Category: Health Law Highlights

AI Implementation

• A recent report reveals that AI is primarily used for administrative tasks in healthcare settings, with clinical applications still in early adoption stages. Most medical facilities have been using AI for at least 10 months, and there is an expectation for AI to play a larger role in reviewing electronic health records and enhancing patient care. A significant knowledge gap exists, as only 24% of respondents received AI training from their employers, and concerns about data privacy and ethical issues are prevalent among 72% and 70% of respondents, respectively. Currently, AI is used for transcribing patient notes and business meetings, creating routine communications, and analyzing medical images. In the future, over 40% of respondents expect AI to assist more in clinical applications and physician training.
• The Department of Justice (DOJ) is scrutinizing the use of AI in healthcare, updating compliance guidelines to ensure companies mitigate risks associated with AI misuse, emphasizing the need for robust compliance programs and risk assessments. Health care companies must ensure compliance programs are equipped to handle AI-related risks, with adequate resources and training to prevent misuse and ensure accountability. Overall, these developments highlight significant legal challenges and regulatory scrutiny in the healthcare sector, emphasizing the need for vigilant compliance and monitoring of ongoing litigation.
• The Texas Attorney General has initiated investigations into 15 companies including Character.AI, Reddit, Instagram, and Discord regarding their privacy and safety practices for minors under the SCOPE Act and TDPSA, which require parental consent for data collection and provide tools for privacy control. The investigations are part of Texas’s broader data privacy enforcement initiative, following a recent lawsuit against TikTok and a $1.4 billion settlement with Meta over facial recognition data misuse. The SCOPE Act specifically prohibits sharing minors’ personal information without parental consent and requires companies to provide parental control tools, while the TDPSA enforces strict notice and consent requirements for collecting minors’ personal data. These protections extend to AI products, and Texas has demonstrated its commitment to data privacy enforcement through actions like the lawsuit against General Motors for illegal driver surveillance and data sharing with insurance companies. Texas is becoming a leader in data privacy enforcement, with these investigations representing a significant step toward ensuring technology companies comply with state laws protecting children from exploitation and harm.

Data Privacy

• Healthcare data represents 30% of global data, with 97% currently unused, though this is changing through AI and improved accessibility. Real-world data (RWD) and evidence (RWE) are becoming crucial, with 90% of life sciences executives leveraging RWE for decision-making, while AI algorithms have improved clinical trial matching by over 40% and recruitment by 1,800%. Patient-centric healthcare organizations are achieving twice the revenue growth compared to those with lower satisfaction scores, with AI-powered clinical decision support systems saving approximately $1,000 per patient encounter. Supply chain challenges remain significant, with 80% of healthcare providers expecting issues to persist or worsen, and half of suppliers losing over 2.5% revenue due to shortages between February 2023-2024, though predictive AI systems can now identify product shortages with over 90% accuracy.
• Even public-facing healthcare websites can present significant privacy risks through seemingly innocent features like contact forms, appointment requests, and symptom checkers. Unauthenticated pages can inadvertently capture Protected Health Information (PHI) through web forms, tracking technologies, cookies, and web beacons, which may collect user data including IP addresses and browsing history. Healthcare organizations must implement proper safeguards including data encryption, secure storage, explicit consent mechanisms, and careful evaluation of third-party tracking technologies to maintain HIPAA compliance. Organizations should consider minimizing PHI collection on public pages by providing general inquiry options instead of detailed health information forms, while maintaining clear privacy notices and readily accessible contact information for privacy-related concerns. The protection of PHI requires ongoing vigilance and consistency, as even basic data points can constitute protected health information when linked to an individual’s healthcare activities.

Data Breaches

• The healthcare sector experienced unprecedented data breaches in 2024, with 168 million individuals affected across all reported incidents and 137 million from the top 10 breaches alone. Change Healthcare suffered the largest breach, affecting 100 million individuals due to a BlackCat/ALPHV ransomware attack that exploited an MFA-lacking Citrix portal, resulting in a $22 million ransom payment and widespread healthcare disruptions. Kaiser Foundation Health Plan (13.4M affected), HealthEquity (4.3M), and Concentra Health Services (4M) rounded out the top breaches, with most incidents involving hacking or IT incidents, particularly targeting third-party vendors. Nine out of the ten largest breaches were attributed to hacking/IT incidents, with five originating from HIPAA business associates’ network servers. The breaches highlighted ongoing cybersecurity challenges in healthcare, including ransomware threats, third-party risk management issues, and the need for enhanced security measures like MFA implementation.

Cybersecurity

• The Office of the Inspector General (OIG) has called for enhancements to the HIPAA audit program due to increasing cyberattacks on healthcare organizations, resulting from the narrow scope and ineffective oversight of previous audits conducted by the Office for Civil Rights (OCR) in 2016-2017. In response, OCR plans to resume HIPAA audits by late 2024 or early 2025, with an expanded focus on physical and technical safeguards, and the development of criteria for compliance reviews. While OCR agreed to most of OIG’s recommendations, it did not concur with the recommendation to ensure deficiencies are corrected, citing limitations in legal authority and resources. OCR also intends to define metrics for monitoring audit effectiveness and will survey past audit participants to track compliance improvements. The enforcement process for potential HIPAA violations involves reviewing complaints, investigating breaches, and potentially referring criminal violations to the Department of Justice.
• A recent report analyzed cyberattacks on cyber-physical systems (CPS) and found significant financial impacts, with 27% of organizations experiencing losses of $1 million or more. Key contributors to these losses included lost revenue (39%), recovery costs (35%), and employee overtime (33%). Ransomware was a major factor, with 53% of respondents paying over $500,000 to regain access to encrypted systems, a problem particularly severe in the healthcare sector. Operational impacts were also significant, with 33% experiencing a full day or more of downtime and 49% taking a week or more to recover. Despite these challenges, 56% of organizations reported increased confidence in their CPS’s ability to withstand cyberattacks, and 72% expect security improvements in the coming year.

Geo-Location Data

• Fog Data Science, a location-tracking company, provides services to police departments by using geolocation data from smartphones to identify places visited by suspects, including sensitive locations like doctors’ offices. The company uses a “Project Intake Form” that asks police to provide locations and personal details about suspects to refine their search in a database of geolocation data collected from mobile apps. This practice has raised privacy concerns, particularly regarding the potential use of location tracking to prosecute abortions. An investigation by the Electronic Frontier Foundation revealed that Fog Data Science purchases extensive geolocation data from data brokers, which is then sold to law enforcement agencies. The Federal Trade Commission has taken action against one of Fog’s data sources, Venntel, for selling sensitive location data without user consent.

Enforcement

• Recent enforcement actions by state and federal law enforcement, including the Texas AG settlement with Pieces Technologies and the FTC’s Operation AI Comply, signal increased scrutiny of AI products under existing consumer protection laws. These actions highlight the importance of clear and conspicuous disclosures regarding AI accuracy, efficacy, and potential risks, as well as the need for substantiation of claims about AI bias and functionality. Companies using AI should be aware of the legal risks and take proactive steps to ensure compliance with applicable laws and regulations.

Centers for Medicare & Medicaid Services

• On November 1, the Centers for Medicare & Medicaid Services (CMS) finalized an extension of virtual direct supervision through real-time audio-visual technology until December 31, 2025, and permanently for certain “incident to” services. These changes are part of the CY 2025 Medicare Physician Fee Schedule (MPFS) and Medicare Hospital Outpatient Prospective Payment System (OPPS) final rules, which revise regulations to balance patient safety and program integrity with expanded access to care. CMS has permanently extended virtual direct supervision for specific low-risk services typically performed by auxiliary personnel, such as those described by CPT code 99211. CMS is considering further expanding permanent virtual direct supervision for additional low-risk services like diagnostic tests and behavioral health. Stakeholders have generally supported the extension, though concerns about patient safety and billing barriers remain.
• Medicaid involves a complex five-year lookback period where any unexplained transfers of assets can result in penalty periods affecting eligibility. The penalty period length is calculated by dividing the transferred asset value by the state’s determined nursing home cost, with the period beginning when the applicant is otherwise eligible for benefits while in a nursing facility. Several exemptions exist, including transfers between spouses, transfers to young or disabled children, and specific cases involving primary residence transfers to siblings or caretaker children who meet certain criteria. Applicants can avoid penalties by proving the transfer was intended for fair market value, was made for purposes other than qualifying for Medicaid, or if the transferred assets are returned. The process is particularly challenging for elderly residents with diminished cognitive function, often requiring nursing facility staff or consultants to handle the documentation and appeals process.
• CMS Issues Final Rules for Medicare Parts A and B Overpayments: Key and Lingering Questions outlines significant changes to Medicare overpayment rules effective January 1, 2025. The Centers for Medicare & Medicaid Services released a final rule in November 2024 that modifies overpayment requirements in two key ways: allowing a 180-day suspension of the return deadline during good-faith investigations and changing the standard for identifying overpayments to align with the False Claims Act’s knowledge standard. The new rule removes the requirement to quantify overpayment amounts before identification, though CMS notes that practical considerations still require calculation within 60 days of identification. While appearing to extend timeframes for providers, the rule may actually reduce available time for identifying and returning overpayments, and leaves several critical questions unanswered regarding notice requirements and handling of incomplete investigations after the 180-day period.

