
Wade’s Health Law Highlights for June 24, 2025

OIG Advisory Opinions

Clinical Trials

  • Medical device manufacturers face critical decisions in clinical trial planning that can determine company survival. Companies must collect clinical data for pre-market submissions through processes that consume time and money while putting business existence at risk. Three pathways exist for medical device investigations based on risk levels: minimal risk, nonsignificant risk (NSR), and significant risk (SR) studies, with each requiring different oversight and regulatory requirements. Before conducting pivotal trials, companies must define their intended use, indications, and claims since FDA market authorization depends on clinical trial results. Companies should establish FDA communication plans and work with expert statisticians, clinicians, and regulatory counsel to mitigate risks and ensure proper execution. Source: Gardner Law

Corporate Practice of Medicine

  • Healthcare entities face compliance challenges when expanding across state lines due to varying corporate practice of medicine laws and ownership requirements. The corporate practice of medicine doctrine varies significantly by state, with jurisdictions like New York establishing strict prohibitions while others allow more flexibility in corporate structures. Professional entity ownership requirements differ across states, with some mandating wholly or majority ownership by licensed professionals while others like Delaware permit non-physician ownership under certain limitations. Healthcare entities may need to create new entities, revise ownership agreements, or establish management services organization structures to comply with jurisdictional requirements. Legal counsel recommends conducting thorough due diligence and preparing new governance agreements before expanding operations into new markets. Source: Stevens & Lee

Cybersecurity

  • Congress introduced bipartisan legislation to strengthen cybersecurity coordination between federal agencies protecting the healthcare sector. The Healthcare Cybersecurity Act of 2025 was introduced in the House by Representatives Jason Crow (D-CO) and Brian Fitzpatrick (R-PA), with a companion bill in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). The legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on cybersecurity improvements, establish a liaison between the agencies, authorize cybersecurity training for personnel, and conduct a study identifying sector risks. Healthcare cyberattacks have escalated with over 700 data breaches affecting 500 or more individuals reported annually for the past four years, including 278 million individuals affected in 2024. The 2024 Change Healthcare ransomware attack, which compromised an estimated 190 million records and disrupted healthcare operations nationwide, exemplifies the sector’s vulnerability to cyber threats. Source: HIPAA Journal

Emerging Tech

  • Health systems across the U.S. are accelerating partnerships with tech companies to embed AI into clinical care, operations and administrative workflows. Mayo Clinic partnered with hellocare.ai in June to advance ambient clinical intelligence, aiming to support early detection, reduce clinician workload and enhance proactive inpatient care. Northwestern Medicine entered a multi-year collaboration with PathAI to transform pathology diagnostics through AI, including joint research, clinical innovation programs and co-development of machine learning-powered diagnostic algorithms. Oracle Health, Cleveland Clinic and G42 announced a partnership in May to build an AI-driven platform for healthcare delivery in both the U.S. and UAE, leveraging national-scale data analytics, clinical applications and precision medicine tools. These partnerships reflect a push among health systems and tech companies to ensure AI tools are grounded in clinical realities while benefiting from technical expertise. Source: Becker’s Hospital Review

Fair Market Valuations

  • Healthcare organizations must follow eight documentation steps to maintain compliance during fair market value processes for provider compensation arrangements. The documentation requirements include gathering provider profiles, service descriptions, business justifications, productivity metrics, compensation terms, FMV analyses, contract documents, and team approvals to meet Stark Law and Anti-kickback Statute requirements. Organizations should seek third-party FMV opinions when arrangements involve high referral risk, complex compensation structures, or when internal resources lack access to market data sources and valuation expertise. Primary care and orthopedic specialties present higher referral risks compared to pathology or emergency medicine, while arrangements involving co-management, telehealth, or value-based payments require specialized valuation approaches. Many healthcare organizations are moving FMV reviews in-house to reduce costs and improve turnaround times, but must ensure they have the resources and training to conduct these reviews effectively. Source: VMG Health

Health Data

  • Four states sent personal health data from their insurance websites to technology companies including Google, LinkedIn, and Snapchat. Nevada’s exchange transmitted prescription drug names and dosages to LinkedIn and Snapchat, while Maine and Rhode Island sent prescription information and doctor names to Google through analytics tools. Massachusetts Health Connector shared whether visitors reported being pregnant, blind, or disabled with LinkedIn. The Markup and CalMatters discovered this data sharing through web trackers on state exchanges established under the Affordable Care Act after auditing websites from all 19 states that operate their own health insurance marketplaces. Nevada and Massachusetts stopped transmitting data to these companies after reporters contacted them about the findings. Source: The Markup

HIPAA

  • The U.S. Department of Health and Human Services is implementing new HIPAA regulations in 2025 to strengthen patient privacy and security. The updates respond to the rise of telemedicine, growing use of electronic health records, and a 264% increase in ransomware attacks against healthcare systems in 2024. Healthcare organizations must comply with expanded patient access requirements by July 2025 and update vendor management practices by December 2025, while implementing multi-factor authentication, data encryption, and penetration testing. The regulations include new protections for reproductive health information and requirements for AI tools and telehealth platforms to comply with privacy and security rules. Healthcare professionals express concerns about the cost and technical complexity of implementing these changes, particularly for small practices with outdated technology. Source: Security Boulevard

Legislation

  • Texas lawmakers passed legislation requiring food manufacturers to remove certain ingredients or add warning labels to products. The Texas House approved SB 25 on May 26, 2025, with bipartisan support, targeting ingredients like Red 40 and titanium dioxide that are banned in other countries. The bill requires manufacturers to either eliminate these substances or display warnings stating the ingredient is not recommended by authorities in Australia, Canada, the European Union, or the United Kingdom. High fructose corn syrup was removed from the prohibited list after food companies opposed its inclusion, though legislators rejected industry efforts to eliminate the warning label requirement entirely. The legislation now awaits Governor Greg Abbott’s signature and would take effect September 1, 2025. Source: The Daily Intake

Private Equity

  • Private equity investors maintain interest in healthcare services and technology companies despite higher borrowing costs and increased regulatory scrutiny as of mid-2025. Macroeconomic volatility has compressed valuations and extended deal timelines through the first half of 2025, but demographic trends and fragmentation among provider groups continue to attract growth-oriented capital. PE firms are targeting outpatient care models, physician specialty platforms, behavioral health services, home-based care, AI-driven clinical decision support, and value-based care platforms. Federal enforcement from the FTC and DOJ has intensified challenges to physician group consolidation, while state laws increasingly require material change notifications for healthcare mergers and acquisitions. Labor shortages and wage inflation present additional risks, particularly for home health, skilled nursing facilities, and behavioral health settings. Source: ArentFox Schiff

Transforming Texas Long-Term Care: The Upcoming PDPM LTC Methodology

Big changes are on the horizon for long-term care in Texas. The Texas Health and Human Services Commission (HHSC) is gearing up to implement a new payment methodology, the Patient Driven Payment Model for Long-Term Care (PDPM LTC), set to take effect on September 1, 2025. This marks a significant shift from the current Resource Utilization Group (RUG-III) model, promising enhanced payment accuracy and a stronger focus on the individual needs of patients.

Why the Change? A Shift Towards Patient-Centric Care

The core objective behind PDPM LTC is to move away from a payment system based solely on the volume of services provided, towards one that prioritizes the unique characteristics and complex needs of each individual patient. This aligns payments more closely with the actual costs of care, particularly for long-stay residents with complex conditions and cognitive impairments.

This Texas-specific version of PDPM is modeled after the framework already implemented in skilled nursing facilities (SNFs). Its development has been a collaborative effort, stemming from an internal HHSC workgroup formed in 2019 and extensive consultation with the Nursing Facility Payment Methodology Advisory Committee (NF-PMAC) since early 2020. In April 2022, the NF-PMAC recommended the Texas-specific PDPM model as the best fit for accurately representing Texas nursing home resident characteristics, care services, and costs. This recommendation ultimately led to a legislative directive in the 2024-25 General Appropriations Act (House Bill 1, Rider 25) formally tasking HHSC with its development and implementation.

