Artificial Intelligence
- Shadow AI tools used without IT oversight create security risks that cost healthcare organizations $200,000 more per data breach than sanctioned AI incidents. IBM’s 2025 Cost of a Data Breach report found that 20% of organizations across all sectors suffered breaches due to shadow AI incidents, compared to 13% for sanctioned AI tools. A 2025 survey revealed that 86% of healthcare IT executives reported shadow IT instances in their health systems, up from 81% in 2024. Shadow AI displaced security skills shortage as one of the top three factors contributing to breach costs, with personally identifiable information being the most compromised data type and intellectual property compromised in 40% of shadow AI incidents. More than 60% of organizations lack governance policies to manage AI or detect unauthorized AI use, according to IBM research. Source: TechTarget
Fraud & Abuse
- Federal appellate courts remain divided on whether plaintiffs must prove “but-for causation” when bringing False Claims Act cases based on Anti-Kickback Statute violations. The dispute centers on a 2010 amendment to the Anti-Kickback Statute that declares claims “resulting from” kickback violations constitute false claims under the False Claims Act. The First, Sixth, and Eighth circuits have ruled that the “resulting from” language requires but-for causation, meaning plaintiffs must prove the kickback caused the false claim submission. Some courts have suggested alternative pathways exist that bypass the but-for causation requirement, but legal experts argue this interpretation contradicts statutory language and creates illogical outcomes. The Department of Justice opposes the but-for causation requirement, stating it would complicate litigation by forcing extensive analysis of physician motivations for thousands of treatment decisions. Source: Akin Gump Strauss Hauer & Feld LLP
- A federal district court in Tennessee has limited False Claims Act liability for Anti-Kickback Statute violations in a September 22 ruling that could restrict healthcare fraud prosecutions. In United States v. HCA Healthcare, Inc., the court ruled that hospitals did not receive “remuneration” when a laboratory agreed not to seek reimbursement for technical components of pathology services for non-Medicare patients, since hospitals had no legal obligation to pay those costs. The court also established a “but for” causation standard, requiring whistleblowers to prove that providers would not have sought government reimbursement without the alleged kickback violation. The decision rejected claims that were merely “tainted by” kickbacks, calling such allegations too “attenuated” to establish False Claims Act liability. The court characterized the disputed arrangement as normal marketplace competition rather than illegal kickback activity. Source: Warner Norcross + Judd LLP
Hospice
HIPAA
- A federal court vacated reproductive health care provisions of the 2024 HIPAA Privacy Rule while preserving substance use disorder protections. On June 18, 2025, in Purl v. HHS, a federal district court eliminated requirements for group health plans to update policies and Privacy Notices for reproductive health care information protections. The court preserved regulations at 42 CFR part 2 that require group health plans to implement protections for substance use disorder (SUD) records by February 16, 2026. SUD records include patient identity, diagnosis, prognosis, or treatment information maintained in connection with substance use disorder programs conducted or assisted by any U.S. government department. Group health plans cannot disclose SUD records in legal proceedings without written consent or court order, and must update Privacy Notices and distribute them to all participants by the February deadline. Source: Spencer Fane
Marketing
- Texas Senate Bill 140 requires companies sending text messages to or from Texas to comply with telemarketing regulations starting September 1, 2025. The law redefines “telephone solicitation” to include text and multimedia messages, requiring companies to register with the Secretary of State and post a $10,000 bond. Text messages can only be sent between 9 am and 9 pm Monday through Saturday and between noon and 9 pm on Sundays in Central time, with fines reaching thousands of dollars per message for violations. The legislation strengthens consumer enforcement rights under the Texas Deceptive Trade Practices Act and allows consumers to bring multiple lawsuits for continuing violations. The changes come as the US Supreme Court’s June 2025 McLaughlin decision created uncertainty about federal Telephone Consumer Protection Act rules, making state laws more important in regulating text marketing campaigns. Source: Foster Garvey PC
Medicare
Medicaid
- Texas overpaid $10.5 million to hospices due to lack of oversight policies during fiscal years 2020 through 2022. The Office of Inspector General found that 174 hospices, representing 36 percent of hospices that received payments, were overpaid because Texas had no policies and procedures for calculating and collecting hospice cap overpayments. Of the total overpayments, $6.9 million represents the Federal share that should have been returned to the Federal Government. The OIG recommends that Texas collect the $10.5 million in overpayments and refund the Federal share, and also develop policies and procedures for future cap overpayment calculations. Texas agreed with the second recommendation but did not indicate concurrence or nonconcurrence with the first recommendation. Source: Office of Inspector General
Mergers & Acquisitions
Non-Competes
