Categories
Health Law Highlights

Wade’s Health Law Highlights for December 16, 2025

Antitrust

  • Texas Attorney General Ken Paxton filed a lawsuit against Epic alleging the company monopolizes the electronic health record market and restricts parental access to children’s medical records. The lawsuit claims Epic, which controls 42% of the hospital EHR market and maintains records for 325 million patients, uses exclusionary tactics to prevent competition from partners, customers and employees, and interferes with hospitals’ ability to use their own patient data. Paxton alleges Epic automatically hides children’s medication lists, treatment notes and provider messages from parents when the child turns 12, violating Texas law that grants parents unrestricted access to their children’s medical records. Epic responded that doctors and health systems, not the company, determine parental access to children’s records, and that the lawsuit fails to understand Epic’s business model and market position. The lawsuit is part of Paxton’s initiative to investigate EHR vendors’ compliance with state laws on parental access, following a settlement earlier this year with Austin Diagnostic Clinic that restored parental proxy access for children aged 12 to 17. Source: Fierce Healthcare

Artificial Intelligence

  • AI implementation in healthcare functions as an intangible asset that can be valued through income, market, and cost approaches. The technology reduces workforce expenses and human error while improving efficiency through labor cuts, error reduction, and resource allocation, which can result in fewer medical supplies being used. Healthcare organizations face risks from AI adoption, including HIPAA violations when protected health information enters non-compliant systems, malpractice liability from AI-guided physical therapy appointments, and potential errors from poor data quality. AI that identifies coding errors, documentation gaps, and billing anomalies reduces exposure to audits and penalties, supporting more stable financial projections. Some healthcare businesses already use AI through software vendors for patient charting and billing without full awareness, creating compliance vulnerabilities. Source: VMG Health
  • The technology industry is undergoing a shift from the “Rule of 40” to a new “Rule of Data” as open-source AI models achieve parity with proprietary alternatives. The median Rule of 40 score dropped to 12% in Q1 2025, while investors now prioritize proprietary data assets over revenue growth metrics. AI-Native companies command valuation multiples of 20x-50x revenue compared to 5x-10x for AI-Enabled firms, with biological data emerging as the most defensible asset class. The Burn Multiple (Net Burn divided by Net New ARR) has become the key metric, with ratios below 1.5x considered optimal. In Q3 2025, AI funding represented 46% of all venture capital dollars, with investors paying premiums for companies demonstrating data flywheels while seed funding for wrapper startups has declined. Source: Healthcare Digital

Enforcement

  • Federal agencies will deploy machine learning tools in 2026 to detect healthcare fraud faster and more broadly than before. The DOJ, HHS-OIG, and CMS are expanding use of AI to analyze claims data, referral patterns, and prescribing practices in Medicare and Medicaid programs. DOJ and HHS established a False Claims Act Working Group and will pursue expanded liability theories, particularly for Medicare Advantage risk-adjustment submissions. Enforcement will target telehealth providers for remote prescribing of controlled substances, pharmacies and PBMs for opioid-related practices, and value-based care arrangements for improper incentive structures and quality-metric manipulation. States are increasing fraud enforcement in Medicaid and commercial-payer markets through mandatory fraud reporting and AI detection initiatives. Source: Arnall Golden Gregory LLP

HIPAA

Reimbursement

  • Congress passed Medicaid cuts that will reduce federal spending by $700 billion over the next decade, marking the program’s largest contraction since its inception. The policy measures include tighter eligibility rules, lower federal matching rates, and restrictions on hospital and nursing home payments eligible for federal reimbursement. More than 37 million children and millions of long-term care patients will lose coverage, as Medicaid covers 40% of pediatric office visits, nearly 50% of pediatric hospital admissions, and 60% of extended nursing home stays. Healthcare providers will face fewer covered patients and lower reimbursement rates while still absorbing uncompensated emergency care costs, yet federal healthcare fraud enforcement is expanding, with the Department of Justice adding Massachusetts to its healthcare fraud Strike Force. False Claims Act settlements routinely exceed any revenue lost to Medicaid cuts, making compliance spending cuts a risk for companies facing revenue pressure. Source: Goodwin Law

Risk Management

  • AI models trained on patient health information pose security risks that extend beyond traditional data breaches. Healthcare systems integrate AI across telehealth, diagnostics, billing, claims, and scheduling, but models fine-tuned on PHI, imaging, EHRs, or claims data can become gateways to HIPAA-protected content. An IBM report found that 13% of organizations have experienced breaches of AI models or applications, and 97% lacked proper access controls. The training process opens vulnerabilities through data leakage, model inversion, and prompt injection. Organizations should implement three security pillars: PHI minimization and data policy (limiting training datasets, isolating models, establishing retention timelines aligned with HIPAA), segmented AI environments (creating smaller purpose-built models by department or dataset), and continuous monitoring and validation (automated logging and auditing for abnormal access patterns, data leakage, model manipulation, and credential drift). Source: Health IT Answers

Telehealth

  • President Trump signed legislation on November 12, 2025, extending Medicare telehealth flexibilities through January 1, 2026. H.R. 5371 reverses a rollback of pandemic-era telehealth rules that occurred following a government shutdown. The extension permits Medicare beneficiaries to receive telehealth services from their homes without geographic restrictions, allows audio-only telehealth coverage, and expands the list of practitioners who can furnish and bill for Medicare telehealth services. The legislation also permits federally qualified health centers and rural health clinics to continue serving as distant site practitioners and defers in-person visit requirements. The Centers for Medicare & Medicaid Services is expected to issue guidance on claim submissions and retroactive reimbursement, but providers must prepare for potential changes when these flexibilities expire. Source: Greenbaum, Rowe, Smith & Davis LLP

Wade’s Health Law Highlights for December 9, 2025

Ambulatory Surgery Centers

  • Ambulatory surgery centers are becoming essential to health system growth strategies as clinical, financial, regulatory, and competitive forces push care beyond hospital walls. Technology improvements and post-pandemic comfort with higher-acuity procedures have made ASCs viable for surgeries previously limited to hospitals, while federal and state policy changes, including inpatient-only list removals and relaxed certificate-of-need requirements, encourage the migration of care. Payers are directing procedures like colonoscopies and endoscopies to ASCs for cost efficiency, and patients prefer the convenience and streamlined experience. Health systems face barriers including the need for strategic clarity and understanding that running an ASC requires different competencies than running a hospital. Single-specialty centers in musculoskeletal care, spine, cardiac, and electrophysiology are accelerating, and ASCs are becoming a tool for physician recruitment and retention amid workforce shortages. Source: VMG Health

Dentistry

  • Dental practices are adopting data analytics solutions to transform patient care from reactive to proactive models. These platforms analyze patient records, treatment histories, financial transactions, and appointment trends to track performance indicators including patient retention, chair occupancy, and revenue cycle efficiency. The systems enable preventive care by identifying patterns in patient histories and treatment gaps, while value-based care frameworks assess success based on patient outcomes rather than procedure volume. Practices face implementation challenges including data fragmentation across systems and staff resistance, which are addressed through data integration platforms, intuitive interfaces with AI-powered recommendations, and compliance features such as data encryption and role-based access controls. Analytics also enhance revenue cycle management by identifying billing inefficiencies and support marketing efforts by tracking patient acquisition costs and campaign returns. Source: Healthcare Tech Outlook

Food & Drug Administration

  • The FDA deployed agentic AI capabilities for all agency employees. The systems plan, reason, and execute multi-step actions to achieve specific goals, with human oversight built in, and the tool is optional for staff. The agency previously deployed Elsa, an LLM-based tool, in May, which over 70% of staff now use. The agentic AI will assist with meeting management, pre-market reviews, post-market surveillance, inspections, compliance, and administrative functions. The models operate in a high-security GovCloud environment and do not train on input data or data from regulated industry. Source: FDA

Fraud & Abuse

HIPAA

  • The Department of Health and Human Services is proposing updates to the HIPAA Security Rule for the first time in more than two decades in response to 2024 data breaches affecting more than 182 million individuals across over 670 incidents. The rules eliminate “addressable” implementation specifications, requiring all safety features to be fully implemented, documented, and enforced. Organizations must encrypt all electronic protected health information in transit and at rest, implement multi-factor authentication for system access, and terminate employee access within 24 hours of departure. The updates mandate annual technology asset inventories and network mapping, require restoration of lost systems within 72 hours of cyber incidents, and establish continuous risk assessments as a requirement. Manual compliance approaches using spreadsheets and human-led audits will no longer meet the standards. Source: Healthcare IT Today
  • HHS has proposed expanding HIPAA Security Rule requirements to cover AI systems that handle patient health data. The January 2025 proposed rule, scheduled for finalization in May 2026, establishes that electronic protected health information used in AI training data, prediction models, and algorithms is protected under HIPAA and requires covered entities to maintain written inventories of AI software and monitor for vulnerabilities. The rule applies to both covered entities and business associates, while 12 states have enacted their own AI healthcare legislation. Civil penalties for violations can reach $50,000 per violation, and criminal penalties for knowing violations range from one to 10 years imprisonment with fines between $50,000 and $250,000. Healthcare providers must ensure AI tools use encrypted internal servers, as public server tools like ChatGPT do not comply with HIPAA Privacy and Security Rules. Source: Amundsen Davis
  • Mass tort attorneys face challenges retrieving and reviewing medical records for hundreds or thousands of clients. Under HIPAA, healthcare providers have 30 days to respond to written records requests, with an option for an additional 30-day extension. Records can be obtained through client consent, signed releases, limited power of attorney, or through subpoena or court order. The American Bar Association recommends attorneys follow HIPAA guidelines when handling medical records, including selecting retrieval partners who guarantee HIPAA compliance and implementing staff training. AI-powered tools can address challenges in medical records review, including volume, terminology, and inconsistent organization across providers. Source: U.S. Legal Support

