Advertising
- Twenty US states have enacted comprehensive privacy laws that regulate health data usage in digital advertising. The Federal Trade Commission and state regulators have expanded definitions of health data to include browsing histories, location information, and medical purchases, with Washington and Nevada implementing specific consumer health data laws requiring detailed consent. The Dobbs v. Jackson Women’s Health decision has accelerated concerns about health data privacy, particularly regarding reproductive healthcare information. Companies are adapting through various strategies including national opt-in consent standards, data suppression in certain states, increased due diligence, and demographic-based targeting instead of individual health data. Despite potential changes in federal enforcement under the new administration, state-level regulation of health data is expected to increase, particularly in Democratic-leaning states.
Artificial Intelligence
- AI in healthcare currently faces mixed results across different applications. AI-powered ambient scribing tools for clinical documentation show varying effectiveness, with some studies indicating time savings while others suggest increased time spent on records. Clinical decision support tools, particularly for sepsis detection, struggle with accuracy and false positives, though tools like Sayvant offer promise in medical decision-making documentation. AI also shows potential for medical record summarization, though current limitations necessitate a measured approach focused on targeted innovations rather than transformation.
- OpenAI and Oracle have announced the Stargate AI infrastructure project, a $500 billion initiative backed by SoftBank and MGX to develop next-generation AI infrastructure over four years. Project leaders claim it will revolutionize healthcare through capabilities like 48-hour personalized cancer vaccines and improved disease treatments, while studies show AI can match doctor accuracy in diagnoses. However, experts suggest there are implementation challenges including payment systems, clinician training, and integration across healthcare facilities.
Information Blocking
- The 2016 21st Century Cures Act established rules against information blocking in healthcare electronic records to promote data sharing and competition. The Department of Health and Human Services and Federal Trade Commission collaborated to implement these rules, requiring fair licensing terms for protected health information. In January 2024, Real Time Medical Systems filed the first lawsuit under these rules against PointClickCare Technologies, alleging that PCC blocked access to health records through unsolvable CAPTCHA walls to hinder competition. The District Court of Maryland granted Real Time a preliminary injunction, and the case is now on appeal to the Fourth Circuit. The case marks the first enforcement action of the Cures Act’s information blocking provisions since its enactment.
Insurance
- A new American Medical Association survey reveals that prior authorization requirements create barriers to patient care, with physicians reporting increased denials over the past five years and concerns about AI-driven review systems. The survey found that prior authorization led to care delays, with 77% of physicians reporting patients had to attempt ineffective treatments first, and 23% noting hospitalizations due to authorization delays. A Senate report indicated that AI systems deny claims up to 16 times more frequently than human reviewers, prompting the AMA to warn against unregulated AI in medical decision-making. Despite lawmaker scrutiny and legal challenges, experts predict insurers will continue implementing AI review systems, potentially forcing providers to adopt their own AI tools for claims submission.
- A new American Medical Association survey reveals that 61% of doctors worry about insurers using AI to increase treatment pre-approval denials. The survey found that 93% of physicians report prior authorization delays care, while 82% say patients sometimes abandon treatment due to these delays. Despite 66% of doctors using AI in their practices, 49% want increased regulatory oversight of how insurers employ AI in the approval process. Hospitals report increasing claim denials attributed to AI tools, with 89% of doctors stating that prior authorization battles contribute to burnout. The process impacts patient care, with 29% of doctors reporting serious adverse events due to authorization delays, and 23% noting patients requiring hospitalization as a result.
Security
- The Department of Health and Human Services has proposed updates to the HIPAA Security Rule on January 6, 2025, with comments open until March 7, 2025. The updates eliminate the distinction between “required” and “addressable” standards, making all security measures mandatory for healthcare entities. The new requirements include encryption, multifactor authentication, regular security audits, vulnerability scans, data backup procedures, and network mapping. The Privacy Rule changes reduce patient record request fulfillment time from 30 to 15 days and allow patients to photograph their health information in designated private areas. Healthcare providers must implement these changes and retrain staff on the new requirements once finalized.
- The U.S. Department of Health and Human Services proposes updates to the HIPAA Security Rule due to widespread adoption of electronic health records, with 80% of physicians’ offices and 96% of hospitals using them as of 2021. The updates aim to address increased cybersecurity risks in healthcare delivery systems and establish centralized security standards, as current voluntary guidelines have seen inconsistent implementation. HHS chose a prescriptive approach rather than recognizing existing frameworks for safe harbor incentives, despite the 2021 HITECH Act amendments. The proposed changes, which have a public comment deadline of March 7, 2025, would raise security standards and potentially burden smaller providers, though HHS maintains the rules allow for flexibility in implementation.
Transgender Care
- Texas has filed a lawsuit against Dr. Hector Granados and two other doctors for allegedly violating a 2023 law banning gender-affirming care for minors. The state claims Granados prescribed testosterone to a 16-year-old patient after the ban, while he maintains he only prescribed it for hormone deficiencies, not gender transition. Texas is among 27 states that have restricted or banned treatments like puberty blockers and hormone therapy for minors, with some families now seeking care in states like New Mexico where such treatments remain legal. The trial is set for October, and if found guilty, Granados and his co-defendants, Dr. May Lau and Dr. M. Brett Cooper, could lose their medical licenses and face fines. Attorney General Ken Paxton states his office will enforce the ban, while doctors must choose between their ethical duties and maintaining their ability to practice medicine.
Artificial Intelligence
- A recent American Medical Association survey of 1,183 physicians shows AI usage among doctors increased from 38% in 2023 to 66% in 2024. Physicians use AI primarily for visit documentation, discharge summaries, care plans, translation services, and medical research summaries, with 68% reporting AI provides advantages in patient care. While 36% of physicians express excitement about AI, up from 30% in 2023, 47% believe increased oversight is needed to build trust in the technology. The survey reveals physicians want features like feedback channels, data privacy assurances, EHR integration, and proper training to advance AI adoption in healthcare.
- Healthcare will transform from centralized hospitals to an invisible, integrated system woven into daily life through AI and edge computing. The shift is driven by younger generations demanding personalized care, advancing biometric technology, and the convergence of diagnostic capabilities into smaller devices. By 2051, healthcare will move into homes and repurposed community spaces, with AI-powered preventive care and mental health support becoming standard features of everyday environments. Wearable technology will predict health issues decades in advance, while household items will continuously collect health data and provide real-time monitoring.
- Organizations are shifting from static AI compliance to continuous governance models as AI systems become more integrated into business operations. The EU AI Act and U.S. regulations require companies to implement real-time monitoring, vendor oversight, and cross-functional governance structures to manage AI risks. Organizations must address challenges including model drift, data provenance, third-party transparency, and AI liability through continuous auditing and risk assessment frameworks. Companies need to balance AI explainability with intellectual property protection while ensuring compliance with privacy regulations like GDPR and CCPA. Those who adopt proactive AI governance frameworks position themselves for competitive advantage in responsible AI innovation.
FDA
- Hims & Hers Health stock dropped 26% after the FDA declared the end of semaglutide shortages and announced plans to crack down on compounding pharmacies within 90 days. The company has been selling compounded versions of semaglutide, the active ingredient in Wegovy and Ozempic, for $200 per month compared to the $1,000 monthly cost of branded versions. Despite this setback, Hims & Hers has expanded through acquisitions, including a U.S.-based peptide facility and Trybe Labs for at-home testing services. The company’s weight loss program is projected to generate $100 million in revenue by the end of 2025, following stock gains of over 200% last year.
- The FDA announced on February 21 that the semaglutide injection product shortage has ended, removing it from the Drug Shortage List where it had been since 2022. The medication, used for Type 2 diabetes and weight loss, will face new restrictions on compounding, with state-licensed pharmacies and physicians having until April 22, 2025, and outsourcing facilities until May 22, 2025, to comply with FDA regulations. Healthcare providers will no longer be able to compound versions of semaglutide that are copies of brand-name products, requiring patients to switch to brand-name medications. The changes will impact medical practices, pharmacies, outsourcing facilities, and telehealth companies that have been providing compounded versions of the medication at lower costs than brand-name alternatives. Healthcare providers must consult with attorneys to ensure compliance with the new regulations before the deadlines.
Fraud & Abuse
- The United States Court of Appeals for the First Circuit ruled that kickbacks must be the “but-for” cause of claim submissions to establish falsity in False Claims Act cases based on Anti-Kickback Statute violations. The ruling emerged from United States of America v. Regeneron Pharmaceuticals, Inc., which examined whether Medicare claims for Eylea influenced by kickback violations through copayment coverages constituted false claims. While Regeneron advocated for the stricter but-for causation standard already adopted by the Sixth and Eighth Circuits, the government pushed for the Third Circuit’s more lenient approach requiring only proof of a causal link between claims and AKS violations. The First Circuit’s decision to adopt the but-for standard will limit the scope of actionable FCA claims and affect how the government and whistleblowers pursue damages for AKS violations in federal healthcare programs.
- On February 18, 2025, the First Circuit Court joined the Sixth and Eighth Circuits in ruling that Anti-Kickback Statute violations must be the “but-for” cause of false claims to trigger False Claims Act liability. This decision created a split with the Third Circuit, which only requires showing that a patient was exposed to an illegal recommendation before a claim was submitted. The court rejected the government’s arguments for a lower causation standard, citing the need to limit overbroad FCA claims and require proper proof of causation. Healthcare providers still face liability through false certification theories, which don’t require proving causation. The government appears to be shifting toward using false certification arguments rather than relying on the 2010 amendments that created the causation requirement.
- The Justice Department has launched a civil fraud investigation into UnitedHealth Group’s Medicare billing practices, focusing on how the company records diagnoses that trigger extra payments from Medicare Advantage plans. The investigation follows Wall Street Journal reports that UnitedHealth received $8.7 billion in federal payments in 2021 for diagnoses added to patient records without doctor treatment, with each nurse home visit generating an average of $2,735 in additional payments. The DOJ has interviewed medical providers about UnitedHealth’s practices of promoting specific diagnoses and offering incentives to add them to patient records, while the company’s shares fell 7% on news of the investigation, erasing $30 billion in market value. This probe adds to existing scrutiny of the $400 billion company, which includes a separate antitrust investigation and a lawsuit to block its $3.3 billion acquisition of Amedisys.