Pharmacies
- Four Texas pharmacy professionals received prison sentences for operating a pill mill that distributed over half a million opioid pills. Arthur Billings, 61, the owner of Health Fit Pharmacy in Houston, was sentenced to 12 years in prison and ordered to forfeit $2.6 million for his role in the conspiracy. Three pharmacists who worked at the facility received sentences ranging from 20 months to six years in prison, with forfeiture orders between $5,000 and $68,931. The cash-only pharmacy dispensed hydrocodone and oxycodone to individuals posing as patients for drug traffickers, using fraudulent prescriptions issued under stolen physician identities. The operation continued despite repeated warnings from the Texas State Board of Pharmacy, the Texas Department of Public Safety, and the Drug Enforcement Administration. Source: U.S. Department of Justice
Private Equity
Website Tracking
- Four federal courts delivered mixed rulings in August on Electronic Communications Privacy Act claims against healthcare companies using website tracking technologies like Meta Pixel and Google Analytics. The decisions reveal a split among courts on invoking ECPA’s “crime-tort exception,” with Illinois courts producing contradictory outcomes—some allowing claims to proceed where plaintiffs alleged transmission of protected health information to third parties, while others dismissed cases for lack of specificity about what information was disclosed. A Washington court permitted an addiction treatment case to advance, finding that results from an online addiction survey coupled with appointment requests constituted protected health information. Courts emphasized that successful ECPA claims require plaintiffs to provide details about what health information was disclosed and how it relates to individual health status, rather than general assertions about website usage. The rulings demonstrate that the outcome of these cases depends on the specifics of alleged HIPAA violations and whether tracking data can identify individuals and relate to their health conditions. Source: Byte Back
Advertising
- The FDA announced a crackdown on direct-to-consumer pharmaceutical advertising on September 9, following a presidential memorandum directing action against misleading advertising practices. The agency issued thousands of template letters to pharmaceutical companies warning them to remove misleading advertising and sent hundreds of cease-and-desist letters to companies violating advertising rules. FDA plans to increase enforcement actions from the current 10-20 untitled letters annually to hundreds per year, with focus on social media and digital advertising content. The agency targets violations of “fair balance” requirements between drug risks and benefits, with attention to how seniors access risk information and influencer posts that fail to follow regulations. FDA also intends to eliminate the “adequate provision” rule that currently allows drug manufacturers to avoid listing all safety risks in broadcast advertisements if they direct consumers to additional information sources. Source: Loeb & Loeb LLP
Cybersecurity
- Healthcare organizations must understand cloud lifecycle management beyond initial migration to achieve cost optimization and security compliance. Healthcare systems have increased cloud adoption over the past five to seven years, with providers like Amazon Web Services offering compliance and security features that reduce concerns about hosting protected health information in the cloud. Organizations face challenges including stakeholder buy-in, security concerns around PHI, selecting appropriate cloud architecture, and maintaining HIPAA compliance throughout the cloud lifecycle. Cloud lifecycle management begins with planning and determining what to host in the cloud, followed by migration, operationalizing with a FinOps approach for financial responsibility, continuous workload optimization, and eventual decommissioning or modernization. Technology partners such as Mission Cloud Services can guide healthcare organizations through each stage of cloud lifecycle management, with cloud infrastructure serving as a foundation for accessing AI and machine learning tools. Source: HealthTech Magazine
Data Privacy
- Texas mandates electronic health records must be stored within the United States starting January 1, 2026. Senate Bill 1188 requires all electronic health records under the control of covered entities to be physically maintained in the United States or U.S. territories, regardless of whether the records are stored by the covered entity or a third party. The law defines “covered entity” more broadly than HIPAA, encompassing nearly any entity that assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information, including healthcare providers, payors, schools, researchers, and business associates. Violations can result in civil penalties between $5,000 and $250,000, and regulatory agencies may revoke or suspend licenses, registrations, or certifications. The Texas Health and Human Services Commission and the Texas Attorney General are authorized to investigate and penalize non-compliance with the storage requirements. Source: Katten Muchin Rosenman LLP
Economics