Med Spa and Medical Aesthetics

  • Med spa providers face felony charges for performing procedures without proper supervision from state-licensed physicians. An Arizona nurse was arrested for injecting Botox and prescription drugs without supervision from an Arizona-licensed medical director, after an undercover agent confirmed violations following a tip to the Attorney General’s office. The nurse worked at a med spa overseen by a non-resident physician who lacked Arizona licensure and now faces felony charges for practicing medicine without a license, conspiracy, and fraudulent schemes. State laws typically prohibit non-physician practitioners from performing services such as injectables and laser treatments without supervision from a state-licensed physician or, in some states, an advanced practice provider. Multiple states have prosecuted providers for violating scope-of-practice requirements, and enforcement efforts by state licensing boards and prosecutorial agencies are intensifying as the med spa industry grows. Source: Quarles Law Firm
  • Medical aesthetics practice owners can choose from four succession planning strategies to exit the market. The first option involves hiring an associate who transitions into ownership over time, requiring 7 to 10 years of planning before exit. The second strategy entails selling to private equity, where owners receive cash at closing and continue working as employees for 3 to 5 years, with planning recommended 6 to 8 years prior to exit. Owners can also sell to another private practice within 12 to 18 months of their planned exit. The fourth option allows owners to close the practice entirely, selling equipment and storing patient records according to state regulations and HIPAA guidelines. Source: VMG Health

Medical Privacy

  • Texas healthcare organizations must comply with multiple state laws that exceed HIPAA requirements. The Texas Medical Records Privacy Act (2001) and HB300 (2011) work alongside HIPAA, while the Texas Identity Theft Enforcement and Protection Act defines “sensitive personal information” more broadly than HIPAA’s PHI definition and requires breach notifications. The Texas Data Privacy and Security Act applies to non-PHI data such as marketing lists and website tracking information, requiring organizations to limit collection and obtain consent for uses like targeted marketing. The Texas Responsible AI Governance Act mandates patient notification when AI is used in diagnosis or clinical decision support, while SB1188 requires AI-generated diagnostic outputs to be reviewed under Texas Medical Board standards and prohibits storing data like credit scores in electronic health records. Organizations follow a “most protective law wins” approach and must train employees on all applicable Texas laws, not just HIPAA. Source: HIPAA Journal

MedTech

  • Courts are holding medtech companies liable under the Lanham Act for claims about proprietary technology, comparative performance, and regulatory status. The Federal Circuit ruled in Crocs, Inc. v. Effervescent, Inc. that statements about proprietary or patented technology can trigger liability if they create a false impression, rejecting the notion that intangible claims are immune from scrutiny. In Guardant Health, Inc. v. Natera, Inc., a jury awarded $292.5 million after finding that comparative performance claims based on non-equivalent studies misled clinicians about diagnostic test accuracy. The Second Circuit in Zesty Paws LLC v. Nutramax Laboratories, Inc. determined that superlatives like “#1” may be interpreted as factual in data-driven healthcare markets rather than puffery. Courts have also imposed over $1.4 million in sanctions in a case involving Raydiant Oximetry for baseless false advertising claims. Source: Gardner Law

Private Equity

  • Governor Gavin Newsom signed two laws in October 2025 that restrict private equity involvement in California healthcare and establish transaction reporting requirements. AB 1415 requires healthcare entities, management services organizations, and other parties to provide written notice to the Department of Health Care Access and Information at least 90 days before transactions involving material transfers of assets or operational control, with reporting requirements applying to transactions closing on or after April 1, 2026. SB 351 codifies California’s Corporate Practice of Medicine doctrine by prohibiting private equity groups and hedge funds from interfering with clinical judgment, controlling patient records, hiring or firing clinical staff based on competency, or setting parameters for payer contracts. The law renders noncompete clauses and non-disparagement provisions unenforceable in agreements with private equity or hedge fund-backed practices, though sale-of-business noncompete provisions remain valid. Both laws take effect January 1, 2026, and SB 351 does not grandfather existing management service organization arrangements or contracts. Source: Health Care Law Matters
  • States are implementing laws to restrict private equity ownership and control in healthcare. California prohibits private investors from interfering with physician and dentist judgment and bars contract terms that restrict provider competition or speech about care quality. Oregon restricts dual ownership in medical entities and management services organizations, and prohibits MSOs from controlling clinical operations including staffing levels, visit duration, diagnostic coding, and pricing. California, Massachusetts, and New Mexico require private equity groups, hedge funds, and MSOs to submit written notice and financial information for transactions involving material changes in control, while Massachusetts strengthened oversight with limits on sale-leaseback transactions between hospitals and REITs. Maine imposed a one-year moratorium on hospital purchases by private equity or REITs. Source: Consumer Financial Services Law Monitor

Wade’s Health Law Highlights for December 2, 2025

Antitrust

Centers for Medicare & Medicaid Services

Data Privacy and Breach

HIPAA

  • A federal court dismissed a Texas lawsuit that challenged both a 2024 HIPAA reproductive health care privacy rule and sought to invalidate the entire 2000 HIPAA Privacy Rule. On November 24, 2025, Judge James Wesley Hendrix of the U.S. District Court for the Northern District of Texas dismissed the case without prejudice based on a joint stipulation between Texas and HHS. The Texas Attorney General had filed the 2024 lawsuit against the U.S. Department of Health and Human Services, alleging the agency exceeded its statutory authority when issuing the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule in April 2024. The lawsuit included a proposed remedy to challenge the validity of the 2000 HIPAA Privacy Rule. The dismissal ends this challenge to HIPAA’s validity, though questions remain about whether states will continue to challenge regulations following the Supreme Court’s decision in Loper Bright. Source: Quarles Law Firm
  • 60% of healthcare organizations have experienced a HIPAA-related incident or near miss, according to a survey of 613 healthcare professionals conducted in May and June 2025. Internal employee error accounted for 49% of these incidents, while vendor or third-party breaches caused 10%. While 59% of organizations expressed confidence in their vendors’ HIPAA compliance, only 33% conduct annual vendor risk assessments, and just 69% require HIPAA training from vendors. Civil penalties for violations range from $127 to $63,973 per violation with an annual cap of $1,919,173, while criminal penalties can reach $250,000 per violation and include one to 10 years in prison. Source: Yahoo News

Non-Competes

Telehealth


Wade’s Health Law Highlights for November 25, 2025

340B

  • HRSA has approved plans from 10 manufacturers to participate in the 340B Rebate Model Pilot Program, which will inform the development of future models consistent with the 340B statute. The participating manufacturers include Bristol Myers Squibb (Eliquis), Immunex Corporation (Enbrel), AstraZeneca (Farxiga), Pharmacyclics (Imbruvica), Merck Sharp Dohme (Januvia), Boehringer Ingelheim (Jardiance), Novo Nordisk (Novolog products and Fiasp products), Janssen Biotech (Stelara), Janssen Pharmaceuticals (Xarelto), and Novartis Pharmaceuticals (Entresto). Nine plans begin January 1, 2026, while Entresto begins April 1, 2026, and all use the Beacon platform for processing. Covered entities must purchase drugs through their 340B wholesaler accounts and request rebates after purchase, with manufacturers required to load WAC prices in those accounts. HRSA will audit both covered entities and manufacturers to ensure compliance with statutory requirements. Source: 340B Rebate Model Pilot Program | HRSA

Artificial Intelligence

  • OpenAI prohibits its tools from providing professional advice without licensed oversight in updated Usage Policies. The company now bans use of ChatGPT, API services, and integrated products for tailored legal, medical, or financial advice unless a licensed professional is involved, and also prohibits facilitation of suicide, self-harm, or sexual violence content. The changes mirror policies Anthropic announced in August and align with state laws like California’s Assembly Bill 3030, which requires disclaimers on AI-generated patient communications, and Illinois’ Wellness and Oversight for Psychological Resources Act, which prohibits AI therapy without clinician oversight. Organizations deploying AI must now update governance frameworks, acceptable use policies, employee training, and consumer disclaimers to ensure human expertise oversees all professional recommendations. Companies should review integrations with OpenAI and other AI providers and prohibit inputting protected health information or trade secrets into public AI tools. Source: Baker Donelson
  • Patients use AI chatbots for health information as an alternative to physicians. A 2024 KFF poll found that 17% of adults use AI chatbots at least once a month for health information and advice, with that figure rising to 25% among adults under age 30. Patients report using ChatGPT to interpret symptoms, explain lab results, and guide treatment decisions, citing long wait times, high costs, and dissatisfaction with clinical interactions as reasons for turning to the technology. Jennifer Tucker, a Wisconsin resident, said ChatGPT never rushes her out of conversations. However, a preprint study from Oxford University found that users rarely made correct diagnoses or identified appropriate next steps when using ChatGPT to assess symptoms, and researchers warn that chatbots can generate incorrect or unsafe advice. Source: Becker’s Hospital Review

