340B
- A federal district court has blocked the Health Resources and Services Administration from implementing a 340B Rebate Model Pilot Program, days before its January 1, 2026 start date. The court found HRSA likely violated the Administrative Procedure Act by failing to build an adequate administrative record, provide reasoning for the program’s design, or consider the $400 million in compliance costs of a model that would have required safety-net providers to pay full price for drugs and then claim rebates, instead of receiving upfront discounts. The American Hospital Association, Maine Hospital Association, and four safety-net providers filed the lawsuit on December 1, 2025, arguing the program bypassed required procedures and would disrupt patient care. The nationwide preliminary injunction prompted the federal government to appeal to the First Circuit, while drug manufacturers including AbbVie, AstraZeneca, and Novo Nordisk separately appealed the court’s denial of their intervention motions. Source: Health Law Diagnosis
AI Legislation
- Health AI policy activity surged in 2025 with 47 states introducing over 250 bills affecting health care, resulting in 33 laws enacted across 21 states. Legislation focused on AI chatbots for mental health, clinical care applications, transparency requirements, payor use of AI, and testing through “AI Sandboxes.” Congress passed H.R. 1 with the Rural Health Transformation Fund supporting AI-enabled systems after removing a provision that would have blocked state AI enforcement for up to ten years. On December 11th, President Trump issued an Executive Order directing federal agencies to challenge state AI laws and develop a national standard, though only Congress can preempt state laws. CMS promoted AI adoption in Medicare and Medicaid through payment strategy comments and information requests, while CMMI launched the ACCESS Model and FDA published the TEMPO Pilot for digital health devices targeting chronic conditions. Source: Manatt Health: Health AI Policy Tracker
- Texas physicians must disclose when they use AI systems for patient care under two new state laws that impose penalties ranging from $5,000 to $250,000 per violation. Senate Bill 1188, which took effect September 1, requires physicians who use AI for diagnostic purposes to disclose such use to patients and review all AI-created records according to medical records standards. House Bill 149, effective January 1, 2026, mandates that providers inform patients or their representatives when they interact with an AI system through written disclosures in plain language. Both laws allow for license suspension or revocation for violations, with the Texas attorney general holding enforcement authority for HB 149 after providing violators 60 days to cure alleged violations. Physicians must also ensure AI vendors handling protected health information sign business associate agreements under existing HIPAA regulations, and should verify whether vendors use patient data for model training or sales purposes. Source: Texas Medical Association
Clinical Laboratories
Employers
- Healthcare employers face increased whistleblower and retaliation claim risks as AI tools integrate into clinical labs and diagnostics. Employees who report concerns about AI use may be protected under existing laws including the Occupational Safety and Health Act, HIPAA, the False Claims Act, and state whistleblower statutes. Congress is considering the bipartisan AI Whistleblower Protection Act (S.1792, H.R.3460), introduced on May 15, 2025, by Senators Chuck Grassley and Chris Coons and Representatives Jay Obernolte and Ted Lieu, which would prohibit retaliation against employees and contractors who report AI security vulnerabilities or violations. A case pending in the US District Court for the Northern District of California, Sloan v. Verily Life Sciences LLC, involves a former executive alleging retaliation after reporting HIPAA breaches involving unauthorized use of patient data by AI systems. The Trump administration issued an Executive Order titled “Ensuring a National Policy Framework for Artificial Intelligence” to establish a national AI policy framework and preempt conflicting state AI laws. Source: K&L Gates
Data Privacy
- Healthcare data breaches cost an average of $9.8 million in 2025, marking the 14th consecutive year the sector led all industries in breach expenses. The American Hospital Association’s 2026 Environmental Scan found that healthcare breaches took 279 days to identify and contain, five weeks longer than other industries. The report attributed these costs and delays to gaps in governance and oversight, particularly around artificial intelligence. Data showed that 97% of AI-related security breaches occurred in systems without proper access controls, and most organizations lacked policies to regulate shadow AI—tools adopted without formal approval or oversight. Source: Becker’s Hospital Review
