Wade’s Health Law Highlights for September 2, 2025

Antitrust

• Hospital associations challenge new merger notification rules as burdensome and unnecessary. The Federal Trade Commission under Lina Khan adopted changes to Hart-Scott-Rodino premerger notification requirements that took effect February 10, 2025, increasing information volume and preparation time by four times. On August 8, 2025, the American Hospital Association and Federation of American Hospitals filed an amicus brief supporting business groups’ lawsuit seeking injunctive relief against the changes. The hospital associations argued the FTC failed to identify any anticompetitive hospital merger that went undetected under prior reporting requirements. They contended the rule changes function as a tax on hospitals and aim to discourage mergers in an industry facing economic pressures. Source: Epstein Becker Green
• The Trump administration’s antitrust regulators maintain focus on healthcare competition but reject the Biden era’s emphasis on private equity and corporate greed in favor of targeting regulatory barriers to market entry. The Federal Trade Commission and Department of Justice demonstrate willingness to approve mergers through consent decrees involving divestitures, as seen in the UnitedHealth Group-Amedisys deal that required selling 164 home health and hospice locations. The FTC issued a Second Request to examine Aya Healthcare’s $615 million acquisition of Cross Country Healthcare over concerns about self-preferencing in travel nurse staffing services. The DOJ launched an investigation into NewYork-Presbyterian’s contracting practices following union complaints about anti-steering provisions that prevent insurers from excluding the health system from their networks. The FTC released findings showing that 38% of physicians belonged to practices affected by mergers between 2015 and 2020, representing consolidation across approximately 2,000 transactions. Source: Goodwin

Data Privacy & Cybersecurity

• The Office for Civil Rights published two new HIPAA Privacy Rule FAQs on August 11, 2025, clarifying PHI disclosure rules and patient access rights. The first FAQ permits healthcare providers to disclose protected health information to value-based care arrangements for treatment purposes without individual authorization, supporting payment models that tie compensation to patient outcomes. The second FAQ confirms that treatment consent forms fall within designated record sets that patients can access, removing ambiguity about these documents. The guidance aligns with the Centers for Medicare & Medicaid Services’ July 30, 2025, announcement of its Health Tech Ecosystem initiative, which over 60 organizations including Epic, Oracle Health, CVS Health, and major tech companies have pledged to adopt. OCR has announced 53 enforcement actions since launching its Right of Access Initiative in 2019, including a $200,000 penalty imposed in March 2025 against a provider that failed to provide timely patient record access. Source: Data Privacy + Cybersecurity Insider
• Ransomware attacks on hospitals create cascading effects that overwhelm neighboring healthcare facilities and endanger patients throughout entire communities. When a hospital’s systems go offline, surrounding facilities must absorb diverted ambulances and walk-in patients, creating overcapacity situations that can lead to worse patient outcomes and potential deaths. Health-ISAC tracked 446 ransomware events in healthcare during 2024, with 281 incidents occurring in just the first half of 2025, indicating the threat continues to escalate. Rural communities face greater risks than urban areas because longer ambulance travel times to alternate facilities can delay treatment and worsen medical conditions. Both the Ascension and Change Healthcare attacks stemmed from lack of multifactor authentication for remote access, highlighting how basic security gaps enable attackers to target patient care systems for maximum leverage. Source: Dark Reading

Emerging Tech

• Hospital executives believe in AI’s potential but lack readiness for implementation. A recent survey of 101 executives across integrated delivery networks, academic medical centers and independent hospitals, found that 83% believe AI can improve clinical decision-making and 75% think it could reduce operational costs. While 67% report current investments in AI for patient care and 66% pursue solutions for administrative operations, only 13% have a strategy for integrating AI into clinical workflows. Just 12% trust today’s AI algorithms as reliable enough for use, and only 10% report their organizations aggressively pursue AI implementation. Nearly half of respondents (49%) cite appropriate use of AI as one of their top three challenges. Source: Becker’s Hospital Review

False Claims Act

• Paul Njoku received a 75-month federal prison sentence for orchestrating a Medicare fraud scheme through his home health care agency. The 64-year-old owner and CEO of Opnet Health Care Services Inc. forged signatures of doctors and nurses by cutting out old signatures and taping them onto new medical documents required for Medicare payments. Njoku continued using a registered nurse’s signature on nursing notes and assessments in 2018 and 2019 without her knowledge after she left the company in 2017, and he bribed a doctor to approve home health services. From 2015 to 2019, Opnet billed Medicare over $400,000 in claims and received over $360,000, with many claims lacking required documentation or based on falsified records. A jury found Njoku guilty on all counts after deliberating for less than two hours following a three-day trial. Source: U.S. Attorney’s Office, Southern District of Texas
• The Sixth Circuit affirmed a district court’s dismissal of a False Claims Act case against three Kentucky cancer centers, ruling that Medicare does not require radiation services be performed by board-certified radiologists or radiation oncologists. In United States ex rel. Robert C. O’Laughlin, M.D. v. Radiation Therapy Services, P.S.C. et al., the court rejected Dr. O’Laughlin’s allegations of Medicare fraud after nearly a decade of litigation. The court found that CMS manuals permit any physician to perform radiation services regardless of specialty, making billing by non-specialist physicians proper. The relator failed to provide evidence linking specific Medicare claims to instances where qualified providers were absent during radiation or chemotherapy treatments. The court established that whistleblowers must present concrete, claim-specific proof rather than relying on scheduling documents or statistical inferences to survive summary judgment under the False Claims Act. Source: CaseMine

