Categories
Health Law Highlights

Wade’s Health Law Highlights for October 28, 2025

Artificial Intelligence

  • Insurance companies face lawsuits alleging AI algorithms denied patient care without human oversight. UnitedHealth Group, Cigna, and Humana are defending against claims that their AI programs led to denied care, though the companies deny using AI for coverage denials. A May survey from the National Association of Insurance Commissioners found 84% of 93 insurers used AI, with 68% using it for prior authorization approvals, though only 12% reported using it to deny authorization requests. Healthcare providers are deploying their own AI tools to automate prior authorization requests and appeals, with physicians spending an average of 13 hours per week on these requests and the industry spending nearly $13 billion on prior authorization in 2023. Providers have adopted AI faster than insurers, creating agent wars between the two sides. Source: Healthcare Brew
  • California has banned AI systems from using healthcare licensing terms that could mislead consumers about professional qualifications. Assembly Bill No. 489, enacted on October 11, 2025, prohibits AI and generative AI technologies from using terms like “doctor” or “M.D.” in advertising or functionality that falsely suggest operation by licensed healthcare professionals. The legislation extends existing prohibitions on unauthorized use of healthcare licensure terms to cover entities that develop or deploy AI systems in healthcare contexts. Healthcare professional licensing boards can enforce violations through injunctions and other remedies, with each instance of prohibited term usage constituting a separate violation. Companies operating AI systems in healthcare must implement compliance measures and disclaimers to avoid enforcement action under the law. Source: Orrick

Civil Investigative Demands

Compliance

  • Healthcare organizations that bill government payers must establish formalized compliance programs through a six-step process. Organizations should first designate a compliance officer and form a committee, then begin drafting a compliance manual using OIG General Compliance Program Guidance as a framework, with completion targeted within 6-12 months. During the manual development phase, organizations should implement an anonymous reporting mechanism and code of conduct, conduct a risk assessment to identify vulnerabilities, and create a first-year work plan that addresses priorities identified through the assessment. Once the manual is complete, organizations should develop compliance training for all employees. Source: Dentons On Call

Data Privacy

  • Healthcare organizations can leverage minimum viable data governance (MVDG) to overcome data management challenges and accelerate AI adoption. MVDG provides a framework built on five pillars: Data Stewardship, Data Quality, Data Privacy, Data Security, and Metadata Management. The approach integrates governance processes into operational workflows, reducing the time required to move projects from concept to execution. MVDG breaks down data silos by unifying information into a consistent source of truth and establishes the data quality processes needed for AI-powered solutions. This method is “smart scaling” in that it adapts governance to business needs rather than creating bottlenecks. Source: HealthTech Magazine
  • Healthcare providers must reconcile data accessibility with patient privacy as cybersecurity threats intensify. Industry leaders recommend role-based access controls, encryption, and integrated EHR systems as solutions. The Department of Health and Human Services is proposing updates to the HIPAA Security Rule for the first time in more than two decades. The proposed changes eliminate “addressable” implementation specifications, requiring organizations to fully implement, document, and enforce every safety feature from encryption to incident response. Technologies such as privacy-preserving data enclaves, AI-powered monitoring, and centralized HIPAA-compliant platforms can enable data sharing while protecting patient information. Source: Healthcare IT Today

Fraud & Abuse

  • A federal health care fraud prosecution in Dallas collapsed after a prosecutor and defense attorney deleted court-ordered text messages, leading to charges against both legal professionals. Former federal prosecutor Carlos A. Lopez, 48, and Dallas defense attorney Barrett R. Howell, 50, face misdemeanor charges for deleting government text messages in April 2023 that a judge had ordered them to produce. The misconduct forced the Justice Department to dismiss all charges with prejudice against three defendants who were accused of operating a $107 million Medicare fraud scheme through Trinity Clinical Laboratories LLC between 2018 and 2019. Both Lopez and Howell are expected to sign plea agreements and face up to one year in prison and $100,000 fines each. U.S. District Judge Barbara M. G. Lynn rebuked the Justice Department during a May 2023 hearing after learning of the deleted messages. Source: wfaa.com
  • The Department of Justice created the Enforcement & Affirmative Litigation Branch within its Civil Division on September 25, 2025. The Branch consists of two sections: the Enforcement Section, which will pursue cases under the Federal Food, Drug, and Cosmetic Act, Consumer Product Safety Act, and Federal Trade Commission Act; and the Affirmative Litigation Section, which will bring lawsuits against states, municipalities, and private actors that allegedly obstruct administration policies. The reorganization does not create statutory powers but consolidates affirmative litigation functions. The Branch will focus on health care providers, drug and device marketing, and consumer product labeling, with False Claims Act enforcement related to gender-affirming care designated as a priority area. Companies in health care, pharmaceutical, and consumer-products sectors should review their marketing, labeling, and promotional protocols for compliance with federal standards. Source: Polsinelli

GLP-1

Marketing

Medicare Reimbursement

  • The HHS Office of Inspector General released a report calling for heightened oversight of Medicare billing for remote patient monitoring services. Medicare payments for RPM surpassed $500 million in 2024, serving nearly one million enrollees, despite Medicare coverage for RPM having been established only in 2019. OIG’s 2024 report found that nearly half of enrollees who received RPM services did not receive all three components: education and setup, device supply, and treatment management. The report recommends CMS monitor providers billing for enrollees with no prior practice history, new enrollees receiving RPM for the first time, enrollees never receiving treatment management, enrollees already receiving RPM at another practice, or multiple monitoring devices per month for a single enrollee. Providers should reinforce training and processes to ensure RPM services are medically necessary and compliant with Medicare requirements. Source: Morgan Lewis Health Law Scan

Mergers & Acquisitions

  • Healthcare buyers must conduct AI due diligence during mergers and acquisitions as organizations expand artificial intelligence use without governance frameworks. Many healthcare organizations deploy AI applications ranging from clinical decision-support interventions to patient communications without comprehensive monitoring strategies, creating compliance and liability risks for potential buyers. New state regulations compound these risks, with California’s Assembly Bill 489 prohibiting AI systems from suggesting medical advice comes from licensed professionals and Illinois banning AI use in mental health decision-making processes. Buyers should examine target companies’ AI oversight structures, governance programs, vendor contracts, and develop post-closing integration strategies to manage HIPAA violations and other legal exposures. The process requires collaboration between legal, IT, and clinical teams to assess risks and ensure compliance in this evolving regulatory landscape. Source: Sheppard Mullin Healthcare Law Blog

Value-Based Care

Wearables

Categories
Health Law Highlights

Wade’s Health Law Highlights for October 21, 2025

AI Governance

  • Joint Commission and the Coalition for Health AI released the first national guidance for responsible AI implementation in U.S. healthcare systems. The guidance establishes policies for local validation, monitoring, and use that healthcare organizations can integrate into existing or new processes. The organizations plan to release governance playbooks later this year and in 2026, followed by a voluntary AI certification program for Joint Commission’s more than 22,000 accredited healthcare organizations. The partnership, launched in June 2025, combines Joint Commission’s standards and reach with CHAI’s technical expertise to help health systems utilize AI while improving patient outcomes. CHAI membership includes nearly 3,000 organizations across healthcare and technology sectors. Source: Joint Commission
  • Healthcare providers are generating return on investment from AI in tech support and patient experience applications, according to a Google survey of more than 600 senior leaders in healthcare and life sciences. The survey found 80% reported better patient engagement metrics and 70% saw higher patient satisfaction scores, with both tech support and patient experience showing ROI for 34% of respondents. Meanwhile, 44% of organizations now use agentic AI agents, though data privacy and security remains the top concern for healthcare executives evaluating AI suppliers. A separate NYU study of 55,000 portal messages revealed clinicians use AI for patient communication 20% of the time, reducing composition time by 7% but requiring additional time for reviewing and editing AI-generated drafts. Source: AI in Healthcare

Biotech

  • The biotech industry confronts a convergence of financial and regulatory pressures while showing signs of recovery in select funding areas. A patent cliff threatens $300 billion in biologics revenue from 2023 through 2028, while the Inflation Reduction Act and potential tariff policies create pricing uncertainties for pharmaceutical companies. Venture capital funding rebounded in 2024 to $23.1 billion total, exceeding pre-pandemic levels, though fewer companies received funding with larger average round sizes. The IPO market remains weak with only 30 companies raising $4 billion in 2024, and 39% of smaller biotech firms hold less than one year of operating cash. Alliance deals reached $144 billion in potential value during 2024, representing the highest level in a decade as companies pursue partnerships over traditional mergers and acquisitions. Source: DCAT Value Chain Insights

Cybersecurity

  • Healthcare organizations face escalating cyber threats that directly compromise patient safety and care delivery. A Ponemon Institute survey of 677 healthcare IT professionals found that 93% of organizations experienced cyberattacks in the past year, with 72% reporting disruptions to patient care including delayed procedures, extended hospital stays, and complications that led to increased mortality rates in 29% of cases. Organizations experienced an average of 43 attacks each, up from 40 the previous year, while supply chain attacks proved most damaging with 87% of victims reporting negative patient care impacts. The average cost of the most expensive cyberattack reached $3.9 million, though this represents a decrease from 2024’s $4.7 million average, with operational disruption accounting for the largest expense at $1.2 million per incident. Human error contributed to 35% of data breaches, with employees failing to follow security policies, while 75% of organizations plan to migrate clinical applications to cloud platforms and 30% have adopted AI security tools. Source: HIPAA Journal
  • The EU Data Act establishes a framework requiring companies to provide users access to data from connected products and related services, with obligations that became applicable September 12, 2025. The regulation applies to manufacturers of connected products placed on the EU market and service providers, regardless of their location, covering Internet of Things devices that collect data about their use or environment. Users gain rights to access personal and non-personal data their devices generate, and companies must make this data available on fair, non-discriminatory terms while allowing transfer to third parties upon request. Medical and health devices fall within scope, including wearables and digital health platforms, requiring manufacturers to build mechanisms for patients to retrieve operational data in portable formats. Non-compliance can result in fines, regulatory investigations, and civil liability, with the regulation working alongside the European Health Data Space Regulation that entered force in 2025. Source: White & Case LLP