- Hospitals in economically disadvantaged areas adopt health information technologies at lower rates than those in affluent regions, according to a study of 16,646 hospital observations from 2018-2023. Hospitals in the most deprived areas were less likely to implement treatment-stage telehealth, postdischarge telehealth, electronic data query systems, and data availability functions compared to hospitals in the least deprived areas. The research found that hospital participation in accountable care organizations was associated with higher adoption rates across all technology types, with ACO-participating hospitals showing adoption probabilities 2-7 percentage points higher than non-participating facilities. Despite persistent gaps, health information technology adoption increased over time across all hospitals regardless of area deprivation level, with adoption rates rising from 2018 to 2023. Hospital characteristics including bed size, urban versus rural location, and ACO participation explained 60-104% of the observed disparities in technology adoption between advantaged and disadvantaged areas. Source: JAMA Health Forum
Fraud & Abuse
- Healthcare whistleblowers now use AI algorithms to analyze public datasets and flag statistical anomalies that signal potential fraud. The Department of Justice recorded 979 qui tam actions in 2024, marking the second-highest number of False Claims Act cases in program history, with many initiated through mathematical outliers rather than insider tips. The Centers for Medicare & Medicaid Services pioneered this approach in 2011 with their Fraud Prevention System, which prevented or caught $820 million in inappropriate payments within three years by running predictive analytics on 100% of Medicare fee-for-service claims. Analysis of nearly 3,500 analytics-driven audits reveals an 18% error rate, roughly double what traditional probe audits detect, while traditional audits examine only 10 encounters per provider and miss over 90% of potential issues. Healthcare organizations can now use tools like VMG Health’s Compliance Risk Analyzer to identify the same billing patterns and anomalies before external investigators spot them. Source: VMG Health
- The federal government made $162 billion in improper payments during fiscal year 2024, representing a $74 billion decrease from the $236 billion recorded in 2023. The decline occurred primarily due to the termination of pandemic-related programs, with the Department of Labor’s Pandemic Unemployment Assistance program alone accounting for a $44 billion reduction. Of the total improper payments, $135 billion (84%) were overpayments to recipients, while the remainder included underpayments, unknown payment errors, and procedural violations. Five programs concentrated 75% of all improper payments: Medicare, Medicaid, the Earned Income Tax Credit, SNAP, and the Restaurant Revitalization Fund. Since 2003, the federal government has made an estimated $2.8 trillion in improper payments across various programs and agencies. Source: U.S. GAO
IV Hydration
- Texas enacted House Bill 3749, known as “Jenifer’s Law,” to regulate IV therapy services outside traditional medical facilities following a death at a Texas spa in 2023. The law, effective September 1, 2025, requires physicians to prescribe or order all elective IV therapy in non-facility locations such as spas, mobile units, and homes. Only physician assistants, advanced practice registered nurses, and registered nurses may administer IVs under physician supervision, ending the practice of unlicensed staff providing these services. The law mandates written prescriptive authority agreements between physicians and delegated clinicians, with registration required through the Texas Medical Board. Source: Healthcare Empowered
Litigation
- Healthcare tech companies face mounting class action lawsuits that threaten investor confidence and stock stability. The sector has become a target for litigation due to digitization, data privacy concerns, and regulatory scrutiny, with UnitedHealth Group settling for $69 million in 2024 after accusations of prioritizing business relationships over 401(k) fund performance. Data breach lawsuits surged in 2024, with plaintiffs filing more cases than in any prior year, despite amendments to privacy laws that reduced per-scan damages. Companies that demonstrate transparency and strategic pivots during legal disputes recover faster than those with poor leadership, while servant and transformational leadership styles help mitigate risks through proactive compliance. Investors should monitor leadership actions such as cybersecurity spending increases as indicators of a company’s ability to manage legal challenges and maintain long-term stability. Source: AInvest
Medical Devices
- The FDA has escalated enforcement against AI health apps by issuing warning letters to SeniorLife Technologies and Whoop for marketing diagnostic features without proper authorization. SeniorLife received an August 21, 2025 warning letter for its AI app that assesses mobility and cognitive health, predicts fall risk, and detects Alzheimer’s signs without premarket clearance, while also lacking basic quality system controls like complaint handling and employee training procedures. Whoop received a July 14, 2025 warning letter for its Blood Pressure Insights feature that estimates systolic and diastolic blood pressure, which FDA determined to be inherently diagnostic and tied to hypertension conditions. Both companies violated regulations by falsely claiming FDA approval in their marketing materials and failing to submit required 510(k) applications for their diagnostic software functions. The enforcement actions signal FDA’s position that AI-enabled health software performing diagnostic functions must undergo premarket review regardless of how companies frame the features as “wellness” tools. Source: Hogan Lovells