- Healthcare data breaches in 2025 affected nearly 57 million individuals across 642 reported incidents, marking a 13.5% reduction from 2024’s record numbers. The Department of Health and Human Services Office for Civil Rights breach portal shows 15 breaches affected more than 500,000 individuals each, with Aflac experiencing the largest breach at 22.65 million individuals globally, followed by Conduent Business Services at 10.52 million and Yale New Haven Health System at 5.56 million. Many breaches resulted from ransomware attacks and unauthorized network access, compromising names, Social Security numbers, medical information, and health insurance data. The figures may increase due to reporting delays caused by a 43-day government shutdown that created a backlog at the OCR breach portal. Yale New Haven Health settled related class action lawsuits for $18 million, while Medusind agreed to a $5 million settlement. Source: HIPAA Journal
- Blockchain and AI technologies are transforming healthcare data management by addressing data silos, privacy concerns, and security breaches. Blockchain provides security, transparency, and decentralization through unalterable records stored across multiple nodes, while AI enables predictive analytics, automation, and medical imaging analysis. The combined technologies enable secure data sharing for research, fraud detection in billing, drug development security, and patient control over medical records. Applications in 2025 span hospitals, pharmaceuticals, insurance companies, wearable devices, and public health authorities for uses including diagnosis, clinical trials, claim verification, and outbreak prediction. Challenges include balancing data privacy with blockchain transparency, regulatory barriers, integration costs, AI model bias, and scalability for processing millions of records. Source: Blockchain Council
Fraud & Abuse
- Healthcare fraud enforcement intensified in 2025 as the Department of Justice conducted the largest healthcare fraud takedown in its history through “Operation Gold Rush” and restructured its civil enforcement apparatus by creating the Enforcement & Affirmative Litigation Branch in September. The DOJ entered into its first non-prosecution agreement related to artificial intelligence involving a Medicare Advantage organization that used a platform to drive enrollments through pharmacists in exchange for kickbacks. Cybersecurity failures led to False Claims Act liability in settlements with a genomic sequencing technology company and a federal managed care contractor, neither of which involved actual data breaches. The government secured multiple settlements targeting speaker programs, medical device manufacturers, and digital health platforms, while 2025 delivered several FCA trials including cases against CVS/Omnicare, CVS Caremark, SuperValu, Novo Nordisk, and others. State attorneys general increased enforcement activity and several states including Massachusetts, Connecticut, and Maine introduced reporting and oversight requirements on private equity healthcare acquisitions. Source: White & Case LLP
- The False Claims Act imposes time limits on government enforcement actions that depend on when officials discover alleged fraud, with claims generally barred after 6 years from the violation or 3 years from discovery. Under 31 U.S.C. § 3731(b), the statute applies whichever period occurs last, allowing the government to file claims more than 6 years after a violation if fraud was discovered late, though a 10-year statute of repose creates an absolute deadline. Courts remain divided on whether the “last overt act rule” from criminal conspiracy law applies to civil FCA conspiracy claims, with some district courts holding that the limitations period runs from the date of the last overt act in furtherance of the conspiracy. The Second Circuit rejected this approach in Blusal Meats, Inc. v. United States (1987) and district courts in that circuit have continued to decline applying the rule as recently as 2020. Other federal circuits have not addressed the issue, leaving litigants to navigate conflicting interpretations when evaluating statute of limitations defenses. Source: Epstein Becker Green
- Dr. Mark Malone and Advanced Pain Care agreed to pay $13,625,000 to resolve allegations of submitting false claims for urine drug testing to federal and state healthcare programs. The United States alleged that the pain management practice submitted false claims to Medicare, Medicaid, TRICARE, the Federal Employees Health Benefits Program, and the Department of Veterans Affairs by conducting concurrent presumptive and definitive urine drug tests on the same patient without reviewing presumptive results to determine if definitive testing was medically necessary. The settlement covers alleged false claims from January 3, 2017, to December 31, 2021. Advanced Pain Care entered into a five-year Corporate Integrity Agreement requiring the practice to maintain a compliance program and hire an Independent Review Organization to review claims. The settlement resolves five separate lawsuits filed under the qui tam provisions of the federal False Claims Act and the Texas Health Care Program Fraud Prevention Act. Source: U.S. Attorney’s Office, Western District of Texas