Compliance Programs

• The Office of Inspector General (OIG) issued new Industry-Specific Compliance Program Guidance (ICPG) for nursing facilities, updating its previous guidance from 2000 and 2008 to address modern compliance challenges. The guidance focuses on four main risk areas: quality of care and life, Medicare/Medicaid billing requirements, Federal Anti-Kickback Statute compliance, and other risks including HIPAA and civil rights. Quality of care issues highlighted include staffing levels, infection control, emergency preparedness, and medication use, with the OIG noting these were particularly problematic during the COVID-19 pandemic. The guidance addresses billing compliance under the prospective payment system, warning against common issues like duplicate billing and fraudulent cost reports, while also providing recommendations for avoiding kickback risks in referral arrangements with various healthcare entities. The OIG encourages nursing facilities to use this guidance to identify their own risk areas and implement appropriate compliance and quality programs to mitigate these risks.

Hospital Outpatient Practices

• Texas hospitals have been acquiring doctors’ practices and integrating them into their outpatient networks, benefiting from higher Medicare fees for hospital-operated facilities. Congress is considering reforms to standardize Medicare payments regardless of the service location, potentially saving the government up to $100 billion over the next decade. This change could significantly impact hospital revenues, as they rely on these higher fees to support outpatient services. Hospitals argue that the higher fees are necessary to cover the costs of treating uninsured patients and maintaining service access. The proposed reforms, supported by bipartisan efforts, aim to curb Medicare spending, but they raise concerns about financial strain on hospitals, especially those already struggling, like rural hospitals in Texas.

HIPAA

• The U.S. Department of Health and Human Services “Reproductive Health Care Privacy Rule” becomes effective on December 23, 2024. To enhance privacy protections for reproductive health services, including abortion, the rule prohibits Covered Entities and Business Associates from disclosing protected health information (PHI) for investigations or liability related to reproductive health care if it is lawful or protected under federal law. Requests for PHI related to reproductive health care require a signed attestation confirming the information will not be used for prohibited purposes. Covered Entities must update their Notice of Privacy Practices to reflect these changes and ensure disclosures to law enforcement are only made when legally required and compliant with HIPAA. Professional organizations advise caution in disclosing PHI to prevent or lessen serious threats, recommending legal consultation for such decisions.
• The Office of the Inspector General (OIG) has called for enhancements to the HIPAA audit program due to increasing cyberattacks on healthcare organizations, resulting from the narrow scope and ineffective oversight of previous audits conducted by the Office for Civil Rights (OCR) in 2016-2017. In response, OCR plans to resume HIPAA audits by late 2024 or early 2025, with an expanded focus on physical and technical safeguards, and the development of criteria for compliance reviews. While OCR agreed to most of OIG’s recommendations, it did not concur with the recommendation to ensure deficiencies are corrected, citing limitations in legal authority and resources. OCR also intends to define metrics for monitoring audit effectiveness and will survey past audit participants to track compliance improvements. The enforcement process for potential HIPAA violations involves reviewing complaints, investigating breaches, and potentially referring criminal violations to the Department of Justice.
• HHS-OIG anticipates recovering $7.13 billion in FY 2024 from investigations and audits, including $4 billion from activities between April and September 2024, resulting from 1,548 criminal and civil enforcement actions. The June 2024 National Health Care Fraud Enforcement Action charged 193 individuals in schemes totaling $2.75 billion in losses, while 3,234 individuals were added to the HHS-OIG exclusion list, barring them from federal healthcare programs. Notable cases included two brothers ordered to pay $424 million in restitution for DME fraud and a nurse practitioner ordered to pay $192 million, with HHS-OIG consistently achieving a $10 return on every $1 invested in investigations. The agency’s investigations revealed significant issues in durable medical equipment fraud schemes, involving telemarketing strategies and physician bribes for unnecessary equipment orders. Beyond financial recoveries, HHS-OIG identified systemic issues including states’ inability to monitor maltreatment in foster care facilities and the need to improve maternal healthcare access through MCO provider coverage requirements.
• Even public-facing healthcare websites can present significant privacy risks through seemingly innocent features like contact forms, appointment requests, and symptom checkers. Unauthenticated pages can inadvertently capture Protected Health Information (PHI) through web forms, tracking technologies, cookies, and web beacons, which may collect user data including IP addresses and browsing history. Healthcare organizations must implement proper safeguards including data encryption, secure storage, explicit consent mechanisms, and careful evaluation of third-party tracking technologies to maintain HIPAA compliance. Organizations should consider minimizing PHI collection on public pages by providing general inquiry options instead of detailed health information forms, while maintaining clear privacy notices and readily accessible contact information for privacy-related concerns. The protection of PHI requires ongoing vigilance and consistency, as even basic data points can constitute protected health information when linked to an individual’s healthcare activities.

OIG Fraud Alert

• The Office of Inspector General (OIG) has issued a Special Fraud Alert to highlight fraud and abuse risks associated with marketing arrangements between Medicare Advantage Organizations (MAOs), healthcare professionals (HCPs), agents, and brokers. The alert identifies problematic compensation arrangements that violate the Federal anti-kickback statute, leading to improper steering of Medicare enrollees, unfair competition, and potential harm to enrollees. Specifically, payments from MAOs to HCPs for referrals and from HCPs to agents or brokers for steering enrollees are scrutinized. Such arrangements may result in enrollees being inappropriately enrolled in Medicare Advantage plans that do not meet their needs, often influenced by financial incentives rather than the best interest of the enrollees. The alert also outlines suspect characteristics of these arrangements that could indicate heightened fraud and abuse risk.

GLP-1 Drugs

• Since 2022, four GLP-1 drugs, including those for weight loss, have been on the FDA’s drug shortage list due to high demand, leading to widespread compounding of these drugs, which would normally be prohibited. Compounded GLP-1s have become popular due to their accessibility and lower cost, despite potential differences from branded versions in formulation and administration. If the shortage ends, compounded GLP-1s will become unapproved drugs, posing legal and regulatory challenges for the FDA and compounders. The situation highlights unique market dynamics and regulatory challenges, but it is unlikely to signal a broader shift in FDA’s approach to drug compounding. The compounded GLP-1 market’s future is uncertain, with potential legal battles and pressure from branded drug manufacturers to restrict compounding.

Insurance Coverage

• A federal judge blocked a Biden administration rule allowing DACA recipients to enroll in health insurance through the Affordable Care Act, siding with 19 state attorneys general who argued it violated a law against providing public benefits to those without legal immigration status. This ruling affects DACA recipients in the 19 states that filed the lawsuit, leaving the rule in effect elsewhere. The decision prevents thousands of DACA recipients in those states from accessing subsidized health coverage, forcing many to rely on employer-provided insurance, state programs, or remain uninsured. The Kansas Attorney General, who led the legal challenge, praised the ruling as upholding the rule of law.

Physician Compensation

• It is vital to use nationally published compensation and productivity survey data correctly to set provider compensation at fair market value (FMV). Misconceptions about using survey data for FMV provider compensation are common, including the belief that compensation under the 75th percentile is always FMV or that compensation above the 90th percentile is impermissible. Relying solely on productivity ratios like compensation per wRVU or compensation-to-collections can also be misleading, as they don’t fully capture the complexity of provider compensation. To ensure FMV compensation, organizations should analyze individual arrangements, consider regional variations, and seek expert guidance from valuation firms like VMG Health.

Fraud & Abuse

• Recent lawsuits by pharmaceutical manufacturers challenge the U.S. Department of Health and Human Services Office of Inspector General’s interpretation of the Anti-Kickback Statute (AKS), arguing that violations require corrupt intent; however, courts have largely sided with the OIG, maintaining that any remuneration intended to induce purchases violates the AKS. In Zafirov v. Florida Medical Associates LLC, a Florida court ruled the False Claims Act (FCA) qui tam provision unconstitutional, raising questions about FCA enforcement without this mechanism, though the government still retains authority to file FCA actions independently.

Medicare Advantage Organizations

• The U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a special fraud alert on December 11, 2024, focusing on potentially abusive marketing arrangements between Medicare Advantage Organizations (MAOs), healthcare professionals (HCPs), and brokers/agents. The alert specifically addresses two concerning arrangements: MAOs providing payments to HCPs for patient referrals, and HCPs paying agents/brokers for patient recommendations, both of which could violate the federal anti-kickback statute and other laws. OIG identified several suspect characteristics that may indicate fraud risk, including payments contingent on patient demographics or health status, and remuneration that varies with referral numbers. Following recent settlements with MCS Advantage ($4.2 million) and Oak Street Health ($60 million), this alert emphasizes the need for careful structuring of relationships between MAOs, HCPs, and brokers/agents to ensure compliance with federal laws and prevent improper steering, inappropriate enrollments, and anticompetitive conduct. The guidance aims to protect Medicare Advantage beneficiaries from enrolling in unsuitable plans or choosing inappropriate healthcare providers based on financially motivated recommendations rather than their actual healthcare needs.
• The Centers for Medicare and Medicaid Services released a 240-page Proposed Rule on December 10, 2024, introducing significant changes to Medicare Advantage (MA), Medicare Part D, Medicaid, Medicare cost plans, and PACE programs. Key changes include stricter requirements for medical loss ratio (MLR) reporting, requiring incentives and bonuses to be tied to measurable clinical or quality improvement standards, and new regulations for quality improvement activity expenses. The rule proposes new guidelines for supplemental benefits administered through debit cards, including restrictions on usage and marketing, while expanding the definition of “marketing” under MA and Part D regulations to enable stronger CMS oversight. Additional proposals include enhanced agent/broker disclosure obligations, new pharmacy network contracting requirements including mandatory notification deadlines and reciprocal termination rights, and required pharmacy enrollment in the Medicare Transaction Facilitator Data Module. The proposals aim to improve transparency, reduce excessive spending, and enhance beneficiary protections across Medicare programs.

