Senate Bill 31, known as the Life of the Mother Act, aims to clarify medical exceptions to Texas abortion laws that currently permit the procedure only when the mother’s life or major bodily function is at risk. The bill would specify that doctors need not delay treatment if doing so increases risk to the pregnant woman, broadens definitions for ectopic pregnancy and premature water breaks, and protects physician-patient discussions about abortion options from being considered “aiding and abetting.” With bipartisan support including 12 Republican senators and Lt. Gov. Dan Patrick’s backing, the legislation would require the Texas Medical Board to offer educational courses about physicians’ rights under the law. Texas doctors have reported confusion about existing laws, with 29% lacking clear understanding of abortion regulations, leading to delayed care and increased complications for pregnant women.
Artificial Intelligence
Healthcare organizations implementing LLMs face eight critical challenges including over-reliance on AI without domain expertise integration, unresolved data quality issues across fragmented systems, and ethical risks in handling sensitive healthcare data. Additional pitfalls include poor workflow integration, inadequate model validation post-deployment, neglect of regulatory requirements, overpromising AI capabilities to stakeholders, and failure to customize models for specific healthcare needs. Healthcare companies must maintain human expertise in the loop, implement robust data governance, ensure regulatory compliance, and set realistic expectations to successfully deploy LLMs that enhance rather than compromise patient care and operational efficiency.
Compliance Programs & Audits
Compliance auditing has become mandatory in today’s regulatory environment, with federal and state laws requiring companies to conduct regular reviews of their practices. The Office of Inspector General’s Compliance Program Guidance identifies auditing as a core element that helps organizations detect fraud, assess policy adherence, and mitigate risks before they escalate into enforcement actions. Recent settlements demonstrate the consequences of inadequate compliance monitoring, with companies like Pfizer, Teva, Innovasis, and Endo Health Solutions paying millions or billions in penalties for violations related to kickbacks, improper marketing, and other infractions. Companies should prioritize auditing high-risk areas including speaker programs, healthcare professional arrangements, promotional materials, and patient assistance programs using a risk-based approach.
Contracting
Healthcare AI vendor contracts require thorough pre-negotiation preparation, including comprehensive risk assessment and stakeholder engagement. Organizations must evaluate AI tools within a governance framework using resources like HEAT maps and the NIST AI Risk Management Framework to categorize risks. Contract negotiations should address data rights, with customers seeking ownership of inputs and outputs while vendors aim to retain rights to their services and products. Key contract provisions include privacy, security, regulatory compliance, indemnification, and liability limitations, with special attention to HIPAA compliance when patient health information is involved.
Cybersecurity & Privacy
Healthcare cyberattacks have increased dramatically, with annual large breaches nearly tripling from 242 (2010-2014) to 713 (2020-2024), with 81% caused by hacking or IT incidents in 2024 alone. The 2024 Change Healthcare breach affected 190 million individuals, making it the largest healthcare data breach to date. When protected health information is compromised, organizations must notify affected individuals, media outlets, state agencies, and the Office for Civil Rights, potentially facing investigations, enforcement actions, and costly settlements. Healthcare entities must strengthen defenses through annual security risk assessments, multi-factor authentication, and comprehensive incident response plans, with HHS proposing updates to the HIPAA Security Rule to mandate these protective measures.
The Office for Civil Rights has announced a $3 million settlement with Solara Medical Supplies for HIPAA violations (source: "HHS Settles HIPAA Security Breach Stemming from Phishing Cyberattack for $3 Million"). A phishing attack compromised eight employee email accounts, exposing the protected health information of more than 100,000 individuals; a second breach followed when notification letters were mailed to incorrect addresses, affecting about 1,500 more people. OCR's investigation found that Solara had failed to conduct an accurate and thorough risk analysis, to implement security measures sufficient to reduce the risks it identified, and to notify affected individuals in a timely manner. The settlement includes a corrective action plan requiring a risk analysis, a risk management plan, policy development, and workforce training on HIPAA compliance.
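The Solara incident followed the usual business-email-compromise pattern: phished credentials, then mailbox changes that forward or hide mail. The detection logic below is an added example, not part of the settlement or any Solara tooling. It scans Microsoft 365 Unified Audit Log records (the `Parameters` Name/Value shape of Exchange entries exported from `Search-UnifiedAuditLog`) for inbox rules and mailbox settings that forward mail outside the organization, delete or bury messages about passwords or invoices, or carry the blank/dots-only rule names attackers favour. The audit records are constructed; `ORG_DOMAINS`, `BURY_FOLDERS` and `HIDE_WORDS` are assumptions to tune per tenant.

```python
"""Flag Microsoft 365 mailbox changes typical of a phished account.

Added illustration, not part of the OCR settlement or Solara's own tooling.
The audit records below are constructed; their Name/Value "Parameters" list
mirrors the shape of Exchange entries exported from the Unified Audit Log
(Search-UnifiedAuditLog, AuditData column). ORG_DOMAINS, BURY_FOLDERS and
HIDE_WORDS are assumptions to tune per tenant.
"""
import json
import re

ORG_DOMAINS = {"clinic.example"}  # assumption: the tenant's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
BURY_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history"}
HIDE_WORDS = {"password", "phish", "hacked", "suspicious", "invoice", "wire", "payment"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: one benign rule, one compromised mailbox, one internal rule.
SAMPLE_AUDIT = [json.dumps(r) for r in [
    {"CreationTime": "2025-03-03T14:02:11", "Operation": "New-InboxRule",
     "UserId": "nurse@clinic.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-03-04T02:17:45", "Operation": "New-InboxRule",
     "UserId": "billing@clinic.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "ForwardTo", "Value": "[SMTP:payments@mail-relay.example]"},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-04T02:19:03", "Operation": "Set-Mailbox",
     "UserId": "billing@clinic.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:payments@mail-relay.example"}]},
    {"CreationTime": "2025-03-04T09:30:00", "Operation": "Set-InboxRule",
     "UserId": "reception@clinic.example", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Name", "Value": "Route to Sam"},
                    {"Name": "ForwardTo", "Value": "[SMTP:sam@clinic.example]"}]},
]]


def params(rec):
    """Collapse the Name/Value list into a dict of string values."""
    return {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS]


def analyze(rec):
    """Return (severity, reason) pairs for one parsed AuditData record."""
    hits = []
    op = rec.get("Operation", "")
    if op not in {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}:
        return hits
    p = params(rec)
    for name in sorted(FORWARD_PARAMS & p.keys()):
        ext = external_addresses(p[name])
        if ext:
            hits.append(("high", f"{op}: {name} sends mail outside the org to {', '.join(ext)}"))
    # Rules that delete or bury mail are how an intruder hides bounce notices,
    # password resets and replies from the real mailbox owner.
    if p.get("DeleteMessage", "").lower() == "true" or p.get("MoveToFolder", "").lower() in BURY_FOLDERS:
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
        matched = sorted(words & HIDE_WORDS)
        if matched:
            hits.append(("high", f"{op}: rule hides messages whose subject contains {matched}"))
        else:
            hits.append(("medium", f"{op}: rule silently deletes or buries mail"))
    if "Name" in p and p["Name"].strip(" .") == "":
        hits.append(("low", f"{op}: rule name is blank or dots only"))
    return hits


def scan(lines):
    """Parse AuditData JSON lines; return alerts grouped by the acting UserId."""
    alerts = {}
    for line in lines:
        rec = json.loads(line)
        for sev, reason in analyze(rec):
            alerts.setdefault(rec.get("UserId", "?"), []).append(
                (sev, rec.get("CreationTime"), rec.get("ClientIP"), reason))
    return alerts


if __name__ == "__main__":
    for user, hits in scan(SAMPLE_AUDIT).items():
        print(user)
        for sev, when, ip, reason in hits:
            print(f"  [{sev}] {when} from {ip}: {reason}")
```

Run against the sample, only the `billing@` mailbox fires: an external forward, a rule that deletes password and invoice mail, a dots-only rule name, and a mailbox-level `ForwardingSmtpAddress`, all from the same unfamiliar IP within two minutes. Internal forwards and ordinary filing rules stay quiet, which is what keeps an alert like this actionable.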
The Seventh Circuit ruled in Hulce v. Zipongo that communications promoting free services do not qualify as “telephone solicitations” under the TCPA. Plaintiff Hulce received approximately 20 calls and texts from Foodsmart about services available at no cost through his healthcare plan, with payment coming from the insurer rather than Hulce. Foodsmart successfully argued that since their communications encouraged use of free services rather than purchase of services, they fell outside the TCPA’s definition of solicitation. The court determined that encouraging use of a service available at no cost to the recipient does not constitute encouraging a purchase, even when a third party pays for the service.
The Department of Health and Human Services plans to cut 10,000 full-time jobs as part of a larger reduction that will decrease total headcount by 20,000 employees, saving $1.8 billion annually according to HHS. The cuts will affect multiple agencies including 3,500 workers at FDA, 2,400 at CDC, 1,200 at NIH, and 300 at CMS, though HHS claims the reductions will not impact core services like Medicare, Medicaid, or food and drug reviews. The reorganization includes consolidating 28 redundant offices into 15 new divisions, reducing regional offices from 10 to five, and creating new entities like the Administration for a Healthy America, which will combine multiple existing health offices. Democratic lawmakers and health advocates have criticized the cuts, warning they could harm vulnerable populations and disrupt essential services.
Immigration
Hospitals and healthcare systems nationwide are experiencing increased random inspections by USCIS targeting H-1B visa holders. Immigration officers from the Fraud Detection and National Security Directorate conduct unannounced site visits to verify compliance with H-1B program requirements, focusing on Public Access Files, work location accuracy, and position/salary verification. Non-compliance can result in fines, program debarment, operational disruption, and reputation damage. Healthcare facilities are advised to conduct system-wide compliance reviews, train staff on inspection protocols, collaborate with immigration counsel, standardize recordkeeping, and stay informed about policy changes to maintain compliance.
Taxation
Continuing Care Retirement Communities (CCRCs) provide comprehensive senior care from independent living to skilled nursing, with entrance fees averaging $400,000 and monthly fees around $3,450. Residents can deduct portions of these fees as medical expenses on their taxes if their total medical costs exceed 7.5% of their adjusted gross income. The deductible percentage varies by facility and is calculated based on the community’s aggregate healthcare costs, not individual usage. This tax benefit applies from day one of residency regardless of current healthcare needs and requires itemizing deductions on Schedule A of Form 1040. Alternative senior living arrangements like assisted living facilities and home modifications may also qualify for similar tax advantages if they meet IRS criteria for medical necessity.
Telehealth
The DEA has further delayed the effective dates of two telemedicine prescribing rules until December 31, 2025. The rules would expand prescribing of buprenorphine for opioid use disorder and controlled substances for VA patients via telemedicine. Originally scheduled to become effective February 18, 2025, then delayed to March 21, 2025, the Department of Justice now seeks additional time to review questions of fact, law, and policy despite some commenters requesting immediate implementation. Meanwhile, practitioners can continue prescribing controlled medications via telemedicine without prior in-person visits under COVID-19 flexibilities through the end of 2025.
Healthcare price transparency laws implemented since 2021 require hospitals and health plans to publish pricing information online and prohibit gag clauses that restrict sharing of cost and claims data. The Consolidated Appropriations Act of 2021 codified these prohibitions, requiring annual attestation of compliance through the Gag Clause Prohibition Compliance Attestation process, with the first submission deadline on December 31, 2023. Healthcare providers can leverage these regulations by requesting comprehensive pricing data, benchmarking against competitors, and highlighting value metrics to negotiate better reimbursement rates with payers. Despite these regulatory advances, challenges remain including limited enforcement, complex data formats, and the need for stricter penalties to ensure compliance from health plans.
Texas Attorney General Ken Paxton announced the arrest of Maria Margarita Rojas, a 48-year-old midwife who operated multiple clinics in the Houston area. Rojas, known as “Dr. Maria,” was charged with performing illegal abortions and practicing medicine without a license, both serious offenses under Texas law. Her network included three clinics—in Waller, Cypress, and Spring—where unlicensed individuals allegedly posed as medical professionals. The Attorney General’s office has filed for a temporary restraining order to shut down these facilities and may seek civil penalties of at least $100,000 per violation under the Texas Human Life Protection Act of 2021. Texas law specifically holds abortion providers, not patients, criminally responsible for unlawful procedures.
A second person has been arrested in connection with illegal abortion services at clinics operated by a midwife near Houston. Jose Manuel Cendan Ley, a 29-year-old medical assistant, faces charges of performing an illegal abortion and practicing without a license, while Rojas was previously arrested for operating three clinics that allegedly performed illegal abortion procedures. Texas Attorney General Ken Paxton announced that Rubildo Labanino Matos was also arrested for practicing medicine without a license in connection to the investigation. Texas law bans abortion at all stages of pregnancy with exceptions only for life-threatening conditions, with those convicted of performing illegal abortions facing up to 20 years in prison. This case represents the first criminal charges filed under Texas’s near-total abortion ban.
AI in Healthcare
AI healthcare models trained on limited institutional data face challenges in broader applications. Healthcare institutions currently train AI models using data from their own populations, creating systems that work well locally but fail when deployed in different settings due to variations in practice patterns, genetic factors, and lifestyle differences across regions. The isolation of medical data in institutional silos prevents AI from reaching its potential to standardize and improve healthcare globally. To address this, healthcare organizations must implement cross-institutional data sharing frameworks and ensure AI models are trained on diverse populations. The solution requires collaboration between health systems, regulatory support, and transparent validation processes to create AI models that can be trusted and effective across all healthcare settings.
Google is developing multiple AI healthcare initiatives, including TxGemma for drug discovery, Articulate Medical Intelligence Explorer for patient data collection, and a “co-scientist” chatbot for research assistance. The company has partnered with medical centers like Beth Israel Deaconess in Boston and Princess Maxima Center in the Netherlands, where doctors report tasks that once took days now complete in seconds. Meanwhile, Congress continues to extend pandemic-era telehealth rules through short-term solutions rather than permanent legislation, causing concern among healthcare providers about long-term investment in remote care technologies.
The FUTURE-AI framework provides international consensus guidelines for developing trustworthy healthcare AI systems through six guiding principles: fairness, universality, traceability, usability, robustness, and explainability. Developed by a consortium of 117 experts from 50 countries over a two-year period, the framework includes 30 detailed recommendations covering the entire AI lifecycle from design to deployment. FUTURE-AI is designed as a dynamic framework that will evolve with technological advancements and stakeholder feedback to ensure AI tools are technically robust, clinically safe, ethically sound, and legally compliant.
Cybersecurity
HIPAA requires healthcare providers and their business associates to protect patient information in electronic communications. When sending PHI to patients by email or text, a covered entity must either encrypt the message or warn the patient of the risks and obtain consent to proceed over an unsecured channel. For messages from patients, a provider may treat email as an acceptable channel if the patient initiated it, though a warning about the risks is still recommended. Communications with other providers or third parties are held to a stricter standard: a risk warning is not sufficient, and the messages must meet Security Rule requirements through encryption or equivalent safeguards. Note that the Security Rule lists encryption as an "addressable" specification, which means an entity that does not encrypt must document why encryption is not reasonable and appropriate and what equivalent safeguard it uses instead; "addressable" does not mean optional.
Healthcare data breaches reached record levels in 2024, a 9.96% increase over 2023. The healthcare sector ranks second only to finance in the volume of sensitive data it holds, and with 68% of medical devices expected to be network-connected by 2025, wireless communication and cloud storage widen the attack surface. Looking further out, the industry faces quantum-computing threats to today's public-key cryptography; NIST published its first post-quantum cryptography standards (FIPS 203, 204 and 205) in August 2024, yet many organizations still struggle with basic controls such as multi-factor authentication.
A vulnerability in ChatGPT identified last year, widely reported as the server-side request forgery (SSRF) flaw CVE-2024-27564, is being exploited in attacks against healthcare organizations; 35% of the organizations analyzed were unprotected because misconfigured intrusion-prevention, web-application-firewall or firewall rules let the traffic through. A recent report documented more than 10,000 attack attempts in a single week, even though the vulnerability carries only a medium severity rating; a CVSS score describes technical impact, not how often a flaw is exploited, so severity alone is a poor basis for patch prioritization. The American Hospital Association warns that these attacks could lead to data breaches, unauthorized transactions, and regulatory penalties. Healthcare remains the costliest sector for cyberattacks, with the average breach costing nearly $11 million, more than twice the cross-industry average.
The U.S. Department of Health and Human Services' Office for Civil Rights has reached a $227,816 settlement with Health Fitness Corporation for HIPAA Security Rule violations. The settlement, the fifth enforcement action in OCR's Risk Analysis Initiative, resolves an investigation triggered by four breach reports filed between October 2018 and January 2019, after electronic protected health information became discoverable online because of a server misconfiguration. The data of 4,304 individuals was exposed from August 2015 but not discovered until June 2018, and Health Fitness did not conduct a thorough risk analysis until January 2024. Under the agreement, Health Fitness must implement a corrective action plan including annual risk analyses, risk management planning, and policy development, which OCR will monitor for two years.
Dentistry
The Texas Health and Human Services Commission has adopted a rule amendment (published under Adopted Rules, Title 25) requiring that providers be reimbursed for teledentistry services. The amendment allows dentists to use synchronous audiovisual technology to conduct oral evaluations of established clients, making those evaluations more accessible and reducing unnecessary travel for clients in the Texas Health Steps program.
FDA
FDA regulations prohibit compounding pharmacies from creating “essentially a copy” of commercially available drugs unless the modification produces a “significant difference” for an individual patient. Adding B12 to name brand weight loss drugs does not automatically exempt them from being considered copies under Sections 503A and 503B of the Federal Food, Drug, and Cosmetic Act. For a compounded drug to be permissible, the prescribing practitioner must document that the modification creates a significant difference for the specific patient. The FDA established these rules to prevent compounders from circumventing regulatory requirements by making minor changes to commercially available medications.
Medicaid
Medicaid program integrity involves both federal and state responsibilities, with states handling day-to-day administration while the federal government provides support and oversight. There is no comprehensive measure of fraud in Medicaid, though most fraud is committed by providers rather than beneficiaries, with the Health Care Fraud and Abuse Control program recovering $3.4 billion across Medicaid and Medicare in FY 2023. Improper payments, which had a 5.1% rate in 2024, are not equivalent to fraud, as 79.1% resulted from insufficient documentation or administrative errors rather than payments to ineligible recipients. HHS and CMS develop strategies to address program integrity issues, focusing on prevention and early detection rather than just recovery of misspent funds.
HIPAA was designed to balance privacy protections with healthcare efficiency but was never intended as a comprehensive health information privacy law. The healthcare privacy landscape has become increasingly complex due to the explosion of non-HIPAA health data from mobile apps, wearables, and tech platforms that remain largely unregulated. States have created overlapping privacy laws with inconsistent requirements, while the FTC and state attorneys general use general consumer protection authority to fill regulatory gaps. Federal legislation is unlikely to resolve these issues as proposals typically exempt HIPAA-covered entities, potentially creating dual regulatory systems that complicate compliance and impede medical research, public health initiatives, and healthcare innovation.
The Fifth Circuit Court of Appeals affirmed that Memorial Hermann Accountable Care Organization does not qualify for tax-exempt status under Section 501(c)(4) (source: Gordon Feinblatt LLC, "Accountable Care Organization Denied Tax-Exempt Status"). The court applied the "substantial non-exempt purpose" test, determining that Memorial primarily benefited healthcare providers and insurance companies rather than promoting social welfare. Memorial had argued for the application of the "primary purpose test" from Treasury Regulations, but the court rejected this approach while noting it would have reached the same conclusion under either standard. Though currently binding only in Louisiana, Mississippi, and Texas, the ruling suggests Accountable Care Organizations elsewhere may face similar tax treatment.
If you’re a healthcare provider, you likely rely on vendors who handle patient information—your EHR system, billing company, IT support, and more. But how well do you know their security practices?
Before entrusting them with PHI (protected health information), conduct due diligence. Here are some red flags to watch for:
🔴 No mention of HIPAA compliance on their website? That’s a problem.
🔴 Misspelling HIPAA as “HIPPA”? If they can’t spell it, they probably don’t understand it.
🔴 No third-party security certifications? That’s a risk.
🔴 Small vendor with no resources for security audits? That could be a liability.
Don’t assume vendors know what they’re doing—ask tough questions. At the end of the day, your practice is responsible for protecting patient data, and a reckless vendor could expose you to massive penalties.
Have questions? Drop a comment or email me at wade@texashealthlaw.com.
🔒 Privacy is everyone’s responsibility. Take it seriously.
340B
Multiple legal developments occurred in 340B program litigation across the United States. Two amicus briefs were filed supporting a state in a contract pharmacy law appeal case, while a court permitted withdrawal of a preliminary injunction motion in an HRSA audit process case. In a Medicare Advantage payment dispute, the court issued a split decision on accessing damages documentation. Six cases challenging HRSA’s rejection of drug manufacturers’ rebate models saw various legal actions, including the granting of intervention motions and the filing of amicus briefs supporting the defendant. Intervenors in one rebate model case filed supplemental authority, prompting responses from both the plaintiff and supporting amici.
Abortion
Texas and Louisiana have filed lawsuits against a New York physician for providing telehealth abortion services across state lines. The cases challenge shield laws designed to protect out-of-state clinicians who prescribe abortion medication via telehealth, with New York Governor Hochul refusing to comply with extradition requests. Several states including Vermont, Maine, California, Colorado, Massachusetts, and New York have enacted shield laws to protect clinicians from legal consequences when providing abortion care to out-of-state patients. The outcomes of these cases could impact the broader landscape of telemedicine by setting precedents for how states can enforce healthcare laws beyond their borders.
Biometric Data
Texas Representative Capriglione has introduced a bill (HB 3755) aimed at amending the state’s biometric privacy legislation. This bill seeks to include a definition of artificial intelligence and clarifies that the law does not pertain to AI or associated training, processing, or storage, unless conducted for the purpose of uniquely identifying a specific individual.
Data Breaches
A new report analyzing 180 healthcare email breaches from 2024 to 2025 found that 43.3% of incidents involved Microsoft 365 misconfigurations. Healthcare organizations face an average breach cost of $9.8 million, and ransomware attacks have increased 264% since 2018. The HHS Office for Civil Rights has intensified enforcement with significant settlements; the report cites a $9.76 million figure for Solara Medical Supplies, but OCR's announced HIPAA settlement with Solara was $3 million, and the larger figure matches Solara's earlier class-action settlement rather than an OCR penalty. Despite a 50% increase in cybersecurity spending since 2018, 98.9% of breached organizations lacked basic email security controls, and only 1.1% maintained a low-risk security posture. OCR continues to push for proactive HIPAA compliance as email remains the primary attack vector in healthcare.
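The "basic email security controls" most often missing are the DNS-published sender policies that stop a spoofed From: address from reaching a mailbox: SPF, DKIM and DMARC. The script below is an added example, not from the report, that grades a domain's posture from its TXT records and calls out the weak settings that still pass a checkbox audit (`~all`, `p=none`, a missing `rua=`, too many SPF lookups, a revoked DKIM key). The records in `SAMPLE_DNS` are constructed; on a live domain you would substitute the answers from `dig +short TXT <name>`.

```python
"""Grade a mail domain's SPF / DMARC / DKIM posture from its DNS TXT records.

Added illustration, not from the cited breach report. The records below are
constructed stand-ins for DNS answers; replace SAMPLE_DNS with real lookups
(for example `dig +short TXT _dmarc.example.com`) to assess a live domain.
"""
import re

# Constructed sample zone: TXT records keyed by owner name.
SAMPLE_DNS = {
    "clinic-weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.clinic-weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-weak.example"],
    "clinic-strong.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.clinic-strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@clinic-strong.example"],
    "selector1._domainkey.clinic-strong.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedKeyBlob"],
    "clinic-none.example": [],
}

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at ten).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


def tags_of(record):
    """Parse 'k=v; k=v' (DMARC and DKIM syntax) into a lowercase-keyed dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(domain, dns, findings):
    recs = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if not recs:
        findings.append(("critical", "SPF", "no v=spf1 record; any host may send as this domain"))
        return
    if len(recs) > 1:
        findings.append(("critical", "SPF", "multiple v=spf1 records; receivers treat this as permerror"))
    terms = recs[0].split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(("critical", "SPF", f"{lookups} lookup terms exceed the 10-lookup limit; result is permerror"))
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None:
        findings.append(("warning", "SPF", "no 'all' mechanism; unmatched senders get a neutral result"))
    elif qualifier in "+?":
        findings.append(("critical", "SPF", f"'{all_term}' lets every host pass or be neutral"))
    elif qualifier == "~":
        findings.append(("warning", "SPF", "~all is softfail; only DMARC turns it into a rejection"))


def check_dmarc(domain, dns, findings):
    recs = [r for r in dns.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        findings.append(("critical", "DMARC", "no _dmarc record; spoofed From: headers are not policed"))
        return
    t = tags_of(recs[0])
    policy = t.get("p", "").lower()
    if policy == "none":
        findings.append(("warning", "DMARC", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("critical", "DMARC", f"missing or invalid p tag {policy!r}; record is ignored"))
    if policy in ("quarantine", "reject") and t.get("pct", "100") != "100":
        findings.append(("warning", "DMARC", f"pct={t['pct']} applies the policy to only part of the mail"))
    if "rua" not in t:
        findings.append(("warning", "DMARC", "no rua= address; spoofing attempts go unreported"))


def check_dkim(domain, selectors, dns, findings):
    if not selectors:
        findings.append(("warning", "DKIM", "no selector supplied; signing keys not verified"))
    for sel in selectors:
        recs = dns.get(f"{sel}._domainkey.{domain}", [])
        if not recs:
            findings.append(("critical", "DKIM", f"selector {sel} has no key record; signatures fail"))
        elif not tags_of(recs[0]).get("p"):
            findings.append(("critical", "DKIM", f"selector {sel} publishes an empty p=, i.e. a revoked key"))


def assess(domain, selectors=(), dns=SAMPLE_DNS):
    """Return grade plus (severity, mechanism, detail) findings for a domain."""
    findings = []
    check_spf(domain, dns, findings)
    check_dmarc(domain, dns, findings)
    check_dkim(domain, selectors, dns, findings)
    levels = {f[0] for f in findings}
    grade = "critical" if "critical" in levels else "needs-attention" if "warning" in levels else "low-risk"
    return {"domain": domain, "grade": grade, "findings": findings}


if __name__ == "__main__":
    for dom, sels in [("clinic-strong.example", ("selector1",)), ("clinic-weak.example", ()), ("clinic-none.example", ())]:
        r = assess(dom, sels)
        print(f"{dom}: {r['grade']}")
        for sev, mech, detail in r["findings"]:
            print(f"  [{sev}] {mech}: {detail}")
```

The "weak" domain is the common case: it has SPF and DMARC records, so a superficial check passes, yet `~all` plus `p=none` means a spoofed message is delivered and merely reported. Moving to `p=quarantine` and then `p=reject` once the `rua=` reports show no legitimate senders failing alignment is the fix, and DKIM selectors should be checked per sending platform, since a revoked or missing key silently breaks alignment.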
Central Texas Pediatric Orthopedics, an Austin-based medical practice filed a data breach notice with the Texas Attorney General on March 6, 2025. The breach exposed sensitive patient information including names, medical information, health insurance details, and government-issued identification for at least 90,000 people. The practice has begun sending notification letters to affected individuals, though they have not posted a website notice or press release about the incident. The source of the breach remains unclear, as it could have originated from either CTPO directly or one of their vendors.
In 2024, healthcare data breaches affected 53% of the U.S. population, with 13 breaches each exposing more than 1 million records, including the Change Healthcare breach, initially reported at 100 million individuals and later revised to about 190 million. In response, the Department of Health and Human Services issued a Notice of Proposed Rulemaking to modify the HIPAA Security Rule that, for the first time, addresses AI systems that process electronic protected health information. The proposal would require regulated entities to maintain technology asset inventories, conduct risk analyses that cover AI systems handling health data, and monitor those systems for vulnerabilities. In practice that means an AI governance program: an up-to-date list of the AI tools in use, review of what data each can access, and remediation of the security gaps found. The proposed changes are framed as protection against emerging threats, including attackers who use AI to adapt their tooling and evade detection.
Emerging Technologies
A research paper published in the Journal of Theoretical and Computational Advances in Scientific Research presents a framework combining blockchain and AI technologies for healthcare data integration. The blockchain component provides a secure platform for sharing medical records between healthcare providers, patients, and researchers. AI algorithms process the integrated data to enable predictive analysis, automated diagnostics, and personalized treatment recommendations. The framework addresses challenges in healthcare data privacy, interoperability, and efficiency through secure data integration and intelligent decision-making.
Fraud & Abuse
A Plano pharmacist was sentenced to 17.5 years in prison and ordered to pay $115 million in restitution for orchestrating a $145 million healthcare fraud scheme. Between 2014 and 2017, Dehshid Nourian and his co-conspirators paid bribes to doctors who prescribed unnecessary compound creams to federal workers, which were mixed by teenagers for $15 but billed to the Department of Labor for up to $16,000 per prescription. The pharmacies collected $90 million through this scheme while attempting to evade $24 million in taxes through money laundering operations. A federal jury convicted Nourian on multiple counts of healthcare fraud, money laundering, and tax evasion, leading to the forfeiture of $405 million in assets including brokerage accounts, real estate, and vehicles. The case represents the largest healthcare fraud forfeiture in Department of Justice history.
An El Paso physician has agreed to pay $468,626 to resolve allegations under the Federal False Claims Act. The United States alleged that Dr. John Patterson received kickbacks from Nursemind Home Care Inc. to falsely certify ineligible patients for hospice services, resulting in fraudulent claims to federal healthcare programs. Patterson received cooperation credit for assisting with the investigation and agreeing to testify in related criminal cases. The investigation led to the criminal prosecution of Nursemind Home Care owner Zenia Chavez, who pleaded guilty to conspiracy charges.
Texas has secured a $40 million settlement from Molina Healthcare through the state’s Healthcare Program Enforcement Division. The case involved Molina Healthcare, a Fortune 500 company that manages care for Medicaid STAR+PLUS program members who are disabled, blind, or over 65 years old. The settlement stems from allegations that Molina failed to conduct timely assessments of Medicaid beneficiaries and hid this non-compliance from Texas authorities. A whistleblower initiated the case under the Texas Health Care Program Fraud Prevention Act’s qui tam provisions.
Healthcare fraud enforcement will remain a priority despite potential regulatory rollbacks under a second Trump administration, according to a new report. The COVID-19 Fraud Enforcement Task Force has pursued over 3,500 criminal cases and secured $1.4 billion in seizures, with nursing homes facing scrutiny over false claims and misuse of relief funds. Recent court decisions may provide new defenses for healthcare providers, including Zafirov, in which a federal district court in Florida held the False Claims Act's qui tam (whistleblower) provisions unconstitutional, a ruling now on appeal, and Loper Bright, in which the Supreme Court eliminated Chevron deference to agencies' interpretations of the statutes they administer. The Supreme Court's Jarkesy decision, requiring jury trials for civil penalties, could affect 20 pending cases before the HHS Departmental Appeals Board.
Office of Inspector General
The U.S. Department of Health and Human Services Office of Inspector General has released updated compliance guidance for nursing facilities, marking its first revision since 2008. The guidance focuses on preventing fraud and abuse through proper billing practices, documentation requirements, and monitoring of financial arrangements between facilities and referral sources. Nursing facilities must implement robust compliance programs that include regular audits, staff training, and oversight from responsible individuals including investors. The OIG specifically highlights concerns about joint ventures, pharmacy arrangements, hospice relationships, and “tunneling” practices that could violate anti-kickback laws.
A federal audit found that Texas failed to fully comply with federal waiver and state health, safety, and administrative requirements at all 20 adult day activity and health service facilities examined. The Office of Inspector General (OIG) reported 253 instances of provider noncompliance, including deficiencies in facility maintenance, staff qualifications, and regulatory adherence. Of the 20 audited providers, 19 failed to meet one or more health and safety requirements, while 19 also violated administrative regulations. The report recommended corrective actions, improved oversight, and enhanced facility staffing and training. Texas agreed with the recommendations and outlined steps to address the issues.
Patents
The Federal Circuit addressed the patentability of "obvious" pharmaceutical dosing methods. In ImmunoGen, Inc. v. Stewart, the parties agreed that a method of using the recited immunoconjugate (IMGN853) to treat FOLR1-expressing ovarian cancer or cancer of the peritoneum was known in the art at the time of filing. Whether the claims were patentable over the prior art therefore turned on whether the recited dosing limitation of "6 mg per kg of AIBW of the patient" would have been obvious to a person of ordinary skill in the art (POSITA) at the time of filing. The court held that the dosing method would have been obvious to try because it overlapped with known dosing schemes, and therefore was not patentable. The ruling sets a high bar for proving non-obviousness of dosing regimens for known drugs, even where the effects are unpredictable.
Weight Loss Drugs
A U.S. District Court ruled in favor of the FDA on March 5, 2025, denying the Outsourcing Facilities Association’s motion for a preliminary injunction and stay regarding tirzepatide compounding. The case emerged after tirzepatide products Mounjaro and Zepbound were placed on the drug shortage list in December 2022 due to high demand, allowing compounding facilities to produce copies under specific regulations. The FDA declared the shortage resolved, ending the compounding permission for 503A pharmacies immediately and setting a March 19, 2025 deadline for 503B facilities. The OFA filed an appeal on March 10, 2025, while questions remain about whether modified compound versions of the drug could continue under patient-specific need provisions. The FDA has not yet taken a position on these modified compounds, though their status may depend on whether they are considered copies of commercially available products.
Dr. David Young, 61, of Fredericksburg, Texas, has been sentenced to 10 years in prison for Medicare fraud. The physician signed thousands of fake prescriptions and medical records for orthotic braces and cancer genetic testing for over 13,000 Medicare beneficiaries, resulting in more than $70 million in fraudulent healthcare program billing. Young received $475,000 for signing the fake prescriptions and must pay $26,622,522 in restitution.
FDA
A U.S. District Court has allowed Novo Nordisk to intervene in a case between the FDA and compounding pharmacies. Compounders sued the FDA for removing weight loss drugs from its shortage list, which had previously allowed them to produce copycat versions of Novo’s semaglutide products. The compounders claim the agency’s decisions were arbitrary and that shortages persist. Novo Nordisk cited safety concerns and investment protection in its motion to intervene, which was unopposed by both the FDA and the compounders. Eli Lilly has also filed a motion to intervene in the ongoing legal proceedings.
Medicare
CMS has revised its Medicare overpayment rule, replacing the “reasonable diligence” standard with a “knowingly” standard that only requires action when providers are aware of overpayments. The update extends the investigation timeline, giving healthcare organizations 180 days to conduct investigations before the 60-day repayment clock begins. Organizations must keep documentation of compliance efforts and implement processes for identifying, reporting, and returning overpayments. Healthcare providers who fail to address identified overpayments risk penalties under the False Claims Act, which can include treble damages and civil penalties. The new framework tries to streamline compliance while maintaining accountability through structured investigation protocols and documentation requirements.
Medicare reimbursement rates for radiologists have declined by 24.9% from 2005 to 2021 after inflation adjustments, while the average starting salary for radiologists reached $472,000 in 2023, representing a 17.7% increase since 2020. The workforce faces significant pressures with 56.4% of diagnostic radiologists being 55 or older, while new trainees are only increasing by 2.5% annually. The implementation of the No Surprises Act has complicated reimbursements for out-of-network services, and healthcare cybersecurity costs have reached $10.93 million per data breach in 2023. These challenges are pushing independent radiology groups to seek financial subsidies from hospital partners to maintain operations.
Nonprofits
Nonprofit healthcare organizations are increasingly pursuing mergers to address economic challenges and improve care delivery. These mergers can take the form of either member substitutions, where one organization becomes a controlling member while both entities remain separate, or true mergers that combine organizations into a single legal entity. The consolidations try to achieve cost efficiencies, increase bargaining power with insurance companies, and improve access to capital for technology investments and facility improvements. Mergers also enable organizations to expand their geographic reach, enhance quality of care, and invest in innovations like telemedicine and data analytics. The process requires careful consideration of mission alignment, organizational culture, and governance structures to ensure the merged entity can effectively serve its community while maintaining financial stability.
Physician-Patient
Healthcare providers who wish to terminate a patient relationship must follow specific protocols to avoid patient abandonment claims. The process requires providers to notify patients in writing of the termination, explain the reasons professionally, and give patients reasonable time (typically 30 days) to find new care. During the transition period, providers must continue necessary care and facilitate the transfer of medical records to the new provider. While providers can terminate patient relationships for valid reasons like non-compliance or non-payment, they must follow applicable laws regarding discrimination and emergency care, with exceptions only for situations posing immediate safety risks.
Ransomware
Cybersecurity firm Cyble reports 599 new ransomware victims in February 2025, up from 518 in January, with U.S. organizations experiencing a 149% increase in attacks compared to 2024. North American targets face increased attacks due to their perceived likelihood of paying ransoms, despite overall ransom payments declining by 35% year-over-year according to Chainalysis. The ransomware landscape has shifted as LockBit’s dominance waned following law enforcement intervention, while Cl0p now leads with 81 attacks, followed by Akira, Lynx, and Qilin. Construction, professional services, and healthcare remain primary targets, with construction experiencing 50 attacks, professional services 47, and healthcare 33 attacks in 2025. IT services companies continue to face attacks due to their potential as gateways to downstream clients.
Healthcare organizations have sent a letter to President Trump and HHS requesting the withdrawal of proposed HIPAA Security Rule updates. The healthcare sector has experienced 5,887 large data breaches since 2009, with hacking incidents increasing by 239% between 2018 and 2023, now accounting for 79.7% of all breaches. Healthcare groups cite concerns about financial burdens, conflicts with the HITECH Act, and implementation timeline challenges in their opposition to the proposed security updates. The Office for Civil Rights currently has 857 data breaches under investigation, with limited progress in clearing the backlog due to funding constraints. While earlier breaches primarily resulted from lost or stolen records, the current threat landscape shows a shift toward hacking and ransomware attacks as primary security challenges.
Stark Law
The Centers for Medicare & Medicaid Services settled 314 Stark Law self-disclosures in 2024, collecting $24.7 million in settlements. The number of settlements in 2024 exceeded the combined total of the previous two record years and represented over one-third of all settlements in the program’s 14-year history. The average settlement amount was $78,781.39, consistent with trends from recent years, while 51 submissions were withdrawn during 2024. CMS has increased its processing speed for settlements, with some cases now resolved within the same calendar year as submission, marking a significant improvement from previous processing times. The smallest settlement in 2024 was $4, while the largest settlement on record remains $1,196,188 from 2018.
Transparency
On February 25, 2025, President Trump signed an executive order focusing on healthcare price transparency. The order instructs the secretaries of Treasury, Labor, and Health and Human Services to implement new requirements within 90 days, mandating disclosure of actual prices rather than estimates. The directive tries to standardize pricing information across hospitals and health plans while updating enforcement policies for transparent reporting. Under current rules, hospitals must publish machine-readable files of standard charges using Centers for Medicare & Medicaid Services templates and provide price estimator tools for shoppable services.
Twenty US states have enacted comprehensive privacy laws that regulate health data usage in digital advertising. The Federal Trade Commission and state regulators have expanded definitions of health data to include browsing histories, location information, and medical purchases, with Washington and Nevada implementing specific consumer health data laws requiring detailed consent. The Dobbs v. Jackson Women’s Health decision has accelerated concerns about health data privacy, particularly regarding reproductive healthcare information. Companies are adapting through various strategies including national opt-in consent standards, data suppression in certain states, increased due diligence, and demographic-based targeting instead of individual health data. Despite potential changes in federal enforcement under the new administration, state-level regulation of health data is expected to increase, particularly in Democratic-leaning states.
Artificial Intelligence
AI in healthcare currently faces mixed results across different applications. AI-powered ambient scribing tools for clinical documentation show varying effectiveness, with some studies indicating time savings while others suggest increased time spent on records. Clinical decision support tools, particularly for sepsis detection, struggle with accuracy and false positives, though tools like Sayvant offer promise in medical decision-making documentation. AI also shows potential for medical record summarization, though current limitations necessitate a measured approach focused on targeted innovations rather than transformation.
OpenAI and Oracle have announced the Stargate AI infrastructure project, a $500 billion initiative backed by Softbank and MGX to develop next-generation AI infrastructure over four years. Project leaders claim it will revolutionize healthcare through capabilities like 48-hour personalized cancer vaccines and improved disease treatments, while studies show AI can match doctor accuracy in diagnoses. However, experts suggest there are implementation challenges including payment systems, clinician training, and integration across healthcare facilities.
Corporate Practice of Medicine
Physician Practice Management (PPM) structures split operations between a physician practice professional corporation and a management services organization to comply with medical practice laws. Combining employees from both entities under one health plan creates a multiple employer welfare arrangement (MEWA), which faces regulatory burdens and potential state law violations. To avoid MEWA complications, organizations can implement mirror plans with pooled stop-loss insurance, establish separate level-funded plans, or purchase coverage through a professional employer organization (PEO). These alternatives help PPM entities maintain compliant health coverage while avoiding the complexities of MEWA regulations. The solutions enable cost savings through larger group ratings while preserving the intended separation between clinical and business operations.
Fraud, Abuse and Waste
The U.S. Department of Justice filed a False Claims Act complaint against an Idaho home health agency and its owner on February 25, 2025. The agency received $1.8 million in PPP loans in 2020 while certifying they were not engaged in illegal activity, but the owner later pled guilty to Medicaid fraud covering 2018-2021, resulting in a 180-day jail sentence and $146,000 restitution order. The Justice Department now seeks $5.4 million plus penalties from the agency and its owner, arguing the SBA would not have forgiven the PPP loans had they known about the fraudulent Medicaid billing. The case demonstrates how past certifications can create additional liability when criminal conduct is discovered, even years after the fact.
The Fourth Circuit Court of Appeals has rejected a challenge from the Pharmaceutical Coalition for Patient Access regarding an unfavorable advisory opinion on their proposed Medicare Part D assistance program. The Coalition had planned to implement a program where drug manufacturers would subsidize copayments for cancer patients meeting specific income criteria who were prescribed their medications. The Office of Inspector General (OIG) determined this program could violate the Anti-Kickback Statute by inducing patients to select specific drugs based on financial incentives rather than medical necessity and allowing manufacturers to charge higher prices. The Fourth Circuit upheld the OIG’s opinion, interpreting “induce” and “remuneration” broadly under the Anti-Kickback Statute and dismissing arguments about multiple manufacturers negating quid pro quo arrangements. The court also ruled that claims of disparate treatment were unreviewable since enforcement decisions lie solely with the agency.
The 2016 21st Century Cures Act established rules against information blocking in healthcare electronic records to promote data sharing and competition. The Department of Health and Human Services and Federal Trade Commission collaborated to implement these rules, requiring fair licensing terms for protected health information. In January 2024, Real Time Medical Systems filed the first lawsuit under these rules against PointClickCare Technologies, alleging that PCC blocked access to health records through unsolvable CAPTCHA walls to hinder competition. The District Court of Maryland granted Real Time a preliminary injunction, and the case is now on appeal to the Fourth Circuit. The case marks the first enforcement action of the Cures Act’s information blocking provisions since its enactment.
Insurance
A new American Medical Association survey reveals that prior authorization requirements create barriers to patient care, with physicians reporting increased denials over the past five years and concerns about AI-driven review systems. The survey found that prior authorization led to care delays, with 77% of physicians reporting patients had to attempt ineffective treatments first, and 23% noting hospitalizations due to authorization delays. A Senate report indicated that AI systems deny claims up to 16 times more frequently than human reviewers, prompting the AMA to warn against unregulated AI in medical decision-making. Despite lawmaker scrutiny and legal challenges, experts predict insurers will continue implementing AI review systems, potentially forcing providers to adopt their own AI tools for claims submission.
A new American Medical Association survey reveals that 61% of doctors worry about insurers using AI to increase treatment pre-approval denials. The survey found that 93% of physicians report prior authorization delays care, while 82% say patients sometimes abandon treatment due to these delays. Despite 66% of doctors using AI in their practices, 49% want increased regulatory oversight of how insurers employ AI in the approval process. Hospitals report increasing claim denials attributed to AI tools, with 89% of doctors stating that prior authorization battles contribute to burnout. The process impacts patient care, with 29% of doctors reporting serious adverse events due to authorization delays, and 23% noting patients requiring hospitalization as a result.
Security
The Department of Health and Human Services has proposed updates to the HIPAA Security Rule on January 6, 2025, with comments open until March 7, 2025. The updates eliminate the distinction between “required” and “addressable” standards, making all security measures mandatory for healthcare entities. The new requirements include encryption, multifactor authentication, regular security audits, vulnerability scans, data backup procedures, and network mapping. The Privacy Rule changes reduce patient record request fulfillment time from 30 to 15 days and allow patients to photograph their health information in designated private areas. Healthcare providers must implement these changes and retrain staff on the new requirements once finalized.
The U.S. Department of Health and Human Services proposes updates to the HIPAA Security Rule due to widespread adoption of electronic health records, with 80% of physicians’ offices and 96% of hospitals using them as of 2021. The updates aim to address increased cybersecurity risks in healthcare delivery systems and establish centralized security standards, as current voluntary guidelines have seen inconsistent implementation. HHS chose a prescriptive approach rather than recognizing existing frameworks for safe harbor incentives, despite the 2021 HITECH Act amendments. The proposed changes, which have a public comment deadline of March 7, 2025, would raise security standards and potentially burden smaller providers, though HHS maintains the rules allow for flexibility in implementation.
Taxation
The Fifth Circuit Court upheld the Tax Court’s denial of tax-exempt status for Memorial Hermann Accountable Care Organization (MHACO) under Section 501(c)(4). MHACO, formed in 2012 as a not-for-profit corporation, participated in the Medicare Shared Savings Program while also serving patients with Medicare Advantage and employer-sponsored health plans. The court applied the substantial-nonexempt-purpose test, determining that MHACO’s operations primarily benefited commercial insurers rather than promoting social welfare, as 81% of its patients had employer-sponsored insurance. The court noted that MHACO’s members-only structure, which excluded uninsured individuals, failed to benefit the greater Houston community and thus did not qualify for tax exemption.
Transgender Care
Texas has filed a lawsuit against Dr. Hector Granados and two other doctors for allegedly violating a 2023 law banning gender-affirming care for minors. The state claims Granados prescribed testosterone to a 16-year-old patient after the ban, while he maintains he only prescribed it for hormone deficiencies, not gender transition. Texas is among 27 states that have restricted or banned treatments like puberty blockers and hormone therapy for minors, with some families now seeking care in states like New Mexico where such treatments remain legal. The trial is set for October, and if found guilty, Granados and his co-defendants, Dr. May Lau and Dr. M. Brett Cooper, could lose their medical licenses and face fines. Attorney General Ken Paxton states his office will enforce the ban, while doctors must choose between their ethical duties and maintaining their ability to practice medicine.
A recent American Medical Association survey of 1,183 physicians shows AI usage among doctors increased from 38% in 2023 to 66% in 2024. Physicians use AI primarily for visit documentation, discharge summaries, care plans, translation services, and medical research summaries, with 68% reporting AI provides advantages in patient care. While 36% of physicians express excitement about AI, up from 30% in 2023, 47% believe increased oversight is needed to build trust in the technology. The survey reveals physicians want features like feedback channels, data privacy assurances, EHR integration, and proper training to advance AI adoption in healthcare.
Healthcare will transform from centralized hospitals to an invisible, integrated system woven into daily life through AI and edge computing. The shift is driven by younger generations demanding personalized care, advancing biometric technology, and the convergence of diagnostic capabilities into smaller devices. By 2051, healthcare will move into homes and repurposed community spaces, with AI-powered preventive care and mental health support becoming standard features of everyday environments. Wearable technology will predict health issues decades in advance, while household items will continuously collect health data and provide real-time monitoring.
Organizations are shifting from static AI compliance to continuous governance models as AI systems become more integrated into business operations. The EU AI Act and U.S. regulations require companies to implement real-time monitoring, vendor oversight, and cross-functional governance structures to manage AI risks. Organizations must address challenges including model drift, data provenance, third-party transparency, and AI liability through continuous auditing and risk assessment frameworks. Companies need to balance AI explainability with intellectual property protection while ensuring compliance with privacy regulations like GDPR and CCPA. Those who adopt proactive AI governance frameworks position themselves for competitive advantage in responsible AI innovation.
The FDA announced on February 21 that the semaglutide injection product shortage has ended, removing it from the Drug Shortage List where it had been since 2022. The medication, used for Type 2 diabetes and weight loss, will face new restrictions on compounding, with state-licensed pharmacies and physicians having until April 22, 2025, and outsourcing facilities until May 22, 2025, to comply with FDA regulations. Healthcare providers will no longer be able to compound versions of semaglutide that are copies of brand-name products, requiring patients to switch to brand-name medications. The changes will impact medical practices, pharmacies, outsourcing facilities, and telehealth companies that have been providing compounded versions of the medication at lower costs than brand-name alternatives. Healthcare providers must consult with attorneys to ensure compliance with the new regulations before the deadlines.
Fraud & Abuse
The United States Court of Appeals for the First Circuit ruled that kickbacks must be the “but-for” cause of claim submissions to establish falsity in False Claims Act cases based on Anti-Kickback Statute violations. The ruling emerged from United States of America v. Regeneron Pharmaceuticals, Inc., which examined whether Medicare claims for Eylea influenced by kickback violations through copayment coverages constituted false claims. While Regeneron advocated for the stricter but-for causation standard already adopted by the Sixth and Eighth Circuits, the government pushed for the Third Circuit’s more lenient approach requiring only proof of a causal link between claims and AKS violations. The First Circuit’s decision to adopt the but-for standard will limit the scope of actionable FCA claims and affect how the government and whistleblowers pursue damages for AKS violations in federal healthcare programs.
The Justice Department has launched a civil fraud investigation into UnitedHealth Group’s Medicare billing practices, focusing on how the company records diagnoses that trigger extra payments from Medicare Advantage plans. The investigation follows Wall Street Journal reports that UnitedHealth received $8.7 billion in federal payments in 2021 for diagnoses added to patient records without doctor treatment, with each nurse home visit generating an average of $2,735 in additional payments. The DOJ has interviewed medical providers about UnitedHealth’s practices of promoting specific diagnoses and offering incentives to add them to patient records, while the company’s shares fell 7% on news of the investigation, erasing $30 billion in market value. This probe adds to existing scrutiny of the $400 billion company, which includes a separate antitrust investigation and a lawsuit to block its $3.3 billion acquisition of Amedisys.
A Texas State Senator filed a bill requiring explicit consent for medical research on corpses in Texas. The legislation responds to an NBC News investigation that revealed UNT Health Science Center used unclaimed bodies for experiments and leased body parts to companies without contacting families. Current Texas law allows medical institutions to use unclaimed bodies after attempting to notify relatives within 72 hours, but the new bill would require prior written consent from the deceased or next of kin. Following the investigation, UNT Health Science Center leaders were fired, the Willed Body Program was suspended, and the university president stepped down, while Tarrant County ended its relationship with the program.
HIPAA
The U.S. Department of Health and Human Services has proposed updates to HIPAA Security Rule requirements in a new Notice of Proposed Rulemaking. The updates include mandatory implementation specifications for contingency plans, requiring exact backup copies of electronic protected health information and system restoration within 72 hours of an event. The proposal introduces a new vulnerability management standard requiring automated scanning every six months, ongoing monitoring of known vulnerabilities, annual penetration testing, and timely software patches. Business associates must notify covered entities within 24 hours of activating contingency plans, and regulated entities must maintain written security incident response procedures. The public comment period for these proposed changes ends March 7, 2025.
The US Department of Health and Human Services issued a proposed update to the HIPAA Security Rule in June 2024 to strengthen cybersecurity requirements for electronic protected health information. Mobile healthcare apps present unique security challenges, with 79% of healthcare organizations experiencing API-related security incidents in 2023. The proposed rule should include specific requirements for mobile app security, including protection against cloned apps, device manipulation, man-in-the-middle attacks, and API key exposure.
Medicare
Medicare Advantage plans required approximately two prior authorizations per enrollee in 2023, while Traditional Medicare required only 0.01 per beneficiary. Prior authorization requirements for Medicare Advantage plans increased to 50 million in 2023, up from 42 million in 2022, despite CMS rules aimed at reducing these requirements. A Senate report revealed that the three largest Medicare Advantage insurers intentionally denied prior authorizations to increase profits, with United Healthcare’s denial rate for skilled nursing facility stays rising 800% between 2019 and 2022. While 3.2 million prior authorization requests were denied in 2023, only 11.7% were appealed, though 81.7% of appeals resulted in overturned denials. The process impacts skilled nursing facilities through delayed admissions, reduced patient volume, and revenue loss.
Medicare physician payments have seen only an 11% increase from 2001 to 2021 while practice costs rose 39%. The Centers for Medicare & Medicaid Services implemented a 2.83% reimbursement cut for 2025, prompting concerns about practice viability and patient access. Congress replaced the problematic Sustainable Growth Rate formula with MACRA in 2015, introducing value-based payment models through MIPS and APMs. A bipartisan bill called the Medicare Patient Access and Practice Stabilization Act was introduced in January 2025 to reverse the cuts, with a critical March 14 deadline looming for Congress to act on budget measures that could affect physician payments.
Colorado’s new Artificial Intelligence Act will take effect on February 1, 2026, requiring healthcare providers to prevent algorithmic discrimination in AI systems that make consequential decisions about patient care. The law mandates that organizations using high-risk AI systems implement risk management policies, conduct impact assessments, and provide transparency about AI usage to patients. Healthcare providers must notify individuals before AI makes consequential decisions and allow appeals for adverse outcomes, while the Colorado Attorney General holds exclusive enforcement authority. Organizations with fewer than 50 employees who don’t train their own AI models are exempt from many compliance requirements, though the law’s reach extends to any business serving Colorado residents.
Antitrust
President Trump’s return to the White House signals a shift in antitrust enforcement approach for private equity firms. The administration has appointed Andrew Ferguson as FTC chair and nominated Gail Slater to lead the DOJ’s antitrust division, replacing Lina Khan and Jonathan Kanter respectively. The Trump administration is expected to be more accepting of negotiated settlements and divestitures involving private equity, moving away from the Biden administration’s stricter stance on merger enforcement and roll-up acquisitions. While antitrust scrutiny will continue, particularly in Big Tech and healthcare sectors, new HSR premerger notification rules taking effect in February 2025 will require closer monitoring of interlocking directorates. PE firms must maintain compliance protocols for board appointments as the new HSR form enhances the ability to detect potential violations of Section 8 of the Clayton Act.
States are taking a more active role in healthcare antitrust enforcement through state-level transaction notification regimes known as “Baby HSRs” or “Mini HSRs.” These state regulations impose requirements on healthcare transactions that may fall below federal HSR Act thresholds, with states implementing additional scrutiny for private equity involvement in healthcare deals. States cite concerns that profit motives could reduce quality of care as justification for increased oversight of private equity transactions. The regulations vary by state, with some imposing more stringent requirements than federal rules, and many states continue to implement or expand their healthcare transaction approval processes.
Biometric Data
Three states in the U.S. – Illinois, Texas, and Washington – have established laws to regulate biometric data collection and usage. Illinois’ BIPA stands as the strictest law, requiring written notice, explicit consent, and public data retention schedules, while allowing individuals to file lawsuits for violations. Texas’ CUBI and Washington’s statute mandate notice requirements and data protection measures but do not permit private lawsuits. Organizations must comply with these regulations when collecting biometric data such as facial features, voice patterns, and fingerprints, while implementing security measures to protect this information.
Drugs & Devices
A Texas judge ordered Dr. Maggie Carpenter to pay over $100,000 in penalties for prescribing abortion pills via telemedicine to a woman near Dallas. New York Governor Kathy Hochul rejected Louisiana’s request to extradite Carpenter, who faces criminal charges in Louisiana for prescribing abortion pills to a minor. The Texas ruling includes an injunction preventing Carpenter from prescribing abortion medication to Texas residents, while Louisiana’s case marks the first criminal charges against a doctor for prescribing abortion pills across state lines. Both cases will test New York’s shield law, which protects doctors who prescribe abortion medication to patients in states where abortion is restricted.
Texas convenience stores are selling synthesized Kratom products containing 7-Hydroxymitragynine, a substance that acts like opioids in the brain. While natural Kratom has been used traditionally in Southeast Asia, companies are now creating concentrated pills that are 97% pure 7-OH, far exceeding the 2% limit set by Texas law. The Texas Kratom Consumer Protection Act outlaws these synthetic versions, but state officials are not enforcing the regulations. The Global Kratom Coalition reports 24 million Americans use Kratom, though the synthesized versions sold in stores can lead to addiction and withdrawal symptoms.
The FDA has published final guidance on communications about unapproved uses of approved medical products on January 6, 2025. The guidance defines SIUU communications as firm-initiated exchanges with healthcare providers about scientific information on unapproved uses, requiring specific disclosures and source publications. The document clarifies what constitutes “scientifically sound” studies, removes requirements for plain language, and provides new rules about separating promotional from scientific communications. The guidance also addresses “calls to value,” prohibiting communications that pre-judge product benefits while allowing those that present scientific information for clinical decision-making. The FDA maintains core policies while requiring firms to update their internal procedures to align with the new guidance.
The FDA has issued its first guidance on using artificial intelligence models in drug development and regulatory submissions, with a public comment period open through April 7. The guidance introduces a seven-step risk-based framework for assessing AI model credibility, covering nonclinical, clinical, postmarketing, and manufacturing phases while excluding drug discovery and operational efficiencies. FDA recommends implementing life cycle maintenance plans to monitor AI models’ ongoing performance and ensure they remain suitable for their context of use. The guidance emphasizes early engagement with FDA through various programs like the Center for Clinical Trial Innovation and the Complex Innovative Trial Design Meeting Program. President Trump signed an executive order on January 23 to remove barriers to AI leadership, rescinding previous Biden administration restrictions on AI development.
Fraud & Abuse
Healthcare fraud schemes are increasingly using AI to generate false claims and clone medical records, with losses representing 3% of total healthcare expenditures, amounting to $144 billion annually based on 2023’s $4.8 trillion U.S. health spending. Healthcare organizations are implementing both supervised and unsupervised machine learning models to detect fraud patterns and suspicious billing behaviors. The technology helps special investigation units identify emerging fraud schemes more quickly than traditional rules-based systems. Health plans are advised to use AI as a complement to human expertise while implementing strategies such as cross-plan data analysis and verification of member tips.
The Department of Health and Human Services has postponed the effective date of modifications to the NCPDP Retail Pharmacy Standards and the Medicaid Pharmacy Subrogation Standard to April 14, 2025. The delay follows President Trump’s January 20 memorandum calling for a regulatory freeze pending review, with Acting Secretary Dorothy A. Fink citing the need to review questions of fact, law, and policy. The final rule updates standards for electronic healthcare transactions, including claims, eligibility, authorization, and benefits coordination. The postponement will affect the compliance timeline, pushing the full compliance date beyond February 2028, and allows time to correct an error in the transition period calculation, which was originally set to begin August 11, 2027, but should have been June 11, 2027. HHS has waived notice and comment requirements, making the delay effective immediately upon Federal Register publication.
Private Equity
A report released by federal agencies analyzing over 2,000 public comments reveals concerns about healthcare industry consolidation and private equity investment. The report identifies issues including higher prices from provider consolidation, quality reductions in PE-backed transactions, and PE firms controlling up to 50% of physician practices in some metropolitan areas. Studies show PE acquisitions correlate with safety issues and reduced quality in healthcare facilities, while physicians report concerns about understaffing and restricted referrals. In response, Massachusetts passed legislation in 2025 granting new powers to review healthcare transactions involving PE firms, though the federal agencies’ continued focus on PE may shift under the Trump administration.
Private equity firms were connected to 56% of large corporate bankruptcies across industries in 2024, with healthcare showing a particularly high rate. Of eight major healthcare bankruptcies with liabilities over $500 million, seven involved companies with private equity ownership history. The healthcare sector’s 21% rate of private equity-related bankruptcies exceeded the broader economy’s 11% rate and matched 2023 levels. The Private Equity Stakeholder Project reports these bankruptcies can result in healthcare facility closures and disrupted patient care. Valentina Dabos from PESP emphasizes these trends raise concerns for policymakers, investors, and consumers.
Healthcare mergers and acquisitions are expected to increase in 2025 as inflation eases and interest rates decline. Private equity transactions with physician practices typically involve a combination of cash payment and rollover equity through management services organizations, with rollover equity potentially comprising up to 40% of deal value. While orthopedic and spine surgery groups have historically resisted private equity investment due to their profitable ancillary services, this resistance is weakening except among mega-groups. Transaction success requires broad stakeholder support, experienced advisors, regulatory compliance, and careful structuring of tax treatment and indemnification terms. Generational differences often emerge in these deals, as older physicians typically receive larger portions of purchase price while younger doctors face career-long relationships with financial investors.
The Senate Budget Committee and HHS released reports in January 2025 examining private equity ownership in healthcare. The reports identified concerns including reduced care quality, facility closures, higher costs, understaffing, and lack of ownership transparency. HHS proposed new oversight measures including expanded transparency requirements, lower merger reporting thresholds, and increased enforcement against hospital consolidation. The reports recommend PE firms maintain compliance through monitoring regulations, documenting quality metrics, and implementing strong compliance programs. The impact of these potential changes under the Trump administration remains uncertain.
Telehealth
Healthcare technology trends in 2025 include a shift in telehealth usage to focus on behavioral health and specialist care. Hospitals are expanding AI applications through dedicated centers and AI scribes, while implementing LiDAR sensors and wearable devices for patient monitoring. Remote patient monitoring and hospital-at-home programs continue to grow as medical centers face staffing challenges. Cybersecurity remains critical after ransomware attacks doubled in 2024, affecting over 1,000 U.S. hospitals and prompting healthcare organizations to strengthen their security measures and vendor oversight. AI tools are being developed to detect network breaches and automate tasks like appointment scheduling and medical billing.
United Surgical Partners International, Surgical Care Affiliates, and Amsurg Corporation lead the ambulatory surgery center market with 520, 320, and 250 centers respectively. CMS approved 21 new procedures for ASC coverage in 2025, focusing on dental and regenerative therapy services, while implementing a 2.9% Medicare payment increase. Major consolidation occurred through acquisitions and partnerships, with USPI acquiring 45 new centers including Covenant Physician Partners, though 67% of ASCs remained independent. Several states reformed Certificate of Need laws, with North Carolina and Tennessee planning full repeals for ASCs by 2025 and 2027 respectively, while Georgia introduced exemptions for single-specialty centers. The migration of high-acuity procedures to ASCs continued, with Surgery Partners reporting a 50% increase in total joint cases, while lower-acuity procedures moved to office-based settings.
Several healthcare organizations faced ransomware attacks in January 2025, including an attack on New York Blood Center Enterprises that affected locations across multiple states, and one on Frederick Health in Maryland that disrupted IT systems and led to patient diversions. Matagorda County, Texas experienced a network outage due to a cyberattack, while Texas Tech University Health Sciences Center disclosed a ransomware attack affecting 533,874 individuals. Despite these incidents, blockchain analysis firm Chainalysis reported a 35% decrease in ransom payments in 2024 compared to 2023, attributing the decline to increased law enforcement action and more victims refusing to pay.
The HHS Office for Civil Rights has proposed new cybersecurity measures for healthcare providers under HIPAA, including mandatory vulnerability scanning every 6 months and expanded annual risk analyses. Healthcare providers must implement cybersecurity protections through staff training, limited access controls, and strong password protocols to prevent data breaches. New regulations require signed attestations for reproductive health information disclosures, with additional privacy protections becoming mandatory by February 16, 2026.
Emerging Technology
Healthcare law in 2025 will focus on four key areas of technological advancement and regulation. AI implementation in healthcare requires new legal frameworks to address risks, errors, and biases, while HIPAA and HITECH compliance becomes critical for protecting patient data against cyberattacks. Telehealth expansion drives changes in licensing requirements and reimbursement policies, while the healthcare industry continues its shift from fee-for-service to value-based care models following the ACA’s implementation. These changes necessitate new regulations for data-sharing, antitrust considerations, and risk-sharing arrangements to protect both patients and healthcare professionals.
Healthcare providers currently use AI for tasks including disease diagnosis, chart preparation, and treatment planning. The technology presents legal risks in four main areas: HIPAA privacy violations when using public-facing AI platforms, malpractice concerns in the informed consent process, uncertainty about liability when AI recommendations lead to incorrect treatments, and potential billing errors that could trigger false claims allegations. Healthcare providers must maintain human oversight of AI systems and cannot use AI reliance as a defense against malpractice claims, while failure to use available AI technology could also create liability risks. Doctors must disclose AI use to patients during the informed consent process and ensure all AI systems comply with HIPAA requirements.
Healthcare systems have transformed to prioritize patient accessibility through technology-enabled solutions. Remote consultations, online prescriptions, and digital platforms now allow patients to receive care without disrupting their routines. Healthcare providers maintain safety through strict regulatory compliance and secure technology for patient data protection. Artificial intelligence and wearable devices enable real-time monitoring and early detection of health risks, while electronic health records improve communication between medical professionals. The integration of these technologies creates a healthcare system that balances convenience with quality care standards.
AI is being used in healthcare for tasks including disease diagnosis, chart preparation, pre-authorization, and treatment planning. Healthcare providers must ensure AI systems meet HIPAA requirements and avoid using public-facing AI platforms that could compromise patient privacy. Doctors remain liable for malpractice even when using AI for diagnosis and treatment recommendations, and must disclose AI use to patients during the informed consent process. The technology can create liability for coding and billing errors if incorrect recommendations are followed.
Fraud & Abuse
A Phoenix couple pleaded guilty to orchestrating a $1.2 billion healthcare fraud scheme through their companies Apex Medical LLC and Viking Medical Consultants LLC from November 2022 to May 2024. The couple used untrained sales representatives to target elderly and terminally ill patients in care facilities, ordering unnecessary wound grafts and submitting fraudulent claims to Medicare and other insurers. Their scheme resulted in actual payments of $614 million from federal and private healthcare programs, with $279 million in kickbacks from an allograft distributor. The couple was arrested at Phoenix Sky Harbor International Airport while attempting to flee to London; they now face up to 20 years in prison and must each pay restitution exceeding $600 million.
A federal district court in Florida ruled on September 30, 2024, that the False Claims Act’s qui tam provision is unconstitutional in the case of U.S. ex rel. Zafirov v. Florida Medical Associates LLC. The Department of Justice reported that whistleblowers filed 712 qui tam suits in fiscal year 2023, resulting in $2.3 billion in settlements and judgments. The court determined that relators act as “Officers” of the United States executive branch without proper appointment under Article II of the Constitution. The case will likely be appealed to the 11th Circuit Court and may reach the Supreme Court, as Justice Thomas has previously expressed concerns about qui tam provisions. If upheld, this ruling could limit private parties’ ability to pursue fraud cases on behalf of the government, potentially reducing the number of enforcement actions due to government resource constraints.
Gender-Affirming Care
Texas Attorney General Ken Paxton has sued three doctors – Dr. May Lau, Dr. Brett Cooper, and Dr. Hector Granados – for allegedly providing gender-affirming care to transgender minors. Lau and Cooper entered Rule 11 agreements in January that prevent them from practicing medicine on patients while allowing them to continue research and academic work, while Granados is under a court-ordered temporary injunction. The lawsuits stem from Senate Bill 14, which prohibits medical providers from providing gender-affirming care to trans minors in Texas, though treatment remains legal for cisgender patients. The Texas Medical Board can revoke licenses of physicians who violate the ban, though doctors may continue treating existing patients to safely discontinue prescriptions.
HIPAA
The U.S. Department of Health and Human Services announced new HIPAA security rules taking effect March 7, 2025. The updates remove the distinction between “required” and “addressable” standards, making all security measures mandatory with limited exceptions. The changes mandate encryption for all electronic protected health information, require multi-factor authentication, and establish requirements for vulnerability scanning and penetration testing. Healthcare organizations and their business associates must comply with these rules or face penalties up to $50,000 per violation with a maximum of $1.9 million per year, plus potential jail time of 1-10 years. Human error remains the leading cause of healthcare data breaches at 76%, highlighting the need for these enhanced security measures.
HIPAA-regulated entities must report 2024 data breaches affecting fewer than 500 individuals to the HHS Office for Civil Rights by March 1, 2025. The HIPAA Breach Notification Rule requires entities to notify affected individuals within 60 days of breach discovery, with breaches affecting 500 or more residents requiring additional media notifications. For smaller breaches affecting fewer than 500 individuals, organizations can submit reports annually through the OCR data breach portal, with each breach reported separately. Business associates must notify covered entities of breaches within 60 days, though covered entities can delegate notification responsibilities back to their business associates while retaining ultimate responsibility for compliance. Failure to meet these deadlines may result in financial penalties for non-compliance.
Physician Fee Schedule
The Medicare Physician Fee Schedule for 2025 introduces a conversion factor decrease to $32.3465, representing a 2.83% reduction from 2024. The Medicare Economic Index projects a 4.9% increase in practice costs while payments decline, creating financial pressure on healthcare providers. Care management services see notable increases, with chronic care management codes rising 8-15% and new behavioral health integration codes gaining 12-18%. Geographic Practice Cost Indices show significant adjustments in major metropolitan areas, with San Francisco maintaining the highest PE GPCI at 1.842. The MIPS program maintains its 75-point threshold with potential penalties reaching 9% for underperformers, while high performers can receive bonuses averaging 1.31%.
The FDA and CISA have identified security vulnerabilities in patient monitors that could allow unauthorized access and manipulation of the devices. Certain monitors, which display patient vital signs in healthcare and home settings, contain a hidden backdoor in their software that enables cybersecurity controls to be bypassed and patient data to be accessed. The FDA has not identified any incidents related to these vulnerabilities but advises disconnecting affected devices from the internet and using local monitoring features only. Healthcare facilities must unplug and stop using devices that rely on remote monitoring, as no software patch exists to address these risks. The warning comes as healthcare data breaches have increased by 100% from 2018 to 2023, with the number of affected individuals rising by 1000%.
Dental
Dental plans distinguish between non-covered services and disallowed services in their payment policies. Non-covered services are those not included in a patient’s dental plan due to limitations or exclusions, while disallowed services are covered procedures that the plan refuses to pay for due to deficiencies or improper execution. Participating dentists must follow fee schedule limits even for non-covered services and file claims unless patients pay out-of-pocket and request no filing under HIPAA rules. When services are disallowed, dentists cannot bill patients or retain payments, though they may contest these determinations through their participation agreements. HIPAA allows patients to prevent claim filing by paying in full and making a written request.
Fraud & Abuse
The U.S. Department of Justice recovered $1.67 billion in healthcare fraud settlements in 2024, with major developments including a new whistleblower program targeting private insurer fraud. The DOJ launched increased scrutiny of private equity and venture capital firms in healthcare, examining their influence on portfolio companies and patient care. The Civil Cyber Fraud Initiative secured $14 million in settlements related to cybersecurity violations, while the FDA strengthened its focus on medical device cybersecurity through new guidance documents and enforcement actions. The government expanded whistleblower incentives with rewards up to 30% of recovered funds for the first $100 million, signaling continued emphasis on fraud detection and prevention.
Healthcare Delivery
The United States faces a physician shortage of 50,000 doctors, with projections indicating this number could reach 80,000 by 2035. The shortage affects multiple specialties, with cardiology expected to experience a 17% deficit by 2035, while thoracic surgery and ophthalmology face potential deficits of 31% and 30% respectively. The situation in cardiology appears particularly concerning as 54% of general cardiologists are 55 or older, compared to 38-40% of primary care providers in the same age range. Training new physicians requires 12 or more years of education, making immediate solutions difficult. AMN Healthcare’s report suggests focusing on workforce management and improving working conditions to retain existing physicians.
Amazon has partnered with Teladoc Health to expand its healthcare offerings, including virtual care and chronic condition management through its Health Benefits Connector. Walmart has launched same-day pharmacy delivery across 49 states, integrating pharmacy, merchandise, and grocery into a single online order with 15,000 pharmacists nationwide. AWS has partnered with General Catalyst to develop AI-driven healthcare solutions, while also expanding its collaboration with Booz Allen Hamilton for government technology solutions. Walmart plans to launch a drone delivery system at its Kaufman, Texas location through a $750,000 project with Alphabet’s Wing. The companies continue to compete through technological innovation, with Amazon projecting double-digit revenue growth over the next five years.
The U.S. Department of Health and Human Services has proposed new HIPAA Security Rule updates through a Notice of Proposed Rulemaking that will affect group health plans and their sponsors. The updates require plan documents to explicitly connect safeguards to provisions applying to covered entities and business associates, while mandating sponsors report security incidents within 24 hours of contingency plan activation. Plan sponsors must amend existing documents to reflect these changes, though many may already have compliant procedures in place. HHS is seeking input on implementation deadlines and potential transition periods for document amendments, with future updates expected to address encryption, multi-factor authentication, and administrative controls.
Hospice
The U.S. hospice care industry faces significant transformation as private equity firms acquire providers, with nearly three-quarters now under for-profit ownership. The number of Americans aged 65 and older will increase 47% to 82 million by 2050, intensifying demand for hospice services. For-profit ownership has led to challenges including staff burnout, reduced care quality, and increased billing issues, while workforce shortages limit access to services. Non-profit organizations are positioned to address these challenges through integration with broader healthcare systems, increased collaboration between providers, and adoption of new technologies like AI and telehealth. The industry must focus on improving quality standards and accessibility while maintaining the core mission of providing comprehensive end-of-life care.
Innovative Technology
The FDA issued draft guidance on January 7, 2025, establishing a framework to assess AI model credibility in drug and biological product development. The guidance outlines a 7-step process for evaluating AI models throughout the drug product lifecycle, including defining questions of interest, determining context of use, assessing risks, developing credibility plans, executing plans, documenting results, and determining model adequacy. The framework requires sponsors to provide detailed documentation about model development, training data, and evaluation processes while emphasizing ongoing performance monitoring. The FDA is accepting public comments until April 7, 2025, and encourages early engagement with organizations on AI credibility assessment.
German researchers have developed a method to repair heart damage using stem cells, with trials showing results in both primates and humans. The heart contains specialized muscle cells called cardiomyocytes which stop dividing after maturity, meaning damage from injury or infection becomes permanent. Blocked blood vessels can kill these cells, leading to reduced heart function and death. Scientists attempted to address this by converting induced pluripotent stem cells into cardiomyocytes and injecting them into damaged hearts, though initial animal experiments showed mixed results.
Proposed House Bill 2298, relating to a health care facility grant program supporting the use of artificial intelligence technology in scanning medical images, would establish a grant program in Texas to support health care facilities in using artificial intelligence (AI) for cancer detection through medical imaging. Eligible applicants include hospitals and federally qualified health centers within the state. The program, administered by a commission, requires applicants to provide matching funds and submit a detailed plan for the use of AI technology, including physician oversight and scanning capacity. Grants, limited to $250,000, are awarded annually to no more than five recipients. Recipients must report on the effectiveness of AI in cancer detection within a year.
Insurance & Reimbursement
California enacted the Physicians Make Decisions Act in September 2024, prohibiting health insurers from using AI alone to deny medical claims based on medical necessity. The law, which took effect January 1, requires physician oversight for medical necessity decisions while still allowing insurers to use AI tools under specific guidelines and state inspection requirements. The legislation comes amid class action lawsuits against Cigna and United Healthcare for allegedly using AI to deny physician-approved claims. While the Act makes violations a crime, providers cannot enforce it directly but may pursue remedies through other state laws, and other states are expected to follow with similar legislation.
Medicaid
In Texas, where postpartum Medicaid coverage was extended from 2 months to 12 months in 2023, implementation has faced significant challenges. The program now covers more than 265,000 pregnant and postpartum Texans, but many patients remain unaware of their extended benefits and struggle to access care. Texas healthcare providers report confusion about the new coverage rules, with many doctors learning about the changes through billing departments rather than official communications. The state’s recent removal of people from Medicaid rolls has complicated matters further, with many postpartum women having to fight to reinstate their coverage. Structural issues like provider shortages and limited mental health screening coverage continue to hinder access to care under the expanded program.
Private Equity
Private equity firms have invested hundreds of billions of dollars in healthcare over the past 15 years, leading to increased scrutiny from the Department of Justice under the False Claims Act. PE firms typically use leveraged buyouts to purchase companies, leaving portfolio companies with substantial debt burdens that can complicate FCA enforcement and recoveries. The DOJ has two main options for addressing fraud in PE-owned healthcare companies: pursuing fraudulent transfer claims under the Federal Debt Collection Procedures Act and targeting individual liability, particularly former owners who received cash payouts during buyouts.
The Federal Trade Commission has reached a settlement with private equity firm Welsh, Carson, Anderson & Stowe over U.S. Anesthesia Partners’ market consolidation in Texas. USAP, which operates in 700 facilities with 4,500 clinicians nationwide, acquired multiple anesthesia practices in Dallas between 2014 and 2016, gaining control of 40-50% of the market. The settlement prohibits Welsh Carson from increasing its ownership stake in USAP, limits board representation, and requires FTC notification for future healthcare acquisitions. In a related case, USAP faced similar restrictions in Colorado, where it controlled 86.7% of inpatient surgeries by 2021, leading to a $200,000 settlement and contract divestitures.
With President Trump taking office and Andrew Ferguson becoming FTC Chair, significant changes are coming to healthcare antitrust enforcement. The Biden administration took an aggressive approach to healthcare antitrust enforcement, challenging mergers, investigating pharmacy benefit managers, and withdrawing previous policy guidance. The Trump administration is expected to continue scrutiny of healthcare industry concentration and PBMs while potentially reinstating clearer guidance for businesses. States like California will maintain their own strict healthcare antitrust enforcement regardless of federal changes. New FTC Chair Ferguson has indicated openness to reforming rather than completely rescinding the 2023 merger guidelines.
The Federal Trade Commission released a Second Interim Staff Report on January 15, 2025, revealing that prescription drug spending rose from $393 billion in 2016 to $600 billion in 2023. The report found that pharmacies affiliated with the three largest Pharmacy Benefit Managers (PBMs) received 68% of specialty drug revenue in 2023, with markups reaching over 1,000% on some medications. The investigation uncovered that affiliated pharmacies generated $7.3 billion in revenue above acquisition costs, while PBMs earned $1.4 billion through spread pricing practices. The FTC plans to continue its investigation, particularly focusing on potential violations of the Robinson-Patman Act, while states consider additional PBM regulations. The Commission concluded that specialty generic drugs have increasing financial importance and require further investigation into pricing practices.
Emerging Technologies
The Office for Civil Rights published a final rule on May 6, 2024, regulating the use of AI and other patient care decision support tools in healthcare settings. The rule applies to recipients of federal financial assistance, HHS, and entities under the Affordable Care Act, requiring them to identify and mitigate discrimination risks in their use of these tools. A January 10, 2025 “Dear Colleagues” letter provides guidance on compliance, including requirements for risk identification through methods like AI registries and vendor information gathering. The general prohibition on discrimination took effect July 5, 2024, while requirements for risk identification and mitigation will begin May 1, 2025. A nationwide injunction currently stays enforcement of portions related to gender identity discrimination.
President Trump has rescinded the Biden administration’s executive order on AI safety, halting requirements for company safety testing reports while existing recommendations and research initiatives remain in place. The Trump administration is pursuing a $100 billion partnership with OpenAI, SoftBank, and Oracle for technology infrastructure development, while maintaining Biden’s executive order on data centers. Industry experts are divided on the implications, with some concerned the move will weaken AI safety efforts globally, while others see opportunities for companies to establish rules under new leadership. Congress and state legislatures continue working on AI legislation as the U.S. approach to AI regulation shifts.
Cybersecurity & Ransomware
A new report shows that 84% of healthcare organizations detected cyberattacks on their infrastructure in the past year. Phishing emerged as the primary threat for on-premises systems, while account compromise affected 74% of healthcare organizations in cloud environments. The attacks led to financial losses for 69% of healthcare organizations, exceeding the cross-industry average of 60%. The consequences included leadership changes in 21% of cases and legal action in 19% of affected healthcare organizations, both rates higher than the 13% average across other industries.
The cyberattack on Change Healthcare in February 2024 compromised the data of more people than originally thought. The ALPHV/BlackCat ransomware gang claimed responsibility for the attack, which disrupted over 100 healthcare applications and impacted thousands of pharmacies and healthcare providers. The breach exposed sensitive information including names, Social Security numbers, medical records, and insurance details, resulting in $1.1 billion in costs for UnitedHealth Group. The final impact assessment increased significantly from initial estimates of 100 million affected individuals to the current figure of 190 million.
In 2024, multiple states enacted data privacy laws, with California and Texas implementing significant regulations while seven other states passed comprehensive privacy legislation. The Federal Trade Commission increased enforcement against data brokers and companies handling sensitive data, requiring new safeguards for location data and expanding breach notification rules. States including California, Colorado, and Utah passed AI-specific regulations targeting high-risk AI systems and requiring safeguards and disclosures. Massachusetts narrowed its wiretapping law scope regarding website tracking technologies, while Washington and Nevada enacted laws protecting consumer health data outside HIPAA. State enforcement actions ramped up, with California and Texas leading investigations into data collection practices and improper data sharing.
Fraud & Abuse
The Second Circuit Court of Appeals has joined other federal circuits in adopting the “at least one purpose rule” for Anti-Kickback Statute violations. Under this rule, the AKS prohibits a payment if any single purpose of the payment was to induce patient referrals, even if other legitimate reasons exist. In the case before the court, Steven Camburn alleged that Novartis violated the False Claims Act by providing improper payments to physicians through speaker programs to encourage prescriptions of its multiple sclerosis drug Gilenya. The Second Circuit found sufficient evidence in three categories of allegations: speaker programs without legitimate attendees, excessive compensation for canceled events, and strategic speaker selection to induce prescriptions. The court joins the Third, Fifth, Seventh, Ninth, and Tenth Circuits in applying this interpretation, with the First and Fourth Circuits also assuming this standard.
The Department of Justice and qui tam relators filed a record-breaking 1,402 new False Claims Act cases in 2024, representing a 16% increase from 2023’s previous record. Total recoveries reached $2.9 billion, with $2.2 billion coming from qui tam suits where DOJ intervened. A Florida federal court ruled the FCA’s qui tam provisions unconstitutional under the Appointments Clause, though this decision faces uncertain prospects on appeal. The second Trump administration is expected to continue aggressive FCA enforcement while potentially limiting reliance on sub-regulatory guidance and increasing voluntary dismissals of qui tam cases. President Biden also signed into law the Administrative False Claims Act, expanding agencies’ ability to pursue claims up to $1 million through administrative proceedings.
Three Texas healthcare providers settled Stark Law violation cases for a total of $21.3 million in 2024. Horizon Medical Center paid $14.2 million over improper service identification and problematic financial relationships, while Little River Healthcare’s CEO Jeffrey Madison paid $5.3 million for illegal kickback schemes and received a 25-year exclusion from federal healthcare programs. Dr. Mohammad Athari in Houston paid $1.8 million for referring patients to his own diagnostic centers between 2014 and 2021, in violation of the Stark Law, which prohibits physicians from referring patients to facilities in which they hold a financial interest. The Department of Justice continues to pursue healthcare fraud cases, focusing on both institutions and the executives who violate federal healthcare regulations.
Northwest Anesthesiology and Pain Services (NWAP) has agreed to pay $999,999 to resolve Medicare claims violations. The Houston-based provider hired Stacey Green and Remedy Physician Solutions in 2019 to manage pain practices, where Green implemented bonus payments based on lab referrals rather than productivity. Between 2019 and 2021, NWAP paid $1.8 million in bonus payments through this system, which the government deemed improper kickbacks for referrals. NWAP self-disclosed the violations to authorities and cooperated with the investigation conducted by the U.S. Attorney’s Office and Department of Health and Human Services Office of Inspector General.
Health Policy
Drug pricing and health care fraud remain central issues as Robert F. Kennedy Jr. and Marty Makary await confirmation as HHS secretary and FDA commissioner. The Trump administration continues implementation of drug price negotiations under the Inflation Reduction Act despite pharmaceutical industry litigation, while ACA subsidies face expiration in 2025. Health care fraud enforcement priorities include clinical trial fraud, cybersecurity, and product referral arrangements, with FDA focusing on medical device cybersecurity and AI software guidance. The reauthorization of OMUFA in 2025 presents opportunities to address drug shortages, biosimilar substitution rules, and dietary supplement regulations, while the FDA maintains its focus on the opioid epidemic and real-world evidence for rare disease treatments.
Health Administration
VMG Health explores how Occam’s Razor principles can improve healthcare administration. The principle advocates simplifying complex healthcare systems by focusing on essential elements in areas such as patient discharge, resource allocation, and regulatory compliance. Healthcare organizations can streamline operations through vendor consolidation, automated compliance platforms, and simplified communication protocols. The approach emphasizes removing unnecessary steps while maintaining quality of care and meeting regulatory requirements. The article notes that while simplification is beneficial, administrators must balance efficiency against the inherent complexity of healthcare operations.
The U.S. Department of Health and Human Services published proposed updates to the HIPAA Security Rule on January 6, 2025, marking the first major revision since 2013. The new requirements mandate business associates to notify covered entities within 24 hours of activating contingency plans and provide annual verification of technical safeguards. Business Associate Agreements must be updated to include these new provisions within one year and 60 days after the Final Rule publication, with a transition period available for existing agreements. The proposal allows covered entities to appoint business associates as Security Officers while maintaining ultimate compliance responsibility, and the HHS Office for Civil Rights will accept comments through March 7, 2025. The changes will affect both current and future business associate relationships, requiring updates to vendor management programs and security risk assessment processes.
The Department of Health and Human Services Office for Civil Rights has published a notice of proposed rulemaking to strengthen HIPAA Security Rule requirements. The proposal eliminates flexible “addressable” specifications in favor of mandatory security controls and requires implementation of multifactor authentication, encryption, and data backup systems. Healthcare organizations must conduct annual risk analyses, compliance audits, and obtain written verification from business associates regarding security measures. The rule, open for comments through March 7, 2025, will take effect 60 days after final publication with a 180-day compliance period. Organizations must update their Business Associate Agreements within one year and implement stricter technical controls, including removing system access within one hour of employee termination.
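The one-hour access-termination requirement summarized above is the kind of control an auditor will ask an organization to evidence rather than merely attest to. The script below is an added example, not part of the HHS proposal or any vendor product: it joins a constructed HR termination export against a constructed IAM audit log (the key=value line format and the `account_disabled` action name are assumptions) and reports each departed user as disabled on time, disabled late, or never disabled at all.

```python
"""Deprovisioning-lag check: was each terminated user's account disabled within one hour?

Added example for illustration; it is not HHS's or any product's code. The HR feed,
the audit-log format, and the action names below are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_LAG = timedelta(hours=1)  # the proposed HIPAA Security Rule window

# Constructed HR export: user -> termination effective time (UTC).
HR_TERMINATIONS = {
    "jdoe": "2025-02-03T14:00:00Z",
    "asmith": "2025-02-03T09:30:00Z",
    "bwong": "2025-02-04T17:15:00Z",
}

# Constructed IAM audit log in a hypothetical "<timestamp> key=value ..." format.
IAM_LOG = """\
2025-02-03T14:25:00Z user=jdoe action=account_disabled actor=iam-automation
2025-02-03T11:00:00Z user=asmith action=password_reset actor=helpdesk
2025-02-03T11:02:00Z user=asmith action=account_disabled actor=helpdesk
2025-02-04T17:20:00Z user=bwong action=session_revoked actor=iam-automation
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_disabled_events(log_text):
    """Return {user: earliest account_disabled time} from the audit log.

    Only account_disabled counts: a password reset or session revocation leaves
    the account enabled, so it must not satisfy the control.
    """
    disabled = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        fields = dict(kv.split("=", 1) for kv in match.group("kv").split())
        if fields.get("action") != "account_disabled" or "user" not in fields:
            continue
        ts = parse_ts(match.group("ts"))
        user = fields["user"]
        if user not in disabled or ts < disabled[user]:
            disabled[user] = ts
    return disabled


def check_deprovisioning(terminations, log_text, max_lag=MAX_LAG):
    """Return {user: (status, lag_minutes)} for every terminated user.

    status is "ok" (disabled within max_lag, or before the termination time),
    "late" (disabled after max_lag), or "never_disabled" (no disable event).
    """
    disabled = parse_disabled_events(log_text)
    results = {}
    for user, term_value in terminations.items():
        term = parse_ts(term_value)
        if user not in disabled:
            results[user] = ("never_disabled", None)
            continue
        lag = disabled[user] - term
        minutes = lag.total_seconds() / 60
        status = "ok" if lag <= max_lag else "late"
        results[user] = (status, minutes)
    return results


def findings(results):
    """Sorted list of users that fail the one-hour control."""
    return sorted(user for user, (status, _) in results.items() if status != "ok")


if __name__ == "__main__":
    for user, (status, lag) in check_deprovisioning(HR_TERMINATIONS, IAM_LOG).items():
        lag_text = "" if lag is None else f"{lag:.0f} min"
        print(f"{user:8s} {status:15s} {lag_text}")
```

In the sample data `jdoe` passes (25 minutes), `asmith` fails at 92 minutes, and `bwong` is flagged as never disabled because only a session was revoked; treating a session revocation as deprovisioning is a common gap this check is meant to surface. In production the two inputs would come from the HR system of record and the identity provider's audit export, and the join key should be a stable employee identifier rather than a username.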
Regulation & Oversight
The White House removed inspectors general from most cabinet-level agencies through immediate termination emails sent on January 24. Between 12 and 17 inspectors general were dismissed without the legally required 30-day notice to Congress, with only the Department of Justice and Homeland Security IGs remaining in place. The dismissals sparked bipartisan concern, with Republican Senator Charles Grassley requesting explanation and Democratic leaders condemning the action as an attack on government oversight. At least one dismissed IG plans to report to work Monday, arguing the terminations violated federal law, while Hannibal Ware, chair of the Council of IGs, stated the removals appear legally insufficient. The White House provided no explanation for the dismissals beyond citing “changing priorities” in the termination notices.
Texas Medical Board Rules
The Texas Medical Board implemented new rules that require medical spas and IV hydration clinics to post physician information and ensure staff wear identification. The rules consolidate delegation requirements under Chapter 169, mandating written documentation of all medical delegations and allowing physician assistants and advanced practice nurses to provide emergency consultations. Practitioner-patient relationships can now be established through in-person visits or telemedicine, while the Board plans to issue standardized forms for alternative medicine and review ketamine treatment regulations. The Board removed office medication dispensing limits but reminds physicians that state law still restricts supplying drugs beyond immediate patient needs.