- The Department of Health and Human Services Office of Inspector General is soliciting proposals for new or modified safe harbor provisions under the Federal anti-kickback statute and for new Special Fraud Alerts. The annual notification, required by Section 205 of HIPAA, seeks recommendations to develop regulations that protect certain payment and business practices from sanctions under the Federal anti-kickback statute, which prohibits offering or receiving remuneration to induce referrals for items or services reimbursable under Federal health care programs. Violations constitute felonies punishable by fines up to $100,000 and imprisonment up to 10 years. The agency will evaluate proposals based on factors including access to health care services, quality of care, patient choice, competition among providers, costs to Federal programs, potential overutilization, and the ability to serve medically underserved populations. Stakeholders can submit comments electronically at regulations.gov or by mail to OIG using file code OIG-1125-N. Source: Federal Register
HIPAA
- HIPAA does not prohibit healthcare providers from storing or accessing protected health information outside the United States, though covered entities remain liable for breaches by offshore vendors. Providers must enter compliant business associate agreements, implement safeguards, and ensure minimum access, but regulators face limitations in pursuing offshore entities when data is mishandled. CMS requires Medicare Advantage and Part D plans to obtain attestations from offshore subcontractors handling beneficiary information, with obligations flowing to network providers. States impose restrictions that vary: Texas prohibits work performance and data maintenance outside the US through its Uniform Managed Care Contract, Ohio bars executive agencies from contracting for offshore services, and Florida prohibits certain providers from storing electronic health records outside the US, its territories, or Canada. Providers should inventory data flows, map payer obligations, screen for state mandates, strengthen contracts with encryption and audit requirements, and conduct annual security audits of offshore subcontractors. Source: Shumaker, Loop & Kendrick, LLP
- Healthcare providers must update their Notice of Privacy Practices by February 16, 2026 to comply with changes to the HIPAA Privacy Rule. The changes align HIPAA with revised regulations governing substance use disorder records under 42 CFR part 2. Covered entities that create or maintain substance use disorder records must notify patients that use or disclosure of such records for treatment, payment, or healthcare operations generally requires written consent, unlike other protected health information. The updated notices must also include statements about limits on using substance use disorder treatment records in legal proceedings and provide opt-out opportunities for fundraising communications involving such records. Covered entities may ignore requirements related to the Reproductive Health Rule, which was struck down by a federal court. Source: Holland & Hart LLP
- The proposed Health Information Privacy Reform Act would extend HIPAA-style privacy, security, and breach obligations to consumer health companies that currently operate outside traditional regulatory coverage. The legislation would apply to smartwatches, wearables, health and wellness apps, life science companies with patient apps, retail clinics, data vendors, and employer wellness programs that process health information. HIPRA defines “applicable health information” as data that identifies or is reasonably linkable to an individual and relates to health status, care, or payment, regardless of whether the data originated with a HIPAA covered entity. The law would require regulated entities to implement privacy rules, administrative and technical safeguards aligned with NIST standards, and breach notification procedures. HHS would enforce HIPRA in consultation with the FTC using HIPAA’s tiered civil penalty structure, while state laws would remain in effect if they provide greater protections. Source: Keating Muething & Klekamp PLL
Medicare Reimbursement
- CMS proposed two mandatory payment models that would replace inflation-based Medicare rebates with rebates benchmarked to international drug prices. The GLOBE Model would apply to select Medicare Part B products starting October 1, 2026, while the GUARD Model would apply to Medicare Part D products starting January 1, 2027. Both models would use pricing data from 20 reference countries including Australia, Canada, France, Germany, Japan, and the United Kingdom, with benchmarks calculated through either existing international pricing data sources or manufacturer-submitted data. The models would run for seven years and apply to approximately 25% of Medicare beneficiaries in randomly selected geographic areas, with drugs already subject to the Medicare Drug Price Negotiation Program excluded. Manufacturers who fail to pay calculated rebates would face civil monetary penalties equal to 125 percent of the assessed rebate amount, and public comments on the models are due February 23, 2026. Source: Ropes & Gray LLP
