
Wade’s Health Law Highlights for October 14, 2025

AI Governance

  • Health systems possess the expertise to monitor AI tools but lack the infrastructure to implement comprehensive governance at scale. The Joint Commission and Coalition for Health AI released guidance covering AI policies, data security, quality monitoring, and safety event reporting, while the National Association of Insurance Commissioners established a model bulletin on AI use adopted by multiple states. Hospitals currently focus on low-risk AI applications such as chart review, ambient scribes, and radiology triage that maintain human oversight, according to Troy Bannister, CEO of Onboard AI. Mark Sendak of Vega Health argued that standards exist but healthcare organizations need scalable infrastructure and data systems to monitor AI tools across their systems. Industry executives expressed skepticism about Sen. Ted Cruz’s SANDBOX Act, which would create regulatory waivers for AI companies, preferring instead a distributed governance model similar to Clinical Laboratory Improvement Amendments. Source: Healthcare Innovation
  • AI in healthcare has come a long way since the FDA approved the first autonomous diagnostic system for diabetic retinopathy in 2018. The technology now detects patterns in medical scans, predicts patient deterioration, and automates administrative tasks while enabling personalized medicine through analysis of genetic and clinical data. However, algorithms can amplify healthcare inequities when training data underrepresents certain populations, and a 2023 study highlighted how racial and ethnic bias affects resource allocation and diagnostic accuracy. Current privacy frameworks like HIPAA and GDPR fail to address AI complexity, prompting new regulations including the EU AI Act that classifies medical AI as “high risk” and the US NIST AI Risk Management Framework. The American Medical Association has established principles requiring healthcare AI to be transparent and accountable while augmenting rather than replacing clinical judgment. Source: IAPP

Antitrust

  • U.S. antitrust officials signal a shift toward case-by-case enforcement over broad rulemaking as they target AI and healthcare markets for competition protection. DOJ Assistant Attorney General Gail Slater, DOJ Deputy AAG Dina Kallay, and FTC Director Daniel Guarnera outlined their enforcement priorities at the Fordham Competition Law Institute conference, backing away from the Biden Administration’s rulemaking approach in favor of targeted legal action. Slater framed the Google Search remedies decision as a foundation for AI market competition, while warning that monopolists may use privacy concerns to gatekeep data and block interoperability. The FTC plans to grant early termination of merger reviews more frequently, having already approved nearly 250 cases, and will continue enforcing against unlawful non-compete agreements despite abandoning the defunct broad rule. Officials emphasized scrutiny of incumbents in AI and healthcare sectors to prevent suppression of startups and ensure American competitiveness in deploying transformative technologies. Source: Wilson Sonsini

Cybersecurity

  • The U.S. Department of Labor expanded its cybersecurity guidance to cover all employee benefit plans, including health plans, requiring sponsors to implement 12 key security practices. Previously, DOL guidance focused only on ERISA retirement plans, leaving health plans outside the scope of federal cybersecurity requirements. Health plan sponsors must now align their cybersecurity practices with DOL standards while maintaining compliance with existing HIPAA and HITECH regulations. The 12 required practices include establishing formal cybersecurity programs, conducting annual risk assessments, implementing penetration testing, performing third-party security audits, and maintaining data encryption protocols. Unlike HIPAA and HITECH regulations that focus primarily on health data confidentiality, the DOL guidance takes a broader approach emphasizing ongoing monitoring, annual assessments, and continuous risk management across all health plan operations. Source: Security Magazine
  • Quantum computers will render current healthcare encryption methods obsolete, forcing organizations to prepare now for future security threats. Cyberthreat actors are already collecting encrypted healthcare data to store until quantum computers become available to break current RSA and ECC algorithms, according to Kurt Rohloff, chief technology officer at Duality Technologies. The National Institute of Standards and Technology released three post-quantum cryptography algorithms in 2024 after eight years of development, recommending organizations adopt these standards immediately. Healthcare data faces particular risk because health records retain sensitivity indefinitely, unlike credit card information that can be replaced when compromised. Rohloff recommends healthcare organizations conduct cryptographic inventories, discuss post-quantum plans with vendors, and consider fully homomorphic encryption that allows computations on encrypted data without decryption. Source: TechTarget

