Fraud, Abuse & Enforcement
- OIG Advisory Opinion No. 26-14 grants a favorable determination to a pharmaceutical manufacturer sponsoring free antibody testing to identify patients potentially eligible for its drug. Under the Arrangement, the Requestor contracts with a third-party laboratory to provide no-cost antibody tests to patients in all 50 states who present with symptoms of an ultra-rare condition or who have cancer warranting paraneoplastic screening, with no billing to patients or payors including Federal health care programs. OIG concluded the Arrangement implicates the Federal anti-kickback statute because it confers remuneration on patients and providers, but declined to impose sanctions based on safeguards including the 1.6 percent positivity rate, prohibitions on sales representatives discussing the Product in connection with the testing, restrictions on data sharing to aggregate de-identified figures, and the absence of provider payments tied to prescribing. OIG further determined the Arrangement satisfies the Promotes Access to Care Exception to the Beneficiary Inducements CMP because the Test removes a diagnostic barrier for an under-recognized condition, is unlikely to skew clinical decision-making or drive overutilization, and enhances patient safety. Source: OIG Advisory Opinion No. 26-14
- A Texas nurse practitioner practicing in Louisiana received a sentence of 87 months in prison, three years of supervised release, and a restitution order of $1,508,868.25 for causing more than $12 million in false claims to Medicare. Working as an independent contractor for a telehealth company from October 2018 to October 2019, Scharmaine Lawson Baker signed hundreds of orders for cancer genetic tests after phone calls lasting under 30 seconds and without examining patients, accepting kickbacks she later omitted from her bankruptcy petition. She ordered ovarian and cervical cancer tests for male patients and never reviewed test results, including those showing patients carried variants predisposing them to cancer. The scheme generated over $12.1 million in claims to Medicare, with laboratories receiving more than $1.5 million in reimbursements. A federal jury in the Eastern District of Louisiana convicted her on six counts of health care fraud following a three-day trial in July 2025. Source: United States Department of Justice
Physician Compensation & Stark Law
- The U.S. Court of Appeals for the Fourth Circuit ruled that productivity-based physician compensation tied to work relative value units does not constitute payment based on the volume or value of referrals under the Stark law, affirming dismissal of a False Claims Act lawsuit against Thomas Health System. The court held that compensation is considered referral-based only when a physician’s referrals are a variable in the compensation formula, a threshold that a standard wRVU model does not meet. The court also declined to treat hospital subsidies to affiliated physician groups or compensation at or above the 90th percentile as evidence of fraud, noting that 10% of physicians will always exceed that threshold by definition. Applying Rule 9(b)’s heightened pleading standard, the court found that the complaint identified only routine business practices rather than a specific fraudulent act, requiring that a complaint “identify the fire” rather than point to smoke. Source: Becker’s ASC
- Standard percentile-based compensation benchmarks fail to reflect the workforce realities facing rural healthcare markets, where roughly 20% of Americans live but only 9% of physicians practice. As of 2025, Primary Care Health Professional Shortage Areas serve approximately 92 million people, and projections point to a nationwide shortfall of 141,160 FTE physicians by 2038, with non-metropolitan areas bearing a disproportionate share. Rural providers routinely carry expanded scopes of practice, heavier call burdens, and sole-source specialist responsibilities that survey data — which is retrospective and standardized — does not capture. Relying exclusively on benchmark frameworks risks producing compensation structures that are neither competitive nor sustainable, accelerating burnout and turnover that trigger service disruptions, coverage gaps, and higher operational costs. Compensation in rural settings must be evaluated holistically — across salary, productivity incentives, call coverage, and administrative duties — and assessed through the lens of commercial reasonableness, with regular market analysis and proactive retention initiatives to preserve community access to care. Source: VMG Health
Federal Regulatory & Reimbursement
- CMS has issued two Medicaid regulations implementing H.R. 1, the One Big Beautiful Bill Act, that alter provider payments and condition coverage on community engagement. A proposed payment rule would cap certain state directed payment rates at 100 percent of published Medicare rates in expansion states and 110 percent in non-expansion states, extending Medicare-based caps to all such arrangements for rating periods on or after January 1, 2029, with comments due July 21, 2026. An Interim Final Rule, which states must begin implementing by January 1, 2027, requires states to verify compliance using Medicaid claims, encounter data, eligibility files, SNAP records, and unemployment wage data before requesting documentation from patients, who may lose coverage over missed notices, lack of internet access, limited English proficiency, or homelessness. To claim the medical frailty exemption, a patient’s serious or complex condition must significantly impair the ability to meet engagement requirements, and states must keep documentation supporting each determination, prompting reliance on treating clinicians to verify functional limitations and treatment needs. Beginning in 2028, repeated self-attestation will be limited, increasing patients’ dependence on provider or data-system records to retain exemptions. Source: Association of Clinicians for the Underserved