- The Office of Inspector General approved physician ownership in a medical device company through Advisory Opinion 25-09 while maintaining scrutiny of such arrangements. The opinion involved an emergency stroke treatment device company where physician investors owned 35 percent of the company and could order or recommend the device to hospitals. OIG found no Federal Anti-Kickback Statute violation because the arrangement met all requirements of the small entity investment safe harbor, including keeping physician ownership under 40 percent and providing equal investment terms to all investors. Despite the approval, OIG reaffirmed that physician-owned medical device companies remain “inherently suspect” and warned that such arrangements can create incentives to overutilize services and distort clinical judgment. The opinion confirms that compliance pathways exist for physician investment in medical device companies when structures align with safe harbor requirements. Source: Orrick
Non-Competes
- FTC Chairman Ferguson sent letters to healthcare employers and staffing companies warning them to review and eliminate anticompetitive noncompete agreements. The letters emphasize that enforcement against unreasonable noncompetes remains a top FTC priority, with the agency targeting provisions that limit clinician job opportunities and reduce patient choice, particularly in rural areas. The FTC focused on large healthcare employers and staffing firms, noting that enforcement will target roles including nurses, physicians, and other medical professionals. This outreach follows the FTC’s withdrawal from defending its nationwide noncompete ban and the creation of a Joint Labor Task Force in February 2025 to prosecute anticompetitive labor practices. While the FTC cannot seek damages for overbroad noncompetes, it can issue cease-and-desist orders and seek civil remedies in federal court. Source: McDermott Will & Emery
- Texas Senate Bill 1318 imposed strict new limits on healthcare non-compete agreements that took effect September 1, 2025, requiring immediate compliance from employers whose contracts renew automatically. The law applies to physicians, dentists, nurses, and physician assistants and restricts geographic limitations to a maximum five-mile radius from the practitioner’s primary practice location, while capping duration at one year from termination. Buyout provisions must now be limited to the practitioner’s total annual salary and wages at termination, and contract terms must be written in plain language. Non-compete agreements become void if physicians are discharged without good cause, defined as conduct, job performance, or employment record issues. Healthcare employers face potential liability for attorney fees if they attempt to enforce non-compliant agreements that were renewed or entered into after the September 1 effective date. Source: Hendershot Cowart P.C.
Qui Tam Actions
- A federal judge rejected TriHealth’s constitutional challenge to the False Claims Act but certified the case for appeal to the Sixth Circuit Court. On July 28, 2025, U.S. District Judge Douglas Russell Cole stayed the False Claims Act lawsuit in United States of America et al. v. TriHealth Inc. et al. while the constitutional challenge proceeds. TriHealth argued that the FCA’s qui tam provisions violate the Constitution’s Article II Appointments and Take Care Clauses and that whistleblowers Thomas Murphy and Dr. Set Shahbabian lack standing under Article III. The court ruled that relators are not officers under the Appointments Clause and that the Executive Branch retains control over relator conduct, rejecting TriHealth’s constitutional arguments. This case represents the third federal court of appeals to examine the constitutionality of qui tam provisions, with legal experts predicting the issue will eventually reach the Supreme Court. Source: Whistleblowers Blog
Reimbursement
- CMS is conducting more frequent and targeted RADV audits to increase oversight of risk adjustment programs. These audits pressure healthcare organizations and payers to ensure precise Hierarchical Condition Category (HCC) coding and documentation, as coding errors can trigger repayment demands and penalties. For payers, RADV audits validate risk-adjusted payments and can uncover financial discrepancies leading to recoupment of overpayments, while providers face repayment demands and penalties for documentation or coding errors. Organizations must implement internal controls, conduct regular coding validations, and invest in provider education to reduce audit exposure. Clinical documentation serves as evidence that validates diagnoses, requiring specificity, clarity, and completeness to avoid claims being flagged during audits. Source: VMG Health
Telehealth
- Telehealth delivers financial benefits to healthcare organizations through increased revenue, reduced losses, and decreased operational costs. The technology helps prevent patient attrition by offering virtual visits and self-scheduling capabilities that meet consumer expectations for convenience and access. Healthcare organizations can avoid government penalties through remote physiological monitoring programs, with 2,499 hospitals facing Medicare readmission penalties averaging $208,000 per hospital in 2022. Telehealth reduces recruitment costs by improving clinician satisfaction and combating burnout, which decreases staff turnover rates. Organizations can also lower facility costs since telehealth work can be performed from clinicians’ homes, allowing multiple providers to share exam rooms and expanding geographic reach without additional physical space. Source: Telehealth.org
