Categories
Health Law Highlights

Wade’s Health Law Highlights for May 27, 2025

Antitrust

  • State attorneys general are intensifying antitrust enforcement across multiple fronts. States are implementing “baby HSR” statutes requiring merging companies to file notifications directly with state AGs, with Washington recently adopting such laws and Colorado’s taking effect in August 2025. Litigation activity is increasing around healthcare and labor issues, exemplified by Michigan’s lawsuit against pharmacy benefit managers for price fixing and California’s action against no-poach agreements in the food processing industry. States are also bolstering criminal enforcement through initiatives like BRACE—a bid-rigging and criminal enforcement working group—while legislatures in California and New York advance bills to increase criminal penalties for antitrust violations. Companies must now consider state enforcement as carefully as federal oversight, with particular attention to transaction notifications, litigation risk, and enhanced criminal enforcement. Source: McCarter & English, LLP
  • The Department of Justice secured its first criminal wage-fixing conviction when a federal jury found a home health care operator guilty of conspiring with competitors to fix wages for home healthcare nurses. The April 14, 2025 verdict in the District of Nevada case relied heavily on text messages between the operator and competitors that referenced a “mutual agreement” on wages. This landmark conviction follows the DOJ’s 2016 guidance that wage-fixing agreements among labor-market competitors are per se illegal and subject to criminal prosecution, despite previous unsuccessful attempts to secure jury convictions in similar cases. The case is a cautionary tale of the risks of communications outside normal corporate monitoring. Source: Lathrop GPM

Bioprinting

  • 3D printing is revolutionizing healthcare by enabling a shift from mass-produced solutions to customized treatments tailored to individual patients. The technology has transformed multiple medical fields, including prosthetics that can be made affordably for children, custom implants for facial reconstruction and spine repairs, and anatomical models that allow surgeons to practice complex procedures before operations. In pharmaceuticals, 3D printing creates personalized drug dosages and delivery systems, with the FDA approving the first 3D-printed drug Spritam in 2015. While bioprinting has progressed to creating tissue structures like liver tissue, developing full functional organs remains experimental, with current research focusing on smaller tissues and improving cell viability. Despite challenges with regulations, standardization, and accessibility, the integration of artificial intelligence with 3D printing promises further advances in medical applications through optimized designs and materials. Source: Ars Technica

Data Privacy

Drug & Devices

  • Biotech companies are increasingly turning to collaborative deal structures to navigate FDA staffing shortages and financial constraints. With FDA retirements and layoffs extending approval timelines, biotechs facing limited cash runways are using licensing agreements and development partnerships to secure alternative financing while reducing operational costs. These collaborations typically involve upfront payments, milestone-based compensation, and royalties, as exemplified by Zealand Pharma’s recent $5.3 billion collaboration with Roche for obesity treatment technology. However, Hart-Scott-Rodino filing requirements for transactions exceeding certain thresholds (now $126.4 million in 2025) may delay deal completions, with new rules extending filing timelines from under 10 days to at least 30 days and increased scrutiny from the FTC and DOJ on pharmaceutical industry transactions. Source: JD Supra

Emerging Technology

  • Brain-computer interface technology is advancing rapidly with four leading companies poised to expand human trials significantly in 2025. Paradromics, Synchron, Precision Neuroscience, and Neuralink each employ different implantation approaches, from Synchron’s blood vessel-based electrodes to Neuralink’s deep brain implants that penetrate seven millimeters into brain tissue. The number of people with these interfaces will more than double in the next 12 months as companies advance their FDA-approved trials, while Apple has announced plans to make its devices compatible with these implants. Though medical experts caution against viewing this technology as a consumer product due to surgical risks, Morgan Stanley projects the brain-computer implant market will reach $1 billion annually by 2041. These interfaces already enable paralyzed patients to control computers and communicate, with potential future applications including thought-to-speech translation and prosthetic limb manipulation. Source: Wall Street Journal
  • Taiwan is pioneering AI healthcare integration with Nurabot, an AI-powered robot nurse that handles routine hospital tasks to address nurse burnout. Developed through collaboration between Foxconn and Kawasaki Heavy Industries, Nurabot delivers medications, patrols wards, and guides visitors, allowing human nurses to focus on critical patient care as the world faces a projected shortage of 4.5 million nurses by 2030. The technology leverages NVIDIA supercomputers and digital twins—virtual replicas of hospital wards—to simulate and optimize operations before real-world implementation. Taichung Veterans General Hospital is currently conducting field trials with Nurabot, while future iterations may communicate in multiple languages, recognize faces, and assist in lifting patients. Despite challenges like data privacy concerns, Taiwan’s approach offers potential solutions to global healthcare staffing issues through AI integration. Source: Rude Baguette
  • IoT technology revolutionizes healthcare billing through automation and real-time data access. The systems enable automatic recording of usage and charges without manual compilation, providing staff with precise information for error-free bills while reducing labor costs. Patients gain transparency through digital portals displaying detailed bill breakdowns, which reduces disputes and encourages timely payments. Implementation challenges include data privacy concerns (59% of patients fear misuse of medical information), regulatory compliance with laws like HIPAA, compatibility issues between vendor systems, and high upfront costs despite long-term savings. Source: IoT For All

Fraud & Abuse

Gender-Affirming Care

Medical Malpractice

  • Four key states are implementing significant medical malpractice reforms that fundamentally reshape how liability cases proceed through the legal system. Texas restricts evidence to actual payments rather than billed amounts while requiring disclosure of third-party litigation funding, Georgia eliminates “anchoring” tactics by plaintiffs and imposes procedural barriers including discovery stays, Utah establishes minimum insurance requirements and reporting mechanisms to address rural provider shortages, and South Carolina narrows joint liability by requiring fault allocation across all parties. These state-level reforms demonstrate a shift away from headline-grabbing damage caps toward granular changes to legal mechanics that advantage defendants earlier in proceedings, potentially signaling a nationwide trend in malpractice litigation rules. Source: Scott Righthand

Medicare

Mental Health

  • Federal departments have suspended enforcement of the 2024 Mental Health Parity regulations until ongoing litigation concludes plus 18 months. The suspension, announced on May 15, 2025, reinstates the 2013 Final Rule and affects three key requirements: outcomes-based testing, mandatory meaningful benefits across classifications, and fiduciary certification obligations. Plan sponsors and insurers must still conduct nonquantitative treatment limitation comparative analyses and maintain compliance with statutory obligations under the Consolidated Appropriations Act. The departments indicated they will reexamine their enforcement approaches while encouraging states to adopt similar enforcement positions. Despite the suspension, health plans should continue good-faith compliance efforts with the remaining mental health parity requirements. Source: McDermott Will & Emery

Wade’s Health Law Highlights for May 20, 2025

Academic Medical Centers

Data Breach

Fraud & Abuse

  • The Department of Justice has prioritized False Claims Act theories in its criminal enforcement agenda. The Criminal Division’s top priorities include health care fraud and government contracts fraud, trade and customs fraud, and violations of controlled substances laws—all central focuses of False Claims Act enforcement. These enforcement priorities suggest the DOJ views civil FCA liability and criminal penalties as connected pathways in addressing high-priority misconduct. Businesses in regulated industries now face potential parallel criminal investigations alongside civil FCA scrutiny, making robust compliance systems increasingly critical. Recent changes to DOJ enforcement policies regarding self-disclosure, cooperation, and remediation further emphasize that compliance missteps may carry heavier penalties than before. Source: Skadden, Arps, Slate, Meagher & Flom LLP

