340B
- HRSA launched a pilot program on August 1, 2025 that will change how drug manufacturers provide 340B discounts to safety net healthcare providers. Under the new rebate model, covered entities will pay full price for drugs upfront and receive rebates later, rather than receiving discounts at the time of purchase as traditionally done. The pilot program applies only to manufacturers with products on the Medicare Drug Price Negotiation Selected Drug List, which includes 23 drugs subject to pricing negotiations under the Inflation Reduction Act. Manufacturer applications are due September 15, 2025, with the program beginning January 1, 2026, and HRSA is accepting public comments through August 30, 2025. The initiative follows disputes between HRSA and manufacturers over rebate models, which resulted in multiple lawsuits after HRSA blocked manufacturer attempts to implement such systems without approval. Source: Healthcare Law Blog
Cybersecurity
Data Privacy & Breach
- West Texas Oral Facial Surgery notified 11,151 patients of a data breach following a network disruption on May 29, 2025. Third-party cybersecurity experts confirmed unauthorized network access had occurred, though the breach notice did not specify when. A file review completed on July 18, 2025, revealed exposed data included patient names, imaging files, birth dates in some cases, and treatment reasons. Electronic medical records, Social Security numbers, and financial information were not accessed. The Inc Ransom ransomware group claimed responsibility for the attack on June 18, 2025. Source: HIPAA Journal
- Researchers have developed a server-rotating federated machine learning system that enables medical imaging AI models to be trained across different device manufacturers while preserving patient privacy. The system incorporates differential privacy techniques and cryptographic safeguards to prevent patient data from being reverse-engineered from model parameters. Testing on multi-center datasets containing MRI, CT, and digital X-ray images from multiple device manufacturers showed the approach matched or exceeded performance of traditional centralized and conventional federated methods. The framework includes adaptive normalization layers to handle vendor-specific imaging artifacts and scanner discrepancies without requiring data harmonization. Source: BioEngineer
Emerging Tech
- The Texas Responsible Artificial Intelligence Governance Act will require businesses operating in Texas or serving Texas residents to implement comprehensive AI governance policies when it takes effect January 1, 2026. The law applies to both developers and deployers of AI systems, defined as machine-based systems that generate outputs such as content, decisions, predictions, or recommendations. Companies must establish policies covering AI system purpose, data usage, performance evaluation, post-deployment monitoring, user safeguards, anti-discrimination provisions, and user disclosure requirements. Businesses that receive violation notices from the Attorney General have 60 days to cure violations or stop using the non-compliant AI system portion. Texas also created an AI regulatory sandbox program that allows companies to test AI systems for up to 36 months with legal protections while meeting specific safeguard requirements. Source: IAPP
Employee Benefits
- Healthcare employers face mounting regulatory compliance challenges following the 2025 Comprehensive Reform Act, which was signed into law on July 4, 2025. The Act adds complexity to existing requirements including Affordable Care Act compliance for variable-schedule employees, fiduciary oversight of retirement and health plans, and nondiscrimination testing under Code Sections 105(h) and 125. Healthcare organizations increasingly form health and welfare plan committees to manage fiduciary responsibilities and protect boards from litigation related to pharmacy benefit management agreements and excessive fees. Hospital mergers and acquisitions create additional risks when benefits integration is not properly reviewed, potentially resulting in unexpected liabilities from retiree medical plans, multiemployer pension withdrawal liability, or undocumented 403(b) plans. Employers using self-insured plans, flexible spending accounts, or health savings accounts must conduct annual nondiscrimination testing to avoid negative tax consequences for higher-earning participants. Source: Saul Ewing LLP
Fraud & Abuse
- The Texas Attorney General sued Eli Lilly, accusing the drugmaker of bribing medical providers to prescribe its medications. The lawsuit alleges the company engaged in kickback schemes to induce providers to prescribe its profitable drugs, including GLP-1 medications Mounjaro and Zepbound used for weight loss and diabetes treatment. The action follows a previous lawsuit against insulin manufacturers, including Lilly, over pricing practices with pharmacy benefit managers. Lilly denied the allegations, stating the claims stem from a corporate relator whose accusations have been dismissed by multiple courts and the federal government. Source: Reuters
- Dr. Ajay Aggarwal agreed to pay $2,053,515 to settle allegations that he defrauded federal healthcare programs by billing for procedures he did not perform. The 63-year-old Houston anesthesiologist and pain medicine doctor allegedly billed Medicare and Workers’ Compensation programs for the surgical implantation of neurostimulator electrodes from November 2021 to March 2023. Instead of performing these invasive procedures that typically require operating rooms and pay thousands of dollars, Aggarwal allegedly provided patients with electro-acupuncture treatments that involved inserting monofilament wire a few millimeters into patients’ ears and taping neurostimulators behind the ear in his clinic. The investigation involved multiple agencies including the U.S. Postal Service Office of Inspector General, Department of Labor Office of Inspector General, and Department of Health and Human Services Office of Inspector General. The settlement resolves allegations only, with no determination of liability. Source: U.S. Attorney’s Office, Southern District of Texas
HIPAA Privacy Rule
Mergers & Acquisitions
- F-reorganizations under federal tax law provide healthcare companies a method to preserve Employer Identification Numbers during mergers and acquisitions, avoiding disruptions to Medicare enrollment and regulatory approvals. Healthcare entities rely on EINs for Medicare enrollment, state licensing, DEA registration, and commercial payer contracts, making EIN changes during transactions costly due to re-enrollment requirements with CMS, credentialing delays, and potential business interruptions. Under IRC § 368(a)(1)(F), F-reorganizations allow businesses to undergo structural changes while the IRS treats pre- and post-reorganization entities as the same taxpayer, preserving the EIN and associated contracts and tax attributes. Private equity firms, health systems, and MSO platforms increasingly use this structure to avoid Medicare enrollment hurdles that can take months and maintain continuity of state licenses tied to EINs. Texas law provides mechanisms including statutory conversions, reverse triangular mergers, and cross-jurisdictional reincorporations to implement F-reorganizations while preserving entity continuity. Source: Clark Hill PLC
OIG Advisory Opinion
Patient Harm
- Hospitals failed to capture half of patient harm events that occurred among hospitalized Medicare patients, according to an Office of Inspector General review. The OIG traced harm events from a 2022 report and found that hospitals often applied narrow definitions of harm, with staff not considering many events to be harm or stating it was not standard practice to capture them. Of the harm events hospitals did capture, few were investigated and even fewer resulted in improvements for patient safety. The OIG recommends that the Agency for Healthcare Research and Quality (AHRQ) and CMS work with partners to align harm event definitions and create a patient harm taxonomy, that CMS ensure surveyors prioritize Medicare Quality Assurance and Performance Improvement requirements, and that CMS instruct Quality Improvement Organizations to help hospitals identify weaknesses in their incident reporting systems. Increased federal leadership is needed to drive progress in patient safety after nearly 20 years of high patient harm rates nationwide. Source: OIG Report
Physician Compensation
- Physicians and hospitals are generating higher revenues by increasing workload rather than receiving better reimbursement rates. From the second quarter of 2023 to 2025, median net gain per employed physician rose 8% while median revenue per provider unit of work increased 12% for physicians, but median net patient revenue per provider work unit declined 7%. Support staffing levels dropped 13% over two years, creating potential obstacles for future growth. Hospital operating margins improved to 3% when including shared service costs and 6.6% without those allocations, driven primarily by outpatient revenue increases. The trends reflect ongoing Medicare reimbursement declines that force providers to complete more work to maintain income levels. Source: Fierce Healthcare
Telehealth
- States are implementing permanent telehealth regulations to replace pandemic-era emergency rules as federal waivers approach expiration. The DEA and HHS extended telemedicine prescribing waivers through December 31, 2025, allowing providers to prescribe controlled substances via telehealth without prior in-person examinations. New York finalized rules in May 2025 requiring in-person medical evaluations before prescribing controlled substances through telemedicine, with exceptions for recent evaluations, temporary coverage, and emergency situations. States including California, Delaware, Florida, New Hampshire, and Texas have enacted or proposed legislation with varying approaches to telehealth prescribing requirements. The DEA proposed a special registration system in March 2023 that would establish three types of registrations for remote prescribing of controlled substances with enhanced verification and monitoring requirements. Source: Healthcare Law Blog
- Telemedicine has become a cornerstone of mental health services, with telehealth services for mental health issues increasing 16 to 20 times during the first year of the COVID-19 pandemic according to RAND Corporation data. A nationwide poll by the American Psychiatric Association found that over half of Americans would choose telehealth for mental health needs, with more than one-third preferring it outright. AI-powered platforms from companies like Teladoc Health and IBM Corporation now enable predictive analytics for early intervention in conditions like anxiety and depression, while digital mental health counseling apps like Calm and SilverCloud Health provide 24/7 support through chatbots and virtual therapists. Pittsburgh-area clinics have reduced wait times for psychiatric evaluations by up to 40% through telemedicine implementation, though experts warn against over-reliance on virtual care for cases like schizophrenia. Federal legislation has bolstered telehealth reimbursement and cross-state licensing, but challenges remain around data privacy and equitable access for low-income populations. Source: WebProNews
Value-Based Arrangements
- The American Medical Association has released guidance to help private practices navigate partnerships with “aggregator entities” that manage value-based care arrangements. These aggregators are specialized private companies that help physicians handle the complexities of value-based care without requiring practices to fully invest in the technical infrastructure themselves. The AMA resource addresses three core areas: evaluating aggregator business models, understanding physician considerations when working with aggregators, and planning for potential termination of these relationships. According to Dr. Alexander Sun from the AMA’s Professional Satisfaction and Practice Sustainability unit, the guidance helps practices determine whether aggregator partnerships align with their value-based care goals. The resource is part of the AMA’s broader Business of Medicine education program, which includes materials on revenue-cycle management and accountable care organizations. Source: American Medical Association
Breach Notifications
- Two Texas healthcare facilities disclosed data breaches affecting nearly 10,000 patients combined. Nova Recovery Center in Wimberley detected unauthorized network access on May 25, 2025, which compromised personal information of 7,713 individuals including names, addresses, Social Security numbers, and financial data. The facility confirmed the breach on June 17, 2025, and provided credit monitoring services to affected patients. OB/GYN Medical Center Associates in Houston reported a separate incident involving ConnectOnCall, a voicemail service provider that experienced unauthorized access between February 16, 2024, and May 12, 2024, affecting 2,132 patients. The compromised data included names, medical conditions, medications, procedures, and other personal health information disclosed in voicemail messages. Source: HIPAA Journal
- Oklahoma has enacted Senate Bill 626 that expands data breach notification requirements and will take effect on January 1, 2026. The state Attorney General must be notified about breaches affecting 500 or more residents, or 1,000 or more residents for credit bureau systems, within 60 days of individual notifications being mailed. The law broadens the definition of personal information to include unique electronic identifiers with security codes and biometric data such as fingerprints and retina images. Entities that employ reasonable safeguards and issue breach notifications will be shielded from civil penalties of up to $150,000 per breach. Organizations compliant with HIPAA, the Oklahoma Hospital Cybersecurity Protection Act, or the Gramm-Leach-Bliley Act are deemed compliant with the requirements if they notify the Attorney General within 60 days. Source: HIPAA Journal
Cybersecurity
- Texas has enacted Senate Bill 2610, becoming the fifth state to implement cybersecurity safe harbor protections that shield businesses from punitive damages in data breach cases. Governor Greg Abbott signed the law, which formally recognizes the Center for Internet Security Critical Security Controls as a standard for demonstrating reasonable cybersecurity practices. The legislation establishes a tiered system where businesses with fewer than 20 employees face simplified requirements, those with 20-99 employees must implement CIS Controls Implementation Group 1, and companies with 100-249 employees must comply with frameworks such as NIST CSF or ISO/IEC 27000-series standards. Texas joins Ohio, Utah, Connecticut, and Iowa in offering safe harbor protections, and follows Nevada in recognizing CIS Controls as a benchmark for reasonable cybersecurity practices. The law incentivizes businesses to adopt cybersecurity programs by providing legal protection when they meet specific cybersecurity criteria. Source: KGET