Unlicensed Practice of Medicine

• Texas Attorney General Ken Paxton has filed a lawsuit accusing a New York doctor of prescribing abortion drugs to a Texas resident in violation of state law. The lawsuit targets Dr. Margaret Carpenter, who allegedly mailed abortion pills to a 20-year-old woman in Collin County, Texas, when she was nine weeks pregnant, with Paxton seeking $100,000 for each violation of Texas’ near-total abortion ban. The case represents the first test of conflicting state abortion laws, with New York’s shield law protecting providers from out-of-state investigations while Texas vows to pursue such cases regardless. Dr. Carpenter, who is not licensed in Texas, founded the Abortion Coalition for Telemedicine and works with organizations that help provide telemedicine consultations and abortion pills to patients in states with abortion bans. Legal experts are divided on the outcome, with New York’s shield law designed to prevent Texas from bringing New York providers into Texas courts, potentially leaving Texas without a defendant to prosecute.

AI Governance

• At the HLTH health innovation conference, a panel of AI experts expressed skepticism about appointing a chief AI officer in health organizations, advocating instead for improving AI literacy across the board. Some providers have established an AI oversight committee and an AI Enablement Center to democratize AI governance and ensure responsible integration of AI technologies. The widespread use of AI in radiology for diagnostic support and the growing adoption of ambient AI scribes have significantly reduced administrative burdens for physicians. The use of AI in administrative tasks, such as drafting patient communications, has shown positive results, with patients reportedly preferring AI-generated responses for their empathetic tone. Nevertheless, it is important to maintain a human element in AI applications, ensuring that AI supports rather than replaces clinical decision-making.
• The FDA has issued final guidance on regulating changes to AI-enabled medical devices through pre-determined change control plans (PCCPs), allowing for post-market modifications while maintaining safety and effectiveness. PCCPs, first introduced in 2019, enable performance enhancements by outlining specific, verifiable modifications and include a description of planned changes, a modification protocol, and an impact assessment. The guidance, consistent with a 2023 draft, now includes a section on version control and maintenance. While no adaptive AI-enabled devices have been authorized yet, PCCPs have been approved for devices through various regulatory pathways. Modifications under a PCCP must stay within the device’s intended use, and significant changes, such as altering a device’s user base or core functionalities, require new marketing submissions.
• The rapid evolution of AI in healthcare presents challenges for physicians and legal compliance, with shifting regulations and emerging laws at both federal and state levels. A federal rule effective July 2024 requires healthcare providers to comply with anti-discrimination regulations by May 2025, while various state bills focus on transparency, bias elimination, and AI limitations. Organizations like HIMSS and the AMA provide guidance on AI implementation, emphasizing human oversight and ethical considerations to enhance patient care and reduce costs. Legal risks associated with AI, such as data privacy, potential bias, and the unlicensed practice of medicine, necessitate legal expertise for healthcare providers. Despite these challenges, AI has the potential to generate actionable insights and improve healthcare operations, provided it is used responsibly and with appropriate legal guidance.
• A recent study published in npj Digital Medicine outlines comprehensive guidelines for the responsible integration of AI into healthcare, developed by a team from Harvard Medical School and the Mass General Brigham AI Governance Committee. The study emphasizes nine principles, including fairness, robustness, and accountability, and highlights the need for diverse training datasets and regular equity evaluations to reduce bias. A pilot study and shadow deployment were conducted to assess AI systems, focusing on privacy, security, and usability in clinical workflows. The study also stresses the importance of transparent communication regarding AI systems’ FDA status and a risk-based monitoring approach. Future efforts will expand testing to ensure AI systems remain equitable and effective across diverse healthcare settings.

Medical Judgment

• A recent study at Beth Israel Medical Center revealed that generative AI tools outperformed physicians in diagnosing patients by nearly 20%, achieving around 90% accuracy. This study challenges the “fundamental theorem of informatics,” which posits that human-computer collaboration should surpass either working alone. Despite the potential of genAI in healthcare, there are concerns about biases in AI models, their impact on clinician skills, and patient data privacy. As AI technology advances, the industry must address these issues and ensure that clinicians are adequately trained to use and manage these tools effectively.
• Use of artificial intelligence (AI) in health care quality measurement can enhance the precision and efficiency of performance assessment. However, the use of AI in measurement also raises concerns about biases that could perpetuate disparities and affect vulnerable individuals. There have been recent national discussions that emphasize the need for ethical, transparent, and equi­table AI applications in health care quality measurement, such as the US Centers for Medicare & Medicaid Services’ (CMS) information session titled “AI in Quality Measurement” and the Biden-Harris Administration’s Executive Order on AI. Addressing bias is crucial to ensuring that AI tools do not exacerbate existing inequalities, but instead contribute to fair quality assessment and high-quality outcomes.
• Artificial intelligence, particularly large language models like ChatGPT, is increasingly used in healthcare for tasks such as answering patient questions and predicting diseases. A study by Ben-Gurion University researchers evaluated the performance of these models in understanding medical information, revealing that most models, even those trained on medical data, performed poorly, akin to random guessing. ChatGPT-4, however, showed better performance with an average accuracy of about 60%, though still not fully satisfactory. The research involved generating over 800,000 questions to assess model capabilities in distinguishing between medical concepts. The findings emphasize the need for caution in using AI for medical purposes and highlight the importance of developing models with a broader understanding of clinical language.

Employment

• Job applicants often face the challenge of applying for ghost jobs, which are non-existent positions posted by companies to build talent pools or create an illusion of growth. A 2024 survey found that 81% of recruiters have posted ghost jobs, and 30% of companies have done so this year. This practice raises ethical and data privacy concerns, particularly under the EU’s GDPR and California’s CCPA, which require transparency and proper notice of data collection purposes. Ghost jobs may violate these regulations, leading to potential fines and reputational damage for companies. Applicants can protect themselves by recognizing signs of ghost jobs and understanding their data privacy rights.
• Companies have increasingly adopted AI tools for hiring and employment decisions, raising concerns about bias and mistakes. A California Privacy Protection Agency meeting debated proposed rules to regulate AI in employment, emphasizing worker rights and transparency. Various U.S. states have enacted laws to manage AI in hiring, such as requiring consent for using AI in interviews or mandating audits to ensure non-bias. High-profile cases illustrate the potential for AI to discriminate, echoing past issues with automated credit decisions. Despite potential benefits, there is a call for transparency and governance in AI use, as candidates may avoid opportunities if AI is involved without clear policies.

Data Privacy

• According to a new survey, data privacy remains a top challenge for one-third (33%) of healthcare professionals across the seven major markets when integrating AI into clinical practice.
• GoodRx, a telemedicine platform provider, has agreed to settle a class action lawsuit for $25 million due to its use of tracking technologies that disclosed website visitor data to third parties without user consent. The Federal Trade Commission (FTC) found that GoodRx violated the FTC Act and the Health Breach Notification Rule by sharing sensitive user data without consent, leading to a separate $1.5 million settlement with the FTC. The consolidated lawsuit, Jane Doe et al. v. GoodRx Holdings, Inc., et al., includes claims of privacy invasion and violations of various California and New York laws, with Meta, Google, and Criteo also named as co-defendants. The Court is set to rule on the $25 million settlement, which, if approved, will allow affected individuals to file claims for compensation from the settlement fund. The plaintiffs’ attorneys are seeking $8.33 million, or one-third of the settlement, for fees and costs.
• The Federal Trade Commission (FTC) has taken action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for allegedly violating the FTC Act by collecting, using, and selling sensitive geolocation data without user consent. These companies are accused of unlawfully tracking and selling data related to visits to sensitive locations such as healthcare facilities, places of worship, and schools, potentially exposing consumers to privacy risks and discrimination. The FTC claims they collected over 17 billion signals daily from about a billion mobile devices, using precise geolocation data tied to unique Mobile Advertising IDs (MAIDs), which could identify individuals. The proposed FTC order requires the companies to delete all historical location data unless de-identified, notify third parties to do the same, and establish a program to prevent unauthorized use of sensitive location data. This settlement aims to protect consumer privacy and prevent misuse of sensitive geolocation information.

HIPAA Penalties

• The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) imposed a $548,265 civil monetary penalty on Children’s Hospital Colorado for violations of the HIPAA Privacy and Security Rules following breaches reported in 2017 and 2020 due to phishing attacks. The breaches compromised the protected health information (PHI) of 3,370 and 10,840 individuals, respectively, and were partly due to disabled multi-factor authentication and unauthorized email access by third parties. OCR found additional violations for failure to train staff on HIPAA Privacy Rules and conduct a proper risk analysis of electronic PHI (ePHI). In June 2024, Children’s Hospital Colorado waived its right to a hearing, leading OCR to finalize the penalty. OCR recommends that covered entities implement robust cybersecurity measures, including multi-factor authentication, encryption, regular risk analyses, and workforce training to prevent such breaches.
• The U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined Gulf Coast Pain Consultants, LLC, $1.19 million for multiple HIPAA Security Rule violations, including failing to terminate a former contractor’s access to systems containing electronic protected health information (ePHI). The contractor, who had ceased providing services in August 2018, accessed ePHI of approximately 34,310 individuals without authorization and generated around 6,500 false Medicare claims. Gulf Coast Pain Consultants failed to conduct a HIPAA-compliant risk analysis until September 30, 2022, and did not implement necessary policies and procedures for access termination and activity review until April 2020. The penalty is part of OCR’s 14th HIPAA enforcement action in 2024 and highlights the importance of proactive cybersecurity measures. Despite providing evidence of mitigating factors, Gulf Coast Pain Consultants could not reach an informal settlement with OCR.