Health Data

  • Patient data faces significant vulnerabilities when health tech companies fold, due to inadequate regulations and inconsistent security practices. Despite the health tech industry’s growth to $908.5 billion in 2023 with projections to reach $3.1 trillion by 2033, approximately 90% of health tech startups eventually fail, as exemplified by Forward’s abrupt closure in 2024 which left patients struggling to retrieve health records and maintain prescription access. Currently, only 20 states have instituted rules for patient health data protection, with most safeguards relying on user agreements that 91% of consumers don’t read, as seen when 23andMe’s bankruptcy prompted customers to rush to delete their data before possible transfer. Security experts recommend companies implement solid encryption, access controls, proper data deletion procedures with 30-day buffers, and rapid response plans to protect patient information when companies shut down. Source: Healthcare Brew

Insurance Coverage

  • The Tenth Circuit Court of Appeals has ruled that hospital excess liability insurance policies must treat each patient claim as a separate “medical incident.” The May 2, 2025 decision in AdHealth Limited v. PorterCare Adventist Health Systems affirmed that each claim must individually exceed the $2 million self-insurance retention to qualify for excess coverage. PorterCare had sought $40 million in coverage after settling lawsuits from thousands of patients exposed to infection risks due to inadequate sterilization procedures. The court rejected PorterCare’s argument that all claims constituted a single medical incident, instead interpreting the policy language “any one person” as unambiguously limiting coverage to individual claimants. The ruling highlights the importance of policy language in determining how multiple related claims will be treated for insurance purposes. Source: Carlton Fields

Long-Term Care

  • A federal court has struck down key provisions of the Centers for Medicare & Medicaid Services’ staffing mandate for long-term care facilities. The Northern District of Texas vacated requirements for 24/7 registered nurse staffing and minimum staffing ratios of 3.48 hours per resident per day that were set to begin implementation in May 2026. The court determined CMS exceeded its statutory authority by contradicting existing law that requires RN services for only eight consecutive hours daily and by imposing uniform staffing ratios that fail to account for facilities’ unique needs. This ruling follows the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo, which limits federal agencies to authority clearly delegated by Congress and enhances judicial oversight of regulatory actions. While providing regulatory relief, long-term care facilities should continue addressing staffing challenges and monitor potential appeals of this decision. Source: Troutman Pepper Locke

Medicare Advantage

  • UnitedHealth Group faces multiple federal investigations amid leadership changes and financial struggles. According to The Wall Street Journal, the Department of Justice has been conducting a criminal fraud investigation into UnitedHealthcare’s Medicare Advantage business since at least summer 2024, though the company claims no knowledge of such an investigation. This comes alongside an existing antitrust probe examining the relationship between UnitedHealthcare and Optum, plus a civil investigation into Medicare Advantage billing practices. UnitedHealth reported poor first-quarter performance in 2025 with medical costs exceeding expectations. The company’s stock has reached multi-year lows following these developments. Source: Fierce Healthcare

Mergers & Acquisitions

  • Healthcare transaction activity hit its lowest point since Q3 2020, with Q4 2024 volumes decreasing 10.4% from Q3 and 11.7% compared to Q4 2023. Professional Services, Outsourced Services, and Behavioral Health dominated the landscape, accounting for 73.2% of all transactions, with significant deals including New Enterprise Associates’ $1.3 billion acquisition of NeueHealth and Cencora’s $4.6 billion purchase of Retina Consultants of America. Despite an overall 4.9% decline in 2024 transactions compared to 2023, certain sectors showed growth, including Behavioral Health (+7.5%), Managed Care (+10.6%), and Specialty Outpatient Facilities (+14.0%). Healthcare investors continue to face regulatory scrutiny and elevated interest rates, though the incoming Trump administration is expected to create a more favorable M&A environment in 2025 with a less aggressive approach to merger regulation and potential tax cuts. Source: [Ankura](https://www.jdsupra.com/legalnews/quarterly-healthcare-transactions-4427961/)

Part 2

  • The U.S. Department of Health and Human Services has updated 42 CFR Part 2 to align substance use disorder record confidentiality requirements with HIPAA and HITECH standards. The New Rule allows patients to sign a single consent form for future disclosures rather than requiring separate authorizations for each disclosure, while also implementing HIPAA-like breach notification requirements. Penalties for violations now include both civil fines up to $1.5 million per calendar year and criminal penalties up to $250,000 with potential imprisonment from one to ten years. Healthcare entities subject to Part 2 must update their policies regarding patient consent, information disclosure, medical records, breach notification, privacy notices, and data storage. Organizations must comply with these new requirements by February 16, 2026 to avoid significant penalties in the increasingly stringent enforcement landscape. Source: Katton

Regulation


Wade’s Health Law Highlights for May 13, 2025

Artificial Intelligence in Healthcare

Fraud & Abuse

  • The Seventh and Second Circuits issued opinions narrowing the scope of advertising, marketing, and booking fee activities that violate the federal Anti-Kickback Statute (AKS). In Sorenson, the Seventh Circuit reversed a conviction by ruling that payments to marketing firms for generating leads don’t constitute illegal kickbacks when physicians retain independent judgment and the payments represent compensation for advertising rather than inducement for referrals. Similarly, in Sisselman, the Second Circuit affirmed dismissal of claims against Zocdoc, finding that the company’s reliance on favorable HHS-OIG advisory opinions about its booking fee model defeated the scienter requirement necessary for AKS violations. These rulings establish that marketing activities are not automatically illegal under the AKS when marketers don’t directly influence healthcare decisions and that obtaining favorable advisory opinions can provide protection against both AKS and False Claims Act allegations. Source: Venable
  • The U.S. Attorney’s Office for the Southern District of New York announced a $202 million civil False Claims Act settlement with Gilead, resolving allegations that the company’s speaker program violated the Anti-Kickback Statute. Between 2011 and 2017, Gilead paid 548 healthcare providers more than $23.7 million in honoraria, meals, and travel expenses, which prosecutors claimed induced recipients to prescribe Gilead’s HIV medications. The government questioned these programs’ educational value, citing issues including venue selection, alcohol service, and commercial influence on speaker selection, while sales personnel reportedly circumvented meal limits by recording food costs as room fees. This settlement serves as a reminder that authorities analyze speaker program data to identify compliance issues, encouraging companies to implement rigorous controls such as headquarters-based review of speakers and restricting repeat attendance at similar programs. Source: Skadden
  • Attorney General Pam Bondi has directed the Department of Justice to investigate pharmaceutical companies and healthcare providers involved in gender transition treatments for potential violations of federal law. The April 22, 2025 memorandum implements Executive Order 14187, which reversed Biden Administration policies supporting gender transition treatments and procedures. The DOJ will pursue potential False Claims Act violations against providers who submit reimbursement claims for gender transition medications or procedures to federal healthcare programs, along with Food, Drug, and Cosmetic Act violations for “off-label” promotion of medications used for transitions. Bondi announced the creation of the Coalition Against Child Mutilation to coordinate with state attorneys general, expressed eagerness to work with qui tam whistleblowers, and stated the DOJ will no longer follow World Professional Association for Transgender Health guidelines. Healthcare and life sciences companies are advised to review promotional materials, billing practices, and internal whistleblowing procedures to mitigate enforcement risks. Source: DLA Piper
  • Four individuals have been sentenced to federal prison for orchestrating a $110 million healthcare fraud scheme in Texas. John Rodriguez, a former pharmacist who owned Pharr Family Pharmacy, received 60 months imprisonment while his co-conspirators Mohammad Chowdhury received 30 months, and Hector de la Cruz and Alex Flores each received 46 months. The group paid kickbacks to medical providers who referred prescriptions to Rodriguez’s pharmacy, which then billed federal programs including the Department of Labor, TRICARE, and Medicare. From 2014 to 2016, the pharmacy submitted more than $110 million in claims to federal health care programs for compound drugs, with all defendants now required to serve three years of supervised release following their prison terms. The investigation involved multiple federal agencies including the FBI, with U.S. Attorney Nicholas Ganjei stating that “Illegal kickbacks are the engine that drives health care fraud.” Source: United States Department of Justice