- CMS finalized a 2.6% payment rate increase for hospital outpatient and ambulatory surgery centers for calendar year 2026. The Centers for Medicare & Medicaid Services released the final rule on November 21, 2025, calculating the increase from a 3.3% hospital market basket update minus a 0.7% multifactor productivity reduction. CMS will phase out the Inpatient Only list over three years, beginning with removal of 285 procedures, and added 289 surgical procedures to the ASC Covered Procedures List, including cardiac ablation, lumbar fusion spinal codes, and vascular embolization procedures. The agency projects total ASC payments will reach $9.2 billion in 2026, an increase of $450 million driven by enrollment, case-mix, and utilization changes. The American Hospital Association criticized the update as insufficient given labor and supply cost pressures, while the Ambulatory Surgery Center Association welcomed the expansion of procedures that can be performed in outpatient settings. Source: VMG Health
Mergers & Acquisitions
- Health services mergers and acquisitions will rebound in 2026 after deal values declined to $46 billion through November 30, 2025, from $62 billion in 2024, according to a PwC report. AI serves as a differentiator in dealmaking as investors view the technology as a driver for margin expansion and revenue growth. Regulatory and reimbursement uncertainty remains the main challenge for M&A activity, with President Trump signing Medicaid cuts into law and ACA exchange subsidies set to expire at year-end. Private equity firms are shifting investments toward AI-backed software and services that support care delivery, including telehealth platforms, revenue cycle management tools, and workforce optimization solutions. The window for health services IPOs is opening as market conditions improve with stronger equity valuations and a more favorable interest rate outlook. Source: Healthcare Dive
- DSO (dental service organization) transactions separate clinical operations from administrative functions through a hybrid structure that requires dentists to sell non-clinical assets while maintaining legal control over patient care. Sellers receive compensation through cash at closing based on EBITDA or collections multiples, rollover equity in the DSO or parent company, and earnouts tied to performance metrics such as revenue growth or patient retention. Selling dentists must typically work for the buyer for 3-5 years after closing under employment agreements that govern compensation and termination rights. The rollover equity is often illiquid and subject to forfeiture, with exit rights limited to events like recapitalizations or retirement, and sellers often have no control over their exit from the DSO. Termination for cause or breach of contract can trigger mandatory buyouts at reduced valuations or total forfeiture of equity. Source: CSH Law
No Surprises Act
Reproductive Rights
- States are enacting reproductive health data privacy laws to address gaps left after a Texas federal judge vacated HHS protections in June 2025. A U.S. District Court in Texas ruled that HHS lacked authority to distinguish between types of health information for political ends, striking down the April 2024 HIPAA amendment that prohibited use or disclosure of protected health information when sought to impose liability on individuals obtaining or providing lawful reproductive healthcare. California, Washington, Virginia, and New York have enacted laws with provisions protecting reproductive health data, with Virginia’s Senate Bill 754 extending to non-healthcare organizations including small businesses, nonprofits, and search engines. Washington’s My Health My Data Act, which took effect in April 2023, requires explicit consent to share health data and protects individuals who travel to Washington for gender-affirming and reproductive care. Source: TechTarget
Restrictive Covenants
- State legislatures across the country have enacted laws in 2025 that significantly restrict or ban non-compete agreements for healthcare professionals. Maryland, Texas, and Pennsylvania have limited non-compete terms, with Texas capping physician agreements at one year within a five-mile radius and requiring buyout provisions not exceeding annual salary. Arkansas, Montana, Colorado, Oregon, Indiana, and Illinois have expanded restrictions by banning or limiting non-competes for broader categories of medical professionals, with Colorado eliminating its previous monetary threshold for highly compensated workers. Louisiana adopted a time-based approach that prohibits non-competes with primary care physicians after three years of employment and other physicians after five years, while Utah banned health care service platforms from requiring employee non-competes. The laws aim to ensure healthcare services remain available and patients retain freedom of choice in providers. Source: Venable LLP
Rural Health