Quantum Computing

• The convergence of quantum technology and artificial intelligence in precision medicine is set to revolutionize healthcare by enabling highly personalized treatments and advancing drug design, medical imaging, and real-time health monitoring. Second-generation quantum technologies, which integrate quantum and classical computing, offer significant advantages in computing, sensing, and networking, with applications ranging from drug discovery to secure patient data sharing. However, these advancements come with regulatory challenges, as existing frameworks may not adequately address the unique risks associated with quantum devices, necessitating the development of new evaluation protocols, risk management frameworks, and clinical trial guidelines. Policymakers are encouraged to promote quantum literacy, anticipate societal impacts, and implement adaptive regulations to balance innovation with public safety. Ultimately, global collaboration and harmonized standards are essential to harnessing the potential of quantum technology in healthcare responsibly.

Centers for Medicare & Medicaid Services

• The Centers for Medicare & Medicaid Services (CMS) implemented a final rule in October requiring casualty insurers, defined as Responsible Reporting Entities (RREs), to report certain payments to Medicare beneficiaries or face Civil Money Penalties (CMPs). The rule focuses on “Non-Group Health Plans” (NGHPs), including liability insurers, no-fault carriers, and workers’ compensation plans, and emphasizes reporting timeliness while excluding penalties for reporting quality. This change follows the U.S. Supreme Court’s June 2024 decision to overturn the Chevron doctrine, adding scrutiny to CMS’s long-standing NGHP User Guide. Insurers face complexities in identifying the correct RRE and correctly reporting “total payment obligation to the claimant” (TPOC) settlements, with risks of overreporting in complex settlements involving multiple insurers. CMS’s guidance and the Supreme Court decision highlight the need for insurers to carefully assess their reporting obligations to avoid penalties.
• On November 1, 2024, the Centers for Medicare & Medicaid Services (CMS) released the CY 2025 Hospital Outpatient Prospective Payment System (OPPS) and Ambulatory Surgery Center (ASC) Payment System final rule, which includes a 2.9% increase in Medicare OPPS payments for 2025. This increase results from a 3.4% projected hospital market basket percentage increase, reduced by a 0.5% multifactor productivity reduction mandated by the ACA. The rule has been criticized by the American Hospital Association (AHA) for not adequately addressing the financial challenges faced by hospitals, particularly in rural and underserved areas. CMS has approved 21 new medical and dental procedures for the ASC covered procedures list for 2025, resulting in a projected $308 million increase in ASC payments, bringing the total to approximately $7.4 billion. The rule aligns with the Biden-Harris Administration’s goals to address health disparities and improve transparency, but concerns remain about the impact of rising labor and supply costs on healthcare delivery.

Emerging Technology

• The convergence of quantum technology and artificial intelligence in precision medicine is set to revolutionize healthcare by enabling highly personalized treatments and advancing drug design, medical imaging, and real-time health monitoring. Second-generation quantum technologies, which integrate quantum and classical computing, offer significant advantages in computing, sensing, and networking, with applications ranging from drug discovery to secure patient data sharing. However, these advancements come with regulatory challenges, as existing frameworks may not adequately address the unique risks associated with quantum devices, necessitating the development of new evaluation protocols, risk management frameworks, and clinical trial guidelines. Policymakers are encouraged to promote quantum literacy, anticipate societal impacts, and implement adaptive regulations to balance innovation with public safety. Ultimately, global collaboration and harmonized standards are essential to harnessing the potential of quantum technology in healthcare responsibly.

Fraud & Abuse

• Dr. Basem Hamid, a 52-year-old neurologist from Pearland, Texas, has agreed to pay $948,359.85 to settle allegations of submitting false Medicare claims. The claims involved billing for the surgical implantation of neurostimulator electrodes between August 27, 2019, and October 3, 2022. However, it is alleged that neither Dr. Hamid nor his staff performed these surgeries. Instead, patients received electro-acupuncture devices that were non-invasive and applied in his clinic, not in a surgical setting. Many patients reported that the devices, which were taped behind the ear, often fell off within a few days.
• The U.S. Department of Justice (DOJ) has historically focused on combating fraud against federally funded healthcare programs like Medicare, Medicaid, and TRICARE by encouraging whistleblowers to file lawsuits under the False Claims Act. Recently, the DOJ launched the Corporate Whistleblower Awards Pilot Program, a three-year initiative aimed at incentivizing reports of corporate crime, including private healthcare fraud, with potential monetary rewards for whistleblowers. This program expands the DOJ’s focus to include fraud involving private insurers and healthcare benefit programs outside the scope of the False Claims Act. The DOJ’s updated Evaluation of Corporate Compliance Program guidance emphasizes the importance of confidential reporting structures to protect whistleblowers and urges healthcare providers to enhance compliance programs to address both public and private healthcare fraud. These developments signal an increased scrutiny of corporate healthcare practices and the need for robust compliance systems.
• Edelmira Marquez, the 59-year-old owner of Marquez Medical Supply in El Paso, was sentenced to five years in federal prison and ordered to pay over $1.7 million in restitution for a health care fraud scheme involving adult diapers. Marquez pleaded guilty to conspiracy to commit health care fraud by billing Medicaid and Medicare for more expensive items while providing lower-value products. The fraud, which began as early as 2010, was uncovered by an investigation led by the Texas Attorney General Medicaid Fraud Control Unit and the FBI. In addition to the prison sentence, Marquez was fined $20,000 and admitted full responsibility for her actions. Born in Chihuahua, Mexico, and a naturalized U.S. citizen since 2008, Marquez had no prior criminal record and cooperated with investigators.

HIPAA Penalties

• The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) imposed a $548,265 civil monetary penalty on Children’s Hospital Colorado for violations of the HIPAA Privacy and Security Rules following breaches reported in 2017 and 2020 due to phishing attacks. The breaches compromised the protected health information (PHI) of 3,370 and 10,840 individuals, respectively, and were partly due to disabled multi-factor authentication and unauthorized email access by third parties. OCR found additional violations for failure to train staff on HIPAA Privacy Rules and conduct a proper risk analysis of electronic PHI (ePHI). In June 2024, Children’s Hospital Colorado waived its right to a hearing, leading OCR to finalize the penalty. OCR recommends that covered entities implement robust cybersecurity measures, including multi-factor authentication, encryption, regular risk analyses, and workforce training to prevent such breaches.
• The U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined Gulf Coast Pain Consultants, LLC, $1.19 million for multiple HIPAA Security Rule violations, including failing to terminate a former contractor’s access to systems containing electronic protected health information (ePHI). The contractor, who had ceased providing services in August 2018, accessed ePHI of approximately 34,310 individuals without authorization and generated around 6,500 false Medicare claims. Gulf Coast Pain Consultants failed to conduct a HIPAA-compliant risk analysis until September 30, 2022, and did not implement necessary policies and procedures for access termination and activity review until April 2020. The penalty is part of OCR’s 14th HIPAA enforcement action in 2024 and highlights the importance of proactive cybersecurity measures. Despite providing evidence of mitigating factors, Gulf Coast Pain Consultants could not reach an informal settlement with OCR.

Mental Health and Substance Use

• The Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) requires parity between mental health/substance use disorder (MH/SUD) benefits and medical/surgical (M/S) benefits in group health plans, prohibiting stricter financial or treatment limitations on MH/SUD benefits. Final rules released on September 9, 2024, mandate detailed comparative analyses of non-quantitative treatment limitations (NQTLs) effective in 2025, with specific content requirements including outcomes data and fiduciary certification. Plan fiduciaries must certify the engagement of qualified service providers and monitor their work, with a short timeline for providing analyses upon request. New definitions for terms like “evidentiary standards” and “factors” are introduced, and definitions for benefits have been revised to exclude state guidelines. Plan sponsors must ensure compliance with these requirements and be prepared to respond quickly to requests and changes.

Pharmacy Benefit Managers

• In February 2024, a group including the Johnson & Johnson Group Health Plan sued Johnson & Johnson over alleged fiduciary breaches related to the management of its specialty-drug prescription benefit program under ERISA. The plaintiffs claimed that Johnson & Johnson failed to negotiate effectively with its pharmacy benefit manager (PBM) and to oversee third-party conflicts of interest, resulting in excessive drug payments and higher costs for plan members. This lawsuit highlights increasing scrutiny on PBM practices and suggests a broader fiduciary responsibility for plan sponsors and administrators. As a response, plans are advised to establish competitive PBM procurement processes, maintain continuous oversight of PBM contracts, and routinely review these contracts to ensure compliance and adaptability to regulatory changes. The case underscores the importance of fulfilling fiduciary duties to protect plan members’ interests.

