Author: WadeEmmert

AI in Healthcare

• A new American Medical Association survey reveals that physician acceptance of AI in healthcare has increased, with 35% now showing enthusiasm compared to 30% in 2023. The adoption rate of AI tools among physicians has jumped from 38% to 66% between 2023 and 2024. The survey, conducted from August 2023 to November 2024, found that 57% of physicians view AI’s potential to reduce administrative tasks as a key benefit. Physicians prioritize data privacy (87%), feedback channels (88%), and EHR integration (84%) for AI implementation.
• Colorado’s new Artificial Intelligence Act will take effect on February 1, 2026, requiring healthcare providers to prevent algorithmic discrimination in AI systems that make consequential decisions about patient care. The law mandates that organizations using high-risk AI systems implement risk management policies, conduct impact assessments, and provide transparency about AI usage to patients. Healthcare providers must notify individuals before AI makes consequential decisions and allow appeals for adverse outcomes, while the Colorado Attorney General holds exclusive enforcement authority. Organizations with fewer than 50 employees who don’t train their own AI models are exempt from many compliance requirements, though the law’s reach extends to any business serving Colorado residents.

Antitrust

• President Trump’s return to the White House signals a shift in antitrust enforcement approach for private equity firms. The administration has appointed Andrew Ferguson as FTC chair and nominated Gail Slater to lead the DOJ’s antitrust division, replacing Lina Khan and Jonathan Kanter respectively. The Trump administration is expected to be more accepting of negotiated settlements and divestitures involving private equity, moving away from the Biden administration’s stricter stance on merger enforcement and roll-up acquisitions. While antitrust scrutiny will continue, particularly in Big Tech and healthcare sectors, new HSR premerger notification rules taking effect in February 2025 will require closer monitoring of interlocking directorates. PE firms must maintain compliance protocols for board appointments as the new HSR form enhances the ability to detect potential violations of Section 8 of the Clayton Act.
• States are taking a more active role in healthcare antitrust enforcement through state-level transaction notification regimes known as “Baby HSRs” or “Mini HSRs.” These state regulations impose requirements on healthcare transactions that may fall below federal HSR Act thresholds, with states implementing additional scrutiny for private equity involvement in healthcare deals. States cite concerns that profit motives could reduce quality of care as justification for increased oversight of private equity transactions. The regulations vary by state, with some imposing more stringent requirements than federal rules, and many states continue to implement or expand their healthcare transaction approval processes.

Biometric Data

• Three states in the U.S. – Illinois, Texas, and Washington – have established laws to regulate biometric data collection and usage. Illinois’ BIPA stands as the strictest law, requiring written notice, explicit consent, and public data retention schedules, while allowing individuals to file lawsuits for violations. Texas’ CUBI and Washington’s statute mandate notice requirements and data protection measures but do not permit private lawsuits. Organizations must comply with these regulations when collecting biometric data such as facial features, voice patterns, and fingerprints, while implementing security measures to protect this information.

Drugs & Devices

• A Texas judge ordered Dr. Maggie Carpenter to pay over $100,000 in penalties for prescribing abortion pills via telemedicine to a woman near Dallas. New York Governor Kathy Hochul rejected Louisiana’s request to extradite Carpenter, who faces criminal charges in Louisiana for prescribing abortion pills to a minor. The Texas ruling includes an injunction preventing Carpenter from prescribing abortion medication to Texas residents, while Louisiana’s case marks the first criminal charges against a doctor for prescribing abortion pills across state lines. Both cases will test New York’s shield law, which protects doctors who prescribe abortion medication to states where abortion is restricted.
• Texas convenience stores are selling synthesized Kratom products containing 7-Hydroxymitragynine, a substance that acts like opioids in the brain. While natural Kratom has been used traditionally in Southeast Asia, companies are now creating concentrated pills that are 97% pure 7-OH, far exceeding the 2% limit set by Texas law. The Texas Kratom Consumer Protection Act outlaws these synthetic versions, but state officials are not enforcing the regulations. The Global Kratom Coalition reports 24 million Americans use Kratom, though the synthesized versions sold in stores can lead to addiction and withdrawal symptoms.
• The FDA has published final guidance on communications about unapproved uses of approved medical products on January 6, 2025. The guidance defines SIUU communications as firm-initiated exchanges with healthcare providers about scientific information on unapproved uses, requiring specific disclosures and source publications. The document clarifies what constitutes “scientifically sound” studies, removes requirements for plain language, and provides new rules about separating promotional from scientific communications. The guidance also addresses “calls to value,” prohibiting communications that pre-judge product benefits while allowing those that present scientific information for clinical decision-making. The FDA maintains core policies while requiring firms to update their internal procedures to align with the new guidance.
• The FDA has issued its first guidance on using artificial intelligence models in drug development and regulatory submissions, with a public comment period open through April 7. The guidance introduces a seven-step risk-based framework for assessing AI model credibility, covering nonclinical, clinical, postmarketing, and manufacturing phases while excluding drug discovery and operational efficiencies. FDA recommends implementing life cycle maintenance plans to monitor AI models’ ongoing performance and ensure they remain suitable for their context of use. The guidance emphasizes early engagement with FDA through various programs like the Center for Clinical Trial Innovation and the Complex Innovative Trial Design Meeting Program. President Trump signed an executive order on January 23 to remove barriers to AI leadership, rescinding previous Biden administration restrictions on AI development.

Fraud & Abuse

• Healthcare fraud schemes are increasingly using AI to generate false claims and clone medical records, with losses representing 3% of total healthcare expenditures, amounting to $144 billion annually based on 2023’s $4.8 trillion U.S. health spending. Healthcare organizations are implementing both supervised and unsupervised machine learning models to detect fraud patterns and suspicious billing behaviors. The technology helps special investigation units identify emerging fraud schemes more quickly than traditional rules-based systems. Health plans are advised to use AI as a complement to human expertise while implementing strategies such as cross-plan data analysis and verification of member tips.
• The Department of Justice charged 193 defendants, including 76 medical professionals, in health-care fraud schemes totaling $2.75 billion in intended losses and $1.6 billion in actual losses during the 2024 National Health Care Fraud Enforcement Action. The fraud cases involved wound grafts, unlawful prescriptions, telemedicine schemes, and laboratory fraud, with Medicare Advantage insurers allegedly overcharging CMS by $83 billion in 2024. The DOJ plans to continue prioritizing enforcement of opioid-related crimes, unnecessary services, substandard care, and Covid-19 fraud cases. Despite potential changes under the Trump administration, health-care fraud enforcement will likely remain a priority due to its revenue generation for the government. In response, physicians are increasingly moving to cash-based practices to avoid regulatory burdens, though those accepting federal plans must maintain compliance systems and seek legal counsel for business arrangements.

Pharma

• The Department of Health and Human Services has postponed the effective date of modifications to NCPDP Retail Pharmacy Standards and Medicaid Pharmacy Subrogation Standard to April 14, 2025. The delay follows President Trump’s January 20 memorandum calling for a regulatory freeze pending review, with Acting Secretary Dorothy A. Fink citing the need to review questions of fact, law, and policy. The final rule updates standards for electronic healthcare transactions, including claims, eligibility, authorization, and benefits coordination. The postponement will affect the compliance timeline, pushing the full compliance date beyond February 2028, and allows time to correct an error in the transition period calculation that was originally set to begin August 11, 2027, but should have been June 11, 2027. The HHS has waived notice and comment requirements, making the delay effective immediately upon Federal Register publication.

Private Equity

• A report released by federal agencies analyzing over 2,000 public comments reveals concerns about healthcare industry consolidation and private equity investment. The report identifies issues including higher prices from provider consolidation, quality reductions in PE-backed transactions, and PE firms controlling up to 50% of physician practices in some metropolitan areas. Studies show PE acquisitions correlate with safety issues and reduced quality in healthcare facilities, while physicians report concerns about understaffing and restricted referrals. In response, Massachusetts passed legislation in 2025 granting new powers to review healthcare transactions involving PE firms, though the federal agencies’ continued focus on PE may shift under the Trump administration.
• Private equity firms were connected to 56% of large corporate bankruptcies across industries in 2024, with healthcare showing a particularly high rate. Of eight major healthcare bankruptcies with liabilities over $500 million, seven involved companies with private equity ownership history. The healthcare sector’s 21% rate of private equity-related bankruptcies exceeded the broader economy’s 11% rate and matched 2023 levels. The Private Equity Stakeholder Project reports these bankruptcies can result in healthcare facility closures and disrupted patient care. Valentina Dabos from PESP emphasizes these trends raise concerns for policymakers, investors, and consumers.
• Healthcare mergers and acquisitions are expected to increase in 2025 as inflation eases and interest rates decline. Private equity transactions with physician practices typically involve a combination of cash payment and rollover equity through management services organizations, with rollover equity potentially comprising up to 40% of deal value. While orthopedic and spine surgery groups have historically resisted private equity investment due to their profitable ancillary services, this resistance is weakening except among mega-groups. Transaction success requires broad stakeholder support, experienced advisors, regulatory compliance, and careful structuring of tax treatment and indemnification terms. Generational differences often emerge in these deals, as older physicians typically receive larger portions of purchase price while younger doctors face career-long relationships with financial investors.
• The Senate Budget Committee and HHS released reports in January 2025 examining private equity ownership in healthcare. The reports identified concerns including reduced care quality, facility closures, higher costs, understaffing, and lack of ownership transparency. HHS proposed new oversight measures including expanded transparency requirements, lower merger reporting thresholds, and increased enforcement against hospital consolidation. The reports recommend PE firms maintain compliance through monitoring regulations, documenting quality metrics, and implementing strong compliance programs. The impact of these potential changes under the Trump administration remains uncertain.

Telehealth

• Healthcare technology trends in 2025 include a shift in telehealth usage to focus on behavioral health and specialist care. Hospitals are expanding AI applications through dedicated centers and AI scribes, while implementing LiDAR sensors and wearable devices for patient monitoring. Remote patient monitoring and hospital-at-home programs continue to grow as medical centers face staffing challenges. Cybersecurity remains critical after ransomware attacks doubled in 2024, affecting over 1,000 U.S. hospitals and prompting healthcare organizations to strengthen their security measures and vendor oversight. AI tools are being developed to detect network breaches and automate tasks like appointment scheduling and medical billing.

Ambulatory Surgery Centers

• United Surgical Partners International, Surgical Care Affiliates, and Amsurg Corporation lead the ambulatory surgery center market with 520, 320, and 250 centers respectively. CMS approved 21 new procedures for ASC coverage in 2025, focusing on dental and regenerative therapy services, while implementing a 2.9% Medicare payment increase. Major consolidation occurred through acquisitions and partnerships, with USPI acquiring 45 new centers including Covenant Physician Partners, though 67% of ASCs remained independent. Several states reformed Certificate of Need laws, with North Carolina and Tennessee planning full repeals for ASCs by 2025 and 2027 respectively, while Georgia introduced exemptions for single-specialty centers. The migration of high-acuity procedures to ASCs continued, with Surgery Partners reporting a 50% increase in total joint cases, while lower-acuity procedures moved to office-based settings.

Cybersecurity & Ransomware

• The Trump administration has indefinitely suspended all meetings of the Health Information Technology Advisory Committee (HITAC). The committee, established by the 21st Century Cures Act in 2016, consists of 25 members who recommend policies and standards for healthcare data and technologies to the federal government. The Trump administration has also paused other health agency communications and removed certain healthcare data from federal websites.
• Several healthcare organizations faced ransomware attacks in January 2025, including New York Blood Center Enterprises which affected locations across multiple states, and Frederick Health in Maryland which disrupted IT systems and led to patient diversions. Matagorda County, Texas experienced a network outage due to a cyberattack, while Texas Tech University Health Sciences Center disclosed a ransomware attack affecting 533,874 individuals. Despite these incidents, blockchain analysis firm Chainalysis reported a 35% decrease in ransom payments in 2024 compared to 2023, attributing this decline to increased law enforcement action and more victims refusing to pay.
• The HHS Office for Civil Rights has proposed new cybersecurity measures for healthcare providers under HIPAA, including mandatory vulnerability scanning every 6 months and expanded annual risk analyses. Healthcare providers must implement cybersecurity protections through staff training, limited access controls, and strong password protocols to prevent data breaches. New regulations require signed attestations for reproductive health information disclosures, with additional privacy protections becoming mandatory by February 16, 2026.