- FDA’s November 2023 proposed rule to create new device classifications for hundreds of antimicrobial wound dressings and washes drew opposition from 95 percent of commenters, yet a withdrawal notice has not appeared. The proposal targets products incorporating ingredients such as hypochlorous acid and silver, with FDA citing antimicrobial resistance concerns and regulatory clarity as its rationales. Of 76 unique comments submitted to docket FDA-2023-N-3392, 58 strongly opposed the rule, 14 opposed it in part, two supported it, and two could not be classified, with opponents including physicians, researchers, medical societies, device companies, and the Alliance for Wound Care Stakeholders, which requested withdrawal. Commenters raised concerns about disruptions to care for vulnerable patients and inadequate economic analyses required under the Regulatory Flexibility Act. The final rule was scheduled for May 2026, and with the comment period closed, stakeholders can keep the matter before decisionmakers by contacting the FDA Commissioner’s Office, the Office of Management and Budget, Congress, or submitting deregulation suggestions through Regulations.gov. Source: Epstein Becker Green
AI in Healthcare
- AI-driven drug discovery is outpacing the legal frameworks that govern intellectual property ownership, creating ambiguities that derail deals during due diligence and acquisition. When a university researcher uses a commercial AI platform to analyze a health system’s patient data and identifies a new drug indication, ownership fractures across the vendor’s algorithm, the health system’s data, and the researcher’s validation, because U.S. law bars algorithms from being named inventors and patent law requires natural-person conception. Most licensing agreements predate AI integration and fail to specify whether licensing a model conveys ownership of its outputs, allowing vendors holding irrevocable or transferable output licenses to compete with licensees or train improved models for competitors. Models trained on protected health information create HIPAA and state privacy exposure under California’s CPRA and Washington’s My Health My Data Act, particularly because genomic data can re-identify individuals from de-identified datasets, while FDA’s January 2025 draft guidance covers AI for data analysis but not AI-driven target discovery or repurposing. In university spin-outs, AI platforms may account for 30 to 40% of the underlying innovation, and granting vendors 10 to 15% equity alongside the university’s 5 to 10% stake dilutes founders before institutional investors arrive, prompting term sheets to require explicit ownership allocation, model audit and version-control rights, performance warranties on accuracy and lawful data sourcing, regulatory cooperation including FDA pre-IND attendance, and broad indemnification against infringement, data breach, validation failure, and algorithmic bias claims. Source: Healthcare Law Insights
- Infusion providers adopting AI tools face regulatory and liability exposure under HIPAA, the False Claims Act, and state AI laws when they deploy these systems without governance frameworks. Independent and regional infusion centers use AI for prior authorization, clinical documentation, revenue cycle optimization, and patient scheduling, with 46% of healthcare organizations now implementing generative AI. The FDA framework classifies AI that replaces clinician judgment as a potential medical device requiring clearance, while every AI vendor accessing protected health information must execute a Business Associate Agreement that restricts use of patient data for model training without authorization. AI-generated documentation errors that affect large claim volumes create aggregate False Claims Act liability, and the AI origin of an error provides no defense. Texas (SB 815), Arizona (H.B. 2175), Maryland (H.B. 820), and Nebraska (LB 77) passed 2025 laws barring AI as the sole basis for medical necessity denials, California’s Assembly Bill 489 (signed October 11, 2025) prohibits patient-facing AI from implying its advice comes from a licensed professional, and the Colorado AI Act takes effect in January 2027. Source: Benesch Law
- A January 2026 data breach at the clinician network behind AI telehealth company Medvi exposed names, addresses, email addresses, dates of birth and medical information for 716,000 people. HIPAA and business associate agreements prohibit a technology vendor from reusing a provider’s patient data to train its AI products or exposing that data to other entities, even when a BAA is in place. The compliant approach trains classification models only on anonymized data scrubbed of all 18 HIPAA identifiers, then generates synthetic documents in a data factory to refine accuracy. Each customer receives a custom model with no data crossover with other clients, built from samples of anonymized and redacted documents the provider supplies. Deploying general-purpose tools such as ChatGPT, Claude or Gemini against a health care function leaves the operator unable to identify what data are used and where they go, defeating PHI protection. Source: Medical Economics
Privacy, Security & HIPAA Compliance
- The employee health plan of Spencer’s Gifts paid $450,000 to settle HIPAA violations stemming from a November 2021 ransomware attack by the Conti gang that compromised the personal and health data of 10,023 plan members. The breach was discovered when employees reported being unable to connect to the company’s VPN; investigators found an unauthorized actor had accessed the network, encrypted data on servers storing protected health information, and demanded a ransom. HHS Office for Civil Rights determined that prior to the breach, the health plan had failed to conduct a security risk analysis and failed to implement policies and procedures required under HIPAA’s privacy and security rules. Under a two-year corrective action plan, Spencer’s must complete a risk analysis, revise its HIPAA policies and procedures, and train its workforce accordingly. The settlement is HHS OCR’s 20th ransomware enforcement action and its 14th citing security risk analysis failures, and the agency has signaled that penalty size is driven by compliance program quality, not breach volume. Source: Bank Info Security
