340B
- HRSA has approved plans from 10 manufacturers to participate in the 340B Rebate Model Pilot Program, which will inform the development of future models consistent with the 340B statute. The participating manufacturers include Bristol Myers Squibb (Eliquis), Immunex Corporation (Enbrel), AstraZeneca (Farxiga), Pharmacyclics (Imbruvica), Merck Sharp Dohme (Januvia), Boehringer Ingelheim (Jardiance), Novo Nordisk (Novolog products and Fiasp products), Janssen Biotech (Stelara), Janssen Pharmaceuticals (Xarelto), and Novartis Pharmaceuticals (Entresto). Nine plans begin January 1, 2026, while Entresto begins April 1, 2026, and all use the Beacon platform for processing. Covered entities must purchase drugs through their 340B wholesaler accounts and request rebates after purchase, with manufacturers required to load WAC prices in those accounts. HRSA will audit both covered entities and manufacturers to ensure compliance with statutory requirements. Source: 340B Rebate Model Pilot Program | HRSA
Artificial Intelligence
- OpenAI prohibits its tools from providing professional advice without licensed oversight in updated Usage Policies. The company now bans use of ChatGPT, API services, and integrated products for tailored legal, medical, or financial advice unless a licensed professional is involved, and also prohibits facilitation of suicide, self-harm, or sexual violence content. The changes mirror policies Anthropic announced in August and align with state laws like California’s Assembly Bill 3030, which requires disclaimers on AI-generated patient communications, and Illinois’ Wellness and Oversight for Psychological Resources Act, which prohibits AI therapy without clinician oversight. Organizations deploying AI must now update governance frameworks, acceptable use policies, employee training, and consumer disclaimers to ensure human expertise oversees all professional recommendations. Companies should review integrations with OpenAI and other AI providers and prohibit inputting protected health information or trade secrets into public AI tools. Source: Baker Donelson
- Patients use AI chatbots for health information as an alternative to physicians. A 2024 KFF poll found that 17% of adults use AI chatbots at least once a month for health information and advice, with that figure rising to 25% among adults under age 30. Patients report using ChatGPT to interpret symptoms, explain lab results, and guide treatment decisions, citing long wait times, high costs, and dissatisfaction with clinical interactions as reasons for turning to the technology. Jennifer Tucker, a Wisconsin resident, said ChatGPT never rushes her out of conversations. However, a preprint study from Oxford University found that users rarely made correct diagnoses or identified appropriate next steps when using ChatGPT to assess symptoms, and researchers warn that chatbots can generate incorrect or unsafe advice. Source: Becker’s Hospital Review
Cybersecurity
- Healthcare organizations face a gap between cyber attack speed and detection capabilities. Hackers can access information in less than five hours after breaching a network, while organizations take an average of 235 days to detect a breach. Healthcare entities experience an average of two breaches per day that threaten personal health information. Commercial cybersecurity models using AI have achieved over 99% accuracy in detecting intrusions, malware, and phishing attacks, though AI will augment rather than replace cybersecurity professionals. Source: Healthcare Finance News
- Healthcare accounted for 23% of all data breaches in 2024, making it the most breached industry. A recent study analyzing over 1,000 global breach cases found healthcare breaches increased from 18% in 2023, surpassing finance, professional services, and retail sectors. The HIPAA Journal reported 184,111,469 records were breached in 2024, representing a 9.4% increase from the prior year. UnitedHealth Group paid $22 million in ransom after a February attack on its Change Healthcare subsidiary compromised the personal information of 100 million people. The sector’s vulnerability is attributed to interconnected systems spanning multiple entities and the human factor of multiple users accessing systems. Source: IT Brew
- Doctor Alliance is investigating a claim that a hacker stole 353 GB of data containing 1.24 million files from the Dallas-based healthcare billing services provider. A hacker using the name Kazu posted the claim on an underground forum around November 7, 2025, demanding a $200,000 ransom by November 21, 2025, and threatening to sell the data if payment is not made. A 200 MB sample posted by the hacker contains patient names, addresses, phone numbers, email addresses, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. Doctor Alliance confirmed that an unauthorized individual accessed a single client account and that the vulnerability was remediated, but the company has not confirmed whether data was stolen and has engaged cybersecurity experts to investigate. Multiple class action lawsuits have been filed in the United States District Court for the Northern District of Texas against Doctor Alliance and one of its clients, Prima Care, with plaintiffs asserting claims of negligence, breach of contract, and breach of fiduciary duty. Source: HIPAA Journal
