the state's ban on the corporate practice of medicine, alongside false advertising, unlawful consumer-contract, and improper billing claims. The findings fall into three buckets.
Structural control by an unlicensed entity. According to the complaint, a corporate entity not licensed to practice medicine effectively owned and controlled the medical practice. Two contract features did the damage: the management entity could replace the physician-owner with a physician of its own choosing, and the physician-owner could not remove the management entity without risking loss of the practice. That combination turns the physician into a nominee who controls nothing.
Operational control by unlicensed officers. Beyond the paperwork, unlicensed executives were found directing staffing, advertising, and insurance negotiations. This is the part operators underestimate. Even when a contract assigns authority to the physician, if daily reality shows non-clinicians making the calls, the operations become the evidence.
Consumer and billing harms. The state also cited misleading advertising about insurance coverage, including telling patients they were in-network when they were not, a hidden automatic-charge contract term, and improper billing including overcharges, duplicate charges, and slow refunds.
The result: $4.4 million in penalties against the company, $100,000 against co-founder and former CEO Eren Bali personally, and a required restructuring of the corporate structure so a non-medical company can no longer control or own the physician practices. A Chapter 11 bankruptcy filed during the investigation did not stop enforcement.
Why the Carbon Health settlement matters for telemedicine
One detail reframes the risk for digital health: Carbon billed insurance. This was not a fringe cash-pay operation that slipped through a crack. The enforcement lever was structure, operations, and consumer protection, not a payer audit.
That matters because the cash-pay and direct-to-consumer telehealth world long assumed it was insulated, since there was often no payer positioned to complain. Carbon removes that assumption. The Attorney General built the case on structure and consumer-protection theories, and neither one requires a payer to bring. Those powers are not new. The state has long been able to reach lay control of a practice under the CPOM doctrine and to challenge deceptive billing and advertising under its general consumer-protection authority. What is new is the appetite to use them against a venture-backed digital health company, with SB 351 waiting in reserve for any structure that runs on private equity or hedge fund money. The common belief that telemedicine is unregulated is more accurately stated as under-enforced, and enforcement typically lags a new model by about three years. That lag is closing.
Read Carbon in sequence, not isolation. The Attorney General filed an amicus brief defending the CPOM ban in Art Center Holdings v. WCE CA Art in the spring, settled with Aspen Dental over the corporate practice of dentistry in May, and settled with Carbon in June. Three coordinated actions in one quarter is a statement of intent.
Is the friendly PC model still legal?
Yes. The friendly PC and MSO-PC model is lawful when the physician genuinely controls the practice of medicine. The takeaway from Carbon is not that the model is dead. It is that the state will now look past the paperwork to examine whether clinical authority actually sits with the licensed physician in daily operation. The exposure is not the model. It is the gap between a clean contract and messy operations.
The real risk: compliant on paper, exposed in operation
Most operators focus on three things: do we have a physician, is the entity set up correctly, and is the money flowing the right way. Those are necessary and insufficient. The failure that gets enforced is subtler. The organization is compliant on paper and non-compliant in operation.
In most structures under review, the physician is a ghost. They are not running clinical hires, authoring protocols, confirming the formulary, or reviewing marketing. Often they do not understand what the agreement obligated them to do, because no one operationalized it. The vacuum gets filled by a non-clinician controlling pricing, hiring, and advertising, and the physician becomes a signature block rather than a safeguard.
When enforcement arrives, you have to prove the physician controls what the contract says they control. If the operational record cannot show it, the contract stops being a defense and becomes the roadmap a regulator uses to prove the mismatch.
What the physician must control in a compliant MSO-PC structure
A defensible structure assigns these domains to the licensed physician and proves the physician exercises them:
Clinical hiring and firing, because a layperson cannot assess clinical fitness.
Licensure, credentialing, and privileging confirmation, because a non-clinician cannot competently verify them.
Clinical protocols and standing order reviews, authored, versioned, and signed by the physician.
Scope of practice for all providers, defining what services are offered and who may deliver them.
Formulary, prescribing, and compounding policy, because these are medical decisions.