Hospitals

Legislation

  • Two bills were introduced that would create new regulatory requirements for healthcare organizations undergoing ownership, operational, or governance changes. House Bill 2747 would require healthcare entities to notify the Texas attorney general 90 days before material change transactions and authorizes penalties up to $10,000 per violation. Senate Bill 1595 mandates healthcare entities report ownership and control information to the secretary of state annually and during material change transactions, with substantial penalties for non-compliance. The reporting requirements for material change transactions apply to entities with at least $10 million in assets or revenue, with penalties reaching $500,000 per violation for larger organizations. Both bills would take effect September 1, 2025, if passed. Source: King & Spalding
  • The Texas House of Representatives has approved two bills designed to facilitate access to psychedelic-assisted therapy once federal approval is granted. The first bill, HB 4014, passed 115-31 and establishes a state-backed study into the use of psilocybin, MDMA, and ketamine for treating conditions like PTSD and depression, with the study to be conducted in consultation with researchers at Baylor College of Medicine and UT Austin. The second bill, HB 4813, passed unanimously and ensures substances reclassified under federal law will be similarly controlled under state law “as soon as practicable,” aimed specifically at expediting access to psychedelic therapies for Texas veterans once FDA approval occurs. The legislation builds on a 2021 measure that studied psychedelics for treating veterans with PTSD, which supporters say helped make Texas “a pioneer in this space.” Source: Marijuana Moment

Life Science

  • Private equity firms investing in life science companies face regulatory challenges across multiple domains including AI, fraud enforcement, and pharmaceutical pricing. The Trump Administration has revamped regulatory frameworks through executive orders that mandate agency restructuring and significant deregulation across health agencies. DOJ continues investigating fraud in the sector with heightened scrutiny of investor involvement in portfolio company operations, though establishing FCA liability for sponsors remains legally challenging. New trade policies implementing baseline and reciprocal tariffs affect the healthcare industry, with pharmaceutical imports under national security investigation through Section 232. Medicare drug price negotiations proceed while executive orders seek to lower costs through accelerated approvals for generics and improved drug importation programs. Source: White & Case

Medicare

Non-Competes

  • Several states have enacted legislation taking effect in 2025 that restricts noncompete agreements for healthcare workers. Arkansas will ban physician noncompetes completely while Louisiana limits them to three years for primary care physicians and five years for other physicians. Maryland restricts noncompetes to one year and within ten miles for healthcare workers earning under $350,000, while Pennsylvania caps them at one year for doctors and certain nursing professionals. Utah prohibits “health care services platforms” from requiring noncompetes, joining states like Texas, Florida, and Colorado that already have established limitations on physician noncompete agreements. Source: Foley & Lardner

Nursing


Wade’s Health Law Highlights for May 6, 2025

Artificial Intelligence

  • Houston Methodist is teaming up with Ambience Healthcare to integrate AI into emergency departments and inpatient care settings to address documentation and workflow challenges. The technology will capture provider-patient conversations, gather details for admissions and documentation, extract information from charts, and understand specific coding needs of each care setting. Emergency department clinicians report high burnout levels and complete approximately 4,000 mouse clicks during busy shifts, while the new AI aims to reduce this “click mileage” by eliminating copy-pasting documentation. Dr. Jordan Dale, chief medical information officer at Houston Methodist, stated they are committed to finding new ways to relieve clinicians with AI technology that enhances the patient-provider experience.
  • The University of Texas Medical Branch (UTMB) uses AI to automatically analyze all CT scans for cardiac risk, identifying patients with coronary artery calcification who might otherwise go undetected. The system calculates an Agatston score through convolutional neural networks, categorizes patients into risk tiers, and sends automated notifications to high-risk patients and their physicians, evaluating approximately 450 scans monthly with 5-10 high-risk cases identified. UTMB also employs AI for rapid stroke and pulmonary embolism detection, with algorithms that notify care teams within seconds of imaging, and uses AI to assist with inpatient admission decisions by analyzing electronic health records.

Data Breach

  • Ascension Health has announced that some of its patients’ data may have been exfiltrated following a December attack that compromised a former business partner’s third-party software. Patient information from care sites in Alabama, Indiana, Michigan, Tennessee, and Texas was inadvertently shared with the breached business partner, including names, birthdates, addresses, phone numbers, email addresses, Social Security numbers, race, gender, and clinical details. Ascension says its own systems, networks, and electronic health records were not involved in this incident. This disclosure follows a previous Black Basta ransomware attack reported months ago that affected 5.6 million individuals and disrupted Ascension’s electronic health records system and some hospital emergency care operations.

Food as Medicine

  • Food as medicine encompasses nutritional interventions to prevent or treat disease through programs like medically tailored meals and produce prescriptions. Medicare Advantage offers food as medicine through supplemental benefits, special benefits for chronically ill enrollees, and the Value-Based Insurance Design Model, while Medicaid provides coverage through Section 1115 waivers and other authorities. There is uncertainty about future federal funding for food as medicine initiatives. Private funding faces challenges as employer health plans must classify food interventions as qualified medical expenses, requiring physician documentation and third-party verification.

Fraud & Abuse

Geriatrics

Medicare Beneficiaries

  • Medicare requirements follow patients regardless of a provider’s cash-based practice model, with three provider categories determining Medicare billing obligations. Participating providers enroll in Medicare and accept assignment on all claims, billing Medicare directly for covered services. Non-participating providers enroll in Medicare but choose which claims to accept assignment on, must submit all claims to Medicare, and face limitations on what they can charge beneficiaries. Opt-out providers must file an affidavit valid for two years, enter specific contracts with Medicare beneficiaries, and can charge patients without Medicare limitations, though certain provider types cannot opt out of Medicare.

Provider Networks

  • Network rental agreements in healthcare allow payers to access each other’s provider networks and fee schedules, which can circumvent negotiated contracts and subject providers to unfavorable rates. These arrangements may violate antitrust laws as horizontal price-fixing schemes under Section 1 of the Sherman Act, with courts applying the per se rule to find them unreasonably restrictive of trade. In January 2025, AIDS Health Foundation won over $10 million in damages after an arbitrator ruled that a network rental agreement between Prime Therapeutics and Express Scripts constituted illegal price-fixing, while a similar class action by Osterhaus Pharmacy against Express Scripts is proceeding after surviving a motion to dismiss in February 2025. Oklahoma has proposed legislation (SB789) to prohibit pharmacy benefit managers from making their provider networks available to other PBMs, potentially effective November 2025.