Private Equity

• A study published in JAMA Network Open found that hospice facilities owned by private equity firms and publicly traded companies provide lower quality care compared to nonprofit hospices, as reported by caregivers. These facilities received lower ratings in areas such as communication, timely care, respect for patients, symptom management, and training. The increase in private equity acquisitions of hospices, from a few in 2016 to over 30 by 2021, has prompted federal scrutiny, including a probe into the impact of such ownership on care quality. The study suggests that the profit-driven model of private equity and publicly traded companies may negatively influence care quality. Researchers advocate for greater transparency in hospice ownership to help regulators and families make informed decisions.

Artificial Intelligence

• Ensuring AI models provide faithful and reliable explanations is challenging, particularly in high-stakes fields like healthcare and finance, as current interpretability paradigms—intrinsic and post-hoc—fall short. Intrinsic models, though inherently interpretable, often lack general applicability and competitive performance, while post-hoc methods, although flexible, frequently produce explanations that do not align with the model’s logic. To address these issues, three new paradigms have been introduced: Learn-to-Faithfully-Explain, Faithfulness-Measurable Models, and Self-Explaining Models, which aim to enhance faithfulness and interpretability without sacrificing performance. These approaches are tested on synthetic and real-world datasets, showing significant improvements, such as a 15% increase in faithfulness metrics, while maintaining high accuracy. The new frameworks promise to bridge the gap between interpretability and performance, making AI systems more transparent and reliable for various applications.
• Explainable AI (XAI) is crucial for building trust by making AI decisions understandable, particularly in healthcare where transparency is essential for diagnostic and treatment recommendations. Autonomous and agentic AI systems enhance decision-making and patient care by automating processes, such as monitoring and treatment adjustments, while Edge AI enables real-time processing and improves data privacy by handling information locally. AI also augments the healthcare workforce by assisting with data analysis and diagnostics, allowing humans to focus on tasks requiring emotional intelligence and critical thinking. As AI reshapes job roles, it is essential for healthcare organizations to adapt and leverage these technologies effectively.
• Nearly half of Americans with health insurance receive unexpected medical bills due to systemic issues in healthcare billing, costing $210 billion annually and adding $68 billion in unnecessary expenses. Errors often stem from data entry mistakes, outdated coding practices, and duplicate billing, which AI and machine learning technologies aim to address by reducing errors and improving efficiency. AI-powered systems enhance claims processing by detecting errors in real-time, improving reimbursement rates, and reducing patient distress from rejected claims. Natural Language Processing (NLP) optimizes clinical documentation and revenue management, while AI also improves diagnostic accuracy by identifying conditions like ischemic strokes and hypertrophic cardiomyopathy early. However, human oversight is crucial to ensure AI’s responsible use, maintaining patient care standards and allowing healthcare professionals to focus on direct patient interactions.

Bias & Equity

• AI in healthcare faces challenges in ensuring patient confidentiality and data diversity, potentially leading to biased results. A Cambridge professor advocates for AI-improved data and synthetic data to address these issues, arguing they can enhance data quality and fairness. However, concerns remain about the potential for synthetic data to perpetuate biases and overlook real-world anomalies, as seen in the case of inaccurate pulse oximeter readings for darker skin tones.
• The Biden administration seeks to implement guardrails on the use of AI in healthcare to prevent biases and discrimination, particularly against low-income and minority patients, by avoiding flawed AI-driven recommendations. The success of these proposals depends on their finalization by the Trump administration. These measures align with the administration’s broader goals of enhancing access to care within Medicare and Medicaid programs.

Cybersecurity

• The HHS Office of Inspector General (OIG) report criticized the Office for Civil Rights (OCR) for its narrow HIPAA audit program, which assessed only eight out of 180 requirements, failing to adequately improve cybersecurity at healthcare organizations. The audits did not evaluate physical or technical safeguards, leaving potential vulnerabilities unaddressed. The OIG recommended expanding the audit scope, enforcing corrective measures, and establishing evaluation metrics, but the OCR cited budget constraints and a lack of resources as barriers to implementing these changes. From fiscal years 2018 to 2020, the OCR’s budget remained at $38 million, while complaints and data breach reports increased, and investigative staff numbers decreased by 30% since 2010. Despite agreeing with most recommendations, the OCR disagreed with requiring corrective measures, emphasizing that HIPAA allows for civil penalties instead, and audits are intended to offer technical assistance.
• The continued success of telehealth hinges on its accessibility, but challenges remain, such as digital inequalities and the need for inclusive design for diverse populations. Security is a critical concern as telehealth platforms handle sensitive patient data, necessitating robust measures like encryption, multi-factor authentication, and compliance with privacy laws. The inherent tension between accessibility and security requires a balance to prevent vulnerabilities without deterring patients from using these services. Emerging technologies like AI and blockchain may enhance both security and accessibility, but a collective effort from healthcare providers, developers, policymakers, and patients is essential to ensure telehealth remains safe and inclusive.

Data Privacy

• Four U.S. healthcare organizations, HealthFund Solutions, Option Care Health, Liberty Endo, and Numotion, experienced unauthorized access to employee email accounts. The breaches exposed protected health information of thousands of individuals, including names, addresses, Social Security numbers, medical information, and financial details. The organizations are offering credit monitoring and identity theft protection services to affected individuals.

Elderly & Aging

• Older adults increasingly require more clinical care and social services, which places a significant burden on an already strained healthcare system. The integration of data analytics in senior care can enhance patient-centered care by enabling predictive analytics for proactive health interventions and personalized treatment plans tailored to individual needs. This approach improves health outcomes and optimizes resource allocation, ensuring efficient use of staff and financial resources. The future of senior care is data-driven, with advancements in artificial intelligence and real-time health monitoring promising further improvements in care delivery. However, challenges such as ensuring data privacy and training staff to use these technologies effectively must be addressed.

Emerging Technologies

• Technology is revolutionizing healthcare by enhancing diagnostics, patient care, and operational efficiency through innovations such as AI-driven diagnostics, wearable health devices, telemedicine, and robotic surgeries. These advancements improve accessibility and accuracy, with AI improving diagnostic precision and telemedicine expanding care to remote areas. Wearable technology empowers patients by tracking vital signs and supporting chronic disease management, while electronic health records streamline data management for continuity of care. However, challenges like data privacy, security, and accessibility persist, requiring solutions to ensure equitable healthcare access. Overall, technology is creating a future where healthcare is more efficient, personalized, and accessible.

Fraud & Abuse

• Attorney General Ken Paxton’s Medicaid Fraud Control Unit was instrumental in a significant federal prosecution involving nine pharmaceutical distributor executives and sales representatives who unlawfully distributed nearly 70 million opioid pills and over 30 million doses of other prescription drugs, valued at over $1.3 billion. These drugs were illegally sold to Houston-area pill-mill pharmacies. The investigation resulted in nine defendants pleading guilty.
• Dr. Rajesh Bindal, a 53-year-old from Sugar Land, has agreed to pay $2,095,946 to settle allegations of submitting false claims for electro-acupuncture device placements. Bindal, through Texas Spine & Neurosurgery Center P.A., billed Medicare and the Federal Employees Health Benefits Program for surgical neurostimulator electrode implantation between March 16, 2021, and April 22, 2022. However, instead of performing surgeries, his clinic allegedly inserted monofilament wires into patients’ ears and taped the devices behind the ear, which were then falsely billed as surgeries. These procedures were performed in his clinic without making any incisions, and many devices reportedly fell off within days. The U.S. Attorney and law enforcement officials emphasized the importance of accurate billing to maintain public trust and the integrity of federal health care programs.
• Federal agents detained former hospital CEO Ralph de la Torre and seized his phone as part of an escalating federal corruption and fraud investigation into the bankrupt hospital chain Steward, which he formerly led. De la Torre, held in criminal contempt of Congress in September, and Armin Ernst, who also had his phone seized, are central figures in a corruption case in Malta involving alleged bribery of government officials. A Maltese magistrate has recommended charges against them for money laundering and corruption. Domestically, Steward executives are accused of misusing the Steward-owned malpractice insurer TRACO, resulting in significant financial discrepancies, with $99 million in outstanding loans and $176 million in accounts receivable owed by Steward.

HIPAA

• Healthcare providers must comply with the new HIPAA Reproductive Health Rule by December 23, 2024, which restricts the disclosure of reproductive healthcare information (RPHI) if the care was legal in the state it was provided and the information is sought for investigative or prosecutorial purposes. The Rule faces legal challenges, notably from Texas, and its future is uncertain, especially with potential changes in federal administration. Providers must assess the legality of reproductive care and the purpose of RPHI requests, requiring attestations from requesters to ensure compliance. They must update HIPAA policies, train employees, and potentially use a model attestation from the Office for Civil Rights. Additionally, providers must update their Notice of Privacy Practices by February 16, 2026, to reflect these changes and other proposed HIPAA modifications.
• The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) took its first enforcement action against Holy Redeemer Family Medicine for improperly disclosing a patient’s reproductive health information to a prospective employer without authorization. The disclosure included sensitive health details beyond what the patient had consented to share, violating HIPAA regulations. Holy Redeemer agreed to a settlement, paying a $35,581 penalty and adopting a corrective action plan, which includes revising privacy policies, training staff, and monitoring compliance for two years. OCR emphasized the importance of protecting patient privacy, particularly concerning reproductive health, to maintain trust in the patient-doctor relationship. Additionally, OCR’s Final Rule to enhance privacy protections for reproductive health information will take effect on December 23, 2024.
• On June 25, 2024, the Office for Civil Rights and the U.S. Department of Health and Human Services issued the HIPAA Privacy Rule to enhance privacy protections for Protected Health Information (PHI) related to reproductive healthcare. This rule prohibits healthcare entities and their associates from using or disclosing PHI for criminal, civil, or administrative investigations related to seeking or providing reproductive healthcare. Compliance with this rule is required by December 23, 2024, and updates to Notices of Privacy Practices (NPP) must be completed by February 16, 2026. The rule mandates obtaining a written attestation ensuring PHI is not used for prohibited purposes before any use or disclosure. Additionally, the rule requires updates to NPPs to reflect these protections and changes, with varying responsibilities for group health plans based on their insurance status.

