Wade’s Health Law Highlights for September 30, 2025

Artificial Intelligence

Shadow AI tools used without IT oversight create security risks that cost healthcare organizations $200,000 more per data breach than sanctioned AI incidents. IBM’s 2025 Cost of a Data Breach report found that 20% of organizations across all sectors suffered breaches due to shadow AI incidents, compared to 13% for sanctioned AI tools. A 2025 survey revealed that 86% of healthcare IT executives reported shadow IT instances in their health systems, up from 81% in 2024. Shadow AI displaced security skills shortage as one of the top three factors contributing to breach costs, with personally identifiable information being the most compromised data type and intellectual property compromised in 40% of shadow AI incidents. More than 60% of organizations lack governance policies to manage AI or detect unauthorized AI use, according to IBM research. Source: TechTarget

Fraud & Abuse

Federal appellate courts remain divided on whether plaintiffs must prove “but-for causation” when bringing False Claims Act cases based on Anti-Kickback Statute violations. The dispute centers on a 2010 amendment to the Anti-Kickback Statute that declares claims “resulting from” kickback violations constitute false claims under the False Claims Act. The First, Sixth, and Eighth circuits have ruled that the “resulting from” language requires but-for causation, meaning plaintiffs must prove the kickback caused the false claim submission. Some courts have suggested alternative pathways exist that bypass the but-for causation requirement, but legal experts argue this interpretation contradicts statutory language and creates illogical outcomes. The Department of Justice opposes the but-for causation requirement, stating it would complicate litigation by forcing extensive analysis of physician motivations for thousands of treatment decisions. Source: Akin Gump Strauss Hauer & Feld LLP
A federal district court in Tennessee has limited False Claims Act liability for Anti-Kickback Statute violations in a September 22 ruling that could restrict healthcare fraud prosecutions. In United States v. HCA Healthcare, Inc., the court ruled that hospitals did not receive “remuneration” when a laboratory agreed not to seek reimbursement for technical components of pathology services for non-Medicare patients, since hospitals had no legal obligation to pay those costs. The court also established a “but for” causation standard, requiring whistleblowers to prove that providers would not have sought government reimbursement without the alleged kickback violation. The decision rejected claims that were merely “tainted by” kickbacks, calling such allegations too “attenuated” to establish False Claims Act liability. The court characterized the disputed arrangement as normal marketplace competition rather than illegal kickback activity. Source: Warner Norcross + Judd LLP

Hospice

Hospice providers are expanding their service offerings through diversification into palliative care, home-based primary care, and community aging programs. Hospices are broadening their horizons when it comes to service diversification. Some providers are exploring innovative care models, while others are moving upstream into palliative care and branching out their community-based services. Cost, referral streams and staffing considerations are significant pieces of developing and growing a palliative care program. The federally approved CAPABLE program has been under consideration for Medicare reimbursement since 2019. Currently, services provided under the program are reimbursed through partnerships with Accountable Care Organizations (ACOs) and private insurers. Source: Hospice News

HIPAA

A federal court vacated reproductive health care provisions of the 2024 HIPAA Privacy Rule while preserving substance use disorder protections. On June 18, 2025, in Purl v. HHS, a federal district court eliminated requirements for group health plans to update policies and Privacy Notices for reproductive health care information protections. The court preserved regulations at 42 CFR part 2 that require group health plans to implement protections for substance use disorder (SUD) records by February 16, 2026. SUD records include patient identity, diagnosis, prognosis, or treatment information maintained in connection with substance use disorder programs conducted or assisted by any U.S. government department. Group health plans cannot disclose SUD records in legal proceedings without written consent or court order, and must update Privacy Notices and distribute them to all participants by the February deadline. Source: Spencer Fane

Marketing

Texas Senate Bill 140 requires companies sending text messages to or from Texas to comply with telemarketing regulations starting September 1, 2025. The law redefines “telephone solicitation” to include text and multimedia messages, requiring companies to register with the Secretary of State and post a $10,000 bond. Text messages can only be sent between 9 am and 9 pm Monday through Saturday and between noon and 9 pm on Sundays in Central time, with fines reaching thousands of dollars per message for violations. The legislation strengthens consumer enforcement rights under the Texas Deceptive Trade Practices Act and allows consumers to bring multiple lawsuits for continuing violations. The changes come as the US Supreme Court’s June 2025 McLaughlin decision created uncertainty about federal Telephone Consumer Protection Act rules, making state laws more important in regulating text marketing campaigns. Source: Foster Garvey PC