- Medical spas that qualify as HIPAA-covered entities must provide documented HIPAA training to every member of their workforce — including part-time employees, temporary staff, and volunteers — with records retained for a minimum of six years. The requirement is set out at 45 CFR §164.530(b) and 45 CFR §164.308(a)(5) and cannot be waived; failure to comply is a standalone violation, as demonstrated in 2023 when St. Joseph’s Medical Center paid an $80,000 OCR penalty tied in part to a lack of Privacy Rule training. Most medical spas employ fewer than ten staff, creating compliance risks particular to small facilities — including multitasking in reception areas where PHI is routinely exposed, and credential sharing that corrupts audit trails and can result in sanctions against employees who did not personally commit the underlying violation. Training must cover the minimum necessary standard, unique login credential requirements, breach escalation procedures, and the range of consequences for non-compliance, which extend to criminal penalties under Section 1177 of the Social Security Act for violations committed for personal gain. Medical spas in Texas and California face additional obligations under, respectively, the Texas Medical Records Privacy Act as amended by HB 300 and the Confidentiality of Medical Information Act, both of which impose requirements beyond the federal HIPAA baseline. Source: HIPAA Journal
Healthcare Transactions & Investment
- Women’s health companies are consolidating fertility, menopause, hormone therapy, GLP-1 programs, and behavioral health into single longitudinal platforms rather than operating discrete service lines. Danish research found that women spend an average of nine years in poor health, wait longer for diagnoses, and face these challenges near midlife while working and caring for children and aging parents. Integrated platforms allow a patient’s clinical history, reproductive stage, and medication use to follow her across services, producing higher retention, recurring revenue, and stronger employer and payor relationships, while some operators now run hybrid models that pair direct-to-consumer offerings with covered benefits and cash-pay services. Expansion into prescribing, pharmacy fulfillment, lab testing, and diagnostics triggers obligations under anti-kickback and beneficiary inducement rules, fee-splitting restrictions, corporate practice of medicine limits, state telehealth laws, and pharmacy rules, and broadens exposure to HIPAA, state consumer health data laws, and FTC risk across sensitive reproductive, genetic, and biometric data. Investors should confirm that platform growth rests on scalable clinical protocols covering patient selection, informed consent, medication management, adverse event response, and provider supervision, and should test whether each revenue channel is compliant and whether the target can expand into priority states without altering its clinical or operational model. Source: Katten
Employment & Labor
- An exempt employee may perform additional hourly, non-exempt work for the same employer without losing exempt status, the U.S. Department of Labor concluded in an FLSA opinion letter. The matter arose at an academic medical center where salaried, exempt nursing professional development specialists worked about 40 hours weekly in their exempt role and occasionally picked up one or two 12-hour staff nurse shifts on weekends paid at an hourly rate. The arrangement preserved the exemption because the specialists spent the majority of their time on exempt duties involving autonomy, judgment, designing educational programs, onboarding staff, and conducting competency processes, and because the employer met the salary basis and salary level requirements. FLSA regulations permit an exempt employee to receive extra compensation, including hourly pay, for work beyond the normal workweek as long as the guaranteed salary remains. If combined work shows the primary duty has become non-exempt, the employer loses the exemption and must calculate overtime on combined hours and total compensation, so employers should confirm the duties test, pay the required salary threshold, document the secondary role and its pay, and periodically review whether the work has shifted toward non-exempt duties. Source: Parker Poe
Consumer Protection & TCPA
- Text messages qualify as “telephone calls” under Section 227(c) of the TCPA, a magistrate judge in the Western District of Texas recommended in Callier v. American Auto Group LLC. Brandon Callier alleged that American Auto Group, a California LLC doing business as All American Auto Care, sent two unsolicited texts on May 4 and May 20, 2025, marketing vehicle service contracts while his number was on the National Do Not Call Registry, and the defendant defaulted after service through the California Secretary of State. Adopting the majority position over the contrary view in Jones v. Blackstone Medical Services, LLC, the court held that texts count as calls under Section 227(c) and that Callier adequately pleaded a Section 227(c)(5) claim, with the coextensive Texas Business and Commerce Code Section 305.053 claim following but yielding no additional damages under the no-double-recovery rule. The court recommended denying judgment on the Chapter 302 claim because that statute did not define “telephone solicitation” to include text messages until an amendment took effect September 1, 2025, after both texts. The court recommended $1,000 in damages—the statutory $500 per violation for the two texts—with no willfulness enhancement and no stacking, and denied a permanent injunction because Callier alleged no contact since May 2025. Source: TCPAWorld