Emerging Technology

• Healthcare law in 2025 will focus on four key areas of technological advancement and regulation. AI implementation in healthcare requires new legal frameworks to address risks, errors, and biases, while HIPAA and HITECH compliance becomes critical for protecting patient data against cyberattacks. Telehealth expansion drives changes in licensing requirements and reimbursement policies, while the healthcare industry continues its shift from fee-for-service to value-based care models following the ACA’s implementation. These changes necessitate new regulations for data-sharing, antitrust considerations, and risk-sharing arrangements to protect both patients and healthcare professionals.
• Healthcare providers currently use AI for tasks including disease diagnosis, chart preparation, and treatment planning. The technology presents legal risks in four main areas: HIPAA privacy violations when using public-facing AI platforms, malpractice concerns in the informed consent process, uncertainty about liability when AI recommendations lead to incorrect treatments, and potential billing errors that could trigger false claims allegations. Healthcare providers must maintain human oversight of AI systems and cannot use AI reliance as a defense against malpractice claims, while failure to use available AI technology could also create liability risks. Doctors must disclose AI use to patients during the informed consent process and ensure all AI systems comply with HIPAA requirements.
• Healthcare systems have transformed to prioritize patient accessibility through technology-enabled solutions. Remote consultations, online prescriptions, and digital platforms now allow patients to receive care without disrupting their routines. Healthcare providers maintain safety through strict regulatory compliance and secure technology for patient data protection. Artificial intelligence and wearable devices enable real-time monitoring and early detection of health risks, while electronic health records improve communication between medical professionals. The integration of these technologies creates a healthcare system that balances convenience with quality care standards.
• AI is being used in healthcare for tasks including disease diagnosis, chart preparation, pre-authorization, and treatment planning. Healthcare providers must ensure AI systems meet HIPAA requirements and avoid using public-facing AI platforms that could compromise patient privacy. Doctors remain liable for malpractice even when using AI for diagnosis and treatment recommendations, and must disclose AI use to patients during the informed consent process. The technology can create liability for coding and billing errors if incorrect recommendations are followed.

Fraud & Abuse

• Phoenix couple pleaded guilty to orchestrating a $1.2 billion healthcare fraud scheme through their companies Apex Medical LLC and Viking Medical Consultants LLC from November 2022 to May 2024. The couple used untrained sales representatives to target elderly and terminally ill patients in care facilities, ordering unnecessary wound grafts and submitting fraudulent claims to Medicare and other insurers. Their scheme resulted in actual payments of $614 million from federal and private healthcare programs, with $279 million in kickbacks from an allograft distributor. The couple was arrested at Phoenix Sky Harbor International Airport while attempting to flee to London, and they now face up to 20 years in prison and must pay restitution exceeding $600 million each.
• A federal district court in Florida ruled on September 30, 2024, that the False Claims Act’s qui tam provision is unconstitutional in the case of U.S. ex rel. Zafirov v. Florida Medical Associates LLC. The Department of Justice reported that whistleblowers filed 712 qui tam suits in fiscal year 2023, resulting in $2.3 billion in settlements and judgments. The court determined that relators act as “Officers” of the United States executive branch without proper appointment under Article II of the Constitution. The case will likely be appealed to the 11th Circuit Court and may reach the Supreme Court, as Justice Thomas has previously expressed concerns about qui tam provisions. If upheld, this ruling could limit private parties’ ability to pursue fraud cases on behalf of the government, potentially reducing the number of enforcement actions due to government resource constraints.

Gender-Affirming Care

• Texas Attorney General Ken Paxton has sued three doctors – Dr. May Lau, Dr. Brett Cooper, and Dr. Hector Granados – for allegedly providing gender-affirming care to transgender minors. Lau and Cooper entered Rule 11 agreements in January that prevent them from practicing medicine on patients while allowing them to continue research and academic work, while Granados is under a court-ordered temporary injunction. The lawsuits stem from Senate Bill 14, which prohibits medical providers from providing gender-affirming care to trans minors in Texas, though treatment remains legal for cisgender patients. The Texas Medical Board can revoke licenses of physicians who violate the ban, though doctors may continue treating existing patients to safely discontinue prescriptions.

HIPAA

• The U.S. Department of Health and Human Services announced new HIPAA security rules taking effect March 7, 2025. The updates remove the distinction between “required” and “addressable” standards, making all security measures mandatory with limited exceptions. The changes mandate encryption for all electronic protected health information, require multi-factor authentication, and establish requirements for vulnerability scanning and penetration testing. Healthcare organizations and their business associates must comply with these rules or face penalties up to $50,000 per violation with a maximum of $1.9 million per year, plus potential jail time of 1-10 years. Human error remains the leading cause of healthcare data breaches at 76%, highlighting the need for these enhanced security measures.
• HIPAA-regulated entities must report 2024 data breaches affecting fewer than 500 individuals to the HHS Office for Civil Rights by March 1, 2025. The HIPAA Breach Notification Rule requires entities to notify affected individuals within 60 days of breach discovery, with breaches affecting 500 or more residents requiring additional media notifications. For smaller breaches affecting fewer than 500 individuals, organizations can submit reports annually through the OCR data breach portal, with each breach reported separately. Business associates must notify covered entities of breaches within 60 days, though covered entities can delegate notification responsibilities back to their business associates while retaining ultimate responsibility for compliance. Failure to meet these deadlines may result in financial penalties for non-compliance.

Physician Fee Schedule

• The Medicare Physician Fee Schedule for 2025 introduces a conversion factor decrease to $32.3465, representing a 2.83% reduction from 2024. The Medicare Economic Index projects a 4.9% increase in practice costs while payments decline, creating financial pressure on healthcare providers. Care management services see notable increases, with chronic care management codes rising 8-15% and new behavioral health integration codes gaining 12-18%. Geographic Practice Cost Indices show significant adjustments in major metropolitan areas, with San Francisco maintaining the highest PE GPCI at 1.842. The MIPS program maintains its 75-point threshold with potential penalties reaching 9% for underperformers, while high performers can receive bonuses averaging 1.31%.

Data Privacy

• Data breach incidents in 2024 affected 1.7 billion individuals, marking a 312% increase from 2023 despite a 1% decrease in total breaches. Six major breaches accounted for 85% of all notices, including Change Healthcare with 190 million records. Cyberattacks caused 80% of all data compromises, with four of the largest breaches resulting from lack of multifactor authentication. While 40% of states now have comprehensive data privacy laws, with eight more taking effect in 2025, the U.S. still lacks federal data privacy legislation.
• The FDA and CISA have identified security vulnerabilities in patient monitors that could allow unauthorized access and manipulation of the devices. Certain monitors, which display patient vital signs in healthcare and home settings, contain a hidden backdoor in their software that enables cybersecurity controls to be bypassed and patient data to be accessed. The FDA has not identified any incidents related to these vulnerabilities but advises disconnecting affected devices from the internet and using local monitoring features only. Healthcare facilities must unplug and stop using devices that rely on remote monitoring, as no software patch exists to address these risks. The warning comes as healthcare data breaches have increased by 100% from 2018 to 2023, with the number of affected individuals rising by 1000%.

Dental

• Dental plans distinguish between non-covered services and disallowed services in their payment policies. Non-covered services are those not included in a patient’s dental plan due to limitations or exclusions, while disallowed services are covered procedures that the plan refuses to pay for due to deficiencies or improper execution. Participating dentists must follow fee schedule limits even for non-covered services and file claims unless patients pay out-of-pocket and request no filing under HIPAA rules. When services are disallowed, dentists cannot bill patients or retain payments, though they may contest these determinations through their participation agreements. HIPAA allows patients to prevent claim filing by paying in full and making a written request.

Fraud & Abuse

• The U.S. Department of Justice recovered $1.67 billion in healthcare fraud settlements in 2024, with major developments including a new whistleblower program targeting private insurer fraud. The DOJ launched increased scrutiny of private equity and venture capital firms in healthcare, examining their influence on portfolio companies and patient care. The Civil Cyber Fraud Initiative secured $14 million in settlements related to cybersecurity violations, while the FDA strengthened its focus on medical device cybersecurity through new guidance documents and enforcement actions. The government expanded whistleblower incentives with rewards up to 30% of recovered funds for the first $100 million, signaling continued emphasis on fraud detection and prevention.

Healthcare Delivery

• The United States faces a physician shortage of 50,000 doctors, with projections indicating this number could reach 80,000 by 2035. The shortage affects multiple specialties, with cardiology expected to experience a 17% deficit by 2035, while thoracic surgery and ophthalmology face potential deficits of 31% and 30% respectively. The situation in cardiology appears particularly concerning as 54% of general cardiologists are 55 or older, compared to 38-40% of primary care providers in the same age range. Training new physicians requires 12 or more years of education, making immediate solutions difficult. AMN Healthcare’s report suggests focusing on workforce management and improving working conditions to retain existing physicians.
• Amazon has partnered with Teladoc Health to expand its healthcare offerings, including virtual care and chronic condition management through its Health Benefits Connector. Walmart has launched same-day pharmacy delivery across 49 states, integrating pharmacy, merchandise, and grocery into a single online order with 15,000 pharmacists nationwide. AWS has partnered with General Catalyst to develop AI-driven healthcare solutions, while also expanding its collaboration with Booz Allen Hamilton for government technology solutions. Walmart plans to launch a drone delivery system at its Kaufman, Texas location through a $750,000 project with Alphabet’s Wing. The companies continue to compete through technological innovation, with Amazon projecting double-digit revenue growth over the next five years.
• Dr. Margaret Daley Carpenter, a New York doctor and co-founder of the Abortion Coalition for Telemedicine, was indicted by a Louisiana grand jury for prescribing abortion medication via telehealth to a woman in Louisiana. The case marks the first criminal charges against a physician for prescribing abortion medication to a patient in a state where they don’t practice and will test New York’s shield law, which protects providers from out-of-state prosecutions. Louisiana, which bans abortion except in cases of rape and incest, classified abortion medications as Schedule IV controlled substances last year. New York Governor Kathy Hochul has stated she will not comply with any extradition requests from Louisiana, while Attorney General Letitia James condemned the charges.

HIPAA

• The U.S. Department of Health and Human Services has proposed new HIPAA Security Rule updates through a Notice of Proposed Rulemaking that will affect group health plans and their sponsors. The updates require plan documents to explicitly connect safeguards to provisions applying to covered entities and business associates, while mandating sponsors report security incidents within 24 hours of contingency plan activation. Plan sponsors must amend existing documents to reflect these changes, though many may already have compliant procedures in place. HHS is seeking input on implementation deadlines and potential transition periods for document amendments, with future updates expected to address encryption, multi-factor authentication, and administrative controls.

Hospice

• The U.S. hospice care industry faces significant transformation as private equity firms acquire providers, with nearly three-quarters now under for-profit ownership. The number of Americans aged 65 and older will increase 47% to 82 million by 2050, intensifying demand for hospice services. For-profit ownership has led to challenges including staff burnout, reduced care quality, and increased billing issues, while workforce shortages limit access to services. Non-profit organizations are positioned to address these challenges through integration with broader healthcare systems, increased collaboration between providers, and adoption of new technologies like AI and telehealth. The industry must focus on improving quality standards and accessibility while maintaining the core mission of providing comprehensive end-of-life care.

Innovative Technology

• The FDA issued draft guidance on January 7, 2025, establishing a framework to assess AI model credibility in drug and biological product development. The guidance outlines a 7-step process for evaluating AI models throughout the drug product lifecycle, including defining questions of interest, determining context of use, assessing risks, developing credibility plans, executing plans, documenting results, and determining model adequacy. The framework requires sponsors to provide detailed documentation about model development, training data, and evaluation processes while emphasizing ongoing performance monitoring. The FDA is accepting public comments until April 7, 2025, and encourages early engagement with organizations on AI credibility assessment.
• German researchers have developed a method to repair heart damage using stem cells, with trials showing results in both primates and humans. The heart contains specialized muscle cells called cardiomyocytes which stop dividing after maturity, meaning damage from injury or infection becomes permanent. Blocked blood vessels can kill these cells, leading to reduced heart function and death. Scientists attempted to address this by converting induced pluripotent stem cells into cardiomyocytes and injecting them into damaged hearts, though initial animal experiments showed mixed results.
• Proposed House Bill 2298, relating to a health care facility grant program supporting the use of artificial intelligence technology in scanning medical images, would establish a grant program in Texas to support health care facilities in utilizing artificial intelligence (AI) technology for cancer detection through medical imaging. Eligible applicants include hospitals and federally qualified health centers within the state. The program, administered by a commission, requires applicants to provide matching funds and submit a detailed plan for AI technology use, including physician oversight and scanning capacity. Grants, limited to $250,000, are awarded annually to no more than five recipients. Recipients must report on the effectiveness of AI in cancer detection within a year.