Texas Legislation
- The Texas Legislature has introduced a bill requiring electronic health records to include dedicated spaces for recording biological sex and sexual development disorders. The legislation defines biological sex based on reproductive system function and mandates that medical algorithms use this recorded biological sex for treatment decisions. Health care providers can only amend the recorded biological sex to correct clerical errors or if a patient is diagnosed with a sexual development disorder. The bill, if passed, will take effect September 1, 2025. The new requirements will apply only to electronic health records created after the law’s effective date.
- A Texas State Senator filed a bill requiring explicit consent for medical research on corpses in Texas. The legislation responds to an NBC News investigation that revealed UNT Health Science Center used unclaimed bodies for experiments and leased body parts to companies without contacting families. Current Texas law allows medical institutions to use unclaimed bodies after attempting to notify relatives within 72 hours, but the new bill would require prior written consent from the deceased or next of kin. Following the investigation, UNT Health Science Center leaders were fired, the Willed Body Program was suspended, and the university president stepped down, while Tarrant County ended its relationship with the program.
HIPAA
- The U.S. Department of Health and Human Services has proposed updates to HIPAA Security Rule requirements in a new Notice of Proposed Rulemaking. The updates include mandatory implementation specifications for contingency plans, requiring exact backup copies of electronic protected health information and system restoration within 72 hours of an event. The proposal introduces a new vulnerability management standard requiring automated scanning every six months, ongoing monitoring of known vulnerabilities, annual penetration testing, and timely software patches. Business associates must notify covered entities within 24 hours of activating contingency plans, and regulated entities must maintain written security incident response procedures. The public comment period for these proposed changes ends March 7, 2025.
- The US Department of Health and Human Services issued a proposed update to the HIPAA Security Rule in June 2024 to strengthen cybersecurity requirements for electronic protected health information. Mobile healthcare apps present unique security challenges, with 79% of healthcare organizations experiencing API-related security incidents in 2023. The proposed rule needs specific requirements for mobile app security, including protection against cloned apps, device manipulation, man-in-the-middle attacks, and API key exposure.
Medicare
- Medicare Advantage plans required approximately two prior authorizations per enrollee in 2023, while Traditional Medicare required only 0.01 per beneficiary. Prior authorization requests for Medicare Advantage plans increased to 50 million in 2023, up from 42 million in 2022, despite CMS rules aimed at reducing these requirements. A Senate report revealed that the three largest Medicare Advantage insurers intentionally denied prior authorizations to increase profits, with UnitedHealthcare’s denial rate for skilled nursing facility stays rising 800% between 2019 and 2022. While 3.2 million prior authorization requests were denied in 2023, only 11.7% were appealed, though 81.7% of appeals resulted in overturned denials. The process impacts skilled nursing facilities through delayed admissions, reduced patient volume, and revenue loss.
- Medicare physician payments have seen only an 11% increase from 2001 to 2021 while practice costs rose 39%. The Centers for Medicare & Medicaid Services implemented a 2.83% reimbursement cut for 2025, prompting concerns about practice viability and patient access. Congress replaced the problematic Sustainable Growth Rate formula with MACRA in 2015, introducing value-based payment models through MIPS and APMs. A bipartisan bill called the Medicare Patient Access and Practice Stabilization Act was introduced in January 2025 to reverse the cuts, with a critical March 14 deadline looming for Congress to act on budget measures that could affect physician payments.
AI in Healthcare
- A new American Medical Association survey reveals that physician acceptance of AI in healthcare has increased, with 35% now showing enthusiasm compared to 30% in 2023. The adoption rate of AI tools among physicians has jumped from 38% to 66% between 2023 and 2024. The survey, conducted from August 2023 to November 2024, found that 57% of physicians view AI’s potential to reduce administrative tasks as a key benefit. Physicians prioritize data privacy (87%), feedback channels (88%), and EHR integration (84%) for AI implementation.
- Colorado’s new Artificial Intelligence Act will take effect on February 1, 2026, requiring healthcare providers to prevent algorithmic discrimination in AI systems that make consequential decisions about patient care. The law mandates that organizations using high-risk AI systems implement risk management policies, conduct impact assessments, and provide transparency about AI usage to patients. Healthcare providers must notify individuals before AI makes consequential decisions and allow appeals for adverse outcomes, while the Colorado Attorney General holds exclusive enforcement authority. Organizations with fewer than 50 employees who don’t train their own AI models are exempt from many compliance requirements, though the law’s reach extends to any business serving Colorado residents.
Antitrust
- President Trump’s return to the White House signals a shift in antitrust enforcement approach for private equity firms. The administration has appointed Andrew Ferguson as FTC chair and nominated Gail Slater to lead the DOJ’s antitrust division, replacing Lina Khan and Jonathan Kanter respectively. The Trump administration is expected to be more accepting of negotiated settlements and divestitures involving private equity, moving away from the Biden administration’s stricter stance on merger enforcement and roll-up acquisitions. While antitrust scrutiny will continue, particularly in Big Tech and healthcare sectors, new HSR premerger notification rules taking effect in February 2025 will require closer monitoring of interlocking directorates. PE firms must maintain compliance protocols for board appointments as the new HSR form enhances the ability to detect potential violations of Section 8 of the Clayton Act.
- States are taking a more active role in healthcare antitrust enforcement through state-level transaction notification regimes known as “Baby HSRs” or “Mini HSRs.” These state regulations impose requirements on healthcare transactions that may fall below federal HSR Act thresholds, with states implementing additional scrutiny for private equity involvement in healthcare deals. States cite concerns that profit motives could reduce quality of care as justification for increased oversight of private equity transactions. The regulations vary by state, with some imposing more stringent requirements than federal rules, and many states continue to implement or expand their healthcare transaction approval processes.
Biometric Data
- Three states in the U.S. – Illinois, Texas, and Washington – have established laws to regulate biometric data collection and usage. Illinois’ BIPA stands as the strictest law, requiring written notice, explicit consent, and public data retention schedules, while allowing individuals to file lawsuits for violations. Texas’ CUBI and Washington’s statute mandate notice requirements and data protection measures but do not permit private lawsuits. Organizations must comply with these regulations when collecting biometric data such as facial features, voice patterns, and fingerprints, while implementing security measures to protect this information.
Drugs & Devices
- A Texas judge ordered Dr. Maggie Carpenter to pay over $100,000 in penalties for prescribing abortion pills via telemedicine to a woman near Dallas. New York Governor Kathy Hochul rejected Louisiana’s request to extradite Carpenter, who faces criminal charges in Louisiana for prescribing abortion pills to a minor. The Texas ruling includes an injunction preventing Carpenter from prescribing abortion medication to Texas residents, while Louisiana’s case marks the first criminal charges against a doctor for prescribing abortion pills across state lines. Both cases will test New York’s shield law, which protects doctors who prescribe abortion medication to patients in states where abortion is restricted.
- Texas convenience stores are selling synthesized Kratom products containing 7-Hydroxymitragynine, a substance that acts like opioids in the brain. While natural Kratom has been used traditionally in Southeast Asia, companies are now creating concentrated pills that are 97% pure 7-OH, far exceeding the 2% limit set by Texas law. The Texas Kratom Consumer Protection Act outlaws these synthetic versions, but state officials are not enforcing the regulations. The Global Kratom Coalition reports 24 million Americans use Kratom, though the synthesized versions sold in stores can lead to addiction and withdrawal symptoms.
- The FDA has published final guidance on communications about unapproved uses of approved medical products on January 6, 2025. The guidance defines SIUU communications as firm-initiated exchanges with healthcare providers about scientific information on unapproved uses, requiring specific disclosures and source publications. The document clarifies what constitutes “scientifically sound” studies, removes requirements for plain language, and provides new rules about separating promotional from scientific communications. The guidance also addresses “calls to value,” prohibiting communications that pre-judge product benefits while allowing those that present scientific information for clinical decision-making. The FDA maintains core policies while requiring firms to update their internal procedures to align with the new guidance.
- The FDA has issued its first guidance on using artificial intelligence models in drug development and regulatory submissions, with a public comment period open through April 7. The guidance introduces a seven-step risk-based framework for assessing AI model credibility, covering nonclinical, clinical, postmarketing, and manufacturing phases while excluding drug discovery and operational efficiencies. FDA recommends implementing life cycle maintenance plans to monitor AI models’ ongoing performance and ensure they remain suitable for their context of use. The guidance emphasizes early engagement with FDA through various programs like the Center for Clinical Trial Innovation and the Complex Innovative Trial Design Meeting Program. President Trump signed an executive order on January 23 to remove barriers to AI leadership, rescinding previous Biden administration restrictions on AI development.
Fraud & Abuse
- Healthcare fraud schemes are increasingly using AI to generate false claims and clone medical records, with losses representing 3% of total healthcare expenditures, amounting to $144 billion annually based on 2023’s $4.8 trillion U.S. health spending. Healthcare organizations are implementing both supervised and unsupervised machine learning models to detect fraud patterns and suspicious billing behaviors. The technology helps special investigation units identify emerging fraud schemes more quickly than traditional rules-based systems. Health plans are advised to use AI as a complement to human expertise while implementing strategies such as cross-plan data analysis and verification of member tips.
- The Department of Justice charged 193 defendants, including 76 medical professionals, in healthcare fraud schemes totaling $2.75 billion in intended losses and $1.6 billion in actual losses during the 2024 National Health Care Fraud Enforcement Action. The fraud cases involved wound grafts, unlawful prescriptions, telemedicine schemes, and laboratory fraud, with Medicare Advantage insurers allegedly overcharging CMS by $83 billion in 2024. The DOJ plans to continue prioritizing enforcement of opioid-related crimes, unnecessary services, substandard care, and Covid-19 fraud cases. Despite potential changes under the Trump administration, healthcare fraud enforcement will likely remain a priority due to its revenue generation for the government. In response, physicians are increasingly moving to cash-based practices to avoid regulatory burdens, though those accepting federal plans must maintain compliance systems and seek legal counsel for business arrangements.
