Categories
Health Law Highlights

Wade’s Health Law Highlights for July 7, 2026

Fraud & Abuse and Enforcement

FDA & Drug Regulation

Artificial Intelligence in Health Care

  • University Health and Houston Methodist are complying with Texas’s new clinical AI disclosure law by embedding required disclosures into their existing patient consent processes. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), effective January 1, requires health care providers to give patients or their representatives conspicuous written disclosure whenever an AI system is used in diagnosis or treatment, before or at the time of the clinical interaction, with a narrow emergency exception. University Health delivers disclosures verbally when AI meaningfully informs a care decision and through standardized language in general consent forms, applying a standard based on what a reasonable patient would consider AI-generated or AI-assisted. Houston Methodist enhanced its consent for treatment to reflect AI use and focuses on transparency at or before interactions such as AI-enabled calls and ambient listening. A December 16 Manatt Health analysis found at least four states have enacted laws governing how health systems must disclose or limit clinical AI use, with states expected to remain the primary regulators of health care AI in 2026. Source: Becker’s Hospital Review
  • Physicians who enter protected health information into consumer AI tools such as ChatGPT or Gemini without a business associate agreement commit a breach of the HIPAA Privacy and Security Rules. By 2024, 66% of U.S. physicians reported using some form of AI in practice, but consumer platforms do not sign BAAs, and under 45 CFR §164.502 a covered entity may not disclose PHI to a third party without patient authorization or a valid BAA. Liability for unauthorized disclosure rests with the practice as the covered entity and does not transfer to the AI vendor. Any AI tool that processes PHI must be covered by a BAA before first use and, under 45 CFR §164.308, preceded by a documented security risk analysis. Recommended safeguards include inventorying current AI use, verifying BAA status, conducting risk analyses, adopting written acceptable-use policies, and providing AI-specific training. Source: Medical Economics
  • HHS outlined plans to accelerate AI adoption in clinical care after receiving more than 7,000 comments on using AI to lower health care costs. Issued under the Make America Healthy Again initiative, the RFI sought input on how digital health regulatory frameworks should evolve, whether reimbursement structures could better support deflationary technologies, and how research investment could strengthen implementation. HHS leaders reported broad consensus for better coordination across HHS agencies, support in creating governance structures, and guidance on identifying effective AI tools. U.S. health care spending rose 7.3% to a record $5.7 trillion in 2025 and is projected to exceed 20.5% of GDP by 2034. HHS cited steps already underway, including development of AI agents to manage cardiovascular disease care and FDA work to clarify regulation of autonomous AI-enabled medical technologies proportionate to their risk. Source: HIPAA Journal

HIPAA & Data Security

  • HIPAA Security Rule compliance requires an ongoing security program rather than a one-time project, and health care companies that treat it as complete accumulate risk and enforcement exposure. The Security Rule requires accurate, thorough, and periodic analysis of risks to the confidentiality, integrity, and availability of electronic protected health information, with a new or focused analysis whenever a material change occurs, such as new technology, new vendors handling ePHI, workforce restructuring, or a security incident. Following each analysis, entities must maintain a risk management plan that prioritizes remediation, assigns ownership, and sets timelines, supported by continuous monitoring including log reviews, vulnerability scanning, access control auditing, and vendor security monitoring. The 2026 BakerHostetler Data Security Incident Response Report found threat actors increasingly move from initial access to data exfiltration without deploying encryption, making ransomware-style detection insufficient. OCR’s Risk Analysis Initiative penalizes companies that have not performed adequate risk analyses, and multiple state attorneys general launched investigations into health care companies in 2025, often concurrent with or following closed OCR investigations. Source: Baker Data Counsel

Reimbursement & Coding Compliance

Telehealth & Pharmacy

Transactions & the ASC Market

Healthcare Workforce

Litigation & Premises Liability

  • A Houston veterinary technician sued the Texas Medical Center for more than $10 million, alleging that preventable security failures led to a violent attack in a public parking garage. According to the petition, Baleigh Burmaster was attacked around 6:30 a.m. on May 11 moments after exiting her vehicle in Texas Medical Center Public Parking Garage 1, where the assailant repeatedly stabbed her and forced her back into the car during an ordeal attorneys estimate lasted 10 to 15 minutes. The lawsuit alleges the garage had no operational surveillance cameras or on-site security personnel, and that the suspect entered hours earlier and remained undetected. Attorneys argue the attack was foreseeable, citing at least four violent crimes reported in and around the medical center in a two-week span, and note the suspect was identified using Houston METRO surveillance video rather than garage cameras. The filing points to security improvements made after the incident, including increased patrols and additional signage, as evidence stronger protections were available. Source: KPRC Click2Houston