- Proposed amendments to the HIPAA Security Rule mandate comprehensive cybersecurity requirements for healthcare organizations handling electronic protected health information (ePHI). The modifications require mandatory encryption of ePHI at rest and in transit, multi-factor authentication, annual compliance audits, vulnerability scanning every six months, and penetration testing annually. Organizations must maintain written documentation for all Security Rule policies and procedures, develop technology asset inventories and network maps annually, and conduct risk assessments that include AI systems accessing ePHI. The rules specifically address AI governance by requiring documentation of AI system training, prediction models, and algorithm data, while mandating organizations monitor AI tools for vulnerabilities and potential impacts on ePHI confidentiality, integrity, and availability. While initially scheduled to take effect January 6, 2025, with a compliance deadline of January 6, 2026, the new administration has paused all HHS regulation updates. Source: Ankura
Data Privacy
- Differential privacy protects personal data by adding mathematical noise to datasets, allowing organizations to analyze and share information without revealing individual identities. The technique uses two parameters, epsilon and delta, to control the amount of randomness added to data, ensuring algorithms cannot determine whether specific individuals’ information is included in a database. Companies including Apple, Google, and Microsoft have implemented differential privacy in their products, while the U.S. government uses it for census data collection to protect survey participants’ identities. The method has applications across healthcare research, mobile user behavior analysis, and advertising campaign assessment, though it faces limitations with small datasets where accuracy becomes compromised. Despite these constraints, differential privacy enables broader data sharing while maintaining mathematical guarantees that individual privacy remains protected. Source: Built In
- Healthcare facilities face mounting cybersecurity risks as IoT device adoption grows and patient data moves to cloud storage systems. Personal health information trades for 10-20 times more than stolen credit card data on the dark web, making healthcare networks prime targets for cybercriminals. Major vulnerabilities include devices with default passwords, unencrypted data transmission, cloud misconfigurations, and unpatched firmware in medical equipment. The 2017 WannaCry ransomware attack demonstrated these risks when it compromised over 300,000 systems across 150 countries, severely impacting the UK’s NHS hospitals running outdated Windows software. Healthcare organizations must implement end-to-end encryption, zero trust architecture, device hardening, network segmentation, and real-time monitoring systems to protect patient data and maintain compliance with HIPAA and GDPR regulations. Source: Programming Insider
Dental Service Organizations (DSOs)
- DSO transactions face complex regulatory challenges that require careful structuring to comply with state laws prohibiting corporate practice of dentistry. Most states prevent non-dentists from directly owning dental practices, forcing DSOs to operate through management agreements with dentist-owned entities rather than direct ownership structures. Buyers must address practitioner retention through production-based compensation and non-compete agreements, though enforceability varies by state and must comply with healthcare fraud and abuse laws. Physical clinic locations present risks when lease agreements contain change-of-control provisions that require landlord consent for transactions. Additional transaction complexities include managing deferred revenue obligations from prepaid services, conducting billing compliance audits to identify potential upcoding issues, and navigating state healthcare transaction review laws that may require pre-closing notice or approval. Source: Bass, Berry & Sims PLC
Emerging Tech
- Mount Sinai researchers found that six large language models demonstrated hallucination rates between 50% and 83% when exposed to fabricated medical information. The study, published in Nature, tested 300 clinical cases containing false medical details and measured how frequently each model elaborated on the incorrect information. GPT4o performed best with hallucination rates of 50.0% for short cases and 53.3% for long cases, while DeepSeek performed worst with rates of 82.7% and 80.0% respectively. The other models tested—Llama 3.3, Phi-4, Gemma-2-27b-it, and Qwen-2.25-72b—showed hallucination rates ranging from 58.7% to 82.0%. Prompt mitigation techniques reduced hallucination rates from an average of 65.9% to 44.2% but failed to eliminate the errors completely. Source: Healthcare IT News
- AI systems in healthcare face two distinct types of errors that pose risks to patient safety. Hallucinations occur when AI generates completely fabricated information that does not exist in training data or reality, such as inventing medical conditions or citing nonexistent studies. Confabulations happen when AI misrepresents or distorts real information, such as citing legitimate sources but misinterpreting their findings or applying them incorrectly. Both types of errors can lead to misdiagnoses, inappropriate treatments, and loss of trust in digital tools. Healthcare organizations can prevent these errors through five methods: using peer-reviewed training data, implementing validation testing, incorporating human oversight, using confidence scoring systems, and restricting AI outputs to verified knowledge sources. Source: Wolters Kluwer
- AI-ready data serves as the foundation for next-generation radiology tools as healthcare systems face mounting imaging volumes and increasing complexity. AI-ready data refers to patient studies that are curated, standardized, and integrated for artificial intelligence systems, including high-quality images, comprehensive annotations by radiologists, standardized formats like DICOM, rich metadata with clinical context, and de-identified secure data. Machine learning algorithms require vast amounts of well-annotated, diverse data to recognize patterns and detect abnormalities with precision, while curated datasets help minimize biases and ensure AI tools perform reliably across different patient populations and imaging modalities. The process involves data collection from diverse sources, expert annotation by radiologists, quality assurance verification, standardization and structuring of metadata, and continuous monitoring with real-world data to refine systems over time. Challenges remain in data variability, privacy protection, bias mitigation, clinical validation, and maintaining human oversight where radiologists retain decision-making authority supported by AI. Source: Healthcare Dive
Fraud & Abuse
HIPAA
- HIPAA applies to far fewer organizations than commonly believed, contrary to the widespread assumption that all health and medical data falls under federal regulation. The law only covers three categories of “covered entities”: health plans, health care clearinghouses, and health care providers that electronically transmit health information in connection with transactions like insurance claims, payments, or eligibility verification. Healthcare providers that operate on a cash-only basis and do not accept insurance—such as specialty practices, small medical offices, or certain pharmacies—typically fall outside HIPAA’s scope. Companies that incorrectly assume they are subject to HIPAA may face penalties for non-compliance, while those that wrongly believe they are covered could miss obligations under state privacy laws that apply when HIPAA does not. The distinction has become more critical as data breaches targeting healthcare providers have increased, particularly among smaller providers with vulnerable security systems. Source: BCLP – Bryan Cave Leighton Paisner
Medicare Reimbursement
- MIPS has streamlined its Improvement Activities requirements for 2025 by eliminating the weighting system and reducing the number of measures healthcare practices must select. Small practices with 15 or fewer NPIs now need to choose only one of 104 available IA measures, while larger practices must select just two measures. The changes come as healthcare faces a projected shortage of 17,800–48,000 primary care physicians and 21,000–77,100 non-primary care physicians by 2034, with ophthalmologists reaching crisis levels by 2035. Key IA measures include promoting clinician wellbeing through surveys and implementation plans, participating in private payer clinical practice improvement activities, and developing written policies to ensure equal treatment of Medicaid patients. These measures focus on care delivery, patient engagement, and operational efficiency rather than just compliance scoring. Source: VMG Health
- CMS established a mandatory payment model targeting specialists who treat heart failure and low back pain patients. The Ambulatory Specialty Model, announced July 10, 2025, will run from 2027 through 2031 and represents CMS’s first mandatory alternative payment model for specialists treating chronic conditions in outpatient settings. Participation becomes mandatory for clinicians who treat at least 20 episodes annually of heart failure or low back pain, with targeted specialties including anesthesiology, pain management, neurosurgery, orthopedic surgery, interventional pain management, and physical medicine and rehabilitation. The model evaluates participants using MIPS framework across quality, clinical practice improvement, cost, and interoperability domains, with payment adjustments of up to 9 percent positive or negative based on performance. CMS selected these conditions because they represent 6 percent of total annual spending for traditional Medicare, and the agency is accepting public comments through September 12, 2025. Source: The National Law Review
- CMS will deploy AI technology to screen prior authorization requests for Medicare services starting January 2026 through its Wasteful and Inappropriate Services Reduction program. The program, introduced July 1, 2025, requires prior authorization for select fee-for-service Medicare treatments in Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington, targeting procedures such as nerve stimulators, cervical fusions, and incontinence treatments. CMS will partner with Medicare Advantage plans and other payors as “model participants” who will use AI tools to review and approve or reject treatment requests, including determinations of medical necessity. Model participants will receive compensation based on a share of expenditures they prevent, creating financial incentives that may increase denials for covered services. The program may conflict with state laws limiting AI use in utilization management, and providers should prepare for increased denials and enhanced documentation requirements before the 2026 launch. Source: Jones Day
Physician Compensation
- Texas Senate Bill 1318 will impose new restrictions on noncompete agreements for physicians and healthcare workers beginning September 1, 2025. The law extends noncompete requirements beyond physicians to include dentists, professional and vocational nurses, and physician assistants for the first time. All noncompete agreements entered into or renewed after the effective date must include a buyout cap not exceeding the employee’s annual salary, limit geographic scope to a five-mile radius, restrict the term to one year, and state all conditions in writing. The legislation voids physician noncompete agreements when the doctor is terminated without “good cause,” defined as conduct, performance, or employment record issues. The new requirements apply only to medical practice roles, with an exception for physicians and healthcare practitioners serving solely in administrative capacities. Source: Haynes Boone
- CMS proposes payment increases and cost-cutting measures in its 2026 Medicare Physician Fee Schedule. The Centers for Medicare and Medicaid Services proposed rule establishes two conversion factors that would increase payments by 3.83% for providers participating in Advanced Alternative Payment Models ($33.59) and 3.62% for non-participants ($33.42). The proposal includes a new mandatory Ambulatory Specialty Model launching in 2027 that focuses on heart failure and lower back pain management, requiring providers to take on two-sided financial risk. CMS also proposes to cut skin substitute payments by approximately 90% by reclassifying them from biologicals to incident-to supplies, and to create three new G-codes for behavioral health integration services. Healthcare providers have until September 12 to submit public comments before CMS finalizes the rule. Source: MSLaw Blog
330 Grants
Data Breach
- HCA Healthcare agreed to settle class action litigation stemming from a July 2023 data breach that affected 11,270,000 patients across 20 states. Hackers accessed an external storage location and stole a database containing 27.7 million records, including names, contact information, dates of birth, and appointment information. The breach prompted 27 class action lawsuits that were consolidated in Tennessee federal court, with the company denying wrongdoing but negotiating a settlement estimated to exceed $9 million based on attorney fees. Class members can claim credit monitoring services and reimbursement for documented losses up to $5,000 per person. The settlement requires claims submission by September 25, 2025, with a final hearing scheduled for October 27, 2025. Source: HIPAA Journal
Data Privacy
- Healthcare organizations face consent system failures as platforms like WhatsApp introduce advertising models that expose patient data to monetization. Laws like HIPAA protect healthcare providers but fail to cover the expanding ecosystem of data collectors including wearable manufacturers and messaging platforms that now monetize health information through advertisements. When patients use free health tracking applications, their data becomes the product being sold, with information flowing from devices to smartphones and eventually to proprietary servers where third parties can gain access. Big Tech companies including Apple, Amazon, and Microsoft are racing to capture and commercialize health data at scale through their healthcare platforms and services. Healthcare organizations must implement four strategies to address these risks: clarify consent practices, audit data flows, engage in vendor risk management, and invest in privacy-by-design approaches. Source: Built In
Emerging Tech
- Texas enacted comprehensive AI governance legislation that will take effect January 1, 2026, regulating businesses and government entities that develop or deploy artificial intelligence systems in the state. The Act prohibits using AI systems to promote self-harm or violence, bars government entities from implementing social scoring systems, and requires transparency notices when consumers interact with AI systems, including in healthcare settings. The legislation establishes a 36-month sandbox program allowing companies to test AI systems without standard licensing requirements and creates the Texas Artificial Intelligence Council to oversee ethical AI development. The Texas Attorney General will enforce the law with civil penalties ranging from $10,000 to $200,000 depending on violation severity, though violators receive a 60-day cure period after written notice. The Act does not create private rights of action for individuals and nullifies local AI ordinances across Texas. Source: Healthcare Law Blog