Pharma
- The Department of Health and Human Services has postponed the effective date of modifications to NCPDP Retail Pharmacy Standards and Medicaid Pharmacy Subrogation Standard to April 14, 2025. The delay follows President Trump’s January 20 memorandum calling for a regulatory freeze pending review, with Acting Secretary Dorothy A. Fink citing the need to review questions of fact, law, and policy. The final rule updates standards for electronic healthcare transactions, including claims, eligibility, authorization, and benefits coordination. The postponement will affect the compliance timeline, pushing the full compliance date beyond February 2028, and allows time to correct an error in the transition period calculation that was originally set to begin August 11, 2027, but should have been June 11, 2027. The HHS has waived notice and comment requirements, making the delay effective immediately upon Federal Register publication.
Private Equity
- A report released by federal agencies analyzing over 2,000 public comments reveals concerns about healthcare industry consolidation and private equity investment. The report identifies issues including higher prices from provider consolidation, quality reductions in PE-backed transactions, and PE firms controlling up to 50% of physician practices in some metropolitan areas. Studies show PE acquisitions correlate with safety issues and reduced quality in healthcare facilities, while physicians report concerns about understaffing and restricted referrals. In response, Massachusetts passed legislation in 2025 granting new powers to review healthcare transactions involving PE firms, though the federal agencies’ continued focus on PE may shift under the Trump administration.
- Private equity firms were connected to 56% of large corporate bankruptcies across industries in 2024, with healthcare showing a particularly high rate. Of eight major healthcare bankruptcies with liabilities over $500 million, seven involved companies with private equity ownership history. The healthcare sector’s 21% rate of private equity-related bankruptcies exceeded the broader economy’s 11% rate and matched 2023 levels. The Private Equity Stakeholder Project reports these bankruptcies can result in healthcare facility closures and disrupted patient care. Valentina Dabos from PESP emphasizes these trends raise concerns for policymakers, investors, and consumers.
- Healthcare mergers and acquisitions are expected to increase in 2025 as inflation eases and interest rates decline. Private equity transactions with physician practices typically involve a combination of cash payment and rollover equity through management services organizations, with rollover equity potentially comprising up to 40% of deal value. While orthopedic and spine surgery groups have historically resisted private equity investment due to their profitable ancillary services, this resistance is weakening except among mega-groups. Transaction success requires broad stakeholder support, experienced advisors, regulatory compliance, and careful structuring of tax treatment and indemnification terms. Generational differences often emerge in these deals, as older physicians typically receive larger portions of purchase price while younger doctors face career-long relationships with financial investors.
- The Senate Budget Committee and HHS released reports in January 2025 examining private equity ownership in healthcare. The reports identified concerns including reduced care quality, facility closures, higher costs, understaffing, and lack of ownership transparency. HHS proposed new oversight measures including expanded transparency requirements, lower merger reporting thresholds, and increased enforcement against hospital consolidation. The reports recommend PE firms maintain compliance through monitoring regulations, documenting quality metrics, and implementing strong compliance programs. The impact of these potential changes under the Trump administration remains uncertain.
Telehealth
- Healthcare technology trends in 2025 include a shift in telehealth usage to focus on behavioral health and specialist care. Hospitals are expanding AI applications through dedicated centers and AI scribes, while implementing LiDAR sensors and wearable devices for patient monitoring. Remote patient monitoring and hospital-at-home programs continue to grow as medical centers face staffing challenges. Cybersecurity remains critical after ransomware attacks doubled in 2024, affecting over 1,000 U.S. hospitals and prompting healthcare organizations to strengthen their security measures and vendor oversight. AI tools are being developed to detect network breaches and automate tasks like appointment scheduling and medical billing.
Ambulatory Surgery Centers
- United Surgical Partners International, Surgical Care Affiliates, and Amsurg Corporation lead the ambulatory surgery center market with 520, 320, and 250 centers respectively. CMS approved 21 new procedures for ASC coverage in 2025, focusing on dental and regenerative therapy services, while implementing a 2.9% Medicare payment increase. Major consolidation occurred through acquisitions and partnerships, with USPI acquiring 45 new centers including Covenant Physician Partners, though 67% of ASCs remained independent. Several states reformed Certificate of Need laws, with North Carolina and Tennessee planning full repeals for ASCs by 2025 and 2027 respectively, while Georgia introduced exemptions for single-specialty centers. The migration of high-acuity procedures to ASCs continued, with Surgery Partners reporting a 50% increase in total joint cases, while lower-acuity procedures moved to office-based settings.
Cybersecurity & Ransomware
- The Trump administration has indefinitely suspended all meetings of the Health Information Technology Advisory Committee (HITAC). The committee, established by the 21st Century Cures Act in 2016, consists of 25 members who recommend policies and standards for healthcare data and technologies to the federal government. The Trump administration has also paused other health agency communications and removed certain healthcare data from federal websites.
- Several healthcare organizations faced ransomware attacks in January 2025, including New York Blood Center Enterprises which affected locations across multiple states, and Frederick Health in Maryland which disrupted IT systems and led to patient diversions. Matagorda County, Texas experienced a network outage due to a cyberattack, while Texas Tech University Health Sciences Center disclosed a ransomware attack affecting 533,874 individuals. Despite these incidents, blockchain analysis firm Chainalysis reported a 35% decrease in ransom payments in 2024 compared to 2023, attributing this decline to increased law enforcement action and more victims refusing to pay.
- The HHS Office for Civil Rights has proposed new cybersecurity measures for healthcare providers under HIPAA, including mandatory vulnerability scanning every 6 months and expanded annual risk analyses. Healthcare providers must implement cybersecurity protections through staff training, limited access controls, and strong password protocols to prevent data breaches. New regulations require signed attestations for reproductive health information disclosures, with additional privacy protections becoming mandatory by February 16, 2026.
Emerging Technology
- Healthcare law in 2025 will focus on four key areas of technological advancement and regulation. AI implementation in healthcare requires new legal frameworks to address risks, errors, and biases, while HIPAA and HITECH compliance becomes critical for protecting patient data against cyberattacks. Telehealth expansion drives changes in licensing requirements and reimbursement policies, while the healthcare industry continues its shift from fee-for-service to value-based care models following the ACA’s implementation. These changes necessitate new regulations for data-sharing, antitrust considerations, and risk-sharing arrangements to protect both patients and healthcare professionals.
- Healthcare providers currently use AI for tasks including disease diagnosis, chart preparation, and treatment planning. The technology presents legal risks in four main areas: HIPAA privacy violations when using public-facing AI platforms, malpractice concerns in the informed consent process, uncertainty about liability when AI recommendations lead to incorrect treatments, and potential billing errors that could trigger false claims allegations. Healthcare providers must maintain human oversight of AI systems and cannot use AI reliance as a defense against malpractice claims, while failure to use available AI technology could also create liability risks. Doctors must disclose AI use to patients during the informed consent process and ensure all AI systems comply with HIPAA requirements.
- Healthcare systems have transformed to prioritize patient accessibility through technology-enabled solutions. Remote consultations, online prescriptions, and digital platforms now allow patients to receive care without disrupting their routines. Healthcare providers maintain safety through strict regulatory compliance and secure technology for patient data protection. Artificial intelligence and wearable devices enable real-time monitoring and early detection of health risks, while electronic health records improve communication between medical professionals. The integration of these technologies creates a healthcare system that balances convenience with quality care standards.
- AI is being used in healthcare for tasks including disease diagnosis, chart preparation, pre-authorization, and treatment planning. Healthcare providers must ensure AI systems meet HIPAA requirements and avoid using public-facing AI platforms that could compromise patient privacy. Doctors remain liable for malpractice even when using AI for diagnosis and treatment recommendations, and must disclose AI use to patients during the informed consent process. The technology can create liability for coding and billing errors if incorrect recommendations are followed.
HIPAA
- The U.S. Department of Health and Human Services announced new HIPAA security rules taking effect March 7, 2025. The updates remove the distinction between “required” and “addressable” standards, making all security measures mandatory with limited exceptions. The changes mandate encryption for all electronic protected health information, require multi-factor authentication, and establish requirements for vulnerability scanning and penetration testing. Healthcare organizations and their business associates must comply with these rules or face penalties up to $50,000 per violation with a maximum of $1.9 million per year, plus potential jail time of 1-10 years. Human error remains the leading cause of healthcare data breaches at 76%, highlighting the need for these enhanced security measures.
- HIPAA-regulated entities must report 2024 data breaches affecting fewer than 500 individuals to the HHS Office for Civil Rights by March 1, 2025. The HIPAA Breach Notification Rule requires entities to notify affected individuals within 60 days of breach discovery, with breaches affecting 500 or more residents requiring additional media notifications. For smaller breaches affecting fewer than 500 individuals, organizations can submit reports annually through the OCR data breach portal, with each breach reported separately. Business associates must notify covered entities of breaches within 60 days, though covered entities can delegate notification responsibilities back to their business associates while retaining ultimate responsibility for compliance. Failure to meet these deadlines may result in financial penalties for non-compliance.
Physician Fee Schedule
- The Medicare Physician Fee Schedule for 2025 introduces a conversion factor decrease to $32.3465, representing a 2.83% reduction from 2024. The Medicare Economic Index projects a 4.9% increase in practice costs while payments decline, creating financial pressure on healthcare providers. Care management services see notable increases, with chronic care management codes rising 8-15% and new behavioral health integration codes gaining 12-18%. Geographic Practice Cost Indices show significant adjustments in major metropolitan areas, with San Francisco maintaining the highest PE GPCI at 1.842. The MIPS program maintains its 75-point threshold with potential penalties reaching 9% for underperformers, while high performers can receive bonuses averaging 1.31%.
Dental
- Dental plans distinguish between non-covered services and disallowed services in their payment policies. Non-covered services are those not included in a patient’s dental plan due to limitations or exclusions, while disallowed services are covered procedures that the plan refuses to pay for due to deficiencies or improper execution. Participating dentists must follow fee schedule limits even for non-covered services and file claims unless patients pay out-of-pocket and request no filing under HIPAA rules. When services are disallowed, dentists cannot bill patients or retain payments, though they may contest these determinations through their participation agreements. HIPAA allows patients to prevent claim filing by paying in full and making a written request.
Fraud & Abuse
- The U.S. Department of Justice recovered $1.67 billion in healthcare fraud settlements in 2024, with major developments including a new whistleblower program targeting private insurer fraud. The DOJ launched increased scrutiny of private equity and venture capital firms in healthcare, examining their influence on portfolio companies and patient care. The Civil Cyber Fraud Initiative secured $14 million in settlements related to cybersecurity violations, while the FDA strengthened its focus on medical device cybersecurity through new guidance documents and enforcement actions. The government expanded whistleblower incentives with rewards up to 30% of recovered funds for the first $100 million, signaling continued emphasis on fraud detection and prevention.