Medicare Expansion

• The Biden administration has proposed significant health care reforms, including expanding Medicare and Medicaid coverage to include GLP-1 weight-loss drugs like Wegovy and Zepbound, which could benefit millions but cost the government an estimated $36 billion over ten years. The proposals also aim to prevent Medicare Advantage plans from denying previously authorized claims and improve transparency and appeal processes, as only 4% of denied claims are currently appealed despite an 80% success rate.

Mental Health & Substance Use

• On September 23, 2024, the Departments of Labor, Treasury, and Health and Human Services issued a final rule under the Mental Health Parity and Addiction Equity Act (MHPAEA), which requires insurers and group health plan sponsors to conduct a comparative analysis of nonquantitative treatment limitations (NQTLs) for mental health and substance use disorder benefits. Effective for plan years starting on or after January 1, 2025, the rule mandates that ERISA plan fiduciaries certify a prudent process in selecting and monitoring service providers for this analysis. The comparative analysis requirement, in effect since February 10, 2021, applies to most group health plans and includes various NQTLs like prior authorization and network design. Plan sponsors must ensure compliance by arranging for these analyses and updating contracts with insurers and vendors. Enforcement includes audits and penalties for non-compliance, with ERISA participants entitled to request the analysis within 30 days.

OIG

• The Office of Inspector General (OIG) issued Advisory Opinion No. 24-09 in response to a request from a municipal corporation about a proposal to charge insurance for treatment-in-place (TIP) emergency medical services without ambulance transport, while waiving patient cost-sharing amounts. The OIG assessed whether this proposal would violate the Federal anti-kickback statute or the Beneficiary Inducements Civil Monetary Penalty (CMP) provisions. Although the arrangement could potentially generate prohibited remuneration under these statutes, the OIG concluded that it would not impose administrative sanctions due to the low risk of fraud and abuse associated with the proposal.
• On November 20, 2024, the Office of Inspector General (OIG) released new compliance guidelines for nursing facilities, which is the first industry-specific guidance since the 2023 General Compliance Program Guidance. The guidance emphasizes best practices for nursing facilities, covering topics such as quality of care, Medicare and Medicaid billing requirements, and the federal Anti-Kickback Statute. Additionally, an OIG report published on November 12, 2024, found that Medicare overpaid acute-care hospitals an estimated $190 million over five years for outpatient services to hospice enrollees, and the OIG recommended improvements to prevent future overpayments.
• The HHS Office of Inspector General (OIG) report criticized the Office for Civil Rights (OCR) for its narrow HIPAA audit program, which assessed only eight out of 180 requirements, failing to adequately improve cybersecurity at healthcare organizations. The audits did not evaluate physical or technical safeguards, leaving potential vulnerabilities unaddressed. The OIG recommended expanding the audit scope, enforcing corrective measures, and establishing evaluation metrics, but the OCR cited budget constraints and a lack of resources as barriers to implementing these changes. From fiscal years 2018 to 2020, the OCR’s budget remained at $38 million, while complaints and data breach reports increased, and investigative staff numbers decreased by 30% since 2010. Despite agreeing with most recommendations, the OCR disagreed with requiring corrective measures, emphasizing that HIPAA allows for civil penalties instead, and audits are intended to offer technical assistance. See report here.

Cybersecurity

• The Office of Inspector General (OIG) has once again found the U.S. Department of Health and Human Services’ (HHS) information security program to be ineffective, as detailed in their report. The OIG’s annual audit, required by the Federal Information Security Modernization Act of 2014, revealed that HHS failed to meet maturity in all five functional areas of the NIST framework: Identify, Protect, Detect, Respond, and Recover. The OIG made six recommendations to improve HHS’s information security, including updating system inventories and implementing a comprehensive cybersecurity risk management strategy. Despite these recommendations, HHS only concurred with five, disagreeing on the need to fully implement a new cybersecurity risk management strategy. This audit exemplifies ongoing challenges faced by federal agencies in meeting FISMA requirements, with HHS struggling to address security flaws, particularly in its cloud systems.
• The ransomware landscape has become more distributed, with a rise in small-scale groups and a decrease in activity from previously dominant groups like LockBit and ALPHV. Poorly secured and outdated VPNs remain a primary initial access vector for ransomware groups, highlighting the critical importance of robust security measures like multi-factor authentication.
• Telehealth programs are increasingly targeted by cybercriminals due to their rapid expansion and critical role in patient care. Healthcare organizations can protect sensitive health data by conducting risk assessments of telehealth providers, implementing isolated network access points, and continuously monitoring security measures. Hospitals and health systems should integrate telehealth provider security into their overall strategy, ensuring compliance with industry standards like HIPAA and HITRUST.
• The IEEE Standards Association has published IEEE 2933, a new healthcare cybersecurity standard addressing vulnerabilities in connected medical devices. IEEE 2933, developed with input from global experts, focuses on six essential elements of medical device security, including trust, identity, privacy, protection, safety, and security. By adopting IEEE 2933, the healthcare industry can take a proactive stance in safeguarding patient safety and system integrity.

Data Privacy

• Elon Musk has been criticized for encouraging users of X, the platform he owns, to upload medical images to its AI tool, Grok, raising concerns about privacy and accuracy issues. Musk claims Grok is in early stages but already quite accurate, though results have been mixed, with some users reporting accurate diagnoses and others experiencing errors. Critics highlight the absence of HIPAA protections on X and ethical concerns about sharing sensitive health data on social media. The New York Times and experts like Bradley Malin emphasize the risks involved, including potential misuse of data and public trust issues. The debate underscores the need for regulation in AI-driven healthcare to prevent misuse and ensure safety.
• The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has announced a new enforcement initiative called the Risk Analysis Initiative, aimed at ensuring compliance with the HIPAA Security Rule Risk Analysis provision. This initiative is part of OCR’s broader efforts, including its seventh enforcement action related to ransomware, to address deficiencies in how organizations assess risks to electronic protected health information (ePHI). With a reported 264% increase in large breaches involving ransomware since 2018, the initiative emphasizes the need for healthcare entities to evaluate their cybersecurity measures and resource allocation. OCR’s focus is on enhancing the identification and remediation of threats to ePHI, a critical aspect of HIPAA compliance. This initiative follows OCR’s previous enforcement strategy, the Right of Access Initiative, suggesting a continued rigorous approach to ensuring compliance.

Artificial Intelligence

• In a randomized clinical trial published in JAMA Network Open, it was found that the use of a large language model (LLM) did not significantly enhance diagnostic reasoning performance among physicians compared to conventional resources. The study involved 50 physicians and showed that while the LLM alone outperformed both groups of physicians, its integration with physicians did not improve diagnostic reasoning. The trial highlighted the need for further development in human-computer interactions to effectively integrate LLMs into clinical practice. Despite the LLM’s potential, the study suggests that simply providing access to LLMs is insufficient to improve diagnostic reasoning in practice.
• Public Citizen experts are urging the U.S. Food and Drug Administration (FDA) to address the risks posed by AI in healthcare, which could worsen existing issues and threaten patient safety. Dr. Robert Steinbrook, Health Research Group Director, testified before the FDA’s Digital Health Advisory Committee, emphasizing the need for stringent regulations to prevent harm from rapidly developed AI devices. A report by Eagan Kemp highlights the growing use of AI in administrative tasks, medical practices, and mental health support, warning that without safeguards, AI could lead to inequitable care and exacerbate disparities. Public Citizen has recommended regulatory measures to the Department of Health and Human Services, expressing concern that the incoming Trump administration may prioritize innovation over regulation, potentially compromising patient safety.
• AI tools, particularly GenAI, are being used to enhance healthcare by detecting health threats and unauthorized access to patient data, but they must be accurate and secure to be effective. The article warns that AI can also be exploited by cybercriminals to harm healthcare systems through social engineering and other malicious activities. It emphasizes the need for healthcare organizations to establish robust AI policies and risk management strategies to mitigate these threats. Finally, the article advises thorough testing of AI tools to ensure they do not compromise patient data or violate legal requirements.
• Microsoft and major institutions like Yale, Harvard, and the University of Michigan are advancing AI initiatives, yet the technology’s adoption may be outpacing regulatory and oversight capabilities. The FDA currently approves AI tools as devices, which undergo a different and sometimes less rigorous approval process than drugs, raising concerns about their real-world efficacy and safety. The article emphasizes the need for transparency, stronger regulations, and a public database to track AI performance and ensure accountability. It also calls for increased resources for the FDA and suggests that patients and healthcare professionals should stay informed and engaged to promote responsible AI use in medicine.
• Academic Medical Centers (AMCs) are uniquely positioned to accelerate the translation of research into clinical care, particularly through the use of artificial intelligence (AI). AMCs can leverage AI to improve patient care, especially in resource-constrained settings, and create efficiencies for providers and research organizations. Despite challenges, the potential rewards of AI implementation are significant.