Federal Drug Administration

Fraud & Abuse

  • The Trump Administration continued False Claims Act enforcement in healthcare during fiscal year 2025. Healthcare enforcement continued with settlements exceeding $1 billion, including a $350 million settlement with Walgreens for filling invalid opioid prescriptions and a $98 million Medicare Advantage settlement for inflated risk scores. The DOJ also maintained focus on cybersecurity compliance violations among government contractors, securing multiple settlements totaling over $20 million. Paycheck Protection Program fraud cases continue due to Congress extending the statute of limitations to 10 years in 2022. Source: Mayer Brown
  • ASCs operate under federal anti-kickback law enforcement risk despite exemption from Stark law restrictions. The federal Anti-Kickback Statute prohibits offering or receiving remuneration in exchange for patient referrals reimbursed by Medicare or Medicaid, requiring physicians who invest in ASCs to disclose their ownership interests and ensure investment opportunities are not based on referral volume. Safe harbor protections shield ASCs from prosecution when physician-owners personally perform procedures at the center and meet specific thresholds, including requirements that at least one-third of a physician-investor’s income comes from ASC-eligible procedures and physicians perform at least one-third of their procedures at the ASC. ASC ownership transactions must occur at fair market value to avoid referral-based inducements, with independent third-party valuations recommended to validate pricing and mitigate risk. Operating an ASC requires Medicare certification, state registration, and facility inspections, with restrictions that prevent space-sharing with hospitals or Medicare diagnostic facilities and prohibit passive ownership. Source: Becker’s ASC

GLP-1

  • The Fifth Circuit Court of Appeals ruled that companies can now sue competitors under state laws that mirror federal FDA regulations, breaking from the tradition that only the federal government can enforce violations of the Federal Food, Drug, and Cosmetic Act. In Zyla Life Sciences, LLC v. Wells Pharma of Houston, LLC, the court reversed a district court dismissal and held that state laws mirroring the FDCA are not preempted by federal law. Zyla Life Sciences had sued Wells Pharma under unfair competition laws in six states, claiming Wells’ sales of compounded indomethacin suppositories violated state laws that mirror FDA premarket approval requirements. The decision relied on California v. Zook (1949) and could impact the ongoing legal battles between traditional drug manufacturers and compounding pharmacies, particularly involving GLP-1 weight loss drugs. Companies operating in FDA-regulated industries now face increased risk of civil lawsuits from competitors under state law, marking a shift in regulatory enforcement beyond federal oversight. Source: Foley & Lardner LLP

Intellectual Property

  • Healthcare startups utilize software and intellectual property licensing to overcome development costs and regulatory barriers while accelerating time-to-market. Three primary licensing models exist: proprietary licensing with strict usage conditions, open source licensing that permits modification and distribution, and custom agreements tailored to specific needs. Healthcare companies must ensure licensing agreements address regulatory compliance with laws like HIPAA and GDPR, define scope of rights and ownership of improvements, and specify exclusivity terms and liability protections. Beyond licensing, startups need comprehensive IP strategies that include filing patents, trademarking assets, and protecting trade secrets to attract investors and increase company valuation. These licensing arrangements enable partnerships with universities, pharmaceutical companies, and technology vendors for research collaboration and market expansion. Source: Healthcare Law Insights
  • Life sciences and medtech companies risk compromising patent rights during conferences through premature disclosure of technical details. Companies should file provisional patent applications before public disclosures and focus patent protection resources on inventions tied to core business objectives rather than pursuing patents for every idea. Teams should prepare two pitch decks—a non-confidential version and a confidential deck for NDA settings—since global patent rights depend on what companies disclose publicly. While the U.S. provides a one-year grace period after public disclosure to file for patent protection, many other jurisdictions do not offer this protection. Investors expect companies to maintain clean IP documentation, conduct freedom-to-operate scans, and protect trade secrets, particularly for software-enabled devices and AI systems. Source: Healthcare Law Insights

Private Equity & Startups

  • Physician-founded healthcare companies require structured equity plans, regulatory compliance, and disciplined funding approaches to succeed. Founders should implement standard four-year vesting schedules with one-year cliffs, while advisors need written agreements with defined scope, deliverables, and milestone-based equity that reflects fair market value rather than referral-based compensation. Early-stage funding typically uses SAFE agreements with valuation caps and discounts, progressing to clean preferred stock with 1x non-participating liquidation preferences for priced rounds. Due diligence examines corporate structure integrity, deal economics clarity, and regulatory compliance, particularly for companies delivering direct care through physician-owned professional corporation and management services organization models. Companies should form immediately when intellectual property, data, personnel, or pilot programs are involved, as delays complicate ownership and rights assignments. Source: Healthcare Law Insights
  • The California Governor signed SB 351, restricting private equity and hedge fund control over medical and dental practices. The law, which takes effect January 1, 2026, mandates that only physicians and dentists can own medical records, make employment decisions, negotiate payor agreements, make billing decisions, and approve medical equipment and supplies. SB 351 prohibits practice management contracts from including non-compete clauses that would bar providers from competing after termination or from commenting on quality of care issues and revenue strategies. The legislation grants the California Attorney General authority to seek injunctive relief and attorney’s fees from investors who violate corporate practice of medicine laws. The law applies exclusively to physician and dental practices backed by private equity or hedge funds and excludes government-owned healthcare entities from its restrictions. Source: The National Law Review

Medicaid Reimbursement

Telehealth

  • Key telehealth flexibilities from the COVID-19 public health emergency expired on October 1, 2025, after Congress failed to extend them beyond the September 30 deadline. The expired provisions include allowing telehealth services from patients’ homes, expanding practitioner definitions to include occupational therapists and physical therapists, permitting audio-only telehealth sessions, and waiving in-person visit requirements for mental health services. The Centers for Medicare & Medicaid Services published then removed guidance instructing Medicare contractors to implement temporary claims holds for affected services. Medicare will now revert to pre-pandemic restrictions that limit telehealth services to designated rural areas and require in-person hospice recertifications. While bipartisan support exists for extending these flexibilities, the timing of any future extension and whether it might apply retroactively remains uncertain. Source: Healthcare Law Blog

Texas Medical Board

  • The Texas Medical Board reprimanded Houston doctor for prescribing ivermectin to a COVID-19 patient at a Fort Worth hospital where she lacked treatment privileges. Administrative law judges determined Bowden engaged in unprofessional conduct when she prescribed the medication to a Tarrant County Sheriff’s Deputy in October 2021 without completing the required privilege application. The incident escalated when the physician sent a nurse to administer the medication, creating what the hospital called a “disruptive scene” that required police intervention. The doctor, an ear, nose and throat specialist, stated she does not regret her actions and plans to appeal the reprimand while filing a lawsuit against the medical board. The reprimand carries no fines or suspension. She has gained national attention for her opposition to COVID-19 vaccine mandates and support for ivermectin treatment. Source: Houston Chronicle
Categories
Health Law Highlights

Wade’s Health Law Highlights for October 14, 2025

AI Governance

  • Health systems possess the expertise to monitor AI tools but lack the infrastructure to implement comprehensive governance at scale. The Joint Commission and Coalition for Health AI released guidance covering AI policies, data security, quality monitoring, and safety event reporting, while the National Association of Insurance Commissioners established a model bulletin on AI use adopted by multiple states. Hospitals currently focus on low-risk AI applications such as chart review, ambient scribes, and radiology triage that maintain human oversight, according to Troy Bannister, CEO of Onboard AI. Mark Sendak of Vega Health argued that standards exist but healthcare organizations need scalable infrastructure and data systems to monitor AI tools across their systems. Industry executives expressed skepticism about Sen. Ted Cruz’s SANDBOX Act, which would create regulatory waivers for AI companies, preferring instead a distributed governance model similar to Clinical Laboratory Improvement Amendments. Source: Healthcare Innovation
  • AI in healthcare has come a long way since the FDA approved the first autonomous diagnostic system for diabetic retinopathy in 2018. The technology now detects patterns in medical scans, predicts patient deterioration, and automates administrative tasks while enabling personalized medicine through analysis of genetic and clinical data. However, algorithms can amplify healthcare inequities when training data underrepresents certain populations, and a 2023 study highlighted how racial and ethnic bias affects resource allocation and diagnostic accuracy. Current privacy frameworks like HIPAA and GDPR fail to address AI complexity, prompting new regulations including the EU AI Act that classifies medical AI as “high risk” and the US NIST AI Risk Management Framework. The American Medical Association has established principles requiring healthcare AI to be transparent and accountable while augmenting rather than replacing clinical judgment. Source: IAPP

Antitrust

  • U.S. antitrust officials signal a shift toward case-by-case enforcement over broad rulemaking as they target AI and healthcare markets for competition protection. DOJ Assistant Attorney General Gail Slater, DOJ Deputy AAG Dina Kallay, and FTC Director Daniel Guarnera outlined their enforcement priorities at the Fordham Competition Law Institute conference, backing away from the Biden Administration’s rulemaking approach in favor of targeted legal action. Slater framed the Google Search remedies decision as a foundation for AI market competition, while warning that monopolists may use privacy concerns to gatekeep data and block interoperability. The FTC plans to grant early termination of merger reviews more frequently, having already approved nearly 250 cases, and will continue enforcing against unlawful non-compete agreements despite abandoning the defunct broad rule. Officials emphasized scrutiny of incumbents in AI and healthcare sectors to prevent suppression of startups and ensure American competitiveness in deploying transformative technologies. Source: Wilson Sonsini

Cybersecurity

  • The U.S. Department of Labor expanded its cybersecurity guidance to cover all employee benefit plans, including health plans, requiring sponsors to implement 12 key security practices. Previously, DOL guidance focused only on ERISA retirement plans, leaving health plans outside the scope of federal cybersecurity requirements. Health plan sponsors must now align their cybersecurity practices with DOL standards while maintaining compliance with existing HIPAA and HITECH regulations. The 12 required practices include establishing formal cybersecurity programs, conducting annual risk assessments, implementing penetration testing, performing third-party security audits, and maintaining data encryption protocols. Unlike HIPAA and HITECH regulations that focus primarily on health data confidentiality, the DOL guidance takes a broader approach emphasizing ongoing monitoring, annual assessments, and continuous risk management across all health plan operations. Source: Security Magazine
  • Quantum computers will render current healthcare encryption methods obsolete, forcing organizations to prepare now for future security threats. Cyberthreat actors are already collecting encrypted healthcare data to store until quantum computers become available to break current RSA and ECC algorithms, according to Kurt Rohloff, chief technology officer at Duality Technologies. The National Institute of Standards and Technology released three post-quantum cryptography algorithms in 2024 after eight years of development, recommending organizations adopt these standards immediately. Healthcare data faces particular risk because health records retain sensitivity indefinitely, unlike credit card information that can be replaced when compromised. Rohloff recommends healthcare organizations conduct cryptographic inventories, discuss post-quantum plans with vendors, and consider fully homomorphic encryption that allows computations on encrypted data without decryption. Source: TechTarget