Cybersecurity

  • Healthcare organizations face a gap between cyber attack speed and detection capabilities. Hackers can access information within less than five hours after breaching a network, while organizations take an average of 235 days to detect a breach. Healthcare entities experience an average of two breaches per day that threaten personal health information. Commercial cybersecurity models using AI have achieved over 99% accuracy in detecting intrusions, malware, and phishing attacks, though AI will augment rather than replace cybersecurity professionals. Source: Healthcare Finance News
  • Healthcare accounted for 23% of all data breaches in 2024, making it the most breached industry. A recent study analyzing over 1,000 global breach cases found healthcare breaches increased from 18% in 2023, surpassing finance, professional services, and retail sectors. The HIPAA Journal reported 184,111,469 records were breached in 2024, representing a 9.4% increase from the prior year. UnitedHealth Group paid $22 million in ransom after a February attack on its Change Healthcare subsidiary compromised the personal information of 100 million people. The sector’s vulnerability is attributed to interconnected systems spanning multiple entities and the human factor of multiple users accessing systems. Source: IT Brew
  • Doctor Alliance is investigating a claim that a hacker stole 353 GB of data containing 1.24 million files from the Dallas-based healthcare billing services provider. A hacker using the name Kazu posted the claim on an underground forum around November 7, 2025, demanding a $200,000 ransom by November 21, 2025, and threatening to sell the data if payment is not made. A 200 MB sample posted by the hacker contains patient names, addresses, phone numbers, email addresses, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. Doctor Alliance confirmed that an unauthorized individual accessed a single client account and that the vulnerability was remediated, but the company has not confirmed whether data was stolen and has engaged cybersecurity experts to investigate. Multiple class action lawsuits have been filed in the United States District Court for the Northern District of Texas against Doctor Alliance and one of its clients, Prima Care, with plaintiffs asserting claims of negligence, breach of contract, and breach of fiduciary duty. Source: HIPAA Journal

Drugs & Devices

Fraud & Abuse

Hospitals

Medicare

  • CMS established a mandatory payment model for specialists treating low back pain and heart failure that runs from January 1, 2027 through December 31, 2033. The Ambulatory Specialty Model applies to individual clinicians who bill under the Medicare Physician Fee Schedule, have specialty codes in Cardiology, Anesthesiology, Interventional Pain Management, Neurosurgery, Orthopedic Surgery, Pain Management, Physical Medicine or Rehabilitation, treat at least 20 episodes of either condition two years before the performance year, and practice in select geographic areas. CMS will measure performance across four categories (quality, cost, improvement activities, and promoting interoperability), with quality and cost each weighted at 50 percent of the final score. Medicare Part B payments will be adjusted using a payment multiplier calculated from each clinician’s performance score. Clinicians cannot opt out of participation if they meet the criteria, and participants will be exempt from MIPS reporting during ASM performance years. Source: BakerHostetler

Part 2, Substance Abuse

Workforce

  • States are expanding scope-of-practice rules for nurse practitioners and physician assistants to address workforce shortages projected to continue through the next decade. California began issuing 103 NP certifications in 2023 under Assembly Bill 890, which permits nurse practitioners to practice independently within hospitals and clinics, and expects to open applications for 104 NP certifications in 2026, which will allow full independence after three years of 103-level experience. California also enacted AB 1501, effective January 1, 2026, increasing the physician-to-PA supervision ratio from 1:4 to 1:8. New York extended its NP autonomy model in 2025, exempting nurse practitioners with at least 3,600 hours of practice from maintaining written collaborative agreements with physicians through July 2026. Meanwhile, federal minimum nurse staffing standards issued by CMS in April 2024 were vacated by a district court in April 2025 and Congress enacted a ten-year enforcement moratorium in July 2025, leaving state-level staffing laws as the enforceable requirements. Source: Healthcare Law Blog
  • Ambient AI scribes reduced physician burnout by 74% in a study of 263 clinicians across six health care systems. The Yale-led research, published in JAMA Network Open, examined physicians and advanced practice practitioners who used the Abridge ambient AI scribe for 30 days in ambulatory settings. Burnout rates dropped from 51.9% to 38.8%, while clinicians reported improvements in cognitive load and ability to focus on patients. The AI scribes transcribe patient-clinician conversations and generate visit notes, saving clinicians about an hour each day according to a companion study. Source: Yale Daily News

Wade’s Health Law Highlights for November 18, 2025

340B

  • 340B covered entities face new rebate models and Medicare Part D claims reporting requirements starting January 1, 2026. The rebate models extend to all 340B covered entity types, all payors, and all dispensing locations, using the Beacon software platform with eight manufacturers participating under different policies. CMS will identify Medicare Part D claims for 340B drugs through a data-driven model that associates prescriber NPIs with covered entities and contract pharmacies, and through a voluntary claims data repository. CMS expects federally qualified health centers, Critical Access Hospitals, and IPPS hospitals to submit claims data during the voluntary testing period, with mandatory reporting anticipated as early as 2027. The changes stem from the Inflation Reduction Act requirement that drug manufacturers provide rebates on drugs with prices increasing faster than inflation, with 340B drug claims excluded from these calculations. Source: McDermott Will & Schulte

Anti-Kickback Statute

Data Privacy & Governance

  • 2025 marks a shift in state privacy regulation from new legislation to enforcement and rulemaking. Nine states amended existing comprehensive privacy laws, with Connecticut and Montana making changes to coverage thresholds, consumer rights, and protections for minors. California finalized CCPA regulations covering automated decision-making technology, risk assessments, and cybersecurity audits that take effect January 1, 2026, with businesses required to submit certifications under penalty of perjury starting in 2028. Enforcement actions increased across multiple states, with California settling cases totaling over $2,300,000, Texas securing a $1,375,000,000 settlement, and Florida filing its first lawsuit under the Digital Bill of Rights. Eight states enacted youth privacy laws, while New York, Virginia, and California passed health privacy legislation restricting geofencing and collection of reproductive health data. Source: IAPP
  • Hospitals are allocating 4.2% of their 2026 budgets to AI governance and safety despite rapid adoption of AI technology across clinical and operational workflows, according to Black Book Research. Only 22% of hospitals report confidence they could deliver an auditable AI explanation within 30 days to regulators or payers, with the gap widening at smaller facilities where just 15% of small hospitals report readiness. Only 29% of hospitals have implemented and enforced AI policies covering model inventory, lineage and sign-offs, while 48% remain in drafting stages. The data shows 41% cite limited explainability artifacts from vendors as their top audit barrier, and 33% report unclear internal ownership between IT, quality/safety and compliance departments. A separate report from the Healthcare Financial Management Association found that 88% of health systems use AI internally, but only 18% have a mature governance structure. Source: Healthcare Finance News

Drug & Device

  • The FDA’s Digital Health Advisory Committee examined a hypothetical prescription chatbot using generative AI to treat major depressive disorder in adults. The committee provided recommendations on premarket evidence requirements, postmarket monitoring, labeling, and integration into clinical care, marking a step toward regulating generative AI mental health tools that the agency has not yet cleared. The recommendations call for validated depression endpoints, human escalation pathways, equity monitoring across populations and languages, and risk-stratified postmarket surveillance to address risks including hallucinations, model drift, and cybersecurity vulnerabilities. Manufacturers must demonstrate technical reliability, test capability boundaries, and provide transparent labeling about purpose, limits, data practices, and prescriber requirements. States including Illinois and California have enacted legislation requiring user disclosures that confirm interaction with AI solutions and prohibiting branding that implies licensure to deliver therapy. Source: Orrick

Fraud & Abuse

HIPAA

  • Senator Bill Cassidy (R-LA) has proposed legislation to extend HITECH Act privacy and security requirements to entities that handle health information outside the traditional HIPAA framework. The bill would require entities not subject to HIPAA to provide plain language disclosures when accessing health data, informing individuals that their information will no longer receive HIPAA protections and obtaining consent before selling the data. The legislation would mandate that health and wellness apps, regardless of their size or current compliance obligations, provide notices about the loss of HIPAA protection and offer opt-out rights for data use. Companies would face expanded breach notification duties and would need to implement more stringent information security protections that align with HIPAA security standards, including documentation, retention, training, and logging requirements. The bill would also require written authorization for sharing information, which would restrict marketing practices that rely on cookies and other data-sharing mechanisms. Source: Privacy Compliance & Data Security
  • Healthcare providers have incurred over $100 million in fines in recent years due to unauthorized data sharing through tracking pixels on websites. Tracking pixels embedded in patient portals and telehealth platforms may inadvertently transmit protected health information to third parties such as analytics and social media companies, prompting enforcement actions by the Office for Civil Rights and Federal Trade Commission. Standard Business Associate Agreements often fail to address risks from AI-driven analytics, behavioral tracking, and secondary data use. New York’s Information Security Breach and Notification Act now imposes a 30-day breach notification deadline and expands protected data definitions to include medical history and health insurance identifiers, affecting both HIPAA-covered entities and non-regulated organizations. Organizations should conduct vendor risk assessments, customize Business Associate Agreements, and implement continuous oversight of vendor performance to ensure HIPAA compliance. Source: Stevens & Lee