Dr. Death Redux

• Dr. Raynaldo Ortiz was sentenced to 190 years in prison for injecting dangerous drugs into patient IV bags at Baylor Scott & White Surgicare North Dallas, leading to at least 12 cardiac complications and the death of a colleague. Ortiz was convicted in April after an eight-day trial on multiple counts of tampering with consumer products and drug adulteration. Surveillance footage showed Ortiz tampering with IV bags, which were later linked to severe patient reactions.

Emerging Tech

• In a randomized clinical trial published in JAMA Network Open, it was found that the use of a large language model (LLM) did not significantly enhance diagnostic reasoning performance among physicians compared to conventional resources. The study involved 50 physicians and showed that while the LLM alone outperformed both groups of physicians, its integration with physicians did not improve diagnostic reasoning. The trial highlighted the need for further development in human-computer interactions to effectively integrate LLMs into clinical practice. Despite the LLM’s potential, the study suggests that simply providing access to LLMs is insufficient to improve diagnostic reasoning in practice.

Fraud & Abuse

• A federal jury in Dallas has found Healthcare Associates of Texas, LLC (HCAT) liable for fraudulent Medicare billing practices, potentially resulting in $304 million in penalties under the False Claims Act. The case was brought by a whistleblower, a former HCAT executive, who alleged that HCAT submitted 21,844 false claims to Medicare between 2015 and 2021. The fraudulent schemes included billing for services by uncredentialed providers, splitting bills to obscure provider identities, and charging inflated rates. The jury found HCAT, its founding physicians, former CEO, and ex-Chief Compliance Officer liable for these actions. The whistleblower will receive a percentage of any recovered funds, though the specific award has not been disclosed.
• A Texas laboratory owner was charged with healthcare fraud for submitting over $79 million in fraudulent claims to Medicare and Medicaid for unnecessary respiratory pathogen panel tests. The owner allegedly used a physician’s identity without consent and falsely represented that the lab used reference laboratories to conduct the tests. The government seized over $15 million in cash and is investigating the case with multiple agencies.

Gender-Affirming Care

• Attorney General Ken Paxton has filed lawsuits against two UT Southwestern and Children’s Health physicians, alleging they provided illegal “gender transition” treatments to minors. The lawsuits claim the physicians violated Senate Bill 14, which prohibits such treatments for minors, and highlight their association with the now-closed GENECIS Clinic. The American Academy of Pediatrics supports gender-affirming care, while a conservative advocacy group, the American College of Pediatricians, opposes it.

Health Policy

• Robert F. Kennedy Jr. has expressed strong opposition to the FDA’s current practices, which he believes suppress public health advancements by limiting access to non-patentable treatments and products. He criticizes the pharmaceutical industry’s reliance on patents, suggesting that many FDA actions are designed to protect this business model. Kennedy advocates for allowing the manufacture and distribution of medical products without FDA approval, permitting broader marketing claims, and opposing regulations on raw milk and certain food additives. His stance suggests a push for more lenient FDA policies regarding unapproved medical uses and claims for “clean foods.” President-elect Trump has indicated he will nominate Kennedy as secretary of health and human services, potentially giving him oversight of the FDA.
• The Food and Drug Administration (FDA) has made it a federal requirement to inform patients about their breast density when they receive mammograms, following a policy initially enacted in Texas. Higher breast density, characterized by more glandular tissue, can obscure cancer detection on mammograms since both appear white. Patients with dense breasts are advised to undergo more comprehensive exams, such as ultrasounds or MRIs, for better cancer detection. This federal mandate follows the 2012 Texas rule, known as Henda’s Law, which was adopted by 18 other states before becoming a nationwide requirement. Breast cancer remains the most common cancer among women in Texas, with over 21,000 diagnoses expected this year and nearly 3,500 estimated deaths.

Patient Confidentiality

• The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has announced a new enforcement initiative called the Risk Analysis Initiative, aimed at ensuring compliance with the HIPAA Security Rule Risk Analysis provision. This initiative is part of OCR’s broader efforts, including its seventh enforcement action related to ransomware, to address deficiencies in how organizations assess risks to electronic protected health information (ePHI). With a reported 264% increase in large breaches involving ransomware since 2018, the initiative emphasizes the need for healthcare entities to evaluate their cybersecurity measures and resource allocation. OCR’s focus is on enhancing the identification and remediation of threats to ePHI, a critical aspect of HIPAA compliance. This initiative follows OCR’s previous enforcement strategy, the Right of Access Initiative, suggesting a continued rigorous approach to ensuring compliance.
• Elon Musk has been criticized for encouraging users of X, the platform he owns, to upload medical images to its AI tool, Grok, raising concerns about privacy and accuracy issues. Musk claims Grok is in early stages but already quite accurate, though results have been mixed, with some users reporting accurate diagnoses and others experiencing errors. Critics highlight the absence of HIPAA protections on X and ethical concerns about sharing sensitive health data on social media. The New York Times and experts like Bradley Malin emphasize the risks involved, including potential misuse of data and public trust issues. The debate underscores the need for regulation in AI-driven healthcare to prevent misuse and ensure safety.

Risk Management

• The Office of Inspector General (OIG) has released updated Industry-Specific Compliance Program Guidance (ICPG) for nursing facilities. The 2024 ICPG shifts the focus from fraud prevention to quality of care and resident safety, reflecting the interconnectedness of care quality and compliance. Nursing facilities are encouraged to review their practices, identify gaps, and implement changes to align with the new framework.
• Overpayments pose significant risks to healthcare providers, leading to financial losses and compliance issues. Statistical Sampling and Overpayment Estimation (SSOE) is a method that uses a small, representative sample of claims to estimate overpayments across a larger pool, offering a cost-effective alternative to reviewing every claim. The SSOE process involves sampling claims, identifying overpayments, and extrapolating results to provide a reliable picture of financial impact. Key data fields for accurate overpayment estimation include claim details, provider and patient information, service codes, and overpayment indicators. SSOE not only helps in compliance and reducing financial risks but also provides insights into improving billing processes and addressing financial leakage.

Taxation

• The Fifth Circuit denied tax-exempt status to the Memorial Hermann Accountable Care Organization (MHACO), a healthcare nonprofit, under Section 501(c)(4) of the Internal Revenue Code, citing substantial nonexempt purposes. This decision extends the “substantial nonexempt purpose” test, traditionally applied to 501(c)(3) entities, to 501(c)(4) organizations, potentially affecting other nonprofits with similar structures. The court found that MHACO’s activities primarily benefited private healthcare providers and commercial insurers, rather than promoting social welfare, as required for tax exemption. The ruling could impact nonprofits with private membership or financial benefit structures, possibly affecting their operations and governance. Additionally, the decision may influence politically active nonprofits by curbing activities such as political spending.

Telehealth

• The Drug Enforcement Administration (DEA) and the Department of Health and Human Services (HHS) have issued a third extension of telemedicine flexibilities for prescribing controlled substances, now set to expire on December 31, 2025, allowing practitioners to prescribe Schedule II-V substances without an in-person evaluation under certain conditions. This extension serves as a transitional measure from the emergency provisions of the COVID-19 pandemic to a more permanent regulatory framework, reflecting ongoing efforts to modernize healthcare delivery while ensuring patient safety. The extension maintains continuity of care, particularly for patients with chronic conditions or substance use disorders, and provides time for stakeholders to adapt to future regulations. The DEA and HHS are considering public feedback, including 38,369 comments, to develop a comprehensive set of permanent rules that balance access to care with safeguards against misuse.
• The DEA and HHS have extended COVID-era tele-prescribing flexibilities for controlled substances through December 31, 2025. This extension provides more time to finalize permanent tele-prescribing rules that balance public health, access, and diversion risks. The agencies aim for a smooth transition for patients and practitioners who have come to rely on telemedicine for controlled substance prescriptions.

Artificial Intelligence

• The Department of Homeland Security (DHS) has released a voluntary framework outlining AI responsibilities for critical infrastructure sectors. The framework, developed with industry input, addresses risks like AI-based attacks and design failures, emphasizing practical implementation for safety and security. While the future of the framework under a potential Trump administration remains uncertain, DHS highlights its own AI pilot projects and integration efforts.
• The Global Privacy Assembly’s Joint Statement emphasizes that data scraping, even of publicly accessible data, must comply with privacy laws, including obtaining consent when necessary. Relying solely on platform terms for data scraping does not guarantee compliance with data protection and AI laws.
• President-elect Trump’s return to the White House may impact the artificial intelligence (AI) industry. Trump’s alliance with tech billionaire Elon Musk and his pledge to repeal President Biden’s AI executive order suggest a focus on private sector-driven innovation and competition over regulation.
• According to a recent cybersecurity report, healthcare organizations block 17.2% of AI transactions, ranking third behind finance and insurance, and technology sectors. This is slightly below the national average of 18.5%, indicating a lag in healthcare’s efforts to secure sensitive data against AI threats. Despite being the sixth-largest user of AI and machine learning, the healthcare sector’s AI adoption is expected to grow. The most popular AI applications in healthcare include ChatGPT, Drift, OpenAI, Writer, and Intercom. Healthcare organizations are actively engaging in AI safety initiatives, with some developing in-house AI platforms, while addressing concerns about data privacy, security, and the reliability and bias of AI algorithms in patient care.
• Pieces Technologies, a Dallas-based company, uses AI to streamline physician documentation, saving time on tasks like patient summaries, discharge notes, and progress notes. The platform, now in use at hospitals nationwide, has expanded to include a mobile version and is exploring outpatient applications. Despite facing scrutiny over AI accuracy, Pieces continues to innovate and secure funding for its patient-facing technology.
• California enacted two new laws governing the use of AI in healthcare. One law requires health plans using AI in utilization review to disclose its use and ensure determinations are based on clinical information. The other law mandates providers using AI in patient communications to obtain consent and follow specific protocols.