Data Breach

  • Harris Health notified over 5,000 patients that a former employee accessed their electronic health records without authorization for a decade. The Houston-area healthcare system discovered the breach on February 10, 2021, but the unauthorized access occurred from January 4, 2011, to March 8, 2021. The employee was terminated after an investigation confirmed that patient records were accessed without legitimate work purpose and some information was disclosed to unauthorized individuals, prompting Harris Health to notify the FBI. The compromised data included names, dates of birth, addresses, medical histories, medications, health insurance information, and Social Security numbers for some patients. Patient notifications were delayed four years at the request of law enforcement to avoid interfering with their investigation. Source: HIPAA Journal

Data Privacy

  • The Texas App Store Accountability Act will expose mobile app developers to private lawsuits starting January 1, 2026. The law requires app developers serving Texas users to assign age ratings for apps and in-app purchases, implement age verification systems, obtain parental consent for minors, and notify app stores of changes to terms of service or privacy policies. Unlike other Texas privacy laws, TASAA allows private litigants to sue for economic damages, injunctive relief, and attorney’s fees under the Texas Deceptive Trade Practices Act, while the Texas Attorney General can recover up to $10,000 per violation. The law prohibits developers from enforcing contracts against minors without parental consent, misrepresenting age ratings, and sharing personal data collected for age verification purposes. Utah and Louisiana will implement laws later in 2026. Source: Womble Bond Dickinson
  • States are stepping in to regulate reproductive health data privacy after a federal court struck down enhanced HIPAA protections in 2025. A Texas federal judge vacated the Reproductive Health Care Privacy rule in Purl v. U.S. Department of Health and Human Services on June 18, 2025, after a physician challenged it for conflicting with state child abuse reporting requirements. The Department of Health and Human Services did not appeal the decision by the August 18, 2025 deadline, leaving covered entities to rely on existing HIPAA protections. California, Virginia, and Washington have enacted comprehensive laws that extend beyond traditional healthcare entities to cover fitness trackers, retailers, and tech companies that process reproductive health data, with penalties ranging from $2,500 to $250,000 per violation. These state laws require explicit consent for data collection and sharing, with New York preparing similar legislation through the pending New York Health Information Privacy Act. Source: Troutman Pepper Locke

Devices

  • Ingestible sensors are transforming healthcare by providing real-time health monitoring from inside the human body. These capsule-shaped devices pass through the digestive tract and track temperature, medication adherence, pH levels, gastrointestinal motility, and biomarkers before transmitting data wirelessly to smartphones or tablets. The technology enables healthcare providers to monitor chronic diseases, ensure medication compliance, and conduct post-surgical monitoring without invasive procedures. The ingestible sensors market is projected to grow from $986.2 million in 2025 to over $1.7 billion by 2032 at an 8.1% compound annual growth rate. However, the technology faces challenges including high costs, data privacy concerns, and regulatory barriers, with the FDA approving only a few ingestible sensor products under strict guidelines. Source: Technowize

Enforcement

  • The Department of Justice established the Enforcement & Affirmative Litigation Branch within its Civil Division to consolidate enforcement efforts targeting public health and safety violations. The new branch contains two sections: an Enforcement Section that will pursue cases under the Controlled Substances Act, Food Drug and Cosmetic Act, and Federal Trade Commission Act, and an Affirmative Litigation Section that will sue states, municipalities, and private entities that obstruct federal policies. DOJ identified two priorities for the branch: targeting pharmaceutical companies, health care providers, and medical associations regarding gender transition claims, and ending sanctuary jurisdiction laws that impede federal immigration enforcement. The reorganization coincides with the FDA’s September 9, 2025 announcement of a crackdown on deceptive drug advertising and the winding down of the Consumer Protection Branch. The restructuring does not expand DOJ’s statutory powers but centralizes certain consumer protection matters and enforcement priorities. Source: Epstein Becker Green

Fraud & Abuse

  • The Trump Administration expanded False Claims Act enforcement beyond traditional healthcare and defense contracting into new areas including trade fraud, civil rights violations, and gender-related medical treatments during fiscal year 2025. The Department of Justice secured settlements exceeding $500 million in healthcare cases, including $98 million from a Medicare Advantage provider for inflated risk scores, $60 million from a pharmaceutical company for kickbacks, and $350 million from Walgreens for filling invalid opioid prescriptions. The DOJ launched the Civil Rights Fraud Initiative targeting universities and organizations that allegedly violate civil rights laws while receiving federal funding, and created a Trade Fraud Task Force with Homeland Security to pursue customs duty evasion cases. Government contractors faced over $20 million in cybersecurity-related settlements for failing to meet federal security requirements. The administration continues pursuing Paycheck Protection Program fraud cases under the extended 10-year statute of limitations, with settlements including $21.6 million from three foreign-owned companies. Source: Mayer Brown
  • Accountable care organizations report detecting fraud in Medicare skin substitute treatments that cost individual patients over $600,000 in 2025. Six doctor groups are seeing higher rates of spending on skin substitutes this year compared to 2024, with one case exceeding $2 million per patient. The Centers for Medicare and Medicaid Services estimates Medicare spent $10 billion on these treatments last year and has proposed reducing reimbursement from $2,000 per square centimeter to around $125, with a final decision expected in November. The accountable care organizations first alerted CMS to the possible fraud two years ago but say the agency is not moving fast enough to address the problem. The wound care industry is fighting the proposed payment reductions through the MASS Coalition, arguing the changes will not help crack down on fraud. Source: POLITICO
  • A federal court ordered Humana to pay $90 million to the government following the first whistleblower settlement involving Medicare prescription drug contracting fraud. Former Humana actuary Steven Scott alleged the company submitted fraudulent bids to the Centers for Medicare & Medicaid Services for Part D contracts from 2011 to 2017, maintaining two sets of books while providing coverage below required levels. The court also ordered Humana to pay $32 million in attorney fees to Scott’s legal team, while Scott received $26.1 million as his whistleblower share, equivalent to 29% of the government settlement. Humana did not admit liability in the agreement and said it settled to avoid litigation costs. The Department of Justice declined to intervene in the case, which centered on allegations that Humana’s “basic Walmart Plan” was not actuarially equivalent to required standards despite the company’s certifications to CMS. Source: Healthcare Innovation

HIPAA

  • The Office for Civil Rights reached a $182,000 settlement with Cadia Healthcare Facilities for posting patient success stories online without proper HIPAA authorization. On September 30, 2025, OCR announced the settlement with five Delaware rehabilitation and nursing facilities for violating HIPAA Privacy and Breach Notification Rules. Cadia compromised the protected health information of 150 patients by posting their names, photographs, and treatment details on the company’s public website through a success story program. The settlement requires Cadia to implement a two-year Corrective Action Plan, review compliance policies, train staff, and ensure no PHI appears on websites or marketing materials. This enforcement action follows similar cases, including a 2016 settlement with Complete P.T. for $25,000 over patient testimonials posted without authorization. Source: Mintz
  • Reid Health agreed to settle a class action lawsuit over allegations it used Meta Pixel tracking tools that disclosed patients’ protected health information without consent. The lawsuit, Jane Doe v. Reid Health, claimed the Richmond-based healthcare provider impermissibly shared patient data with third-party technologies through website tracking tools that collect information about user interactions, web pages visited, and searches performed. Reid Health denied any wrongdoing but chose to settle rather than face the costs and risks of continued litigation. Under the settlement terms, class members can claim a $25 cash payment and receive automatic enrollment in a medical shield product that protects against personal information misuse. Class members have until October 25, 2025, to object to the settlement, with claims due by December 24, 2025, and a final fairness hearing scheduled for December 9, 2025. Source: HIPAA Journal

Joint Ventures

Medicare Reimbursement

  • The Centers for Medicare & Medicaid Services issued final guidance for the 2028 implementation of the Inflation Reduction Act’s Drug Price Negotiation Program, marking the last year the agency must implement the program through guidance rather than rulemaking. The guidance establishes policies for Part B drugs to be selected for price negotiation for the first time, alongside Part D drugs, with CMS planning to select 15 drugs from the 50 highest-spending drugs in each category. CMS finalized most proposals but reversed course on treating certain fixed combination drugs as distinct qualifying single source drugs and will now include Medicare Advantage expenditure data in selection calculations. The agency shortened the negotiation timeline for 2028, giving manufacturers only six weeks for meetings instead of the previous two months. CMS concurrently issued revised Information Collection Request forms for small biotech exceptions and biosimilar delay requests, with public comments due by October 30, 2025. Source: Hogan Lovells

Mergers & Acquisitions

  • Healthcare transaction activity showed mixed results in early 2025 as political uncertainty and federal policy changes disrupted deal momentum. Deal values declined in the second quarter despite volume increases, with tariff threats and federal changes creating market uncertainty that caused investors to pull back. Dental practices dominated physician group transactions, accounting for over half of all deals in the first six months, while e-health transactions jumped from 124 deals in 2024 to 160 deals in the same 2025 period. Behavioral health deals increased from 34 to 54 transactions during the same timeframe, and hospital transactions cooled after elevated activity in 2024. Non-private equity investment reached 200 deals in the second quarter of 2025, marking the first time this threshold was crossed in 18 months. Source: CLA

Regenerative Medicine

  • The FDA issued draft guidance on September 20, 2025, establishing expedited review pathways for regenerative medicine therapies targeting serious conditions. The guidance will replace earlier FDA guidance from February 2019 and outlines how sponsors can utilize streamlined review processes for cell and gene therapies and other regenerative medicine products. The FDA has received almost 370 Regenerative Medicine Advanced Therapy (RMAT) designation requests as of September 2025 and approved 184, with 13 RMAT-designated products receiving marketing approval as of June 2025. The guidance emphasizes long-term safety monitoring for regenerative therapies and encourages sponsors to use digital health technologies for safety data collection and real-world evidence to support accelerated approval applications. The FDA is accepting public comments on the draft guidance through November 24, 2025. Source: Holland & Knight