Medicare & Medicaid

  • An appellate court ruling emphasized that Medicaid applicants for long-term care must meet clinical eligibility requirements in addition to financial standards. To qualify for long-term care Medicaid, applicants must require hands-on assistance with at least three Activities of Daily Living, including bathing, dressing, eating, toileting, and mobility, as determined through a Pre-Admission Screening. The case involved an individual denied benefits who could complete some Activities of Daily Living but required prompting, oversight, and assistance to remain safe. The court specified that clinical evaluations must assess physical capability, cognitive function, safety awareness, and the ability to perform tasks without supervision. Attorneys Richard I. Miller and Donald A. Dennison noted that individuals who need help with fewer than three Activities of Daily Living remain ineligible for coverage even if they cannot live independently. Source: Mandelbaum Barrett PC
  • Medicare Advantage provider directories contain errors that mislead enrollees about available care. A report from the Department of Health and Human Services Office of Inspector General found that 55% of behavioral health providers listed in Medicare Advantage plan networks did not provide care for plan enrollees. The average Medicare Advantage plan contracts with only 16% of behavioral health providers in its area, below the 25% threshold that defines a “limited network.” The Centers for Medicare & Medicaid Services created a temporary Special Election Period for individuals who enrolled in Medicare Advantage plans through Medicare Plan Finder based on directory information and discovered within three months that their provider was not in-network. To qualify, enrollees must contact 1-800-MEDICARE and can then switch to a different Medicare Advantage plan or return to Original Medicare. Source: Medicare Rights Center

Mergers & Acquisitions

  • The healthcare M&A market remains active but operates with increased selectivity in Q4 2025, with deal volume down from 2021-22 levels as buyers focus on technology-enabled care, distressed assets, and provider consolidation. Ambulatory surgery centers, behavioral health, home health, AI platforms, and revenue cycle management tools attract the most investor interest, while the FTC and DOJ maintain scrutiny over provider consolidation and local market concentration. Buyers are using earn-outs, seller financing, minority stakes, and joint ventures to bridge valuation gaps as financing costs remain elevated. Analysts predict a measured rebound in deal volume for 2026, driven by lower interest rates and middle-market transactions, though regulatory oversight will intensify around roll-up transactions and AI-driven clinical tools. The firm recommends that acquirers engage legal counsel early to address data governance, workforce risk, and integration planning. Source: Arnall Golden Gregory LLP

Mobile Devices

Pharmacy Benefit Managers

  • Alternative pharmacy benefit managers are gaining market share as the three largest PBMs face federal scrutiny for allegedly overcharging for drugs and favoring their own pharmacies. Federal lawsuits and investigations have accused CVS Health’s Caremark, Cigna’s Express Scripts, and UnitedHealth Group’s Optum Rx of pocketing savings and giving perks to their vertically integrated insurance companies and pharmacies. Alternative PBMs such as Navitus, AffirmedRx, and Rightway Healthcare use fee-for-service models and claim to pass 100% of negotiated discounts to clients, unlike the Big 3 which the FTC accused of making $1.4 billion through spread pricing from 2017 to 2022. A September report found that 61% of 324 employers surveyed have moved away from or are considering leaving the Big 3 in the next three years. Navitus has secured 800 clients covering 18 million lives since 2003, while competitors AffirmedRx and Rightway have attracted clients including 7-Eleven, Purdue University, and Tyson Foods. Source: Healthcare Brew

Revenue Cycle Management

Substance Use Disorder (42 CFR Part 2)

Workplace

  • Healthcare workers face workplace violence at rates five times higher than other industries, according to Bureau of Labor Statistics data. A 2024 survey found 91% of emergency physicians have either experienced violence at work or know a colleague who has, while one-fourth of nurses have been physically assaulted on the job. Violent incidents in hospitals increased 63% between 2011 and 2018, with the cost of violence reaching $18.27 billion in 2023, of which $14.6 billion went to post-incident costs. Modern hospital security systems combine access control, AI-enhanced video surveillance, alarm systems, emergency notification systems, and trained security personnel, with approximately 92% of hospitals having some form of access control. Source: Omnilert

Wade’s Health Law Highlights for November 11, 2025

340B

  • HRSA has finalized the 340B Rebate Model Pilot Program with nine manufacturers approved to participate starting January 1, 2026. The approved manufacturers include Bristol Myers Squibb, Immunex Corporation, AstraZeneca AB, Pharmacyclics, Merck Sharp & Dohme, Boehringer Ingelheim, Novo Nordisk Inc., Janssen Biotech, Inc., and Janssen Pharmaceuticals, Inc., each participating with specific drugs and all using Beacon as their service platform. Manufacturers will issue rebates at the unit level calculated as WAC minus the 340B ceiling price based on the date of service, and may request limited medical claims data in addition to pharmacy claims fields. HRSA advises covered entities to replenish accumulations for affected drugs before the January 1, 2026, effective date and requires manufacturers to provide covered entities at least 60 days advance notice before any additional rebate plans become effective. The pilot shifts from upfront discounting to post-dispense rebates for the approved drugs. Source: Husch Blackwell

Artificial Intelligence

  • The Joint Commission and the Coalition for Health AI released guidance in September 2025 to help healthcare organizations manage AI systems. The guidance outlines seven elements including governance structures, patient privacy protections, data security, quality monitoring, safety event reporting, bias assessment, and workforce training. Healthcare organizations should establish AI oversight committees with members from compliance, IT, clinical operations, and data privacy. Texas will require healthcare providers to disclose AI use to patients starting January 1, 2026, under House Bill 149. Organizations must ensure AI tools comply with HIPAA and conduct performance evaluations to detect bias and maintain accuracy across patient populations. Source: Parker Poe
  • Healthcare providers must implement a five-pillar framework to ensure AI compliance amid new regulations. The ONC HTI-1 Final Rule and HHS 2025 AI Strategic Plan require transparency in AI systems, while California AB 489 prohibits AI from using titles or language suggesting licensure as professionals. Practices must secure Business Associate Agreements that cover downstream subcontractors, request algorithm transparency data on training sources and demographic performance, and establish policies distinguishing administrative AI use from clinical decision-making. Tools processing clinical conversations require explicit patient consent beyond passive disclosure, and all AI-generated output affecting patient care must undergo review by licensed professionals with audit trail documentation. The HHS promotes AI systems that meet FAVES standards: Fair, Appropriate, Valid, Effective, and Safe. Source: Medical Economics

Breach Notification

Compliance Programs

  • The Office of Inspector General has outlined seven elements that medical practices must implement to establish a compliance program. Organizations must develop written policies and procedures, appoint a compliance officer and committee, provide ongoing training to all staff, and maintain open communication channels for reporting concerns. The framework requires regular monitoring and auditing of operations such as billing and coding, enforcement of standards through discipline, and prompt investigation and correction of violations. Compliance programs create accountability among staff from front office personnel to providers and administrators. A compliance infrastructure can increase the value of a practice to potential buyers and partners. Source: Stevens & Lee

Drugs & Devices

  • The FDA issued guidance in June 2025 establishing cybersecurity requirements for medical devices that create enforcement risk under the False Claims Act. The guidance interprets Section 524B of the Federal Food, Drug, and Cosmetic Act, which defines “cyber devices” as any device containing software or connectivity capabilities such as Wi-Fi or Bluetooth. The FDA can now deny premarket authorization based solely on cybersecurity deficiencies, and failing to maintain cybersecurity processes constitutes a prohibited act under the law. The Department of Justice recently settled with Illumina Inc. over cybersecurity violations under the False Claims Act, demonstrating that noncompliance may lead to investigations and civil enforcement. Manufacturers must integrate cybersecurity considerations from the earliest stages of product development and maintain monitoring throughout the device lifecycle. Source: Morgan Lewis
  • The FDA proposed eliminating comparative efficacy studies for biosimilar approval on October 29, 2025. The draft guidance suggests that comparative analytical assessments of protein structure, physicochemical, and functional attributes can replace clinical studies with efficacy endpoints for therapeutic protein products such as antibodies. FDA justifies this shift by citing accumulated experience and the sensitivity of current analytical technologies, which the agency says can detect differences between biosimilars and reference products more effectively than clinical studies. The proposal applies when products are manufactured from clonal cell lines, are well-characterized, the relationship between quality attributes and clinical efficacy is understood, and human pharmacokinetic similarity studies are feasible. Source: Jones Day

False Claims Act

Gender-Affirming Care

HIPAA

  • A group of five Delaware nursing homes owned by Cadia Healthcare was penalized $182,000 for HIPAA violations. The facilities posted patient “success” stories on websites and social media without obtaining consent from the residents. These posts, which occurred between 2022 and 2024, disclosed the names, photos, diagnoses, and therapy details of 150 patients. Information was taken directly from medical records by the marketing team. In addition to the fine, the company must institute mandatory HIPAA training, revise its policies, undergo annual audits, and hire a privacy officer. Source: Nurse.Org