Insurance & Reimbursement

• California enacted the Physicians Make Decisions Act in September 2024, prohibiting health insurers from using AI alone to deny medical claims based on medical necessity. The law, which took effect January 1, requires physician oversight for medical necessity decisions while still allowing insurers to use AI tools under specific guidelines and state inspection requirements. The legislation comes amid class action lawsuits against Cigna and United Healthcare for allegedly using AI to deny physician-approved claims. While the Act makes violations a crime, providers cannot enforce it directly but may pursue remedies through other state laws, and other states are expected to follow with similar legislation.

Medicaid

• In Texas, where postpartum Medicaid coverage was extended from 2 months to 12 months in 2023, implementation has faced significant challenges. The program now covers more than 265,000 pregnant and postpartum Texans, but many patients remain unaware of their extended benefits and struggle to access care. Texas healthcare providers report confusion about the new coverage rules, with many doctors learning about the changes through billing departments rather than official communications. The state’s recent removal of people from Medicaid rolls has complicated matters further, with many postpartum women having to fight to reinstate their coverage. Structural issues like provider shortages and limited mental health screening coverage continue to hinder access to care under the expanded program.

Private Equity

• Private equity firms have invested hundreds of billions of dollars in healthcare over the past 15 years, leading to increased scrutiny from the Department of Justice under the False Claims Act. PE firms typically use leveraged buyouts to purchase companies, leaving portfolio companies with substantial debt burdens that can complicate FCA enforcement and recoveries. The DOJ has two main options for addressing fraud in PE-owned healthcare companies: pursuing fraudulent transfer claims under the Federal Debt Collection Procedures Act and targeting individual liability, particularly former owners who received cash payouts during buyouts.

Antitrust & Competition

• The Federal Trade Commission has reached a settlement with private equity firm Welsh, Carson, Anderson & Stowe over U.S. Anesthesia Partners’ market consolidation in Texas. USAP, which operates in 700 facilities with 4,500 clinicians nationwide, acquired multiple anesthesia practices in Dallas between 2014 and 2016, gaining control of 40-50% of the market. The settlement prohibits Welsh Carson from increasing its ownership stake in USAP, limits board representation, and requires FTC notification for future healthcare acquisitions. In a related case, USAP faced similar restrictions in Colorado, where it controlled 86.7% of inpatient surgeries by 2021, leading to a $200,000 settlement and contract divestitures.
• With President Trump taking office and Andrew Ferguson becoming FTC Chair, significant changes are coming to healthcare antitrust enforcement. The Biden administration took an aggressive approach to healthcare antitrust enforcement, challenging mergers, investigating pharmacy benefit managers, and withdrawing previous policy guidance. The Trump administration is expected to continue scrutiny of healthcare industry concentration and PBMs while potentially reinstating clearer guidance for businesses. States like California will maintain their own strict healthcare antitrust enforcement regardless of federal changes. New FTC Chair Ferguson has indicated openness to reforming rather than completely rescinding the 2023 merger guidelines.
• The Federal Trade Commission released a Second Interim Staff Report on January 15, 2025, revealing that prescription drug spending rose from $393 billion in 2016 to $600 billion in 2023. The report found that pharmacies affiliated with the three largest Pharmacy Benefit Managers (PBMs) received 68% of specialty drug revenue in 2023, with markups reaching over 1,000% on some medications. The investigation uncovered that affiliated pharmacies generated $7.3 billion in revenue above acquisition costs, while PBMs earned $1.4 billion through spread pricing practices. The FTC plans to continue its investigation, particularly focusing on potential violations of the Robinson-Patman Act, while states consider additional PBM regulations. The Commission concluded that specialty generic drugs have increasing financial importance and require further investigation into pricing practices.

Emerging Technologies

• The Office for Civil Rights published a final rule on May 6, 2024, regulating the use of AI and other patient care decision support tools in healthcare settings. The rule applies to recipients of federal financial assistance, HHS, and entities under the Affordable Care Act, requiring them to identify and mitigate discrimination risks in their use of these tools. A January 10, 2025 “Dear Colleagues” letter provides guidance on compliance, including requirements for risk identification through methods like AI registries and vendor information gathering. The general prohibition on discrimination took effect July 5, 2024, while requirements for risk identification and mitigation will begin May 1, 2025. A nationwide injunction currently stays enforcement of portions related to gender identity discrimination.
• President Trump has rescinded the Biden administration’s executive order on AI safety, halting requirements for company safety testing reports while existing recommendations and research initiatives remain in place. The Trump administration is pursuing a $100 billion partnership with OpenAI, SoftBank, and Oracle for technology infrastructure development, while maintaining Biden’s executive order on data centers. Industry experts are divided on the implications, with some concerned the move will weaken AI safety efforts globally, while others see opportunities for companies to establish rules under new leadership. Congress and state legislatures continue working on AI legislation as the U.S. approach to AI regulation shifts.

Cybersecurity & Ransomware

• A new report shows that 84% of healthcare organizations detected cyberattacks on their infrastructure in the past year. Phishing emerged as the primary threat for on-premises systems, while account compromise affected 74% of healthcare organizations in cloud environments. The attacks led to financial losses for 69% of healthcare organizations, exceeding the cross-industry average of 60%. The consequences included leadership changes in 21% of cases and legal action in 19% of affected healthcare organizations, both rates higher than the 13% average across other industries.
• The cyberattack on Change Healthcare in February 2024 compromised the data of more people than originally thought. The ALPHV/BlackCat ransomware gang claimed responsibility for the attack, which disrupted over 100 healthcare applications and impacted thousands of pharmacies and healthcare providers. The breach exposed sensitive information including names, Social Security numbers, medical records, and insurance details, resulting in $1.1 billion in costs for UnitedHealth Group. The final impact assessment increased significantly from initial estimates of 100 million affected individuals to the current figure of 190 million.
• In 2024, multiple states enacted data privacy laws, with California and Texas implementing significant regulations while seven other states passed comprehensive privacy legislation. The Federal Trade Commission increased enforcement against data brokers and companies handling sensitive data, requiring new safeguards for location data and expanding breach notification rules. States including California, Colorado, and Utah passed AI-specific regulations targeting high-risk AI systems and requiring safeguards and disclosures. Massachusetts narrowed its wiretapping law scope regarding website tracking technologies, while Washington and Nevada enacted laws protecting consumer health data outside HIPAA. State enforcement actions ramped up, with California and Texas leading investigations into data collection practices and improper data sharing.

Fraud & Abuse

• The Second Circuit Court of Appeals has joined other federal circuits in adopting the “at least one purpose rule” in Anti-Kickback Statute violations. AKS prohibits payments by defendants if any single purpose of a payment was to induce patient referrals, even if other legitimate reasons exist. In the case before the court, Steven Camburn alleged Novartis violated the False Claims Act by providing improper payments to physicians through speaker programs to encourage prescriptions of their multiple sclerosis drug Gilenya. The Second Circuit found sufficient evidence in three categories of allegations: speaker programs without legitimate attendees, excessive compensation for canceled events, and strategic speaker selection to induce prescriptions. The court joins the Third, Fifth, Seventh, Ninth, and Tenth Circuits in applying this interpretation, with the First and Fourth Circuits also assuming this standard.
• The Department of Justice and qui tam relators filed a record-breaking 1,402 new False Claims Act cases in 2024, representing a 16% increase from 2023’s previous record. Total recoveries reached $2.9 billion, with $2.2 billion coming from qui tam suits where DOJ intervened. A Florida federal court ruled the FCA’s qui tam provisions unconstitutional under the Appointments Clause, though this decision faces uncertain prospects on appeal. The second Trump administration is expected to continue aggressive FCA enforcement while potentially limiting reliance on sub-regulatory guidance and increasing voluntary dismissals of qui tam cases. President Biden also signed into law the Administrative False Claims Act, expanding agencies’ ability to pursue claims up to $1 million through administrative proceedings.
• Three Texas healthcare providers settled Stark Law violation cases for a total of $21.3 million in 2024. Horizon Medical Center paid $14.2 million for improper service identification and problematic financial relationships, while Little River Healthcare’s CEO Jeffrey Madison paid $5.3 million for illegal kickback schemes and received a 25-year exclusion from federal healthcare programs. Dr. Mohammad Athari in Houston paid $1.8 million for referring patients to his own diagnostic centers between 2014 and 2021, violating laws that prohibit physicians from referring patients to facilities where they maintain financial interests. The Department of Justice continues to pursue healthcare fraud cases, focusing on both institutions and executives who violate federal healthcare regulations.
• Northwest Anesthesiology and Pain Services (NWAP) has agreed to pay $999,999 to resolve Medicare claims violations. The Houston-based provider hired Stacey Green and Remedy Physician Solutions in 2019 to manage pain practices, where Green implemented bonus payments based on lab referrals rather than productivity. Between 2019 and 2021, NWAP paid $1.8 million in bonus payments through this system, which the government deemed improper kickbacks for referrals. NWAP self-disclosed the violations to authorities and cooperated with the investigation conducted by the U.S. Attorney’s Office and Department of Health and Human Services Office of Inspector General.

Health Policy

• Drug pricing and health care fraud remain central issues as Robert F. Kennedy Jr. and Marty Makary await confirmation as HHS secretary and FDA commissioner. The Trump administration continues implementation of drug price negotiations under the Inflation Reduction Act despite pharmaceutical industry litigation, while ACA subsidies face expiration in 2025. Health care fraud enforcement priorities include clinical trial fraud, cybersecurity, and product referral arrangements, with FDA focusing on medical device cybersecurity and AI software guidance. The reauthorization of OMUFA in 2025 presents opportunities to address drug shortages, biosimilar substitution rules, and dietary supplement regulations, while the FDA maintains its focus on the opioid epidemic and real-world evidence for rare disease treatments.

Health Administration

• VMG Health explores how Occam’s Razor principles can improve healthcare administration. The principle advocates for simplifying complex healthcare systems by focusing on essential elements in areas like patient discharge, resource allocation, and regulatory compliance. Healthcare organizations can streamline operations through vendor consolidation, automated compliance platforms, and simplified communication protocols. The approach emphasizes removing unnecessary steps while maintaining quality care and meeting regulatory requirements. The article While simplification is beneficial, administrators must balance efficiency with the inherent complexity of healthcare operations.

HIPAA: Enforcement

• The U.S. Department of Health and Human Services Office for Civil Rights has announced six enforcement actions in early 2025, focusing on three key initiatives: Right of Access, Risk Analysis, and Ransomware protection. The enforcement actions include penalties ranging from $10,000 to $3,000,000 for violations involving ransomware attacks, phishing incidents, and failure to provide timely access to medical records. The cases affected over 175,000 individuals’ protected health information and involved both healthcare providers and business associates. OCR emphasizes that organizations must conduct regular risk analyses, implement security measures, and ensure prompt access to patient records to avoid future enforcement actions.

HIPAA: Privacy Rule

• The U.S. Department of Justice has dropped charges against Dr. Eithan Haim, who faced prosecution for obtaining protected health information about transgender surgeries at Texas Children’s Hospital. The case began when journalist Christopher Rufo reported in 2023 that the hospital continued performing transgender procedures on minors after announcing they would stop. Dr. Haim, who provided the whistleblower documents to Rufo, faced up to 10 years in prison and a $250,000 fine for accessing patient information without authorization. U.S. District Judge David Hittner dismissed all counts with prejudice.

HIPAA: Security Rule

• The U.S. Department of Health and Human Services published proposed updates to the HIPAA Security Rule on January 6, 2025, marking the first major revision since 2013. The new requirements mandate business associates to notify covered entities within 24 hours of activating contingency plans and provide annual verification of technical safeguards. Business Associate Agreements must be updated to include these new provisions within one year and 60 days after the Final Rule publication, with a transition period available for existing agreements. The proposal allows covered entities to appoint business associates as Security Officers while maintaining ultimate compliance responsibility, and the HHS Office for Civil Rights will accept comments through March 7, 2025. The changes will affect both current and future business associate relationships, requiring updates to vendor management programs and security risk assessment processes.
• The Department of Health and Human Services Office for Civil Rights has published a notice of proposed rulemaking to strengthen HIPAA Security Rule requirements. The proposal eliminates flexible “addressable” specifications in favor of mandatory security controls and requires implementation of multifactor authentication, encryption, and data backup systems. Healthcare organizations must conduct annual risk analyses, compliance audits, and obtain written verification from business associates regarding security measures. The rule, open for comments through March 7, 2025, will take effect 60 days after final publication with a 180-day compliance period. Organizations must update their Business Associate Agreements within one year and implement stricter technical controls, including removing system access within one hour of employee termination.