Reproductive Rights

  • Texas Attorney announced the arrest and indictment of eight people connected to a Houston-area midwife for practicing medicine without a license. At least one of the eight individuals is also accused of performing an abortion, while the midwife Maria Margarita Rojas, 49, was previously charged in March with 15 felony counts including performance of an abortion and 12 counts of practicing medicine without a license. Rojas was the first person charged under the Texas Human Life Protection Act, and Paxton emphasized that some of the defendants include foreign nationals. Rojas’ attorney and the Center for Reproductive Rights are defending her, calling the case a sham and noting that her clinics served low-income, uninsured immigrants before being shut down. Texas law permits abortions only when a pregnant person faces risk of death or serious physical impairment, with providers facing penalties of at least $100,000, loss of medical licenses, and prison time for violations. Source: CNN
  • The US Court of Appeals for the Fifth Circuit dismissed an appeal that effectively ends HIPAA privacy protections for reproductive healthcare records. The court dismissed the appeal on September 10, 2025, following a June 2025 ruling in Purl v. Department of Health & Human Services that vacated provisions of the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The rule provided protection to protected health information related to reproductive healthcare services. The Biden Administration implemented the rule to protect reproductive healthcare records from disclosure following the 2022 Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization. The dismissal signals the conclusion of the Purl case and the end of these privacy protections. Source: American Bar Association
  • States are enacting reproductive health data privacy laws after a federal court struck down HIPAA protections. A Texas federal judge overturned the Reproductive Health Care Privacy rule in June 2025, which had amended HIPAA to impose restrictions on the use and disclosure of reproductive health information for criminal or administrative investigations. California, Washington, Virginia, and New York have implemented or are implementing their own laws that extend beyond traditional healthcare entities to cover fitness trackers, retailers, and tech companies that process health-related data. These state laws require explicit consent before collecting or sharing reproductive health information and impose penalties ranging from $2,500 per violation in Virginia to $250,000 per willful violation in California. The laws apply to organizations that may not consider themselves healthcare-oriented, including digital health companies, data brokers, and companies using geolocation data. Source: Troutman Pepper Locke

Tariffs & Taxation

Categories
Health Law Highlights

Wade’s Health Law Highlights for October 7, 2025

Alternative Medicine

  • Texas Medical Board now requires physicians to obtain structured consent before providing complementary and alternative medicine therapies. Effective January 2025, the rules apply to any non-conventional treatment including peptides, stem cells, and exosomes, regardless of FDA approval status. Physicians must use an unmodified TMB consent form that covers assessment requirements such as medical history, physical exams, and discussion of conventional treatment options. The disclosure process requires documentation of treatment objectives, risks and benefits, regulatory status of substances used, and plans for periodic review of patient progress. The executed form must become part of the patient’s medical record and cannot be customized beyond translation or supplemental pages. Source: Healthcare Empowered

Devices & Wearables

  • Patients are managing their own healthcare through direct-to-consumer tests, wearable devices, and AI chatbots due to doctor shortages and long appointment wait times. Companies like Quest Diagnostics now offer more than 150 direct-to-consumer lab tests ranging from $29 complete blood counts to $385 comprehensive health profiles analyzing over 75 markers. Two-thirds of adults use smartphone apps to track health information, while new devices can monitor heart rhythm for $79-$129, screen for sleep apnea, and measure blood pressure without cuffs. Patients and caregivers are turning to ChatGPT and other AI chatbots to diagnose symptoms, manage chronic diseases, and research treatments for serious conditions. Harvard Medical School professor Dr. Tom Delbanco notes that evidence shows patient involvement in their own care leads to better outcomes, though the trend carries risks including reliance on information not reviewed by clinicians and data privacy concerns. Source: WSJ

Emerging Tech

Fraud & Abuse

  • The OIG identified billing practices that warrant scrutiny in Medicare’s remote patient monitoring program after payments reached $536 million in 2024. The August 25, 2025 report found Medicare payments for RPM services increased 31% from 2023, with nearly one million Medicare enrollees receiving services from approximately 4,600 medical practices. The OIG flagged concerning billing patterns including 45 practices billing for patients with no prior medical relationship, 52 practices billing for patients who never received treatment management, and instances of multiple practices billing the same enrollees or providers billing for multiple devices per patient monthly. The findings follow previous fraud alerts and precede an upcoming 2026 audit of Medicare Part B RPM services announced in December 2024. Healthcare providers face increased scrutiny and audit risk as the OIG calls for CMS to implement safeguards to monitor these billing patterns. Source: The FCA Insider

HIPAA

  • Texas enacted SB 1188 to regulate electronic health records and artificial intelligence use in healthcare. The law, which took effect September 1, 2025, requires all EHRs containing Texas patient data to be physically stored in the United States beginning January 1, 2026. SB 1188 applies to healthcare entities, third-party vendors, cloud service providers, and subcontractors that manage or store EHRs. The legislation mandates disclosure when AI is used for diagnostic purposes, requires EHR systems to include dedicated fields for biological sex at birth, and prohibits collection of patient credit scores or voter registration data. The law authorizes civil penalties against entities that violate its requirements. Source: Buchalter
  • Cadia Healthcare Facilities paid $182,000 to settle HIPAA violations after posting patient success stories without proper authorization on their websites and social media. The Department of Health and Human Services Office for Civil Rights investigated the five Delaware nursing homes following a complaint that the chain disclosed patient names, photographs, and health information without valid written HIPAA authorization. The investigation revealed that Cadia disclosed protected health information for 150 patients across its websites, despite having policies requiring written consent forms. Under the settlement agreement, Cadia must implement a two-year corrective action plan monitored by OCR, provide workforce training on HIPAA policies, and notify all affected individuals of the potential breach. The company apologized and stated it had enhanced its privacy policies and increased employee training. Source: McKnight’s Senior Living

Marketing

  • Texas defends its text marketing law by arguing it targets spam messages rather than consent-based business communications. Texas Senate Bill 140, signed by Governor Greg Abbott on June 20, 2025, and effective September 1, 2025, requires businesses using text message telemarketing to register with the secretary of state, pay a $200 fee, post a $10,000 security bond, and submit quarterly reports. The state filed a brief opposing a preliminary injunction request from plaintiffs including an industry association and two e-commerce companies who challenged the law in federal court. Texas argued the law excludes transmissions that mobile customers have agreed to receive and focuses on stopping deceptive solicitations without permission. The law includes a “customer” exemption for businesses that have operated under the same name for at least two years when soliciting current or former customers. Source: The National Law Review

Medicare Advantage

Mergers & Acquisitions

  • The FTC moved to block private equity firm GTCR’s $627 million acquisition of medical device company Surmodics in the Trump administration’s first merger challenge. The FTC alleges the merger would combine the two largest providers of hydrophilic coatings used in medical devices, resulting in a market share exceeding 50% and concentration levels that surpass antitrust guidelines. The Commission voted unanimously in March 2025 to file suit, arguing the transaction would eliminate competition between direct competitors in a market with high entry barriers. The case signals a shift from the Biden administration’s focus on private equity transactions to more traditional antitrust theories centered on market concentration and competitive harm. Healthcare transactions remain a priority for antitrust enforcers regardless of political administration, reflecting the industry’s impact on patients and the economy. Source: Jones Day
  • Healthcare transaction due diligence requires a fundamentally different approach than other industries due to regulatory complexity and constant change. Healthcare deals face challenges including regulatory exposure, reimbursement risk, compliance pitfalls, and cybersecurity threats, with oversight from CMS, DOH, OIG, HIPAA and commercial payer policies making compliance more difficult than most industries. Coding and billing errors can trigger claim denials, payment delays, reduced payments, and legal exposure, while annual updates to CPT and ICD codes mean rules change constantly. Historical performance fails to predict future results because reimbursement models, regulatory frameworks, and care delivery models remain in flux, forcing investors to develop forward-looking approaches that assess how policy changes will reshape revenue models. Technology tools like analytics platforms now enhance due diligence by providing targeted sampling and audit insights, while collaboration between finance and coding teams delivers a complete view of risks and opportunities rather than isolated findings. Source: VMG Health

Patient Safety

  • Florida will require Level 2 background screenings for nearly all healthcare practitioners starting July 1, 2025, under House Bill 975. The law expands fingerprint-based criminal history checks from a select group of healthcare professions to include dentists, pharmacists, therapists, social workers, and dozens of other licensed practitioners. New applicants must complete the screening before licensure, while current practitioners must undergo screening at their first renewal on or after the effective date. The law also expands the list of criminal offenses that can disqualify someone from holding a healthcare license, including abuse, fraud, and certain felonies. Practitioners who fail to complete the screening cannot have their licenses renewed, which immediately revokes their authority to practice in Florida. Source: Health Care Law Matters

Pharmaceuticals

  • The Trump Administration plans to impose tariffs on pharmaceutical imports, ending decades of duty-free trade for the industry. The administration is conducting a Section 232 investigation into pharmaceutical imports’ impact on national security, with President Trump and key officials expressing intent to introduce tariffs in the near future. Companies must review supply agreements to identify which entity serves as importer of record, as this entity bears legal responsibility for paying tariffs on U.S. imports. Pharmaceutical companies can potentially reduce tariff exposure through the “first sale” rule, which allows dutiable value to be based on the price between manufacturer and intermediary rather than the subsequent sale to the U.S. importer. Companies should also evaluate tariff-free exemptions for products used in research and development activities and consider modifications to supply chains involving chemical compounds and bulk drug substances. Source: Jones Day

Telehealth

  • Medicare telehealth flexibilities expired for the first time since the COVID-19 pandemic, ending nearly five years of extensions and forcing coverage to revert to pre-pandemic rules. Under the restored regulations, most Medicare beneficiaries can no longer receive telehealth services from home and must instead visit specific sites such as provider offices, hospitals, or skilled nursing facilities located in rural professional shortage areas outside metropolitan statistical areas. The changes also reinstate restrictions on which practitioners can provide telehealth services and limit audio-only telehealth to certain circumstances. The Centers for Medicare and Medicaid Services advised providers through an October 1 newsletter to consider sending Advance Beneficiary Notices of Noncoverage to Medicare patients continuing telehealth care and directed Medicare Administrative Contractors to hold claims for 10 days. Healthcare providers must now reassess their telehealth operations to comply with the pre-pandemic requirements while the industry awaits potential Congressional action. Source: BakerHostetler
Categories
Article

Consent Requirements for Complementary and Alternative Medicine

Effective January 2025, the Texas Medical Board (TMB) adopted new Complementary and Alternative Medicine (CAM) standards that require physicians to use a specific disclosure and consent process before providing any CAM therapy. These rules apply broadly to any non-conventional treatment—whether or not it is FDA-approved—including popular offerings such as peptides, stem cells, and exosomes.

What counts as CAM under the new rules

Under Rule §171.1, the TMB defines:

  • Alternative medicine as methods of diagnosis or treatment that are not generally considered conventional and may or may not be regulated by the FDA.
  • Complementary medicine as the use of conventional care together with some form of alternative therapy.

In short, if you are offering therapies outside standard conventional care—especially those not approved by the FDA—these standards apply.

The new required consent and disclosure form Rule §171.2 requires that, before any CAM drug, device, treatment, or intervention is provided, the physician and patient must review and execute the TMB’s Complementary and Alternative Medicine Treatment Disclosure and Consent form. Key parameters:

  • The fully executed form must be part of the patient’s medical record.
  • The form cannot be altered or customized (other than translating it or adding supplemental pages as necessary).
  • Physicians must continue to comply with all applicable statutes.