- The telehealth obesity market has experienced explosive growth, reaching $57.75 billion in 2024 and projected to hit $392.89 billion by 2033 with a 24% compound annual growth rate. The U.S. telehealth weight-loss market saw a 300% year-over-year increase in patient consultations for GLP-1 prescriptions in 2025, with platforms like Noom and LifeMD bundling these medications with AI-driven coaching services. The FDA has issued over 100 warning letters to telehealth providers for promoting compounded GLP-1 drugs as equivalents to FDA-approved medications, creating opportunities for compliant companies like Weight Watchers (WW), which has attracted 87,000+ subscribers with its hybrid model combining FDA-approved medications and behavioral support. An estimated 40 million people will use GLP-1 medications by 2029, generating $126 billion in sales. Source: AInvest
OIG Advisory Opinion No. 25-10
- The OIG issued a favorable advisory opinion for a grant-funded family-powered therapy arrangement. The Company’s mission is to provide care for individuals with a certain disorder, particularly for those individuals who lack adequate access to care. The therapy for the disorder is generally covered by insurance, including Medicare. The Company created a tax-exempt Foundation that awards monthly grants directly to families of children receiving this therapy from any provider, based on verified treatment hours, adherence, and financial need. The Foundation’s grant decisions are made under policies approved by an independent board and outside counsel, do not vary by provider choice, and require that a child already have a treatment plan in place; families may change providers and remain eligible. The OIG found low risk of overutilization or inappropriate steering because the Company’s donations are unrestricted, the Foundation operates autonomously, funds go to families (not providers), and eligibility is provider‑neutral and needs‑based. Source: OIG Advisory Opinion No. 25-10 (Sept. 8, 2025)
Antitrust
- States are expanding antitrust oversight of healthcare transactions to target private equity and other for-profit entities in healthcare mergers and acquisitions. Washington and Colorado implemented premerger notification laws that went into effect on July 27 and August 6, 2025, while Indiana modified its transaction notice law and New Mexico enacted a permanent version of its notification law. Pennsylvania proposed H.B. 1460 to authorize the Attorney General to block healthcare transactions involving private equity companies that are “against the public interest,” while California’s A.B. 1415 would expand OHCA review requirements to include private equity companies, hedge funds, and management services organizations. Illinois introduced S.B. 1998 to require private equity and hedge funds to obtain Attorney General consent for financing healthcare transactions, and Massachusetts is considering multiple bills to strengthen its transaction review process, including requiring bonds from private equity groups and authorizing post-transaction reviews. Source: Healthcare Law Blog
Cybersecurity
- The Department of Justice is using the False Claims Act to pursue cybersecurity violations by government contractors and healthcare companies. Two settlements demonstrate this expansion: a defense contractor and private equity firm paid $1.75 million for failing to implement NIST cybersecurity controls and control access to Controlled Unclassified Information between 2018-2020, while a biotechnology company paid $9.8 million for selling genomic sequencing systems with cybersecurity vulnerabilities to the federal government from 2016-2023. These cases mark the first FCA cybersecurity settlement involving healthcare Quality System Regulations and the first to include a private equity firm alongside a defense contractor. The DOJ launched its Civil Cyber-Fraud Initiative in 2021 and recently reformed the DOJ-HHS False Claims Act Working Group to focus on medical device investigations. FCA settlements exceeded $2.9 billion in fiscal year 2024, with per-claim penalties now exceeding $28,000. Source: Healthcare Law Blog
Data Blocking
Durable Medical Equipment
- CMS has launched initiatives using artificial intelligence to combat fraud in the durable medical equipment industry. The agency created a competition to leverage AI and machine learning for detecting anomalies in Medicare claims data, targeting fee-for-service hospice, Part B and DME claims through a two-phase process. AI results from private payers have been mixed due to the nuances in DME claims. CMS is also implementing the Wasteful and Inappropriate Service Reduction (WISeR) model and promoting competitive bidding as fraud-reduction measures. Industry experts anticipate increased audits this year from Unified Program Integrity Contractors (UPIC), particularly targeting catheters, surgical dressings, supplies and respiratory claims. Source: HME News
Equity and Access
Food and Drug Administration
- The FDA will now publish Complete Response Letters in real time through a centralized database, marking a shift in transparency for drug and biologic applications. The agency will post CRLs for pending New Drug Applications and Biologics License Applications shortly after transmission to sponsors, while also releasing historical letters from 2024 forward. The FDA has already published 89 archived CRLs and will continue releasing letters tied to withdrawn or abandoned applications. While confidential commercial information and trade secrets will be redacted, sponsor identities and high-level scientific and regulatory deficiencies will remain visible. The letters are searchable by product, sponsor, or therapeutic area through the openFDA database, creating new competitive intelligence opportunities and compliance challenges for pharmaceutical companies. Source: Orrick