How PDPM LTC Works: Key Components

The new PDPM LTC methodology leverages the Minimum Data Set (MDS) version 3.0 as its foundational data source for classifying residents. Unlike RUG-III, which has five rate components with only two case-mix adjusted, PDPM LTC operates with a different structure:

  • Nursing Component: This component aims to quantify the direct care needed by a resident based on their MDS 3.0 assessment data. Residents are classified into one of six nursing groups, ranging from “extensive services” (Group E – for high-acuity needs like tracheostomy or ventilator care) to “reduced physical function” (Group P). It’s important to note that this Texas version includes six nursing groups, not all 25 possible CMS SNF PDPM nursing groups. Section GG items are utilized in the calculation of this component.
  • Non-Therapy Ancillary (NTA) Component: This component captures the medical complexity of residents by identifying specific conditions and services, using a weighted count of comorbidities derived from MDS items. Residents are assigned to one of three NTA groups based on their total NTA score.
  • Case-Mix Index (CMI): The Nursing and NTA components are adjusted by a CMI, a relative value assigned based on assessment data. These CMIs for both components will be directly based on the Skilled Nursing Facility (SNF) Medicare PDPM CMIs from the CMS Final Rule for fiscal year 2024. HHSC will not automatically adjust CMIs when CMS updates them, but will evaluate the impact for legislative consideration.
  • Non-Case-Mix Component: This part of the total reimbursement rate is constant for all residents and is not adjusted by CMI. It covers costs related to dietary services, laundry, housekeeping, general administration, and fixed capital assets. This component will be calculated as a weighted median from the most recently examined cost reports.

Special Considerations and Add-ons

PDPM LTC also includes specific considerations for certain patient populations:

  • Severe Cognitive Impairment (BIMS Add-on): Residents with confirmed severe cognitive impairment, as determined by their Brief Interview for Mental Status (BIMS) score on the MDS, will receive an additional 5% of the highest CMI-adjusted nursing rate.
  • HIV/AIDS Add-on: Mirroring Medicare’s SNF PDPM, residents with a confirmed HIV/AIDS diagnosis will receive an additional 18% of their nursing group’s rate and be assigned to the highest NTA rate. Due to federal and state regulations, this diagnosis cannot be reported on MDS data and must be indicated on the claim using ICD-10 Code B20.
  • Therapy Components: The new methodology does not include payments for physical, occupational, and speech/language therapy (PT/OT/SLP) components in the daily care rates; these will continue to be reimbursed through Nursing Facility Specialized Services.
  • Hospice Care: The proposed methodology does not introduce any changes to reimbursement for hospice care, which will continue at 95% of the total rate per resident’s PDPM LTC group.

In total, the combination of these components allows for 72 possible different reimbursement rates. Additionally, two default groups will be in place for situations where MDS assessments are missing or contain errors, ensuring providers are still reimbursed at a base rate.

Implementation and What Comes Next

HHSC plans a phased implementation, with algorithms for PDPM LTC replacing RUG-III calculations and relevant changes being made to the Long-Term Care Online Portal (LTCOP) and claims system. While Section GG of the MDS will be visible in the LTCOP by August 2024 (nursing facilities have been completing it since November 2022), it will not be used for payment calculations until the September 1, 2025, implementation. The Assessment Reference Date (ARD) of the MDS will continue to guide the calculation of PDPM LTC. Importantly, the Long-Term Care Medicaid Information (LTCMI) will still be required for assessments, though the data collected will not be used in PDPM LTC calculations.

HHSC is committed to providing support and resources for providers during this transition. Webinars like the one held on April 12, 2024, are being recorded and made available online, along with presentation slides and a Frequently Asked Questions (FAQ) document summarizing stakeholder questions and HHSC responses. User guides will be updated, and training materials developed to help providers familiarize themselves with the changes. A PDPM LTC calculation worksheet and a crosswalk for billing under the new payment groupers will also be published closer to implementation.

This significant overhaul represents a move towards a more equitable and accurate payment system in Texas long-term care, aiming to better reflect the diverse and complex needs of its residents. Providers are encouraged to stay informed and utilize the resources provided by HHSC as the implementation date approaches.


Wade’s Health Law Highlights for June 17, 2025

Accountable Care Organizations

  • Hospitals participating in CMS accountable care organizations require more than two years of maturity before seeing improvements in patient care costs and quality, according to a study comparing 121 ACO-participating hospitals with 853 non-participating hospitals from 2010 to 2013. Researchers found that hospitals with an ACO maturity score of zero performed worse than non-participants in acute myocardial infarction mortality rates and perioperative pulmonary embolism or deep vein thrombosis rates, but these differences disappeared as ACO maturity increased. The study showed that higher ACO maturity scores correlated with reductions in accidental punctures and lacerations among participating hospitals. Researchers noted that early ACOs focused primarily on enhancing care coordination and strengthening primary care rather than transforming inpatient care processes during the initial 18 months. Currently, only 1,450 of more than 5,000 Medicare-enrolled hospitals participate in CMS ACOs, leaving room for expansion as the agency aims to transition all traditional Medicare beneficiaries to accountable care by 2030. Source: American Journal of Managed Care

Cybersecurity

  • Healthcare organizations face an escalating cybersecurity crisis with 33 attacks recorded in 2025 and global healthcare ransomware surging 31%. Over 90% of healthcare cyberattacks are phishing scams enhanced by AI, while healthcare data sells for up to 50 times more than financial information on black markets. Third-party vendors cause 50-60% of data breaches, prompting healthcare organizations to adopt the HITRUST framework for vendor risk assessment. The government is implementing mandatory cybersecurity standards through the Health Infrastructure Security and Accountability Act and proposed HIPAA Security Rule modifications requiring encryption, multi-factor authentication, and vulnerability testing. Healthcare providers are deploying AI-powered threat detection systems and zero-trust architectures to combat these threats in real time. Source: Information Security Buzz

Drugs & Devices

  • Sixteen states have proposed or passed legislation to make ivermectin available over the counter despite scientific evidence showing the deworming drug does not treat COVID-19 or cancer. Idaho, Arkansas, and Tennessee have enacted such laws, while Louisiana passed a bill awaiting the governor’s signature, driven by social media claims that ivermectin treats cancer, COVID-19, foot pain, arthritis, lupus, and acne. High-quality clinical trials found ivermectin ineffective against COVID-19, and doctors report patients with treatable cancers have delayed treatment to try ivermectin, only to return with advanced disease. Despite state laws, pharmacies remain unable to sell ivermectin over the counter because it remains federally regulated by the FDA, with NBC News finding no pharmacists willing to dispense it without a prescription in states with permissive laws. Pharmacists cite liability concerns since the prescription drug lacks over-the-counter packaging with consumer directions and safety statements. Source: Ars Technica

EMTALA

  • CMS rescinded July 2022 guidance on EMTALA obligations for pregnant patients and pregnancy loss cases. The Department of Health and Human Services and Centers for Medicare & Medicaid Services announced on June 3, 2025, that they are withdrawing two hospital guidance documents (QSO-22-22-Hospitals and QSO-21-22-Hospitals) and a letter from the former Secretary of Health and Human Services because these documents do not reflect current administration policy. CMS stated it will continue to enforce EMTALA, which protects all individuals who present to hospital emergency departments seeking examination or treatment, including for emergency medical conditions that place the health of a pregnant woman or her unborn child in serious jeopardy. The agency said it will work to rectify perceived legal confusion and instability created by the former administration’s actions. Source: CMS

Fraud & Abuse

  • Healthcare fraud enforcement under the False Claims Act reached $1.67 billion in settlements and judgments in 2024, representing 57% of all FCA recoveries. The Department of Justice secured settlements from Independent Health ($98 million for upcoding Medicare diagnoses), Gilead Sciences ($202 million for kickbacks to HIV medication practitioners), and Teva Pharmaceuticals ($450 million for Medicare copay conspiracies and generic drug price fixing). Attorney General Pam Bondi and Deputy Assistant Attorney General Michael Granston have committed to enforcement, with DOJ guidance instructing prosecutors to prioritize healthcare fraud cases. The government recovers three dollars for every dollar spent fighting fraud, according to DOJ officials. Enforcement now extends beyond traditional healthcare to include Walgreens ($350 million for opioid prescription violations) and McKinsey ($650 million for consulting on OxyContin sales acceleration). Source: Forensic Risk