- University hospitals are adopting automated software testing to address burnout and safety issues in electronic health record systems. Since 2020, university medical systems have prioritized EHR modernization following the COVID-19 pandemic, but over 70% of physicians at academic hospitals report burnout due to poor usability and workflow disruption. Nurses have identified EHR design flaws as sources of patient harm through data entry errors, alert fatigue, and automation failures. The Department of Veterans Affairs’ EHR rollout experienced problems with incomplete records and pharmacy order failures due to inadequate testing and weak end-user validation. University hospitals face distinct challenges because their EHR systems must support clinical workflows, research data capture, student training, and compliance requirements while operating with limited resources compared to private networks. Source: Healthcare IT Today
- AI reduces manual medical record screening workload by 83% in emergency department injury surveillance systems. Natural language processing algorithms using transformer models automate detection of injured patients and generate injury event summaries from triage notes. AI models demonstrate accuracy rates between 86% and 97% for tasks including patient triage, injury information extraction, and child abuse detection. Implementation requires addressing data privacy concerns through anonymization techniques, secure access systems, and patient consent protocols. The World Health Organization promotes injury surveillance for systematic data collection to enable injury prevention priorities and intervention effectiveness evaluation. Source: JAMA Network
Fraud & Abuse
- The First Circuit Court of Appeals affirmed dismissal of a whistleblower’s complaint against dialysis provider Fresenius, applying a strict “but-for” causation standard for False Claims Act cases involving alleged kickbacks. Relator Martin Flanagan, who worked for Fresenius for 29 years, filed a qui tam complaint in March 2014 alleging the company violated the Anti-Kickback Statute and False Claims Act by providing financial incentives to hospitals and physicians to induce patient referrals. The alleged kickbacks included limiting costs to hospitals, hiring hospital nephrologists as medical directors, providing free services, and entering into lease and joint venture agreements with physicians. The First Circuit applied the causation standard from United States v. Regeneron Pharmaceuticals and held that Flanagan failed to adequately plead that the government claims would not have occurred “but-for” the alleged kickbacks. The decision aligns the First Circuit with the Sixth and Eighth circuits in requiring whistleblowers to meet demanding pleading requirements demonstrating direct causation between kickbacks and false claims. Source: King & Spalding
- The Eleventh Circuit ruled that a physician’s False Claims Act qui tam action was barred by res judicata due to a prior employment retaliation lawsuit in Milner v. Baptist Health Montgomery. The physician had sued his former employer-hospital, claiming he was terminated for whistleblowing on opioid overprescribing, but the district court dismissed the case with prejudice after finding he had not engaged in protected conduct under the FCA. Following that dismissal, the physician filed a qui tam action, which the district court also dismissed as barred by his prior retaliation case. The Eleventh Circuit affirmed the dismissal, determining that both lawsuits involved the same parties and arose from the same factual predicate of the physician’s reporting of overprescriptions. The court held that relators have “unrestricted participation” in litigation, making the physician individually a party in both cases, and that employment retaliation actions and FCA qui tam actions generally arise from the same nucleus of operative fact. Source: Eleventh Circuit Business Blog
Gender Care
- The Department of Justice issued more than 20 subpoenas to physicians and clinics providing gender-affirming care to minors on July 9, 2025, as part of investigations into healthcare fraud and misconduct. The subpoenas signal the government’s intent to pursue False Claims Act cases against providers who bill federal healthcare programs for gender-affirming care for minors, including puberty blockers, hormone therapy and surgeries. The government appears to be building three theories of liability: miscoding or misbilling procedures, lack of informed consent from minors and parents, and lack of medical necessity for the treatments. These enforcement actions follow a series of government measures in 2025, including a January executive order directing federal agencies to stop supporting gender transitions for individuals under 19, an April Attorney General memo directing DOJ to investigate providers, and May letters from CMS requesting financial data from hospitals. The False Claims Act provides for treble damages and penalties of up to $28,619 per claim. Source: Healthcare Law Blog
Litigation
- Multiple healthcare entities compete for recovery rights from the same settlement funds, leaving injured claimants with reduced compensation. Medicare Parts A, B, C, and D, the Department of Veterans Affairs, Medicaid, and private insurers all assert recovery rights from settlement amounts. The VA issued new guidance in 2023 under the Federal Medical Care Recovery Act to exercise its recovery rights, while private insurers operate under different regulations including FEHB and ERISA frameworks. Insurers attempt to recover full treatment costs without considering payments made by other carriers or out-of-pocket expenses by claimants. Lien resolution administrators with expertise in healthcare recovery can negotiate with these entities to maximize settlement amounts for injured parties. Source: Epiq
Physician Compensation
- Healthcare organizations are implementing value-based compensation models to move physician payment structures away from traditional fee-for-service arrangements toward incentives tied to quality outcomes and cost efficiency. VMG Health outlines a five-step framework for implementing these models, starting with defining program goals, participants, and target populations, followed by determining funding sources. The framework emphasizes selecting five to ten outcome-focused metrics over process measures, ensuring physicians have demonstrable impact on results, and avoiding compensation “stacking” issues. Third-party funded programs typically offer more flexibility and lower compliance risk compared to internally funded models. Organizations must structure these incentive programs to align with regulatory requirements while driving improvements in care quality and physician engagement. Source: VMG Health
- A federal district court in Ohio allowed whistleblower claims to proceed against TriHealth, finding that physician compensation arrangements violated federal anti-kickback and self-referral laws. On July 28, the Southern District of Ohio issued orders in two related False Claims Act cases, Murphy and Shahbabian, where whistleblowers alleged that a physician group overpaid employed doctors beyond their productivity to incentivize referrals to affiliated hospitals. The court determined these arrangements violated both the Anti-Kickback Statute and Stark Law because the compensation took into account the volume and value of physician referrals, and defendants could not claim protection under employment safe harbors. The court also certified for appeal the question of whether the FCA’s qui tam provisions violate Article II of the Constitution, noting that three Supreme Court justices have expressed concerns about the constitutionality of allowing private citizens to file lawsuits on behalf of the government. The cases highlight risks for healthcare providers in structuring physician compensation that could be tied to referral patterns. Source: Warner Norcross + Judd LLP
Value-Based Reimbursement
- Value-based care programs in the United States remain limited in scope despite nearly two decades of development since their 2006 introduction. A review of 50 global value-based care initiatives published in the Journal of the American Medical Association Health Forum found most programs, particularly in the United States, operate in isolation within departments or individual hospitals rather than as part of system-wide transformations. National programs like the Comprehensive Care for Joint Replacement and Bundled Payments for Care Improvement function at the provider level instead of integrating into broader regional or national strategies. The healthcare system faces barriers including structural fragmentation with multiple payers, disconnected data systems, fee-for-service incentives, and lack of digital infrastructure for tracking outcomes and costs. Organizations like CHESS Health Solutions demonstrate that physician-led models can scale when clinical transformation combines with strategic contracting and data analytics, while community settings, primary care, and Medicaid programs show promise for national expansion. Source: bakersfield.com
Accountable Care Organizations
- Health policy experts anticipate the second Trump administration will revive the Geographic Direct Contracting Model that was suspended by the Biden administration before implementation. The model would assign entire geographic regions to accountable entities responsible for managing care and costs for all Medicare beneficiaries in those areas, unlike current models that focus only on patients already connected to participating providers. The authors recommend modifications including leveraging Medicare’s 1.3 percent administrative costs rather than replacing them with private insurance overhead of 12-15 percent, starting with modest discount requirements of 1-2 percent instead of the original 3-5 percent, and building on existing provider-led ACOs rather than insurance companies. The successor ACO REACH program generated $1.6 billion in gross savings and $695 million in net savings to CMS in 2023, with 73 out of 83 participating ACOs meeting continuous improvement requirements. The authors argue a revised model could combine Medicare’s efficiency with population health innovations while serving as regional sentinels against fraud, waste, and abuse. Source: Health Affairs
Antitrust
- Washington and Colorado will require companies filing Hart-Scott-Rodino premerger notifications to simultaneously submit copies to state attorneys general starting this summer. Washington’s law takes effect July 27, 2025, while Colorado’s becomes effective August 6, 2025, applying to companies with their principal place of business in the state or with annual net sales of at least $25.28 million in goods or services involved in the transaction. The laws impose no filing fees but carry penalties of up to $10,000 per day for non-compliance, and they do not create waiting periods that would prevent deal closings. Both states based their legislation on the Uniform Antitrust Premerger Notification Act approved by the Uniform Law Commission in July 2024, which provides a model for state attorneys general to receive HSR filings at the same time as federal antitrust agencies. Hawaii, West Virginia, District of Columbia, California, and New York are considering similar legislation, with New York’s proposed law extending beyond the model act to require all businesses conducting operations in the state to file with the attorney general. Source: Hogan Lovells
Business Entities
- Texas enacted two bills in May 2025 that reshape corporate governance to attract businesses away from Delaware. Senate Bill 29, effective immediately, codifies the business judgment rule for directors and officers, allows companies to require internal disputes be heard exclusively in Texas courts, permits jury trial waivers, and restricts shareholder inspection rights to exclude emails and social media unless they directly relate to corporate actions. The law also requires minimum ownership thresholds of up to 3% for derivative suits and prohibits attorney fee awards in disclosure-only cases. Senate Bill 1057, effective September 1, 2025, imposes stricter requirements on shareholder proposals by mandating that shareholders hold $1 million in market value or 3% of voting stock for at least six months and solicit 67% of voting power. These changes position Texas to compete with Delaware in the corporate law space as states seek to attract incorporation business. Source: Seyfarth Shaw LLP
Compassionate Use
- Texas expanded its medical cannabis program through HB 46, which Governor Greg Abbott signed into law on June 21, 2025. The law, effective September 1, 2025, adds chronic pain, Crohn’s disease, traumatic brain injury, terminal illnesses, and hospice care as qualifying conditions. The legislation increases THC limits from 1% by weight to 10 milligrams per dose with packages not exceeding 1 gram of THC, and expands delivery methods to include lotions, patches, suppositories, and non-smoked inhalation devices. The Department of Public Safety will issue 12 additional licenses for dispensing organizations, bringing the total to 15, while the Texas Board of Pharmacy will monitor dispensed cannabis through the Prescription Monitoring Program. Patient recommendations remain valid for one year with four 90-day refills, and patient registry information stays confidential with access limited to the department, registered physicians, and dispensing organizations. Source: Marijuana Policy Project
Data Privacy
- Colorado and California became the first US states to enact privacy laws governing neural data in 2024, with at least six other states now proposing similar legislation. The two states took different approaches, with Colorado requiring opt-in consent before collecting neural data while California only provides consumers with limited opt-out rights for uses beyond requested services. Current federal laws like HIPAA provide minimal protection for neural data, covering it only when collected by healthcare entities. Connecticut, Illinois, Massachusetts, Minnesota, Montana, and Vermont have pending bills that vary in scope, with some treating neural data as biometric information and others creating standalone protections. Companies collecting neural data from brain-computer interfaces and neurotechnology devices face compliance challenges due to the inconsistent state-by-state regulatory approach. Source: Arnold & Porter
- Healthcare organizations face mounting cybersecurity threats as data breach costs reach $4.88 million globally, representing a 10 percent increase from the previous year. Electronic health records containing protected health information have become prime targets for cybercriminals using phishing and ransomware attacks. Generative AI tools are expanding the attack surface by introducing vulnerabilities through flawed code, data exposure risks, and threats like prompt injection and deep fakes. A HIMSS/Trimex study reveals that 74 percent of healthcare organizations feel understaffed to handle rising cyber threats. Healthcare providers must implement staff education programs, physical and technical security controls, data encryption, role-based access control, and vetted third-party partnerships while achieving HITRUST certification as the gold standard for data security compliance. Source: HIT Consultant
Fraud & Abuse