Drugs & Devices
- The FDA Office of Combination Products revised its Pre-RFD guidance in November 2025 to establish more structure for sponsors seeking non-binding feedback on product classification. The revision replaces the 2018 guidance and creates a formal two-tier meeting framework with informational meetings held within six weeks and explanatory meetings within two weeks. Sponsors must now provide more details about product components, including sources, regulatory history, and concentrations, and limit submissions to 15-20 pages. The guidance instructs sponsors to exhaust other FDA resources before submitting a Pre-RFD and clarifies that the 60-day review period begins after OCP acknowledges acceptance of the submission. Sponsors must incorporate responses to OCP questions into revised Pre-RFD submissions using tracked-changes and clean versions rather than supplements. Source: Hogan Lovells
- Healthcare organizations face multiple barriers when integrating data from EHRs, wearables, and patient-reported sources into unified systems. The obstacles include different data formats, lack of interoperability between systems, inconsistent terminologies and coding standards, and security concerns that expose organizations to breaches and regulatory penalties. Data quality problems arise during system consolidations and EHR transitions, with organizations maintaining a benchmark of keeping duplicate patient records below one percent. Cloud-native platforms can connect pharmacy systems across enterprises, while AI and large language models convert unstructured data from clinician notes and PDFs into structured information. Wearables generate high volumes of data that can overwhelm workflows unless prefiltered to identify signals that matter for care. Source: Healthcare IT Today
- AI systems collect data on conversations, emotions, locations, and thoughts, creating risks as companies develop wearable devices that track users in real time. OpenAI’s CEO has stated a vision for AI systems that access every conversation, email, and book a person has encountered throughout their life. AI chatbots pose as therapists to collect personal information, with some users dying by suicide after these interactions, while therapy and companionship represent the top self-reported use case for AI in 2025. Data portability offers a potential solution by allowing users to store information in personal data wallets or pods controlled by local AI assistants rather than companies. Laws like GDPR and CCPA struggle to address AI-era data collection challenges. Source: Fast Company
- Senator Bill Cassidy (R-LA) introduced the Health Information Privacy Reform Act (HIPRA) to extend privacy protections to health data collected by wearables and health apps. The bill creates a category called Applicable Health Information (AHI) that includes identifiable data about health or healthcare not created by healthcare providers, health plans, or clearinghouses. HIPRA would apply to “regulated entities” that determine how AHI is processed and “service providers” that process AHI on their behalf, with tech companies and app developers in scope while government agencies and HIPAA-covered entities remain excluded. The Department of Health and Human Services would develop privacy, security, and breach standards for AHI in consultation with the FTC, and regulated entities would need to obtain permission before selling AHI. The law would take effect one year after enactment and would preempt weaker state laws while using HIPAA’s civil penalty framework for enforcement. Source: Alston & Bird Privacy, Cyber & Data Strategy Blog
Fraud & Abuse
- Aesculap Implant Systems agreed to pay $38.5 million to resolve allegations that it sold knee implants it knew would fail at an unacceptable rate. The Justice Department alleged that between July 2010 and June 2023, the orthopedic and spine device maker sold Vega-brand prosthetic implants that became loose after surgery because bone cement did not properly adhere to the implants, resulting in false claims to Medicare and Medicaid. The settlement also resolves allegations that Aesculap violated the Anti-Kickback Statute by paying a physician consulting fees, international travel, and entertainment to use the knee implant devices. The company entered into a non-prosecution agreement for distributing two medical devices without FDA clearance. As of April 2024, Aesculap ceased all knee replacement device sales in the U.S. Source: Becker’s Spine Review
- A 51-year-old Baltimore County woman received a 38-month federal prison sentence for impersonating nurses at more than 40 Maryland healthcare facilities between September 2019 and August 2023. The woman, a certified medical assistant with no nursing license, used stolen identities and fabricated credentials to work as both a registered nurse and licensed practical nurse. She pleaded guilty in August to making false statements in healthcare matters and aggravated identity theft after forging a physician’s signature on a controlled substance prescription for Tramadol. The court ordered her to repay $145,000 in restitution, representing wages she earned while the facilities billed Medicare and Medicaid for her services. Healthcare fraud prosecutions rose nearly 20% between FY 2020 and FY 2024, with factors including technology advances, data breaches, and staffing agency use contributing to the increase. Source: Nurse.Org
