Wade’s Health Law Highlights for January 20, 2026

340B

• A federal judge issued a preliminary injunction on December 29, 2025 halting the Department of Health and Human Services’ 340B Rebate Model Pilot Program, which was set to launch January 1, 2026. The program would have restructured the 340B Drug Pricing Program from upfront discounts to post-sale rebates for ten drugs under the Medicare Drug Price Negotiation Program, requiring covered entities to pay wholesale acquisition cost and later apply for rebates. The American Hospital Association and Maine Hospital Association sued, arguing HHS acted arbitrarily by failing to adequately consider the program’s impact, citing $400 million in estimated compliance costs. The court found the administrative record minimal and noted that hospitals demonstrated they would face harm, though it stated a rebate program would not be impermissible if proper process was followed. On January 7, 2026, the First Circuit Court of Appeals declined the government’s request to stay the injunction, keeping the pilot program on hold. Source: Healthcare Law Insights
• The Fifth Circuit ruled hospitals must complete administrative processes before challenging Medicare payment regulations in court, reversing a district court decision that had blocked a 2023 Centers for Medicare and Medicaid Services rule. The December 9, 2025 decision requires hospitals to file cost reports, receive payment determinations from Medicare contractors, and appeal to the Provider Reimbursement Review Board before seeking judicial review under 42 USC § 405(g). The 2023 regulation excludes patients in uncompensated care pools from disproportionate share hospital payment calculations, affecting hospitals in California, Texas, Massachusetts, Florida, and other states that created alternatives to Medicaid expansion. Texas hospitals expected to lose more than $10 million in DSH payments and eligibility for the 340B drug discount program under the rule. The court rejected arguments that hospitals could bypass administrative procedures because the regulation impacts 340B eligibility, which cannot be recovered retroactively. Source: Morgan Lewis

Artificial Intelligence

• Google removed AI Overviews health summaries following an investigation that found the feature provided false and misleading medical information. The investigation revealed that searches for liver test norms generated raw data tables without context and failed to adjust figures for patient demographics such as age, sex, and ethnicity. Experts flagged this as problematic because patients with serious liver conditions might mistakenly believe they are healthy and skip follow-up care. Google disabled specific queries like “what is the normal range for liver blood tests” but left other queries and variations active. The problems stem from AI Overviews relying on Google’s page ranking algorithm, which struggles with SEO-gamed content and spam, then presenting this information with an authoritative tone. Source: Ars Technica
• OpenAI launched ChatGPT for Healthcare with Boston Children’s Hospital, AdventHealth, Baylor Scott & White Health, and Stanford Medicine Children’s Health as initial adopters. The platform runs on GPT-5.2 models and includes role-based access controls, governance features, and single sign-on support, with a design that restricts internet connections to prevent external data exposure. Boston Children’s Hospital reports that 30% of its employees use a customized ChatGPT tool and measures success through hours saved and return on investment. AdventHealth began pilots in May with 1,500 business users and now focuses on revenue cycle activities and graduate medical education, while Baylor Scott & White plans to deploy the platform to 2,000 to 5,000 employees in the first quarter. The platform meets HIPAA requirements and operates within existing cybersecurity protocols. Source: Becker’s Hospital Review
• Anthropic launched Claude for Healthcare and partnered with HealthEx to enable patients to connect their electronic health records to the AI chatbot. The announcement came days after OpenAI unveiled ChatGPT for Health and includes connectors for Function Health, Apple Health, and Android Health Connect, available to Claude Pro and Max subscribers in the U.S. HealthEx consolidates medical records from more than 50,000 health systems, and Claude uses Model Context Protocol to securely retrieve relevant data without using health information for model training. For enterprise customers, Anthropic added connectors to databases including the Centers for Medicare & Medicaid Services Coverage Database, ICD-10, PubMed, ClinicalTrials.gov, and bioRxiv, working with companies such as AstraZeneca, Sanofi, Banner Health, and Veeva. The company demonstrated that Claude can reduce the time to draft a Phase II clinical trial protocol from days to about an hour. Source: Fortune