- UnitedHealth Group disclosed Thursday it faces criminal and civil investigations from the Department of Justice. The company said in an SEC filing it was complying with DOJ requests and had reached out to the department after media reports about probes into its Medicare practices. The investigation adds to a year of challenges for the healthcare company, which became the worst performer on the Dow Jones Industrial Average during the first half of 2025 following the fatal shooting of CEO Brian Thompson and the departure of the company’s CEO in May. The Wall Street Journal previously reported the DOJ’s healthcare-fraud unit was investigating possible Medicare fraud at the company, along with potential antitrust violations and Medicare billing practices. UnitedHealth’s stock declined 1.5 percent in morning trading following the announcement, though the company maintains it has “full confidence” in its practices. Source: ABC News
Medical Debt
- A federal court has vacated the Consumer Financial Protection Bureau’s Medical Debt Rule after finding the agency exceeded its authority under federal law. The United States District Court for the Eastern District of Texas approved a consent judgment this month, ruling that the CFPB violated the Fair Credit Reporting Act and the Administrative Procedure Act when it finalized the rule in January 2025. The rule would have prohibited credit reporting agencies from including any medical debt information in consumer reports and barred creditors from considering such information in credit decisions. Trade associations representing credit unions and consumer data industries challenged the rule, and the CFPB under new leadership agreed with the challengers. The decision restores the framework where credit reporting agencies can report coded medical debt information that protects patient privacy. Source: Health Care Law Matters
Medicare Reimbursement
- CMS released the calendar year 2026 Medicare Physician Fee Schedule and Quality Payment Program proposed rule that establishes different payment rates for physicians based on their participation in alternative payment models. The proposed conversion factor for qualifying alternative payment model participants is $33.59, representing a 3.83% increase, while non-participants would receive $33.42, a 3.62% increase from 2025. CMS proposes applying a -2.5% efficiency adjustment to work relative value units for non-time-based services, excluding evaluation and management services, care management, behavioral health, and telehealth services. The agency will recognize higher indirect practice expense costs for office-based practitioners compared to facility settings due to the decline in private practice physicians. CMS also introduced a mandatory Ambulatory Specialty Model for specialists treating low back pain or heart failure that will assess individual physicians on quality metrics and apply payment adjustments ranging from -9% to +9% from 2027 through 2031. Source: AAMC
- CMS launched the WISeR model in June, using artificial intelligence to review Medicare payments for select services during a six-year pilot program from January 2026 to December 2031. The program applies only to original Medicare plans and initially covers skin and tissue substitutes, electrical nerve stimulator implants, and knee arthroscopy for osteoarthritis, while excluding emergency services and treatments that pose risks if delayed. Model participants receive compensation based on a percentage of savings from denied services, raising concerns about financial incentives for denials given that similar AI programs have faced lawsuits where over 90% of denials were later overturned on appeal. A Senate subcommittee report from October 2024 found that Medicare Advantage plans using predictive analysis increased automatic denials for post-acute services without regard to patient need. Providers can earn “gold card” status to become exempt from reviews by demonstrating high authorization approval rates, and experts recommend that providers engage with CMS during the pilot phase and monitor denial patterns for algorithm errors. Source: Phelps Dunbar LLP
Skilled Nursing Facilities
- CMS has extended the deadline for skilled nursing facilities to submit enhanced ownership disclosure requirements from August 1, 2025, to January 1, 2026. The new guidance implements Section 1124(c) of the Social Security Act through a revised Form CMS-855A that requires SNFs to disclose detailed information about governing body members, additional disclosable parties with operational or financial control, and organizational structures of related entities. The enhanced requirements, effective October 1, 2024, apply to all SNFs enrolling, revalidating, reactivating, or undergoing ownership changes, expanding beyond current Section 1124(a) disclosures to include parties providing management services, leasing real property, or exercising control over facility operations. All SNFs must complete revalidation applications by the uniform January 1, 2026 deadline regardless of when they received notification letters from Medicare Administrative Contractors. SNFs experiencing difficulty obtaining required information from third parties must document maximum feasible efforts to secure the data before notifying their contractors of any gaps. Source: CMS Guidance for SNF Attachment on Form CMS-855A
- The HHS Office of Inspector General imposed over $1.6 million in penalties against 20 healthcare facilities for employing individuals excluded from federal healthcare programs. On May 29, 2025, HHS-OIG announced a $1,565,374.11 settlement with 19 skilled nursing facilities across California, Texas, Ohio, and Nevada to resolve allegations that they knew or should have known they employed excluded individuals who provided services billed to federal programs. The agency also reached a separate $35,597.37 settlement with CareLink Home Health, LLC in Illinois for employing an excluded individual who worked as a nurse and case manager while on the exclusions list. HHS-OIG excludes individuals and entities from Medicare and Medicaid programs for various reasons, with exclusion periods ranging from discretionary terms to permanent bans for repeat offenders. Healthcare organizations must check the HHS-OIG List of Excluded Individuals/Entities before hiring new employees or vendors and conduct regular checks of current staff to avoid civil monetary penalty liability. Source: HIPAA Journal
Business of Healthcare
- Healthcare organizations face financial losses from compliance failures, with non-compliance leading to penalties, reputational damage, and operational disruption. VMG Health helped an academic institution save $310,000 using its Compliance Risk Analyzer software, which provides statistical analysis of audit risk for physician claims. The company offers services including fair market value opinions, coding audits, transaction support, and staff training to help healthcare organizations navigate compliance challenges. The firm has developed FMV-MD software to standardize valuation management processes and reduce risks associated with physician compensation arrangements under Stark Law. With 30 years of experience focused on healthcare, VMG Health provides compliance services across all healthcare sectors. Source: VMG Health
- Physician groups must evaluate tax efficiency, legal structure, and compliance issues before considering strategic transactions to avoid pitfalls and devaluation. Medical practice consolidation has increased in recent years with lucrative valuations, but groups need consensus before exploring transactions—full consensus for smaller groups of 2-4 physicians and substantial consensus of 80% or more for larger groups of 5-30+ physicians. Groups must agree on proceeds allocation early and address compliance issues including monthly exclusion checks, Stark/DHS compliance, HIPAA policies, co-pay waiver violations, and employee classification problems. Real estate leases between physician owners and practices should reflect fair market value terms rather than friendly arrangements. Engaging experienced healthcare transaction attorneys and advisors is crucial for proper advance planning and positioning. Source: Medical Economics
Clinical Laboratories
- The U.S. Department of Health and Human Services Office of Inspector General announced in June 2025 a new Work Plan review examining Medicare payments for clinical diagnostic laboratory tests in 2024. This annual review, mandated by the Protecting Access to Medicare Act of 2014, will analyze the top 25 laboratory tests by Medicare expenditures, including tests such as comprehensive metabolic panels, complete blood counts, Hemoglobin A1c, and lipid panels. The OIG’s findings could result in future payment rate adjustments, increased audit scrutiny, or enforcement actions against providers identified as outliers. Clinical laboratories and healthcare providers must ensure their billing practices comply with Medicare regulations, maintain documentation supporting medical necessity, and implement compliance programs with internal audits and staff training. Recent False Claims Act litigation, including Jensen ex rel. United States of America v. Genesis Laboratory, demonstrates the risks laboratories face for non-compliance with federal regulations regarding medical necessity and the Anti-Kickback Statute. Source: Healthcare Law Insights
Cybersecurity & Data Breaches
- Healthcare became the most targeted industry for ransomware attacks in 2024, with data breaches costing organizations an average of $9.77 million. Medical records sell for up to 50 times more than credit card numbers on the dark web because they cannot be cancelled and enable identity theft and insurance fraud. The sector faces vulnerabilities from outdated systems, with 71% of medical devices running obsolete software in 2019 and 60% of French hospitals operating on outdated infrastructure in 2022. Human error accounts for 70% of successful cyberattacks in healthcare in France, with phishing serving as the most common entry point. The analysis recommends treating obsolete IT systems as systemic risks, reimagining spending models to allow flexibility between capital and operational expenditures, mandating cybersecurity training, encouraging regional collaboration, and securing electronic health records as priorities. Source: Cisco
- Healthcare organizations face mounting pressure to deliver personalized care while protecting patient data privacy. A 2023 poll found 95% of patients worry about medical record breaches, while a 2022 American Medical Association survey revealed 92% of respondents believe privacy is a right regarding their health data. Patients trust healthcare providers more than tech companies with their information, with 64-75% comfortable sharing data with doctors and hospitals compared to over 67% who are uncomfortable sharing with technology companies. Nearly half of patients report not getting all questions answered during provider visits, creating opportunities for health plans to fill gaps through educational content that uses aggregate data analysis rather than accessing protected health information. Solutions exist that allow care management teams to personalize member experiences through tiered approaches including self-service resources, automated engagement for rising-risk members, and care manager support for higher-risk populations. Source: Wolters Kluwer
- In June 2025, Winkler County Hospital District notified 637 patients about an insider incident involving the unauthorized disclosure of their protected health information. The incident occurred in April 2025 when a former employee emailed patient data to a personal account. Source: HIPAA Journal
Electronic Health Record
- Texas Governor Greg Abbott signed S.B. 1188 into law, creating data localization requirements for electronic health records. The law requires covered entities to physically maintain all electronic health records of Texas patients within the United States, including those stored by third-party cloud computing services. Healthcare practitioners may use AI for diagnostic purposes only if they disclose its use to patients, operate within their licensing scope, and review AI-generated records according to Texas Medical Board standards. The law establishes a definition of “biological sex” based on reproductive systems and restricts amendments to biological sex information in health records to clerical error corrections or sexual development disorder diagnoses. Violations can result in civil penalties ranging from $5,000 to $250,000 per violation, with most provisions taking effect September 1, 2025, and data localization requirements beginning January 1, 2026. Source: Hunton Andrews Kurth
Emergency Preparedness
- Texas HB 3595 establishes statewide emergency preparedness standards for assisted living communities while allowing providers flexibility in how they meet backup power requirements. The law, effective September 1, requires communities to maintain areas of refuge with temperatures between 68 and 82 degrees during emergencies and conduct full building evaluations of electricity needs. Communities must report power outages lasting more than 12 hours to state agencies, triggering ongoing monitoring conversations to ensure resident safety. The legislation was prompted by Winter Storm Uri, which killed 107 Texas older adults from hypothermia in 2021, and Hurricane Beryl, which caused 28 deaths among older adults, half from overheating. Industry groups support the flexible approach over statewide generator mandates, noting that only 47% of Texas assisted living communities have generators, and more than half of the state’s 2,000 communities house fewer than 17 residents. Source: McKnight’s Senior Living
Emerging Tech
- Texas will implement the Texas Responsible Artificial Intelligence Governance Act on January 1, 2026, regulating businesses operating in the state, those with products used by Texans, or those developing AI systems in Texas. The law prohibits using AI to incite criminal activity, cause harm, violate discrimination laws, impair constitutional rights, or create child pornography and deepfake imagery. Companies must obtain consent before using biometric identifiers for commercial AI purposes and destroy the data within one year after the collection purpose expires. Healthcare providers must notify patients before using AI tools in treatment, and the law establishes a 36-month regulatory sandbox program allowing approved businesses to test AI systems without prosecution. The Texas attorney general will enforce the law, which includes safe harbor provisions for companies that promptly remediate violations and a rebuttable presumption of care for following recognized industry standards. Source: Sheppard Mullin Richter & Hampton LLP
- Healthcare platforms combining artificial intelligence, Internet of Things, and blockchain technology are creating self-learning ecosystems that transform patient care from reactive to proactive. These cognitive healthcare platforms use IoT devices such as fitness trackers and hospital equipment to continuously collect patient data including heart rate, blood pressure, and glucose levels, enabling early intervention before symptoms appear. Blockchain technology ensures secure, tamper-proof storage and sharing of medical records, allowing authorized healthcare providers to access complete patient histories while preventing data breaches and fraud. AI analyzes the real-time data streams to identify patterns and predict health risks such as early signs of diabetes or cancer from subtle changes in body metrics. The platforms reduce administrative burdens for healthcare providers while offering patients transparent access to their health records and remote consultation capabilities, though implementation faces challenges including infrastructure limitations in rural areas and interoperability issues between different hospital systems. Source: Healthcare Asia Magazine
Fraud & Abuse
