340B
- HRSA has finalized the 340B Rebate Model Pilot Program with nine manufacturers approved to participate starting January 1, 2026. The approved manufacturers include Bristol Myers Squibb, Immunex Corporation, AstraZeneca AB, Pharmacyclics, Merck Sharp & Dohme, Boehringer Ingelheim, Novo Nordisk Inc., Janssen Biotech, Inc., and Janssen Pharmaceuticals, Inc., each participating with specific drugs and all using Beacon as their service platform. Manufacturers will issue rebates at the unit level calculated as WAC minus the 340B ceiling price based on the date of service, and may request limited medical claims data in addition to pharmacy claims fields. HRSA advises covered entities to replenish accumulations for affected drugs before the January 1, 2026, effective date and requires manufacturers to provide covered entities at least 60 days advance notice before any additional rebate plans become effective. The pilot shifts from upfront discounting to post-dispense rebates for the approved drugs. Source: Husch Blackwell
Artificial Intelligence
- The Joint Commission and the Coalition for Health AI released guidance in September 2025 to help healthcare organizations manage AI systems. The guidance outlines seven elements including governance structures, patient privacy protections, data security, quality monitoring, safety event reporting, bias assessment, and workforce training. Healthcare organizations should establish AI oversight committees with members from compliance, IT, clinical operations, and data privacy. Texas will require healthcare providers to disclose AI use to patients starting January 1, 2026, under House Bill 149. Organizations must ensure AI tools comply with HIPAA and conduct performance evaluations to detect bias and maintain accuracy across patient populations. Source: Parker Poe
- Healthcare providers must implement a five-pillar framework to ensure AI compliance amid new regulations. The ONC HTI-1 Final Rule and HHS 2025 AI Strategic Plan require transparency in AI systems, while California AB 489 prohibits AI from using titles or language suggesting licensure as professionals. Practices must secure Business Associate Agreements that cover downstream subcontractors, request algorithm transparency data on training sources and demographic performance, and establish policies distinguishing administrative AI use from clinical decision-making. Tools processing clinical conversations require explicit patient consent beyond passive disclosure, and all AI-generated output affecting patient care must undergo review by licensed professionals with audit trail documentation. The HHS promotes AI systems that meet FAVES standards: Fair, Appropriate, Valid, Effective, and Safe. Source: Medical Economics
Breach Notification
- Conduent Business Solutions faces at least nine proposed class action lawsuits in New Jersey federal court following an October 2024 data breach that affected 10.52 million people. The New Jersey-based company, which Xerox spun off in 2017 and generates $3.4 billion in revenue, discovered that an unauthorized party accessed its network between Oct. 21, 2024, and Jan. 13, 2025, compromising files containing names, Social Security numbers, medical information, and health insurance information. Affected clients include Blue Cross Blue Shield of Montana, Blue Cross Blue Shield of Texas, Humana, Premera Blue Cross, and the Wisconsin Department of Children and Families. Ransomware gang SafePay claimed responsibility in February and threatened to publish 8.5 terabytes of stolen data. Montana state regulators are investigating why the insurer waited nearly 10 months to notify 462,000 affected members. Source: Bank Info Security
Compliance Programs
- The Office of Inspector General has outlined seven elements that medical practices must implement to establish a compliance program. Organizations must develop written policies and procedures, appoint a compliance officer and committee, provide ongoing training to all staff, and maintain open communication channels for reporting concerns. The framework requires regular monitoring and auditing of operations such as billing and coding, enforcement of standards through discipline, and prompt investigation and correction of violations. Compliance programs create accountability among staff from front office personnel to providers and administrators. A compliance infrastructure can increase the value of a practice to potential buyers and partners. Source: Stevens & Lee
Drugs & Devices
- The FDA issued guidance in June 2025 establishing cybersecurity requirements for medical devices that create enforcement risk under the False Claims Act. The guidance interprets Section 524B of the Federal Food, Drug, and Cosmetic Act, which defines “cyber devices” as any device containing software or connectivity capabilities such as Wi-Fi or Bluetooth. The FDA can now deny premarket authorization based solely on cybersecurity deficiencies, and failing to maintain cybersecurity processes constitutes a prohibited act under the law. The Department of Justice recently settled with Illumina Inc. over cybersecurity violations under the False Claims Act, demonstrating that noncompliance may lead to investigations and civil enforcement. Manufacturers must integrate cybersecurity considerations from the earliest stages of product development and maintain monitoring throughout the device lifecycle. Source: Morgan Lewis
- The FDA proposed eliminating comparative efficacy studies for biosimilar approval on October 29, 2025. The draft guidance suggests that comparative analytical assessments of protein structure, physicochemical, and functional attributes can replace clinical studies with efficacy endpoints for therapeutic protein products such as antibodies. FDA justifies this shift by citing accumulated experience and the sensitivity of current analytical technologies, which the agency says can detect differences between biosimilars and reference products more effectively than clinical studies. The proposal applies when products are manufactured from clonal cell lines, are well-characterized, the relationship between quality attributes and clinical efficacy is understood, and human pharmacokinetic similarity studies are feasible. Source: Jones Day