What must be covered with the patient

The mandated form (22 TAC §171.2(b)) lays out a structured, line-by-line process—each section is initialed by physician and patient, with “N/A” allowed only when truly inapplicable. Among the required elements:

Assessment

  • A description of conventional and non-conventional diagnostic methods.
  • A completed medical history and physical exam.
  • Discussion of conventional treatment options and referrals if needed.
  • Documentation of any prior conventional treatments and outcomes, including if the patient declined them.
  • An assessment of whether the CAM therapy could interfere with ongoing or recommended care.

Disclosure

  • Objectives and expected outcomes (e.g., functional improvement, pain relief, psychosocial benefits).
  • Risks and benefits of the proposed treatment.
  • The extent to which the treatment may interfere with other medical care.
  • A description of the proposed treatment’s therapeutic basis or mechanism of action, in plain language.
  • The regulatory status of any drug/supplement/remedy involved:
    • FDA-approved for human use,
    • Exempt from FDA preapproval under DSHEA (dietary supplements), or
    • A non-commercial pharmaceutical compound under clinical investigation standards.
  • A documented, individualized treatment plan incorporating history, prior records, exam findings, and the need for further testing, consults, referrals, or other modalities.
  • A favorable risk/benefit profile compared to other treatments for the same condition.
  • A reasonable expectation of a favorable outcome, including preventive benefits.
  • An expectation of greater benefit than no treatment.
  • Plans for periodic review at reasonable intervals, based on the patient’s progress and any new information about the condition, to confirm treatment objectives are being met.

The form also emphasizes that consent is voluntary; patients should not feel pressured and may withdraw consent at any time. Importantly, physicians must keep accurate, complete records, including discussions about off-label use or CAM.

Why this matters—for patients and physicians

  • Transparency and trust: Patients deserve to know when a therapy is unconventional, not FDA-approved, investigational, or a dietary supplement, and how that status affects safety and efficacy claims.
  • Safety and coordination: Many CAM therapies can interact with other treatments. The required assessment and interference review help ensure care is coordinated and harm is minimized.
  • Shared decision-making: Clear objectives, risks, benefits, and mechanisms—explained in plain language—support informed choices aligned with patient goals and values.
  • Quality and accountability: A tailored treatment plan, periodic reassessment, and documentation of conventional alternatives help maintain clinical rigor.
  • Regulatory compliance and risk management: Using the TMB’s unmodified form and preserving it in the medical record reduces legal risk and demonstrates adherence to state standards.

Practical steps for clinics

  • Update intake and consent workflows to include the TMB CAM Consent before any CAM therapy is initiated.
  • Train clinicians and staff to review each required element, ensure patient comprehension, and document all discussions.
  • Build templates for supplemental pages (e.g., treatment-specific risks/benefits, literature summaries, monitoring schedules).
  • Standardize how you disclose FDA/DSHEA/compounding status for treatments like peptides, stem cells, and exosomes.
  • Schedule periodic reviews and track outcomes to meet the rule’s reassessment requirement.
  • Ensure your EHR stores the fully executed form and related notes in a consistent, auditable location.

Bottom line

Texas now requires a standardized, thorough disclosure and consent for all CAM therapies. For practices offering non-FDA-approved options such as peptides, stem cells, or exosomes, compliance isn’t just a regulatory checkbox—it’s good medicine.

By setting clear expectations, coordinating care, evaluating risk/benefit, and documenting shared decision-making, physicians can protect patients and themselves while preserving access to innovative therapies.

Categories
Health Law Highlights

Wade’s Health Law Highlights for September 30, 2025

Artificial Intelligence

  • Shadow AI tools used without IT oversight create security risks that cost healthcare organizations $200,000 more per data breach than sanctioned AI incidents. IBM’s 2025 Cost of a Data Breach report found that 20% of organizations across all sectors suffered breaches due to shadow AI incidents, compared to 13% for sanctioned AI tools. A 2025 survey revealed that 86% of healthcare IT executives reported shadow IT instances in their health systems, up from 81% in 2024. Shadow AI displaced security skills shortage as one of the top three factors contributing to breach costs, with personally identifiable information being the most compromised data type and intellectual property compromised in 40% of shadow AI incidents. More than 60% of organizations lack governance policies to manage AI or detect unauthorized AI use, according to IBM research. Source: TechTarget

Fraud & Abuse

Hospice

HIPAA

  • A federal court vacated reproductive health care provisions of the 2024 HIPAA Privacy Rule while preserving substance use disorder protections. On June 18, 2025, in Purl v. HHS, a federal district court eliminated requirements for group health plans to update policies and Privacy Notices for reproductive health care information protections. The court preserved regulations at 42 CFR part 2 that require group health plans to implement protections for substance use disorder (SUD) records by February 16, 2026. SUD records include patient identity, diagnosis, prognosis, or treatment information maintained in connection with substance use disorder programs conducted or assisted by any U.S. government department. Group health plans cannot disclose SUD records in legal proceedings without written consent or court order, and must update Privacy Notices and distribute them to all participants by the February deadline. Source: Spencer Fane

Marketing

  • Texas Senate Bill 140 requires companies sending text messages to or from Texas to comply with telemarketing regulations starting September 1, 2025. The law redefines “telephone solicitation” to include text and multimedia messages, requiring companies to register with the Secretary of State and post a $10,000 bond. Text messages can only be sent between 9 am and 9 pm Monday through Saturday and between noon and 9 pm on Sundays in Central time, with fines reaching thousands of dollars per message for violations. The legislation strengthens consumer enforcement rights under the Texas Deceptive Trade Practices Act and allows consumers to bring multiple lawsuits for continuing violations. The changes come as the US Supreme Court’s June 2025 McLaughlin decision created uncertainty about federal Telephone Consumer Protection Act rules, making state laws more important in regulating text marketing campaigns. Source: Foster Garvey PC

Medicare

Medicaid

  • Texas overpaid $10.5 million to hospices due to lack of oversight policies during fiscal years 2020 through 2022. The Office of Inspector General found that 174 hospices, representing 36 percent of hospices that received payments, were overpaid because Texas had no policies and procedures for calculating and collecting hospice cap overpayments. Of the total overpayments, $6.9 million represents the Federal share that should have been returned to the Federal Government. The OIG recommends that Texas collect the $10.5 million in overpayments and refund the Federal share, and also develop policies and procedures for future cap overpayment calculations. Texas agreed with the second recommendation but did not indicate concurrence or nonconcurrence with the first recommendation. Source: Office of Inspector General

Mergers & Acquisitions

Non-Competes

Pharmacies

  • Four Texas pharmacy professionals received prison sentences for operating a pill mill that distributed over half a million opioid pills. Arthur Billings, 61, the owner of Health Fit Pharmacy in Houston, was sentenced to 12 years in prison and ordered to forfeit $2.6 million for his role in the conspiracy. Three pharmacists who worked at the facility received sentences ranging from 20 months to six years in prison, with forfeiture orders between $5,000 and $68,931. The cash-only pharmacy dispensed hydrocodone and oxycodone to individuals posing as patients for drug traffickers, using fraudulent prescriptions issued under stolen physician identities. The operation continued despite repeated warnings from the Texas State Board of Pharmacy, the Texas Department of Public Safety, and the Drug Enforcement Administration. Source: U.S. Department of Justice

Private Equity

Website Tracking

  • Four federal courts delivered mixed rulings in August on Electronic Communications Privacy Act claims against healthcare companies using website tracking technologies like Meta Pixel and Google Analytics. The decisions reveal a split among courts on invoking ECPA’s “crime-tort exception,” with Illinois courts producing contradictory outcomes—some allowing claims to proceed where plaintiffs alleged transmission of protected health information to third parties, while others dismissed cases for lack of specificity about what information was disclosed. A Washington court permitted an addiction treatment case to advance, finding that results from an online addiction survey coupled with appointment requests constituted protected health information. Courts emphasized that successful ECPA claims require plaintiffs to provide details about what health information was disclosed and how it relates to individual health status, rather than general assertions about website usage. The rulings demonstrate that the outcome of these cases depends on the specifics of alleged HIPAA violations and whether tracking data can identify individuals and relate to their health conditions. Source: Byte Back
Categories
Health Law Highlights

Wade’s Health Law Highlights for September 23, 2025

Advertising

  • The FDA announced a crackdown on direct-to-consumer pharmaceutical advertising on September 9, following a presidential memorandum directing action against misleading advertising practices. The agency issued thousands of template letters to pharmaceutical companies warning them to remove misleading advertising and sent hundreds of cease-and-desist letters to companies violating advertising rules. FDA plans to increase enforcement actions from the current 10-20 untitled letters annually to hundreds per year, with focus on social media and digital advertising content. The agency targets violations of “fair balance” requirements between drug risks and benefits, with attention to how seniors access risk information and influencer posts that fail to follow regulations. FDA also intends to eliminate the “adequate provision” rule that currently allows drug manufacturers to avoid listing all safety risks in broadcast advertisements if they direct consumers to additional information sources. Source: Loeb & Loeb LLP

Cybersecurity

  • Healthcare organizations must understand cloud lifecycle management beyond initial migration to achieve cost optimization and security compliance. Healthcare systems have increased cloud adoption over the past five to seven years, with providers like Amazon Web Services offering compliance and security features that reduce concerns about hosting protected health information in the cloud. Organizations face challenges including stakeholder buy-in, security concerns around PHI, selecting appropriate cloud architecture, and maintaining HIPAA compliance throughout the cloud lifecycle. Cloud lifecycle management begins with planning and determining what to host in the cloud, followed by migration, operationalizing with a FinOps approach for financial responsibility, continuous workload optimization, and eventual decommissioning or modernization. Technology partners such as Mission Cloud Services can guide healthcare organizations through each stage of cloud lifecycle management, with cloud infrastructure serving as a foundation for accessing AI and machine learning tools. Source: HealthTech Magazine

Data Privacy

  • Texas mandates electronic health records must be stored within the United States starting January 1, 2026. Senate Bill 1188 requires all electronic health records under the control of covered entities to be physically maintained in the United States or U.S. territories, regardless of whether the records are stored by the covered entity or a third party. The law defines “covered entity” more broadly than HIPAA, encompassing nearly any entity that assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information, including healthcare providers, payors, schools, researchers, and business associates. Violations can result in civil penalties between $5,000 and $250,000, and regulatory agencies may revoke or suspend licenses, registrations, or certifications. The Texas Health and Human Services Commission and the Texas Attorney General are authorized to investigate and penalize non-compliance with the storage requirements. Source: Katten Muchin Rosenman LLP