Fraud & Abuse
- A former laboratory CEO and nine healthcare professionals agreed to pay over $6 million to settle federal allegations of kickback schemes involving laboratory testing referrals. Christopher Grottenthaler, former CEO of True Health Diagnostics in Frisco, Texas, will pay $4.25 million to resolve claims he orchestrated kickbacks disguised as managed service organization distributions to induce doctors’ laboratory referrals to Medicare, Medicaid, and TRICARE from January 2015 to May 2018. Two physicians, Dr. Hong Davis and Dr. Elizabeth Seymour, along with seven marketers, agreed to pay an additional $1,818,462 for their participation in the scheme. The settlements are part of a broader Department of Justice effort that has recovered over $59 million in civil False Claims Act settlements for healthcare kickbacks disguised as MSO investment distributions, involving 50 physicians. The Anti-Kickback Statute prohibits offering or receiving remuneration to induce referrals of services covered by federal healthcare programs to ensure medical decisions are based on patient interests rather than financial incentives. Source: U.S. Department of Justice
Friendly PC Model
- Private equity firms using “Friendly PC” structures must implement three specific agreements to comply with Corporate Practice of Medicine regulations. The structure allows physician-owned Professional Corporations to sell non-clinical assets to PE buyers while a designated “Friendly Provider” maintains ownership of clinical operations. The Administrative/Management Services Agreement handles non-clinical services but must avoid creating a partnership between the management entity and practice. Employment Agreements must guarantee clinical professionals retain autonomy in patient care decisions without employer interference. The Clinical Liaison Agreement enables the Friendly Provider to oversee clinical staff supervision and policy development as the only legally authorized party for such services. Source: Dickinson Wright
Medical Marijuana
- Texas implemented an expanded medical marijuana program that adds chronic pain as a qualifying condition. The law signed by Gov. Greg Abbott also adds traumatic brain injury, Crohn’s disease, and other inflammatory bowel diseases to the list of qualifying conditions. A recent poll of 391 cannabis consumers found 91% believe cannabis treats chronic pain, with 65% calling it “very effective” and 26% “mildly effective.” The Department of Public Safety will issue 12 new dispensary licenses across Texas, expanding from the current three facilities, with the first nine licenses awarded December 1 from 139 applicants who applied in 2023. Federal data shows at least two million Texans use cannabis regularly. Source: Marijuana Moment
Management Services Organizations
- Physicians entering Management Services Organization arrangements face risks that require documentation and negotiation to protect their interests. MSOs handle administrative functions like billing and compliance while allowing physicians to focus on clinical work, but disputes can emerge when these arrangements involve private equity or joint ventures. Physicians must document all compensation terms including salary, bonuses, equity rights, and expense reimbursements across multiple agreements, as verbal agreements prove difficult to enforce. Termination provisions require attention to prevent physicians from being removed without recourse, including restrictions on no-cause termination and clear definitions of termination “for cause” with cure periods. All agreements must preserve physician autonomy over medical decisions and comply with healthcare fraud and abuse laws. Source: Stevens & Lee
Medicaid
- CMS has issued new federal payment limits for State Directed Payments in Medicaid managed care to combat fraud and preserve program integrity. The guidance implements requirements from the One Big Beautiful Bill Act, limiting SDPs for hospital and nursing facility services to 100% of Medicare rates in Medicaid expansion states and 110% in non-expansion states, effective July 4, 2025. States can qualify for a grandfathering period until January 1, 2028, for certain SDPs submitted before the deadline, followed by a phased reduction to meet the new limits. The restrictions come as SDP usage has exploded from just 2 states in 2016 to 39 states today, with CMS projecting annual spending of $124.3 billion for FY 2025 and $144.6 billion for FY 2026. States must now revise pending SDP submissions to comply with Section 71116 requirements before CMS will continue review. Source: CMS Guidance
Non-Competes
- Healthcare employers must carefully review non-compete provisions in employment contracts as state laws vary and have recently changed. Ericka Adler, shareholder at Roetzel & Andress, advises that enforceable non-competes require three factors to be reasonable: geography should match patient location (such as 3 miles if patients come from within 3 miles), scope should limit restrictions to the employee’s role or practice functions, and duration should typically range from one to two years. Some states require notice language allowing employees to consult counsel before signing, while many states mandate consideration for non-compete agreements. Employees commonly request carve-outs that void non-competes if terminated without cause or if the employer breaches the contract. When violations occur, employers can send cease and desist letters to the employee and their new employer, along with pursuing other legal remedies to protect their practice. Source: Roetzel & Andress