False Claims Act
Gender-Affirming Care
HIPAA
- A group of five Delaware nursing homes owned by Cadia Healthcare was penalized $182,000 for HIPAA violations. The facilities posted patient “success” stories on websites and social media without obtaining consent from the residents. These posts, which occurred between 2022 and 2024, disclosed the names, photos, diagnoses, and therapy details of 150 patients. Information was taken directly from medical records by the marketing team. In addition to the fine, the company must institute mandatory HIPAA training, revise its policies, undergo annual audits, and hire a privacy officer. Source: Nurse.Org
Medicaid
- CMS will implement a payment model to align Medicaid drug prices with those in other countries. The GENEROUS Model, launching in January 2026, will allow participating states to purchase drugs at prices aligned with select other countries through CMS-led negotiations with manufacturers. Medicaid spent more than $100 billion on prescription drugs in 2024, with net spending at $60 billion after rebates. The program will run for five years and is optional for both manufacturers and states. CMS released a Request for Applications for manufacturers and will collect letters of intent from state Medicaid agencies. Source: CMS.gov
Physician Fee Schedule
- The Centers for Medicare & Medicaid Services (CMS) finalized its 2026 Physician Fee Schedule Final Rule, adopting several changes to drug pricing calculations and reporting that will become effective on January 1, 2026. The rule requires manufacturers to include Maximum Fair Price (MFP) units in Average Sales Price (ASP) calculations and mandates the submission of “reasonable assumptions” and compliance certifications for new contracts. While a new definition for “bundled sale” arrangements was finalized, CMS did not finalize several other proposals, including new standards for bona fide service fees (BFSFs) and specific Fair Market Value (FMV) methodologies. For Medicare inflation rebates, the agency finalized a claims-based method to exclude 340B units from Part D calculations and will establish a voluntary 340B claims data repository. Additionally, the payment methodology for most skin substitutes is changed, making ASP reporting voluntary for their manufacturers. Source: Hogan Lovells
Reproductive Rights
- The Texas Supreme Court has rejected a challenge to the state’s abortion law regarding its medical exceptions. The lawsuit was filed by women who experienced pregnancy complications and aimed to force more clarity on when doctors can perform an abortion, not to overturn the ban. Plaintiffs argued the law’s exemptions are vaguely written, causing confusion and fear of liability among doctors. A lower court had granted a temporary injunction to protect doctors using their “good faith judgment,” but an appeal from the Texas attorney general’s office immediately blocked it. The state’s high court, whose nine justices are all Republicans, upheld the ban and stated that Texas law already “permits a life-saving abortion.” Source: KFOX14
- The Center for Reproductive Rights filed a lawsuit in federal court on October 5, 2021, seeking to consolidate three state court cases against Dr. Alan Braid, a Texas physician who provided abortion care in violation of S.B. 8. Dr. Braid, owner and medical director of Alamo Women’s Reproductive Services in San Antonio, performed an abortion on September 6 for a woman who was in her first trimester but beyond the six-week limit imposed by the Texas law. Three plaintiffs filed lawsuits against Dr. Braid under S.B. 8, which awards a minimum $10,000 bounty to individuals who successfully sue abortion providers or anyone who “aids and abets” an abortion after six weeks. The Center used a federal interpleader action to ask the U.S. District Court for the Northern District of Illinois to require all three plaintiffs to pursue their claims in one proceeding and to declare the law unconstitutional. Approximately 85 to 90 percent of people who obtain abortion services in Texas are at least six weeks into pregnancy. Source: Center for Reproductive Rights
Rural Hospitals
- Texas has applied for $1 billion in federal funding to address rural health care needs through its “Rural Texas Strong” project. The application to the federal Rural Health Transformation program requests $200 million annually for five years for initiatives like recruiting workers and upgrading hospital equipment. The national program will distribute $10 billion yearly, with half awarded based on states’ “rural factors,” such as Texas’s 4.3 million rural residents and 195 fully rural counties. The Centers for Medicare and Medicaid Services (CMS) will review the application and is required to announce awards by the end of 2025. Funding distribution is expected to start in January. Source: KERA News
Weight Loss and GLP-1
- Deals announced by President Donald Trump with Eli Lilly and Novo Nordisk will lower the prices of GLP-1 obesity drugs. The agreements reduce prices for Medicare and Medicaid beneficiaries and offer the drugs directly to consumers at a discount via a website called TrumpRx.gov, which launches in January 2026. For the first time, Medicare will begin covering obesity drugs in mid-2026 through a pilot program, with eligible patients paying a $50 monthly copay. Upcoming pills will cost $149 per month through the programs, while starting doses of existing injections will be $350 per month on TrumpRx. This initiative is part of the administration’s “most favored nation” policy to align U.S. drug costs with lower prices available abroad. Source: cnbc.com