Staffing

Texas Medicaid

  • The Texas Health and Human Services Commission denied Cook Children’s Health Plan a renewed Medicaid contract in March 2024, putting healthcare for 125,000 members at risk starting September, including 10,000 children with complex medical needs. The decision could force families to switch to one of four national for-profit plans, potentially disrupting established care relationships and eliminating local community-based coordination that has served Fort Worth families for 25 years. Cook Children’s has filed legal action against the commission after their protest was denied, while state lawmakers have introduced bills to change how Medicaid contracts are awarded to protect local healthcare management. The contract termination could impact 400 Fort Worth employees, 1,455 primary care providers, and 2,550 specialists, causing 75.6% insurance plan turnover in Tarrant County.

Wade’s Health Law Highlights for April 29, 2025

Affordable Care Act

Artificial Intelligence

  • Texas Children’s Hospital has developed an AI model to assess bone age in pediatric patients, reducing radiologist image reading time by 30-50% since its November launch. The AI interprets X-rays to estimate bone age, which radiologists then verify, allowing them to focus on more complex procedures like interventional radiology. This bone age tool is part of Texas Children’s broader initiative that has produced twelve in-house AI solutions, including models for employee recognition, patient no-shows, and readmissions. The hospital maintains a comprehensive AI governance framework with representatives from clinical, operational, information security, and legal departments to ensure ethical use, prevent bias, and protect data privacy.
  • The Trump Administration released two revised policies on April 3, 2025, replacing previous AI guidelines with new frameworks for federal agencies. OMB Memorandum M-25-21 encourages agencies to implement AI solutions that maximize taxpayer value while identifying healthcare applications as “high-impact AI” due to their role in medical devices, patient diagnosis, and insurance decisions. The second policy, OMB Memorandum M-25-22, requires agencies including HHS to update acquisition procedures for AI systems, establish cross-functional teams for decision-making, and ensure appropriate intellectual property terms in contracts. These updates must be completed by December 29, 2025, replacing policies from the previous administration that were rescinded through Executive Order 14179 in January 2025.

Business Associates

Data Access and Breach

  • Data silos in healthcare create fragmented information landscapes that hinder patient care, delay diagnosis, and force clinical staff to perform time-consuming clerical tasks. The Trusted Exchange Framework and Common Agreement (TEFCA) aims to break down these silos by connecting health information networks and imposing financial penalties for information blocking. Healthcare organizations can improve data integration by creating stakeholder incentives, implementing strong governance frameworks, empowering patients to control their data, and adopting cloud-native management technologies. Eliminating data silos optimizes clinical workflows, reduces errors, enables specialist collaboration, and creates a foundation for AI applications that can identify patients at risk for adverse outcomes.
  • Blue Shield of California confirmed on April 9 that a misconfigured Google Analytics implementation exposed protected health information of 4.7 million patients between April 2021 and January 2024. The breach, identified as the largest healthcare data breach of 2025, potentially shared patient names, locations, gender, family size, medical services information, and search criteria with Google Ads for targeted advertising. Blue Shield stated no malicious actors were involved and the exposed data did not include Social Security numbers, driver’s licenses, or financial information. The company has advised affected members to monitor their accounts and credit reports for suspicious activity.
  • The U.S. Department of Health and Human Services Office for Civil Rights has reached a $600,000 settlement with PIH Health, Inc. over HIPAA violations. The California health care network reported a June 2019 phishing attack that compromised 45 employee email accounts and exposed the protected health information of 189,763 individuals. OCR’s investigation found PIH failed to properly protect health information, conduct thorough risk analysis, and notify affected parties within the required timeframe. As part of the settlement, PIH must implement a corrective action plan including risk analysis, management planning, policy development, and staff training, which will be monitored by OCR for two years.

Fraud & Abuse

Hospitals

Medicare

  • CMS issued its annual Hospital Inpatient Prospective Payment System and Long-Term Care Hospital Prospective Payment System Proposed Rule for FY 2026 on April 11, 2025. The proposal includes a 2.4% increase in operating payment rates for general acute care hospitals and a 2.6% increase for LTCH standard payment rates, with expected IPPS payment increases of $4 billion. CMS plans to discontinue the low wage index hospital policy following a court order, reduce the labor-related share from 67.6% to 66%, and modify the nursing and allied health payment formula by changing the order of operations for calculating reimbursable net costs. The proposal also announces the reallocation of FTE cap slots from two closed teaching hospitals and increases the uncompensated care payment pool to $7.14 billion for FY 2026, with comments due by June 10, 2025.
  • Healthcare providers face potential revenue losses of $80 billion in 2026 due to looming Medicaid cuts, with hospitals at greatest risk if states drop expansion programs. Federal policy changes may include reducing assistance percentages, capping funds, intensifying eligibility requirements, and increasing scrutiny of payments, which could accelerate hospital closures particularly in rural and low-income areas. Healthcare organizations must respond by improving margins, expanding alternative revenue streams, optimizing operations, enhancing care coordination, and strengthening documentation compliance to survive these financial challenges.

Mergers & Acquisitions

  • States are rapidly enacting health care transaction review laws that require pre-transaction notification and often approval from state agencies before health care entities can complete mergers, acquisitions, or ownership changes. These laws can be categorized into four types: those amending material change transaction processes, bills seeking disclosure, legislation enhancing antitrust laws, and proposals prohibiting private equity and hedge funds from controlling health care entities. California’s proposals AB 1415 and SB 351 seek to broaden the Office of Health Care Affordability’s review authority over transactions involving management services organizations and reinforce prohibitions against corporate practice of medicine, particularly targeting private equity and hedge funds.

Non-Competes

  • Arkansas passed legislation that voids noncompete agreements restricting physicians’ practice within their scope. The law, expected to take effect around July 15, 2025, applies to medical doctors and osteopaths licensed under Arkansas statutes. The Act does not specify whether it will invalidate existing physician noncompete agreements or only apply to future contracts. While physician noncompetes are now prohibited, other restrictive covenants such as non-solicitation agreements, confidentiality agreements, and standard employment terms remain enforceable for physicians in Arkansas.

Pharmacies & Benefit Managers

  • The pharmacy industry confronts significant challenges as 29% of retail pharmacies closed between 2010-2021, with closures disproportionately affecting communities serving Medicaid and Medicare patients. Drug shortages persist due to vulnerable supply chains heavily dependent on foreign manufacturing of pharmaceutical ingredients from China and India, which legislative efforts like California’s CalRx initiative and the federal Affordable Drug Manufacturing Act aim to address. President Trump’s February 2025 Executive Order mandates enhanced transparency in drug pricing, requiring agencies to propose new guidelines within 90 days. The pharmacy sector is simultaneously exploring artificial intelligence to improve medication management and patient care, though implementation faces obstacles including high costs, potential lack of human touch, data quality concerns, and ethical considerations around patient information.
  • CMS published a final rule requiring Part D pharmacies to enroll in the Medicare Transaction Facilitator Data Module to facilitate the Medicare Drug Price Negotiation Program established by the Inflation Reduction Act. The Data Module will help manufacturers verify eligibility and accelerate retrospective refunds to pharmacies for the ten negotiated drug products in 2026, while an optional Payment Module will facilitate fund transfers and manage claims revisions. Enrollment begins in June 2025 after the rule takes effect on June 3, with chain pharmacies able to enroll through one centralized submission and dispensing entities permitted to use Pharmacy Service Administrative Organizations to receive Maximum Fair Price refunds.
  • In a federal court ruling, Tennessee’s “any willing pharmacy” law was deemed preempted by ERISA because it impermissibly affected plan structure rather than merely regulating costs. The McKee decision aligns with the Tenth Circuit’s ruling in PCMA v. Mulready, which invalidated Oklahoma’s law requiring PBMs to follow certain pharmacy network standards. Courts have consistently held that while states can regulate PBM reimbursement rates, they cannot interfere with plan operation or network design. Self-funded group health plans currently face conflicting state PBM laws across multiple jurisdictions, creating a regulatory challenge that requires resolution by either the Supreme Court or Congress.