Regulation & Oversight

• The White House removed inspectors general from most cabinet-level agencies through immediate termination emails sent on January 24. Between 12 and 17 inspectors general were dismissed without the legally required 30-day notice to Congress, with only the Department of Justice and Homeland Security IGs remaining in place. The dismissals sparked bipartisan concern, with Republican Senator Charles Grassley requesting explanation and Democratic leaders condemning the action as an attack on government oversight. At least one dismissed IG plans to report to work Monday, arguing the terminations violated federal law, while Hannibal Ware, chair of the Council of IGs, stated the removals appear legally insufficient. The White House provided no explanation for the dismissals beyond citing “changing priorities” in the termination notices.

Texas Medical Board Rules

• The Texas Medical Board implemented new rules that require medical spas and IV hydration clinics to post physician information and ensure staff wear identification. The rules consolidate delegation requirements under Chapter 169, mandating written documentation of all medical delegations and allowing physician assistants and advanced practice nurses to provide emergency consultations. Practitioner-patient relationships can now be established through in-person visits or telemedicine, while the Board plans to issue standardized forms for alternative medicine and review ketamine treatment regulations. The Board removed office medication dispensing limits but reminds physicians that state law still restricts supplying drugs beyond immediate patient needs.

Advisory Opinion

• The Office of Inspector General (OIG) issued Advisory Opinion 25-01, concluding that a pharmaceutical company’s arrangement to provide free access to a specific drug for eligible patients does not warrant administrative sanctions under the Federal anti-kickback statute or the Beneficiary Inducements Civil Monetary Penalty (CMP) provisions. The drug in question is an infusion therapy for a disease with limited alternative treatments. The program provides free medication to patients meeting specific financial and clinical criteria, including uninsured individuals or those unable to afford out-of-pocket costs. The OIG determined the arrangement poses a low risk of fraud or abuse, as it neither interferes with clinical decision-making nor steers patients toward specific providers or plans. Patients and providers must adhere to strict conditions, including ensuring the drug is used only for designated individuals and not reimbursed by any payor.

AI Regulation in Healthcare

• The House Bipartisan Task Force on Artificial Intelligence released a 253-page report on December 17, 2024, outlining key recommendations for AI implementation in healthcare. The report highlights AI’s potential to reduce drug development time and costs from the current 12-year average, with the FDA having approved over 800 non-generative AI/ML-enabled medical devices. The Task Force identified challenges including interoperability issues between systems, liability standards for AI-related medical decisions, and the need to revise physician reimbursement models as AI increases efficiency. The report concludes with five recommendations focusing on safety, research support, risk management, liability standards, and payment mechanisms, while emphasizing that medical practitioners must maintain responsibility for AI-augmented decisions. The Task Force’s findings come as the incoming Trump administration signals a departure from the Biden-Harris Executive Order on AI regulation.
• The U.S. Department of Health and Human Services has released its AI Strategic Plan, a 200-page document outlining four key goals for AI in healthcare: catalyzing innovation, promoting trustworthy development, democratizing access, and cultivating AI-empowered workforces. The plan aims to accelerate scientific breakthroughs, improve clinical outcomes, enhance healthcare delivery, and respond to public health threats through AI implementation. HHS will provide funding through programs like Bridge2AI and TARGET, while addressing biosecurity and privacy risks through national guidelines and industry collaboration sandboxes. The initiative includes partnerships with organizations like NIH’s AIM-AHEAD consortium to ensure equitable AI access for underserved populations, while Premier Inc. has expressed support for the plan’s alignment with healthcare workforce enhancement and value-based care goals. The strategy includes development of talent pipelines through programs such as NIH’s DATA National Service Scholar Program to ensure long-term successful AI adoption in medical research and discovery.
• California Attorney General released two legal advisories addressing AI regulation in California, with one focusing on general AI applications generally and another specifically targeting healthcare. The first advisory outlines existing California laws that apply to AI development and usage, including consumer protection, civil rights, and data protection laws, while also detailing new AI regulations effective January 1, 2025, covering disclosure requirements, likeness protection, and election material guidelines. The second advisory specifically addresses AI in healthcare settings, requiring healthcare entities to test, validate, and audit AI systems for safety and lawful use. Healthcare providers must maintain transparency about AI usage in patient care and data training.
• At CES 2025, FTC Commissioners discussed the agency’s approach to AI regulation. The Commissioners agreed on pursuing cases involving AI-related fraud and deception, though they differed on the extent of developer liability for AI tools misused by third parties, as evidenced in the Rytr and Sitejabber settlements. Both Commissioners expressed concerns about voice cloning fraud, with the FTC implementing an Impersonation Rule and launching a Voice Cloning Challenge to combat such scams. The discussion highlighted plans to investigate children’s interactions with AI chatbots through potential market studies. The Commissioners maintained a pro-innovation stance while acknowledging their differing views on enforcement approaches, suggesting continued FTC engagement with AI regulation in the next Administration.

Antitrust & Competition

• Welsh Carson agrees to pare back anesthesia market power to avoid new FTC suit. The Federal Trade Commission has reached a settlement with private equity firm Welsh Carson following allegations of anticompetitive behavior in the Texas anesthesia market through its portfolio company U.S. Anesthesia Partners. The agreement requires Welsh Carson to freeze its investment in USAP at minority levels, reduce its board representation to one seat, and obtain FTC approval for future anesthesia investments nationwide. The settlement comes after a federal court dismissed the FTC’s initial lawsuit in May 2024, and the FTC commissioners voted 5-0 to accept the agreement days before President-elect Trump’s administration takes office.
• The State of Colorado reached an agreement with Dallas-based U.S. Anesthesia Partners (USAP) requiring the company to divest contracts at five hospitals, modify noncompete agreements, and pay $200,000 in restitution. USAP, which employs 4,500 clinicians across 700 facilities nationwide, controlled 86.7% of Denver-area hospital anesthesia services by 2021 and charged 30-40% higher rates than competitors. The Federal Trade Commission filed a case in Texas’ Southern District in December 2023, alleging USAP engaged in similar practices there, where it has become the dominant provider in major cities through acquisitions of over a dozen practices, 1,000 doctors, and 750 nurses since 2012. The company’s reimbursement rates in Texas are double the median rate of other anesthesia providers in the state.

Cybersecurity & Ransomware

• A new report examines the major cybersecurity challenges facing healthcare organizations in 2025 . The data reveals that 72% of medical imaging systems are internet-connected with vulnerabilities, while 82% of healthcare organizations report attacks originating from third parties. The report identifies three primary threat vectors: social engineering attacks, internet-facing devices with known exploitable vulnerabilities, and third-party risks. According to the 2024 Claroty State of CPS Survey, 26% of healthcare organizations lack proper threat detection capabilities, and 56% fail to utilize threat intelligence for cyber physical systems. The article concludes that healthcare organizations must implement comprehensive cybersecurity measures including multi-factor authentication, regular software updates, and strict access controls to protect patient safety and service continuity.
• A new report revealed 1,204 confirmed ransomware attacks in 2024, with 195.4 million records compromised and $133.5 million paid in ransoms. The healthcare sector experienced 223 confirmed attacks, with 181 targeting healthcare providers and 42 affecting non-provider healthcare organizations, compromising over 141 million healthcare records total. The Change Healthcare attack was the most significant of 2024, resulting in $2.9 billion in losses and affecting 100 million individuals’ protected health information. RansomHub emerged as the most active ransomware group with 89 confirmed attacks, while the average ransom demand across all sectors was $3.5 million. In response, the HHS Office for Civil Rights has proposed updates to the HIPAA Security Rule, requiring healthcare organizations to implement enhanced cybersecurity measures including regular vulnerability scans, penetration testing, and encryption protocols.

Fraud & Abuse

• The Department of Justice released its annual report showing total civil fraud recoveries of $2.9 billion for FY2024, marking the fourth-lowest recovery since 2010. Healthcare industry recoveries hit a decade low at $1.67 billion, representing 57.3% of total recoveries, down from historical averages of over 80%. The number of qui tam lawsuits reached a record high of 979 in FY2024, with 609 cases outside healthcare, while qui tam recoveries accounted for 82% of total civil fraud recoveries at $2.2 billion. FY2025 has begun with $850 million in recoveries from Teva Pharmaceuticals and Raytheon, while the DOJ continues to focus on Medicare Advantage fraud, Anti-Kickback Statute violations, cybersecurity issues, and pandemic-related fraud schemes.
• A former Texas hospital CEO was sentenced to 36 months in federal prison and ordered to pay $5,343,630 for his role in a healthcare kickback conspiracy. The scheme involved Little River Healthcare, Stamford Memorial Hospital, and Boston Heart Diagnostics, where hospitals billed insurers at inflated rates for blood tests and shared profits with marketers who paid kickbacks to referring physicians through fake investment opportunities. A total of 21 defendants were indicted in the conspiracy, with several receiving prison sentences, while others pleaded guilty before trial. Peter Bennett was convicted for laundering over $2.7 million in kickback proceeds through sham trusts and shell corporations, while Robert O’Neal pleaded guilty to conspiracy charges related to arranging physician referrals and money laundering.
• A physician and his son plead guilty to a kickback conspiracy. The scheme involved the physician’s pain management clinic referring prescriptions for compound drugs to pharmacies where his son worked as a marketer, resulting in $6.6 million in kickback payments. The pair faces up to 5 years in prison and $250,000 in fines.
• A Fredericksburg physician was sentenced to 10 years in prison for a $70 million Medicare fraud scheme. A 61-year-old physician signed prescriptions and medical records for over 13,000 Medicare beneficiaries without examining them, resulting in $70 million in fraudulent Medicare claims for medical equipment and cancer genetic testing. The physician received $475,000 for his role in the scheme and must pay $26 million in restitution. In May 2024, he was convicted of conspiracy to commit healthcare fraud and three counts of false statements related to healthcare matters.
• A McAllen pharmacist has pleaded guilty in a $110 million healthcare fraud scheme. Between 2014 and 2016, the pharmacist paid $24 million in kickbacks to marketers who directed prescriptions for compound drugs to his pharmacy, resulting in $110 million in billings to federal health care programs. The pharmacist will be sentenced on March 25, where he faces up to five years in federal prison and a potential $250,000 fine.

HIPAA & Patient Confidentiality

• The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has intensified its focus on health data security and artificial intelligence. The agency published updates to the HIPAA Security Rule on January 6, 2025, requiring new security measures including encryption, multi-factor authentication, and annual audits. Between December 2024 and January 2025, OCR announced nine enforcement actions related to health data security and launched HIPAA audits of 50 regulated entities. The agency issued guidance on responsible AI use through Section 1557 regulations and a “Dear Colleague” letter, with new discrimination prevention requirements taking effect May 1, 2025. Healthcare organizations must review HIPAA risk analyses, strengthen security measures, and implement AI compliance protocols to meet OCR’s enhanced requirements.
• The U.S. Department of Health and Human Services Office for Civil Rights has reached a $3,000,000 settlement with Solara Medical Supplies following HIPAA violations related to a phishing attack that compromised 114,007 patients’ electronic protected health information through eight employee email accounts between April and June 2019. A second breach occurred when Solara sent 1,531 breach notification letters to incorrect addresses in January 2020. The investigation revealed Solara failed to conduct risk analysis, implement security measures, and provide timely breach notifications. Under the settlement terms, Solara must implement a two-year corrective action plan that includes risk analysis, security management, policy updates, and staff training.
• Memorial Healthcare System has settled an alleged HIPAA Right of Access violation with the U.S. Department of Health and Human Services’ Office for Civil Rights. The case involved a patient who made multiple requests for EEG records starting December 30, 2020, but didn’t receive them until September 29, 2021, nine months after the initial request and only after OCR initiated an investigation. The HIPAA Privacy Rule requires healthcare providers to furnish patient records within 30 days of request, with a possible 30-day extension in limited circumstances. While OCR initially proposed a $100,000 penalty, Memorial Healthcare System contested the findings and ultimately agreed to pay $60,000 to resolve the litigation. The settlement was announced on January 15, 2025, after negotiations between OCR and Memorial Healthcare System concluded.