Pharmaceuticals
- The FTC and DOJ concluded three listening sessions on pharmaceutical competition as part of an effort to lower drug prices. The sessions featured panels of legal experts, patient advocates, academics, Congressional staffers, and industry representatives who discussed generic and biosimilar competition, patent issues, regulatory barriers, and pharmacy benefit managers. Panelists debated whether pharmaceutical companies misuse patents to prevent generic competition through practices like pay-for-delay agreements, patent thickets, and product-hopping, with some arguing the patent system drives innovation while others claimed it creates barriers. Key recommendations included implementing generics-first policies across federal programs, increasing transparency in pharmaceutical supply chains, and eliminating separate interchangeability designations for biosimilars. FTC Chair Andrew Ferguson stated the information will feed into a final report with recommendations to guide legislation and regulatory reform for prescription drug access. Source: Hogan Lovells
Physician Compensation
- Hospitals face mounting financial pressures as Medicare cuts physician reimbursement while provider costs rise and workforce shortages intensify. The Centers for Medicare & Medicaid Services cut the Medicare conversion factor by 2.8% in 2025 to $32.35, marking the fifth consecutive year of reductions and bringing total cuts to over 10% since 2020. Meanwhile, 20% of practicing physicians are age 65 or older and another 22% are between 55 and 64, creating a projected shortage of up to 86,000 physicians by 2036. Hospital salary costs have risen 5% annually from 2018 through 2022, while 63% of medical groups planned to add advanced practice provider roles in 2024 to maintain coverage. Health systems are responding with recruitment incentives including relocation allowances (55% of positions), signing bonuses (51%), and loan forgiveness (17%), while anesthesia and radiology groups are seeking subsidies that sometimes double current agreements. Source: VMG Health
Remote Monitoring
- The Department of Health and Human Services Office of Inspector General issued a report calling for increased oversight of remote patient monitoring Medicare billing due to concerns about fraud and abuse. Medicare payments for RPM services reached $536 million in 2024, representing a 31% increase from 2023, with nearly one million Medicare beneficiaries receiving these services. The OIG identified concerning billing patterns, including 45 medical practices that billed RPM services for patients with whom they had no prior medical relationship for over 80% of cases, and some practices billing for over 100 new enrollees monthly compared to an average of five. The report recommended that the Centers for Medicare and Medicaid Services and Medicare Advantage Organizations monitor practices that bill without established patient relationships, track treatment management billing rates, and watch for duplicate services across multiple providers. The OIG also flagged practices billing for multiple monitoring devices per patient per month when Medicare generally covers only one device monthly. Source: Health Law Diagnosis
Synthetic Data
- Synthetic data represents algorithm-generated information that mimics real-world data while preserving privacy, and government adoption is expected to accelerate despite current resistance. This artificial data retains the statistical properties of original datasets and has been used since the early 1990s in applications ranging from census research to traffic management, with companies like Replica raising $52 million to develop these technologies. While 32 percent of government decision-makers worldwide refuse to consider synthetic data compared to 23 percent in other industries, Utah has emerged as a leader by incorporating synthetic data definitions into its Consumer Privacy Act and having officials advocate for its adoption. The U.S. Census Bureau controversially used synthetic data in the 2020 census to protect individual privacy while analyzing income and poverty trends, though critics worried about errors and manipulation. A noted research firm predicts that 75 percent of businesses will use generative AI to create synthetic data by 2026, with potential government applications including school performance analysis, agricultural research, and smart city management. Source: Government Technology
Wound Care
- Home health agencies are transforming wound care practices as payment models shift from volume-based to outcomes-based reimbursement under value-based purchasing programs. The transition requires providers to move from frequent dressing changes to longer wear-time products that optimize healing while reducing care burden on clinicians and caregivers. Accountable care organizations now demand streamlined, evidence-based product formularies that homecare agencies must adopt to remain partners in coordinated care networks. Under CMS’s Patient Driven Groupings Model, wound care represents one of the highest-paying clinical categories, but only when documentation supports medical necessity and skilled intervention. The model places homecare agencies under pressure to demonstrate outcomes through data reporting while managing a 7.4% annual growth rate and widespread caregiver shortages affecting 59% of agencies. Source: Homecare Magazine
Antitrust