Ransomware

  • Three healthcare organizations—DaVita, Bell Ambulance, and Alabama Ophthalmology Associates—recently suffered ransomware attacks that compromised sensitive patient data including names, Social Security numbers, and medical information. The Bell Ambulance attack affected 114,000 individuals while the Alabama Ophthalmology Associates breach impacted 131,576 people, with different ransomware groups claiming responsibility for each attack. Healthcare organizations remain prime targets for cybercriminals due to the sensitive nature of patient data, with ransomware attacks against the sector increasing 300% since 2015 according to Microsoft. Security experts recommend focusing on basic security measures like strong passwords, multifactor authentication, and properly segmented networks to protect healthcare systems from these threats.
  • The U.S. Department of Health and Human Services Office for Civil Rights has reached a settlement with Comprehensive Neurology regarding a HIPAA Security Rule violation following a ransomware attack. The December 2020 breach compromised the protected health information of 6,800 individuals, including names, clinical information, insurance details, and Social Security numbers. OCR’s investigation determined that the neurology practice failed to conduct a thorough risk analysis of potential vulnerabilities to electronic protected health information. Under the settlement terms, Comprehensive Neurology must implement a corrective action plan monitored for two years and pay $25,000 to OCR, marking the agency’s 12th ransomware enforcement action and 8th enforcement action in its Risk Analysis Initiative.

Wade’s Health Law Highlights for April 22, 2025

AI in Healthcare

  • A recent survey found that healthcare professionals expect AI to have the greatest impact on administrative tasks (52.4%), followed by EHR management (47.6%) and diagnostic accuracy (41.9%). The survey of 105 professionals across 73 U.S. healthcare organizations revealed that 81.6% of physicians and 78.8% of administrators are eager to adopt AI tools to address workforce shortages and burnout. Nearly 64.8% of respondents view AI as critical for reducing workloads, while 37.1% believe it will improve decision-making in precision medicine, diagnostics, and treatment planning through real-time data insights.
  • The National Academy of Medicine released a report comparing generative AI with conventional predictive AI in healthcare. The 15-page publication examines five key differences between these technologies: output evaluation methods, bias manifestation patterns, performance degradation characteristics, societal impacts, and compliance considerations. While predictive AI produces quantitative predictions with straightforward performance metrics, generative AI creates subjective content requiring monitoring for coherence and factual accuracy. The report also introduces a 4-point responsibility matrix categorizing stakeholders as “informed,” “consulted,” “accountable,” or “responsible” to guide implementation in clinical decision-making, administrative efficiency, and patient engagement contexts.

Antitrust

  • States are requiring more premerger filings by enacting “baby-HSR” laws modeled after the federal Hart-Scott-Rodino Act, with Washington becoming the first state to expand beyond healthcare to cover all industries. Washington’s law requires parties to submit HSR filings to the state Attorney General if they have their principal place of business in Washington or if in-state annual sales exceed 20% of the HSR filing threshold ($126.4 million). Several other states including California, Colorado, Hawaii, Nevada, Utah, West Virginia, and DC have introduced similar legislation based on the Uniform Premerger Notification Act, while fifteen states already have laws requiring pre-transaction notification for healthcare-related mergers and acquisitions. State attorneys general are increasingly active in merger enforcement, with the National Association of Attorneys General Antitrust Committee chair warning companies to ignore state AGs “at your own peril.”
  • A federal jury convicted a man for conspiring to fix wages for Las Vegas home healthcare nurses between 2016-2019 and for fraudulently concealing the investigation during his company’s sale. This marks the Department of Justice’s first antitrust jury conviction since announcing in 2016 that wage-fixing and no-poach agreements would be prosecuted criminally rather than civilly. The conviction follows three previous unsuccessful DOJ prosecutions in similar cases where juries declined to find illegal agreements. The DOJ reiterated in January 2025 that felony criminal charges remain appropriate for agreements affecting worker recruitment or wage terms.

Capital Assets

  • Healthcare equipment leases come in two main types: operating leases (short-term agreements lasting 1-5 years with lower monthly payments) and capital leases (10-20 year agreements with purchase options). Healthcare organizations can benefit from leasing through improved cash flow management, avoiding large upfront costs, and gaining tax advantages as operating leases allow for interest and depreciation deductions. Leasing provides flexibility to upgrade equipment as technology evolves, with 60% of healthcare institutions reporting a 15% increase in equipment expenses over the past two years. Understanding lease structures, fair market value, and residual values helps healthcare organizations make informed decisions about equipment acquisition.

Data Privacy

  • Three healthcare organizations reported data breaches affecting thousands of patients in recent months. Central Texas Pediatric Orthopedics experienced a network server hack on March 3, 2025, compromising personal and medical information of 140,000 patients, with the Qilin ransomware group claiming responsibility. Omni Healthcare Financial Holdings reported unauthorized network access between January 18-19, 2024, affecting 16,701 individuals, but only completed notifications on April 9, 2025, fifteen months after the breach. Community Dental Care in Minnesota discovered unauthorized access to their network on December 20, 2024, with confirmation on March 24, 2025 that names, addresses, Social Security numbers, and medical information were exposed, though the total number of affected individuals remains unclear.
  • Six current and former employees have filed a class action lawsuit against University of Maryland Medical System Corporation and University of Maryland Medical Center. Former UMMC pharmacist Matthew Bathula allegedly installed keylogging software on approximately 400 hospital devices over a decade, obtaining credentials of at least 80 staff members and using them to access victims’ personal accounts, webcams, and home security cameras. The lawsuit claims UMMC had inadequate security that enabled Bathula to target primarily young female medical professionals, recording them in private moments including breastfeeding and intimate activities. After terminating Bathula, UMMC replaced compromised computers and implemented additional cybersecurity controls, but the lawsuit alleges the hospital was aware of potential hacking for years without identifying the perpetrator.
  • Data privacy and data security represent distinct concepts that organizations often mistakenly treat as interchangeable. Data privacy focuses on individual control over personal information and regulatory compliance with laws like GDPR and HIPAA, while data security involves technical protections against unauthorized access through measures like encryption and fraud detection. The DOGE incident, where unauthorized access was gained to Treasury Department records, demonstrates how compliance with privacy regulations does not guarantee security from breaches. Organizations must establish separate teams with clear responsibilities—privacy oversight by compliance teams and security management by IT security professionals—to prevent vulnerabilities. Companies that fail to distinguish between these concepts risk regulatory penalties, consumer distrust, operational disruptions, and financial losses from both privacy violations and security breaches.