Clinical quality, peer review, and medical necessity.
Clinical fee setting, because a non-clinician should not price care.
Marketing and advertising claims, because only a clinician can judge whether a claim about care misleads a patient.
Correct Payment structures and processes reconciled and controlled by physician owner
Appropriate vendor management and selection
Privacy and security safeguards as it relates to PHI and patient data
Assigning these in a contract is step one. Demonstrating them in the operational record is what protects you.
How to fix your California MSO-PC contracts
California operators, and any structure with California exposure, should treat the following as the current drafting standard. It aligns with the position the Attorney General advanced in its recent amicus and with the theory behind the Carbon settlement. Eliminate three categories of captive-PC provisions:
Any right for the MSO to designate, replace, or swap the physician-owner. This is the single most dangerous provision.
Any MSO approval right over share transfers, or MSO status as a party to the stock transfer or restriction agreement.
Any provision where MSA termination, or a "for cause" event defined by the MSO, triggers a forced transfer of the physician's equity.
Then apply these affirmative rules:
Share transfers are triggered only by physician-side events: death, disability, loss of license, or voluntary exit.
Any successor owner is a licensed physician chosen by the physician-owner or the estate, never the MSO.
No mechanism lets a minority holder force repurchase of the majority owner's shares.
The MSA is decoupled from equity, so termination has no effect on ownership.
If no qualified physician successor exists, the structure provides for an orderly wind-down, not a transfer to the MSO.
One nuance worth drawing from the settlement itself: the state distinguished financing used as a mechanism of control from ordinary secured lending on market terms, and it preserved the ability to hold a conventional first-priority lien in practice assets. The problem is not that the MSO has money at stake. The problem is when a security interest becomes a back-door lever over who owns the practice. Keep your security interests conventional and market-term, and keep them decoupled from control of ownership.
If your California agreements contain any of the three eliminated provisions, that is a priority remediation item, not a future project.
Getting the money right: PC banking, EIN, and management fees
Payment flow is where sound structures quietly fail, and it is often the first thing a regulator can see. Common problems and their fixes:
Revenue lands in the PC account and is automatically swept in full to the MSO or parent LLC. Fix: the PC pays its own obligations first, then pays an invoiced management fee. Money should not move automatically.
The practice runs under the LLC's EIN. Fix: the PC maintains its own bank account under its own EIN.
Provider payroll is paid from the MSO account. Fix: clinical compensation and provider payroll are paid by the PC, because the PC employs or contracts the clinicians.
The MSO holds sole signatory authority over the PC account. Fix: the physician is a genuine signatory with real disbursement authority.
The management fee is a full sweep of clinical profit. Fix: the fee reflects the fair market value of services actually rendered. Fixed or cost-plus structures set at fair market value are more defensible than a percentage designed to capture all net revenue, and any percentage fee should be supported by a fair market value analysis.
The principle is simple: the physician entity must look and behave like it owns its own economics, because in law it does.
How to build operational proof of physician control
Contracts assert. Operations prove. Build a running record a regulator could review and conclude the physician is genuinely in control.
Governance cadence: a recurring clinical governance meeting chaired by the physician with dated minutes, quarterly physician attestations covering protocols, formulary, scope, and staffing, and a documented annual review of the structure against current law.
Documentation standards: version-controlled protocols with physician signature on each revision, credentialing files under physician oversight, clinical hiring and termination records showing physician decision, a marketing review log showing physician sign-off, and fee schedules showing physician approval.
The test for every item: if a regulator asked you to prove the physician controlled this decision, could you produce a dated, contemporaneous document? If not, that is a gap, and gaps are where cases are made.
Who is at risk: companies, executives, and physician-owners
The $100,000 personal penalty against Carbon's co-founder is the signal that individual actors are within reach. Expect scrutiny to expand in three directions: other states adopting California's statutory approach, high-volume direct-to-consumer prescribing models such as weight-management and hormone platforms that fit the structural and advertising theories, and personal accountability for executives who direct control and physician-owners who serve as figureheads. For the physician, that risk includes licensing board exposure, not just civil penalties.