Data Breach

  • Harris Health notified over 5,000 patients that a former employee accessed their electronic health records without authorization for a decade. The Houston-area healthcare system discovered the breach on February 10, 2021, but the unauthorized access occurred from January 4, 2011, to March 8, 2021. The employee was terminated after an investigation confirmed that patient records were accessed without legitimate work purpose and some information was disclosed to unauthorized individuals, prompting Harris Health to notify the FBI. The compromised data included names, dates of birth, addresses, medical histories, medications, health insurance information, and Social Security numbers for some patients. Patient notifications were delayed four years at the request of law enforcement to avoid interfering with their investigation. Source: HIPAA Journal

Data Privacy

  • The Texas App Store Accountability Act will expose mobile app developers to private lawsuits starting January 1, 2026. The law requires app developers serving Texas users to assign age ratings for apps and in-app purchases, implement age verification systems, obtain parental consent for minors, and notify app stores of changes to terms of service or privacy policies. Unlike other Texas privacy laws, TASAA allows private litigants to sue for economic damages, injunctive relief, and attorney’s fees under the Texas Deceptive Trade Practices Act, while the Texas Attorney General can recover up to $10,000 per violation. The law prohibits developers from enforcing contracts against minors without parental consent, misrepresenting age ratings, and sharing personal data collected for age verification purposes. Utah and Louisiana will implement laws later in 2026. Source: Womble Bond Dickinson
  • States are stepping in to regulate reproductive health data privacy after a federal court struck down enhanced HIPAA protections in 2025. A Texas federal judge vacated the Reproductive Health Care Privacy rule in Purl v. U.S. Department of Health and Human Services on June 18, 2025, after a physician challenged it for conflicting with state child abuse reporting requirements. The Department of Health and Human Services did not appeal the decision by the August 18, 2025 deadline, leaving covered entities to rely on existing HIPAA protections. California, Virginia, and Washington have enacted comprehensive laws that extend beyond traditional healthcare entities to cover fitness trackers, retailers, and tech companies that process reproductive health data, with penalties ranging from $2,500 to $250,000 per violation. These state laws require explicit consent for data collection and sharing, with New York preparing similar legislation through the pending New York Health Information Privacy Act. Source: Troutman Pepper Locke

Devices

  • Ingestible sensors are transforming healthcare by providing real-time health monitoring from inside the human body. These capsule-shaped devices pass through the digestive tract and track temperature, medication adherence, pH levels, gastrointestinal motility, and biomarkers before transmitting data wirelessly to smartphones or tablets. The technology enables healthcare providers to monitor chronic diseases, ensure medication compliance, and conduct post-surgical monitoring without invasive procedures. The ingestible sensors market is projected to grow from $986.2 million in 2025 to over $1.7 billion by 2032 at an 8.1% compound annual growth rate. However, the technology faces challenges including high costs, data privacy concerns, and regulatory barriers, with the FDA approving only a few ingestible sensor products under strict guidelines. Source: Technowize

Enforcement

  • The Department of Justice established the Enforcement & Affirmative Litigation Branch within its Civil Division to consolidate enforcement efforts targeting public health and safety violations. The new branch contains two sections: an Enforcement Section that will pursue cases under the Controlled Substances Act, the Food, Drug, and Cosmetic Act, and the Federal Trade Commission Act, and an Affirmative Litigation Section that will sue states, municipalities, and private entities that obstruct federal policies. DOJ identified two priorities for the branch: targeting pharmaceutical companies, health care providers, and medical associations regarding gender transition claims, and ending sanctuary jurisdiction laws that impede federal immigration enforcement. The reorganization coincides with the FDA’s September 9, 2025 announcement of a crackdown on deceptive drug advertising and the winding down of the Consumer Protection Branch. The restructuring does not expand DOJ’s statutory powers but centralizes certain consumer protection matters and enforcement priorities. Source: Epstein Becker Green