- The HHS Office of Inspector General issued an unfavorable advisory opinion on July 7, 2025, ruling that flat fee payment structures do not protect healthcare arrangements from Anti-Kickback Statute violations. Advisory Opinion 25-08 involved a proposed arrangement between a medical device company and a software vendor, where the device company would pay $395 per license annually (totaling $1.2 million) to access software that facilitates device sales to hospitals and surgical centers. The OIG determined the arrangement failed to meet the Personal Services and Management Contracts Safe Harbor because the software services were “redundant” to the company’s existing accounts receivable processes and provided no tangible benefits beyond accessing referrals from surgical providers. The opinion emphasized that payments primarily intended to access referrals rather than obtain legitimate services can violate the Anti-Kickback Statute regardless of whether compensation is structured as a flat fee. The OIG also expressed concerns about anti-competitive behavior, noting that such arrangements could inappropriately steer healthcare providers toward companies willing to pay these fees while disadvantaging competitors. Source: Holland & Knight
- Medical practices must navigate two federal laws designed to prevent financial conflicts of interest that could influence patient referrals. The Stark Law prohibits physicians from referring Medicare patients for designated health services to entities with which they or their family members have financial relationships unless specific exceptions apply, and violations can occur regardless of intent since it is a strict liability statute. The Anti-Kickback Statute criminalizes exchanges of value to induce referrals for federal healthcare program services and requires proof of intent but applies more broadly to all federal programs. In 2024, the Department of Justice resolved multiple cases involving alleged violations, including a Delaware health system that paid $42.5 million to settle allegations it provided free clinical support to a neonatology practice that then billed for services performed by staff. The Office of Inspector General recommends medical practices implement a seven-element compliance framework that includes internal audits, written policies, designated compliance officers, training programs, prompt violation response, open communication, and disciplinary standards. Source: CSH Law
Medicare Reimbursement
- CMS will require specialists in selected regions to participate in a new payment model targeting heart failure and low back pain starting January 1, 2027. The Ambulatory Specialty Model will run for five years through December 31, 2031, and initially cover specialists in roughly one-quarter of core-based statistical areas who treat Original Medicare patients. Participation will be mandatory for cardiologists treating heart failure and specialists in anesthesiology, pain management, neurosurgery, orthopedic surgery, and physical medicine treating low back pain, provided they have historically treated at least 20 episodes per year. The model rewards specialists for improving patient health outcomes and coordinating with primary care providers to reduce avoidable hospitalizations and unnecessary procedures. CMS expects the program to lower costs to Original Medicare while improving patient experience and outcomes. Source: CMS
- CMS announced a proposed rule to slash Medicare reimbursement for skin substitutes by nearly 90% to combat what it calls “abusive pricing practices” in the wound care industry. The 2026 Medicare Physician Fee Schedule would pay for skin substitutes as incident-to-supplies at a flat rate of $125.38 per square cm instead of the current biologicals framework, which allows products to be priced as much as $2,000 per square inch. Medicare spending on these cellular and tissue-based products that treat chronic wounds jumped from $252 million in 2019 to more than $10 billion in 2024. The proposal would categorize skin substitutes by their FDA regulatory status and aims to incentivize products with clinical evidence while saving billions in taxpayer dollars. Industry stakeholders have until September 12 to provide comments, with manufacturers warning the cuts could limit patient access and reduce innovation while advocacy groups support the cost-control measures. Source: MedPage Today
Mergers & Acquisition
- Healthcare mergers and acquisitions demonstrate resilience in 2025, with transaction levels nearly double pre-2020 volumes despite economic and regulatory challenges. Private equity participates in roughly 40% of healthcare transactions, driven by large reserves of undeployed capital and urgency to generate returns. Behavioral health and home health/hospice sectors remain top targets for deals, while revenue cycle management and infusion therapy show increased momentum due to their tech-enabled potential and operational scalability. The Federal Trade Commission and state attorneys general have heightened scrutiny around private equity ownership and market concentration, slowing deal timelines but not halting activity. Organizations now conduct annual strategic portfolio reviews instead of three- to five-year planning cycles, with many preparing to bring deals to market for the remainder of 2025. Source: Modern Healthcare
Transgender Care
- Physician groups must evaluate tax efficiency, legal structure, and compliance issues before considering strategic transactions to avoid pitfalls and devaluation. Medical practice consolidation has increased in recent years with lucrative valuations, but groups need consensus before exploring transactions—full consensus for smaller groups of 2-4 physicians and substantial consensus of 80% or more for larger groups of 5-30+ physicians. Groups must agree on proceeds allocation early and address compliance issues including monthly exclusion checks, Stark/DHS compliance, HIPAA policies, co-pay waiver violations, and employee classification problems. Real estate leases between physician owners and practices should reflect fair market value terms rather than friendly arrangements. Engaging experienced healthcare transaction attorneys and advisors is crucial for proper advance planning and positioning. Source: Medical Economics
Texas Public Emergency
- The Department of Health and Human Services has waived certain HIPAA sanctions and penalties for Texas hospitals responding to a public health emergency in Kerr County. President Donald J. Trump signed a Major Disaster Declaration for Kerr County, Texas, and Secretary Robert F. Kennedy, Jr. declared a public health emergency to address consequences of storms, straight-line winds, and flooding. The waiver allows hospitals to bypass five specific HIPAA Privacy Rule requirements, including obtaining patient agreement to speak with family members, honoring opt-out requests from facility directories, distributing privacy notices, and processing patient requests for privacy restrictions and confidential communications. The waiver applies only in the emergency area to hospitals with disaster protocols and lasts up to 72 hours from when the hospital implements its disaster protocol. Hospitals must resume full HIPAA compliance for all patients under their care once the Presidential or Secretarial declaration terminates, regardless of the 72-hour timeframe. Source: HHS.gov
OIG Advisory Opinions
- The OIG determined that a device manufacturer’s proposed arrangement to reimburse purchasers up to $2,500 for actual costs resulting from a needle stick injury caused by the failure of its device does not violate the Federal anti-kickback statute. The manufacturer’s device, used by health care practitioners for injections, includes a safety mechanism, and the reimbursement would only apply if the device’s failure—not user error—causes an injury. The OIG found that the arrangement qualifies for the regulatory safe harbor for warranties, as it is limited to reimbursement for documented actual costs, is not conditioned on exclusive use or minimum purchases, and does not involve price reductions or payments for medical expenses of federal health care program enrollees. The warranty applies for one year from purchase and only covers the device itself, not related services. Source: OIG Advisory Opinion No. 25-05 (Favorable)
- The OIG concluded that a pharmaceutical manufacturer’s program to assist eligible patients with travel, lodging, and related expenses for a one-time gene therapy does not violate federal anti-kickback or beneficiary inducement laws. The manufacturer’s gene therapy treats a rare, fatal genetic disease in children and costs over $4 million, with treatment limited to a small number of specialized centers. Under the arrangement, patients with household incomes below 600% of the Federal Poverty Level and who lack other travel assistance may receive covered transportation, lodging, and daily expenses for themselves and up to two caregivers, but only for medically necessary phases of treatment and only when no other support is available. The program uses a vendor to verify eligibility and prevent duplicate coverage, requires documentation of expenses, and does not promote the assistance as a reason to prescribe the therapy. The OIG found that the arrangement promotes access to care, poses a low risk of fraud or abuse, and does not improperly influence provider or patient choice. Source: OIG Advisory Opinion No. 25-06 (Favorable)
- The OIG determined that a pharmaceutical manufacturer’s program to sponsor a free companion laboratory test for eligible patients prior to prescribing a specific drug does not violate federal anti-kickback or beneficiary inducement laws. The manufacturer’s drug is approved for certain conditions and requires a companion diagnostic test to determine patient eligibility, with the test being offered at no cost to patients who meet specific criteria and have not previously received the test. The arrangement prohibits providers and the laboratory from seeking reimbursement from any third party, ensures that no patient or provider receives direct remuneration, and limits data sharing to de-identified, aggregated information. The program is designed to identify patients who may benefit from the drug and does not promote the drug during disease-awareness activities or use data to target providers or patients for marketing purposes. The OIG concluded that the arrangement poses a low risk of fraud or abuse, does not interfere with clinical decision-making, and satisfies exceptions for promoting access to care. Source: OIG Advisory Opinion No. 25-07 (Favorable)
- The OIG found that a medical device company’s proposal to pay a third-party vendor for access to an electronic billing system used by some customers would generate prohibited remuneration under the Federal anti-kickback statute. The company supplies “bill-only” surgical devices to health care providers, and some customers require the use of a vendor’s billing portal for purchasing these items, for which the vendor charges the company a licensing fee per representative. The company stated that the portal is redundant to its existing billing processes and provides no necessary or desired services, but it would pay the fees to retain and potentially expand business with customers who require use of the portal. The OIG determined that the arrangement could inappropriately steer customers to the company over competitors, presents anti-competitive risks, and does not serve a commercially reasonable business purpose for the company. As a result, the OIG concluded that the arrangement is not sufficiently low risk to warrant a favorable opinion. Source: OIG Advisory Opinion No. 25-08 (Unfavorable)
Cybersecurity
- Healthcare organizations face cybersecurity risks when storing Protected Health Information in cloud environments. PHI includes medical records, diagnoses, treatment details, billing information, patient names, medical record numbers, health insurance details, Social Security numbers, test results, prescriptions, dates of birth, and addresses. When compromised, PHI can lead to identity theft, medical fraud, unauthorized use of insurance benefits, reputational harm, and loss of trust in healthcare providers. Cloud storage challenges include meeting HIPAA compliance requirements, understanding shared responsibility between providers and organizations, preventing misconfigurations, managing third-party integrations, maintaining visibility and control, and ensuring data location compliance. Healthcare organizations must implement encryption, identity and access management, secure cloud architecture, continuous monitoring, regular backups, disaster recovery plans, and staff training to protect PHI in cloud environments. Source: Geek Vibes Nation
Food & Drug Administration
- The FDA implemented sweeping changes in June 2025 that created uncertainty for cell and gene therapy developers while launching new programs to accelerate drug approvals. The agency halted new clinical trials involving transfer of genetic material to foreign countries including China and terminated both the director and deputy director of the Office of Therapeutic Products, which oversees gene therapy and cellular therapy reviews. FDA also launched the Commissioner’s National Priority Voucher program that promises to reduce drug review times from 10-12 months to 1-2 months for companies aligned with national health priorities such as domestic manufacturing. The agency issued a warning letter to a Florida drug distributor for Drug Supply Chain Security Act violations just two months after inspection, signaling accelerated enforcement of prescription drug security laws. Meanwhile, medical device regulation remained stable and the FDA hired a new deputy director of the Center for Drug Evaluation and Research to advance psychedelic therapy development. Source: Mintz
Fraud & Abuse
- DOJ and HHS announced the creation of the False Claims Act Working Group to strengthen civil enforcement of the False Claims Act in healthcare. The Working Group will be jointly led by DOJ’s Civil Division and top HHS officials, including representatives from CMS, the HHS Office of Inspector General, and U.S. Attorneys’ Offices. The initiative will focus on six priority enforcement areas: Medicare Advantage risk adjustment fraud, drug and device pricing, barriers to patient care, kickbacks, defective medical devices, and EHR manipulation designed to inflate Medicare reimbursements. The Working Group will make high-priority FCA referrals from HHS to DOJ, coordinate enforcement decisions, leverage data mining to uncover leads, evaluate payment suspensions, and encourage voluntary disclosures. This marks a shift toward more government-led enforcement and potentially less whistleblower-led enforcement, with healthcare companies facing increased scrutiny and faster investigations. Source: Healthcare Law Insights
Marketing
- Healthcare fraud through phone calls cost Americans over $16 million in the first quarter of 2024. Americans received more than 4.4 billion robocalls in April 2024, with an average of 146.9 million calls per day and 1,700 calls per second. Scammers target the healthcare sector because consumers trust calls from health providers, often using caller ID spoofing to appear as legitimate hospitals or physicians’ offices. Common scams involve fraudsters posing as Medicare or Medicaid workers who request personal data or money while threatening loss of coverage. New technology offers solutions through branded calls that display business logos, names, and reasons for calling, verified through end-to-end call verification systems. Source: HIT Consultant