CPOM compliance self-audit checklist
Work through these. Every "no" is a remediation item.
Structure:
Can the MSO replace or swap the physician-owner? (In California, eliminate this.)
Is the MSO a party to, or approver of, any share transfer agreement?
Does MSA termination trigger any transfer of the physician's equity?
Are share transfers limited to physician-side triggers with a physician successor?
Are any MSO security interests conventional and market-term, and decoupled from control of ownership?
Operations:
Does the physician make and document clinical hiring and firing?
Are protocols authored and signed by the physician, with version history?
Does the physician confirm formulary, prescribing, and compounding policy?
Are clinical fees set or approved by the physician?
Does the physician review clinical marketing before it runs?
Money:
Does the PC hold its own bank account under its own EIN?
Is the physician a genuine signatory with disbursement authority?
Are provider payroll and compensation paid by the PC?
Is the management fee set at fair market value rather than a full profit sweep?
Evidence:
Is there a physician-chaired governance meeting with dated minutes?
Are quarterly physician attestations in place?
Could you produce contemporaneous proof of physician control for each clinical domain
Frequently asked questions
What is the corporate practice of medicine (CPOM)? It is the legal doctrine that prohibits unlicensed individuals and corporations from owning or controlling medical practices or exercising control over clinical decisions, in order to protect patients and preserve physician independence.
Did Carbon Health make the friendly PC model illegal? No. The friendly PC and MSO-PC model remains lawful when the physician genuinely controls the practice of medicine. The settlement targeted structures and operations that gave an unlicensed entity effective control.
Does CPOM apply to cash-pay telemedicine? Yes. California's enforcement runs on structure and consumer protection, which do not depend on a payer. Cash-pay and direct-to-consumer telehealth are within reach.
What is SB 351? A California law, effective January 1, 2026, and codified at Health and Safety Code Division 1.7, sections 1190 through 1192. It defines prohibited conduct, voids offending contract provisions, and authorizes Attorney General enforcement with fee-shifting. Its specific prohibitions target private equity groups and hedge funds, and it expressly does not lower the broader CPOM bar that applies to all unlicensed control.
Was the Carbon settlement based on SB 351? Not directly. The Attorney General built the case on the longstanding CPOM doctrine together with false advertising, unlawful consumer-contract, and billing claims. SB 351 is the parallel development that now gives the state an additional, statute-based tool against investor-controlled structures.
What should I do first? Read your contracts against your org chart, remove any captive-PC provisions if you operate in California, correct your payment and banking flows, and start building a documented record of physician control.
Work with Camino
Camino Strategy Group builds compliant MSO-PC structures and the operational infrastructure that makes them hold up: governance cadence, attestation systems, documentation standards, correct and true ongoing engagement with physician partners and remediation of legacy contracts. We help private practice founders, digital health companies, and healthcare entrepreneurs build structures that survive scrutiny, not just ones that read well on signing day.
Building foundations that scale | caminostrategygroup.com
Sources
California Department of Justice, "Attorney General Bonta Announces First-of-Its-Kind Settlement with Carbon Health and its Co-Founder" (June 26, 2026): https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-first-its-kind-settlement-carbon-health-and-its
Holland & Knight, "California AG Settlement Again Targets Friendly PC Model" (June 2026): https://www.hklaw.com/en/insights/publications/2026/06/california-ag-settlement-again-targets-friendly-pc-model
Sheppard Mullin, "California Attorney General Secures CPOM Settlement Requiring Carbon Health to Restructure Its Friendly PC Arrangement" (June 2026): https://www.sheppard.com/insights/blogs/california-attorney-general-secures-corporate-practice-of-medicine-cpom-settlement-requiring-carbon-health-to-restructure-its-friendly-pc-arrangement
Foley & Lardner, "California Attorney General Escalates Attack on PC-MSO Model" (June 2026): https://www.foley.com/insights/publications/2026/06/california-attorney-general-escalates-attack-on-pc-mso-model-what-venture-backed-private-equity-and-digital-health-companies-need-to-know/
California Health & Safety Code, Division 1.7, sections 1190-1192 (SB 351): https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260SB351