Hospitals
- The Joint Commission will implement its Accreditation 360 model on January 1, 2026, removing more than 700 standards from the hospital accreditation framework while maintaining core expectations. The organization will make its standards publicly available without requiring a paid subscription and will introduce 14 national performance goals that replace the former national patient safety goals. The initiative includes the Survey Analysis for Evaluating Risk (SAFER) matrix with enhanced details and a new Survey Analysis for Evaluating Strengths (SAFEST) program to highlight what organizations do well. The Joint Commission will also launch an optional Continuous Engagement model that provides voluntary touchpoints between traditional three-year survey cycles. Nurse staffing becomes national performance goal 12, placing expectations on nursing governance, executive oversight, and the role of nurse executives in hospital leadership decisions. Source: McDermott Will & Emery
- Hospitals face compliance challenges when compensating provider groups for unassigned patient care, requiring precise definitions and cost segregation to maintain fair market value standards. Compensation for unassigned care must correlate to the direct burden of providing care solely to unassigned patients, with risk arising when payment arrangements fail to separate costs and revenue between assigned and unassigned patient panels. Valuation requires three metrics: direct time allocation, resource intensity, and coverage requirements, with cost segregation serving as the cornerstone of compliance. Stark Law and Anti-Kickback Statute compliance demand demonstration that subsidies reflect market conditions rather than inducement for referrals, requiring market-based justification and documentation of business purposes. Organizations must conduct periodic reviews of unassigned patient volumes, annual reassessment of market conditions, and regular evaluation of resource utilization to maintain compliance. Source: VMG Health
Medicare
- CMS established a mandatory payment model for specialists treating low back pain and heart failure that runs from January 1, 2027 through December 31, 2033. The Ambulatory Specialty Model applies to individual clinicians who bill under Medicare Physician Fee Schedule, have specialty codes in Cardiology, Anesthesiology, Interventional Pain Management, Neurosurgery, Orthopedic Surgery, Pain Management, Physical Medicine or Rehabilitation, treat at least 20 episodes of either condition two years before the performance year, and practice in select geographic areas. CMS will measure performance across four categories—quality, cost, improvement activities, and promoting interoperability—with quality and cost each weighted at 50 percent of the final score. Medicare Part B payments will be adjusted using a payment multiplier calculated from each clinician’s performance score. Clinicians cannot opt out of participation if they meet the criteria, and participants will be exempt from MIPS reporting during ASM performance years. Source: BakerHostetler
Part 2, Substance Abuse
Workforce
- States are expanding scope-of-practice rules for nurse practitioners and physician assistants to address workforce shortages projected to continue through the next decade. California began issuing 103 NP certifications in 2023 under Assembly Bill 890, which permits nurse practitioners to practice independently within hospitals and clinics, and expects to open applications for 104 NP certifications in 2026, which will allow full independence after three years of 103-level experience. California also enacted AB 1501, effective January 1, 2026, increasing the physician-to-PA supervision ratio from 1:4 to 1:8. New York extended its NP autonomy model in 2025, exempting nurse practitioners with at least 3,600 hours of practice from maintaining written collaborative agreements with physicians through July 2026. Meanwhile, federal minimum nurse staffing standards issued by CMS in April 2024 were vacated by a district court in April 2025 and Congress enacted a ten-year enforcement moratorium in July 2025, leaving state-level staffing laws as the enforceable requirements. Source: Healthcare Law Blog
- Ambient AI scribes reduced physician burnout by 74% in a study of 263 clinicians across six health care systems. The Yale-led research, published in JAMA Network Open, examined physicians and advanced practice practitioners who used the Abridge ambient AI scribe for 30 days in ambulatory settings. Burnout rates dropped from 51.9% to 38.8%, while clinicians reported improvements in cognitive load and ability to focus on patients. The AI scribes transcribe patient-clinician conversations and generate visit notes, saving clinicians about an hour each day according to a companion study. Source: Yale Daily News