Fraud & Abuse

  • The Trump Administration expanded False Claims Act enforcement beyond traditional healthcare and defense contracting into new areas including trade fraud, civil rights violations, and gender-related medical treatments during fiscal year 2025. The Department of Justice secured settlements exceeding $500 million in healthcare cases, including $98 million from a Medicare Advantage provider for inflated risk scores, $60 million from a pharmaceutical company for kickbacks, and $350 million from Walgreens for filling invalid opioid prescriptions. The DOJ launched the Civil Rights Fraud Initiative targeting universities and organizations that allegedly violate civil rights laws while receiving federal funding, and created a Trade Fraud Task Force with Homeland Security to pursue customs duty evasion cases. Government contractors faced over $20 million in cybersecurity-related settlements for failing to meet federal security requirements. The administration continues pursuing Paycheck Protection Program fraud cases under the extended 10-year statute of limitations, with settlements including $21.6 million from three foreign-owned companies. Source: Mayer Brown
  • Accountable care organizations report detecting fraud in Medicare skin substitute treatments that cost individual patients over $600,000 in 2025. Six doctor groups are seeing higher rates of spending on skin substitutes this year compared to 2024, with one case exceeding $2 million per patient. The Centers for Medicare and Medicaid Services estimates Medicare spent $10 billion on these treatments last year and has proposed reducing reimbursement from $2,000 per square centimeter to around $125, with a final decision expected in November. The accountable care organizations first alerted CMS to the possible fraud two years ago but say the agency is not moving fast enough to address the problem. The wound care industry is fighting the proposed payment reductions through the MASS Coalition, arguing the changes will not help crack down on fraud. Source: POLITICO
  • A federal court ordered Humana to pay $90 million to the government following the first whistleblower settlement involving Medicare prescription drug contracting fraud. Former Humana actuary Steven Scott alleged the company submitted fraudulent bids to the Centers for Medicare & Medicaid Services for Part D contracts from 2011 to 2017, maintaining two sets of books while providing coverage below required levels. The court also ordered Humana to pay $32 million in attorney fees to Scott’s legal team, while Scott received $26.1 million as his whistleblower share, equivalent to 29% of the government settlement. Humana did not admit liability in the agreement and said it settled to avoid litigation costs. The Department of Justice declined to intervene in the case, which centered on allegations that Humana’s “basic Walmart Plan” was not actuarially equivalent to required standards despite the company’s certifications to CMS. Source: Healthcare Innovation

HIPAA

  • The Office for Civil Rights reached a $182,000 settlement with Cadia Healthcare Facilities for posting patient success stories online without proper HIPAA authorization. On September 30, 2025, OCR announced the settlement with five Delaware rehabilitation and nursing facilities for violating HIPAA Privacy and Breach Notification Rules. Cadia compromised the protected health information of 150 patients by posting their names, photographs, and treatment details on the company’s public website through a success story program. The settlement requires Cadia to implement a two-year Corrective Action Plan, review compliance policies, train staff, and ensure no PHI appears on websites or marketing materials. This enforcement action follows similar cases, including a 2016 settlement with Complete P.T. for $25,000 over patient testimonials posted without authorization. Source: Mintz
  • Reid Health agreed to settle a class action lawsuit over allegations it used Meta Pixel tracking tools that disclosed patients’ protected health information without consent. The lawsuit, Jane Doe v. Reid Health, claimed the Richmond-based healthcare provider impermissibly shared patient data with third-party technologies through website tracking tools that collect information about user interactions, web pages visited, and searches performed. Reid Health denied any wrongdoing but chose to settle rather than face the costs and risks of continued litigation. Under the settlement terms, class members can claim a $25 cash payment and receive automatic enrollment in a medical shield product that protects against personal information misuse. Class members have until October 25, 2025, to object to the settlement, with claims due by December 24, 2025, and a final fairness hearing scheduled for December 9, 2025. Source: HIPAA Journal