HIPAA

  • The US Department of Health and Human Services Office for Civil Rights has escalated enforcement of HIPAA risk analysis requirements through a dedicated initiative that has resulted in nine settlements totaling over $1 million in penalties since October 2024. The Risk Analysis Initiative targets healthcare entities that fail to conduct proper assessments of potential risks to electronic protected health information, a requirement under the HIPAA Security Rule that OCR describes as the foundation for cybersecurity practices. Healthcare organizations face increasing pressure as ransomware breaches have surged 264% since 2018, with settlements ranging from $10,000 to $350,000 for violations involving breaches affecting between 4,304 and 585,621 individuals. The enforcement effort has continued across both the Biden and Trump administrations, with OCR finding that many entities’ risk analyses were based on incomplete inventories of where protected health information is stored and transmitted. The initiative encompasses various breach types including ransomware attacks, server misconfigurations, and unauthorized access to medical imaging systems. Source: ArentFox Schiff
  • Healthcare organizations continue to struggle with HIPAA compliance implementation despite awareness of their obligations, according to survey results from hundreds of organizations across the United States. The survey found that many organizations have not appointed dedicated HIPAA Privacy Officers with sufficient decision-making authority and continue to provide training less frequently than annually, often excluding business associates from compliance education. Organizations also lack written documentation for complex or emerging risks, with some not updating their HIPAA risk assessments in several years despite increasing cybersecurity threats. Only a minority of respondents indicated they feel confident their organization could effectively respond to an Office for Civil Rights compliance audit or data breach investigation. The Office for Civil Rights is scrutinizing risk assessments under its enforcement initiative, with organizations facing a high probability of financial penalties for noncompliance. Source: HIPAA Journal

Medicare

  • Medicare paid $124 million for evaluation and management services billed alongside eye injections that violated federal requirements. The Office of Inspector General found that for 42 percent of the 3.3 million intravitreal injections provided during June 2022 through May 2023, providers billed for evaluation and management services on the same day using modifier 25, which bypassed system controls designed to prevent improper payments. Documentation for 22 of 24 sampled services did not support the use of modifier 25, as the services were not significant and separately identifiable from the injection procedures. The Centers for Medicare & Medicaid Services lacked adequate internal controls to detect and prevent these potentially improper payments, including clear requirements for modifier 25 use and medical reviews of claims. The audit recommends that CMS update billing requirements, conduct medical reviews to recover up to $124 million in improper payments, and provide better education to providers about appropriate billing practices. Source: HHS.gov

Med Spas

Patient Rights

  • The Fifth Circuit upheld Texas parental consent requirements that prevent minors from confidentially accessing contraception at federally funded Title X clinics. Alexander Deanda, a father of three daughters, filed suit in 2020 challenging the Department of Health and Human Services’ administration of Title X, arguing, based on his Christian beliefs, that he wanted notification if his children sought contraceptives. Title X, enacted in 1970, provides family planning services to low-income individuals; in 2021, HHS prohibited parental consent requirements for minors seeking services. The district court ruled in Deanda’s favor, finding that federal law did not preempt Texas Family Code provisions requiring parental consent for medical care, but the Fifth Circuit avoided deciding the constitutional question of balancing parental and minor rights by using the doctrine of constitutional avoidance. The ruling threatens minors’ access to confidential reproductive care through mechanisms like judicial bypass. Source: Harvard Law Review

Senior Living Facilities


Wade’s Health Law Highlights for June 10, 2025

Accountable Care Organizations

Data Breach

  • U.S. Dermatology Partners (Texas), a network of over 100 dermatology practices across several states, recently announced a cyberattack and data breach that occurred in June 2024. The network disruption on June 19, 2024, was indicative of a cyberattack, and subsequent investigations by third-party digital forensics experts confirmed unauthorized access and data exfiltration. By April 2, 2025, a thorough review revealed that the stolen data included personal information such as names, dates of birth, medical record numbers, health insurance information, and specific details about dermatology services received. Additionally, a limited number of individuals had their Social Security and/or driver’s license numbers compromised. Notification letters to affected individuals began mailing on May 30, 2025. USDP has offered complimentary credit monitoring and identity protection services to those whose Social Security numbers and/or driver’s license numbers were involved. This breach underscores the importance of robust cybersecurity measures to protect sensitive health information. Source: HIPAA Journal

Emerging Tech

  • Intelligence Amplification technology is revolutionizing healthcare compliance management through systems like Compliance Risk Analyzer that detect and mitigate billing and coding risks. Unlike artificial general intelligence that aims to replace human decision-making, IA augments human capabilities through predictive analytics, statistical modeling, and heuristic methods that identify high-risk patterns by comparing provider data to national benchmarks. The system generates provider-specific risk analysis reports, creates targeted audit action plans, and enables benchmarking against industry standards, resulting in proactive risk mitigation, increased efficiency, cost savings, and improved audit accuracy. While delivering significant benefits, Compliance Risk Analyzer functions optimally as part of a hybrid model where IA supports human auditors, recognizing that healthcare compliance requires nuanced human judgment alongside computational assistance. Source: VMG Health

EMTALA

  • The Trump administration rescinded Biden-era guidance requiring hospitals to perform emergency abortions under federal law. The Department of Health and Human Services issued guidance in July 2022 that required doctors to perform abortions in emergency departments under the Emergency Medical Treatment and Labor Act (EMTALA), even in states where abortion is banned, when the procedure serves as stabilizing treatment for conditions like ectopic pregnancy or preeclampsia. The guidance was part of the Biden administration’s efforts to preserve abortion access after the Supreme Court overturned Roe v. Wade. CMS announced that it rescinded the guidance because it does not reflect current administration policy, though it said it will continue enforcing EMTALA for emergency medical conditions affecting pregnant women. Source: ABC News
  • A federal investigation found that a Texas hospital violated law by sending a woman home without treating her life-threatening ectopic pregnancy. The Centers for Medicare and Medicaid Services determined that Ascension Seton Williamson in Round Rock failed to provide proper medical screening and stabilizing treatment to Kyleigh Thurman in February 2023. Thurman returned to the hospital multiple times with bleeding before her fallopian tube ruptured, requiring surgery that removed part of her reproductive system. The hospital violated the federal Emergency Medical Treatment and Labor Act, which requires emergency rooms to provide stabilizing treatment to all patients. The Trump administration announced it would revoke Biden-era guidance that directed hospitals to provide emergency abortions for women experiencing medical emergencies. Source: PBS News

Food & Drug Administration

  • The Trump administration’s FY26 budget proposal for the FDA reveals significant structural changes while maintaining overall operational capacity. The $6.8 billion proposal represents a 3.9% decrease from FY25 levels, balancing reduced discretionary funding ($3.2 billion, down 11.4%) with increased user fees ($3.6 billion, up 4%). The budget prioritizes the “Make America Healthy Again” agenda with $234.6 million for food safety and chronic disease initiatives, including plans to phase out certain food dyes and modernize safety protocols. Workforce reductions continue with the budget reflecting cuts of 1,940 full-time employees and $456.6 million in support of the “Reduction of Federal Bureaucracy initiative,” while projecting $626 million in savings from streamlined agency functions. Congressional appropriations committees have begun reviewing the proposal and will continue the funding process through September 2025. Source: Akin Gump
  • The FDA will implement artificial intelligence across all its centers by the end of June to combat regulatory delays caused by recent layoffs. The agency completed a pilot scientific review using generative AI that will reduce non-productive busywork in the review process. The AI rollout comes as the FDA has missed target decision dates for drug approvals and faces staffing cuts from the Health and Human Services Secretary, who put 3,500 FDA jobs on the chopping block. All FDA centers must begin implementing the AI approach immediately, with plans to tailor AI models to each center’s needs. Source: BioSpace

Fraud & Abuse

  • Dr. Benjamin Tiongson, a pain management physician practicing in Houston, Sugar Land, and Katy, has agreed to pay $390,082 to resolve allegations of Medicare fraud. Between December 2021 and December 2022, Tiongson allegedly billed Medicare for surgical implantation of neurostimulator electrodes, procedures that typically require operating rooms and command thousands of dollars in reimbursement. Instead of performing these invasive surgeries, Tiongson reportedly provided electro-acupuncture treatments that merely involved inserting thin wires into patients’ ears and taping devices behind them, all conducted in clinic settings without surgical incisions. The settlement, reached after investigation by the U.S. Attorney’s Office and Department of Health and Human Services, resolves these allegations without determination of liability. Source: United States Department of Justice
  • A Frisco physician has agreed to pay $3.5 million to resolve allegations of COVID-19 billing fraud. Dr. Samad Khan, owner of SK Primary Care, allegedly submitted approximately 400,000 false claims to the COVID-19 Uninsured Program between April 2020 and October 2021 for evaluation and management services that were never performed. The United States contends that Khan’s COVID-19 testing sites were staffed by medical assistants who only performed specimen collection, yet he billed for higher-level services that required qualified healthcare professionals and often submitted two claims per patient—one for testing and another for providing results. Khan knowingly used incorrect billing codes that provided substantially higher reimbursements than the appropriate specimen collection codes, according to the settlement that resolves these allegations without a determination of liability. Source: United States Department of Justice