Medicare & Medicaid

• The Department of Health and Human Services has announced 15 drugs for the second round of Medicare price negotiations. The negotiations will begin in 2025 with prices taking effect in 2027, following the first round which achieved price reductions of 38% to 79% on 10 drugs. Wegovy ($1,350) and Ozempic ($1,000) lead the list of medications, which includes treatments for conditions ranging from diabetes to cancer. The selected drugs were used by 5.3 million Medicare beneficiaries between 2023-2024, representing $41 billion in prescription drug costs. The first round of negotiations is expected to save Medicare beneficiaries $1.5 billion in out-of-pocket costs when implemented in 2026.

Mergers, Acquisitions & Private Equity

• Healthcare M&A transactions declined by 2.8% in Q3 2024, marking the lowest level since Q3 2020, with private equity participation dropping to 7% from 12% in Q2. Major deals included TowerBrook Capital Partners and Clayton, Dubilier & Rice’s $8.9 billion acquisition of R1 RCM Inc., Carlyle’s $3.8 billion purchase of Baxter International’s Kidney Care segment, and Orlando Health’s $439.4 million acquisition of three Florida hospitals from Steward Health Care. Professional Services dominated the sector with 54.8% of total deal volume, while the Hospital sector saw a 50% increase in transaction activity due to Steward Health Care’s divestitures. The Federal Reserve’s interest rate cuts and California’s veto of Assembly Bill 3129 signal potential growth in healthcare M&A activity for 2025, despite ongoing regulatory scrutiny.
• A recent report by the Federal Trade Commission warns that private equity ownership introduces “new and unique risks” to healthcare, surpassing those associated with general industry consolidation. The investigation, which reviewed over 2,000 public comments, highlights concerns such as higher consumer prices, operational changes, and staffing reductions linked to private equity-backed healthcare services. The agencies urge Congress and state legislators to enhance oversight by lowering the federal reporting threshold for mergers and acquisitions and expanding transparency rules regarding nursing home ownership. The report notes that private equity firms have significant investments across various healthcare sectors, including physician practices, emergency room staffing, nursing homes, mental health facilities, and hospitals. It also points out that companies with private equity ties are more prone to bankruptcies.

Confidentiality & Cybersecurity

• The US Court of Appeals has struck down net neutrality regulations, allowing Internet Service Providers (ISPs) to monitor, prioritize, and control Internet traffic. The ruling impacts healthcare privacy as ISPs can now track and sell patient data from telehealth sessions, mental health searches, and digital health app usage to third parties. Healthcare providers must implement stronger privacy measures, including encrypted platforms, VPNs, and HIPAA-compliant systems to protect patient information. FCC Chair Jessica Rosenworcel has called for congressional action, while healthcare professionals are urged to advocate for patient privacy through policy engagement and partnerships with privacy organizations. The decision particularly affects rural patients who rely on telehealth services and raises concerns about potential discrimination based on health-related Internet activity.
• A recent report reveals that 73% of healthcare organizations still use legacy systems, which creates security vulnerabilities that cybercriminals can exploit. Healthcare IT teams must build security measures into applications from the start, ensure flexibility across platforms, and implement vendor management strategies to protect data. The modernization process requires consideration of usability factors to prevent users from circumventing security controls, while features like Pure Storage’s SafeMode Snapshots provide protection against data breaches. Organizations that implement these strategies can better protect patient data, maintain productivity, and preserve patient trust.
• The U.S. Department of Health and Human Services Office for Civil Rights has proposed major changes to the HIPAA Security Rule that would require healthcare organizations to implement stricter cybersecurity measures by mid-2025. The changes include mandatory encryption of protected health information, multi-factor authentication, vulnerability scanning every 6 months, penetration testing annually, and notification requirements within 24 hours for certain security events. HHS estimates first-year compliance costs at $9 billion, with subsequent annual costs of $6 billion through year five. The proposal comes in response to a 950% increase in individuals affected by healthcare data breaches since 2018, though its fate remains uncertain as it transitions between administrations. The 60-day public comment period ends March 7, 2025, with compliance required 180 days after the final rule takes effect.
• Healthcare data breaches affected 184,111,469 records in 2024, representing 53% of the U.S. population, with 703 large breaches reported to OCR. The largest breach occurred at Change Healthcare, affecting 100 million individuals through a ransomware attack that caused widespread disruption to healthcare services and medication access across the U.S. healthcare system. The year saw 13 breaches involving more than 1 million healthcare records each, with 11 caused by hacking incidents and 8 involving business associates of HIPAA-covered entities. In response to these breaches, the HHS Office for Civil Rights published cybersecurity performance goals and proposed updates to the HIPAA Security Rule to mandate stronger security measures, including multifactor authentication and encryption requirements. The fate of these proposed security updates now rests with the incoming Trump administration.
• SOC 2 audits provide healthcare organizations with a framework for managing data security, privacy, and operational integrity. The audit process ensures protection of Protected Health Information (PHI) and Personally Identifiable Information (PII) through controls that safeguard against unauthorized access and breaches. While not legally mandated, SOC 2 complements HIPAA, HITECH, and GDPR regulations by addressing data encryption, access control, and risk management. The framework includes five trust service principles – Security, Availability, Processing Integrity, Confidentiality, and Privacy – and helps organizations manage third-party vendor risks through certification requirements. Healthcare providers can prepare for SOC 2 audits through gap analysis, control implementation, staff training, and partnership with expert consultants.

Innovation

• OpenAI CEO Sam Altman claims his company knows how to build AGI and predicts AI agents will join the workforce in 2025. OpenAI defines AGI as systems that outperform humans at economic tasks, with a specific financial threshold of $100 billion in profits set in their agreement with Microsoft. The technology rights for AGI are excluded from OpenAI’s IP investment contracts with companies like Microsoft, marking its strategic importance. Critics, including Gary Marcus, have dismissed Altman’s claims as marketing hype. Altman acknowledges the potential economic disruption from AGI and suggests universal basic income as a solution for workforce displacement.
• A New York University study published in Nature Medicine reveals that introducing just 0.001% of medical misinformation into LLM training data can compromise the model’s accuracy, resulting in over 7% harmful responses. The researchers tested this by injecting false information into “The Pile” database across 60 medical topics, finding that the poisoned models not only produced misinformation about targeted topics but became generally unreliable about medicine. The study demonstrates that for $100, someone could generate 40,000 articles to poison a large model like LLaMA 2, with the misinformation potentially hidden in invisible webpage text. While the researchers developed an algorithm to flag potentially false medical information, the study highlights ongoing challenges with both intentional poisoning and existing medical misinformation in training data, including outdated information in curated databases like PubMed.

Legislation

• The Texas Legislature is considering the Texas Responsible AI Governance Act, which aims to regulate high-risk AI systems that make consequential decisions affecting areas like healthcare, housing, and employment. The Act establishes strict requirements for developers and deployers, including mandatory risk assessments, consumer disclosures, and human oversight of AI decisions. The legislation prohibits specific AI uses such as social scoring, unauthorized biometric data collection, and emotional inference without consent, while giving consumers rights to transparency and legal action. The Texas Attorney General would have enforcement authority with fines up to $100,000 per violation, and businesses operating in Texas would need to ensure compliance through impact assessments and updated procedures.
• California has enacted a law prohibiting insurance companies from using AI alone to deny health insurance claims. The legislation, Senate Bill 1120 (Physicians Make Decisions Act), was signed by Governor Gavin Newsom in September 2024 in response to data showing 26% of California insurance claims were denied in 2024. The law requires human judgment in coverage decisions, sets strict deadlines for claim reviews (5 business days for standard cases, 72 hours for urgent cases, and 30 days for retrospective reviews), and gives the California Department of Managed Health Care enforcement authority with power to issue fines. The initiative has gained national attention, with 19 states considering similar legislation and congressional offices exploring federal regulations.

Regulation

• The FDA has released new draft guidance for AI-enabled medical devices, building on its previous predetermined change control plan guidance from December 2023. The guidance, to be published in the Federal Register on January 7, provides recommendations for the total product lifecycle of AI-enabled devices, including design, development, maintenance, and documentation requirements. The FDA has authorized over 1,000 AI-enabled devices and will accept public comments on the draft guidelines through April 7, with specific focus on AI lifecycle alignment, generative AI recommendations, performance monitoring, and user information requirements. The agency will host webinars on February 18 to discuss the regulatory proposal and on January 14 regarding the final PCCPs guidance, while emphasizing the importance of addressing transparency and bias in AI medical devices. The guidance aims to ensure performance considerations across race, ethnicity, disease severity, gender, age, and geographical factors are addressed throughout device development and monitoring.

Advanced Practice Providers

• Advanced Practice Providers (APPs), including nurse practitioners, physician assistants, and other specialists, are filling healthcare gaps caused by physician shortages and increased demand for services. Chief APPs (CAAPs) have emerged as leaders who manage APP integration within healthcare organizations. APPs can diagnose conditions, prescribe medications, conduct exams, and interpret tests, while spending more time with patients than traditional providers. The expansion of APP roles offers a solution to healthcare access issues, particularly in underserved areas, and their scope of practice continues to grow alongside the importance of CAAPs in healthcare systems.

Patient Confidentiality

• The US Court of Appeals has struck down net neutrality regulations, allowing Internet Service Providers (ISPs) to monitor, prioritize, and control Internet traffic. The ruling impacts healthcare privacy as ISPs can now track and sell patient data from telehealth sessions, mental health searches, and digital health app usage to third parties. Healthcare providers must implement stronger privacy measures, including encrypted platforms, VPNs, and HIPAA-compliant systems to protect patient information. FCC Chair Jessica Rosenworcel has called for congressional action, while healthcare professionals are urged to advocate for patient privacy through policy engagement and partnerships with privacy organizations. The decision particularly affects rural patients who rely on telehealth services and raises concerns about potential discrimination based on health-related Internet activity.
• The U.S. Department of Health and Human Services has proposed new HIPAA Security Rules, marking the first update since 2013, with publication scheduled for January 6, 2025. The proposed changes include mandatory encryption of PHI at rest and in transit, implementation of multi-factor authentication, and requirements for covered entities to review and update security policies regularly. Business associates must provide written verification of technical safeguards annually and notify covered entities within 24 hours of access changes or contingency plan activations. The rules establish specific timeframes for security compliance, including 15-day patches for critical risks and 72-hour system restoration requirements, while requiring organizations to maintain technology asset inventories and network maps with annual updates.
• Healthcare data breaches affected 184,111,469 records in 2024, representing 53% of the U.S. population, with 703 large breaches reported to OCR. The largest breach occurred at Change Healthcare, affecting 100 million individuals through a ransomware attack that caused widespread disruption to healthcare services and medication access across the U.S. healthcare system. The year saw 13 breaches involving more than 1 million healthcare records each, with 11 caused by hacking incidents and 8 involving business associates of HIPAA-covered entities. In response to these breaches, the HHS Office for Civil Rights published cybersecurity performance goals and proposed updates to the HIPAA Security Rule to mandate stronger security measures, including multifactor authentication and encryption requirements. The fate of these proposed security updates now rests with the incoming Trump administration.

Fraud & Abuse

• ASD Specialty Healthcare has agreed to pay $1.67 million to settle anti-kickback claims for providing free inventory management systems to retina practices that agreed to purchase drugs from them. The company, operating as Besse Medical and a subsidiary of Cencora, acquired the PODIS system in 2017 and offered it at no cost to physicians who signed agreements to purchase drugs, including AMD treatments, while denying access to non-customers. Two whistleblowers from Regeneron Pharmaceuticals brought forth the claims and will receive $250,705 from the settlement. Medicare spent $386 million on branded AMD drugs in 2022, with $334.4 million specifically on aflibercept. The Department of Justice has also filed a separate False Claims Act complaint against Regeneron for allegedly inflating Medicare reimbursement rates for Eylea.
• A federal grand jury in Virginia indicted Chesapeake Regional Medical Center on January 8, 2025, for healthcare fraud and conspiracy to defraud the United States. The charges stem from the hospital’s alleged involvement with a physicia who was previously sentenced to 59 years in prison for performing unnecessary surgeries and falsifying medical records, resulting in $20.8 million in fraudulent billings. The indictment claims hospital staff received two sets of documents for early deliveries – one with real dates and another with falsified dates – yet continued to allow procedures and bill Medicaid. The hospital faces decisions about pleading guilty or going to trial, with potential consequences including fines, monitoring requirements, and property forfeiture. This case establishes precedent for hospitals’ responsibility to prevent fraud and highlights how employee knowledge of illegal activities can result in criminal charges for the institution.
• The Second Circuit Court of Appeals has expanded the Anti-Kickback Statute by adopting the “at-least-one-purpose rule”, which states that a violation occurs when inducing healthcare purchases is just one purpose of a payment, rather than requiring it to be the sole purpose. The ruling emerged from a qui tam lawsuit against Novartis Pharmaceuticals, where the relator alleged the company used speaker programs to provide kickbacks to doctors who prescribed their multiple sclerosis drug Gilenya. The Second Circuit revived parts of the lawsuit on December 27, 2024, focusing on allegations of sham speaking events, excessive payments for canceled engagements, and the selection of high-prescribing physicians as speakers. The Court determined that no quid pro quo proof is required for AKS violations, joining seven other circuit courts in this interpretation. The decision creates heightened enforcement risks for healthcare companies and requires them to review their physician payment practices.