No Surprises Act
- The Fifth Circuit ruled that the No Surprises Act does not allow healthcare providers to bring private lawsuits to enforce Independent Dispute Resolution awards. The case involved two air ambulance providers, Guardian Flight, LLC and Med-Trans Corporation, who sued Health Care Service Corporation after receiving delayed or no payment on IDR awards they had won under the No Surprises Act. The Fifth Circuit rejected all three of the providers’ claims, including violations of the NSA itself, ERISA benefit denials, and state law unjust enrichment. The court determined that Congress intended enforcement to occur through the administrative complaint process overseen by the U.S. Department of Health and Human Services rather than through private litigation. This decision conflicts with district court rulings in Connecticut and other jurisdictions that have found implied enforcement rights, creating a judicial divide that may require Supreme Court resolution. Source: Proskauer Rose LLP
Restrictive Covenants
- Eight states have enacted legislation in 2025 that restricts or bans non-compete agreements for healthcare professionals. Colorado now voids non-compete and non-solicitation covenants for healthcare providers regardless of salary thresholds, while Illinois expanded restrictions for mental health professionals treating veterans and first responders. Indiana banned non-compete agreements between physicians and hospitals or hospital systems, and Montana extended its existing ban to all licensed physicians. Oregon declared non-competition agreements void and unenforceable for physicians, physician assistants, and nurse practitioners, while Texas now requires buyout options capped at annual salary and extended restrictions to dentists, nurses, and physician assistants. Utah prohibits healthcare staffing platforms from requiring non-compete agreements from healthcare workers. Source: Littler
- States are implementing varied restrictions on non-compete agreements for healthcare professionals following the Federal Trade Commission’s failed attempt to ban such agreements nationwide. The new state laws range from blanket prohibitions in states like Arkansas and Wyoming to defined limitations on duration and geographic scope, with most states allowing non-competes lasting up to one year and geographic restrictions varying from five-mile radii in Texas to 30-mile radii in West Virginia. Some states condition enforceability on termination circumstances, while others like Maryland use hybrid approaches that combine compensation thresholds with medical-specific limitations. Texas enacted legislation in June 2025 requiring buyout caps not exceeding annual salary, while Florida passed a bill excluding healthcare practitioners from expanded non-compete limitations and Nevada’s governor vetoed a healthcare non-compete prohibition. The varied approaches reflect competing interests between employer investment protection, practitioner mobility rights, and patient care continuity concerns. Source: Seyfarth Shaw LLP
- Governor Abbott signed Senate Bill 1318 into law, imposing new restrictions on noncompete agreements for physicians and health care practitioners effective September 1. The law limits physician noncompete agreements entered into or renewed after September 1 to one year in duration and five miles in geographic scope from where the physician primarily practiced. Buyout provisions cannot exceed the physician’s total annual salary and wages at the time of separation, and agreements must include clearly written terms. The legislation expands these restrictions to health care practitioners including licensed dentists, nurses, and physician assistants, and voids noncompete agreements when physicians are involuntarily discharged without good cause. While the law only applies to new or renewed agreements after September 1, courts may use these restrictions as guidelines when evaluating the reasonableness of existing noncompete agreements. Source: BakerHostetler
Emerging Tech
- CMS will launch the Wasteful and Inappropriate Service Reduction (WISeR) Model on January 1, 2026, to combat healthcare fraud through artificial intelligence-enhanced prior authorization processes in Traditional Medicare. The model will focus on services vulnerable to fraud, waste and abuse, including skin and tissue substitutes, electrical nerve stimulator implants, and knee arthroscopy for knee osteoarthritis. CMS will partner with technology companies to administer the model across geographic areas, though licensed clinicians will make final prior authorization decisions rather than automated systems. Healthcare providers can choose between using the WISeR Model process or undergoing post-service or pre-payment medical review. The model will run through 2031, with participating companies to be announced after the application period ends on July 25, 2025. Source: TechTarget
- Texas passed two laws regulating artificial intelligence use in healthcare and other sectors. House Bill 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), was signed June 22, 2025, and takes effect January 1, 2026, requiring healthcare providers to disclose AI use in patient diagnosis or treatment. Senate Bill 1188, signed June 20, 2025, and effective September 1, 2025, mandates that licensed practitioners review all AI-generated records and prohibits offshoring electronic medical records. TRAIGA also prohibits discriminatory AI use and requires organizations to implement risk assessment and documentation procedures. The Texas attorney general will enforce TRAIGA through civil penalties. Source: Holland & Knight
- Researchers developed a privacy-preserving artificial intelligence system that achieves 99.48% accuracy in classifying skin lesions while protecting patient data through advanced encryption. The model combines block-scrambling-based encryption with three neural networks (MobileNetV2, GoogLeNet, and AlexNet) to extract features from skin images while maintaining data confidentiality during transmission and storage. The system uses a conditional variational autoencoder for classification and hippopotamus optimization for parameter tuning to enhance performance. Testing on the skin cancer ISIC dataset showed the model outperformed existing methods with superior accuracy and faster execution time of 8.85 seconds compared to competing approaches. The research addresses the critical need for secure medical image analysis, particularly important given that skin diseases affect 30-70% of people globally. Source: Scientific Reports
Fraud & Abuse
- The Justice Department charged 324 defendants in connection with over $14.6 billion in health care fraud schemes, marking the largest health care fraud takedown in the department’s history. The defendants include 96 doctors, nurse practitioners, pharmacists, and other licensed medical professionals across 50 federal districts and 12 state attorneys general offices. The government seized over $245 million in cash, luxury vehicles, cryptocurrency, and other assets, while the Centers for Medicare and Medicaid Services prevented over $4 billion from being paid on fraudulent claims and suspended or revoked billing privileges for 205 providers. The schemes included transnational criminal organizations submitting over $12 billion in fraudulent claims, with Operation Gold Rush alone involving $10.6 billion in fraudulent Medicare claims using stolen identities of over one million Americans. The Justice Department announced plans to create a Health Care Fraud Data Fusion Center to leverage artificial intelligence and advanced analytics to identify emerging fraud schemes. Source: United States Department of Justice
- More than a dozen Houston-area medical professionals have been indicted in what prosecutors call the largest health care fraud crackdown in Department of Justice history. The nationwide operation charged over 320 people and uncovered nearly $15 billion in false claims, with 22 cases filed in federal court in Houston. Among those charged are Dr. David Jenson and his business partner, who allegedly billed Medicare $90 million for unnecessary “second skin” procedures and received $45 million in reimbursements, and the owners of United Palliative & Hospice Care in Fort Bend County, accused of fraudulently billing $87 million for end-of-life care for patients who were not dying. Other schemes involved fraudulent COVID-19 testing that netted $293 million, illegal kickbacks for genetic testing, and billing for mental health services never provided. The cases represent various types of health care fraud including Medicare and Medicaid billing fraud, pandemic relief fund fraud, and the unlawful distribution of controlled substances. Source: Houston Chronicle
- Federal prosecutors charged nearly 50 people in the Southern District of Texas as part of a national health care fraud takedown involving over $360 million fraudulently billed to Medicare and the distribution of nearly 12 million pills. The charges include 22 cases involving unlawful distribution of controlled substances, hospice fraud, kickbacks, and Medicare/Medicaid fraud schemes for services like genetic tests and durable medical equipment. The cases include a $110 million hospice fraud scheme where patients were enrolled in hospice services despite not being terminally ill, and a pill mill operation that distributed over 2 million controlled substance pills to the black market. Other schemes involved fraudulent billing for COVID-19 treatment services, mental health therapy, and skin substitute products for patients without qualifying wounds. The Texas cases are part of a nationwide enforcement action that resulted in charges against 324 defendants and the seizure of over $245 million in assets. Source: U.S. Attorney’s Office, Southern District of Texas
- The U.S. Justice Department charged 324 individuals in a record-breaking healthcare fraud crackdown involving $14.6 billion in schemes. The DOJ debuted its Health Care Fraud Data Fusion Center, which uses AI, cloud computing, and analytics to shift from reactive investigation to proactive detection of fraud patterns. The centerpiece operation, “Operation Gold Rush,” exposed a transnational catheter supply fraud led by Russian and Eastern European criminal networks that filed over $10.6 billion in false claims using stolen U.S. identities. Authorities seized over $245 million in assets and the Centers for Medicare and Medicaid Services suspended payments on over $4 billion in pending claims deemed fraudulent. Source: PYMNTS
Healthcare Privacy
- A Texas federal district court vacated the HIPAA Reproductive Health Rule nationwide on June 18, 2025, in the case Purl v. HHS. The court ruled that HHS exceeded its authority and violated procedural requirements when creating the rule, which the Biden Administration had implemented after Dobbs v. Jackson Women’s Health Organization to prohibit disclosure of reproductive health information for investigating or prosecuting reproductive healthcare that was legal where performed. Healthcare providers can now disregard the rule’s requirements and must undo actions they took to implement it, as HIPAA reverts to its pre-December 2024 form where reproductive health information is treated like any other protected health information. HHS is unlikely to appeal the decision given Trump Administration policies and has not requested a stay. The ruling does not affect substance use disorder provisions, meaning providers must still update their privacy notices by February 2026. Source: Holland & Hart’s Health Law Blog
- The Southern District of New York allowed eight privacy claims to proceed against Teladoc Health for using website tracking technologies that transmitted patient health information to third parties. On June 25, 2025, the court denied Teladoc’s motion to dismiss after plaintiffs alleged the company installed tracking pixels and APIs on its telehealth platform that shared protected health information for advertising purposes. The court ruled that Teladoc’s tracking technology created an independent criminal purpose through HIPAA violations, defeating consent-based defenses under the Electronic Communications Privacy Act. The court determined Teladoc functioned as a healthcare provider rather than a technology platform and that medical conditions constitute contents of communications under state privacy laws. Eight claims survived including federal wiretapping violations and state privacy claims under New York, Florida, and California laws. Source: Duane Morris LLP
- US healthcare companies face restrictions when offshoring patient data operations due to state and federal privacy regulations. While HIPAA does not prohibit storing protected health information outside the United States, states including Wisconsin, Texas, Florida, and Arizona have enacted data localization laws that require patient information to remain within US borders. The Centers for Medicare & Medicaid Services requires Medicare Advantage Organizations to obtain attestation certificates from healthcare providers who use offshore vendors, detailing safeguards for patient information protection. Healthcare companies can mitigate offshoring risks through business associate agreements with international arbitration clauses, encryption requirements, and annual audits of offshore subcontractors. Offshore vendors must demonstrate HIPAA compliance and may need to establish US-based operations or partner with domestic intermediaries to work with American healthcare organizations. Source: MWE
- Microsoft and Google email platforms may be transmitting healthcare data without encryption, potentially violating HIPAA requirements. A recent study found that Google Workspace still uses deprecated TLS 1.0 and 1.1 encryption protocols, while Microsoft 365, when encryption fails, sends messages unencrypted without warning senders. The research involved controlled experiments where Paubox set up recipient mail systems that only accept legacy TLS protocols and sent test messages containing simulated protected health information. Healthcare organizations rely on email for lab results, care instructions, and appointment notifications, all of which must be encrypted under HIPAA regulations. The findings suggest that healthcare organizations depending on these platforms for compliance may be unknowingly transmitting unencrypted patient data. Source: MediaPost
Inpatient Rehab Facilities
- Freestanding inpatient rehabilitation facilities are outperforming hospital-based units through partnerships, achieving 24% Medicare margins compared to 1% for departmental IRFs in 2023. The number of freestanding IRFs grew 7.4% from 345 to 371 facilities between 2022 and 2023, while Medicare IRF admissions increased 7.3% overall. States without certificate of need laws show higher IRF utilization rates at 7.5% of acute care discharges compared to 5.6% in CON states, prompting reforms in South Carolina, Florida, and Tennessee. Hospital systems are increasingly partnering with IRF operators through joint ventures, joint operating agreements, or management agreements to transition departmental units to freestanding facilities, which cost $15,000 per stay compared to $21,000 for hospital-based stays. Source: VMG Health
Clinical Trials