HIPAA

  • Healthcare organizations must implement comprehensive vendor management strategies to mitigate significant HIPAA compliance risks from third-party relationships. While properly executing Business Associate Agreements is crucial, experts emphasize it must be part of a broader risk-based approach that includes thorough initial vetting, continuous monitoring, and incident response planning. Organizations should implement tiered vendor assessments based on data access levels and sensitivity, with particular scrutiny for vendors handling Protected Health Information. Common compliance failures include treating BAAs as mere checkboxes, insufficient upfront diligence, inadequate ongoing monitoring, and failure to assess subcontractor relationships. Healthcare entities cannot outsource accountability and must treat vendors as extensions of their organization while maintaining clear boundaries regarding day-to-day operations to properly manage liability. Source: Relias Media

Med Spas

Medicare & Medicaid

  • Trump directs Health and Human Services to cap Medicaid payments at Medicare rates to eliminate fraud schemes. The memorandum targets state programs that tax healthcare providers then return the money as Medicaid payments, which triggers federal matching funds and allows providers to receive nearly three times Medicare rates. State Directed Payments under this system quadrupled over four years and reached $110 billion in 2024. The directive instructs the Secretary of Health and Human Services to ensure Medicaid payment rates do not exceed Medicare levels. Trump claims the current system allows states to avoid contributing funds while enriching healthcare providers through federal matching payments. Source: The White House
  • CMS will audit all Medicare Advantage contracts for each payment year in newly initiated audits following an announcement on May 21, 2025. The agency plans to complete audits for payment years 2018 through 2024, as CMS is several years behind in completing Risk Adjustment Data Validation (RADV) audits that verify diagnosis codes submitted by MA plans are supported by patient medical records. The Medicare Payment Advisory Commission estimates MA plans may overbill the government $43 billion per year through risk-adjusted payments based on enrollee diagnoses. CMS Administrator Dr. Mehmet Oz stated the agency has a duty to ensure MA plans bill the government accurately, and the Trump Administration aims to complete remaining audits by early 2026. To meet this goal, CMS will increase medical coders from 40 to 2,000 people beginning in September 2025 and deploy technology to flag unsupported diagnoses. Source: King & Spalding
  • The Center for Medicare and Medicaid Innovation plans to expand digital health technology and artificial intelligence integration across federal health care programs. CMMI released a white paper on May 13, 2025, outlining its strategy that emphasizes virtual care expansion, mobile health applications, and AI implementation for value-based care organizations. CMS Administrator Dr. Mehmet Oz and CMMI Director Abe Sutton stated that AI can increase health care supply and announced plans to create clearer reimbursement pathways for AI technologies. The agency seeks public input on certifying health-focused mobile applications for Medicare inclusion and is requesting comments on digital health through June 16, 2025. Sutton cautioned that some AI systems may increase costs by enabling providers to capture more services, requiring targeted reforms to focus on technologies that both expand care supply and reduce expenses. Source: Jones Day

Price Transparency


Wade’s Health Law Highlights for June 3, 2025

Emerging Tech

  • Alibaba’s healthcare AI model has achieved medical expertise comparable to senior physicians in China. The model, powered by Qwen 2.5-32B foundation technology, passed medical qualification exams at the “Deputy Chief Physician” level across 12 disciplines with 74.8% accuracy, outperforming competitors including OpenAI’s GPT-4o. Now integrated into Alibaba’s Quark AI assistant app with 200 million users, the model automatically handles health-related inquiries and has been refined through collaboration with medical institutions. Source: South China Morning Post
  • Digital health companies using AI for patient communication face significant legal exposure under the Telephone Consumer Protection Act (TCPA). While many companies focus solely on HIPAA compliance, the TCPA restricts automated calls, texts, and artificial voice messages without prior express consent, with written consent required for marketing communications. The FCC’s 2024 ruling classified AI-generated voices as “artificial voices” under the TCPA, though courts continue to wrestle with how this applies to chatbots and text-based systems. Digital health companies should conduct TCPA risk assessments, audit consent processes, obtain express written consent when in doubt, and monitor evolving litigation trends. Despite a 2021 Supreme Court decision narrowing the definition of automatic telephone dialing systems, TCPA compliance remains challenging as state regulations may differ and create legal risks even for companies without telemarketing intent. Source: Foley & Lardner LLP
  • The U.S. House of Representatives has passed legislation imposing a 10-year federal moratorium on state AI regulation. The “One Big Beautiful Bill Act” (H.R. 1) narrowly passed on May 22, 2025 by a 215-214 vote, containing a provision that would preempt state laws regulating artificial intelligence systems, potentially nullifying healthcare protections enacted in states like California, Connecticut, and Maryland. The moratorium threatens state initiatives requiring human oversight of AI in healthcare decisions, particularly those preventing insurers from using AI to autonomously deny coverage or process claims. The proposal faces significant opposition from state officials, including a bipartisan group of 35 California lawmakers and the National Conference of State Legislatures, while also potentially violating the Senate’s Byrd Rule as it may be considered extraneous to budgetary matters in a reconciliation bill. Source: Arnall Golden Gregory LLP

Data Breaches

  • WellNow Urgent Care has reached a $4.4 million settlement following a 2023 ransomware attack that compromised the protected health information of approximately 597,000 individuals. The cyberattack exposed sensitive data including names, birth dates, and for some victims, Social Security numbers, leading to consolidated lawsuits filed in March 2024 that alleged negligence and breach of implied contract. The settlement divides affected individuals into two subclasses: 541,870 people whose Social Security numbers were not compromised (eligible for up to $3.3 million in benefits) and 55,131 people whose Social Security numbers were exposed (eligible for up to $1.1 million in benefits). Class members can claim compensation for lost time and documented expenses up to $7,500, with those in the SSN subclass having the additional option of receiving a pro rata cash payment. Source: HIPAA Journal
  • Four healthcare organizations across the United States recently reported data breaches exposing sensitive patient information. Cooper Health System in New Jersey experienced the largest breach, affecting 57,412 individuals whose names and Social Security numbers were compromised after unusual network activity was detected on May 14, 2024. Union County Children and Youth Services in Pennsylvania suffered a ransomware attack on March 13, 2025, with at least 501 individuals affected, while Balance Autism in Iowa reported unauthorized access affecting 1,281 clients between March 11-17, 2025. The Carpenter Health Network in Louisiana identified a security incident between February 4-28, 2025, compromising personal and health information of 878 individuals, with all four organizations implementing additional security measures and offering credit monitoring services to affected individuals. Source: HIPAA Journal

Food & Drug Administration

Med Spas

Medicare

Private Equity

  • Private equity firms investing in healthcare face mounting legal and regulatory challenges across multiple fronts. The FTC and DOJ have intensified antitrust scrutiny of healthcare roll-up strategies, with enforcement actions targeting even smaller acquisitions that accumulate market power, as demonstrated by the recent USAP case resulting in a final consent order with notification and compliance requirements. States including New York, Massachusetts, Vermont, Rhode Island, and Connecticut have enacted laws requiring pre-transaction notice or approval for healthcare mergers and acquisitions, while the Corporate Practice of Medicine doctrine continues to restrict non-physician ownership of medical practices in states like New Jersey and New York. PE-backed healthcare entities face increased scrutiny through False Claims Act investigations related to billing practices, as seen in the $15.3 million settlement with Alliance Family of Companies, while simultaneously confronting public criticism that PE ownership prioritizes profits over patient care. Proactive legal planning and ongoing compliance monitoring have become essential for PE firms to navigate this complex environment and protect long-term investments in healthcare. Source: Greenbaum, Rowe, Smith & Davis LLP

Real Estate

  • Specialized appraisers are essential in healthcare real estate due to the sector’s unique complexities. Healthcare properties require appraisers with expertise in four critical areas: understanding healthcare operations across various facility types, navigating complex lease structures including timeshare arrangements, interpreting healthcare market trends and demographics that affect property values, and evaluating diverse property types from hospitals to specialized treatment centers with unique design requirements. These specialized appraisers can accurately determine property values by comprehending how buildings operate, evaluating unique lease structures, forecasting market trends, and recognizing the specific functional needs of different healthcare facilities. Source: VMG Health