Equity

  • Health care entities managed or funded by HHS face approaching deadlines for Section 1557 compliance, with requirements to review decision-making tools for bias, adopt new policies, and train employees by May 1, 2025, while providers receiving only Medicare Part B funds have until May 6. By July 5, 2025, covered entities must distribute notices about non-English assistance availability, replacing previous foreign language taglines. The enforcement outlook remains uncertain as key components of these regulations conflict with the current administration’s policy goals, particularly regarding transgender protections and foreign language assistance requirements, following executive orders that established English as the official U.S. language.

Fraud & Abuse

  • The Seventh Circuit Court of Appeals overturned a landmark Anti-Kickback Statute conviction. Mark Sorensen, the owner of SyMed Inc., had been sentenced to 42 months in prison for allegedly paying kickbacks to marketing firms, a DME manufacturer, and a billing company in connection with Medicare-billed orthopedic braces. The appellate court ruled that Sorensen’s payments did not violate the law because there was insufficient evidence that any recipients influenced healthcare decisions, noting that 80% of prescriptions were rejected by physicians who maintained independent decision-making authority. This ruling clarifies that marketing recommendations are not necessarily illegal referrals and that percentage-based compensation structures are not automatically unlawful under the Anti-Kickback Statute.

Laboratories

  • Recent False Claims Act litigation demonstrates critical compliance risks for medical laboratories. In Jensen ex rel. United States of America v. Genesis Laboratory, the court dismissed qui tam claims that Genesis submitted false claims to Medicare for unnecessary tests and violated the Anti-Kickback Statute by waiving copayments to induce referrals, citing insufficient evidence. The takeaway is that laboratories must exercise independent judgment on medical necessity despite physician certifications, ensure requisition forms comply with Medicare regulations, review copayment waiver policies, and maintain documentation of compliance efforts. Laboratories should implement robust compliance programs, provide staff training, document processes thoroughly, and consult legal counsel to mitigate regulatory risks.

Medicare

  • CMS issued the fiscal year 2026 Medicare Hospital Inpatient Prospective Payment System proposed rule on April 11, 2025, with comments due by June 10, 2025. The rule proposes a 2.4% increase in operating payment rates for qualifying acute care hospitals, creates several new MS-DRG categories while deleting others, and increases uncompensated care payments to $7.29 billion for FY 2026. Special rural designations including the Medicare-dependent hospital program and low-volume hospital payment adjustment are set to expire on September 30, 2025, with hospitals previously qualifying for MDH status to be paid based on the federal rate thereafter. The rule also proposes updates to the Transforming Episode Accountability Model, which will begin as a five-year mandatory model on January 1, 2026.
  • The Trump administration released two final regulatory documents for Medicare Advantage (MA) for 2026, with CMS finalizing a basic payment update of +5.06% that will increase MA payments by $25 billion. CMS did not finalize proposals to expand coverage of anti-obesity medications or implement health equity requirements for utilization management policies, but did codify IRA provisions requiring $0 cost sharing for ACIP-recommended vaccines and $35 monthly caps for insulin. The final rule also includes provisions for Dual Eligible Special Needs Plans, inpatient setting protections, and guardrails for supplemental benefits, while the new risk model will be fully implemented in 2026, saving Medicare trust funds approximately $13 billion.

Pharmacy Benefit Managers

  • Arlington-based Texas Health Resources is suing six drugmakers and pharmacy benefit managers, alleging they colluded to raise insulin prices by up to 1,000% over two decades while collecting secret rebates and fees. The nonprofit system filed the federal lawsuit on March 26 in New Jersey District Court against Express Scripts, CVS Caremark, Optum Rx, Sanofi, Eli Lilly, and Novo Nordisk, claiming violations of the RICO Act and Texas consumer protection laws. Texas Health Resources, which covers about 40,000 beneficiaries through its self-funded insurance plan, joins more than 400 other entities that have filed similar lawsuits against these companies. All defendants have denied the allegations, with CVS Caremark, Sanofi, Novo Nordisk, Optum Rx, and Eli Lilly each issuing statements calling the lawsuit baseless or meritless and defending their pricing practices.

Private Equity

  • Texas’ Corporate Practice of Medicine doctrine prohibits corporations and non-physicians from practicing medicine or employing physicians to provide medical services. Private equity firms use Management Service Organization models to invest in healthcare while attempting to comply with CPOM restrictions, but many management service agreements contain provisions that transfer excessive control to non-physician entities. Courts have identified several red flags that indicate CPOM violations, including excessive fee structures, control over medical personnel, financial control, influence over clinical decision-making, and restrictive clauses that limit physicians’ ability to terminate relationships. Contracts that violate the CPOM doctrine are likely unenforceable under Texas law, giving physicians potential legal grounds to terminate problematic MSO relationships without penalty.

Ransomware

  • Ransomware group Qilin posted 42 gigabytes of data stolen from Central Texas Pediatric Orthopedics on the dark web in February, with the practice now notifying 140,121 affected individuals. The unauthorized access occurred between January 23-26, 2025, compromising patient information including names, government IDs, medical data, insurance details, birth dates, and X-ray images of minors. CTPO has reported the breach to the FBI and implemented security enhancements including endpoint detection software, password resets, and server rebuilding. Experts warn that pediatric healthcare records are particularly valuable targets due to children’s pristine credit histories, with several law firms already investigating the incident for potential class action litigation.

Reimbursement

Skilled Nursing Facilities

  • CMS has extended the deadline for Skilled Nursing Facilities (SNFs) to submit Medicare revalidations to August 1, 2025, following a previous extension from the original deadline to May 1, 2025. The extension comes as AHCA/NCAL reports less than 20% of SNFs had submitted applications by mid-March, with many applications being returned with requests for additional information. The revalidation process now includes Attachment 1, which collects new categories of information on ownership, management, organization, and administration. CMS updated its guidance on April 9, 2025, with additions to Section IV and FAQs regarding requirements for reporting Additional Disclosable Parties.

Legal Risks of Patient Marketing

Health care providers seeking to grow their practice must tread carefully when it comes to marketing arrangements. While increasing patient volume is a common business goal, not all marketing tactics are legally permissible—especially when they involve payment structures tied to patient referrals. Even seemingly harmless agreements, such as paying a company based on the number of patients it delivers, can trigger serious legal and regulatory consequences.

The health care marketing industry often promotes services promising fast and measurable patient growth. These offers can be enticing, especially in competitive markets. However, providers must scrutinize these deals, as some cross legal boundaries. In Texas, the Patient Solicitation Act makes it illegal to offer or receive anything of value in exchange for referring patients. That means performance-based marketing arrangements could be interpreted as unlawful inducements.

Federal law also casts a wide net. The Anti-Kickback Statute prohibits remuneration for referrals involving federally funded programs like Medicare and Medicaid. Violations can lead to significant civil and criminal penalties, including fines, exclusion from federal health care programs, and even imprisonment. Additionally, such conduct may run afoul of the False Claims Act, especially if it results in improperly billed federal claims.

Texas law adds another layer of complexity with its barratry statute, which bans the improper solicitation of professional services—including by health care providers. This statute is often enforced in the context of personal injury and legal services, but its reach can extend to medical marketing tactics that resemble client chasing.

Penalties for violating these laws can be severe. In addition to civil and criminal liability, providers risk disciplinary action from their licensing boards, which may include suspension or revocation of their professional licenses.