Litigation

• Aetna sues drugmakers over alleged price-fixing scheme in a lawsuit filed in Hartford, Connecticut against nearly two dozen pharmaceutical companies, including Pfizer and Teva Pharmaceuticals, for allegedly conspiring to fix generic drug prices. The lawsuit claims the companies communicated through private meetings and trade conferences to establish a “fair share” scheme, resulting in price increases of up to 1000% for certain medications. The case follows similar legal actions by state attorneys general and other insurers, with Heritage Pharmaceuticals and Apotex already settling for $49 million in fall 2024.

No Surprises Act

• The Fifth Circuit Court of Appeals has upheld key provisions of the No Surprises Act’s Qualified Payment Amount (QPA) calculations in Texas Medical Association v. U.S. Department of Health and Human Services. The court ruled that contracted rates can be included in QPA calculations regardless of claim frequency, while excluding case-specific agreements and bonus payments from these calculations. The ruling maintains the Act’s 30-day payment deadline requirement and upholds disclosure provisions about QPA calculations. The decision impacts healthcare providers by allowing “ghost rates” in QPA calculations and excluding incentive payments, which may result in lower reimbursement rates for out-of-network services. The QPA serves as the basis for determining patient cost-sharing responsibilities and plays a key role in payment dispute resolution between providers and insurers.

AI Legislation

• The Texas Legislature is considering the Texas Responsible AI Governance Act, which would establish regulations for high-risk AI systems that make consequential decisions affecting areas like employment, education, and government services. The Act requires developers and deployers to protect consumers from algorithmic discrimination, maintain oversight of AI systems, and provide detailed disclosures about AI interactions. The legislation prohibits specific AI uses including social scoring, unauthorized biometric data collection, and emotional inference without consent, while granting consumers rights to transparency and legal action. The Texas Attorney General would have enforcement authority with fines up to $100,000 per violation, making this one of the most comprehensive state-level AI regulations proposed in the U.S.

AI Implementation

• Healthcare entities face increasing scrutiny over AI usage in patient data management, with three key areas of concern emerging: data scraping/sharing, utilization management, and discriminatory bias. Recent court cases have highlighted the importance of data anonymization in determining the validity of privacy claims, with courts generally favoring defendants when patient data is properly anonymized. Federal agencies and states are implementing regulations to limit AI’s role in medical necessity determinations, with CMS prohibiting AI-only decisions and states like California passing laws requiring specific disclosures for GenAI use in patient communications. While major litigation regarding AI discrimination hasn’t occurred yet, state attorneys general are actively investigating potential racial bias in healthcare algorithms. To mitigate risks, healthcare entities should conduct regular AI risk assessments, implement robust PHI de-identification procedures, and utilize appropriate data agreements and patient waivers.
• Testing by medical professionals has shown AI systems like ChatGPT giving dangerous medical advice up to 20% of the time. While AI tools are being used by some healthcare providers for tasks like transcription and note-taking, even these applications have shown problems with hallucinated content and bias, such as OpenAI’s Whisper inserting false information into patient records. Medical experts warn that while AI technology shows promise, its current state risks introducing dangerous “AI slop” into patient care, requiring thorough verification that may ultimately negate any time-saving benefits.
• Agentic AI is a new paradigm that makes independent decisions and takes actions without human intervention . The technology shows potential applications in healthcare through patient monitoring, manufacturing through production optimization, and transportation through autonomous vehicles. Major concerns include job displacement, data privacy, control issues, and safety risks in high-stakes environments.
• A bipartisan U.S. House task force released a report on December 17 outlining AI policy recommendations for healthcare. The report identifies AI’s potential to improve healthcare efficiency through data analysis and automation while highlighting interoperability challenges between systems. It raises concerns about patient data privacy, cybersecurity risks, and the need for healthcare workforce AI training. The report also addresses unresolved issues regarding liability rules for AI-related medical errors and unclear reimbursement policies for AI implementation in healthcare systems. The task force emphasizes that payment structures and accountability frameworks for healthcare AI remain undefined, requiring further development.

Cybersecurity

• The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed the first update to the HIPAA Security Rule since 2013, requiring healthcare organizations to implement stronger cybersecurity measures for protected health information. The new requirements include written risk assessments, network segmentation, vulnerability scanning every six months, and penetration testing every 12 months. From 2018 to 2023, healthcare data breaches increased by 102%, affecting 167 million individuals in 2023 alone. The proposed changes address the evolution of healthcare delivery, increased cyber threats, and compliance issues observed by OCR. The current Security Rule remains in effect while HHS proceeds with the rulemaking process.
• The U.S. Department of Health and Human Services’ Office for Civil Rights has proposed a major update to HIPAA’s Security Rule, introducing new cybersecurity requirements with an estimated first-year compliance cost of $9 billion. The proposal includes mandatory implementation specifications for encryption, multifactor authentication, data backups every 48 hours, and requirements for business associates to verify compliance through expert analysis. Organizations will have 240 days to comply after the final rule is published, with the Notice of Proposed Rulemaking set for January 6, 2024, followed by a 60-day comment period. The proposal has bipartisan support and aims to modernize healthcare cybersecurity standards that haven’t been updated since 2013, though its fate may be influenced by the upcoming administration change.

Data Breaches

• The healthcare sector faced unprecedented cyberattacks in 2024, with 677 major health data breaches affecting 182.4 million people, including a record-breaking attack on Change Healthcare that compromised 100 million Americans and resulted in a $22 million ransom payment. Business associates were involved in 212 breaches affecting 131 million individuals, while hacking/IT incidents accounted for 550 attacks impacting 166 million people. The top 10 breaches included major healthcare organizations like Kaiser Foundation Health Plan (13.4 million affected), Ascension Health (5.6 million affected), and HealthEquity (4.3 million affected). Looking ahead to 2025, experts predict continued threats from ransomware, data theft, and supply chain attacks, with emerging concerns around telehealth security, IoT medical devices, and AI in healthcare.
• UT Southwestern Medical Center experienced a data breach in late-2024 that exposed 43,048 patients’ data through unauthorized access to a third-party calendar tool, marking their sixth breach since 2020. The exposed data included sensitive information such as names, dates of birth, Social Security numbers, medical records, diagnoses, and insurance information. UTSW’s breach occurred due to improper use of a calendar management tool without a business associate agreement. UTSW has taken remedial action, including implementing stronger security measures and notifying affected individuals.
• A significant cyberattack on Texas Tech University Health Sciences Centre (TTUHSC) and its El Paso campus compromised sensitive data of approximately 1.4 million individuals, with the Interlock ransomware group claiming responsibility for stealing 2.1 million files totaling 2.6 terabytes. The breached data included personal information such as names, Social Security numbers, financial details, and health-related records, prompting TTUHSC to offer complimentary credit monitoring services and establish a toll-free assistance line for affected individuals. The incident follows a pattern of major healthcare sector cyberattacks in 2024, including the Change Healthcare breach affecting 100 million individuals ($22 million ransom), MediSecure in Australia, and Synnovis in London’s NHS hospitals. TTUHSC discovered the breach in mid-September, reported it to authorities, and is implementing enhanced security measures while working with cybersecurity specialists.

Litigation

• Apple has agreed to pay $95 million to settle a lawsuit alleging that Siri recorded private conversations without consent. The settlement addresses “unintentional” recordings that occurred after the “Hey, Siri” feature was introduced in 2014, with users reporting suspiciously targeted ads following private conversations. Affected customers who purchased Siri-enabled devices between September 17, 2014, and December 31, 2024, can claim up to $20 per device for a maximum of five devices, with eligible devices including iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs. A settlement approval hearing is scheduled for February 14, after which Apple will notify affected customers and delete their recorded private conversations. While the $95 million settlement appears significant, it’s notably less than the potential $1.5 billion fine Apple could have faced under the Wiretap Act if the case had proceeded to trial.
• The Texas Attorney General has begun enforcing the Texas Data Privacy and Security Act, which took effect on July 1, 2024. The Act grants consumers rights to access, correct, delete, and obtain copies of their personal data, while requiring businesses to implement security measures and limit data collection. The Attorney General has issued violation notices targeting inappropriate data sharing, lack of consumer consent, and deficiencies in privacy notices. The enforcement actions focus on cases where sensitive user data, including location and vehicle information, was shared without proper consent. Businesses operating in Texas must now ensure compliance with the Act’s requirements regarding data collection, processing, and consumer rights notifications.

Medical Reasoning

• A recent research paper evaluates the performance of OpenAI’s o1-preview model, a large language model, on clinical reasoning tasks. The study conducted five experiments focusing on differential diagnosis generation, diagnostic reasoning, triage differential diagnosis, probabilistic reasoning, and management reasoning, with assessments by physician experts. The o1-preview model demonstrated significant improvements in generating differential diagnoses and in the quality of diagnostic and management reasoning compared to previous models and human physicians. However, there were no improvements in probabilistic reasoning or triage differential diagnosis compared to past models. In a battery of tests, the model correctly diagnosed 78.3% of cases, and it selected the correct next diagnostic test in 87.5% of cases. In other tests, the model outperformed GPT-4 and physicians in clinical reasoning documentation. The study concludes that the o1-preview model exhibits superhuman performance in several medical reasoning tasks, indicating potential for integration into clinical workflows to enhance decision-making and patient care.
• A new study in European Radiology shows that GPT-4 achieved 94% accuracy in radiological diagnoses, outperforming human radiologists who scored between 73% and 89%. AI in healthcare leverages massive datasets including electronic health records, medical imaging, and clinical databases to enhance diagnostic capabilities, personalize treatment plans, and support clinical decision-making. The technology powers virtual health assistants, performs remote diagnosis through wearable devices, and accelerates drug discovery while reducing development costs. Healthcare facilities are integrating AI for medical imaging analysis and patient outcome prediction, though challenges remain in regulatory compliance, data privacy, legacy system integration, and maintaining human expertise. The implementation of AI in healthcare requires addressing concerns about patient trust, workforce adaptation, and the potential overreliance on technology.

Privacy

• The U.S. Department of Justice published a proposed rule on October 29, 2024 that would restrict or prohibit data transactions involving sensitive personal data and government-related data between U.S. persons and entities from countries of concern including China, Russia, Iran, North Korea, Cuba, and Venezuela. The rule establishes bulk data thresholds ranging from 100 to 100,000 records and covers six categories of sensitive personal data including personal identifiers, geolocation data, biometric identifiers, genomic data, health data, and financial data. The regulations will impact various sectors including healthcare providers, financial services, insurance companies, and technology firms, requiring them to implement compliance programs and maintain transaction records for 10 years. The rule prohibits all data brokerage transactions and bulk genomic data transfers, while restricting vendor, employment, and investment agreements through cybersecurity requirements established by CISA. The DOJ emphasizes this is a national security measure aimed at preventing countries of concern from accessing data that could enhance their military and intelligence capabilities.

Ransomware

• A new report reveals that ransomware attacks are costing U.S. healthcare organizations $1.9 million per day in downtime expenses. Since 2018, there have been 654 ransomware attacks on healthcare providers, with 2023 marking a record high of 143 incidents and compromising over 88.7 million patient records in total, of which 26.2 million were breached in 2023 alone. Healthcare organizations experience an average of 17 days of downtime per incident, with the highest disruptions averaging 27 days in 2022, leading to an estimated total loss of $21.9 billion over six years. Cybersecurity experts emphasize the need for preparation, including incident response teams, communication plans, and regular data backups, as hackers increasingly employ double-extortion tactics by both encrypting systems and stealing data.