Smart Devices

  • Smart devices are revolutionizing healthcare by shifting the industry from reactive treatment to proactive prevention through continuous monitoring technologies. These devices collect real-time physiological data including heart rate, blood oxygen levels, and glucose measurements, which AI algorithms analyze to detect patterns and predict health risks before symptoms appear. Wearable technologies like smartwatches with ECG capabilities can identify irregular heart rhythms, infectious diseases, and neurological disorders while enabling remote monitoring and integration with telehealth platforms. Emerging innovations include advanced biosensors that detect biomarkers through sweat or tears, miniaturized implantable devices for internal monitoring, and digital twins that create virtual replicas of patients to predict disease progression and optimal treatments. The transformation toward predictive healthcare faces challenges in ensuring data security, developing explainable AI systems that clinicians can trust, and providing equitable access across populations. Source: Healthcare Tech Outlook
  • Consumer health AI technologies are rapidly entering a complex regulatory environment as they shift from an unregulated space to one governed by various state privacy laws. These technologies often fall outside HIPAA’s scope but are increasingly subject to regulations like the California Consumer Privacy Act, Washington’s My Health My Data Act, and Texas’s Data Privacy and Security Act. The resulting regulatory patchwork varies by location and treats combined geolocation and healthcare data as particularly sensitive information. Tech companies using AI in consumer health applications will need to adapt to these unfamiliar privacy and security requirements that govern the collection and sharing of sensitive personal data. Source: GovInfoSecurity

Taxation

  • CMS has proposed new rules to eliminate a Medicaid financing loophole that could save the federal government $33 billion over five years. The May 15, 2025 proposal aims to prevent states from disproportionately taxing Medicaid services to draw down federal matching funds by adding stricter requirements for healthcare-related tax waivers. Seven states with existing waivers, including California, New York, Michigan, and Massachusetts, would be affected, with recently approved waivers receiving no transition period and requiring immediate compliance when the rule is finalized. The changes would prevent states from imposing higher tax rates on Medicaid-related services than on non-Medicaid services, forcing significant restructuring of state healthcare taxes. This regulatory effort parallels congressional action, as the House Energy and Commerce Committee recently advanced similar provisions in the 2025 budget reconciliation bill. Source: Sheppard Mullin Richter & Hampton LLP

Wade’s Health Law Highlights for May 27, 2025

Antitrust

  • State attorneys general are intensifying antitrust enforcement across multiple fronts. States are implementing “baby HSR” statutes requiring merging companies to file notifications directly with state AGs, with Washington recently adopting such laws and Colorado’s taking effect in August 2025. Litigation activity is increasing around healthcare and labor issues, exemplified by Michigan’s lawsuit against pharmacy benefit managers for price fixing and California’s action against no-poach agreements in the food processing industry. States are also bolstering criminal enforcement through initiatives like BRACE—a bid-rigging and criminal enforcement working group—while legislatures in California and New York advance bills to increase criminal penalties for antitrust violations. Companies must now consider state enforcement as carefully as federal oversight, with particular attention to transaction notifications, litigation risk, and enhanced criminal enforcement. Source: McCarter & English, LLP
  • The Department of Justice secured its first criminal wage-fixing conviction when a federal jury found a home health care operator guilty of conspiring with competitors to fix wages for home healthcare nurses. The April 14, 2025 verdict in the District of Nevada case relied heavily on text messages between the operator and competitors that referenced a “mutual agreement” on wages. This landmark conviction follows the DOJ’s 2016 guidance that wage-fixing agreements among labor-market competitors are per se illegal and subject to criminal prosecution, despite previous unsuccessful attempts to secure jury convictions in similar cases. The case is a cautionary tale of the risks of communications outside normal corporate monitoring. Source: Lathrop GPM

Bioprinting

  • 3D printing is revolutionizing healthcare by enabling a shift from mass-produced solutions to customized treatments tailored to individual patients. The technology has transformed multiple medical fields, including prosthetics that can be made affordably for children, custom implants for facial reconstruction and spine repairs, and anatomical models that allow surgeons to practice complex procedures before operations. In pharmaceuticals, 3D printing creates personalized drug dosages and delivery systems, with the FDA approving the first 3D-printed drug Spritam in 2015. While bioprinting has progressed to creating tissue structures like liver tissue, developing full functional organs remains experimental, with current research focusing on smaller tissues and improving cell viability. Despite challenges with regulations, standardization, and accessibility, the integration of artificial intelligence with 3D printing promises further advances in medical applications through optimized designs and materials. Source: Ars Technica

Data Privacy

Drug & Devices

  • Biotech companies are increasingly turning to collaborative deal structures to navigate FDA staffing shortages and financial constraints. With FDA retirements and layoffs extending approval timelines, biotechs facing limited cash runways are using licensing agreements and development partnerships to secure alternative financing while reducing operational costs. These collaborations typically involve upfront payments, milestone-based compensation, and royalties, as exemplified by Zealand Pharma’s recent $5.3 billion collaboration with Roche for obesity treatment technology. However, Hart-Scott-Rodino filing requirements for transactions exceeding certain thresholds (now $126.4 million in 2025) may delay deal completions, with new rules extending filing timelines from under 10 days to at least 30 days and increased scrutiny from the FTC and DOJ on pharmaceutical industry transactions. Source: JD Supra

Emerging Technology

  • Brain-computer interface technology is advancing rapidly with four leading companies poised to expand human trials significantly in 2025. Paradromics, Synchron, Precision Neuroscience, and Neuralink each employ different implantation approaches, from Synchron’s blood vessel-based electrodes to Neuralink’s deep brain implants that penetrate seven millimeters into brain tissue. The number of people with these interfaces will more than double in the next 12 months as companies advance their FDA-approved trials, while Apple has announced plans to make its devices compatible with these implants. Though medical experts caution against viewing this technology as a consumer product due to surgical risks, Morgan Stanley projects the brain-computer implant market will reach $1 billion annually by 2041. These interfaces already enable paralyzed patients to control computers and communicate, with potential future applications including thought-to-speech translation and prosthetic limb manipulation. Source: Wall Street Journal
  • Taiwan is pioneering AI healthcare integration with Nurabot, an AI-powered robot nurse that handles routine hospital tasks to address nurse burnout. Developed through collaboration between Foxconn and Kawasaki Heavy Industries, Nurabot delivers medications, patrols wards, and guides visitors, allowing human nurses to focus on critical patient care as the world faces a projected shortage of 4.5 million nurses by 2030. The technology leverages NVIDIA supercomputers and digital twins—virtual replicas of hospital wards—to simulate and optimize operations before real-world implementation. Taichung Veterans General Hospital is currently conducting field trials with Nurabot, while future iterations may communicate in multiple languages, recognize faces, and assist in lifting patients. Despite challenges like data privacy concerns, Taiwan’s approach offers potential solutions to global healthcare staffing issues through AI integration. Source: Rude Baguette
  • IoT technology revolutionizes healthcare billing through automation and real-time data access. The systems enable automatic recording of usage and charges without manual compilation, providing staff with precise information for error-free bills while reducing labor costs. Patients gain transparency through digital portals displaying detailed bill breakdowns, which reduces disputes and encourages timely payments. Implementation challenges include data privacy concerns (59% of patients fear misuse of medical information), regulatory compliance with laws like HIPAA, compatibility issues between vendor systems, and high upfront costs despite long-term savings. Source: IoT For All

Fraud & Abuse

Gender-Affirming Care

Medical Malpractice

  • Four key states are implementing significant medical malpractice reforms that fundamentally reshape how liability cases proceed through the legal system. Texas restricts evidence to actual payments rather than billed amounts while requiring disclosure of third-party litigation funding, Georgia eliminates “anchoring” tactics by plaintiffs and imposes procedural barriers including discovery stays, Utah establishes minimum insurance requirements and reporting mechanisms to address rural provider shortages, and South Carolina narrows joint liability by requiring fault allocation across all parties. These state-level reforms demonstrate a shift away from headline-grabbing damage caps toward granular changes to legal mechanics that advantage defendants earlier in proceedings, potentially signaling a nationwide trend in malpractice litigation rules. Source: Scott Righthand