Healthcare Delivery
- The United States faces a physician shortage of 50,000 doctors, with projections indicating this number could reach 80,000 by 2035. The shortage affects multiple specialties, with cardiology expected to experience a 17% deficit by 2035, while thoracic surgery and ophthalmology face potential deficits of 31% and 30% respectively. The situation in cardiology appears particularly concerning as 54% of general cardiologists are 55 or older, compared to 38-40% of primary care providers in the same age range. Training new physicians requires 12 or more years of education, making immediate solutions difficult. AMN Healthcare’s report suggests focusing on workforce management and improving working conditions to retain existing physicians.
- Amazon has partnered with Teladoc Health to expand its healthcare offerings, including virtual care and chronic condition management through its Health Benefits Connector. Walmart has launched same-day pharmacy delivery across 49 states, integrating pharmacy, merchandise, and grocery into a single online order with 15,000 pharmacists nationwide. AWS has partnered with General Catalyst to develop AI-driven healthcare solutions, while also expanding its collaboration with Booz Allen Hamilton for government technology solutions. Walmart plans to launch a drone delivery system at its Kaufman, Texas location through a $750,000 project with Alphabet’s Wing. The companies continue to compete through technological innovation, with Amazon projecting double-digit revenue growth over the next five years.
- Dr. Margaret Daley Carpenter, a New York doctor and co-founder of the Abortion Coalition for Telemedicine, was indicted by a Louisiana grand jury for prescribing abortion medication via telehealth to a woman in Louisiana. The case marks the first criminal charges against a physician for prescribing abortion medication to a patient in a state where they don’t practice and will test New York’s shield law, which protects providers from out-of-state prosecutions. Louisiana, which bans abortion except in cases of rape and incest, classified abortion medications as Schedule IV controlled substances last year. New York Governor Kathy Hochul has stated she will not comply with any extradition requests from Louisiana, while Attorney General Letitia James condemned the charges.
HIPAA
- The U.S. Department of Health and Human Services has proposed new HIPAA Security Rule updates through a Notice of Proposed Rulemaking that will affect group health plans and their sponsors. The updates require plan documents to explicitly connect safeguards to provisions applying to covered entities and business associates, while mandating sponsors report security incidents within 24 hours of contingency plan activation. Plan sponsors must amend existing documents to reflect these changes, though many may already have compliant procedures in place. HHS is seeking input on implementation deadlines and potential transition periods for document amendments, with future updates expected to address encryption, multi-factor authentication, and administrative controls.
Hospice
- The U.S. hospice care industry faces significant transformation as private equity firms acquire providers, with nearly three-quarters now under for-profit ownership. The number of Americans aged 65 and older will increase 47% to 82 million by 2050, intensifying demand for hospice services. For-profit ownership has led to challenges including staff burnout, reduced care quality, and increased billing issues, while workforce shortages limit access to services. Non-profit organizations are positioned to address these challenges through integration with broader healthcare systems, increased collaboration between providers, and adoption of new technologies like AI and telehealth. The industry must focus on improving quality standards and accessibility while maintaining the core mission of providing comprehensive end-of-life care.
Innovative Technology
- The FDA issued draft guidance on January 7, 2025, establishing a framework to assess AI model credibility in drug and biological product development. The guidance outlines a 7-step process for evaluating AI models throughout the drug product lifecycle, including defining questions of interest, determining context of use, assessing risks, developing credibility plans, executing plans, documenting results, and determining model adequacy. The framework requires sponsors to provide detailed documentation about model development, training data, and evaluation processes while emphasizing ongoing performance monitoring. The FDA is accepting public comments until April 7, 2025, and encourages early engagement with organizations on AI credibility assessment.
- German researchers have developed a method to repair heart damage using stem cells, with trials showing results in both primates and humans. The heart contains specialized muscle cells called cardiomyocytes which stop dividing after maturity, meaning damage from injury or infection becomes permanent. Blocked blood vessels can kill these cells, leading to reduced heart function and death. Scientists attempted to address this by converting induced pluripotent stem cells into cardiomyocytes and injecting them into damaged hearts, though initial animal experiments showed mixed results.
- Proposed Texas House Bill 2298, relating to a health care facility grant program supporting the use of artificial intelligence technology in scanning medical images, would establish a grant program to support health care facilities in the state in using artificial intelligence (AI) technology for cancer detection through medical imaging. Eligible applicants include hospitals and federally qualified health centers within the state. The program, administered by a commission, requires applicants to provide matching funds and submit a detailed plan for AI technology use, including physician oversight and scanning capacity. Grants, limited to $250,000, are awarded annually to no more than five recipients. Recipients must report on the effectiveness of AI in cancer detection within a year.
Medicaid
- In Texas, where postpartum Medicaid coverage was extended from 2 months to 12 months in 2023, implementation has faced significant challenges. The program now covers more than 265,000 pregnant and postpartum Texans, but many patients remain unaware of their extended benefits and struggle to access care. Texas healthcare providers report confusion about the new coverage rules, with many doctors learning about the changes through billing departments rather than official communications. The state’s recent removal of people from Medicaid rolls has complicated matters further, with many postpartum women having to fight to reinstate their coverage. Structural issues like provider shortages and limited mental health screening coverage continue to hinder access to care under the expanded program.
Private Equity
- Private equity firms have invested hundreds of billions of dollars in healthcare over the past 15 years, leading to increased scrutiny from the Department of Justice under the False Claims Act. PE firms typically use leveraged buyouts to purchase companies, leaving portfolio companies with substantial debt burdens that can complicate FCA enforcement and recoveries. The DOJ has two main options for addressing fraud in PE-owned healthcare companies: pursuing fraudulent transfer claims under the Federal Debt Collection Procedures Act and targeting individual liability, particularly former owners who received cash payouts during buyouts.
Antitrust & Competition
- The Federal Trade Commission has reached a settlement with private equity firm Welsh, Carson, Anderson & Stowe over U.S. Anesthesia Partners’ market consolidation in Texas. USAP, which operates in 700 facilities with 4,500 clinicians nationwide, acquired multiple anesthesia practices in Dallas between 2014 and 2016, gaining control of 40-50% of the market. The settlement prohibits Welsh Carson from increasing its ownership stake in USAP, limits board representation, and requires FTC notification for future healthcare acquisitions. In a related case, USAP faced similar restrictions in Colorado, where it controlled 86.7% of inpatient surgeries by 2021, leading to a $200,000 settlement and contract divestitures.
- With President Trump taking office and Andrew Ferguson becoming FTC Chair, significant changes are coming to healthcare antitrust enforcement. The Biden administration took an aggressive approach to healthcare antitrust enforcement, challenging mergers, investigating pharmacy benefit managers, and withdrawing previous policy guidance. The Trump administration is expected to continue scrutiny of healthcare industry concentration and PBMs while potentially reinstating clearer guidance for businesses. States like California will maintain their own strict healthcare antitrust enforcement regardless of federal changes. New FTC Chair Ferguson has indicated openness to reforming rather than completely rescinding the 2023 merger guidelines.
- The Federal Trade Commission released a Second Interim Staff Report on January 15, 2025, revealing that prescription drug spending rose from $393 billion in 2016 to $600 billion in 2023. The report found that pharmacies affiliated with the three largest Pharmacy Benefit Managers (PBMs) received 68% of specialty drug revenue in 2023, with markups reaching over 1,000% on some medications. The investigation uncovered that affiliated pharmacies generated $7.3 billion in revenue above acquisition costs, while PBMs earned $1.4 billion through spread pricing practices. The FTC plans to continue its investigation, particularly focusing on potential violations of the Robinson-Patman Act, while states consider additional PBM regulations. The Commission concluded that specialty generic drugs have increasing financial importance and require further investigation into pricing practices.
Emerging Technologies
- The Office for Civil Rights published a final rule on May 6, 2024, regulating the use of AI and other patient care decision support tools in healthcare settings. The rule applies to recipients of federal financial assistance, HHS, and entities under the Affordable Care Act, requiring them to identify and mitigate discrimination risks in their use of these tools. A January 10, 2025 “Dear Colleagues” letter provides guidance on compliance, including requirements for risk identification through methods like AI registries and vendor information gathering. The general prohibition on discrimination took effect July 5, 2024, while requirements for risk identification and mitigation will begin May 1, 2025. A nationwide injunction currently stays enforcement of portions related to gender identity discrimination.
- President Trump has rescinded the Biden administration’s executive order on AI safety, halting requirements for company safety testing reports while existing recommendations and research initiatives remain in place. The Trump administration is pursuing a $100 billion partnership with OpenAI, SoftBank, and Oracle for technology infrastructure development, while maintaining Biden’s executive order on data centers. Industry experts are divided on the implications, with some concerned the move will weaken AI safety efforts globally, while others see opportunities for companies to establish rules under new leadership. Congress and state legislatures continue working on AI legislation as the U.S. approach to AI regulation shifts.
Cybersecurity & Ransomware
- A new report shows that 84% of healthcare organizations detected cyberattacks on their infrastructure in the past year. Phishing emerged as the primary threat for on-premises systems, while account compromise affected 74% of healthcare organizations in cloud environments. The attacks led to financial losses for 69% of healthcare organizations, exceeding the cross-industry average of 60%. The consequences included leadership changes in 21% of cases and legal action in 19% of affected healthcare organizations, both rates higher than the 13% average across other industries.
- The cyberattack on Change Healthcare in February 2024 compromised the data of more people than originally thought. The ALPHV/BlackCat ransomware gang claimed responsibility for the attack, which disrupted over 100 healthcare applications and impacted thousands of pharmacies and healthcare providers. The breach exposed sensitive information including names, Social Security numbers, medical records, and insurance details, resulting in $1.1 billion in costs for UnitedHealth Group. The final impact assessment increased significantly from initial estimates of 100 million affected individuals to the current figure of 190 million.