- Medical device manufacturers face critical decisions in clinical trial planning that can determine company survival. Companies must collect clinical data for pre-market submissions through processes that consume time and money while putting business existence at risk. Three pathways exist for medical device investigations based on risk levels: minimal risk, nonsignificant risk (NSR), and significant risk (SR) studies, with each requiring different oversight and regulatory requirements. Before conducting pivotal trials, companies must define their intended use, indications, and claims since FDA market authorization depends on clinical trial results. Companies should establish FDA communication plans and work with expert statisticians, clinicians, and regulatory counsel to mitigate risks and ensure proper execution. Source: Gardner Law
Corporate Practice of Medicine
- Healthcare entities face compliance challenges when expanding across state lines due to varying corporate practice of medicine laws and ownership requirements. The corporate practice of medicine doctrine varies significantly by state, with jurisdictions like New York establishing strict prohibitions while others allow more flexibility in corporate structures. Professional entity ownership requirements differ across states, with some mandating wholly or majority ownership by licensed professionals while others like Delaware permit non-physician ownership under certain limitations. Healthcare entities may need to create new entities, revise ownership agreements, or establish management services organization structures to comply with jurisdictional requirements. Legal counsel recommends conducting thorough due diligence and preparing new governance agreements before expanding operations into new markets. Source: Stevens & Lee
Cybersecurity
- Congress introduced bipartisan legislation to strengthen cybersecurity coordination between federal agencies protecting the healthcare sector. The Healthcare Cybersecurity Act of 2025 was introduced in the House by Representatives Jason Crow (D-CO) and Brian Fitzpatrick (R-PA), with a companion bill in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). The legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on cybersecurity improvements, establish a liaison between the agencies, authorize cybersecurity training for personnel, and conduct a study identifying sector risks. Healthcare cyberattacks have escalated with over 700 data breaches affecting 500 or more individuals reported annually for the past four years, including 278 million individuals affected in 2024. The 2024 Change Healthcare ransomware attack, which compromised an estimated 190 million records and disrupted healthcare operations nationwide, exemplifies the sector’s vulnerability to cyber threats. Source: HIPAA Journal
Emerging Tech
- Health systems across the U.S. are accelerating partnerships with tech companies to embed AI into clinical care, operations and administrative workflows. Mayo Clinic partnered with hellocare.ai in June to advance ambient clinical intelligence, aiming to support early detection, reduce clinician workload and enhance proactive inpatient care. Northwestern Medicine entered a multi-year collaboration with PathAI to transform pathology diagnostics through AI, including joint research, clinical innovation programs and co-development of machine learning-powered diagnostic algorithms. Oracle Health, Cleveland Clinic and G42 announced a partnership in May to build an AI-driven platform for healthcare delivery in both the U.S. and UAE, leveraging national-scale data analytics, clinical applications and precision medicine tools. These partnerships reflect a push among health systems and tech companies to ensure AI tools are grounded in clinical realities while benefiting from technical expertise. Source: Becker’s Hospital Review
Fair Market Valuations
- Healthcare organizations must follow eight documentation steps to maintain compliance during fair market value processes for provider compensation arrangements. The documentation requirements include gathering provider profiles, service descriptions, business justifications, productivity metrics, compensation terms, FMV analyses, contract documents, and team approvals to meet Stark Law and Anti-kickback Statute requirements. Organizations should seek third-party FMV opinions when arrangements involve high referral risk, complex compensation structures, or when internal resources lack access to market data sources and valuation expertise. Primary care and orthopedic specialties present higher referral risks compared to pathology or emergency medicine, while arrangements involving co-management, telehealth, or value-based payments require specialized valuation approaches. Many healthcare organizations are moving FMV reviews in-house to reduce costs and improve turnaround times, but must ensure they have the resources and training to conduct these reviews effectively. Source: VMG Health
Health Data
- Four states sent personal health data from their insurance websites to technology companies including Google, LinkedIn, and Snapchat. Nevada’s exchange transmitted prescription drug names and dosages to LinkedIn and Snapchat, while Maine and Rhode Island sent prescription information and doctor names to Google through analytics tools. Massachusetts Health Connector shared whether visitors reported being pregnant, blind, or disabled with LinkedIn. The Markup and CalMatters discovered this data sharing through web trackers on state exchanges established under the Affordable Care Act after auditing websites from all 19 states that operate their own health insurance marketplaces. Nevada and Massachusetts stopped transmitting data to these companies after reporters contacted them about the findings. Source: The Markup
HIPAA
- The U.S. Department of Health and Human Services is implementing new HIPAA regulations in 2025 to strengthen patient privacy and security. The updates respond to the rise of telemedicine, growing use of electronic health records, and a 264% increase in ransomware attacks against healthcare systems in 2024. Healthcare organizations must comply with expanded patient access requirements by July 2025 and update vendor management practices by December 2025, while implementing multi-factor authentication, data encryption, and penetration testing. The regulations include new protections for reproductive health information and requirements for AI tools and telehealth platforms to comply with privacy and security rules. Healthcare professionals express concerns about the cost and technical complexity of implementing these changes, particularly for small practices with outdated technology. Source: Security Boulevard
Legislation
- Texas lawmakers passed legislation requiring food manufacturers to remove certain ingredients or add warning labels to products. The Texas House approved SB 25 on May 26, 2025, with bipartisan support, targeting ingredients like Red 40 and titanium dioxide that are banned in other countries. The bill requires manufacturers to either eliminate these substances or display warnings stating the ingredient is not recommended by authorities in Australia, Canada, the European Union, or the United Kingdom. High fructose corn syrup was removed from the prohibited list after food companies opposed its inclusion, though legislators rejected industry efforts to eliminate the warning label requirement entirely. The legislation now awaits Governor Greg Abbott’s signature and would take effect September 1, 2025. Source: The Daily Intake
Private Equity
- Private equity investors maintain interest in healthcare services and technology companies despite higher borrowing costs and increased regulatory scrutiny as of mid-2025. Macroeconomic volatility has compressed valuations and extended deal timelines through the first half of 2025, but demographic trends and fragmentation among provider groups continue to attract growth-oriented capital. PE firms are targeting outpatient care models, physician specialty platforms, behavioral health services, home-based care, AI-driven clinical decision support, and value-based care platforms. Federal enforcement from the FTC and DOJ has intensified challenges to physician group consolidation, while state laws increasingly require material change notifications for healthcare mergers and acquisitions. Labor shortages and wage inflation present additional risks, particularly for home health, skilled nursing facilities, and behavioral health settings. Source: ArentFox Schiff
Accountable Care Organizations
- Hospitals participating in CMS accountable care organizations require more than two years of maturity before seeing improvements in patient care costs and quality, according to a study comparing 121 ACO-participating hospitals with 853 non-participating hospitals from 2010 to 2013. Researchers found that hospitals with an ACO maturity score of zero performed worse than non-participants in acute myocardial infarction mortality rates and perioperative pulmonary embolism or deep vein thrombosis rates, but these differences disappeared as ACO maturity increased. The study showed that higher ACO maturity scores correlated with reductions in accidental punctures and lacerations among participating hospitals. Researchers noted that early ACOs focused primarily on enhancing care coordination and strengthening primary care rather than transforming inpatient care processes during the initial 18 months. Currently, only 1,450 of more than 5,000 Medicare-enrolled hospitals participate in CMS ACOs, leaving room for expansion as the agency aims to transition all traditional Medicare beneficiaries to accountable care by 2030. Source: American Journal of Managed Care
Cybersecurity
- Healthcare organizations face an escalating cybersecurity crisis with 33 attacks recorded in 2025 and global healthcare ransomware surging 31%. Over 90% of healthcare cyberattacks are phishing scams enhanced by AI, while healthcare data sells for up to 50 times more than financial information on black markets. Third-party vendors cause 50-60% of data breaches, prompting healthcare organizations to adopt the HITRUST framework for vendor risk assessment. The government is implementing mandatory cybersecurity standards through the Health Infrastructure Security and Accountability Act and proposed HIPAA Security Rule modifications requiring encryption, multi-factor authentication, and vulnerability testing. Healthcare providers are deploying AI-powered threat detection systems and zero-trust architectures to combat these threats in real time. Source: Information Security Buzz
Drugs & Devices
- Sixteen states have proposed or passed legislation to make ivermectin available over the counter despite scientific evidence showing the deworming drug does not treat COVID-19 or cancer. Idaho, Arkansas, and Tennessee have enacted such laws, while Louisiana passed a bill awaiting the governor’s signature, driven by social media claims that ivermectin treats cancer, COVID-19, foot pain, arthritis, lupus, and acne. High-quality clinical trials found ivermectin ineffective against COVID-19, and doctors report patients with treatable cancers have delayed treatment to try ivermectin, only to return with advanced disease. Despite state laws, pharmacies remain unable to sell ivermectin over the counter because it remains federally regulated by the FDA, with NBC News finding no pharmacists willing to dispense it without a prescription in states with permissive laws. Pharmacists cite liability concerns since the prescription drug lacks over-the-counter packaging with consumer directions and safety statements. Source: Ars Technica
EMTALA
- CMS rescinded July 2022 guidance on EMTALA obligations for pregnant patients and pregnancy loss cases. The Department of Health and Human Services and Centers for Medicare & Medicaid Services announced on June 3, 2025, that they are withdrawing two hospital guidance documents (QSO-22-22-Hospitals and QSO-21-22-Hospitals) and a letter from the former Secretary of Health and Human Services because these documents do not reflect current administration policy. CMS stated it will continue to enforce EMTALA, which protects all individuals who present to hospital emergency departments seeking examination or treatment, including for emergency medical conditions that place the health of a pregnant woman or her unborn child in serious jeopardy. The agency said it will work to rectify perceived legal confusion and instability created by the former administration’s actions. Source: CMS
Fraud & Abuse
- Healthcare fraud enforcement under the False Claims Act reached $1.67 billion in settlements and judgments in 2024, representing 57% of all FCA recoveries. The Department of Justice secured settlements from Independent Health ($98 million for upcoding Medicare diagnoses), Gilead Sciences ($202 million for kickbacks to HIV medication practitioners), and Teva Pharmaceuticals ($450 million for Medicare copay conspiracies and generic drug price fixing). Attorney General Pam Bondi and Deputy Assistant Attorney General Michael Granston have committed to enforcement, with DOJ guidance instructing prosecutors to prioritize healthcare fraud cases. The government recovers three dollars for every dollar spent fighting fraud, according to DOJ officials. Enforcement now extends beyond traditional healthcare to include Walgreens ($350 million for opioid prescription violations) and McKinsey ($650 million for consulting on OxyContin sales acceleration). Source: Forensic Risk
HIPAA
- The US Department of Health and Human Services Office for Civil Rights has escalated enforcement of HIPAA risk analysis requirements through a dedicated initiative that has resulted in nine settlements totaling over $1 million in penalties since October 2024. The Risk Analysis Initiative targets healthcare entities that fail to conduct proper assessments of potential risks to electronic protected health information, a requirement under the HIPAA Security Rule that OCR describes as the foundation for cybersecurity practices. Healthcare organizations face increasing pressure as ransomware breaches have surged 264% since 2018, with settlements ranging from $10,000 to $350,000 for violations involving breaches affecting between 4,304 and 585,621 individuals. The enforcement effort has continued across both the Biden and Trump administrations, with OCR finding that many entities’ risk analyses were based on incomplete inventories of where protected health information is stored and transmitted. The initiative encompasses various breach types including ransomware attacks, server misconfigurations, and unauthorized access to medical imaging systems. Source: ArentFox Schiff
- Healthcare organizations continue to struggle with HIPAA compliance implementation despite awareness of their obligations, according to survey results from hundreds of organizations across the United States. The survey found that many organizations have not appointed dedicated HIPAA Privacy Officers with sufficient decision-making authority and continue to provide training less frequently than annually, often excluding business associates from compliance education. Organizations also lack written documentation for complex or emerging risks, with some not updating their HIPAA risk assessments in several years despite increasing cybersecurity threats. Only a minority of respondents indicated they feel confident their organization could effectively respond to an Office for Civil Rights compliance audit or data breach investigation. The Office for Civil Rights is scrutinizing risk assessments under its enforcement initiative, with organizations facing a high probability of financial penalties for noncompliance. Source: HIPAA Journal
Medicare