Compliance

• The Centers for Medicare & Medicaid Services, Department of Labor, and Department of the Treasury proposed changes to payer price transparency regulations affecting non-grandfathered group health plans and health insurance issuers. The proposal requires insurers to prepare In-network Rate Files at the provider network level rather than for each plan, exclude provider-rate combinations for services providers would be unlikely to perform, and reduce reporting frequency from monthly to quarterly. For out-of-network data, the Departments propose lowering the claims threshold from 20 to 11 claims, aggregating Allowed Amount Files by market type, and extending the reporting period from 90 days to 6 months. The proposal also requires a new Change-log file to track changes between reporting periods and mandates that cost-sharing information be provided over the phone upon request. The machine-readable file amendments would take effect 12 months after final rule publication, while self-service tool provisions would apply to plan years beginning on or after January 1, 2027. Source: CMS
• Health care providers must comply with three areas when billing for services by nurse practitioners and physician assistants. Medicare billing methods for Advance Practice Professionals include direct billing, incident-to billing, and split billing, with each method having requirements and limitations based on practice setting. State professional licensure laws vary, with some states allowing full practice authority while others require physician oversight. Providers must evaluate whether their teams exceed permitted APP-to-physician ratios, whether physicians review the required number of charts and medication records, and whether on-site physician presence requirements are met. Hospital licensing requirements, Medicare conditions of participation, and accreditation requirements impose standards for APP services. Source: Thompson Coburn LLP
• Compliance training serves as the foundation for healthcare organizations to navigate regulations from HIPAA, CMS, and OSHA while protecting patients and employees. Healthcare compliance training falls into two categories: workplace compliance covering internal codes of conduct and ethics policies, and regulatory compliance mandated by state or federal law governing patient safety and data protection. Programs typically include HIPAA training, fraud and abuse prevention, infection control, workplace safety, and OSHA requirements. Federal laws such as HIPAA require annual certification, though organizations that excel in compliance implement ongoing training through refresher courses, microlearning modules, and real-time reminders. Non-compliance can result in financial penalties reaching millions of dollars, license suspension, legal action, and damage to reputation and patient trust. Source: NAVEX

Drug & Device

• The FDA classifies therapeutic products as biologics if they contain proteins with more than 40 amino acids, a threshold that determines whether sponsors must pursue a biologics license application or a new drug application. The classification affects development timelines, data requirements, and regulatory strategy for pharmaceutical sponsors. Two FDA centers regulate biologics: the Center for Biologics Evaluation and Research handles vaccines, cell and gene therapies, and blood products, while the Center for Drug Evaluation and Research oversees therapeutic proteins, monoclonal antibodies, and enzymes. The European Medicines Agency uses a different approach, basing classification on manufacturing method rather than amino acid count. The FDA treats antibody-drug conjugates as combination products and recommends sponsors submit them through the biologics license application process. Source: Alston & Bird