- In 2024, multiple states enacted data privacy laws, with California and Texas implementing significant regulations while seven other states passed comprehensive privacy legislation. The Federal Trade Commission increased enforcement against data brokers and companies handling sensitive data, requiring new safeguards for location data and expanding breach notification rules. States including California, Colorado, and Utah passed AI-specific regulations targeting high-risk AI systems and requiring safeguards and disclosures. Massachusetts narrowed its wiretapping law scope regarding website tracking technologies, while Washington and Nevada enacted laws protecting consumer health data outside HIPAA. State enforcement actions ramped up, with California and Texas leading investigations into data collection practices and improper data sharing.
Fraud & Abuse
- The Second Circuit Court of Appeals has joined other federal circuits in adopting the “at least one purpose rule” for Anti-Kickback Statute violations. Under this rule, a payment violates the AKS if any single purpose of the payment was to induce patient referrals, even if other legitimate reasons for the payment exist. In the case before the court, Steven Camburn alleged Novartis violated the False Claims Act by providing improper payments to physicians through speaker programs to encourage prescriptions of their multiple sclerosis drug Gilenya. The Second Circuit found sufficient evidence in three categories of allegations: speaker programs without legitimate attendees, excessive compensation for canceled events, and strategic speaker selection to induce prescriptions. The court joins the Third, Fifth, Seventh, Ninth, and Tenth Circuits in applying this interpretation, with the First and Fourth Circuits also assuming this standard.
- The Department of Justice and qui tam relators filed a record-breaking 1,402 new False Claims Act cases in 2024, representing a 16% increase from 2023’s previous record. Total recoveries reached $2.9 billion, with $2.2 billion coming from qui tam suits where DOJ intervened. A Florida federal court ruled the FCA’s qui tam provisions unconstitutional under the Appointments Clause, though this decision faces uncertain prospects on appeal. The second Trump administration is expected to continue aggressive FCA enforcement while potentially limiting reliance on sub-regulatory guidance and increasing voluntary dismissals of qui tam cases. President Biden also signed into law the Administrative False Claims Act, expanding agencies’ ability to pursue claims up to $1 million through administrative proceedings.
- Three Texas healthcare providers settled Stark Law violation cases for a total of $21.3 million in 2024. Horizon Medical Center paid $14.2 million for improper service identification and problematic financial relationships, while Little River Healthcare’s CEO Jeffrey Madison paid $5.3 million for illegal kickback schemes and received a 25-year exclusion from federal healthcare programs. Dr. Mohammad Athari in Houston paid $1.8 million for referring patients to his own diagnostic centers between 2014 and 2021, violating laws that prohibit physicians from referring patients to facilities where they maintain financial interests. The Department of Justice continues to pursue healthcare fraud cases, focusing on both institutions and executives who violate federal healthcare regulations.
- Northwest Anesthesiology and Pain Services (NWAP) has agreed to pay $999,999 to resolve Medicare claims violations. The Houston-based provider hired Stacey Green and Remedy Physician Solutions in 2019 to manage pain practices, where Green implemented bonus payments based on lab referrals rather than productivity. Between 2019 and 2021, NWAP paid $1.8 million in bonus payments through this system, which the government deemed improper kickbacks for referrals. NWAP self-disclosed the violations to authorities and cooperated with the investigation conducted by the U.S. Attorney’s Office and Department of Health and Human Services Office of Inspector General.
Health Policy
- Drug pricing and health care fraud remain central issues as Robert F. Kennedy Jr. and Marty Makary await confirmation as HHS secretary and FDA commissioner. The Trump administration continues implementation of drug price negotiations under the Inflation Reduction Act despite pharmaceutical industry litigation, while ACA subsidies face expiration in 2025. Health care fraud enforcement priorities include clinical trial fraud, cybersecurity, and product referral arrangements, with FDA focusing on medical device cybersecurity and AI software guidance. The reauthorization of OMUFA in 2025 presents opportunities to address drug shortages, biosimilar substitution rules, and dietary supplement regulations, while the FDA maintains its focus on the opioid epidemic and real-world evidence for rare disease treatments.
Health Administration
- VMG Health explores how Occam’s Razor principles can improve healthcare administration. The principle advocates for simplifying complex healthcare systems by focusing on essential elements in areas like patient discharge, resource allocation, and regulatory compliance. Healthcare organizations can streamline operations through vendor consolidation, automated compliance platforms, and simplified communication protocols. The approach emphasizes removing unnecessary steps while maintaining quality care and meeting regulatory requirements. The article notes that while simplification is beneficial, administrators must balance efficiency with the inherent complexity of healthcare operations.
HIPAA: Enforcement
- The U.S. Department of Health and Human Services Office for Civil Rights has announced six enforcement actions in early 2025, focusing on three key initiatives: Right of Access, Risk Analysis, and Ransomware protection. The enforcement actions include penalties ranging from $10,000 to $3,000,000 for violations involving ransomware attacks, phishing incidents, and failure to provide timely access to medical records. The cases affected over 175,000 individuals’ protected health information and involved both healthcare providers and business associates. OCR emphasizes that organizations must conduct regular risk analyses, implement security measures, and ensure prompt access to patient records to avoid future enforcement actions.
HIPAA: Security Rule
- The U.S. Department of Health and Human Services published proposed updates to the HIPAA Security Rule on January 6, 2025, marking the first major revision since 2013. The new requirements mandate business associates to notify covered entities within 24 hours of activating contingency plans and provide annual verification of technical safeguards. Business Associate Agreements must be updated to include these new provisions within one year and 60 days after the Final Rule publication, with a transition period available for existing agreements. The proposal allows covered entities to appoint business associates as Security Officers while maintaining ultimate compliance responsibility, and the HHS Office for Civil Rights will accept comments through March 7, 2025. The changes will affect both current and future business associate relationships, requiring updates to vendor management programs and security risk assessment processes.
- The Department of Health and Human Services Office for Civil Rights has published a notice of proposed rulemaking to strengthen HIPAA Security Rule requirements. The proposal eliminates flexible “addressable” specifications in favor of mandatory security controls and requires implementation of multifactor authentication, encryption, and data backup systems. Healthcare organizations must conduct annual risk analyses, compliance audits, and obtain written verification from business associates regarding security measures. The rule, open for comments through March 7, 2025, will take effect 60 days after final publication with a 180-day compliance period. Organizations must update their Business Associate Agreements within one year and implement stricter technical controls, including removing system access within one hour of employee termination.
Regulation & Oversight
- The White House removed inspectors general from most cabinet-level agencies through immediate termination emails sent on January 24. Between 12 and 17 inspectors general were dismissed without the legally required 30-day notice to Congress, with only the Department of Justice and Homeland Security IGs remaining in place. The dismissals sparked bipartisan concern, with Republican Senator Charles Grassley requesting explanation and Democratic leaders condemning the action as an attack on government oversight. At least one dismissed IG plans to report to work Monday, arguing the terminations violated federal law, while Hannibal Ware, chair of the Council of IGs, stated the removals appear legally insufficient. The White House provided no explanation for the dismissals beyond citing “changing priorities” in the termination notices.
Texas Medical Board Rules
- The Texas Medical Board implemented new rules that require medical spas and IV hydration clinics to post physician information and ensure staff wear identification. The rules consolidate delegation requirements under Chapter 169, mandating written documentation of all medical delegations and allowing physician assistants and advanced practice nurses to provide emergency consultations. Practitioner-patient relationships can now be established through in-person visits or telemedicine, while the Board plans to issue standardized forms for alternative medicine and review ketamine treatment regulations. The Board removed office medication dispensing limits but reminds physicians that state law still restricts supplying drugs beyond immediate patient needs.
AI Regulation in Healthcare
- The House Bipartisan Task Force on Artificial Intelligence released a 253-page report on December 17, 2024, outlining key recommendations for AI implementation in healthcare. The report highlights AI’s potential to reduce drug development time and costs from the current 12-year average, with the FDA having approved over 800 non-generative AI/ML-enabled medical devices. The Task Force identified challenges including interoperability issues between systems, liability standards for AI-related medical decisions, and the need to revise physician reimbursement models as AI increases efficiency. The report concludes with five recommendations focusing on safety, research support, risk management, liability standards, and payment mechanisms, while emphasizing that medical practitioners must maintain responsibility for AI-augmented decisions. The Task Force’s findings come as the incoming Trump administration signals a departure from the Biden-Harris Executive Order on AI regulation.
- The U.S. Department of Health and Human Services has released its AI Strategic Plan, a 200-page document outlining four key goals for AI in healthcare: catalyzing innovation, promoting trustworthy development, democratizing access, and cultivating AI-empowered workforces. The plan aims to accelerate scientific breakthroughs, improve clinical outcomes, enhance healthcare delivery, and respond to public health threats through AI implementation. HHS will provide funding through programs like Bridge2AI and TARGET, while addressing biosecurity and privacy risks through national guidelines and industry collaboration sandboxes. The initiative includes partnerships with organizations like NIH’s AIM-AHEAD consortium to ensure equitable AI access for underserved populations, while Premier Inc. has expressed support for the plan’s alignment with healthcare workforce enhancement and value-based care goals. The strategy includes development of talent pipelines through programs such as NIH’s DATA National Service Scholar Program to ensure long-term successful AI adoption in medical research and discovery.
- The California Attorney General released two legal advisories addressing AI regulation in California, one covering AI applications generally and another specifically targeting healthcare. The first advisory outlines existing California laws that apply to AI development and usage, including consumer protection, civil rights, and data protection laws, while also detailing new AI regulations effective January 1, 2025, covering disclosure requirements, likeness protection, and election material guidelines. The second advisory specifically addresses AI in healthcare settings, requiring healthcare entities to test, validate, and audit AI systems for safety and lawful use. Healthcare providers must maintain transparency about AI usage in patient care and data training.
- At CES 2025, FTC Commissioners discussed the agency’s approach to AI regulation. The Commissioners agreed on pursuing cases involving AI-related fraud and deception, though they differed on the extent of developer liability for AI tools misused by third parties, as evidenced in the Rytr and Sitejabber settlements. Both Commissioners expressed concerns about voice cloning fraud, with the FTC implementing an Impersonation Rule and launching a Voice Cloning Challenge to combat such scams. The discussion highlighted plans to investigate children’s interactions with AI chatbots through potential market studies. The Commissioners maintained a pro-innovation stance while acknowledging their differing views on enforcement approaches, suggesting continued FTC engagement with AI regulation in the next Administration.