Medicare

Mental Health

  • Federal departments have suspended enforcement of the 2024 Mental Health Parity regulations until ongoing litigation concludes plus 18 months. The suspension, announced on May 15, 2025, reinstates the 2013 Final Rule and affects three key requirements: outcomes-based testing, mandatory meaningful benefits across classifications, and fiduciary certification obligations. Plan sponsors and insurers must still conduct nonquantitative treatment limitation comparative analyses and maintain compliance with statutory obligations under the Consolidated Appropriations Act. The departments indicated they will reexamine their enforcement approaches while encouraging states to adopt similar enforcement positions. Despite the suspension, health plans should continue good-faith compliance efforts with the remaining mental health parity requirements. Source: McDermott Will & Emery

Wade’s Health Law Highlights for May 20, 2025

Academic Medical Centers

Data Breach

Fraud & Abuse

  • The Department of Justice has prioritized False Claims Act theories in its criminal enforcement agenda. The Criminal Division’s top priorities include health care fraud and government contracts fraud, trade and customs fraud, and violations of controlled substances laws—all central focuses of False Claims Act enforcement. These enforcement priorities suggest the DOJ views civil FCA liability and criminal penalties as connected pathways in addressing high-priority misconduct. Businesses in regulated industries now face potential parallel criminal investigations alongside civil FCA scrutiny, making robust compliance systems increasingly critical. Recent changes to DOJ enforcement policies regarding self-disclosure, cooperation, and remediation further emphasize that compliance missteps may carry heavier penalties than before. Source: Skadden, Arps, Slate, Meagher & Flom LLP

Health Data

  • Patient data faces significant vulnerabilities when health tech companies fold, due to inadequate regulations and inconsistent security practices. Despite the health tech industry’s growth to $908.5 billion in 2023 with projections to reach $3.1 trillion by 2033, approximately 90% of health tech startups eventually fail, as exemplified by Forward’s abrupt closure in 2024 which left patients struggling to retrieve health records and maintain prescription access. Currently, only 20 states have instituted rules for patient health data protection, with most safeguards relying on user agreements that 91% of consumers don’t read, as seen when 23andMe’s bankruptcy prompted customers to rush to delete their data before possible transfer. Security experts recommend companies implement solid encryption, access controls, proper data deletion procedures with 30-day buffers, and rapid response plans to protect patient information when companies shut down. Source: Healthcare Brew

Insurance Coverage

  • The Tenth Circuit Court of Appeals has ruled that hospital excess liability insurance policies must treat each patient claim as a separate “medical incident.” The May 2, 2025 decision in AdHealth Limited v. PorterCare Adventist Health Systems affirmed that each claim must individually exceed the $2 million self-insurance retention to qualify for excess coverage. PorterCare had sought $40 million in coverage after settling lawsuits from thousands of patients exposed to infection risks due to inadequate sterilization procedures. The court rejected PorterCare’s argument that all claims constituted a single medical incident, instead interpreting the policy language “any one person” as unambiguously limiting coverage to individual claimants. The ruling highlights the importance of policy language in determining how multiple related claims will be treated for insurance purposes. Source: Carlton Fields

Long-Term Care

  • A federal court has struck down key provisions of the Centers for Medicare & Medicaid Services’ staffing mandate for long-term care facilities. The Northern District of Texas vacated requirements for 24/7 registered nurse staffing and minimum staffing ratios of 3.48 hours per resident per day that were set to begin implementation in May 2026. The court determined CMS exceeded its statutory authority by contradicting existing law that requires RN services for only eight consecutive hours daily and by imposing uniform staffing ratios that fail to account for facilities’ unique needs. This ruling follows the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo, which limits federal agencies to authority clearly delegated by Congress and enhances judicial oversight of regulatory actions. While providing regulatory relief, long-term care facilities should continue addressing staffing challenges and monitor potential appeals of this decision. Source: Troutman Pepper Locke

Medicare Advantage

  • UnitedHealth Group faces multiple federal investigations amid leadership changes and financial struggles. According to The Wall Street Journal, the Department of Justice has been conducting a criminal fraud investigation into UnitedHealthcare’s Medicare Advantage business since at least summer 2024, though the company claims no knowledge of such an investigation. This comes alongside an existing antitrust probe examining the relationship between UnitedHealthcare and Optum, plus a civil investigation into Medicare Advantage billing practices. UnitedHealth reported poor first-quarter performance in 2025 with medical costs exceeding expectations. The company’s stock has reached multi-year lows following these developments. Source: Fierce Healthcare

Mergers & Acquisitions

  • Healthcare transaction activity hit its lowest point since Q3 2020, with Q4 2024 volumes decreasing 10.4% from Q3 and 11.7% compared to Q4 2023. Professional Services, Outsourced Services, and Behavioral Health dominated the landscape, accounting for 73.2% of all transactions, with significant deals including New Enterprise Associates’ $1.3 billion acquisition of NeueHealth and Cencora’s $4.6 billion purchase of Retina Consultants of America. Despite an overall 4.9% decline in 2024 transactions compared to 2023, certain sectors showed growth, including Behavioral Health (+7.5%), Managed Care (+10.6%), and Specialty Outpatient Facilities (+14.0%). Healthcare investors continue to face regulatory scrutiny and elevated interest rates, though the incoming Trump administration is expected to create a more favorable M&A environment in 2025 with a less aggressive approach to merger regulation and potential tax cuts. Source: [Ankura](https://www.jdsupra.com/legalnews/quarterly-healthcare-transactions-4427961/)

Part 2

  • The U.S. Department of Health and Human Services has updated 42 CFR Part 2 to align substance use disorder record confidentiality requirements with HIPAA and HITECH standards. The New Rule allows patients to sign a single consent form for future disclosures rather than requiring separate authorizations for each disclosure, while also implementing HIPAA-like breach notification requirements. Penalties for violations now include both civil fines up to $1.5 million per calendar year and criminal penalties up to $250,000 with potential imprisonment from one to ten years. Healthcare entities subject to Part 2 must update their policies regarding patient consent, information disclosure, medical records, breach notification, privacy notices, and data storage. Organizations must comply with these new requirements by February 16, 2026 to avoid significant penalties in the increasingly stringent enforcement landscape. Source: Katten

Regulation


Wade’s Health Law Highlights for May 13, 2025

Artificial Intelligence in Healthcare

Fraud & Abuse

  • The Seventh and Second Circuits issued opinions narrowing the scope of advertising, marketing, and booking fee activities that violate the federal Anti-Kickback Statute (AKS). In Sorenson, the Seventh Circuit reversed a conviction by ruling that payments to marketing firms for generating leads don’t constitute illegal kickbacks when physicians retain independent judgment and the payments represent compensation for advertising rather than inducement for referrals. Similarly, in Sisselman, the Second Circuit affirmed dismissal of claims against Zocdoc, finding that the company’s reliance on favorable HHS-OIG advisory opinions about its booking fee model defeated the scienter requirement necessary for AKS violations. These rulings establish that marketing activities are not automatically illegal under the AKS when marketers don’t directly influence healthcare decisions and that obtaining favorable advisory opinions can provide protection against both AKS and False Claims Act allegations. Source: Venable
  • The U.S. Attorney’s Office for the Southern District of New York announced a $202 million civil False Claims Act settlement with Gilead, resolving allegations that the company’s speaker program violated the Anti-Kickback Statute. Between 2011 and 2017, Gilead paid 548 healthcare providers more than $23.7 million in honoraria, meals, and travel expenses, which prosecutors claimed induced recipients to prescribe Gilead’s HIV medications. The government questioned these programs’ educational value, citing issues including venue selection, alcohol service, and commercial influence on speaker selection, while sales personnel reportedly circumvented meal limits by recording food costs as room fees. This settlement serves as a reminder that authorities analyze speaker program data to identify compliance issues, encouraging companies to implement rigorous controls such as headquarters-based review of speakers and restricting repeat attendance at similar programs. Source: Skadden
  • Attorney General Pam Bondi has directed the Department of Justice to investigate pharmaceutical companies and healthcare providers involved in gender transition treatments for potential violations of federal law. The April 22, 2025 memorandum implements Executive Order 14187, which reversed Biden Administration policies supporting gender transition treatments and procedures. The DOJ will pursue potential False Claims Act violations against providers who submit reimbursement claims for gender transition medications or procedures to federal healthcare programs, along with Food, Drug, and Cosmetic Act violations for “off-label” promotion of medications used for transitions. Bondi announced the creation of the Coalition Against Child Mutilation to coordinate with state attorneys general, expressed eagerness to work with qui tam whistleblowers, and stated the DOJ will no longer follow World Professional Association for Transgender Health guidelines. Healthcare and life sciences companies are advised to review promotional materials, billing practices, and internal whistleblowing procedures to mitigate enforcement risks. Source: DLA Piper
  • Four individuals have been sentenced to federal prison for orchestrating a $110 million healthcare fraud scheme in Texas. John Rodriguez, a former pharmacist who owned Pharr Family Pharmacy, received 60 months imprisonment while his co-conspirators Mohammad Chowdhury received 30 months, and Hector de la Cruz and Alex Flores each received 46 months. The group paid kickbacks to medical providers who referred prescriptions to Rodriguez’s pharmacy, which then billed federal programs including the Department of Labor, TRICARE, and Medicare. From 2014 to 2016, the pharmacy submitted more than $110 million in claims to federal health care programs for compound drugs, with all defendants now required to serve three years of supervised release following their prison terms. The investigation involved multiple federal agencies including the FBI, with U.S. Attorney Nicholas Ganjei stating that “Illegal kickbacks are the engine that drives health care fraud.” Source: United States Department of Justice