Fraud & Abuse

• The Texas Medicaid Fraud Control Unit recovered more than $125 million in 2025 and secured 123 arrests and 180 indictments for healthcare fraud. In June 2025, the unit participated in the largest health care fraud enforcement action in American history, which resulted in criminal charges against 30 defendants connected to more than a dozen schemes in Texas. The schemes involved more than $177 million in fraudulent billings nationally, $1.7 million in illegal kickbacks, and the diversion of over 10 million opioid pills. Since 2020, the unit has recovered more than $1 billion in settlements, judgments, and restitution for Texas taxpayers. The unit receives 75 percent of its funding from the U.S. Department of Health and Human Services ($22,792,664 for fiscal year 2024) and 25 percent from the State of Texas ($7,597,553). Source: Office of the Attorney General
• The First Circuit Court of Appeals ruled that clinical laboratories can rely on physician orders to establish medical necessity and are not required to independently assess clinical judgment in False Claims Act cases. In United States ex rel. OMNI Healthcare, Inc. v. MD Spine Solutions LLC, the court held that a physician’s order provides a safe harbor for medical necessity, and once a lab shows it acted pursuant to a doctor’s order, the burden shifts to the relator to produce evidence that the lab knew the order was improper. The case arose from a qui tam action brought by Omni Healthcare against MD Spine Solutions, an independent laboratory offering PCR-based urinary tract infection testing, alleging the lab knowingly submitted claims for tests that were not medically necessary under Medicare requirements. The court affirmed that FCA scienter turns on the defendant’s subjective knowledge at the time the claim was submitted, not on post-submission assessments of medical necessity. The decision does not provide complete immunity, as labs retain a duty to ensure they are not submitting false claims and must maintain compliance programs while watching for red flags such as unusually templated orders or inconsistent requisition forms. Source: Polsinelli
• A doctor and clinic employee received prison sentences for a healthcare fraud scheme that exploited patients at adult day care centers in the Rio Grande Valley. Dr. Osama Nahas, 70, of McAllen, received 120 months in prison, while Isabel Pruneda, 54, of Edinburg, received 97 months after a federal jury convicted them on March 1, 2024, of conspiracy to commit healthcare fraud, healthcare fraud, and conspiracy to violate the Anti-Kickback Statute. From January 2016 through December 2017, Nahas, who owned Crosspoint Medical Clinic in Edinburg, and Pruneda, a medical assistant, ordered unnecessary lab tests and prescriptions for patients and directed them to specific companies in exchange for kickbacks. Both defendants paid bribes disguised as rent to adult day care owners to access their facilities, and law enforcement seized hundreds of thousands of dollars in stolen medications during a June 2018 search warrant. Chief U.S. District Judge Randy Crane ordered both defendants to pay over $3.1 million in restitution to Medicare and serve three years of supervised release. Source: U.S. Department of Justice, Southern District of Texas
• Kaiser Permanente affiliates agreed to pay $556 million to resolve allegations that they violated the False Claims Act by submitting invalid diagnosis codes to increase Medicare Advantage payments from the government. The United States alleged that from 2009 to 2018, Kaiser pressured physicians to add diagnoses to medical records through “addenda” months or over a year after patient visits, often when the diagnoses had nothing to do with the visits in question. The government alleged Kaiser mined patients’ medical histories to identify diagnoses not submitted to the Centers for Medicare & Medicaid Services for risk adjustment, then sent queries to providers urging them to add these codes to increase reimbursements. Kaiser allegedly set goals for adding diagnoses and linked physician and facility bonuses to meeting these targets, despite internal warnings from its own physicians and compliance office that the practices violated CMS rules. The settlement resolves whistleblower lawsuits brought by former Kaiser employees Ronda Osinek and James M. Taylor, M.D., who will receive $95 million of the recovery. Source: Department of Justice

HIPAA

• Healthcare providers must update their HIPAA Notice of Privacy Practices by February 16, 2026, to comply with changes to the HIPAA Privacy Rule. The changes align HIPAA with revised regulations governing substance use disorder records under 42 CFR part 2. Updates include notices about rights concerning substance use disorder records, restrictions on using such records in civil, criminal, administrative, or legislative proceedings without consent or court order, and warnings about potential redisclosure of information. Entities that maintain substance use disorder records and intend to use them for fundraising must provide patients an opportunity to opt out of fundraising communications. A Texas federal court struck down portions of the Biden administration’s HIPAA Reproductive Health Rule, which the Trump administration chose not to challenge, meaning covered entities can disregard those vacated provisions while complying with the remaining modifications. Source: Holland & Hart’s Health Law Blog
• The HHS Office for Civil Rights issued guidance in January 2026 that establishes system hardening and patching as mandatory components of HIPAA Security Rule compliance. Regulated entities must maintain IT asset inventories, monitor vulnerability alerts from NIST and CISA, conduct vulnerability scanning, and implement formal vulnerability management programs, with patching treated as a continuous process rather than an episodic task. OCR requires compensating controls such as network segmentation and access restrictions when patches are unavailable for legacy systems or zero-day vulnerabilities. The guidance identifies unused software, default administrator accounts, and improperly configured security tools as enforcement targets, while emphasizing that security baselines from frameworks like NIST SP 800-53 must be tailored to each entity’s environment rather than adopted as checklists. Organizations must document testing and evaluation of system changes through their HIPAA risk analysis process, as enforcement trends show increasing scrutiny of basic cybersecurity failures. Source: Baker Donelson