Antitrust & Competition
- Welsh Carson agrees to pare back anesthesia market power to avoid new FTC suit. The Federal Trade Commission has reached a settlement with private equity firm Welsh Carson following allegations of anticompetitive behavior in the Texas anesthesia market through its portfolio company U.S. Anesthesia Partners. The agreement requires Welsh Carson to freeze its investment in USAP at minority levels, reduce its board representation to one seat, and obtain FTC approval for future anesthesia investments nationwide. The settlement comes after a federal court dismissed the FTC’s initial lawsuit in May 2024, and the FTC commissioners voted 5-0 to accept the agreement days before President-elect Trump’s administration takes office.
- The State of Colorado reached an agreement with Dallas-based U.S. Anesthesia Partners (USAP) requiring the company to divest contracts at five hospitals, modify noncompete agreements, and pay $200,000 in restitution. USAP, which employs 4,500 clinicians across 700 facilities nationwide, controlled 86.7% of Denver-area hospital anesthesia services by 2021 and charged 30-40% higher rates than competitors. The Federal Trade Commission filed a case in Texas’ Southern District in December 2023, alleging USAP engaged in similar practices there, where it has become the dominant provider in major cities through acquisitions of over a dozen practices, 1,000 doctors, and 750 nurses since 2012. The company’s reimbursement rates in Texas are double the median rate of other anesthesia providers in the state.
Cybersecurity & Ransomware
- A new report examines the major cybersecurity challenges facing healthcare organizations in 2025. The data reveals that 72% of medical imaging systems are internet-connected with vulnerabilities, while 82% of healthcare organizations report attacks originating from third parties. The report identifies three primary threat vectors: social engineering attacks, internet-facing devices with known exploitable vulnerabilities, and third-party risks. According to the 2024 Claroty State of CPS Survey, 26% of healthcare organizations lack proper threat detection capabilities, and 56% fail to utilize threat intelligence for cyber-physical systems. The article concludes that healthcare organizations must implement comprehensive cybersecurity measures including multi-factor authentication, regular software updates, and strict access controls to protect patient safety and service continuity.
- A new report revealed 1,204 confirmed ransomware attacks in 2024, with 195.4 million records compromised and $133.5 million paid in ransoms. The healthcare sector experienced 223 confirmed attacks, with 181 targeting healthcare providers and 42 affecting non-provider healthcare organizations, compromising over 141 million healthcare records total. The Change Healthcare attack was the most significant of 2024, resulting in $2.9 billion in losses and affecting 100 million individuals’ protected health information. RansomHub emerged as the most active ransomware group with 89 confirmed attacks, while the average ransom demand across all sectors was $3.5 million. In response, the HHS Office for Civil Rights has proposed updates to the HIPAA Security Rule, requiring healthcare organizations to implement enhanced cybersecurity measures including regular vulnerability scans, penetration testing, and encryption protocols.
Fraud & Abuse
- The Department of Justice released its annual report showing total civil fraud recoveries of $2.9 billion for FY2024, marking the fourth-lowest recovery since 2010. Healthcare industry recoveries hit a decade low at $1.67 billion, representing 57.3% of total recoveries, down from historical averages of over 80%. The number of qui tam lawsuits reached a record high of 979 in FY2024, with 609 cases outside healthcare, while qui tam recoveries accounted for 82% of total civil fraud recoveries at $2.2 billion. FY2025 has begun with $850 million in recoveries from Teva Pharmaceuticals and Raytheon, while the DOJ continues to focus on Medicare Advantage fraud, Anti-Kickback Statute violations, cybersecurity issues, and pandemic-related fraud schemes.
- A former Texas hospital CEO was sentenced to 36 months in federal prison and ordered to pay $5,343,630 for his role in a healthcare kickback conspiracy. The scheme involved Little River Healthcare, Stamford Memorial Hospital, and Boston Heart Diagnostics, where hospitals billed insurers at inflated rates for blood tests and shared profits with marketers who paid kickbacks to referring physicians through fake investment opportunities. A total of 21 defendants were indicted in the conspiracy, with several receiving prison sentences, while others pleaded guilty before trial. Peter Bennett was convicted for laundering over $2.7 million in kickback proceeds through sham trusts and shell corporations, while Robert O’Neal pleaded guilty to conspiracy charges related to arranging physician referrals and money laundering.
- A physician and his son pleaded guilty to a kickback conspiracy. The scheme involved the physician’s pain management clinic referring prescriptions for compound drugs to pharmacies where his son worked as a marketer, resulting in $6.6 million in kickback payments. The pair faces up to 5 years in prison and $250,000 in fines.
- A Fredericksburg physician was sentenced to 10 years in prison for a $70 million Medicare fraud scheme. A 61-year-old physician signed prescriptions and medical records for over 13,000 Medicare beneficiaries without examining them, resulting in $70 million in fraudulent Medicare claims for medical equipment and cancer genetic testing. The physician received $475,000 for his role in the scheme and must pay $26 million in restitution. In May 2024, he was convicted of conspiracy to commit healthcare fraud and three counts of false statements related to healthcare matters.
- A McAllen pharmacist has pleaded guilty in a $110 million healthcare fraud scheme. Between 2014 and 2016, the pharmacist paid $24 million in kickbacks to marketers who directed prescriptions for compound drugs to his pharmacy, resulting in $110 million in billings to federal health care programs. The pharmacist will be sentenced on March 25, where he faces up to five years in federal prison and a potential $250,000 fine.
HIPAA & Patient Confidentiality
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has intensified its focus on health data security and artificial intelligence. The agency published updates to the HIPAA Security Rule on January 6, 2025, requiring new security measures including encryption, multi-factor authentication, and annual audits. Between December 2024 and January 2025, OCR announced nine enforcement actions related to health data security and launched HIPAA audits of 50 regulated entities. The agency issued guidance on responsible AI use through Section 1557 regulations and a “Dear Colleague” letter, with new discrimination prevention requirements taking effect May 1, 2025. Healthcare organizations must review HIPAA risk analyses, strengthen security measures, and implement AI compliance protocols to meet OCR’s enhanced requirements.
- The U.S. Department of Health and Human Services Office for Civil Rights has reached a $3,000,000 settlement with Solara Medical Supplies following HIPAA violations related to a phishing attack that compromised 114,007 patients’ electronic protected health information through eight employee email accounts between April and June 2019. A second breach occurred when Solara sent 1,531 breach notification letters to incorrect addresses in January 2020. The investigation revealed Solara failed to conduct risk analysis, implement security measures, and provide timely breach notifications. Under the settlement terms, Solara must implement a two-year corrective action plan that includes risk analysis, security management, policy updates, and staff training.
- Memorial Healthcare System has settled an alleged HIPAA Right of Access violation with the U.S. Department of Health and Human Services’ Office for Civil Rights. The case involved a patient who made multiple requests for EEG records starting December 30, 2020, but didn’t receive them until September 29, 2021, nine months after the initial request and only after OCR initiated an investigation. The HIPAA Privacy Rule requires healthcare providers to furnish patient records within 30 days of request, with a possible 30-day extension in limited circumstances. While OCR initially proposed a $100,000 penalty, Memorial Healthcare System contested the findings and ultimately agreed to pay $60,000 to resolve the litigation. The settlement was announced on January 15, 2025, after negotiations between OCR and Memorial Healthcare System concluded.
Medicare & Medicaid
- The Department of Health and Human Services has announced 15 drugs for the second round of Medicare price negotiations. The negotiations will begin in 2025 with prices taking effect in 2027, following the first round which achieved price reductions of 38% to 79% on 10 drugs. Wegovy ($1,350) and Ozempic ($1,000) lead the list of medications, which includes treatments for conditions ranging from diabetes to cancer. The selected drugs were used by 5.3 million Medicare beneficiaries between 2023-2024, representing $41 billion in prescription drug costs. The first round of negotiations is expected to save Medicare beneficiaries $1.5 billion in out-of-pocket costs when implemented in 2026.
Mergers, Acquisitions & Private Equity
- Healthcare M&A transactions declined by 2.8% in Q3 2024, marking the lowest level since Q3 2020, with private equity participation dropping to 7% from 12% in Q2. Major deals included TowerBrook Capital Partners and Clayton, Dubilier & Rice’s $8.9 billion acquisition of R1 RCM Inc., Carlyle’s $3.8 billion purchase of Baxter International’s Kidney Care segment, and Orlando Health’s $439.4 million acquisition of three Florida hospitals from Steward Health Care. Professional Services dominated the sector with 54.8% of total deal volume, while the Hospital sector saw a 50% increase in transaction activity due to Steward Health Care’s divestitures. The Federal Reserve’s interest rate cuts and California’s veto of Assembly Bill 3129 signal potential growth in healthcare M&A activity for 2025, despite ongoing regulatory scrutiny.
- A recent report by the Federal Trade Commission warns that private equity ownership introduces “new and unique risks” to healthcare, surpassing those associated with general industry consolidation. The investigation, which reviewed over 2,000 public comments, highlights concerns such as higher consumer prices, operational changes, and staffing reductions linked to private equity-backed healthcare services. The agencies urge Congress and state legislators to enhance oversight by lowering the federal reporting threshold for mergers and acquisitions and expanding transparency rules regarding nursing home ownership. The report notes that private equity firms have significant investments across various healthcare sectors, including physician practices, emergency room staffing, nursing homes, mental health facilities, and hospitals. It also points out that companies with private equity ties are more prone to bankruptcies.
Confidentiality & Cybersecurity
- The US Court of Appeals has struck down net neutrality regulations, allowing Internet Service Providers (ISPs) to monitor, prioritize, and control Internet traffic. The ruling impacts healthcare privacy as ISPs can now track and sell patient data from telehealth sessions, mental health searches, and digital health app usage to third parties. Healthcare providers must implement stronger privacy measures, including encrypted platforms, VPNs, and HIPAA-compliant systems to protect patient information. FCC Chair Jessica Rosenworcel has called for congressional action, while healthcare professionals are urged to advocate for patient privacy through policy engagement and partnerships with privacy organizations. The decision particularly affects rural patients who rely on telehealth services and raises concerns about potential discrimination based on health-related Internet activity.