To avoid these pitfalls, health care providers should never enter into marketing or referral agreements without first consulting qualified legal counsel. A proactive legal review can help ensure that promotional strategies comply with both state and federal laws, protecting the provider’s reputation, finances, and professional standing. When it comes to patient marketing, compliance must always come before convenience.


Wade’s Health Law Highlights for April 15, 2025

OIG Advisory Opinion No. 25-02

Favorable opinion regarding an arrangement whereby Requestor—designated as a community health center pursuant to Section 330 of the Public Health Service Act—proposes, during the provision of certain social services to individuals, to: (1) identify individuals in need of primary care services; (2) inform them of the availability of such services; and (3) schedule an appointment for them to receive primary care services from Requestor or refer them to a local primary care provider.

🔍 What’s the Issue?

A federally designated Community Health Center (the “Requestor”) asked the Office of Inspector General (OIG) if it could legally do the following as part of its community outreach:

  1. Identify individuals in need of primary care during their visits for social services (like childcare, food, or safety support).
  2. Inform them about available primary care providers.
  3. Help them schedule appointments—either with the Health Center itself or another local provider.

They wanted to make sure this setup wouldn’t violate federal anti-kickback laws or other rules meant to prevent improper patient referrals.

🏥 Background on the Health Center

  • Offers free or low-cost medical and social services to underserved communities.
  • Also gives out non-healthcare goods, like diapers, books, and help for crime victims.
  • Many people come for the social services but don’t realize they can also get affordable medical care there.

⚖️ Legal Concerns

Two key laws are at play:

  1. Anti-Kickback Statute – Prohibits giving something of value to induce someone to use federally funded healthcare services.
  2. Beneficiary Inducements CMP – Prohibits offering free stuff to patients to influence their choice of healthcare provider.

OIG’s Conclusion: Allowable with conditions

OIG said they will not impose penalties because:

  • The Health Center does not push patients to choose them—they provide a neutral list of providers in alphabetical order.
  • Other providers can be included on the list (“any willing provider” rule).
  • People can still get social services even if they don’t want or need healthcare.
  • The goal is to connect underserved people with care they might otherwise skip due to cost or confusion.

OIG found the setup aligns with the Health Center’s mission to help underserved populations and isn’t a scheme to inappropriately gain more patients.

🚦 Bottom Line

The arrangement is legally allowable as long as it’s carried out fairly and transparently. The Health Center must stick to the safeguards they promised—neutral lists, no pressure to choose them, and full freedom for individuals to pick any provider or none at all.

Data Privacy

  • A dental management firm is notifying 173,400 people across six states about an email hack that exposed sensitive information including names, Social Security numbers, and medical data. The Nashville-based firm, which provides HR and finance services to 60 dental practices and 10 group practices, faces at least four federal class action lawsuits alleging negligence in safeguarding patient information. The breach was discovered on September 11, 2024, when suspicious activity was detected in an employee’s email account, making it the largest of three major dental-related data breaches reported in 2025. In 2024, about two dozen dental practice breaches affected more than 1.2 million individuals, highlighting the sector’s vulnerability to cyberattacks.
  • HIPAA compliance faces significant changes in 2025 as HHS implements new security measures following a 264% increase in ransomware attacks in 2024. The Office for Civil Rights is enforcing stricter security risk analysis requirements while proposing updates to the HIPAA Security Rule that would mandate technical improvements like encryption and multifactor authentication. Patient access rights remain a priority with multiple enforcement actions in 2024-2025, alongside new information blocking rules effective December 2024. Additionally, HHS issued a final rule protecting reproductive health care information privacy in December 2024, though this faces legal challenges from Texas in federal court.

False Claims Act

Medicare Reimbursement

  • A new Medicare policy aims to combat fraud in the skin substitutes market where spending quadrupled in four years, costing taxpayers nearly $10 billion annually. The Local Coverage Determination (LCD) ensures Medicare only covers treatments with clinical evidence while maintaining access to over a dozen proven skin substitutes. The policy targets companies that exploited loopholes to generate nine-figure revenues without research or FDA review, and will take effect April 13, 2025. Medicare Administrative Contractors implemented this measure to proactively prevent fraud rather than relying on lengthy investigations after damage is done.

Mergers & Acquisitions

  • The U.S. Department of Health and Human Services is closing six of its ten Office of the General Counsel regional offices and reducing its workforce by 20,000 employees. This consolidation will likely cause disruptions to Change of Ownership approvals needed for healthcare mergers and acquisitions, as well as delays in enforcement actions and compliance determinations. The four remaining OGC offices will redistribute workload across larger geographic areas, potentially resulting in loss of localized expertise and creating challenges for Medicare contractors. Healthcare investors and providers are advised to consult with experienced attorneys to navigate these changes and minimize transaction disruptions.
  • The Texas House of Representatives introduced House Bill 2747, requiring health care entities to provide 90-day advance notice to the Texas Attorney General for transactions resulting in material ownership, operations, or governance changes. The bill, which would take effect September 1, 2025 if passed, applies to a broad range of health care entities including providers, facilities, provider organizations, and pharmacy benefit managers. The legislation grants the Texas Attorney General power to conduct market studies on health care market conditions and transaction impacts, with violations potentially resulting in a $10,000 civil penalty. Texas joins numerous states implementing increased oversight of health care transactions, with common focus on competition, market concentration, and care quality.

Think Twice Before Responding to That Negative Online Review

It’s natural to want to defend your practice—especially when a negative online review feels unfair, misleading, or outright false. But for healthcare providers, responding to a bad review isn’t just a public relations concern—it’s a legal one. You could be walking straight into a HIPAA violation.

Under HIPAA—and many state privacy laws—healthcare providers are prohibited from disclosing patient health information to unauthorized individuals. This includes not only obvious disclosures, such as a diagnosis or treatment details, but also something as seemingly harmless as confirming that someone is a patient. Even a simple statement like, “I’m sorry you felt that way about your visit,” could be interpreted as a disclosure of protected health information (PHI).

So what should you do when confronted with a negative review?

First, decide if it’s worth responding at all. Not every negative review needs a response. Sometimes, the most strategic move is to let it go. However, if the review contains false or defamatory statements, you may want to contact the review platform and request that it be removed in accordance with their content policies.

If you do choose to respond, you can still do so in a way that protects patient privacy. A compliant response should acknowledge that your practice takes concerns seriously, reaffirm your general commitment to quality care, and invite the individual to contact your office directly to discuss the matter further. This approach demonstrates professionalism without crossing any legal boundaries.

What you should never do is reference the reviewer’s condition, visit, or any personal detail—no matter how vague it seems. Likewise, avoid blaming the patient, even if you feel their account is inaccurate or incomplete. Comments like, “You missed several appointments” or “You didn’t follow the treatment plan,” are not only unprofessional—they may constitute a HIPAA violation.

Also, don’t get pulled into an online back-and-forth. Responding more than once can escalate tensions, increase the risk of disclosing sensitive information, and reflect poorly on your practice. One thoughtful, respectful response is enough.

Finally, remember that your response is not just for the reviewer—it’s for everyone else reading it. Potential patients will form impressions about your professionalism, judgment, and values based on how you handle criticism. Always be polite, measured, and HIPAA-compliant. A negative review can be frustrating—but turning it into a HIPAA violation is far worse. Stay calm, stay professional, and when in doubt, don’t respond publicly at all.