Medicaid

• Governor Abbott ordered the Texas Health and Human Services Office of Inspector General and the Texas Health and Human Services Commission to investigate potential Medicaid fraud in the state. The investigations aim to safeguard taxpayer funds, maintain access for Texans who qualify for the program, and ensure healthcare delivery remains efficient. Texas Medicaid serves children, pregnant women, the elderly, and people with disabilities. HHSC will implement anti-fraud measures and launch investigations into fraud and misdirection of taxpayer dollars. The Governor is also directing investigations into child care funding fraud and has volunteered Texas to participate in a U.S. Department of Housing and Urban Development pilot program to eliminate fraud in federal affordable housing programs. Source: Office of the Governor of Texas

OIG Advisory Opinion

• OIG issued a favorable advisory opinion allowing a manufacturer to waive cost-sharing fees for commercially insured patients receiving an FDA-approved colorectal cancer screening test. The test, a stool-based RNA screening method approved by the FDA in 2024, typically requires patients to pay $100 to $135 in cost sharing because it is not included in the U.S. Preventive Services Task Force colorectal cancer screening recommendations. Commercial insurers must cover preventive services with USPSTF A or B ratings without cost sharing, creating a disparity for this test. The OIG concluded the cost-sharing waiver would not violate the Federal Anti-Kickback Statute or Beneficiary Inducements Civil Monetary Penalty because no Federal health care program currently covers the test except fee-for-service Medicaid in 16 states. The waiver will continue until the USPSTF updates its guidelines to include the test. Source: OIG Advisory Opinion No. 26-01

Part 2 SUD

• Healthcare providers offering substance use disorder treatment reimbursed by federal programs must comply with revised 42 CFR Part 2 regulations by February 16, 2026. The Department of Health and Human Services Office for Civil Rights now holds enforcement authority, with penalties mirroring HIPAA’s tier-based structure ranging from $141 to over $2.1 million per year. Providers must update their Notice of Privacy Practices, implement single consent forms for treatment, payment, and healthcare operations, and maintain SUD counseling notes separate from medical records. The rules require providers to follow HIPAA Breach Notification procedures for Part 2 records and establish Qualified Service Organization Agreements with vendors in addition to Business Associate Agreements. Providers must train staff on these requirements, as the Office for Civil Rights considers lack of training as evidence of willful neglect during investigations. Source: Shumaker, Loop & Kendrick, LLP

Private Equity

• Global private equity markets are expected to see increased dealmaking activity and gradual exit market recovery in 2026 as macroeconomic conditions stabilize. Investors in the US, Europe, and Asia have grown more confident operating within the current environment, while firms continue to hold capital and face pressure to deploy it. The Federal Reserve is expected to cut interest rates modestly in 2026, which should improve capital accessibility for dealmakers. Exit activity is improving in the UK and Europe following a backlog of delayed exits, with sponsors considering fund-to-fund transactions, continuation vehicles, and recapitalizations alongside traditional divestitures, while IPOs are becoming options for US upper-middle-market companies. Healthcare, defense, and AI are positioned to be the busiest sectors, with healthcare activity driven by consolidation in Europe and Asia, and AI investment expanding beyond core technology companies to include infrastructure such as data centers. Source: Goodwin

Telehealth

• The DEA extended telemedicine flexibilities for prescribing controlled substances through December 31, 2026. The agency published its Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications on December 31, 2025, in coordination with the Department of Health and Human Services. DEA-registered practitioners may continue to prescribe Schedules II-V controlled substances via telemedicine without an in-person evaluation, provided all other federal and state requirements are met. The extension covers practitioner-patient relationships established through telemedicine from May 12, 2023, onward, and prevents an end to remote prescribing while the DEA finalizes regulations. Core requirements remain unchanged, including that prescriptions must be for a medical purpose, encounters must use an interactive telecommunications system, and practitioners must be authorized and registered with the DEA. Source: Healthcare Law Insights