Hospitals

Legislation

  • Two bills were introduced that would create new regulatory requirements for healthcare organizations undergoing ownership, operational, or governance changes. House Bill 2747 would require healthcare entities to notify the Texas attorney general 90 days before material change transactions and authorizes penalties up to $10,000 per violation. Senate Bill 1595 mandates healthcare entities report ownership and control information to the secretary of state annually and during material change transactions, with substantial penalties for non-compliance. The reporting requirements for material change transactions apply to entities with at least $10 million in assets or revenue, with penalties reaching $500,000 per violation for larger organizations. Both bills would take effect September 1, 2025, if passed. Source: King & Spalding
  • The Texas House of Representatives has approved two bills designed to facilitate access to psychedelic-assisted therapy once federal approval is granted. The first bill, HB 4014, passed 115-31 and establishes a state-backed study into the use of psilocybin, MDMA, and ketamine for treating conditions like PTSD and depression, with the study to be conducted in consultation with researchers at Baylor College of Medicine and UT Austin. The second bill, HB 4813, passed unanimously and ensures substances reclassified under federal law will be similarly controlled under state law “as soon as practicable,” aimed specifically at expediting access to psychedelic therapies for Texas veterans once FDA approval occurs. The legislation builds on a 2021 measure that studied psychedelics for treating veterans with PTSD, which supporters say helped make Texas “a pioneer in this space.” Source: Marijuana Moment

Life Science

  • Private equity firms investing in life science companies face regulatory challenges across multiple domains including AI, fraud enforcement, and pharmaceutical pricing. The Trump Administration has revamped regulatory frameworks through executive orders that mandate agency restructuring and significant deregulation across health agencies. DOJ continues investigating fraud in the sector with heightened scrutiny of investor involvement in portfolio company operations, though establishing FCA liability for sponsors remains legally challenging. New trade policies implementing baseline and reciprocal tariffs affect the healthcare industry, with pharmaceutical imports under national security investigation through Section 232. Medicare drug price negotiations proceed while executive orders seek to lower costs through accelerated approvals for generics and improved drug importation programs. Source: White & Case

Medicare

Non-Competes

  • Several states have enacted legislation taking effect in 2025 that restricts noncompete agreements for healthcare workers. Arkansas will ban physician noncompetes completely while Louisiana limits them to three years for primary care physicians and five years for other physicians. Maryland restricts noncompetes to one year and within ten miles for healthcare workers earning under $350,000, while Pennsylvania caps them at one year for doctors and certain nursing professionals. Utah prohibits “health care services platforms” from requiring noncompetes, joining states like Texas, Florida, and Colorado that already have established limitations on physician noncompete agreements. Source: Foley & Lardner

Nursing


Wade’s Health Law Highlights for May 6, 2025

Artificial Intelligence

  • Houston Methodist is teaming up with Ambience Healthcare to integrate AI into emergency departments and inpatient care settings to address documentation and workflow challenges. The technology will capture provider-patient conversations, gather details for admissions and documentation, extract information from charts, and understand specific coding needs of each care setting. Emergency department clinicians report high burnout levels and complete approximately 4,000 mouse clicks during busy shifts, while the new AI aims to reduce this “click mileage” by eliminating copy-pasting documentation. Dr. Jordan Dale, chief medical information officer at Houston Methodist, stated they are committed to finding new ways to relieve clinicians with AI technology that enhances the patient-provider experience.
  • The University of Texas Medical Branch (UTMB) uses AI to automatically analyze all CT scans for cardiac risk, identifying patients with coronary artery calcification who might otherwise go undetected. The system calculates an Agatston score through convolutional neural networks, categorizes patients into risk tiers, and sends automated notifications to high-risk patients and their physicians, evaluating approximately 450 scans monthly with 5-10 high-risk cases identified. UTMB also employs AI for rapid stroke and pulmonary embolism detection, with algorithms that notify care teams within seconds of imaging, and uses AI to assist with inpatient admission decisions by analyzing electronic health records.

Data Breach

  • Ascension Health has announced that some of its patients’ data may have been exfiltrated following a December attack that compromised a former business partner’s third-party software. Patient information from care sites in Alabama, Indiana, Michigan, Tennessee, and Texas was inadvertently shared with the breached business partner, including names, birthdates, addresses, phone numbers, email addresses, Social Security numbers, race, gender, and clinical details. Ascension says its own systems, networks, and electronic health records were not involved in this incident. This disclosure follows a previous Black Basta ransomware attack reported months ago that affected 5.6 million individuals and disrupted Ascension’s electronic health records system and some hospital emergency care operations.

Food as Medicine

  • Food as medicine encompasses nutritional interventions to prevent or treat disease through programs like medically tailored meals and produce prescriptions. Medicare Advantage offers food as medicine through supplemental benefits, special benefits for chronically ill enrollees, and the Value-Based Insurance Design Model, while Medicaid provides coverage through Section 1115 waivers and other authorities. There is uncertainty about future federal funding for food as medicine initiatives. Private funding faces challenges as employer health plans must classify food interventions as qualified medical expenses, requiring physician documentation and third-party verification.

Fraud & Abuse

Geriatrics

Medicare Beneficiaries

  • Medicare requirements follow patients regardless of a provider’s cash-based practice model, with three provider categories determining Medicare billing obligations. Participating providers enroll in Medicare and accept assignment on all claims, billing Medicare directly for covered services. Non-participating providers enroll in Medicare but choose which claims to accept assignment on, must submit all claims to Medicare, and face limitations on what they can charge beneficiaries. Opt-out providers must file an affidavit valid for two years, enter specific contracts with Medicare beneficiaries, and can charge patients without Medicare limitations, though certain provider types cannot opt out of Medicare.

Provider Networks

  • Network rental agreements in healthcare allow payers to access each other’s provider networks and fee schedules, which can circumvent negotiated contracts and subject providers to unfavorable rates. These arrangements may violate antitrust laws as horizontal price-fixing schemes under Section 1 of the Sherman Act, with courts applying the per se rule to find them unreasonably restrictive of trade. In January 2025, AIDS Health Foundation won over $10 million in damages after an arbitrator ruled that a network rental agreement between Prime Therapeutics and Express Scripts constituted illegal price-fixing, while a similar class action by Osterhaus Pharmacy against Express Scripts is proceeding after surviving a motion to dismiss in February 2025. Oklahoma has proposed legislation (SB789) to prohibit pharmacy benefit managers from making their provider networks available to other PBMs, potentially effective November 2025.

Staffing

Texas Medicaid

  • The Texas Health and Human Services Commission denied Cook Children’s Health Plan a renewed Medicaid contract in March 2024, putting healthcare for 125,000 members at risk starting September, including 10,000 children with complex medical needs. The decision could force families to switch to one of four national for-profit plans, potentially disrupting established care relationships and eliminating local community-based coordination that has served Fort Worth families for 25 years. Cook Children’s has filed legal action against the commission after their protest was denied, while state lawmakers have introduced bills to change how Medicaid contracts are awarded to protect local healthcare management. The contract termination could impact 400 Fort Worth employees, 1,455 primary care providers, and 2,550 specialists, causing 75.6% insurance plan turnover in Tarrant County.