Medicaid

  • CMS will implement a payment model to align Medicaid drug prices with those in other countries. The GENEROUS Model, launching in January 2026, will allow participating states to purchase drugs at prices aligned with select other countries through CMS-led negotiations with manufacturers. Medicaid spent more than $100 billion on prescription drugs in 2024, with net spending at $60 billion after rebates. The program will run for five years and is optional for both manufacturers and states. CMS released a Request for Applications for manufacturers and will collect letters of intent from state Medicaid agencies. Source: CMS.gov

Physician Fee Schedule

  • The Centers for Medicare & Medicaid Services (CMS) finalized its 2026 Physician Fee Schedule Final Rule, adopting several changes to drug pricing calculations and reporting that will become effective on January 1, 2026. The rule requires manufacturers to include Maximum Fair Price (MFP) units in Average Sales Price (ASP) calculations and mandates the submission of “reasonable assumptions” and compliance certifications for new contracts. While a new definition for “bundled sale” arrangements was finalized, CMS did not finalize several other proposals, including new standards for bona fide service fees (BFSFs) and specific Fair Market Value (FMV) methodologies. For Medicare inflation rebates, the agency finalized a claims-based method to exclude 340B units from Part D calculations and will establish a voluntary 340B claims data repository. Additionally, the payment methodology for most skin substitutes is changed, making ASP reporting voluntary for their manufacturers. Source: Hogan Lovells

Reproductive Rights

Rural Hospitals

  • Texas has applied for $1 billion in federal funding to address rural health care needs through its “Rural Texas Strong” project. The application to the federal Rural Health Transformation program requests $200 million annually for five years for initiatives like recruiting workers and upgrading hospital equipment. The national program will distribute $10 billion yearly, with half awarded based on states’ “rural factors,” such as Texas’s 4.3 million rural residents and 195 fully rural counties. The Centers for Medicare and Medicaid Services (CMS) will review the application and is required to announce awards by the end of 2025. Funding distribution is expected to start in January. Source: KERA News

Weight Loss and GLP-1

  • Deals announced by President Donald Trump with Eli Lilly and Novo Nordisk will lower the prices of GLP-1 obesity drugs. The agreements reduce prices for Medicare and Medicaid beneficiaries and offer the drugs directly to consumers at a discount via a website called TrumpRx.gov, which launches in January 2026. For the first time, Medicare will begin covering obesity drugs in mid-2026 through a pilot program, with eligible patients paying a $50 monthly copay. Upcoming pills will cost $149 per month through the programs, while starting doses of existing injections will be $350 per month on TrumpRx. This initiative is part of the administration’s “most favored nation” policy to align U.S. drug costs with lower prices available abroad. Source: cnbc.com

Wade’s Health Law Highlights for November 4, 2025

Cybersecurity

Drugs and Devices

Laboratories

Mergers & Acquisitions

Private Equity

Reproductive Rights

  • A New York county judge dismissed a Texas lawsuit Friday that sought to enforce a $113,000 judgment against an abortion provider. Justice David M. Gandin ruled in favor of Ulster County Clerk Taylor Bruck, who refused to file the Texas judgment against Dr. Margaret Daley Carpenter, citing New York’s shield law that protects abortion providers from legal penalties and extradition orders. Texas Attorney General Ken Paxton attempted to send the judgment to Bruck’s office twice along with a court summons, arguing under the Constitution’s Full Faith and Credit Clause that states must recognize other states’ laws. Gandin did not evaluate that constitutional argument, noting that Texas did not request a declaration on the shield law’s constitutionality. Texas has 30 days to appeal the ruling but has not announced plans to do so. Source: The Hill

Wade’s Health Law Highlights for October 28, 2025

Artificial Intelligence

  • Insurance companies face lawsuits alleging AI algorithms denied patient care without human oversight. UnitedHealth Group, Cigna, and Humana are defending against claims that their AI programs led to denied care, though the companies deny using AI for coverage denials. A May survey from the National Association of Insurance Commissioners found 84% of 93 insurers used AI, with 68% using it for prior authorization approvals, though only 12% reported using it to deny authorization requests. Healthcare providers are deploying their own AI tools to automate prior authorization requests and appeals, with physicians spending an average of 13 hours per week on these requests and the industry spending nearly $13 billion on prior authorization in 2023. Providers have adopted AI faster than insurers, creating agent wars between the two sides. Source: Healthcare Brew
  • California has banned AI systems from using healthcare licensing terms that could mislead consumers about professional qualifications. Assembly Bill No. 489, enacted on October 11, 2025, prohibits AI and generative AI technologies from using terms like “doctor” or “M.D.” in advertising or functionality that falsely suggest operation by licensed healthcare professionals. The legislation extends existing prohibitions on unauthorized use of healthcare licensure terms to cover entities that develop or deploy AI systems in healthcare contexts. Healthcare professional licensing boards can enforce violations through injunctions and other remedies, with each instance of prohibited term usage constituting a separate violation. Companies operating AI systems in healthcare must implement compliance measures and disclaimers to avoid enforcement action under the law. Source: Orrick

Civil Investigative Demands

Compliance

  • Healthcare organizations that bill government payers must establish formalized compliance programs through a six-step process. Organizations should first designate a compliance officer and form a committee, then begin drafting a compliance manual using OIG General Compliance Program Guidance as a framework, with completion targeted within 6-12 months. During the manual development phase, organizations should implement an anonymous reporting mechanism and code of conduct, conduct a risk assessment to identify vulnerabilities, and create a first-year work plan that addresses priorities identified through the assessment. Once the manual is complete, organizations should develop compliance training for all employees. Source: Dentons On Call

Data Privacy

  • Healthcare organizations can leverage minimum viable data governance (MVDG) to overcome data management challenges and accelerate AI adoption. MVDG provides a framework built on five pillars: Data Stewardship, Data Quality, Data Privacy, Data Security, and Metadata Management. The approach integrates governance processes into operational workflows, reducing the time required to move projects from concept to execution. MVDG breaks down data silos by unifying information into a consistent source of truth and establishes the data quality processes needed for AI-powered solutions. This method is “smart scaling” in that it adapts governance to business needs rather than creating bottlenecks. Source: HealthTech Magazine
  • Healthcare providers must reconcile data accessibility with patient privacy as cybersecurity threats intensify. Industry leaders recommend role-based access controls, encryption, and integrated EHR systems as solutions. The Department of Health and Human Services is proposing updates to the HIPAA Security Rule for the first time in more than two decades. The proposed changes eliminate “addressable” implementation specifications, requiring organizations to fully implement, document, and enforce every safety feature from encryption to incident response. Technologies such as privacy-preserving data enclaves, AI-powered monitoring, and centralized HIPAA-compliant platforms can enable data sharing while protecting patient information. Source: Healthcare IT Today

Fraud & Abuse

  • A federal health care fraud prosecution in Dallas collapsed after a prosecutor and defense attorney deleted court-ordered text messages, leading to charges against both legal professionals. Former federal prosecutor Carlos A. Lopez, 48, and Dallas defense attorney Barrett R. Howell, 50, face misdemeanor charges for deleting government text messages in April 2023 that a judge had ordered them to produce. The misconduct forced the Justice Department to dismiss all charges with prejudice against three defendants who were accused of operating a $107 million Medicare fraud scheme through Trinity Clinical Laboratories LLC between 2018 and 2019. Both Lopez and Howell are expected to sign plea agreements and face up to one year in prison and $100,000 fines each. U.S. District Judge Barbara M. G. Lynn rebuked the Justice Department during a May 2023 hearing after learning of the deleted messages. Source: wfaa.com
  • The Department of Justice created the Enforcement & Affirmative Litigation Branch within its Civil Division on September 25, 2025. The Branch consists of two sections: the Enforcement Section, which will pursue cases under the Federal Food, Drug, and Cosmetic Act, Consumer Product Safety Act, and Federal Trade Commission Act; and the Affirmative Litigation Section, which will bring lawsuits against states, municipalities, and private actors that allegedly obstruct administration policies. The reorganization does not create statutory powers but consolidates affirmative litigation functions. The Branch will focus on health care providers, drug and device marketing, and consumer product labeling, with False Claims Act enforcement related to gender-affirming care designated as a priority area. Companies in health care, pharmaceutical, and consumer-products sectors should review their marketing, labeling, and promotional protocols for compliance with federal standards. Source: Polsinelli

GLP-1

Marketing

Medicare Reimbursement

  • The HHS Office of Inspector General released a report calling for heightened oversight of Medicare billing for remote patient monitoring services. Medicare payments for RPM surpassed $500 million in 2024, serving nearly one million enrollees, despite Medicare coverage for RPM having been established only in 2019. OIG’s 2024 report found that nearly half of enrollees who received RPM services did not receive all three components: education and setup, device supply, and treatment management. The report recommends CMS monitor providers billing for enrollees with no prior practice history, new enrollees receiving RPM for the first time, enrollees never receiving treatment management, enrollees already receiving RPM at another practice, or multiple monitoring devices per month for a single enrollee. Providers should reinforce training and processes to ensure RPM services are medically necessary and compliant with Medicare requirements. Source: Morgan Lewis Health Law Scan