Regulation

• A new paper from Paragon Health Institute outlines guidelines for regulating artificial intelligence in healthcare while maintaining innovation and patient safety. The paper emphasizes that AI regulation must be specific to technology types and use contexts, as risks vary significantly between applications like diagnostic tools versus back-office functions. The FDA’s existing framework for medical device approval provides a foundation for AI oversight, with three pathways based on risk levels and the presence of predicate devices. The guidelines recommend preserving existing patient protections under HIPAA and other laws while avoiding duplicate regulations, and stress that AI systems should demonstrate safety and effectiveness comparable to human clinicians when operating autonomously.

Antitrust

• The US antitrust agencies have withdrawn the Antitrust Guidelines for Collaboration Among Competitors, directing businesses to rely on case law instead of formal guidelines. This action follows the 2023 removal of healthcare-related enforcement policy statements, creating a guidance vacuum for businesses seeking to comply with antitrust laws. The DOJ and FTC now refer companies to select court cases as examples, though these cases demonstrate wide variation in their specifics. Companies are advised to seek antitrust reviews, implement compliance policies, and conduct regular training.

Data Breaches

• UT Southwestern Medical Center experienced a data breach in late-2024 that exposed 43,048 patients’ data through unauthorized access to a third-party calendar tool, marking their sixth breach since 2020. The exposed data included sensitive information such as names, dates of birth, Social Security numbers, medical records, diagnoses, and insurance information. UTSW’s breach occurred due to improper use of a calendar management tool without a business associate agreement. UTSW has taken remedial action, including implementing stronger security measures and notifying affected individuals.
• A significant cyberattack on Texas Tech University Health Sciences Centre (TTUHSC) and its El Paso campus between September 17-29, 2024, compromised sensitive data of approximately 1.4 million individuals, with the Interlock ransomware group claiming responsibility for stealing 2.1 million files totaling 2.6 terabytes. The breached data included personal information such as names, Social Security numbers, financial details, and health-related records, prompting TTUHSC to offer complimentary credit monitoring services and establish a toll-free assistance line for affected individuals. The incident follows a pattern of major healthcare sector cyberattacks in 2024, including the Change Healthcare breach affecting 100 million individuals ($22 million ransom), MediSecure in Australia, and Synnovis in London’s NHS hospitals. TTUHSC discovered the breach in mid-September, reported it to authorities, and is implementing enhanced security measures while working with cybersecurity specialists. The organization is directly notifying affected individuals and advising them to monitor their credit reports, financial statements, and healthcare billing records, with access to free annual credit reports from Equifax, Experian, and TransUnion.

Fraud & Abuse

• A Medicare fraud and kickback scheme led to the conviction of a hospice owner and marketer , with fraud totaling $3.2 million. The owner, who was previously banned from Medicare, concealed her ownership of the hospice through her daughter in 2025, created fake patient charts, and paid the marketer $6,000 monthly for patient referrals, resulting in 12 counts of healthcare fraud and 16 counts of kickback violations. While awaiting trial, the hospice owner took control of three additional hospices and submitted approximately $4.8 million in fraudulent claims. Many enrolled patients were not terminally ill or unaware of their hospice enrollment, with the marketer deliberately misrepresenting hospice eligibility requirements to prospective patients.
• The Seventh Circuit Court of Appeals is considering a landmark case that could redefine what constitutes a “referral” under the Federal Anti-Kickback Statute (AKS). The case centers on Mark Sorensen, owner of SyMed Inc., who was convicted and sentenced to 42 months in prison, ordered to pay nearly $2 million in forfeiture, and fined $25,000 for an arrangement where his company paid marketing firms to find patients needing orthopedic braces and secure orders from healthcare providers. The government argues that non-healthcare professionals can make referrals under the AKS when steering patients to specific providers, while Sorensen’s defense contends the marketing activities were passive and administrative, similar to services like 1-800 Contacts. The court’s pending decision will have significant implications for healthcare marketing practices, potentially expanding AKS prosecution to include marketing professionals and clarifying when promotional activities cross the line into illegal referrals. The case was argued on December 4, 2024, with the Circuit Court’s opinion expected to provide crucial guidance for healthcare entities engaging in marketing activities.
• Recent amendments to the Stark Law have introduced significant changes affecting healthcare real estate transactions. The law, which governs physician self-referral for Medicare and Medicaid patients, has been updated with new definitions of fair market value (FMV) and general market value specifically tailored to healthcare transactions. These modifications directly impact how lease and service agreements are structured under the Stark Law exceptions, while the regulations, including the Anti-Kickback Statute, continue to present operational challenges and potential pitfalls for real estate decisions in healthcare settings.

HIPAA

• The North American EHR market is projected to reach $14.72 billion in 2024 with a 2.84% CAGR through 2030, serving 88.6% of American physicians in small practices. HIPAA, enacted in 1996, serves as the cornerstone of patient data protection in the U.S., with a clear distinction between HIPAA compliance (an ongoing legal requirement) and HIPAA certification (completion of educational courses). Healthcare organizations must prioritize partnerships with HIPAA-certified experts to ensure proper data handling and security, while focusing on meaningful metrics like script lifts rather than just impressions. The digital transformation of healthcare, while promising improved patient outcomes through AI-powered EHRs and predictive models, requires careful balance between technological advancement and maintaining patient data security.
• The U.S. Department of Health and Human Services has finalized key information blocking exceptions . The first rule establishes the Trusted Exchange Framework and Common Agreement (TEFCA) Manner Exception, which allows participants to limit electronic health information exchange to other TEFCA members, with full implementation targeted for late 2025 into 2026. The second rule, HTI-3, finalizes the Protecting Care Access exception, which provides protection for healthcare providers when handling reproductive health information and must be implemented by December 23, 2024. The rules include provisions for privacy protection, information segmentation, and a good faith standard that does not require providers to conduct legal research to support their decisions to withhold information. Healthcare providers must now update their policies, train staff, and implement new procedures to comply with these exceptions while maintaining documentation of their application.
• The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed the first update to the HIPAA Security Rule since 2013, requiring healthcare organizations to implement stronger cybersecurity measures for protected health information. The new requirements include written risk assessments, network segmentation, vulnerability scanning every six months, and penetration testing every 12 months. From 2018 to 2023, healthcare data breaches increased by 102%, affecting 167 million individuals in 2023 alone. The proposed changes address the evolution of healthcare delivery, increased cyber threats, and compliance issues observed by OCR. The current Security Rule remains in effect while HHS proceeds with the rulemaking process.
• A Texas federal court has issued a preliminary injunction blocking the enforcement of the 2024 HIPAA Reproductive Privacy Rule against Dr. Carmen Purl and her clinic, which was set to require compliance by December 23, 2024. The rule, which went into effect on June 24, 2024, aimed to strengthen privacy protections for reproductive health care information, but Dr. Purl and the State of Texas filed separate lawsuits challenging its validity. The court determined that the rule conflicts with child abuse reporting laws and would cause irreparable harm to the plaintiffs through compliance costs and potential violations of Texas law. The court has requested additional briefings on constitutional questions and the definition of reproductive health care, while noting that existing HIPAA rules already protect reproductive healthcare information.

Hospitals and Hospices

• Medicare hospice utilization rebounded to 51.7% in 2023, reaching pre-pandemic levels, with total Medicare hospice payments hitting $25.7 billion and serving more than 1.7 million beneficiaries. The total number of hospice providers exceeded 6,500 in 2023, marking a 10% increase primarily driven by for-profit companies, with significant growth in Arizona, California, Nevada, Texas, and Georgia – states that have become hotspots for Medicare fraud concerns. Financial performance varied significantly between provider types, with for-profit hospices achieving 16% margins while non-profits saw only 0.3% margins. CMS implemented enhanced oversight measures in August 2023 for new hospices in four of these five states, including medical review of claims before payment. Based on the positive utilization trends and providers’ access to capital, MedPAC recommended eliminating the base payment rate increase for 2026.
• Tweener hospitals, which are too large for critical access status but too small for financial security, face closure risks with 21 hospitals closing in 2024 and 700 rural facilities at risk. These facilities struggle with cost increases outpacing reimbursement, provider shortages affecting 66% of rural areas, third-party payer denials, loss of pandemic funding, and cybersecurity threats. The closures impact healthcare access and community economics, as these hospitals serve as major employers. Congress created the Rural Emergency Hospital designation in 2020 as a solution, with 18 states enacting legislation and 30 hospitals converting to this status.

Marketing

• The Federal Trade Commission issued warning letters to 21 healthcare marketing companies on December 10, 2024, during the open enrollment period for healthcare plans. The letters address potential violations related to misrepresenting benefits, costs, and incentives in healthcare plan marketing, and emphasizing the need for honest marketing practices. The FTC referenced past enforcement actions against companies like Simple Health and Benefytt Technologies as examples of consequences for violations. While no specific wrongdoing was alleged, the FTC urged recipients to review their advertisements for compliance and warned of continued monitoring of the marketplace. The agency’s warning targets companies involved in marketing Affordable Care Act Marketplace insurance and healthcare-related products, including limited benefit plans and medical discount programs.

Mergers & Acquisitions

• The DOJ’s M&A Safe Harbor policy allows companies to voluntarily disclose misconduct discovered during mergers and acquisitions within six months of closing, potentially avoiding prosecution if they remediate issues within 12 months. The policy offers benefits including reduced penalties, improved reputation, and streamlined remediation, but also carries risks such as expanded investigations, reputational damage, and increased regulatory scrutiny. Companies must evaluate several key factors when considering self-disclosure, including the nature and severity of misconduct, its widespread nature, risk of discovery, remediation feasibility, and reputational impact. Expert Amanda Johnston from Gardner Law characterizes the policy as a “double-edged sword” that requires careful consideration of specific circumstances and potential consequences. The article is part of a 5-part series focused on due diligence in FDA-regulated industries.
• The Justice Department’s Antitrust Division and FTC withdrew their 2000 Antitrust Guidelines for Collaborations Among Competitors on December 11, 2024, citing several key reasons including outdated court precedents, reliance on withdrawn policy statements, problematic safe harbors, and failure to address modern business technologies like AI and algorithmic pricing. The withdrawal was approved by a 3-2 FTC vote, with Commissioners Holyoak and Ferguson dissenting, arguing that removing guidance without replacement leaves businesses uncertain and questioning the timing given an upcoming administration change. The withdrawal does not affect other guidance documents, such as cybersecurity information sharing policies, nor does it specify how antitrust issues will be analyzed going forward. Commissioner Ferguson was noted to have been appointed by President-Elect Trump to replace Lina Khan as FTC Chairperson.
• A comprehensive study published in the Journal of the American College of Surgeons reveals that hospital mergers and acquisitions rarely deliver on their promised benefits. The systematic review, analyzing studies from 2000-2024, found that 77% showed either reduced quality or no improvement in care quality after integration, while 93% of cases resulted in increased hospital charges. Nearly 70% of U.S. hospitals are now part of larger health systems, yet more than half of the reviewed studies (54%) demonstrated a negative net impact on healthcare value.