- Medicare paid $124 million for evaluation and management services billed alongside eye injections that violated federal requirements. The Office of Inspector General found that for 42 percent of the 3.3 million intravitreal injections provided during June 2022 through May 2023, providers billed for evaluation and management services on the same day using modifier 25, which bypassed system controls designed to prevent improper payments. Documentation for 22 of 24 sampled services did not support the use of modifier 25, as the services were not significant and separately identifiable from the injection procedures. The Centers for Medicare & Medicaid Services lacked adequate internal controls to detect and prevent these potentially improper payments, including clear requirements for modifier 25 use and medical reviews of claims. The audit recommends that CMS update billing requirements, conduct medical reviews to recover up to $124 million in improper payments, and provide better education to providers about appropriate billing practices. Source: HHS.gov
Patient Rights
- The Fifth Circuit upheld Texas parental consent requirements that prevent minors from confidentially accessing contraception at federally funded Title X clinics. Alexander Deanda, a father of three daughters, filed suit in 2020 challenging the Department of Health and Human Services’ administration of Title X, arguing he wanted notification if his children sought contraceptives based on his Christian beliefs. Title X, enacted in 1970, provides family planning services to low-income individuals and in 2021 HHS prohibited parental consent requirements for minors seeking services. The district court ruled in Deanda’s favor, finding that federal law did not preempt Texas Family Code provisions requiring parental consent for medical care, but the Fifth Circuit avoided deciding the constitutional question of balancing parental and minor rights by using the doctrine of constitutional avoidance. The ruling threatens minors’ access to confidential reproductive care through mechanisms like judicial bypass. Source: Harvard Law Review
Accountable Care Organizations
- The CMS Innovation Center is implementing significant updates to the ACO REACH Model financial methodology starting in 2026 to achieve cost savings while maintaining care quality. These changes respond to a preview evaluation report showing increased net spending despite positive gross savings and quality care results in the program’s first year. The modifications aim to decrease net spending for 2026 while improving patient outcomes without disrupting care delivery. Accountable Care Organizations participating in ACO REACH serve as partners who assume financial risk for patients while offering enhanced benefits like telehealth visits, post-hospital home care, co-pay assistance, and condition management support. CMS has published both the financial methodology changes and the evaluation report that necessitated these updates to ensure the model meets the Innovation Center’s statutory mandate. Source: CMS
- Next Generation Accountable Care Organizations rarely used voluntary alignment systems that allow Medicare beneficiaries to self-select their healthcare providers, with only 29% of organizations attributing 1% or more of their population through this method. A mixed-methods study analyzing data from 2016 through 2021 found that beneficiaries who chose voluntary alignment were sicker and cost $5,068 more annually than those aligned through traditional claims-based methods ($16,187 vs $11,119). NGACO leaders cited implementation challenges, short administrative time frames, and limited population growth as barriers to voluntary alignment adoption, while acknowledging benefits including attribution flexibility and enhanced patient engagement. Source: The American Journal of Managed Care
- Value-based care adoption continues to accelerate across healthcare organizations, with more than 60% expecting revenue increases from VBC arrangements in 2025. A survey of 168 executives and clinical leaders at 142 healthcare organizations by Innovaccer and the National Association of ACOs found that 64% anticipate a revenue shift toward VBC this year compared to 2024. Currently, 30% of organizations derive at least 25% of their revenue from VBC contracts, while 13% have surpassed the 50% mark. Organizations are investing in data analytics and AI (31.2%), care management solutions (30%), and staff training (22.6%) to accelerate their VBC transitions, though barriers remain including financial risk (87%), provider resistance (80%), and data interoperability issues (75%). The report recommends a patient-centered approach, clinician support, financial risk management, and integrated data platforms to ease VBC transitions. Source: Advisory Board
Data Breach
- U.S. Dermatology Partners (Texas), a network of over 100 dermatology practices across several states, recently announced a cyberattack and data breach that occurred in June 2024. The network disruption on June 19, 2024, was indicative of a cyberattack, and subsequent investigations by third-party digital forensics experts confirmed unauthorized access and data exfiltration. By April 2, 2025, a thorough review revealed that the stolen data included personal information such as names, dates of birth, medical record numbers, health insurance information, and specific details about dermatology services received. Additionally, a limited number of individuals had their Social Security and/or driver’s license numbers compromised. Notification letters to affected individuals began mailing on May 30, 2025. USDP has offered complimentary credit monitoring and identity protection services to those whose Social Security numbers and/or driver’s license numbers were involved. This breach underscores the importance of robust cybersecurity measures to protect sensitive health information. Source: HIPAA Journal
Emerging Tech
- Intelligence Amplification technology is revolutionizing healthcare compliance management through systems like Compliance Risk Analyzer that detect and mitigate billing and coding risks. Unlike artificial general intelligence that aims to replace human decision-making, IA augments human capabilities through predictive analytics, statistical modeling, and heuristic methods that identify high-risk patterns by comparing provider data to national benchmarks. The system generates provider-specific risk analysis reports, creates targeted audit action plans, and enables benchmarking against industry standards, resulting in proactive risk mitigation, increased efficiency, cost savings, and improved audit accuracy. While delivering significant benefits, Compliance Risk Analyzer functions optimally as part of a hybrid model where IA supports human auditors, recognizing that healthcare compliance requires nuanced human judgment alongside computational assistance. Source: VMG Health
EMTALA
- The Trump administration rescinded Biden-era guidance requiring hospitals to perform emergency abortions under federal law. The Department of Health and Human Services issued guidance in July 2022 that required doctors to perform abortions in emergency departments under the Emergency Medical Treatment and Labor Act (EMTALA), even in states where abortion is banned, when the procedure serves as stabilizing treatment for conditions like ectopic pregnancy or preeclampsia. The guidance was part of the Biden administration’s efforts to preserve abortion access after the Supreme Court overturned Roe v. Wade. CMS announced they rescinded the guidance because it does not reflect current administration policy, though they said they will continue enforcing EMTALA for emergency medical conditions affecting pregnant women. Source: ABC News
- A federal investigation found that a Texas hospital violated law by sending a woman home without treating her life-threatening ectopic pregnancy. The Centers for Medicare and Medicaid Services determined that Ascension Seton Williamson in Round Rock failed to provide proper medical screening and stabilizing treatment to Kyleigh Thurman in February 2023. Thurman returned to the hospital multiple times with bleeding before her fallopian tube ruptured, requiring surgery that removed part of her reproductive system. The hospital violated the federal Emergency Medical Treatment and Labor Act, which requires emergency rooms to provide stabilizing treatment to all patients. The Trump administration announced it would revoke Biden-era guidance that directed hospitals to provide emergency abortions for women experiencing medical emergencies. Source: PBS News
Food & Drug Administration
- The Trump administration’s FY26 budget proposal for the FDA reveals significant structural changes while maintaining overall operational capacity. The $6.8 billion proposal represents a 3.9% decrease from FY25 levels, balancing reduced discretionary funding ($3.2 billion, down 11.4%) with increased user fees ($3.6 billion, up 4%). The budget prioritizes the “Make America Healthy Again” agenda with $234.6 million for food safety and chronic disease initiatives, including plans to phase out certain food dyes and modernize safety protocols. Workforce reductions continue with the budget reflecting cuts of 1,940 full-time employees and $456.6 million in support of the “Reduction of Federal Bureaucracy initiative,” while projecting $626 million in savings from streamlined agency functions. Congressional appropriations committees have begun reviewing the proposal and will continue the funding process through September 2025. Source: Akin Gump
- The FDA will implement artificial intelligence across all its centers by the end of June to combat regulatory delays caused by recent layoffs. The agency completed a pilot scientific review using generative AI that will reduce non-productive busywork in the review process. The AI rollout comes as the FDA has missed target decision dates for drug approvals and faces staffing cuts from the Health and Human Services Secretary, who put 3,500 FDA jobs on the chopping block. All FDA centers must begin implementing the AI approach immediately, with plans to tailor AI models to each center’s needs. Source: BioSpace
Fraud & Abuse
- Dr. Benjamin Tiongson, a pain management physician practicing in Houston, Sugar Land, and Katy, has agreed to pay $390,082 to resolve allegations of Medicare fraud. Between December 2021 and December 2022, Tiongson allegedly billed Medicare for surgical implantation of neurostimulator electrodes, procedures that typically require operating rooms and command thousands of dollars in reimbursement. Instead of performing these invasive surgeries, Tiongson reportedly provided electro-acupuncture treatments that merely involved inserting thin wires into patients’ ears and taping devices behind them, all conducted in clinic settings without surgical incisions. The settlement, reached after investigation by the U.S. Attorney’s Office and Department of Health and Human Services, resolves these allegations without determination of liability. Source: United States Department of Justice
- A Frisco physician has agreed to pay $3.5 million to resolve allegations of COVID-19 billing fraud. Dr. Samad Khan, owner of SK Primary Care, allegedly submitted approximately 400,000 false claims to the COVID-19 Uninsured Program between April 2020 and October 2021 for evaluation and management services that were never performed. The United States contends that Khan’s COVID-19 testing sites were staffed by medical assistants who only performed specimen collection, yet he billed for higher-level services that required qualified healthcare professionals and often submitted two claims per patient—one for testing and another for providing results. Khan knowingly used incorrect billing codes that provided substantially higher reimbursements than the appropriate specimen collection codes, according to the settlement that resolves these allegations without a determination of liability. Source: United States Department of Justice
HIPAA
- Healthcare organizations must implement comprehensive vendor management strategies to mitigate significant HIPAA compliance risks from third-party relationships. While properly executing Business Associate Agreements is crucial, experts emphasize it must be part of a broader risk-based approach that includes thorough initial vetting, continuous monitoring, and incident response planning. Organizations should implement tiered vendor assessments based on data access levels and sensitivity, with particular scrutiny for vendors handling Protected Health Information. Common compliance failures include treating BAAs as mere checkboxes, insufficient upfront diligence, inadequate ongoing monitoring, and failure to assess subcontractor relationships. Healthcare entities cannot outsource accountability and must treat vendors as extensions of their organization while maintaining clear boundaries regarding day-to-day operations to properly manage liability. Source: Relias Media
Medicare & Medicaid
- Trump directs Health and Human Services to cap Medicaid payments at Medicare rates to eliminate fraud schemes. The memorandum targets state programs that tax healthcare providers then return the money as Medicaid payments, which triggers federal matching funds and allows providers to receive nearly three times Medicare rates. State Directed Payments under this system quadrupled over four years and reached $110 billion in 2024. The directive instructs the Secretary of Health and Human Services to ensure Medicaid payment rates do not exceed Medicare levels. Trump claims the current system allows states to avoid contributing funds while enriching healthcare providers through federal matching payments. Source: The White House
- CMS will audit all Medicare Advantage contracts for each payment year in newly initiated audits following an announcement on May 21, 2025. The agency plans to complete audits for payment years 2018 through 2024, as CMS is several years behind in completing Risk Adjustment Data Validation (RADV) audits that verify diagnosis codes submitted by MA plans are supported by patient medical records. The Medicare Payment Advisory Commission estimates MA plans may overbill the government $43 billion per year through risk-adjusted payments based on enrollee diagnoses. CMS Administrator Dr. Mehmet Oz stated the agency has a duty to ensure MA plans bill the government accurately, and the Trump Administration aims to complete remaining audits by early 2026. To meet this goal, CMS will increase medical coders from 40 to 2,000 people beginning in September 2025 and deploy technology to flag unsupported diagnoses. Source: King & Spalding
- The Center for Medicare and Medicaid Innovation plans to expand digital health technology and artificial intelligence integration across federal health care programs. CMMI released a white paper on May 13, 2025, outlining its strategy that emphasizes virtual care expansion, mobile health applications, and AI implementation for value-based care organizations. CMS Administrator Dr. Mehmet Oz and CMMI Director Abe Sutton stated that AI can increase health care supply and announced plans to create clearer reimbursement pathways for AI technologies. The agency seeks public input on certifying health-focused mobile applications for Medicare inclusion and is requesting comments on digital health through June 16, 2025. Sutton cautioned that some AI systems may increase costs by enabling providers to capture more services, requiring targeted reforms to focus on technologies that both expand care supply and reduce expenses. Source: Jones Day
Price Transparency