Mergers & Acquisitions

  • Healthcare buyers must conduct AI due diligence during mergers and acquisitions as organizations expand artificial intelligence use without governance frameworks. Many healthcare organizations deploy AI applications ranging from clinical decision-support interventions to patient communications without comprehensive monitoring strategies, creating compliance and liability risks for potential buyers. New state regulations compound these risks, with California’s Assembly Bill 489 prohibiting AI systems from suggesting medical advice comes from licensed professionals and Illinois banning AI use in mental health decision-making processes. Buyers should examine target companies’ AI oversight structures, governance programs, vendor contracts, and develop post-closing integration strategies to manage HIPAA violations and other legal exposures. The process requires collaboration between legal, IT, and clinical teams to assess risks and ensure compliance in this evolving regulatory landscape. Source: Sheppard Mullin Healthcare Law Blog

Value-Based Care

Wearables


Wade’s Health Law Highlights for October 21, 2025

AI Governance

  • Joint Commission and the Coalition for Health AI released the first national guidance for responsible AI implementation in U.S. healthcare systems. The guidance establishes policies for local validation, monitoring, and use that healthcare organizations can integrate into existing or new processes. The organizations plan to release governance playbooks later this year and in 2026, followed by a voluntary AI certification program for Joint Commission’s more than 22,000 accredited healthcare organizations. The partnership, launched in June 2025, combines Joint Commission’s standards and reach with CHAI’s technical expertise to help health systems utilize AI while improving patient outcomes. CHAI membership includes nearly 3,000 organizations across healthcare and technology sectors. Source: Joint Commission
  • Healthcare providers are generating return on investment from AI in tech support and patient experience applications, according to a Google survey of more than 600 senior leaders in healthcare and life sciences. The survey found 80% reported better patient engagement metrics and 70% saw higher patient satisfaction scores, with both tech support and patient experience showing ROI for 34% of respondents. Meanwhile, 44% of organizations now use agentic AI agents, though data privacy and security remains the top concern for healthcare executives evaluating AI suppliers. A separate NYU study of 55,000 portal messages revealed clinicians use AI for patient communication 20% of the time, reducing composition time by 7% but requiring additional time for reviewing and editing AI-generated drafts. Source: AI in Healthcare

Biotech

  • The biotech industry confronts a convergence of financial and regulatory pressures while showing signs of recovery in select funding areas. A patent cliff threatens $300 billion in biologics revenue from 2023 through 2028, while the Inflation Reduction Act and potential tariff policies create pricing uncertainties for pharmaceutical companies. Venture capital funding rebounded in 2024 to $23.1 billion total, exceeding pre-pandemic levels, though fewer companies received funding with larger average round sizes. The IPO market remains weak with only 30 companies raising $4 billion in 2024, and 39% of smaller biotech firms hold less than one year of operating cash. Alliance deals reached $144 billion in potential value during 2024, representing the highest level in a decade as companies pursue partnerships over traditional mergers and acquisitions. Source: DCAT Value Chain Insights

Cybersecurity

  • Healthcare organizations face escalating cyber threats that directly compromise patient safety and care delivery. A Ponemon Institute survey of 677 healthcare IT professionals found that 93% of organizations experienced cyberattacks in the past year, with 72% reporting disruptions to patient care including delayed procedures, extended hospital stays, and complications that led to increased mortality rates in 29% of cases. Organizations experienced an average of 43 attacks each, up from 40 the previous year, while supply chain attacks proved most damaging with 87% of victims reporting negative patient care impacts. The average cost of the most expensive cyberattack reached $3.9 million, though this represents a decrease from 2024’s $4.7 million average, with operational disruption accounting for the largest expense at $1.2 million per incident. Human error contributed to 35% of data breaches, with employees failing to follow security policies, while 75% of organizations plan to migrate clinical applications to cloud platforms and 30% have adopted AI security tools. Source: HIPAA Journal
  • The EU Data Act establishes a framework requiring companies to provide users access to data from connected products and related services, with obligations that became applicable September 12, 2025. The regulation applies to manufacturers of connected products placed on the EU market and service providers, regardless of their location, covering Internet of Things devices that collect data about their use or environment. Users gain rights to access personal and non-personal data their devices generate, and companies must make this data available on fair, non-discriminatory terms while allowing transfer to third parties upon request. Medical and health devices fall within scope, including wearables and digital health platforms, requiring manufacturers to build mechanisms for patients to retrieve operational data in portable formats. Non-compliance can result in fines, regulatory investigations, and civil liability, with the regulation working alongside the European Health Data Space Regulation that entered into force in 2025. Source: White & Case LLP

Federal Drug Administration

Fraud & Abuse

  • The Trump Administration continued False Claims Act enforcement in healthcare during fiscal year 2025. Healthcare enforcement continued with settlements exceeding $1 billion, including a $350 million settlement with Walgreens for filling invalid opioid prescriptions and a $98 million Medicare Advantage settlement for inflated risk scores. The DOJ also maintained focus on cybersecurity compliance violations among government contractors, securing multiple settlements totaling over $20 million. Paycheck Protection Program fraud cases continue due to Congress extending the statute of limitations to 10 years in 2022. Source: Mayer Brown
  • ASCs operate under federal anti-kickback law enforcement risk despite exemption from Stark law restrictions. The federal Anti-Kickback Statute prohibits offering or receiving remuneration in exchange for patient referrals reimbursed by Medicare or Medicaid, requiring physicians who invest in ASCs to disclose their ownership interests and ensure investment opportunities are not based on referral volume. Safe harbor protections shield ASCs from prosecution when physician-owners personally perform procedures at the center and meet specific thresholds, including requirements that at least one-third of a physician-investor’s income comes from ASC-eligible procedures and physicians perform at least one-third of their procedures at the ASC. ASC ownership transactions must occur at fair market value to avoid referral-based inducements, with independent third-party valuations recommended to validate pricing and mitigate risk. Operating an ASC requires Medicare certification, state registration, and facility inspections, with restrictions that prevent space-sharing with hospitals or Medicare diagnostic facilities and prohibit passive ownership. Source: Becker’s ASC

GLP-1

  • The Fifth Circuit Court of Appeals ruled that companies can now sue competitors under state laws that mirror federal FDA regulations, breaking from the tradition that only the federal government can enforce violations of the Federal Food, Drug, and Cosmetic Act. In Zyla Life Sciences, LLC v. Wells Pharma of Houston, LLC, the court reversed a district court dismissal and held that state laws mirroring the FDCA are not preempted by federal law. Zyla Life Sciences had sued Wells Pharma under unfair competition laws in six states, claiming Wells’ sales of compounded indomethacin suppositories violated state laws that mirror FDA premarket approval requirements. The decision relied on California v. Zook (1949) and could impact the ongoing legal battles between traditional drug manufacturers and compounding pharmacies, particularly involving GLP-1 weight loss drugs. Companies operating in FDA-regulated industries now face increased risk of civil lawsuits from competitors under state law, marking a shift in regulatory enforcement beyond federal oversight. Source: Foley & Lardner LLP

Intellectual Property

  • Healthcare startups utilize software and intellectual property licensing to overcome development costs and regulatory barriers while accelerating time-to-market. Three primary licensing models exist: proprietary licensing with strict usage conditions, open source licensing that permits modification and distribution, and custom agreements tailored to specific needs. Healthcare companies must ensure licensing agreements address regulatory compliance with laws like HIPAA and GDPR, define scope of rights and ownership of improvements, and specify exclusivity terms and liability protections. Beyond licensing, startups need comprehensive IP strategies that include filing patents, trademarking assets, and protecting trade secrets to attract investors and increase company valuation. These licensing arrangements enable partnerships with universities, pharmaceutical companies, and technology vendors for research collaboration and market expansion. Source: Healthcare Law Insights
  • Life sciences and medtech companies risk compromising patent rights during conferences through premature disclosure of technical details. Companies should file provisional patent applications before public disclosures and focus patent protection resources on inventions tied to core business objectives rather than pursuing patents for every idea. Teams should prepare two pitch decks—a non-confidential version and a confidential deck for NDA settings—since global patent rights depend on what companies disclose publicly. While the U.S. provides a one-year grace period after public disclosure to file for patent protection, many other jurisdictions do not offer this protection. Investors expect companies to maintain clean IP documentation, conduct freedom-to-operate scans, and protect trade secrets, particularly for software-enabled devices and AI systems. Source: Healthcare Law Insights

Private Equity & Startups

  • Physician-founded healthcare companies require structured equity plans, regulatory compliance, and disciplined funding approaches to succeed. Founders should implement standard four-year vesting schedules with one-year cliffs, while advisors need written agreements with defined scope, deliverables, and milestone-based equity that reflects fair market value rather than referral-based compensation. Early-stage funding typically uses SAFE agreements with valuation caps and discounts, progressing to clean preferred stock with 1x non-participating liquidation preferences for priced rounds. Due diligence examines corporate structure integrity, deal economics clarity, and regulatory compliance, particularly for companies delivering direct care through physician-owned professional corporation and management services organization models. Companies should form immediately when intellectual property, data, personnel, or pilot programs are involved, as delays complicate ownership and rights assignments. Source: Healthcare Law Insights
  • The California Governor signed SB 351, restricting private equity and hedge fund control over medical and dental practices. The law, which takes effect January 1, 2026, mandates that only physicians and dentists can own medical records, make employment decisions, negotiate payor agreements, make billing decisions, and approve medical equipment and supplies. SB 351 prohibits practice management contracts from including non-compete clauses that would bar providers from competing after termination or from commenting on quality of care issues and revenue strategies. The legislation grants the California Attorney General authority to seek injunctive relief and attorney’s fees from investors who violate corporate practice of medicine laws. The law applies exclusively to physician and dental practices backed by private equity or hedge funds and excludes government-owned healthcare entities from its restrictions. Source: The National Law Review