OIG Advisory

• New OIG Advisory Opinion No. 24-10 addresses a medical and dental supplies distributor’s proposed expansion of their customer loyalty program, where members earn points on dental-related purchases that can be redeemed for discounts on future purchases. The program includes a tiered membership system based on annual spending, offering benefits like priority scheduling, extended warranties, and service discounts, with points worth $0.005 each and redeemable for up to 50% of purchase prices. The program would cover approximately 200,000 dental-related products, including both federally reimbursable and non-reimbursable items, with points earned equally regardless of product type and membership available to smaller customers like dental practitioners, specialists, laboratories, and local dental service organizations. While the arrangement would technically generate prohibited remuneration under the Federal anti-kickback statute, the OIG concluded it poses low risk of fraud and abuse due to its structure, transparency, and limitations, and therefore would not impose administrative sanctions. The program includes safeguards such as points being non-transferable, having no cash value, requiring partial payment for all purchases, and maintaining transparency through a points dashboard managed by a third-party vendor.
• New OIG Advisory Opinion No. 24-11 addresses a pharmaceutical manufacturer’s program to provide free meningococcal vaccinations to patients prescribed their drugs, which carry a high risk of meningococcal infections (1,000-2,000 times greater than healthy individuals). The program aims to remove barriers to vaccination access and includes both the vaccines themselves and administration through either a third-party vendor or healthcare providers, with Medicare Part D enrollees exempt from out-of-pocket costs for these vaccines as of January 1, 2023. While the arrangement technically constitutes remuneration under the Federal anti-kickback statute, the OIG determined the fraud risk is low since it primarily enhances safety protocol compliance rather than inducing drug purchases, and healthcare providers can only bill for a nominal administration fee (approximately $20). The OIG concluded they would not impose sanctions under the Federal anti-kickback statute or the Beneficiary Inducements CMP, as the arrangement primarily serves to address FDA safety concerns and doesn’t significantly influence provider selection or medical decision-making.
• New OIG Advisory Opinion No. 24-12 evaluates a pharmaceutical company’s arrangement to provide free genetic testing and counseling services for patients with specific kidney-related conditions, particularly focusing on an ultra-rare genetic condition affecting only 3 in 1,000,000 people. The arrangement includes three types of genetic testing panels offered through Quest Diagnostics’ subsidiary Blueprint Genetics, along with optional genetic counseling services, all provided at no cost to eligible patients who meet specific medical criteria. The pharmaceutical company manufactures a drug approved for treating one subtype of the condition (Subtype 1), but the arrangement prohibits sharing identifiable patient data with the company and prevents any direct marketing of the drug through the program. The OIG concluded that while the arrangement technically generates prohibited remuneration under both the Federal anti-kickback statute and Beneficiary Inducements CMP, they would not impose administrative sanctions due to the low risk of fraud and abuse, given the narrow eligibility criteria, lack of marketing connection to the drug, and various safeguards in place. The arrangement includes specific limitations, such as applying only to the requesting company and requiring all material facts to be fully and accurately presented for the opinion to remain valid.
• New OIG Advisory Opinion No. 24-13 evaluates a pharmaceutical company’s arrangement to provide financial assistance for travel, lodging, meals, and associated expenses to patients receiving a specific cell therapy product. The arrangement was intended to support patients who need to travel to specialized treatment centers for a potentially curative T-cell immunotherapy, especially those who have tried and failed other treatment options. The OIG concluded that while the arrangement could potentially be seen as providing prohibited remuneration under the Federal anti-kickback statute, it would not impose administrative sanctions. The OIG found the risk of fraud and abuse to be low because the arrangement helps remove barriers to accessing necessary medical care without promoting overutilization or inappropriate use of services. The arrangement also ensures that patients and their caregivers receive support only when other assistance is unavailable, thereby reducing the risk of it being used as a marketing tool to influence treatment decisions. Furthermore, the OIG determined that the arrangement does not violate the Beneficiary Inducements CMP because it meets the “Promotes Access to Care Exception.” This exception applies when the remuneration improves a patient’s ability to obtain medically necessary services without increasing costs or compromising patient safety and quality of care.

Pharma

• The 340B Program in 2024 experienced major changes as pharmaceutical manufacturers introduced rebate models requiring entities to pay non-340B prices upfront and request rebates afterward, leading to legal challenges from Johnson & Johnson, Eli Lilly, and Bristol-Myers Squibb against HHS. At least 37 manufacturers continued restricting 340B pricing for contract pharmacy arrangements, while eight states enacted laws to protect contract pharmacy access, with the 8th Circuit Court upholding Arkansas’s law. The 340B SUSTAIN Act gained momentum in Congress, proposing to formalize contract pharmacy arrangements and establish a centralized clearinghouse for claims processing. HRSA issued a revised Alternative Dispute Resolution process and continued audits based on sub-regulatory guidance, despite ongoing challenges to its enforcement authority.

Real Estate and Leases

• Letters of Intent are vital for health care leases. Though typically non-binding, the LOI serves as a roadmap for lease negotiations and should address terms including initial and renewal periods, operating expenses, assignment rights, maintenance obligations, holdover provisions, tenant improvements, exclusivity rights, and default terms. The document must include specific details about permitted use, square footage, parking rights, and signage rather than deferring details to the final lease. Senior Counsel Allison Zangrilli and Zlata Fayer from Epstein Becker Green’s Health Care and Life Sciences Group provide this guidance based on their experience in commercial lease negotiations. The article emphasizes that comprehensive LOI terms reduce negotiation time and prevent costly disputes during the lease drafting process.
• In a significant ruling from the U.S. Bankruptcy Court for the Western District of Pennsylvania, the Guardian Elder Care case established that assisted living and nursing facilities qualify as residential properties under Section 365(d)(3) of the Bankruptcy Code, allowing more flexibility in post-petition rent payments during Chapter 11 proceedings. The court applied a “totality of circumstances” test to determine the property classification, considering factors such as long-term occupancy and the facilities’ purpose as homes for residents. The decision aligns with legislative history from 1984, which initially created the residential/nonresidential distinction primarily to protect shopping center landlords. The ruling provides relief for healthcare facilities facing financial challenges after the reduction of pandemic-era federal support, while still maintaining protections for landlords through administrative expense priority and stay relief options.

Transgender Care

• A federal appeals court ruled that two Texas doctors lack standing to sue over the Biden administration’s transgender health discrimination policy. The unanimous decision by the 5th U.S. Circuit Court of Appeals reversed a lower court ruling, finding that doctors Susan Neese and James Hurly faced no enforcement threat under the Department of Health and Human Services’ 2021 policy interpreting the Affordable Care Act to prohibit discrimination based on gender identity. The doctors had claimed they risked losing federal funding if they refused to provide treatments they didn’t support, but the court determined they had valid, non-discriminatory reasons for their medical practices. In 2022, HHS issued a formal rule barring gender identity discrimination in healthcare, which was later put on hold amid challenges from Republican states, and the incoming Trump administration could potentially roll back these protections.

AI Implementation

• A recent report reveals that AI is primarily used for administrative tasks in healthcare settings, with clinical applications still in early adoption stages. Most medical facilities have been using AI for at least 10 months, and there is an expectation for AI to play a larger role in reviewing electronic health records and enhancing patient care. A significant knowledge gap exists, as only 24% of respondents received AI training from their employers, and concerns about data privacy and ethical issues are prevalent among 72% and 70% of respondents, respectively. Currently, AI is used for transcribing patient notes and business meetings, creating routine communications, and analyzing medical images. In the future, over 40% of respondents expect AI to assist more in clinical applications and physician training.
• The Department of Justice (DOJ) is scrutinizing the use of AI in healthcare, updating compliance guidelines to ensure companies mitigate risks associated with AI misuse, emphasizing the need for robust compliance programs and risk assessments. Health care companies must ensure compliance programs are equipped to handle AI-related risks, with adequate resources and training to prevent misuse and ensure accountability. Overall, these developments highlight significant legal challenges and regulatory scrutiny in the healthcare sector, emphasizing the need for vigilant compliance and monitoring of ongoing litigation.
• The Texas Attorney General has initiated investigations into 15 companies including Character.AI, Reddit, Instagram, and Discord regarding their privacy and safety practices for minors under the SCOPE Act and TDPSA, which require parental consent for data collection and provide tools for privacy control. The investigations are part of Texas’s broader data privacy enforcement initiative, following a recent lawsuit against TikTok and a $1.4 billion settlement with Meta over facial recognition data misuse. The SCOPE Act specifically prohibits sharing minors’ personal information without parental consent and requires companies to provide parental control tools, while the TDPSA enforces strict notice and consent requirements for collecting minors’ personal data. These protections extend to AI products, and Texas has demonstrated its commitment to data privacy enforcement through actions like the lawsuit against General Motors for illegal driver surveillance and data sharing with insurance companies. Texas is becoming a leader in data privacy enforcement, with these investigations representing a significant step toward ensuring technology companies comply with state laws protecting children from exploitation and harm.

Data Privacy

• Healthcare data represents 30% of global data, with 97% currently unused, though this is changing through AI and improved accessibility. Real-world data (RWD) and evidence (RWE) are becoming crucial, with 90% of life sciences executives leveraging RWE for decision-making, while AI algorithms have improved clinical trial matching by over 40% and recruitment by 1,800%. Patient-centric healthcare organizations are achieving twice the revenue growth compared to those with lower satisfaction scores, with AI-powered clinical decision support systems saving approximately $1,000 per patient encounter. Supply chain challenges remain significant, with 80% of healthcare providers expecting issues to persist or worsen, and half of suppliers losing over 2.5% revenue due to shortages between February 2023-2024, though predictive AI systems can now identify product shortages with over 90% accuracy.
• Even public-facing healthcare websites can present significant privacy risks through seemingly innocent features like contact forms, appointment requests, and symptom checkers. Unauthenticated pages can inadvertently capture Protected Health Information (PHI) through web forms, tracking technologies, cookies, and web beacons, which may collect user data including IP addresses and browsing history. Healthcare organizations must implement proper safeguards including data encryption, secure storage, explicit consent mechanisms, and careful evaluation of third-party tracking technologies to maintain HIPAA compliance. Organizations should consider minimizing PHI collection on public pages by providing general inquiry options instead of detailed health information forms, while maintaining clear privacy notices and readily accessible contact information for privacy-related concerns. The protection of PHI requires ongoing vigilance and consistency, as even basic data points can constitute protected health information when linked to an individual’s healthcare activities.

Data Breaches

• The healthcare sector experienced unprecedented data breaches in 2024, with 168 million individuals affected across all reported incidents and 137 million from the top 10 breaches alone. Change Healthcare suffered the largest breach, affecting 100 million individuals due to a BlackCat/ALPHV ransomware attack that exploited an MFA-lacking Citrix portal, resulting in a $22 million ransom payment and widespread healthcare disruptions. Kaiser Foundation Health Plan (13.4M affected), HealthEquity (4.3M), and Concentra Health Services (4M) rounded out the top breaches, with most incidents involving hacking or IT incidents, particularly targeting third-party vendors. Nine out of the ten largest breaches were attributed to hacking/IT incidents, with five originating from HIPAA business associates’ network servers. The breaches highlighted ongoing cybersecurity challenges in healthcare, including ransomware threats, third-party risk management issues, and the need for enhanced security measures like MFA implementation.

Cybersecurity

• The Office of the Inspector General (OIG) has called for enhancements to the HIPAA audit program due to increasing cyberattacks on healthcare organizations, resulting from the narrow scope and ineffective oversight of previous audits conducted by the Office for Civil Rights (OCR) in 2016-2017. In response, OCR plans to resume HIPAA audits by late 2024 or early 2025, with an expanded focus on physical and technical safeguards, and the development of criteria for compliance reviews. While OCR agreed to most of OIG’s recommendations, it did not concur with the recommendation to ensure deficiencies are corrected, citing limitations in legal authority and resources. OCR also intends to define metrics for monitoring audit effectiveness and will survey past audit participants to track compliance improvements. The enforcement process for potential HIPAA violations involves reviewing complaints, investigating breaches, and potentially referring criminal violations to the Department of Justice.
• A recent report analyzed cyberattacks on cyber-physical systems (CPS) and found significant financial impacts, with 27% of organizations experiencing losses of $1 million or more. Key contributors to these losses included lost revenue (39%), recovery costs (35%), and employee overtime (33%). Ransomware was a major factor, with 53% of respondents paying over $500,000 to regain access to encrypted systems, a problem particularly severe in the healthcare sector. Operational impacts were also significant, with 33% experiencing a full day or more of downtime and 49% taking a week or more to recover. Despite these challenges, 56% of organizations reported increased confidence in their CPS’s ability to withstand cyberattacks, and 72% expect security improvements in the coming year.

Geo-Location Data

• Fog Data Science, a location-tracking company, provides services to police departments by using geolocation data from smartphones to identify places visited by suspects, including sensitive locations like doctors’ offices. The company uses a “Project Intake Form” that asks police to provide locations and personal details about suspects to refine their search in a database of geolocation data collected from mobile apps. This practice has raised privacy concerns, particularly regarding the potential use of location tracking to prosecute abortions. An investigation by the Electronic Frontier Foundation revealed that Fog Data Science purchases extensive geolocation data from data brokers, which is then sold to law enforcement agencies. The Federal Trade Commission has taken action against one of Fog’s data sources, Venntel, for selling sensitive location data without user consent.

Enforcement

• Recent enforcement actions by state and federal law enforcement, including the Texas AG settlement with Pieces Technologies and the FTC’s Operation AI Comply, signal increased scrutiny of AI products under existing consumer protection laws. These actions highlight the importance of clear and conspicuous disclosures regarding AI accuracy, efficacy, and potential risks, as well as the need for substantiation of claims about AI bias and functionality. Companies using AI should be aware of the legal risks and take proactive steps to ensure compliance with applicable laws and regulations.