- A recent report reveals that 73% of healthcare organizations still use legacy systems, which creates security vulnerabilities that cybercriminals can exploit. Healthcare IT teams must build security measures into applications from the start, ensure flexibility across platforms, and implement vendor management strategies to protect data. The modernization process requires consideration of usability factors to prevent users from circumventing security controls, while features like Pure Storage’s SafeMode Snapshots provide protection against data breaches. Organizations that implement these strategies can better protect patient data, maintain productivity, and preserve patient trust.
- The U.S. Department of Health and Human Services Office for Civil Rights has proposed major changes to the HIPAA Security Rule that would require healthcare organizations to implement stricter cybersecurity measures by mid-2025. The changes include mandatory encryption of protected health information, multi-factor authentication, vulnerability scanning every 6 months, penetration testing annually, and notification requirements within 24 hours for certain security events. HHS estimates first-year compliance costs at $9 billion, with subsequent annual costs of $6 billion through year five. The proposal comes in response to a 950% increase in individuals affected by healthcare data breaches since 2018, though its fate remains uncertain as it transitions between administrations. The 60-day public comment period ends March 7, 2025, with compliance required 180 days after the final rule takes effect.
- Healthcare data breaches affected 184,111,469 records in 2024, representing 53% of the U.S. population, with 703 large breaches reported to OCR. The largest breach occurred at Change Healthcare, affecting 100 million individuals through a ransomware attack that caused widespread disruption to healthcare services and medication access across the U.S. healthcare system. The year saw 13 breaches involving more than 1 million healthcare records each, with 11 caused by hacking incidents and 8 involving business associates of HIPAA-covered entities. In response to these breaches, the HHS Office for Civil Rights published cybersecurity performance goals and proposed updates to the HIPAA Security Rule to mandate stronger security measures, including multifactor authentication and encryption requirements. The fate of these proposed security updates now rests with the incoming Trump administration.
- SOC 2 audits provide healthcare organizations with a framework for managing data security, privacy, and operational integrity. The audit process ensures protection of Protected Health Information (PHI) and Personally Identifiable Information (PII) through controls that safeguard against unauthorized access and breaches. While not legally mandated, SOC 2 complements HIPAA, HITECH, and GDPR regulations by addressing data encryption, access control, and risk management. The framework includes five trust service principles – Security, Availability, Processing Integrity, Confidentiality, and Privacy – and helps organizations manage third-party vendor risks through certification requirements. Healthcare providers can prepare for SOC 2 audits through gap analysis, control implementation, staff training, and partnership with expert consultants.
Innovation
- OpenAI CEO Sam Altman claims his company knows how to build AGI and predicts AI agents will join the workforce in 2025. OpenAI defines AGI as systems that outperform humans at economic tasks, with a specific financial threshold of $100 billion in profits set in their agreement with Microsoft. The technology rights for AGI are excluded from OpenAI’s IP investment contracts with companies like Microsoft, marking its strategic importance. Critics, including Gary Marcus, have dismissed Altman’s claims as marketing hype. Altman acknowledges the potential economic disruption from AGI and suggests universal basic income as a solution for workforce displacement.
- A New York University study published in Nature Medicine reveals that introducing just 0.001% of medical misinformation into LLM training data can compromise the model’s accuracy, resulting in over 7% harmful responses. The researchers tested this by injecting false information into “The Pile” database across 60 medical topics, finding that the poisoned models not only produced misinformation about targeted topics but became generally unreliable about medicine. The study demonstrates that for $100, someone could generate 40,000 articles to poison a large model like LLaMA 2, with the misinformation potentially hidden in invisible webpage text. While the researchers developed an algorithm to flag potentially false medical information, the study highlights ongoing challenges with both intentional poisoning and existing medical misinformation in training data, including outdated information in curated databases like PubMed.
Legislation
- The Texas Legislature is considering the Texas Responsible AI Governance Act, which aims to regulate high-risk AI systems that make consequential decisions affecting areas like healthcare, housing, and employment. The Act establishes strict requirements for developers and deployers, including mandatory risk assessments, consumer disclosures, and human oversight of AI decisions. The legislation prohibits specific AI uses such as social scoring, unauthorized biometric data collection, and emotional inference without consent, while giving consumers rights to transparency and legal action. The Texas Attorney General would have enforcement authority with fines up to $100,000 per violation, and businesses operating in Texas would need to ensure compliance through impact assessments and updated procedures.
- California has enacted a law prohibiting insurance companies from using AI alone to deny health insurance claims. The legislation, Senate Bill 1120 (Physicians Make Decisions Act), was signed by Governor Gavin Newsom in September 2024 in response to data showing 26% of California insurance claims were denied in 2024. The law requires human judgment in coverage decisions, sets strict deadlines for claim reviews (5 business days for standard cases, 72 hours for urgent cases, and 30 days for retrospective reviews), and gives the California Department of Managed Health Care enforcement authority with power to issue fines. The initiative has gained national attention, with 19 states considering similar legislation and congressional offices exploring federal regulations.
Regulation
- The FDA has released new draft guidance for AI-enabled medical devices, building on its previous predetermined change control plan guidance from December 2023. The guidance, to be published in the Federal Register on January 7, provides recommendations for the total product lifecycle of AI-enabled devices, including design, development, maintenance, and documentation requirements. The FDA has authorized over 1,000 AI-enabled devices and will accept public comments on the draft guidelines through April 7, with specific focus on AI lifecycle alignment, generative AI recommendations, performance monitoring, and user information requirements. The agency will host webinars on February 18 to discuss the regulatory proposal and on January 14 regarding the final PCCPs guidance, while emphasizing the importance of addressing transparency and bias in AI medical devices. The guidance aims to ensure performance considerations across race, ethnicity, disease severity, gender, age, and geographical factors are addressed throughout device development and monitoring.
Advanced Practice Providers
- Advanced Practice Providers (APPs), including nurse practitioners, physician assistants, and other specialists, are filling healthcare gaps caused by physician shortages and increased demand for services. Chief APPs (CAAPs) have emerged as leaders who manage APP integration within healthcare organizations. APPs can diagnose conditions, prescribe medications, conduct exams, and interpret tests, while spending more time with patients than traditional providers. The expansion of APP roles offers a solution to healthcare access issues, particularly in underserved areas, and their scope of practice continues to grow alongside the importance of CAAPs in healthcare systems.
Patient Confidentiality
- The U.S. Department of Health and Human Services has proposed new HIPAA Security Rules, marking the first update since 2013, with publication scheduled for January 6, 2025. The proposed changes include mandatory encryption of PHI at rest and in transit, implementation of multi-factor authentication, and requirements for covered entities to review and update security policies regularly. Business associates must provide written verification of technical safeguards annually and notify covered entities within 24 hours of access changes or contingency plan activations. The rules establish specific timeframes for security compliance, including 15-day patches for critical risks and 72-hour system restoration requirements, while requiring organizations to maintain technology asset inventories and network maps with annual updates.
Fraud & Abuse
- ASD Specialty Healthcare has agreed to pay $1.67 million to settle anti-kickback claims for providing free inventory management systems to retina practices that agreed to purchase drugs from them. The company, operating as Besse Medical and a subsidiary of Cencora, acquired the PODIS system in 2017 and offered it at no cost to physicians who signed agreements to purchase drugs, including AMD treatments, while denying access to non-customers. Two whistleblowers from Regeneron Pharmaceuticals brought forth the claims and will receive $250,705 from the settlement. Medicare spent $386 million on branded AMD drugs in 2022, with $334.4 million specifically on aflibercept. The Department of Justice has also filed a separate False Claims Act complaint against Regeneron for allegedly inflating Medicare reimbursement rates for Eylea.
- A federal grand jury in Virginia indicted Chesapeake Regional Medical Center on January 8, 2025, for healthcare fraud and conspiracy to defraud the United States. The charges stem from the hospital’s alleged involvement with a physician who was previously sentenced to 59 years in prison for performing unnecessary surgeries and falsifying medical records, resulting in $20.8 million in fraudulent billings. The indictment claims hospital staff received two sets of documents for early deliveries – one with real dates and another with falsified dates – yet continued to allow procedures and bill Medicaid. The hospital faces decisions about pleading guilty or going to trial, with potential consequences including fines, monitoring requirements, and property forfeiture. This case establishes precedent for hospitals’ responsibility to prevent fraud and highlights how employee knowledge of illegal activities can result in criminal charges for the institution.
- The Second Circuit Court of Appeals has expanded the Anti-Kickback Statute by adopting the “at-least-one-purpose rule”, which states that a violation occurs when inducing healthcare purchases is just one purpose of a payment, rather than requiring it to be the sole purpose. The ruling emerged from a qui tam lawsuit against Novartis Pharmaceuticals, where the relator alleged the company used speaker programs to provide kickbacks to doctors who prescribed their multiple sclerosis drug Gilenya. The Second Circuit revived parts of the lawsuit on December 27, 2024, focusing on allegations of sham speaking events, excessive payments for canceled engagements, and the selection of high-prescribing physicians as speakers. The Court determined that no quid pro quo proof is required for AKS violations, joining seven other circuit courts in this interpretation. The decision creates heightened enforcement risks for healthcare companies and requires them to review their physician payment practices.
Litigation
- Aetna sues drugmakers over alleged price-fixing scheme in a lawsuit filed in Hartford, Connecticut against nearly two dozen pharmaceutical companies, including Pfizer and Teva Pharmaceuticals, for allegedly conspiring to fix generic drug prices. The lawsuit claims the companies communicated through private meetings and trade conferences to establish a “fair share” scheme, resulting in price increases of up to 1000% for certain medications. The case follows similar legal actions by state attorneys general and other insurers, with Heritage Pharmaceuticals and Apotex already settling for $49 million in fall 2024.
No Surprises Act
AI Legislation
- The Texas Legislature is considering the Texas Responsible AI Governance Act, which would establish regulations for high-risk AI systems that make consequential decisions affecting areas like employment, education, and government services. The Act requires developers and deployers to protect consumers from algorithmic discrimination, maintain oversight of AI systems, and provide detailed disclosures about AI interactions. The legislation prohibits specific AI uses including social scoring, unauthorized biometric data collection, and emotional inference without consent, while granting consumers rights to transparency and legal action. The Texas Attorney General would have enforcement authority with fines up to $100,000 per violation, making this one of the most comprehensive state-level AI regulations proposed in the U.S.