Medicaid Reimbursement

Telehealth

  • Key telehealth flexibilities from the COVID-19 public health emergency expired on October 1, 2025, after Congress failed to extend them beyond the September 30 deadline. The expired provisions include allowing telehealth services from patients’ homes, expanding practitioner definitions to include occupational therapists and physical therapists, permitting audio-only telehealth sessions, and waiving in-person visit requirements for mental health services. The Centers for Medicare & Medicaid Services published and then removed guidance instructing Medicare contractors to implement temporary claims holds for affected services. Medicare will now revert to pre-pandemic restrictions that limit telehealth services to designated rural areas and require in-person hospice recertifications. While bipartisan support exists for extending these flexibilities, the timing of any future extension and whether it might apply retroactively remain uncertain. Source: Healthcare Law Blog

Texas Medical Board

  • The Texas Medical Board reprimanded a Houston doctor for prescribing ivermectin to a COVID-19 patient at a Fort Worth hospital where she lacked treatment privileges. Administrative law judges determined Bowden engaged in unprofessional conduct when she prescribed the medication to a Tarrant County Sheriff’s Deputy in October 2021 without completing the required privilege application. The incident escalated when the physician sent a nurse to administer the medication, creating what the hospital called a “disruptive scene” that required police intervention. The doctor, an ear, nose and throat specialist, stated she does not regret her actions and plans to appeal the reprimand while filing a lawsuit against the medical board. The reprimand carries no fines or suspension. She has gained national attention for her opposition to COVID-19 vaccine mandates and support for ivermectin treatment. Source: Houston Chronicle

Wade’s Health Law Highlights for October 14, 2025

AI Governance

  • Health systems possess the expertise to monitor AI tools but lack the infrastructure to implement comprehensive governance at scale. The Joint Commission and Coalition for Health AI released guidance covering AI policies, data security, quality monitoring, and safety event reporting, while the National Association of Insurance Commissioners established a model bulletin on AI use adopted by multiple states. Hospitals currently focus on low-risk AI applications such as chart review, ambient scribes, and radiology triage that maintain human oversight, according to Troy Bannister, CEO of Onboard AI. Mark Sendak of Vega Health argued that standards exist but healthcare organizations need scalable infrastructure and data systems to monitor AI tools across their systems. Industry executives expressed skepticism about Sen. Ted Cruz’s SANDBOX Act, which would create regulatory waivers for AI companies, preferring instead a distributed governance model similar to Clinical Laboratory Improvement Amendments. Source: Healthcare Innovation
  • AI in healthcare has come a long way since the FDA approved the first autonomous diagnostic system for diabetic retinopathy in 2018. The technology now detects patterns in medical scans, predicts patient deterioration, and automates administrative tasks while enabling personalized medicine through analysis of genetic and clinical data. However, algorithms can amplify healthcare inequities when training data underrepresents certain populations, and a 2023 study highlighted how racial and ethnic bias affects resource allocation and diagnostic accuracy. Current privacy frameworks like HIPAA and GDPR fail to address AI complexity, prompting new regulations including the EU AI Act that classifies medical AI as “high risk” and the US NIST AI Risk Management Framework. The American Medical Association has established principles requiring healthcare AI to be transparent and accountable while augmenting rather than replacing clinical judgment. Source: IAPP

Antitrust

  • U.S. antitrust officials signal a shift toward case-by-case enforcement over broad rulemaking as they target AI and healthcare markets for competition protection. DOJ Assistant Attorney General Gail Slater, DOJ Deputy AAG Dina Kallay, and FTC Director Daniel Guarnera outlined their enforcement priorities at the Fordham Competition Law Institute conference, backing away from the Biden Administration’s rulemaking approach in favor of targeted legal action. Slater framed the Google Search remedies decision as a foundation for AI market competition, while warning that monopolists may use privacy concerns to gatekeep data and block interoperability. The FTC plans to grant early termination of merger reviews more frequently, having already approved nearly 250 cases, and will continue enforcing against unlawful non-compete agreements despite abandoning the defunct broad rule. Officials emphasized scrutiny of incumbents in AI and healthcare sectors to prevent suppression of startups and ensure American competitiveness in deploying transformative technologies. Source: Wilson Sonsini

Cybersecurity

  • The U.S. Department of Labor expanded its cybersecurity guidance to cover all employee benefit plans, including health plans, requiring sponsors to implement 12 key security practices. Previously, DOL guidance focused only on ERISA retirement plans, leaving health plans outside the scope of federal cybersecurity requirements. Health plan sponsors must now align their cybersecurity practices with DOL standards while maintaining compliance with existing HIPAA and HITECH regulations. The 12 required practices include establishing formal cybersecurity programs, conducting annual risk assessments, implementing penetration testing, performing third-party security audits, and maintaining data encryption protocols. Unlike HIPAA and HITECH regulations that focus primarily on health data confidentiality, the DOL guidance takes a broader approach emphasizing ongoing monitoring, annual assessments, and continuous risk management across all health plan operations. Source: Security Magazine
  • Quantum computers will render current healthcare encryption methods obsolete, forcing organizations to prepare now for future security threats. Cyberthreat actors are already collecting encrypted healthcare data to store until quantum computers become available to break current RSA and ECC algorithms, according to Kurt Rohloff, chief technology officer at Duality Technologies. The National Institute of Standards and Technology released three post-quantum cryptography algorithms in 2024 after eight years of development, recommending organizations adopt these standards immediately. Healthcare data faces particular risk because health records retain sensitivity indefinitely, unlike credit card information that can be replaced when compromised. Rohloff recommends healthcare organizations conduct cryptographic inventories, discuss post-quantum plans with vendors, and consider fully homomorphic encryption that allows computations on encrypted data without decryption. Source: TechTarget

Data Breach

  • Harris Health notified over 5,000 patients that a former employee accessed their electronic health records without authorization for a decade. The Houston-area healthcare system discovered the breach on February 10, 2021, but the unauthorized access occurred from January 4, 2011, to March 8, 2021. The employee was terminated after an investigation confirmed that patient records were accessed without legitimate work purpose and some information was disclosed to unauthorized individuals, prompting Harris Health to notify the FBI. The compromised data included names, dates of birth, addresses, medical histories, medications, health insurance information, and Social Security numbers for some patients. Patient notifications were delayed four years at the request of law enforcement to avoid interfering with their investigation. Source: HIPAA Journal

Data Privacy

  • The Texas App Store Accountability Act will expose mobile app developers to private lawsuits starting January 1, 2026. The law requires app developers serving Texas users to assign age ratings for apps and in-app purchases, implement age verification systems, obtain parental consent for minors, and notify app stores of changes to terms of service or privacy policies. Unlike other Texas privacy laws, TASAA allows private litigants to sue for economic damages, injunctive relief, and attorney’s fees under the Texas Deceptive Trade Practices Act, while the Texas Attorney General can recover up to $10,000 per violation. The law prohibits developers from enforcing contracts against minors without parental consent, misrepresenting age ratings, and sharing personal data collected for age verification purposes. Utah and Louisiana will implement laws later in 2026. Source: Womble Bond Dickinson
  • States are stepping in to regulate reproductive health data privacy after a federal court struck down enhanced HIPAA protections in 2025. A Texas federal judge vacated the Reproductive Health Care Privacy rule in Purl v. U.S. Department of Health and Human Services on June 18, 2025, after a physician challenged it for conflicting with state child abuse reporting requirements. The Department of Health and Human Services did not appeal the decision by the August 18, 2025 deadline, leaving covered entities to rely on existing HIPAA protections. California, Virginia, and Washington have enacted comprehensive laws that extend beyond traditional healthcare entities to cover fitness trackers, retailers, and tech companies that process reproductive health data, with penalties ranging from $2,500 to $250,000 per violation. These state laws require explicit consent for data collection and sharing, with New York preparing similar legislation through the pending New York Health Information Privacy Act. Source: Troutman Pepper Locke

Devices

  • Ingestible sensors are transforming healthcare by providing real-time health monitoring from inside the human body. These capsule-shaped devices pass through the digestive tract and track temperature, medication adherence, pH levels, gastrointestinal motility, and biomarkers before transmitting data wirelessly to smartphones or tablets. The technology enables healthcare providers to monitor chronic diseases, ensure medication compliance, and conduct post-surgical monitoring without invasive procedures. The ingestible sensors market is projected to grow from $986.2 million in 2025 to over $1.7 billion by 2032 at an 8.1% compound annual growth rate. However, the technology faces challenges including high costs, data privacy concerns, and regulatory barriers, with the FDA approving only a few ingestible sensor products under strict guidelines. Source: Technowize