Joint Ventures

Medicare Reimbursement

  • The Centers for Medicare & Medicaid Services issued final guidance for the 2028 implementation of the Inflation Reduction Act’s Drug Price Negotiation Program, marking the last year the agency must implement the program through guidance rather than rulemaking. The guidance establishes policies for Part B drugs to be selected for price negotiation for the first time, alongside Part D drugs, with CMS planning to select 15 drugs from the 50 highest-spending drugs in each category. CMS finalized most proposals but reversed course on treating certain fixed combination drugs as distinct qualifying single source drugs and will now include Medicare Advantage expenditure data in selection calculations. The agency shortened the negotiation timeline for 2028, giving manufacturers only six weeks for meetings instead of the previous two months. CMS concurrently issued revised Information Collection Request forms for small biotech exceptions and biosimilar delay requests, with public comments due by October 30, 2025. Source: Hogan Lovells

Mergers & Acquisitions

  • Healthcare transaction activity showed mixed results in early 2025 as political uncertainty and federal policy changes disrupted deal momentum. Deal values declined in the second quarter despite volume increases, with tariff threats and federal changes creating market uncertainty that caused investors to pull back. Dental practices dominated physician group transactions, accounting for over half of all deals in the first six months, while e-health transactions jumped from 124 deals in 2024 to 160 deals in the same 2025 period. Behavioral health deals increased from 34 to 54 transactions during the same timeframe, and hospital transactions cooled after elevated activity in 2024. Non-private equity investment reached 200 deals in the second quarter of 2025, marking the first time this threshold was crossed in 18 months. Source: CLA

Regenerative Medicine

  • The FDA issued draft guidance on September 20, 2025, establishing expedited review pathways for regenerative medicine therapies targeting serious conditions. The guidance will replace earlier FDA guidance from February 2019 and outlines how sponsors can utilize streamlined review processes for cell and gene therapies and other regenerative medicine products. The FDA has received almost 370 Regenerative Medicine Advanced Therapy (RMAT) designation requests as of September 2025 and approved 184, with 13 RMAT-designated products receiving marketing approval as of June 2025. The guidance emphasizes long-term safety monitoring for regenerative therapies and encourages sponsors to use digital health technologies for safety data collection and real-world evidence to support accelerated approval applications. The FDA is accepting public comments on the draft guidance through November 24, 2025. Source: Holland & Knight

Reproductive Rights

  • Texas Attorney General Paxton announced the arrest and indictment of eight people connected to a Houston-area midwife for practicing medicine without a license. At least one of the eight individuals is also accused of performing an abortion, while the midwife, Maria Margarita Rojas, 49, was previously charged in March with 15 felony counts including performance of an abortion and 12 counts of practicing medicine without a license. Rojas was the first person charged under the Texas Human Life Protection Act, and Paxton emphasized that the defendants include foreign nationals. Rojas’ attorney and the Center for Reproductive Rights are defending her, calling the case a sham and noting that her clinics served low-income, uninsured immigrants before being shut down. Texas law permits abortions only when a pregnant person faces risk of death or serious physical impairment, with providers facing penalties of at least $100,000, loss of medical licenses, and prison time for violations. Source: CNN
  • The US Court of Appeals for the Fifth Circuit dismissed an appeal that effectively ends HIPAA privacy protections for reproductive healthcare records. The court dismissed the appeal on September 10, 2025, following a June 2025 ruling in Purl v. Department of Health & Human Services that vacated provisions of the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The rule provided protection to protected health information related to reproductive healthcare services. The Biden Administration implemented the rule to protect reproductive healthcare records from disclosure following the 2022 Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization. The dismissal signals the conclusion of the Purl case and the end of these privacy protections. Source: American Bar Association
  • States are enacting reproductive health data privacy laws after a federal court struck down HIPAA protections. A Texas federal judge overturned the Reproductive Health Care Privacy rule in June 2025, which had amended HIPAA to impose restrictions on the use and disclosure of reproductive health information for criminal or administrative investigations. California, Washington, Virginia, and New York have implemented or are implementing their own laws that extend beyond traditional healthcare entities to cover fitness trackers, retailers, and tech companies that process health-related data. These state laws require explicit consent before collecting or sharing reproductive health information and impose penalties ranging from $2,500 per violation in Virginia to $250,000 per willful violation in California. The laws apply to organizations that may not consider themselves healthcare-oriented, including digital health companies, data brokers, and companies using geolocation data. Source: Troutman Pepper Locke

Tariffs & Taxation