Cybersecurity, Data Privacy & HIPAA
- Fragmented identity systems across healthcare force patients to maintain separate credentials for patient portals, EHRs, pharmacies, PBM claims platforms, and insurer authorization — multiplying security risks and driving the average cost of a healthcare data breach to $7.42 million in 2025, the highest of any industry for the 12th consecutive year. Most breaches are credential-driven, yet the majority of healthcare organizations still rely on password-based authentication, making credential stuffing attacks — where one breached account enables access to others — a widespread threat. HIPAA, the HITECH Act, NIST, and the Joint Commission for Hospital Accreditation all recommend phishing-resistant MFA methods such as passkeys and magic links, while SMS one-time passwords are considered insufficient for healthcare environments. Fine-grained access control addresses over-permissioning by enabling least-privilege permissions and proxy access — allowing, for example, a caregiver to manage a patient’s appointments without accessing full medical records — without requiring credential sharing, which violates HIPAA. Compliance with interoperability standards such as SMART on FHIR, which uses OpenID Connect and OAuth to connect healthcare apps to EHR systems, is becoming essential as AI agents like ChatGPT Health require secure, standards-based access to health records. Source: MedCity News
- South Texas Oncology and Hematology agreed to pay $1,075,000 to settle a class action lawsuit arising from a February 2024 cyberattack that exposed the personal and health data of 176,303 individuals. An unauthorized actor accessed the San Antonio provider’s network on February 15, 2024, potentially obtaining names, contact information, dates of birth, health information, and Social Security numbers. Multiple lawsuits were consolidated into Flores v. South Texas Oncology and Hematology, PLLC, alleging the provider failed to implement reasonable cybersecurity measures. Under the settlement, which has received court approval pending a final fairness hearing on July 21, 2026, class members may claim up to $5,000 in documented losses or an estimated $100 pro rata cash payment, plus two years of medical data monitoring services. Claims must be submitted by July 6, 2026, and objections or exclusion requests are due by June 22, 2026. Source: HIPAA Journal
- Research institutions deploying AI on biobank and multi-omics datasets face consent gaps that expose them to HIPAA violations, OCR investigations, state attorney general enforcement, and class action lawsuits because historical consent forms did not authorize AI analysis, cross-dataset integration, or commercial applications. Under the Common Rule and HIPAA, informed consent must be both “informed” and “specific,” and broad “future research” language does not cover AI-driven commercial uses; violations can result in millions in fines and suspension of research activities by OHRP. Genomic data compounds the risk because it is immutable, familial, and perpetually re-identifiable — research shows just 15 demographic attributes can uniquely identify 99.98% of Americans, and AI-driven combination of genomic, proteomic, metabolomic, and clinical data creates a profile no traditional de-identification technique can protect. An additional exposure arises when researchers use commercial AI tools such as ChatGPT or Claude to draft grant applications, potentially violating funder confidentiality requirements, institutional IP policies, and collaborator NDAs. To mitigate these risks, institutions must audit existing consent forms for AI authorization gaps, update consent templates to address algorithmic processing and commercial uses, establish AI use policies for grant submissions, strengthen vendor contracts to include data retention and re-identification indemnification clauses, and engage IRBs early to update review criteria for AI-specific risks. Source: Healthcare Law Insights
- HHS is set to finalize the first HIPAA update in more than a decade, eliminating the distinction between “required” and “addressable” security rules and making all cybersecurity and physical security measures mandatory for healthcare providers. Under the updated rule, protocols such as two-factor authentication, data encryption, and network segmentation will be required for all providers, and organizations must demonstrate actual implementation of access control, intrusion detection, and visitor management tools — not merely document policies. Physical security measures will be treated as core requirements, reflecting the reality that unsecured server rooms and uncontrolled facility access can enable cyberattacks that bypass even strong digital defenses. Most providers currently rely on fragmented, siloed security tools and lack the connected infrastructure needed to meet the integrated standards the update demands. Compliance will require unification of security systems and modernization of technology, with cloud migration identified as a path forward for hospitals across budget levels. Source: MedCity News
- The HIPAA Security Rule’s current encryption standards, including RSA-2048, are expected to become vulnerable to quantum computing and may not hold beyond 2030. In January 2025, the U.S. Department of Health and Human Services issued a notice of proposed rulemaking to update the HIPAA Security Rule, the first overhaul of healthcare data security obligations since 2013. NIST has already published post-quantum encryption replacements, but the proposed rule does not yet incorporate them. Healthcare data poses a compounded risk because records such as genomic profiles and clinical datasets do not expire, meaning data encrypted today could be harvested now and decrypted once quantum computing matures. Decisions made during this rulemaking cycle will determine whether electronic protected health information remains secure over the next 10 to 20 years. Source: IAPP
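The least-privilege and proxy-access point in the first item above (a caregiver who can manage a patient's appointments but not read the medical record, without sharing credentials) is easiest to see as a scope check. The following Python is an added example, not code from this page or from MedCity News or any other source summarised here. It assumes the SMART App Launch v2 scope grammar, `<context>/<ResourceType>.<perms>` with `perms` an ordered subset of `cruds`, and maps the v1 spellings `read`, `write` and `*` to `rs`, `cud` and `cruds`; the tokens, patient ids and requests are constructed sample data. The decision is deny-by-default: a patient-context scope is confined to the patient the token was issued for, so a grant for one patient's appointments authorises nothing on clinical resources and nothing on another patient.

```python
"""Least-privilege checks over SMART on FHIR scopes (added example; assumes
the SMART App Launch v2 scope grammar, tokens and requests are constructed)."""
from dataclasses import dataclass
from typing import Optional, Tuple

PERM_ORDER = "cruds"  # create, read, update, delete, search: the order v2 requires
ACTION_TO_PERM = {"create": "c", "read": "r", "update": "u", "delete": "d", "search": "s"}
V1_PERMS = {"read": "rs", "write": "cud", "*": "cruds"}  # v1 spellings -> v2 letters


@dataclass(frozen=True)
class Scope:
    context: str   # "patient", "user" or "system"
    resource: str  # FHIR resource type, or "*" for all
    perms: str     # ordered subset of "cruds"


@dataclass(frozen=True)
class AccessToken:
    sub: str
    scopes: tuple
    patient: Optional[str] = None  # launch context: the patient this token is bound to


@dataclass(frozen=True)
class Request:
    action: str
    resource: str
    patient: str  # patient whose record the request touches


def parse_scope(raw: str) -> Scope:
    """Parse one resource scope, rejecting anything outside the grammar."""
    try:
        context, rest = raw.split("/", 1)
        resource, perms = rest.rsplit(".", 1)
    except ValueError:
        raise ValueError(f"malformed scope: {raw!r}") from None
    if context not in ("patient", "user", "system"):
        raise ValueError(f"unknown context in scope: {raw!r}")
    if resource != "*" and not resource.isalpha():
        raise ValueError(f"bad resource type in scope: {raw!r}")
    perms = V1_PERMS.get(perms, perms)
    # Keep only known letters in canonical order; any duplicate, unknown or
    # out-of-order letter makes the normalised form differ and is rejected.
    normalised = "".join(ch for ch in PERM_ORDER if ch in perms)
    if not perms or normalised != perms:
        raise ValueError(f"bad permission set in scope: {raw!r}")
    return Scope(context, resource, perms)


def authorize(token: AccessToken, req: Request) -> Tuple[bool, str]:
    """Deny-by-default decision: does any scope on the token permit the request?"""
    perm = ACTION_TO_PERM.get(req.action)
    if perm is None:
        return False, f"unknown action {req.action!r}"
    for raw in token.scopes:
        if "/" not in raw or "." not in raw:
            continue  # openid, fhirUser, launch/patient, offline_access: not resource scopes
        scope = parse_scope(raw)
        if scope.resource not in ("*", req.resource) or perm not in scope.perms:
            continue
        if scope.context == "patient":
            # A patient-context grant is confined to the launch patient: proxy
            # access for one patient says nothing about any other patient.
            if token.patient is None or token.patient != req.patient:
                continue
        # user/system scopes are not compartment-bound here; the EHR's own
        # user-level authorisation still applies (assumption, not modelled).
        return True, f"allowed by {scope.context}/{scope.resource}.{scope.perms}"
    return False, "no scope grants this action"


# Constructed sample tokens: a caregiver with proxy access to one patient's
# appointments only, in v2 and in v1 scope spelling.
CAREGIVER = AccessToken(
    sub="caregiver-42",
    scopes=("openid", "fhirUser", "launch/patient", "patient/Appointment.cruds"),
    patient="pat-1001",
)
CAREGIVER_V1 = AccessToken("caregiver-7", ("patient/Appointment.read",), "pat-1001")

if __name__ == "__main__":
    for req in (
        Request("read", "Appointment", "pat-1001"),
        Request("create", "Appointment", "pat-1001"),
        Request("read", "Observation", "pat-1001"),   # clinical data: never granted
        Request("update", "Appointment", "pat-2002"),  # another patient: never granted
    ):
        ok, why = authorize(CAREGIVER, req)
        print(f"{req.action:7} {req.resource:12} {req.patient}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Running the block prints four decisions: the two appointment actions on pat-1001 are allowed, while reading an Observation and updating another patient's appointment are denied. The parser is deliberately strict (a scope such as `patient/Appointment.sr` is rejected rather than reinterpreted), because an authorisation layer that guesses at malformed grants is exactly the over-permissioning the summary warns about.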
Fraud & Abuse Enforcement
- False Claims Act enforcement hit a record $6.8 billion in FY 2025, more than doubling the prior year’s $2.9 billion, with healthcare and life sciences accounting for $5.7 billion — roughly 83% — of total recoveries. Whistleblower-initiated qui tam filings reached 1,297, nearly double the prior 10-year annual average, and for the first time, relators recovered more in cases the government declined to join ($2.27 billion) than in cases it did ($2.23 billion), indicating that DOJ’s decision not to intervene no longer means a case will collapse. At the same time, DOJ lost more than 5,000 employees in the first year of the second Trump administration, shut down over 900 federal fraud cases and more than 100 healthcare fraud matters, and proposed a FY 2026 budget cutting the FBI by $545 million — even as senior officials publicly named healthcare fraud a top enforcement priority and relaunched the DOJ-HHS FCA Working Group with six focus areas including Medicare Advantage, kickbacks, and EHR manipulation. A constitutional challenge in United States ex rel. Zafirov v. Florida Medical Associates, LLC is now before the Eleventh Circuit, with a panel that showed skepticism toward the government’s position at oral argument in December 2025, and observers expect an affirmance that could reach the Supreme Court. Healthcare providers should not treat DOJ’s staffing constraints as a reprieve, as the pipeline of pre-existing investigations continues to generate settlements, data analytics increasingly substitute for personnel, and the administration is also deploying the FCA against DEI practices and gender-affirming care billed to federal programs. Source: Arnall Golden Gregory LLP
- The HHS Office of Inspector General issued a favorable advisory opinion declining to impose sanctions on a three-phase ownership transfer plan for a California ambulatory surgical center, even though the arrangement could generate remuneration implicating the Federal Anti-Kickback Statute. The plan, structured around the retirement of a sole physician-owner and estate planning objectives, would transfer ASC ownership interests to his non-physician spouse at no cost, allow his two physician-children to purchase shares at fair market value, and ultimately pass remaining interests to those children through testamentary transfer. Financial distributions to investors qualified under the single-specialty and multi-specialty ASC safe harbors because all transactions were structured at fair market value, returns were proportional to capital investment, no financing assistance was provided to investors, and no investment terms were tied to referral volume. Transfers that fell outside safe harbor protection — including the spousal gift and the children’s share purchases — were nonetheless deemed low-risk because the spouse had no role in health care, the transfers were documented as bona fide succession planning, and the retiring physician committed to cease clinical practice, relinquish all governance roles, and certify no referral influence without directing his patient panel to any specific successor. The OIG’s opinion signals that family-based ownership succession in ASCs can survive Anti-Kickback scrutiny where referrals are functionally decoupled from ownership and transactions reflect legitimate estate planning rather than disguised remuneration. Source: Lamb McErlane PC
Texas Legislation & Compliance
- Under the Texas Covenants Not to Compete Act, courts are required — not permitted — to rewrite overbroad non-compete agreements rather than void them, a rule that carries consequences for both employers and employees. The statute mandates that courts reform unreasonable restrictions on time, geographic area, or scope of activity to the extent necessary to make them enforceable, and then enforce the agreement as rewritten — a process courts apply at every stage of litigation, including temporary injunction proceedings. Courts most frequently reform geographic scope and activity restrictions, tying geography to the territory where the employee actually worked and limiting activity restrictions to roles substantially similar to the employee’s prior position, as seen in Hipps v. CBRE, Inc. (2024) and Galderma Laboratories, L.P. v. Brenner (2026). When a court is forced to reform an overbroad agreement, the employer loses the right to recover attorneys’ fees and cannot pursue financial damages for breaches that occurred before the rewrite, leaving injunctive relief as the only available remedy. Reformation is not available when the underlying agreement is unenforceable, lacks adequate consideration, or when the non-compete has already expired. Source: Hendershot Cowart P.C.
- Texas HB 4224 requires covered healthcare entities to post instructions in two locations — on their website and at each physical facility — telling patients how to request medical records, contact the applicable licensing or disciplinary authority, and file a consumer complaint under Texas Health and Safety Code Section 181.103. The law, which passed the Texas House 149-0 and the Texas Senate 31-0, applies to any person or entity that assembles, collects, stores, transmits, or otherwise handles protected health information, including physicians, hospitals, clinics, mental health providers, and staffing agencies. Entities that exclusively perform claims processing, data processing, utilization review, or billing on behalf of another provider are exempt, but lose that exemption if they also provide direct patient-facing services. The postings must give step-by-step instructions — not merely a statement of rights — and a HIPAA Notice of Privacy Practices alone does not satisfy the requirement. Non-compliance does not create new criminal liability but can trigger investigations by the Texas Attorney General’s office or a provider’s licensing board. Source: Hendershot Cowart P.C.
- Texas Senate Bill 2544 requires out-of-network facility providers — hospitals, ambulatory surgery centers, freestanding emergency rooms, and birthing centers — to request mediation within 180 days of receiving an initial payment for a disputed service or forfeit the right to mediation and any civil action to recover the disputed amount. The law amends Texas Insurance Code Chapter 1467, which already required completion of Texas Department of Insurance mediation before filing suit, but previously set no deadline to initiate that process. The 180-day rule applies to disputes with TDI-regulated commercial health benefit plans and self-insured ERISA plans that have opted into the Chapter 1467 process, but does not cover Medicare, Medicaid, or ERISA plans that have not opted in. The deadline mirrors the existing 90-day arbitration window that already governed out-of-network non-facility providers such as physicians and physician groups under the same framework. The legislature’s stated intent was to create a consistent, time-limited dispute resolution system and eliminate the practice of filing batches of stale claims years after services were rendered. Source: Hendershot Cowart P.C.
Medicare Coverage & Reimbursement
- CMS is moving to eliminate reimbursement advantages for FDA breakthrough-designated devices while simultaneously creating a faster Medicare coverage pathway for the same class of products. The FY 2027 IPPS proposed rule would repeal the alternative New Technology Add-on Payment (NTAP) pathway, requiring all applicants — including FDA-designated breakthrough devices — to meet newness, cost, and substantial clinical improvement criteria beginning October 1, 2026; the same repeal would apply to the Transitional Pass-Through (TPT) program in the outpatient setting. On April 23, 2026, CMS and FDA jointly announced the RAPID (Medicare Regulatory Alignment for Predictable and Immediate Device) coverage pathway, under which eligible breakthrough devices — Class III devices and Class II devices in the FDA Total Product Life Cycle Advisory Program — that are the subject of an investigational device exemption study could receive a proposed national coverage determination the same day FDA grants market authorization, potentially compressing the coverage timeline from nine to twelve months to as little as two months. CMS has paused the Transitional Coverage for Emerging Technologies pathway to focus resources on RAPID implementation. Final IPPS policies are expected on or around August 1, 2026. Source: McDermott+
Practice Transactions & Business Models
- Concierge medicine is a $7.35 billion market projected to nearly double by 2030, as physicians across specialties abandon traditional insurance-based practice for membership models that charge patients a retainer fee in exchange for smaller patient panels, same-day access, and individualized care. Practices operate under two structures: hybrid models, which collect membership fees for enhanced access while continuing to bill insurance and Medicare for clinical services, and direct primary care models, which collect a periodic fee covering a defined scope of services and bill no third-party payers. Hybrid models reduce patient volume but retain CMS compliance obligations, while direct primary care models risk regulatory scrutiny as healthcare service plans if their scope of services is not properly structured. Membership agreements must disclose what fees cover, state that membership is not health insurance, specify termination and refund terms, and outline patient obligations. In California, only licensed physicians may own a medical practice under Business and Professions Code § 2400, and concierge arrangements — often structured as Professional Medical Corporations with a Management Services Organization — require legal counsel to navigate corporate, contractual, and patient-transition requirements. Source: Nossaman
- Home health and hospice M&A deal volume in the second half of 2025 reached its highest level since 2021, but buyers are applying tighter underwriting standards than during the 2019–2022 peak. Rising interest rates and constrained credit markets in 2023 and 2024 reduced leverage and compressed EBITDA add-back tolerance from roughly 20% down to 12–15%, and that discipline has carried into 2026. Hospice platforms with compliance records, diversified payor mix, and consistent growth are trading at 10x–15x EBITDA, while assets with inconsistent documentation or weak infrastructure face pricing reductions and extended diligence. Buyers now prioritize revenue durability, documentation quality, eligibility support, operational scalability, and technology infrastructure over geography or EMR system ownership. For sellers, preparation — not market timing — determines whether a transaction closes at expected value, as compliance gaps and fragmented systems increasingly result in purchase price adjustments, escrows, or deal failure. Source: Arnall Golden Gregory LLP
Employee Benefits & Pharmacy
- Employers can legally reimburse employees for GLP‑1 medications purchased through direct-to-consumer platforms using Health Reimbursement Arrangements (HRAs), despite widespread broker advice to the contrary. Platforms including Hims, Lilly Direct, and NovoCare offer GLP‑1 drugs at $149–$449 per month — versus $1,000-plus through traditional pharmacy channels — and their terms restrict reimbursement from “commercial insurance,” not from employer-funded HRAs, which carry no underwriter and involve no risk transfer. Lilly Direct’s checkout flow (fulfilled through Gifthealth) expressly invites HSA and FSA reimbursement, and a participant-directed HRA mirrors that same transaction structure: the employee pays cash at the point of sale and submits for reimbursement afterward from a separate employer account. Brokers and benefits vendors who advise against these arrangements are often commercially aligned with the carriers and PBMs that lose margin when prescriptions leave the traditional channel. Employers should retain independent benefits counsel to evaluate platform-specific terms and HRA plan design before accepting a blanket “too risky” conclusion. Source: Amundsen Davis
Medical Malpractice
- Strokes are among the most commonly misdiagnosed conditions in the United States, and the errors that give rise to malpractice liability occur before, during, and after the event itself. Grounds for a claim include failure to order diagnostic tests, failure to treat known risk factors such as high blood pressure and diabetes, misdiagnosis as conditions including migraines, seizures, or sepsis, delayed or absent treatment after a correct diagnosis, and medication errors involving blood thinners, anticoagulants, or antiplatelet drugs. Errors by emergency responders and ER staff — including triage failures and surgical mistakes — also support liability, as does failure to monitor a patient after initial treatment. Florida law imposes strict timing requirements on malpractice claims, making prompt action necessary for anyone who believes a stroke was mishandled. Patients or family members with concerns should gather medical records, document the basis for their suspicions, and consult an attorney. Source: Searcy Law