Cybersecurity

• The Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000 for HIPAA violations, including lacking a Business Associate Agreement (BAA) and insufficient access controls. The fine reflects a 20% discount for PMI’s recognized security practices, but OCR has not publicly disclosed which practices qualify or how the discount was calculated. This marks the first time OCR has publicly acknowledged applying the discount, which was mandated by the Cybersecurity Act of 2015.
• New federal legislation called the Health Infrastructure Security and Accountability Act (HISAA) has been introduced to address cybersecurity risks in the healthcare sector, particularly for HIPAA Covered Entities and Business Associates. The Act is a response to high-profile cybersecurity incidents, such as the Change Healthcare breach, and aims to establish new security requirements, conduct annual risk assessments, and enforce audits to improve cybersecurity practices. HISAA proposes tiered penalties for noncompliance, removes statutory caps on penalties, and introduces fees to cover oversight costs. It also includes financial incentives and disincentives related to Medicare payments to encourage the adoption of enhanced cybersecurity measures. The act represents a significant shift in cybersecurity enforcement and oversight compared to existing HIPAA regulations.

Data Privacy

• The FTC published an explainer on the use of Data Clean Rooms (DCRs), cloud services that enable data exchange and analysis between companies. While DCRs can offer privacy protections when configured correctly, they are not inherently privacy-preserving and can be used to obfuscate privacy harms. Companies should not rely on DCRs to avoid legal obligations regarding data privacy and should be held accountable for any violations, regardless of the technology used.
• The healthcare industry is increasingly targeted by ransomware attacks, with notable incidents such as the Change Healthcare breach affecting nearly 100 million individuals. Healthcare organizations face complex decisions regarding whether to pay ransoms, balancing the need to minimize business disruption and protect sensitive data against the risks of legal liability, increased future targeting, and ethical concerns. Paying a ransom does not eliminate legal obligations to report breaches, and it may expose organizations to penalties if payments are made to sanctioned entities. The healthcare sector’s critical services and sensitive data make it a prime target, necessitating robust cybersecurity measures and comprehensive incident response strategies. Organizations must carefully evaluate their legal and strategic options to effectively manage ransomware risks.
• Texas is emerging as a significant player in privacy regulation following the implementation of the Texas Privacy and Data Security Act (TPDSA) in July 2024 and the Texas Securing Children Online through Parental Empowerment (SCOPE) Act in September 2024. Texas Attorney General Ken Paxton has initiated a privacy and security enforcement initiative, establishing a dedicated team within the Consumer Protection Division to enforce these laws. Notable actions include a lawsuit against TikTok for allegedly violating the SCOPE Act by sharing minors’ personal information without parental consent, and a settlement with Meta under the Texas biometric law for unauthorized data capture. Additionally, over 100 companies were notified for failing to register as data brokers, and car manufacturers are under investigation for data collection practices. Businesses processing Texans’ personal information should ensure compliance with the TPDSA and other relevant privacy laws to avoid enforcement actions.

Behavioral Health

• Behavioral health is a rapidly growing area in the healthcare sector, but it faces significant operational and financial challenges as companies scale and investor interest increases. Behavioral health organizations need to adopt innovative strategies to improve operations and financial performance, often requiring external expertise to navigate these complexities. They highlight the importance of effective management, strategic planning, and maintaining a focus on patient care amidst financial pressures, such as rising costs and debt. The experts emphasize the need for organizations to communicate their mission clearly, engage employees, and ensure consistent quality of care. They also advise investors to assess management’s ability to respond to data, maintain a positive organizational culture, and manage financial metrics effectively.

Drug & Device

•  New FDA advertising rules require drugmakers to use simpler language and no distractions when explaining their medications’ risks and side effects. The FDA spent more than 15 years crafting the guidelines, which are designed to do away with industry practices that downplay or distract viewers from risk information. Many companies have already adopted the rules, which become binding Nov. 20.
• The U.S. Department of Justice (DOJ) recently published a final rule on the accessibility of medical diagnostic equipment (MDE) and other accessibility-related practices that promises to have broad impact on the health care industry. Although the rule is limited to state and local government’s healthcare practices, it is likely only a matter of time before the rule’s mandates will be imposed on the entire health care industry.

Equity & Equality

• The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published final rules implementing anti-discrimination provisions under Section 1557 of the Affordable Care Act. These rules apply to health programs receiving federal financial assistance and prohibit discrimination based on race, color, national origin, sex, age, or disability. Covered entities must meet several upcoming deadlines, including appointing a Section 1557 Coordinator by November 2, 2024, and ensuring non-discriminatory use of patient care decision support tools by May 1, 2025. By July 5, 2025, entities must post notices of language assistance services and adopt comprehensive policies and procedures to ensure compliance. The rules also require training for relevant employees on these policies within specific timeframes.

Fraud & Abuse

• Anti-Kickback Statute (AKS) enforcement is shifting away from COVID-19 pandemic-era fraud and towards unlawful marketing and referral practices. The Justice Department and HHS’ Office of Inspector General anticipate an uptick in enforcement activity, particularly against Stark law violations. Life sciences and healthcare companies should bolster compliance efforts to avoid scrutiny and potential whistleblower actions.
• The Office of Inspector General (OIG) recommends increased oversight of remote patient monitoring (RPM) services and billing in the Medicare program. The OIG report found that RPM is not being used as intended, with many enrollees not receiving all required components and concerns about fraud and abuse. The OIG also found that CMS lacks key information about RPM use, including the types of devices and health data being collected.
• The future of the Stark law is uncertain following a district court decision that a False Claims Act lawsuit could not be resolved without further briefings on the U.S. Supreme Court’s recent reversal of the Chevron deference doctrine. In July, the Supreme Court overturned Chevron deference, which had required judges to defer to federal agency interpretations in ambiguous legal cases, now mandating independent judicial interpretation. The district judge emphasized the need to interpret regulations independently, leading to the lawsuit’s dismissal due to insufficient detail in the plaintiff’s allegations. This change in judicial approach raises questions about the Stark law’s application, as it involves complex compliance requirements and exceptions.

Intellectual Property

• Companies developing cell and gene therapies face a critical decision: patenting or keeping information as a trade secret. Factors like reverse-engineering risk, patent eligibility, business model, and infringement detection influence this choice. Enforcement strategies for patents and trade secrets differ in goals, timing, pleadings, and discovery logistics, requiring careful planning.

Mergers & Acquisitions

• Behavioral health mergers and acquisitions (M&A) have recovered and stabilized, driven by factors like the emergence of mental health platforms and positive reimbursement changes. Joint venture (JV) partnerships continue to gain popularity in the mental health sector. Behavioral health providers are expanding their geographical reach by helping traditional nonprofit health systems operate more efficiently and meet the high demand for behavioral health services. Telehealth has become a common treatment method for mental health patients, with Congress extending telehealth flexibility waivers through 2024.
• The Federal Trade Commission (FTC) recently published revisions for pre-merger notification requirements under the Hart-Scott-Rodino Antitrust Act. The rule revises forms and instructions to address information gaps and ensure that transactions do not stifle competition. Entities must file information about entities and individuals influencing decision-making post-merger, non-horizontal relationships, business lines, serial acquisitions, and roll-ups.

No Surprises Act

• The Fifth Circuit Court of Appeals’ recently upheld regulations defining the qualifying payment amount (QPA) under the No Surprise Billing Rules. The QPA is a key factor in determining how much individuals and health plans must pay out-of-network providers in certain situations. The court’s decision upheld the rules governing how QPAs will be determined and the information that plans need to disclose to providers about how they determined a QPA.

Ransomware

• The healthcare industry is increasingly targeted by ransomware attacks, with notable incidents such as the Change Healthcare breach affecting nearly 100 million individuals. Healthcare organizations face complex decisions regarding whether to pay ransoms, balancing the need to minimize business disruption and protect sensitive data against the risks of legal liability, increased future targeting, and ethical concerns. Paying a ransom does not eliminate legal obligations to report breaches, and it may expose organizations to penalties if payments are made to sanctioned entities. The healthcare sector’s critical services and sensitive data make it a prime target, necessitating robust cybersecurity measures and comprehensive incident response strategies. Organizations must carefully evaluate their legal and strategic options to effectively manage ransomware risks.

Reproductive Rights

• Texas lawmakers will consider a bill that would reclassify mifepristone and misoprostol — two drugs commonly used in medication abortions — as controlled substances. This move mirrors a similar law in Louisiana, which has faced criticism from healthcare providers for potentially endangering patients’ lives. The Texas bill, if passed, would take effect in September 2025 and adds a muscle relaxant to the Schedule IV controlled substances list.

Telehealth

• States continue to modify telehealth laws and regulations, striking a balance between flexibility and quality care. While some federal telehealth flexibilities have been extended, the DEA’s remote prescribing rulemaking remains uncertain, potentially impacting providers beyond December 31, 2024. Enforcement efforts against telehealth fraud highlight the need for providers to prioritize compliance with evolving legal requirements.