Wade’s Health Law Highlights for April 29, 2025

Affordable Care Act

Artificial Intelligence

  • Texas Children’s Hospital has developed an AI model to assess bone age in pediatric patients, reducing radiologist image reading time by 30-50% since its November launch. The AI interprets X-rays to estimate bone age, which radiologists then verify, allowing them to focus on more complex procedures like interventional radiology. This bone age tool is part of Texas Children’s broader initiative that has produced twelve in-house AI solutions, including models for employee recognition, patient no-shows, and readmissions. The hospital maintains a comprehensive AI governance framework with representatives from clinical, operational, information security, and legal departments to ensure ethical use, prevent bias, and protect data privacy.
  • The Trump Administration released two revised policies on April 3, 2025, replacing previous AI guidelines with new frameworks for federal agencies. OMB Memorandum M-25-21 encourages agencies to implement AI solutions that maximize taxpayer value while identifying healthcare applications as “high-impact AI” due to their role in medical devices, patient diagnosis, and insurance decisions. The second policy, OMB Memorandum M-25-22, requires agencies including HHS to update acquisition procedures for AI systems, establish cross-functional teams for decision-making, and ensure appropriate intellectual property terms in contracts. These updates must be completed by December 29, 2025, replacing policies from the previous administration that were rescinded through Executive Order 14179 in January 2025.

Business Associates

Data Access and Breach

  • Data silos in healthcare create fragmented information landscapes that hinder patient care, delay diagnosis, and force clinical staff to perform time-consuming clerical tasks. The Trusted Exchange Framework and Common Agreement (TEFCA) aims to break down these silos by connecting health information networks and imposing financial penalties for information blocking. Healthcare organizations can improve data integration by creating stakeholder incentives, implementing strong governance frameworks, empowering patients to control their data, and adopting cloud-native management technologies. Eliminating data silos optimizes clinical workflows, reduces errors, enables specialist collaboration, and creates a foundation for AI applications that can identify patients at risk for adverse outcomes.
  • Blue Shield of California confirmed on April 9 that a misconfigured Google Analytics implementation exposed protected health information of 4.7 million patients between April 2021 and January 2024. The breach, identified as the largest healthcare data breach of 2025, potentially shared patient names, locations, gender, family size, medical services information, and search criteria with Google Ads for targeted advertising. Blue Shield stated no malicious actors were involved and the exposed data did not include Social Security numbers, driver’s licenses, or financial information. The company has advised affected members to monitor their accounts and credit reports for suspicious activity.
  • The U.S. Department of Health and Human Services Office for Civil Rights has reached a $600,000 settlement with PIH Health, Inc. over HIPAA violations. The California health care network reported a June 2019 phishing attack that compromised 45 employee email accounts and exposed the protected health information of 189,763 individuals. OCR’s investigation found PIH failed to properly protect health information, conduct thorough risk analysis, and notify affected parties within the required timeframe. As part of the settlement, PIH must implement a corrective action plan including risk analysis, management planning, policy development, and staff training, which will be monitored by OCR for two years.

Fraud & Abuse

Hospitals

Medicare

  • CMS issued its annual Hospital Inpatient Prospective Payment System and Long-Term Care Hospital Prospective Payment System Proposed Rule for FY 2026 on April 11, 2025. The proposal includes a 2.4% increase in operating payment rates for general acute care hospitals and a 2.6% increase for LTCH standard payment rates, with expected IPPS payment increases of $4 billion. CMS plans to discontinue the low wage index hospital policy following a court order, reduce the labor-related share from 67.6% to 66%, and modify the nursing and allied health payment formula by changing the order of operations for calculating reimbursable net costs. The proposal also announces the reallocation of FTE cap slots from two closed teaching hospitals and increases the uncompensated care payment pool to $7.14 billion for FY 2026, with comments due by June 10, 2025.
  • Healthcare providers face potential revenue losses of $80 billion in 2026 due to looming Medicaid cuts, with hospitals at greatest risk if states drop expansion programs. Federal policy changes may include reducing assistance percentages, capping funds, intensifying eligibility requirements, and increasing scrutiny of payments, which could accelerate hospital closures particularly in rural and low-income areas. Healthcare organizations must respond by improving margins, expanding alternative revenue streams, optimizing operations, enhancing care coordination, and strengthening documentation compliance to survive these financial challenges.

Mergers & Acquisitions

  • States are rapidly enacting health care transaction review laws that require pre-transaction notification and often approval from state agencies before health care entities can complete mergers, acquisitions, or ownership changes. These laws can be categorized into four types: those amending material change transaction processes, bills seeking disclosure, legislation enhancing antitrust laws, and proposals prohibiting private equity and hedge funds from controlling health care entities. California’s proposals AB 1415 and SB 351 seek to broaden the Office of Health Care Affordability’s review authority over transactions involving management services organizations and reinforce prohibitions against corporate practice of medicine, particularly targeting private equity and hedge funds.

Non-Competes

  • Arkansas passed legislation that voids noncompete agreements restricting physicians’ practice within their scope. The law, expected to take effect around July 15, 2025, applies to medical doctors and osteopaths licensed under Arkansas statutes. The Act does not specify whether it will invalidate existing physician noncompete agreements or only apply to future contracts. While physician noncompetes are now prohibited, other restrictive covenants such as non-solicitation agreements, confidentiality agreements, and standard employment terms remain enforceable for physicians in Arkansas.

Pharmacies & Benefit Managers

  • The pharmacy industry confronts significant challenges as 29% of retail pharmacies closed between 2010 and 2021, with closures disproportionately affecting communities serving Medicaid and Medicare patients. Drug shortages persist due to vulnerable supply chains heavily dependent on foreign manufacturing of pharmaceutical ingredients from China and India, which legislative efforts like California’s CalRx initiative and the federal Affordable Drug Manufacturing Act aim to address. President Trump’s February 2025 Executive Order mandates enhanced transparency in drug pricing, requiring agencies to propose new guidelines within 90 days. The pharmacy sector is simultaneously exploring artificial intelligence to improve medication management and patient care, though implementation faces obstacles including high costs, potential lack of human touch, data quality concerns, and ethical considerations around patient information.
  • CMS published a final rule requiring Part D pharmacies to enroll in the Medicare Transaction Facilitator Data Module to facilitate the Medicare Drug Price Negotiation Program established by the Inflation Reduction Act. The Data Module will help manufacturers verify eligibility and accelerate retrospective refunds to pharmacies for the ten negotiated drug products in 2026, while an optional Payment Module will facilitate fund transfers and manage claims revisions. Enrollment begins in June 2025 after the rule takes effect on June 3, with chain pharmacies able to enroll through one centralized submission and dispensing entities permitted to use Pharmacy Service Administrative Organizations to receive Maximum Fair Price refunds.
  • In a federal court ruling, Tennessee’s “any willing pharmacy” law was deemed preempted by ERISA because it impermissibly affected plan structure rather than merely regulating costs. The McKee decision aligns with the Tenth Circuit’s ruling in PCMA v. Mulready, which invalidated Oklahoma’s law requiring PBMs to follow certain pharmacy network standards. Courts have consistently held that while states can regulate PBM reimbursement rates, they cannot interfere with plan operation or network design. Self-funded group health plans currently face conflicting state PBM laws across multiple jurisdictions, creating a regulatory challenge that requires resolution by either the Supreme Court or Congress.

Ransomware

  • Three healthcare organizations—DaVita, Bell Ambulance, and Alabama Ophthalmology Associates—recently suffered ransomware attacks that compromised sensitive patient data including names, Social Security numbers, and medical information. The Bell Ambulance attack affected 114,000 individuals while the Alabama Ophthalmology Associates breach impacted 131,576 people, with different ransomware groups claiming responsibility for each attack. Healthcare organizations remain prime targets for cybercriminals due to the sensitive nature of patient data, with ransomware attacks against the sector increasing 300% since 2015 according to Microsoft. Security experts recommend focusing on basic security measures like strong passwords, multifactor authentication, and properly segmented networks to protect healthcare systems from these threats.
  • The U.S. Department of Health and Human Services Office for Civil Rights has reached a settlement with Comprehensive Neurology regarding a HIPAA Security Rule violation following a ransomware attack. The December 2020 breach compromised the protected health information of 6,800 individuals, including names, clinical information, insurance details, and Social Security numbers. OCR’s investigation determined that the neurology practice failed to conduct a thorough risk analysis of potential vulnerabilities to electronic protected health information. Under the settlement terms, Comprehensive Neurology must implement a corrective action plan monitored for two years and pay $25,000 to OCR, marking the agency’s 12th ransomware enforcement action and 8th enforcement action in its Risk Analysis Initiative.