Medicare

CMS plans to phase out its inpatient-only procedure list over three years starting in 2026, prompting healthcare providers to call for elimination of Medicare’s three-day hospital stay requirement for skilled nursing facility coverage. The proposed removal of 285 procedures, mostly musculoskeletal, threatens access to post-acute care since traditional Medicare beneficiaries must have a three-day inpatient hospital stay within 30 days before qualifying for skilled nursing facility coverage. LeadingAge, representing over 5,400 nonprofit providers, submitted comments to CMS recommending elimination of the rule, which affects 20% to 50% of current skilled nursing facility admissions and only applies to roughly 20% of Medicare beneficiaries on traditional Medicare plans. The organization proposes reimagining skilled nursing facilities as settings for chronic care management and direct physician admissions, allowing patients to avoid hospitals for stabilizing treatments. Industry leaders argue the three-day stay rule forces patients into cycles of hospital visits and compromises quality of life while driving up costs. Source: Skilled Nursing News

Medicaid

Texas overpaid $10.5 million to hospices due to lack of oversight policies during fiscal years 2020 through 2022. The Office of Inspector General found that 174 hospices, representing 36 percent of hospices that received payments, were overpaid because Texas had no policies and procedures for calculating and collecting hospice cap overpayments. Of the total overpayments, $6.9 million represents the Federal share that should have been returned to the Federal Government. The OIG recommends that Texas collect the $10.5 million in overpayments and refund the Federal share, and also develop policies and procedures for future cap overpayment calculations. Texas agreed with the second recommendation but did not indicate concurrence or nonconcurrence with the first recommendation. Source: Office of Inspector General

Mergers & Acquisitions

The FTC and DOJ reported 32 merger enforcement actions in fiscal year 2024 while processing 1,973 transactions under the Hart-Scott-Rodino Act. The agencies issued 59 second requests for additional information, representing approximately 3% of all reported transactions. Healthcare transactions accounted for 3% of reported deals, with the FTC issuing second requests for two hospital acquisitions and two ambulatory healthcare service acquisitions. Healthcare sector enforcement will remain a top priority going forward. Source: Stevens & Lee

Non-Competes

The Federal Trade Commission issued warning letters to healthcare employers and staffing firms, urging them to review their noncompete agreements for legal compliance. The letters, signed by Chairman Andrew Ferguson, advised recipients to immediately discontinue any agreements that do not comply with law and notify employees accordingly. The action follows the FTC’s withdrawal of its defense of a nationwide noncompete ban that federal courts had enjoined. The FTC also issued a request for information from the public about noncompete agreements in healthcare, seeking examples that have affected wages, hiring difficulties, or competition within specific geographic areas. The Commission stated these restrictions can limit healthcare professionals’ employment options and patient choices, particularly in rural areas where medical services face constraints. Source: Stevens & Lee

Pharmacies

Four Texas pharmacy professionals received prison sentences for operating a pill mill that distributed over half a million opioid pills. Arthur Billings, 61, the owner of Health Fit Pharmacy in Houston, was sentenced to 12 years in prison and ordered to forfeit $2.6 million for his role in the conspiracy. Three pharmacists who worked at the facility received sentences ranging from 20 months to six years in prison, with forfeiture orders between $5,000 and $68,931. The cash-only pharmacy dispensed hydrocodone and oxycodone to individuals posing as patients for drug traffickers, using fraudulent prescriptions issued under stolen physician identities. The operation continued despite repeated warnings from the Texas State Board of Pharmacy, the Texas Department of Public Safety, and the Drug Enforcement Administration. Source: U.S. Department of Justice

Private Equity

Private equity firms are investing in hormone replacement therapy businesses as the treatment gains mainstream acceptance following the debunking of a 2002 study that set back menopause care for two decades. HRT has expanded from endocrinology and gynecology practices into primary care, dermatology, and aesthetic medicine. Investors view HRT as a source of recurring revenue and higher customer lifetime value, as patients commit to long-term treatment plans and the service provides stability during economic downturns. However, challenges include regulatory compliance, recruiting medical staff, patient education requirements, and tensions over insurance coverage versus cash-pay models. Several PE firms exemplify this trend through partnerships to integrate HRT services across various platforms and expand into new markets. Source: VMG Health

Website Tracking

Four federal courts delivered mixed rulings in August on Electronic Communications Privacy Act claims against healthcare companies using website tracking technologies like Meta Pixel and Google Analytics. The decisions reveal a split among courts on invoking ECPA’s “crime-tort exception,” with Illinois courts producing contradictory outcomes—some allowing claims to proceed where plaintiffs alleged transmission of protected health information to third parties, while others dismissed cases for lack of specificity about what information was disclosed. A Washington court permitted an addiction treatment case to advance, finding that results from an online addiction survey coupled with appointment requests constituted protected health information. Courts emphasized that successful ECPA claims require plaintiffs to provide details about what health information was disclosed and how it relates to individual health status, rather than general assertions about website usage. The rulings demonstrate that the outcome of these cases depends on the specifics of alleged HIPAA violations and whether tracking data can identify individuals and relate to their health conditions. Source: Byte Back