Economics

  • Hospitals in economically disadvantaged areas adopt health information technologies at lower rates than those in affluent regions, according to a study of 16,646 hospital observations from 2018-2023. Hospitals in the most deprived areas were less likely to implement treatment-stage telehealth, postdischarge telehealth, electronic data query systems, and data availability functions compared to hospitals in the least deprived areas. The research found that hospital participation in accountable care organizations was associated with higher adoption rates across all technology types, with ACO-participating hospitals showing adoption probabilities 2-7 percentage points higher than non-participating facilities. Despite persistent gaps, health information technology adoption increased over time across all hospitals regardless of area deprivation level, with adoption rates rising from 2018 to 2023. Hospital characteristics including bed size, urban versus rural location, and ACO participation explained 60-104% of the observed disparities in technology adoption between advantaged and disadvantaged areas. Source: JAMA Health Forum

Fraud & Abuse

  • Healthcare whistleblowers now use AI algorithms to analyze public datasets and flag statistical anomalies that signal potential fraud. The Department of Justice recorded 979 qui tam actions in 2024, marking the second-highest number of False Claims Act cases in program history, with many initiated through mathematical outliers rather than insider tips. The Centers for Medicare & Medicaid Services pioneered this approach in 2011 with their Fraud Prevention System, which prevented or caught $820 million in inappropriate payments within three years by running predictive analytics on 100% of Medicare fee-for-service claims. Analysis of nearly 3,500 analytics-driven audits reveals an 18% error rate, roughly double what traditional probe audits detect, while traditional audits examine only 10 encounters per provider and miss over 90% of potential issues. Healthcare organizations can now use tools like VMG Health’s Compliance Risk Analyzer to identify the same billing patterns and anomalies before external investigators spot them. Source: VMG Health
  • The federal government made $162 billion in improper payments during fiscal year 2024, representing a $74 billion decrease from the $236 billion recorded in 2023. The decline occurred primarily due to the termination of pandemic-related programs, with the Department of Labor’s Pandemic Unemployment Assistance program alone accounting for a $44 billion reduction. Of the total improper payments, $135 billion (84%) were overpayments to recipients, while the remainder included underpayments, unknown payment errors, and procedural violations. Five programs concentrated 75% of all improper payments: Medicare, Medicaid, the Earned Income Tax Credit, SNAP, and the Restaurant Revitalization Fund. Since 2003, the federal government has made an estimated $2.8 trillion in improper payments across various programs and agencies. Source: U.S. GAO

IV Hydration

Litigation

  • Healthcare tech companies face mounting class action lawsuits that threaten investor confidence and stock stability. The sector has become a target for litigation due to digitization, data privacy concerns, and regulatory scrutiny, with UnitedHealth Group settling for $69 million in 2024 after accusations of prioritizing business relationships over 401(k) fund performance. Data breach lawsuits surged in 2024, with plaintiffs filing more cases than in any prior year, despite amendments to privacy laws that reduced per-scan damages. Companies that demonstrate transparency and strategic pivots during legal disputes recover faster than those with poor leadership, while servant and transformational leadership styles help mitigate risks through proactive compliance. Investors should monitor leadership actions such as cybersecurity spending increases as indicators of a company’s ability to manage legal challenges and maintain long-term stability. Source: AInvest

Medical Devices

  • The FDA has escalated enforcement against AI health apps by issuing warning letters to SeniorLife Technologies and Whoop for marketing diagnostic features without proper authorization. SeniorLife received an August 21, 2025 warning letter for its AI app that assesses mobility and cognitive health, predicts fall risk, and detects Alzheimer’s signs without premarket clearance, while also lacking basic quality system controls like complaint handling and employee training procedures. Whoop received a July 14, 2025 warning letter for its Blood Pressure Insights feature that estimates systolic and diastolic blood pressure, which FDA determined to be inherently diagnostic and tied to hypertension conditions. Both companies violated regulations by falsely claiming FDA approval in their marketing materials and failing to submit required 510(k) applications for their diagnostic software functions. The enforcement actions signal FDA’s position that AI-enabled health software performing diagnostic functions must undergo premarket review regardless of how companies frame the features as “wellness” tools. Source: Hogan Lovells
  • The Office of Inspector General approved physician ownership in a medical device company through Advisory Opinion 25-09 while maintaining scrutiny of such arrangements. The opinion involved an emergency stroke treatment device company where physician investors owned 35 percent of the company and could order or recommend the device to hospitals. OIG found no Federal Anti-Kickback Statute violation because the arrangement met all requirements of the small entity investment safe harbor, including keeping physician ownership under 40 percent and providing equal investment terms to all investors. Despite the approval, OIG reaffirmed that physician-owned medical device companies remain “inherently suspect” and warned that such arrangements can create incentives to overutilize services and distort clinical judgment. The opinion confirms that compliance pathways exist for physician investment in medical device companies when structures align with safe harbor requirements. Source: Orrick

Non-Competes

Qui Tam Actions

  • A federal judge rejected TriHealth’s constitutional challenge to the False Claims Act but certified the case for appeal to the Sixth Circuit Court. On July 28, 2025, U.S. District Judge Douglas Russell Cole stayed the False Claims Act lawsuit in United States of America et al. v. TriHealth Inc. et al. while the constitutional challenge proceeds. TriHealth argued that the FCA’s qui tam provisions violate the Constitution’s Article II Appointments and Take Care Clauses and that whistleblowers Thomas Murphy and Dr. Set Shahbabian lack standing under Article III. The court ruled that relators are not officers under the Appointments Clause and that the Executive Branch retains control over relator conduct, rejecting TriHealth’s constitutional arguments. This case represents the third federal court of appeals to examine the constitutionality of qui tam provisions, with legal experts predicting the issue will eventually reach the Supreme Court. Source: Whistleblowers Blog

Reimbursement

  • CMS is conducting more frequent and targeted RADV audits to increase oversight of risk adjustment programs. These audits pressure healthcare organizations and payers to ensure precise Hierarchical Condition Category (HCC) coding and documentation, as coding errors can trigger repayment demands and penalties. For payers, RADV audits validate risk-adjusted payments and can uncover financial discrepancies leading to recoupment of overpayments, while providers face repayment demands and penalties for documentation or coding errors. Organizations must implement internal controls, conduct regular coding validations, and invest in provider education to reduce audit exposure. Clinical documentation serves as evidence that validates diagnoses, requiring specificity, clarity, and completeness to avoid claims being flagged during audits. Source: VMG Health

Telehealth

  • Telehealth delivers financial benefits to healthcare organizations through increased revenue, reduced losses, and decreased operational costs. The technology helps prevent patient attrition by offering virtual visits and self-scheduling capabilities that meet consumer expectations for convenience and access. Healthcare organizations can avoid government penalties through remote physiological monitoring programs, with 2,499 hospitals facing Medicare readmission penalties averaging $208,000 per hospital in 2022. Telehealth reduces recruitment costs by improving clinician satisfaction and combating burnout, which decreases staff turnover rates. Organizations can also lower facility costs since telehealth work can be performed from clinicians’ homes, allowing multiple providers to share exam rooms and expanding geographic reach without additional physical space. Source: Telehealth.org
  • The telehealth obesity market has experienced explosive growth, reaching $57.75 billion in 2024 and projected to hit $392.89 billion by 2033 with a 24% compound annual growth rate. The U.S. telehealth weight-loss market saw a 300% year-over-year increase in patient consultations for GLP-1 prescriptions in 2025, with platforms like Noom and LifeMD bundling these medications with AI-driven coaching services. The FDA has issued over 100 warning letters to telehealth providers for promoting compounded GLP-1 drugs as equivalents to FDA-approved medications, creating opportunities for compliant companies like Weight Watchers (WW), which has attracted 87,000+ subscribers with its hybrid model combining FDA-approved medications and behavioral support. An estimated 40 million people will use GLP-1 medications by 2029, generating $126 billion in sales. Source: Ainvest
Categories
Article

Texas’s New IV Therapy Law: What Patients, Clinics, and Clinicians Need to Know

After a highly publicized death linked to an IV infusion at a Texas spa in 2023, state lawmakers moved to bring clearer rules and stronger oversight to IV services offered outside traditional medical settings. The result is House Bill 3749—formally “Jenifer’s Law”—signed by Governor Greg Abbott on June 20, 2025, and effective September 1, 2025. The law sets statewide standards for who may order and administer elective IV therapy in non-facility locations such as wellness spas, mobile IV services, and in-home settings. It also tightens how physician oversight must work when care is delegated. Here’s what the law says, why it matters, and how it will change everyday practice for patients and providers.

What the Law Covers: “Elective IV Therapy” Outside Traditional Settings

Jenifer’s Law creates a new chapter in the Texas Occupations Code devoted to “elective intravenous therapy.” The law defines this as IV treatment sought by a patient to relieve temporary discomfort or improve short-term wellness—think hydration drips, vitamin infusions, and similar services. The rules apply when the IV is provided outside of a physician’s office, a licensed health facility, a licensed mental hospital, or a state-operated hospital. In other words, the law targets non-facility locations that have fueled the growth of wellness-focused IV services.

Key Takeaway: If an IV service is offered at a spa, pop-up, mobile unit, hotel, workplace, or a client’s home, it is likely covered by the new rules.

Who Can Prescribe or Order Elective IV Therapy

Under the law, a physician is the center of care. Each elective IV session must be prescribed or ordered by a physician licensed in Texas, or delegated by a Texas physician to one of only two types of clinicians:

  • Physician assistants (PAs)
  • Advanced practice registered nurses (APRNs)

That delegation must occur under “adequate physician supervision” and via a prescriptive authority agreement between the physician and the PA or APRN.

Who Can Administer Elective IV Therapy

The law also narrows who may physically start and run the IV. A physician may delegate the act of administering elective IV therapy only to:

  • PAs
  • APRNs
  • Registered nurses (RNs)

Again, this must happen under adequate physician supervision.

What “Adequate Physician Supervision” Means in Practice

The statute uses the term “adequate physician supervision” without a highly technical definition. In practical terms, existing Texas standards and commentary make clear that:

  • Supervision must match the training and experience of the PA, APRN, or RN.
  • Physicians are expected to provide ongoing oversight, ensure protocols and emergency procedures are in place, and review care.
  • The supervising physician does not have to be physically present at all times, but must be continuously responsible for appropriate oversight.

Prescriptive Authority Agreements: Limits and Requirements

When a PA or APRN is delegated authority to prescribe or order elective IV therapy, a written prescriptive authority agreement with the physician is required. These agreements are a cornerstone of the new framework:

  • They must spell out practice locations, which drugs or devices may be used, how to consult and refer, how to handle emergencies, and how the team communicates.
  • They should include quality checks like chart reviews and periodic meetings.
  • They must be reviewed, signed, and dated annually by all parties.
  • They count toward the physician’s cap on prescriptive authority agreements—Texas generally limits a physician to seven PA/APRN agreements (combined or full-time equivalent). Importantly, the usual exception that sometimes allows exceeding that cap does not apply to elective IV therapy.
  • Agreements must be registered with the Texas Medical Board before the delegated clinician begins work.