Marketing

• Texas Senate Bill 140 takes effect September 1, 2025, expanding the state’s telemarketing regulations to cover text messages and SMS marketing. The law allows consumers to file private lawsuits against businesses for violations and removes caps on cumulative damage recoveries. Companies that send marketing texts to Texas phone numbers must register each business location with the Texas Secretary of State, pay a $200 filing fee, and post a $10,000 security bond. The Texas Attorney General can impose penalties of up to $5,000 per violation, while consumers can seek actual damages or treble damages for knowing violations. Exemptions include banks, insurance companies, nonprofits, and communications with current or former customers, though the law does not define what constitutes a “customer.” Source: Thompson Hine LLP

Medical Devices

• Illumina agreed to pay $9.8 million to settle False Claims Act allegations with the Department of Justice for selling genomic sequencing systems with cybersecurity vulnerabilities to federal agencies. The biotechnology company allegedly falsely represented that its LRM and UCS software adhered to cybersecurity standards including ISO and NIST from February 2016 through September 2023. The settlement represents the first cybersecurity-focused False Claims Act enforcement action in the healthcare industry and arose from a whistleblower complaint filed by Illumina’s former Director for Platform Management. The former employee will receive $1.9 million from the settlement, and the case is notable because it focused on failures to implement cybersecurity programs regardless of whether actual breaches occurred. The resolution signals that cybersecurity representations and certifications will become a focus area for future False Claims Act enforcement actions against medical device companies. Source: Orrick

Management Services Organizations

• The California legislature is advancing two bills that target private equity groups, hedge funds, and management services organizations operating in the state’s healthcare industry. AB 1415 would require management services organizations to notify the Office of Health Care Affordability of asset sales and changes of control, expanding reporting obligations that currently apply only to payors, providers, and delivery systems. SB 351 would clarify where private equity groups and hedge funds may provide advisory support while ensuring physicians and dentists retain ultimate authority over clinical decisions. AB 1415 has passed the Senate Appropriations Committee and is set for a third reading by the Senate, while SB 351 has cleared the Assembly Committee on Appropriations and awaits an Assembly vote. The bills would increase compliance burdens for management services organizations and reinforce restrictions on private equity participation in healthcare. Source: Polsinelli

Patient Care

• Medicare enrollees left acute-care hospitals against medical advice at rising rates since 2006, spiking during the COVID-19 public health emergency and remaining slightly elevated in 2023. From 2006 to 2019, AMA discharge rates grew from about 0.68% to 0.99%, peaked near 1.17% during the PHE, and ended at 1.00% in 2023, with those leaving AMA showing higher 30-day readmission (34.6% vs. 16.2%) and mortality (4.23% vs. 2.09%) than those discharged home. AMA rates were inversely correlated with CMS Overall Hospital Quality Star Ratings, with lowest-rated hospitals nearly three times more likely to have AMA discharges than highest-rated hospitals (1.95% vs. 0.66%). Dual Medicare-Medicaid enrollees and patients with a mental health diagnosis were more likely to leave AMA than Medicare-only enrollees and those without such diagnoses, including within each Star Rating tier. The brief notes CMS lacks specific guidance on designating and managing AMA discharges, and indicates findings may inform future guidance to improve outcomes and reduce costs. Source: HHS OIG Data Brief A-04-24-03003

Pharmacies

• New Medicare regulations that took effect January 1, 2025 have increased criminal prosecution risks for pharmacies facing claim reversals. The Centers for Medicare and Medicaid Services overhauled regulations under the federal Overpayment Statute, redefining when pharmacies “identify” overpayments and limiting internal investigation periods to 180 days maximum. Pharmacies can face criminal charges for violations including failure to submit “clean claims,” noncompliance with prescription rules, and billing errors involving prescription drugs. Criminal penalties include fines up to $250,000 for individuals and $500,000 for businesses, plus potential federal imprisonment up to five years under the False Claims Act. Investigations by the FBI and Department of Health and Human Services Office of Inspector General can result from claim rejections by Part D sponsors and other Medicare billing compliance failures. Source: Oberheiden P.C.