Categories
Health Law Highlights

Wade’s Health Law Highlights for April 8, 2025

Antitrust

  • The Department of Justice announced the formation of an Anticompetitive Regulations Task Force aimed at eliminating state and federal laws that undermine market competition. The Task Force will focus on five key sectors: housing, transportation, food and agriculture, healthcare, and energy, while taking a whole-of-government approach with attorneys and economists from across the Antitrust Division and other agencies. Public comments will be accepted until May 26, 2025, to help identify problematic regulations, with the initiative following a similar effort from the first Trump administration in 2018. Questions remain about the Task Force’s jurisdiction over state laws and regulations, particularly regarding the state action immunity doctrine that protects state and local governments from federal antitrust claims.

Compliance, Audits, and Enforcement

  • Healthcare experts emphasize that proper documentation and regular internal audits are essential for medical billing compliance. Medical billers, coders, and nurse reviewers provide critical services including medical record reviews, billing analysis, and assessment of treatment appropriateness for healthcare providers, attorneys, and insurance companies. Healthcare providers remain responsible for billing accuracy even when using third-party billing services, making practice managers with compliance expertise a valuable investment that can prevent claim denials and expand revenue. In litigation contexts, these specialists can identify billing discrepancies, evaluate standard of care, and help establish links between injuries and medical events, transforming what begins as malpractice cases into fraud investigations when necessary.
  • The Office of Inspector General (OIG) recently released a report identifying 287 audit issues across all twelve Medicare Administrative Contractor (MAC) jurisdictions during fiscal years 2019-2021, with each jurisdiction failing to meet the 95% performance threshold for Review and Audit Quality standards in at least one year. The report categorized issues into five areas: improper reviews, inadequate oversight of medical education reimbursement, improper review of cost allocations, improper calculations for nursing programs, and inadequate review of bad debts. OIG recommended that CMS provide MACs with better explanations of evaluation results, update audit programs with revised requirements, and offer additional training, to which CMS responded that it already meets weekly with MACs and is working to incorporate updated guidance into audit programs.
  • President Trump issued an Executive Order on February 25, 2025 to strengthen enforcement of healthcare price transparency regulations, building upon a 2019 order and rooted in the Affordable Care Act’s 2010 amendments. A 2024 audit revealed only 46 percent of hospitals were compliant with transparency rules, with penalties ranging from $300 to $5,500 per day depending on hospital capacity. Healthcare organizations face increased risks including administrative penalties, civil enforcement actions, and potential criminal liability, prompting recommendations for internal audits, enhanced compliance programs, legal counsel engagement, and robust reporting mechanisms.

Cybersecurity and Data Protection

  • Biosensors in healthcare face complex regulatory challenges across different regions, with the FDA in the US using a three-tier risk classification system while the EU implements stricter Medical Device and In Vitro Diagnostic Regulations. Data security remains problematic with 40% of FDA-approved wearables lacking robust encryption, while ethical concerns persist regarding data ownership and privacy, exemplified by a study showing 60% of diabetes apps sell user data without clear consent. Technological innovation outpaces regulatory frameworks, creating validation bottlenecks for startups and highlighting the need for global harmonization, as only 15 countries have adopted the WHO’s Global Model Regulatory Framework. Market access varies significantly between countries, with reimbursement policies and affordability creating barriers to equitable distribution of biosensor technology.
  • Data privacy is a major concern when implementing AI in managed care pharmacy, particularly regarding how HIPAA-protected information interacts with large language models. Current expectations suggest liability for AI errors will primarily fall on healthcare providers rather than vendors, though this model could evolve as the technology develops. Organizations cannot guarantee AI systems are completely free from bias, making continuous data review and human oversight essential. Colborn recommends that organizations establish clear frameworks for AI use, disclose which entities receive patient data, and commit to rigorous oversight to address patient concerns.
  • According to CIO’s 2024 Security Priorities study, 40% of tech leaders prioritize strengthening confidential data protection as organizations implement comprehensive security frameworks including encryption, Zero Trust Architecture, and multi-factor authentication to combat cyber threats. Security experts recommend data governance frameworks with clear standards for quality, accuracy, and relevance, alongside Master Data Management to create a single source of truth for critical business entities. Organizations must address human error through regular cybersecurity training, simulated threats, and interactive awareness programs to transform employees into a strong defense line. AI technologies are being deployed to detect and mitigate cyber threats in real time while also optimizing operations through intelligent automation and enabling personalized customer experiences.

Drug Regulation

  • The popularity of GLP-1 drugs for weight loss and diabetes has triggered multiple litigation fronts in the U.S. FDA drug shortages led to legal battles between brand manufacturers and compounding pharmacies, with recent cases challenging FDA decisions to remove drugs like tirzepatide and semaglutide from shortage lists. Patent litigation follows the Hatch-Waxman framework with varying timelines based on FDA exclusivity periods – liraglutide’s first generic was approved in December 2024, semaglutide faces ongoing patent challenges through 2025, and tirzepatide’s exclusivity extends to 2027. The International Trade Commission provides another venue for enforcement, with Eli Lilly pursuing action against online pharmacies selling compounded tirzepatide, potentially resulting in import bans.
  • The Eastern District of Texas vacated the FDA’s Laboratory Developed Test (LDT) Final Rule, ruling in favor of laboratory plaintiffs who argued that LDTs are services rather than devices under the Federal Food, Drug and Cosmetic Act. The court determined that LDTs are “proprietary methodologies” outside FDA jurisdiction, as the agency can only regulate tangible goods like test kits, not professional medical services. The ruling establishes that Congress gave the Centers for Medicare and Medicaid Services authority to regulate clinical laboratories and their tests under the Clinical Laboratory Improvements Act, not the FDA. The decision prevents nearly 80,000 existing LDTs and over 1,100 laboratories from falling under FDA’s regulatory framework that was scheduled to take effect in May 2025.

Medical Malpractice

  • While AI can reduce medical errors, experts debate who bears liability when AI-assisted healthcare goes wrong. The Federation of State Medical Boards recommends holding clinicians responsible for AI errors, not technology creators, with 3 in 5 physicians now using AI in their practice. Medical liability insurer Indigo believes AI will ultimately reduce malpractice rates, though legal experts note there’s no clear framework for determining fault in AI-related medical mistakes. Healthcare organizations are urged to establish AI usage guidelines for staff, as clinicians face challenges verifying AI recommendations amid time constraints and staffing shortages.

Mergers & Acquisitions

  • The physician practice M&A market is experiencing a revival with pharmaceutical companies, pharmaceutical services providers, and insurers emerging as strategic buyers in the physician practice management space. Despite headwinds including regulatory pressure, macroeconomic challenges, and operational difficulties, major transactions have occurred such as Cencora’s $4.6 billion acquisition of Retina Consultants of America and Cardinal Health’s $2.8 billion stake in GI Alliance. Strategic buyers pursue these acquisitions to diversify their businesses, achieve vertical integration, and gain control over care delivery, with future consolidation likely driven by buyers with available capital and interest in diversification.

Veterinary Medicine and Telehealth

  • A Texas State Senator has proposed legislation to expand telehealth practices to veterinary medicine, which would update Texas law to allow veterinarians to establish client-patient relationships electronically without requiring initial physical examinations. The Texas Veterinary Medical Association opposes the bill, warning that serious conditions could be misdiagnosed without physical examinations, potentially threatening animal health and the state’s $15 billion animal agriculture industry. Supporters argue telehealth would benefit rural areas with limited veterinary access.