What This Means for Medical Spas, IV Clinics, and Mobile Providers

The most immediate changes are operational:

  • Unlicensed staff may not start or administer IV drips in non-facility settings.
  • New patients need an order or prescription from a physician or a delegated PA/APRN working under a registered prescriptive authority agreement.
  • A supervising physician must be actively overseeing the care, with protocols for screening, emergencies, and communication.
  • Physicians are limited by the seven-agreement cap for PAs and APRNs engaged in elective IV therapy, which may affect staffing and growth plans.
  • Documentation should emphasize safety screening (medical history, contraindications, vital signs as appropriate) and demonstrate physician oversight.

Providers should prepare by:

  • Auditing staffing models to ensure only PAs, APRNs, or RNs administer IVs.
  • Updating intake, consent, and emergency procedures to reflect the elective nature of services and safety-focused screening.
  • Reviewing and registering prescriptive authority agreements, including updating them to specify drugs, protocols, and quality measures.
  • Training teams on escalation and emergency response, including when to call 911.
  • Monitoring guidance from the Texas Medical Board, which may clarify expectations around supervision and documentation.

Does the Law Loosen or Tighten the Industry?

There are two lenses on the law’s impact:

  • Tightening: The statute clearly limits who may order and administer elective IV therapy in non-facility settings and ties those actions to physician oversight and formal prescriptive agreements. That will prevent the unlicensed practice scenarios that contributed to the 2023 tragedy and will raise the bar on staffing, documentation, and supervision.
  • Potential flexibility: By explicitly framing these services as “elective,” some see a shift in emphasis from proving medical necessity to ensuring safety. In that view, the focus becomes careful screening for contraindications and clear consent rather than diagnosing and treating a specific medical condition. Some industry observers speculate this could support menu-style offerings, provided they are safe for the individual patient.

For now, providers should treat the law as a safety and oversight mandate and await any medical board guidance on how “elective” intersects with existing standards of care.

What Patients Can Expect

For consumers, the experience should feel more medical and more consistent:

  • You should be asked about your medical history, allergies, medications, and any conditions that could make IV therapy risky.
  • A physician will have ordered the therapy, either directly or through a PA/APRN working under a formal agreement.
  • A licensed clinician (PA, APRN, or RN) will start and manage your IV.
  • The site should have clear protocols and be prepared to respond to complications.

Bottom Line

Jenifer’s Law brings overdue clarity and safety standards to a fast-growing corner of wellness care. It ensures a physician is accountable for ordering elective IV therapy and supervising care, restricts who can administer IVs in non-facility settings to licensed clinicians, and requires formal, board-registered agreements when PAs and APRNs are involved in prescribing. Clinics will need to tighten protocols, adjust staffing, and document oversight. Patients should see better screening and more professionalized care.

Categories
Health Law Highlights

Wade’s Health Law Highlights for September 16, 2025

OIG Advisory Opinion No. 25-10

  • The OIG issued a favorable advisory opinion for a grant-funded family-powered therapy arrangement. The Company’s mission is to provide care for individuals with a certain disorder, particularly for those individuals who lack adequate access to care. The therapy for the disorder is generally covered by insurance, including Medicare. The Company created a tax-exempt Foundation that awards monthly grants directly to families of children receiving this therapy from any provider, based on verified treatment hours, adherence, and financial need. The Foundation’s grant decisions are made under policies approved by an independent board and outside counsel, do not vary by provider choice, and require that a child already have a treatment plan in place; families may change providers and remain eligible. The OIG found low risk of overutilization or inappropriate steering because the Company’s donations are unrestricted, the Foundation operates autonomously, funds go to families (not providers), and eligibility is provider‑neutral and needs‑based. Source: OIG Advisory Opinion No. 25-10 (Sept. 8, 2025)

Antitrust

  • States are expanding antitrust oversight of healthcare transactions to target private equity and other for-profit entities in healthcare mergers and acquisitions. Washington and Colorado implemented premerger notification laws that went into effect on July 27 and August 6, 2025, while Indiana modified its transaction notice law and New Mexico enacted a permanent version of its notification law. Pennsylvania proposed H.B. 1460 to authorize the Attorney General to block healthcare transactions involving private equity companies that are “against the public interest,” while California’s A.B. 1415 would expand OHCA review requirements to include private equity companies, hedge funds, and management services organizations. Illinois introduced S.B. 1998 to require private equity and hedge funds to obtain Attorney General consent for financing healthcare transactions, and Massachusetts is considering multiple bills to strengthen its transaction review process, including requiring bonds from private equity groups and authorizing post-transaction reviews. Source: Healthcare Law Blog

Cybersecurity

  • The Department of Justice is using the False Claims Act to pursue cybersecurity violations by government contractors and healthcare companies. Two settlements demonstrate this expansion: a defense contractor and private equity firm paid $1.75 million for failing to implement NIST cybersecurity controls and control access to Controlled Unclassified Information between 2018-2020, while a biotechnology company paid $9.8 million for selling genomic sequencing systems with cybersecurity vulnerabilities to the federal government from 2016-2023. These cases mark the first FCA cybersecurity settlement involving healthcare Quality System Regulations and the first to include a private equity firm alongside a defense contractor. The DOJ launched its Civil Cyber-Fraud Initiative in 2021 and recently reformed the DOJ-HHS False Claims Act Working Group to focus on medical device investigations. FCA settlements exceeded $2.9 billion in fiscal year 2024, with per-claim penalties now exceeding $28,000. Source: Healthcare Law Blog

Data Blocking

Durable Medical Equipment

  • CMS has launched initiatives using artificial intelligence to combat fraud in the durable medical equipment industry. The agency created a competition to leverage AI and machine learning for detecting anomalies in Medicare claims data, targeting fee-for-service hospice, Part B and DME claims through a two-phase process. AI results from private payers have been mixed due to the nuances in DME claims. CMS is also implementing the Wasteful and Inappropriate Service Reduction (WISeR) model and promoting competitive bidding as fraud-reduction measures. Industry experts anticipate increased audits this year from Unified Program Integrity Contractors (UPIC), particularly targeting catheters, surgical dressings, supplies and respiratory claims. Source: HME News

Equity and Access

Food and Drug Administration

  • The FDA will now publish Complete Response Letters in real time through a centralized database, marking a shift in transparency for drug and biologic applications. The agency will post CRLs for pending New Drug Applications and Biologics License Applications shortly after transmission to sponsors, while also releasing historical letters from 2024 forward. The FDA has already published 89 archived CRLs and will continue releasing letters tied to withdrawn or abandoned applications. While confidential commercial information and trade secrets will be redacted, sponsor identities and high-level scientific and regulatory deficiencies will remain visible. The letters are searchable by product, sponsor, or therapeutic area through the openFDA database, creating new competitive intelligence opportunities and compliance challenges for pharmaceutical companies. Source: Orrick

Fraud & Abuse

  • A former laboratory CEO and nine healthcare professionals agreed to pay over $6 million to settle federal allegations of kickback schemes involving laboratory testing referrals. Christopher Grottenthaler, former CEO of True Health Diagnostics in Frisco, Texas, will pay $4.25 million to resolve claims he orchestrated kickbacks disguised as managed service organization distributions to induce doctors’ laboratory referrals to Medicare, Medicaid, and TRICARE from January 2015 to May 2018. Two physicians, Dr. Hong Davis and Dr. Elizabeth Seymour, along with seven marketers, agreed to pay an additional $1,818,462 for their participation in the scheme. The settlements are part of a broader Department of Justice effort that has recovered over $59 million in civil False Claims Act settlements for healthcare kickbacks disguised as MSO investment distributions, involving 50 physicians. The Anti-Kickback Statute prohibits offering or receiving remuneration to induce referrals of services covered by federal healthcare programs to ensure medical decisions are based on patient interests rather than financial incentives. Source: U.S. Department of Justice

Friendly PC Model

Medical Marijuana

  • Texas implemented an expanded medical marijuana program that adds chronic pain as a qualifying condition. The law signed by Gov. Greg Abbott also adds traumatic brain injury, Crohn’s disease, and other inflammatory bowel diseases to the list of qualifying conditions. A recent poll of 391 cannabis consumers found 91% believe cannabis treats chronic pain, with 65% calling it “very effective” and 26% “mildly effective.” The Department of Public Safety will issue 12 new dispensary licenses across Texas, expanding from the current three facilities, with the first nine licenses awarded December 1 from 139 applicants who applied in 2023. Federal data shows at least two million Texans use cannabis regularly. Source: Marijuana Moment

Management Services Organizations

  • Physicians entering Management Services Organization arrangements face risks that require documentation and negotiation to protect their interests. MSOs handle administrative functions like billing and compliance while allowing physicians to focus on clinical work, but disputes can emerge when these arrangements involve private equity or joint ventures. Physicians must document all compensation terms including salary, bonuses, equity rights, and expense reimbursements across multiple agreements, as verbal agreements prove difficult to enforce. Termination provisions require attention to prevent physicians from being removed without recourse, including restrictions on no-cause termination and clear definitions of termination “for cause” with cure periods. All agreements must preserve physician autonomy over medical decisions and comply with healthcare fraud and abuse laws. Source: Stevens & Lee

Medicaid

  • CMS has issued new federal payment limits for State Directed Payments in Medicaid managed care to combat fraud and preserve program integrity. The guidance implements requirements from the One Big Beautiful Bill Act, limiting SDPs for hospital and nursing facility services to 100% of Medicare rates in Medicaid expansion states and 110% in non-expansion states, effective July 4, 2025. States can qualify for a grandfathering period until January 1, 2028, for certain SDPs submitted before the deadline, followed by a phased reduction to meet the new limits. The restrictions come as SDP usage has exploded from just 2 states in 2016 to 39 states today, with CMS projecting annual spending of $124.3 billion for FY 2025 and $144.6 billion for FY 2026. States must now revise pending SDP submissions to comply with Section 71116 requirements before CMS will continue review. Source: CMS Guidance