Enforcement

  • The Department of Justice established the Enforcement & Affirmative Litigation Branch within its Civil Division to consolidate enforcement efforts targeting public health and safety violations. The new branch contains two sections: an Enforcement Section that will pursue cases under the Controlled Substances Act, Food Drug and Cosmetic Act, and Federal Trade Commission Act, and an Affirmative Litigation Section that will sue states, municipalities, and private entities that obstruct federal policies. DOJ identified two priorities for the branch: targeting pharmaceutical companies, health care providers, and medical associations regarding gender transition claims, and ending sanctuary jurisdiction laws that impede federal immigration enforcement. The reorganization coincides with the FDA’s September 9, 2025 announcement of a crackdown on deceptive drug advertising and the winding down of the Consumer Protection Branch. The restructuring does not expand DOJ’s statutory powers but centralizes certain consumer protection matters and enforcement priorities. Source: Epstein Becker Green

Fraud & Abuse

  • The Trump Administration expanded False Claims Act enforcement beyond traditional healthcare and defense contracting into new areas including trade fraud, civil rights violations, and gender-related medical treatments during fiscal year 2025. The Department of Justice secured settlements exceeding $500 million in healthcare cases, including $98 million from a Medicare Advantage provider for inflated risk scores, $60 million from a pharmaceutical company for kickbacks, and $350 million from Walgreens for filling invalid opioid prescriptions. The DOJ launched the Civil Rights Fraud Initiative targeting universities and organizations that allegedly violate civil rights laws while receiving federal funding, and created a Trade Fraud Task Force with Homeland Security to pursue customs duty evasion cases. Government contractors faced over $20 million in cybersecurity-related settlements for failing to meet federal security requirements. The administration continues pursuing Paycheck Protection Program fraud cases under the extended 10-year statute of limitations, with settlements including $21.6 million from three foreign-owned companies. Source: Mayer Brown
  • Accountable care organizations report detecting fraud in Medicare skin substitute treatments that cost individual patients over $600,000 in 2025. Six doctor groups are seeing higher rates of spending on skin substitutes this year compared to 2024, with one case exceeding $2 million per patient. The Centers for Medicare and Medicaid Services estimates Medicare spent $10 billion on these treatments last year and has proposed reducing reimbursement from $2,000 per square centimeter to around $125, with a final decision expected in November. The accountable care organizations first alerted CMS to the possible fraud two years ago but say the agency is not moving fast enough to address the problem. The wound care industry is fighting the proposed payment reductions through the MASS Coalition, arguing the changes will not help crack down on fraud. Source: POLITICO
  • A federal court ordered Humana to pay $90 million to the government following the first whistleblower settlement involving Medicare prescription drug contracting fraud. Former Humana actuary Steven Scott alleged the company submitted fraudulent bids to the Centers for Medicare & Medicaid Services for Part D contracts from 2011 to 2017, maintaining two sets of books while providing coverage below required levels. The court also ordered Humana to pay $32 million in attorney fees to Scott’s legal team, while Scott received $26.1 million as his whistleblower share, equivalent to 29% of the government settlement. Humana did not admit liability in the agreement and said it settled to avoid litigation costs. The Department of Justice declined to intervene in the case, which centered on allegations that Humana’s “basic Walmart Plan” was not actuarially equivalent to required standards despite the company’s certifications to CMS. Source: Healthcare Innovation

HIPAA

  • The Office for Civil Rights reached a $182,000 settlement with Cadia Healthcare Facilities for posting patient success stories online without proper HIPAA authorization. On September 30, 2025, OCR announced the settlement with five Delaware rehabilitation and nursing facilities for violating HIPAA Privacy and Breach Notification Rules. Cadia compromised the protected health information of 150 patients by posting their names, photographs, and treatment details on the company’s public website through a success story program. The settlement requires Cadia to implement a two-year Corrective Action Plan, review compliance policies, train staff, and ensure no PHI appears on websites or marketing materials. This enforcement action follows similar cases, including a 2016 settlement with Complete P.T. for $25,000 over patient testimonials posted without authorization. Source: Mintz
  • Reid Health agreed to settle a class action lawsuit over allegations it used Meta Pixel tracking tools that disclosed patients’ protected health information without consent. The lawsuit, Jane Doe v. Reid Health, claimed the Richmond-based healthcare provider impermissibly shared patient data with third-party technologies through website tracking tools that collect information about user interactions, web pages visited, and searches performed. Reid Health denied any wrongdoing but chose to settle rather than face the costs and risks of continued litigation. Under the settlement terms, class members can claim a $25 cash payment and receive automatic enrollment in a medical shield product that protects against personal information misuse. Class members have until October 25, 2025, to object to the settlement, with claims due by December 24, 2025, and a final fairness hearing scheduled for December 9, 2025. Source: HIPAA Journal

Joint Ventures

Medicare Reimbursement

  • The Centers for Medicare & Medicaid Services issued final guidance for the 2028 implementation of the Inflation Reduction Act’s Drug Price Negotiation Program, marking the last year the agency must implement the program through guidance rather than rulemaking. The guidance establishes policies for Part B drugs to be selected for price negotiation for the first time, alongside Part D drugs, with CMS planning to select 15 drugs from the 50 highest-spending drugs in each category. CMS finalized most proposals but reversed course on treating certain fixed combination drugs as distinct qualifying single source drugs and will now include Medicare Advantage expenditure data in selection calculations. The agency shortened the negotiation timeline for 2028, giving manufacturers only six weeks for meetings instead of the previous two months. CMS concurrently issued revised Information Collection Request forms for small biotech exceptions and biosimilar delay requests, with public comments due by October 30, 2025. Source: Hogan Lovells

Mergers & Acquisitions

  • Healthcare transaction activity showed mixed results in early 2025 as political uncertainty and federal policy changes disrupted deal momentum. Deal values declined in the second quarter despite volume increases, with tariff threats and federal changes creating market uncertainty that caused investors to pull back. Dental practices dominated physician group transactions, accounting for over half of all deals in the first six months, while e-health transactions jumped from 124 deals in 2024 to 160 deals in the same 2025 period. Behavioral health deals increased from 34 to 54 transactions during the same timeframe, and hospital transactions cooled after elevated activity in 2024. Non-private equity investment reached 200 deals in the second quarter of 2025, marking the first time this threshold was crossed in 18 months. Source: CLA

Regenerative Medicine

  • The FDA issued draft guidance on September 20, 2025, establishing expedited review pathways for regenerative medicine therapies targeting serious conditions. The guidance will replace earlier FDA guidance from February 2019 and outlines how sponsors can utilize streamlined review processes for cell and gene therapies and other regenerative medicine products. The FDA has received almost 370 Regenerative Medicine Advanced Therapy (RMAT) designation requests as of September 2025 and approved 184, with 13 RMAT-designated products receiving marketing approval as of June 2025. The guidance emphasizes long-term safety monitoring for regenerative therapies and encourages sponsors to use digital health technologies for safety data collection and real-world evidence to support accelerated approval applications. The FDA is accepting public comments on the draft guidance through November 24, 2025. Source: Holland & Knight

Reproductive Rights

  • Texas Attorney General Ken Paxton announced the arrest and indictment of eight people connected to a Houston-area midwife for practicing medicine without a license. At least one of the eight individuals is also accused of performing an abortion, while the midwife Maria Margarita Rojas, 49, was previously charged in March with 15 felony counts including performance of an abortion and 12 counts of practicing medicine without a license. Rojas was the first person charged under the Texas Human Life Protection Act, and Paxton emphasized that some of the defendants include foreign nationals. Rojas’ attorney and the Center for Reproductive Rights are defending her, calling the case a sham and noting that her clinics served low-income, uninsured immigrants before being shut down. Texas law permits abortions only when a pregnant person faces risk of death or serious physical impairment, with providers facing penalties of at least $100,000, loss of medical licenses, and prison time for violations. Source: CNN
  • The US Court of Appeals for the Fifth Circuit dismissed an appeal that effectively ends HIPAA privacy protections for reproductive healthcare records. The court dismissed the appeal on September 10, 2025, following a June 2025 ruling in Purl v. Department of Health & Human Services that vacated provisions of the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The rule provided protection to protected health information related to reproductive healthcare services. The Biden Administration implemented the rule to protect reproductive healthcare records from disclosure following the 2022 Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization. The dismissal signals the conclusion of the Purl case and the end of these privacy protections. Source: American Bar Association
  • States are enacting reproductive health data privacy laws after a federal court struck down HIPAA protections. A Texas federal judge overturned the Reproductive Health Care Privacy rule in June 2025, which had amended HIPAA to impose restrictions on the use and disclosure of reproductive health information for criminal or administrative investigations. California, Washington, Virginia, and New York have implemented or are implementing their own laws that extend beyond traditional healthcare entities to cover fitness trackers, retailers, and tech companies that process health-related data. These state laws require explicit consent before collecting or sharing reproductive health information and impose penalties ranging from $2,500 per violation in Virginia to $250,000 per willful violation in California. The laws apply to organizations that may not consider themselves healthcare-oriented, including digital health companies, data brokers, and companies using geolocation data. Source: Troutman Pepper Locke

Tariffs & Taxation