AI Implementation
- Healthcare entities face increasing scrutiny over AI usage in patient data management, with three key areas of concern emerging: data scraping/sharing, utilization management, and discriminatory bias. Recent court cases have highlighted the importance of data anonymization in determining the validity of privacy claims, with courts generally favoring defendants when patient data is properly anonymized. Federal agencies and states are implementing regulations to limit AI’s role in medical necessity determinations, with CMS prohibiting AI-only decisions and states like California passing laws requiring specific disclosures for GenAI use in patient communications. While major litigation regarding AI discrimination hasn’t occurred yet, state attorneys general are actively investigating potential racial bias in healthcare algorithms. To mitigate risks, healthcare entities should conduct regular AI risk assessments, implement robust PHI de-identification procedures, and utilize appropriate data agreements and patient waivers.
- Testing by medical professionals has shown AI systems like ChatGPT giving dangerous medical advice up to 20% of the time. While AI tools are being used by some healthcare providers for tasks like transcription and note-taking, even these applications have shown problems with hallucinated content and bias, such as OpenAI’s Whisper inserting false information into patient records. Medical experts warn that while AI technology shows promise, its current state risks introducing dangerous “AI slop” into patient care, requiring thorough verification that may ultimately negate any time-saving benefits.
- Agentic AI is a new paradigm in which systems make independent decisions and take actions without human intervention. The technology shows potential applications in healthcare through patient monitoring, manufacturing through production optimization, and transportation through autonomous vehicles. Major concerns include job displacement, data privacy, control issues, and safety risks in high-stakes environments.
- A bipartisan U.S. House task force released a report on December 17 outlining AI policy recommendations for healthcare. The report identifies AI’s potential to improve healthcare efficiency through data analysis and automation while highlighting interoperability challenges between systems. It raises concerns about patient data privacy, cybersecurity risks, and the need for healthcare workforce AI training. The report also addresses unresolved issues regarding liability rules for AI-related medical errors and unclear reimbursement policies for AI implementation in healthcare systems. The task force emphasizes that payment structures and accountability frameworks for healthcare AI remain undefined, requiring further development.
Cybersecurity
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed the first update to the HIPAA Security Rule since 2013, requiring healthcare organizations to implement stronger cybersecurity measures for protected health information. The new requirements include written risk assessments, network segmentation, vulnerability scanning every six months, and penetration testing every 12 months. From 2018 to 2023, healthcare data breaches increased by 102%, affecting 167 million individuals in 2023 alone. The proposed changes address the evolution of healthcare delivery, increased cyber threats, and compliance issues observed by OCR. The current Security Rule remains in effect while HHS proceeds with the rulemaking process.
- The U.S. Department of Health and Human Services’ Office for Civil Rights has proposed a major update to HIPAA’s Security Rule, introducing new cybersecurity requirements with an estimated first-year compliance cost of $9 billion. The proposal includes mandatory implementation specifications for encryption, multifactor authentication, data backups every 48 hours, and requirements for business associates to verify compliance through expert analysis. Organizations will have 240 days to comply after the final rule is published, with the Notice of Proposed Rulemaking set for January 6, 2024, followed by a 60-day comment period. The proposal has bipartisan support and aims to modernize healthcare cybersecurity standards that haven’t been updated since 2013, though its fate may be influenced by the upcoming administration change.
Data Breaches
- The healthcare sector faced unprecedented cyberattacks in 2024, with 677 major health data breaches affecting 182.4 million people, including a record-breaking attack on Change Healthcare that compromised 100 million Americans and resulted in a $22 million ransom payment. Business associates were involved in 212 breaches affecting 131 million individuals, while hacking/IT incidents accounted for 550 attacks impacting 166 million people. The top 10 breaches included major healthcare organizations like Kaiser Foundation Health Plan (13.4 million affected), Ascension Health (5.6 million affected), and HealthEquity (4.3 million affected). Looking ahead to 2025, experts predict continued threats from ransomware, data theft, and supply chain attacks, with emerging concerns around telehealth security, IoT medical devices, and AI in healthcare.
- UT Southwestern Medical Center experienced a data breach in late 2024 that exposed 43,048 patients’ data through unauthorized access to a third-party calendar tool, marking its sixth breach since 2020. The exposed data included sensitive information such as names, dates of birth, Social Security numbers, medical records, diagnoses, and insurance information. UTSW’s breach occurred due to improper use of a calendar management tool without a business associate agreement in place. UTSW has taken remedial action, including implementing stronger security measures and notifying affected individuals.
- A significant cyberattack on Texas Tech University Health Sciences Center (TTUHSC) and its El Paso campus compromised sensitive data of approximately 1.4 million individuals, with the Interlock ransomware group claiming responsibility for stealing 2.1 million files totaling 2.6 terabytes. The breached data included personal information such as names, Social Security numbers, financial details, and health-related records, prompting TTUHSC to offer complimentary credit monitoring services and establish a toll-free assistance line for affected individuals. The incident follows a pattern of major healthcare sector cyberattacks in 2024, including the Change Healthcare breach affecting 100 million individuals ($22 million ransom), MediSecure in Australia, and Synnovis in London’s NHS hospitals. TTUHSC discovered the breach in mid-September, reported it to authorities, and is implementing enhanced security measures while working with cybersecurity specialists.
Litigation
- Apple has agreed to pay $95 million to settle a lawsuit alleging that Siri recorded private conversations without consent. The settlement addresses “unintentional” recordings that occurred after the “Hey, Siri” feature was introduced in 2014, with users reporting suspiciously targeted ads following private conversations. Affected customers who purchased Siri-enabled devices between September 17, 2014, and December 31, 2024, can claim up to $20 per device for a maximum of five devices, with eligible devices including iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs. A settlement approval hearing is scheduled for February 14, after which Apple will notify affected customers and delete their recorded private conversations. While the $95 million settlement appears significant, it’s notably less than the potential $1.5 billion fine Apple could have faced under the Wiretap Act if the case had proceeded to trial.
- The Texas Attorney General has begun enforcing the Texas Data Privacy and Security Act, which took effect on July 1, 2024. The Act grants consumers rights to access, correct, delete, and obtain copies of their personal data, while requiring businesses to implement security measures and limit data collection. The Attorney General has issued violation notices targeting inappropriate data sharing, lack of consumer consent, and deficiencies in privacy notices. The enforcement actions focus on cases where sensitive user data, including location and vehicle information, was shared without proper consent. Businesses operating in Texas must now ensure compliance with the Act’s requirements regarding data collection, processing, and consumer rights notifications.
Medical Reasoning
- A recent research paper evaluates the performance of OpenAI’s o1-preview model, a large language model, on clinical reasoning tasks. The study conducted five experiments focusing on differential diagnosis generation, diagnostic reasoning, triage differential diagnosis, probabilistic reasoning, and management reasoning, with assessments by physician experts. The o1-preview model demonstrated significant improvements in generating differential diagnoses and in the quality of diagnostic and management reasoning compared to previous models and human physicians. However, there were no improvements in probabilistic reasoning or triage differential diagnosis compared to past models. In a battery of tests, the model correctly diagnosed 78.3% of cases, and it selected the correct next diagnostic test in 87.5% of cases. In other tests, the model outperformed GPT-4 and physicians in clinical reasoning documentation. The study concludes that the o1-preview model exhibits superhuman performance in several medical reasoning tasks, indicating potential for integration into clinical workflows to enhance decision-making and patient care.
- A new study in European Radiology shows that GPT-4 achieved 94% accuracy in radiological diagnoses, outperforming human radiologists who scored between 73% and 89%. AI in healthcare leverages massive datasets including electronic health records, medical imaging, and clinical databases to enhance diagnostic capabilities, personalize treatment plans, and support clinical decision-making. The technology powers virtual health assistants, performs remote diagnosis through wearable devices, and accelerates drug discovery while reducing development costs. Healthcare facilities are integrating AI for medical imaging analysis and patient outcome prediction, though challenges remain in regulatory compliance, data privacy, legacy system integration, and maintaining human expertise. The implementation of AI in healthcare requires addressing concerns about patient trust, workforce adaptation, and the potential overreliance on technology.
Privacy
- The U.S. Department of Justice published a proposed rule on October 29, 2024 that would restrict or prohibit data transactions involving sensitive personal data and government-related data between U.S. persons and entities from countries of concern including China, Russia, Iran, North Korea, Cuba, and Venezuela. The rule establishes bulk data thresholds ranging from 100 to 100,000 records and covers six categories of sensitive personal data including personal identifiers, geolocation data, biometric identifiers, genomic data, health data, and financial data. The regulations will impact various sectors including healthcare providers, financial services, insurance companies, and technology firms, requiring them to implement compliance programs and maintain transaction records for 10 years. The rule prohibits all data brokerage transactions and bulk genomic data transfers, while restricting vendor, employment, and investment agreements through cybersecurity requirements established by CISA. The DOJ emphasizes this is a national security measure aimed at preventing countries of concern from accessing data that could enhance their military and intelligence capabilities.
Ransomware
- A new report reveals that ransomware attacks are costing U.S. healthcare organizations $1.9 million per day in downtime expenses. Since 2018, there have been 654 ransomware attacks on healthcare providers, with 2023 marking a record high of 143 incidents and compromising over 88.7 million patient records in total, of which 26.2 million were breached in 2023 alone. Healthcare organizations experience an average of 17 days of downtime per incident, with the highest disruptions averaging 27 days in 2022, leading to an estimated total loss of $21.9 billion over six years. Cybersecurity experts emphasize the need for preparation, including incident response teams, communication plans, and regular data backups, as hackers increasingly employ double-extortion tactics by both encrypting systems and stealing data.
Regulation
- A new paper from Paragon Health Institute outlines guidelines for regulating artificial intelligence in healthcare while maintaining innovation and patient safety. The paper emphasizes that AI regulation must be specific to technology types and use contexts, as risks vary significantly between applications like diagnostic tools versus back-office functions. The FDA’s existing framework for medical device approval provides a foundation for AI oversight, with three pathways based on risk levels and the presence of predicate devices. The guidelines recommend preserving existing patient protections under HIPAA and other laws while avoiding duplicate regulations, and stress that AI systems should demonstrate safety and effectiveness comparable to human clinicians when operating autonomously.