Non-Competes

  • Healthcare employers must carefully review non-compete provisions in employment contracts as state laws vary and have recently changed. Ericka Adler, shareholder at Roetzel & Andress, advises that enforceable non-competes require three factors to be reasonable: geography should match patient location (such as 3 miles if patients come from within 3 miles), scope should limit restrictions to the employee’s role or practice functions, and duration should typically range from one to two years. Some states require notice language allowing employees to consult counsel before signing, while many states mandate consideration for non-compete agreements. Employees commonly request carve-outs that void non-competes if terminated without cause or if the employer breaches the contract. When violations occur, employers can send cease and desist letters to the employee and their new employer, along with pursuing other legal remedies to protect their practice. Source: Roetzel & Andress

Pharmaceuticals

  • The FTC and DOJ concluded three listening sessions on pharmaceutical competition as part of an effort to lower drug prices. The sessions featured panels of legal experts, patient advocates, academics, Congressional staffers, and industry representatives who discussed generic and biosimilar competition, patent issues, regulatory barriers, and pharmacy benefit managers. Panelists debated whether pharmaceutical companies misuse patents to prevent generic competition through practices like pay-for-delay agreements, patent thickets, and product-hopping, with some arguing the patent system drives innovation while others claimed it creates barriers. Key recommendations included implementing generics-first policies across federal programs, increasing transparency in pharmaceutical supply chains, and eliminating separate interchangeability designations for biosimilars. FTC Chair Andrew Ferguson stated the information will feed into a final report with recommendations to guide legislation and regulatory reform for prescription drug access. Source: Hogan Lovells

Physician Compensation

  • Hospitals face mounting financial pressures as Medicare cuts physician reimbursement while provider costs rise and workforce shortages intensify. The Centers for Medicare & Medicaid Services cut the Medicare conversion factor by 2.8% in 2025 to $32.35, marking the fifth consecutive year of reductions and bringing total cuts to over 10% since 2020. Meanwhile, 20% of practicing physicians are age 65 or older and another 22% are between 55-64, creating a projected shortage of up to 86,000 physicians by 2036. Hospital salary costs have risen 5% annually from 2018 through 2022, while 63% of medical groups planned to add advanced practice provider roles in 2024 to maintain coverage. Health systems are responding with recruitment incentives including relocation allowances (55% of positions), signing bonuses (51%), and loan forgiveness (17%), while anesthesia and radiology groups are seeking subsidies that sometimes double current agreements. Source: VMG Health

Remote Monitoring

  • The Department of Health and Human Services Office of Inspector General issued a report calling for increased oversight of remote patient monitoring Medicare billing due to concerns about fraud and abuse. Medicare payments for RPM services reached $536 million in 2024, representing a 31% increase from 2023, with nearly one million Medicare beneficiaries receiving these services. The OIG identified concerning billing patterns, including 45 medical practices that billed RPM services for patients with whom they had no prior medical relationship for over 80% of cases, and some practices billing for over 100 new enrollees monthly compared to an average of five. The report recommended that the Centers for Medicare and Medicaid Services and Medicare Advantage Organizations monitor practices that bill without established patient relationships, track treatment management billing rates, and watch for duplicate services across multiple providers. The OIG also flagged practices billing for multiple monitoring devices per patient per month when Medicare generally covers only one device monthly. Source: Health Law Diagnosis

Synthetic Data

  • Synthetic data represents algorithm-generated information that mimics real-world data while preserving privacy, and government adoption is expected to accelerate despite current resistance. This artificial data retains the statistical properties of original datasets and has been used since the early 1990s in applications ranging from census research to traffic management, with companies like Replica raising $52 million to develop these technologies. While 32 percent of government decision-makers worldwide refuse to consider synthetic data compared to 23 percent in other industries, Utah has emerged as a leader by incorporating synthetic data definitions into its Consumer Privacy Act and having officials advocate for its adoption. The U.S. Census Bureau controversially used synthetic data in the 2020 census to protect individual privacy while analyzing income and poverty trends, though critics worried about errors and manipulation. A noted research firm predicts that 75 percent of businesses will use generative AI to create synthetic data by 2026, with potential government applications including school performance analysis, agricultural research, and smart city management. Source: Government Technology

Wound Care

  • Home health agencies are transforming wound care practices as payment models shift from volume-based to outcomes-based reimbursement under value-based purchasing programs. The transition requires providers to move from frequent dressing changes to longer wear-time products that optimize healing while reducing care burden on clinicians and caregivers. Accountable care organizations now demand streamlined, evidence-based product formularies that homecare agencies must adopt to remain partners in coordinated care networks. Under CMS’s Patient Driven Groupings Model, wound care represents one of the highest-paying clinical categories, but only when documentation supports medical necessity and skilled intervention. The model places homecare agencies under pressure to demonstrate outcomes through data reporting while managing a 7.4% annual growth rate and widespread caregiver shortages affecting 59% of agencies. Source: Homecare Magazine
Categories
Health Law Highlights

Wade’s Health Law Highlights for September 2, 2025

Antitrust

  • Hospital associations challenge new merger notification rules as burdensome and unnecessary. The Federal Trade Commission under Lina Khan adopted changes to Hart-Scott-Rodino premerger notification requirements that took effect February 10, 2025, increasing information volume and preparation time by four times. On August 8, 2025, the American Hospital Association and Federation of American Hospitals filed an amicus brief supporting business groups’ lawsuit seeking injunctive relief against the changes. The hospital associations argued the FTC failed to identify any anticompetitive hospital merger that went undetected under prior reporting requirements. They contended the rule changes function as a tax on hospitals and aim to discourage mergers in an industry facing economic pressures. Source: Epstein Becker Green
  • The Trump administration’s antitrust regulators maintain focus on healthcare competition but reject the Biden era’s emphasis on private equity and corporate greed in favor of targeting regulatory barriers to market entry. The Federal Trade Commission and Department of Justice demonstrate willingness to approve mergers through consent decrees involving divestitures, as seen in the UnitedHealth Group-Amedisys deal that required selling 164 home health and hospice locations. The FTC issued a Second Request to examine Aya Healthcare’s $615 million acquisition of Cross Country Healthcare over concerns about self-preferencing in travel nurse staffing services. The DOJ launched an investigation into NewYork-Presbyterian’s contracting practices following union complaints about anti-steering provisions that prevent insurers from excluding the health system from their networks. The FTC released findings showing that 38% of physicians belonged to practices affected by mergers between 2015 and 2020, representing consolidation across approximately 2,000 transactions. Source: Goodwin

Data Privacy & Cybersecurity

  • The Office for Civil Rights published two new HIPAA Privacy Rule FAQs on August 11, 2025, clarifying PHI disclosure rules and patient access rights. The first FAQ permits healthcare providers to disclose protected health information to value-based care arrangements for treatment purposes without individual authorization, supporting payment models that tie compensation to patient outcomes. The second FAQ confirms that treatment consent forms fall within designated record sets that patients can access, removing ambiguity about these documents. The guidance aligns with the Centers for Medicare & Medicaid Services’ July 30, 2025, announcement of its Health Tech Ecosystem initiative, which over 60 organizations including Epic, Oracle Health, CVS Health, and major tech companies have pledged to adopt. OCR has announced 53 enforcement actions since launching its Right of Access Initiative in 2019, including a $200,000 penalty imposed in March 2025 against a provider that failed to provide timely patient record access. Source: Data Privacy + Cybersecurity Insider
  • Ransomware attacks on hospitals create cascading effects that overwhelm neighboring healthcare facilities and endanger patients throughout entire communities. When a hospital’s systems go offline, surrounding facilities must absorb diverted ambulances and walk-in patients, creating overcapacity situations that can lead to worse patient outcomes and potential deaths. Health-ISAC tracked 446 ransomware events in healthcare during 2024, with 281 incidents occurring in just the first half of 2025, indicating the threat continues to escalate. Rural communities face greater risks than urban areas because longer ambulance travel times to alternate facilities can delay treatment and worsen medical conditions. Both the Ascension and Change Healthcare attacks stemmed from lack of multifactor authentication for remote access, highlighting how basic security gaps enable attackers to target patient care systems for maximum leverage. Source: Dark Reading

Emerging Tech

  • Hospital executives believe in AI’s potential but lack readiness for implementation. A recent survey of 101 executives across integrated delivery networks, academic medical centers and independent hospitals, found that 83% believe AI can improve clinical decision-making and 75% think it could reduce operational costs. While 67% report current investments in AI for patient care and 66% pursue solutions for administrative operations, only 13% have a strategy for integrating AI into clinical workflows. Just 12% trust today’s AI algorithms as reliable enough for use, and only 10% report their organizations aggressively pursue AI implementation. Nearly half of respondents (49%) cite appropriate use of AI as one of their top three challenges. Source: Becker’s Hospital Review

False Claims Act

Marketing

  • Texas Senate Bill 140 takes effect September 1, 2025, expanding the state’s telemarketing regulations to cover text messages and SMS marketing. The law allows consumers to file private lawsuits against businesses for violations and removes caps on cumulative damage recoveries. Companies that send marketing texts to Texas phone numbers must register each business location with the Texas Secretary of State, pay a $200 filing fee, and post a $10,000 security bond. The Texas Attorney General can impose penalties of up to $5,000 per violation, while consumers can seek actual damages or treble damages for knowing violations. Exemptions include banks, insurance companies, nonprofits, and communications with current or former customers, though the law does not define what constitutes a “customer.” Source: Thompson Hine LLP

Medical Devices

Management Services Organizations

  • The California legislature is advancing two bills that target private equity groups, hedge funds, and management services organizations operating in the state’s healthcare industry. AB 1415 would require management services organizations to notify the Office of Health Care Affordability of asset sales and changes of control, expanding reporting obligations that currently apply only to payors, providers, and delivery systems. SB 351 would clarify where private equity groups and hedge funds may provide advisory support while ensuring physicians and dentists retain ultimate authority over clinical decisions. AB 1415 has passed the Senate Appropriations Committee and is set for a third reading by the Senate, while SB 351 has cleared the Assembly Committee on Appropriations and awaits an Assembly vote. The bills would increase compliance burdens for management services organizations and reinforce restrictions on private equity participation in healthcare. Source: Polsinelli

Patient Care

Pharmacies

  • New Medicare regulations that took effect January 1, 2025 have increased criminal prosecution risks for pharmacies facing claim reversals. The Centers for Medicare and Medicaid Services overhauled regulations under the federal Overpayment Statute, redefining when pharmacies “identify” overpayments and limiting internal investigation periods to 180 days maximum. Pharmacies can face criminal charges for violations including failure to submit “clean claims,” noncompliance with prescription rules, and billing errors involving prescription drugs. Criminal penalties include fines up to $250,000 for individuals and $500,000 for businesses, plus potential federal imprisonment up to five years under the False Claims Act. Investigations by the FBI and Department of Health and Human Services Office of Inspector General can result from claim rejections by Part D sponsors and other Medicare billing compliance failures. Source: Oberheiden P.C.