Categories
Health Law Highlights

Wade’s Health Law Highlights for November 25, 2025

340B

  • HRSA has approved plans from 10 manufacturers to participate in the 340B Rebate Model Pilot Program, which will inform the development of future models consistent with the 340B statute. The participating manufacturers include Bristol Myers Squibb (Eliquis), Immunex Corporation (Enbrel), AstraZeneca (Farxiga), Pharmacyclics (Imbruvica), Merck Sharp Dohme (Januvia), Boehringer Ingelheim (Jardiance), Novo Nordisk (Novolog products and Fiasp products), Janssen Biotech (Stelara), Janssen Pharmaceuticals (Xarelto), and Novartis Pharmaceuticals (Entresto). Nine plans begin January 1, 2026, while Entresto begins April 1, 2026, and all use the Beacon platform for processing. Covered entities must purchase drugs through their 340B wholesaler accounts and request rebates after purchase, with manufacturers required to load WAC prices in those accounts. HRSA will audit both covered entities and manufacturers to ensure compliance with statutory requirements. Source: 340B Rebate Model Pilot Program | HRSA

Artificial Intelligence

  • OpenAI prohibits its tools from providing professional advice without licensed oversight in updated Usage Policies. The company now bans use of ChatGPT, API services, and integrated products for tailored legal, medical, or financial advice unless a licensed professional is involved, and also prohibits facilitation of suicide, self-harm, or sexual violence content. The changes mirror policies Anthropic announced in August and align with state laws like California’s Assembly Bill 3030, which requires disclaimers on AI-generated patient communications, and Illinois’ Wellness and Oversight for Psychological Resources Act, which prohibits AI therapy without clinician oversight. Organizations deploying AI must now update governance frameworks, acceptable use policies, employee training, and consumer disclaimers to ensure human expertise oversees all professional recommendations. Companies should review integrations with OpenAI and other AI providers and prohibit inputting protected health information or trade secrets into public AI tools. Source: Baker Donelson
  • Patients use AI chatbots for health information as an alternative to physicians. A 2024 KFF poll found that 17% of adults use AI chatbots at least once a month for health information and advice, with that figure rising to 25% among adults under age 30. Patients report using ChatGPT to interpret symptoms, explain lab results, and guide treatment decisions, citing long wait times, high costs, and dissatisfaction with clinical interactions as reasons for turning to the technology. Jennifer Tucker, a Wisconsin resident, said ChatGPT never rushes her out of conversations. However, a preprint study from Oxford University found that users rarely made correct diagnoses or identified appropriate next steps when using ChatGPT to assess symptoms, and researchers warn that chatbots can generate incorrect or unsafe advice. Source: Becker’s Hospital Review

Cybersecurity

  • Healthcare organizations face a gap between cyber attack speed and detection capabilities. Hackers can access information within less than five hours after breaching a network, while organizations take an average of 235 days to detect a breach. Healthcare entities experience an average of two breaches per day that threaten personal health information. Commercial cybersecurity models using AI have achieved over 99% accuracy in detecting intrusions, malware, and phishing attacks, though AI will augment rather than replace cybersecurity professionals. Source: Healthcare Finance News
  • Healthcare accounted for 23% of all data breaches in 2024, making it the most breached industry. A recent study analyzing over 1,000 global breach cases found healthcare breaches increased from 18% in 2023, surpassing finance, professional services, and retail sectors. The HIPAA Journal reported 184,111,469 records were breached in 2024, representing a 9.4% increase from the prior year. UnitedHealth Group paid $22 million in ransom after a February attack on its Change Healthcare subsidiary compromised the personal information of 100 million people. The sector’s vulnerability is attributed to interconnected systems spanning multiple entities and the human factor of multiple users accessing systems. Source: IT Brew.
  • Doctor Alliance is investigating a claim that a hacker stole 353 GB of data containing 1.24 million files from the Dallas-based healthcare billing services provider. A hacker using the name Kazu posted the claim on an underground forum around November 7, 2025, demanding a $200,000 ransom by November 21, 2025, and threatening to sell the data if payment is not made. A 200 MB sample posted by the hacker contains patient names, addresses, phone numbers, email addresses, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. Doctor Alliance confirmed that an unauthorized individual accessed a single client account and that the vulnerability was remediated, but the company has not confirmed whether data was stolen and has engaged cybersecurity experts to investigate. Multiple class action lawsuits have been filed in the United States District Court for the Northern District of Texas against Doctor Alliance and one of its clients, Prima Care, with plaintiffs asserting claims of negligence, breach of contract, and breach of fiduciary duty. Source: HIPAA Journal

Drugs & Devices

Fraud & Abuse

Hospitals

Medicare

  • CMS established a mandatory payment model for specialists treating low back pain and heart failure that runs from January 1, 2027 through December 31, 2033. The Ambulatory Specialty Model applies to individual clinicians who bill under Medicare Physician Fee Schedule, have specialty codes in Cardiology, Anesthesiology, Interventional Pain Management, Neurosurgery, Orthopedic Surgery, Pain Management, Physical Medicine or Rehabilitation, treat at least 20 episodes of either condition two years before the performance year, and practice in select geographic areas. CMS will measure performance across four categories—quality, cost, improvement activities, and promoting interoperability—with quality and cost each weighted at 50 percent of the final score. Medicare Part B payments will be adjusted using a payment multiplier calculated from each clinician’s performance score. Clinicians cannot opt out of participation if they meet the criteria, and participants will be exempt from MIPS reporting during ASM performance years. Source: BakerHostetler

Part 2, Substance Abuse

Workforce

  • States are expanding scope-of-practice rules for nurse practitioners and physician assistants to address workforce shortages projected to continue through the next decade. California began issuing 103 NP certifications in 2023 under Assembly Bill 890, which permits nurse practitioners to practice independently within hospitals and clinics, and expects to open applications for 104 NP certifications in 2026, which will allow full independence after three years of 103-level experience. California also enacted AB 1501, effective January 1, 2026, increasing the physician-to-PA supervision ratio from 1:4 to 1:8. New York extended its NP autonomy model in 2025, exempting nurse practitioners with at least 3,600 hours of practice from maintaining written collaborative agreements with physicians through July 2026. Meanwhile, federal minimum nurse staffing standards issued by CMS in April 2024 were vacated by a district court in April 2025 and Congress enacted a ten-year enforcement moratorium in July 2025, leaving state-level staffing laws as the enforceable requirements. Source: Healthcare Law Blog
  • Ambient AI scribes reduced physician burnout by 74% in a study of 263 clinicians across six health care systems. The Yale-led research, published in JAMA Network Open, examined physicians and advanced practice practitioners who used the Abridge ambient AI scribe for 30 days in ambulatory settings. Burnout rates dropped from 51.9% to 38.8%, while clinicians reported improvements in cognitive load and ability to focus on patients. The AI scribes transcribe patient-clinician conversations and generate visit notes, saving clinicians about an hour each day according to a companion study. Source: Yale Daily News