- Hospital associations challenge new merger notification rules as burdensome and unnecessary. The Federal Trade Commission under Lina Khan adopted changes to Hart-Scott-Rodino premerger notification requirements that took effect February 10, 2025, increasing information volume and preparation time by four times. On August 8, 2025, the American Hospital Association and Federation of American Hospitals filed an amicus brief supporting business groups’ lawsuit seeking injunctive relief against the changes. The hospital associations argued the FTC failed to identify any anticompetitive hospital merger that went undetected under prior reporting requirements. They contended the rule changes function as a tax on hospitals and aim to discourage mergers in an industry facing economic pressures. Source: Epstein Becker Green
- The Trump administration’s antitrust regulators maintain focus on healthcare competition but reject the Biden era’s emphasis on private equity and corporate greed in favor of targeting regulatory barriers to market entry. The Federal Trade Commission and Department of Justice demonstrate willingness to approve mergers through consent decrees involving divestitures, as seen in the UnitedHealth Group-Amedisys deal that required selling 164 home health and hospice locations. The FTC issued a Second Request to examine Aya Healthcare’s $615 million acquisition of Cross Country Healthcare over concerns about self-preferencing in travel nurse staffing services. The DOJ launched an investigation into NewYork-Presbyterian’s contracting practices following union complaints about anti-steering provisions that prevent insurers from excluding the health system from their networks. The FTC released findings showing that 38% of physicians belonged to practices affected by mergers between 2015 and 2020, representing consolidation across approximately 2,000 transactions. Source: Goodwin
Data Privacy & Cybersecurity
- The Office for Civil Rights published two new HIPAA Privacy Rule FAQs on August 11, 2025, clarifying PHI disclosure rules and patient access rights. The first FAQ permits healthcare providers to disclose protected health information to value-based care arrangements for treatment purposes without individual authorization, supporting payment models that tie compensation to patient outcomes. The second FAQ confirms that treatment consent forms fall within designated record sets that patients can access, removing ambiguity about these documents. The guidance aligns with the Centers for Medicare & Medicaid Services’ July 30, 2025, announcement of its Health Tech Ecosystem initiative, which over 60 organizations including Epic, Oracle Health, CVS Health, and major tech companies have pledged to adopt. OCR has announced 53 enforcement actions since launching its Right of Access Initiative in 2019, including a $200,000 penalty imposed in March 2025 against a provider that failed to provide timely patient record access. Source: Data Privacy + Cybersecurity Insider
- Ransomware attacks on hospitals create cascading effects that overwhelm neighboring healthcare facilities and endanger patients throughout entire communities. When a hospital’s systems go offline, surrounding facilities must absorb diverted ambulances and walk-in patients, creating overcapacity situations that can lead to worse patient outcomes and potential deaths. Health-ISAC tracked 446 ransomware events in healthcare during 2024, with 281 incidents occurring in just the first half of 2025, indicating the threat continues to escalate. Rural communities face greater risks than urban areas because longer ambulance travel times to alternate facilities can delay treatment and worsen medical conditions. Both the Ascension and Change Healthcare attacks stemmed from lack of multifactor authentication for remote access, highlighting how basic security gaps enable attackers to target patient care systems for maximum leverage. Source: Dark Reading
Emerging Tech
- Hospital executives believe in AI’s potential but lack readiness for implementation. A recent survey of 101 executives across integrated delivery networks, academic medical centers and independent hospitals, found that 83% believe AI can improve clinical decision-making and 75% think it could reduce operational costs. While 67% report current investments in AI for patient care and 66% pursue solutions for administrative operations, only 13% have a strategy for integrating AI into clinical workflows. Just 12% trust today’s AI algorithms as reliable enough for use, and only 10% report their organizations aggressively pursue AI implementation. Nearly half of respondents (49%) cite appropriate use of AI as one of their top three challenges. Source: Becker’s Hospital Review
False Claims Act
- Paul Njoku received a 75-month federal prison sentence for orchestrating a Medicare fraud scheme through his home health care agency. The 64-year-old owner and CEO of Opnet Health Care Services Inc. forged signatures of doctors and nurses by cutting out old signatures and taping them onto new medical documents required for Medicare payments. Njoku continued using a registered nurse’s signature on nursing notes and assessments in 2018 and 2019 without her knowledge after she left the company in 2017, and he bribed a doctor to approve home health services. From 2015 to 2019, Opnet billed Medicare over $400,000 in claims and received over $360,000, with many claims lacking required documentation or based on falsified records. A jury found Njoku guilty on all counts after deliberating for less than two hours following a three-day trial. Source: U.S. Attorney’s Office, Southern District of Texas
- The Sixth Circuit affirmed a district court’s dismissal of a False Claims Act case against three Kentucky cancer centers, ruling that Medicare does not require radiation services be performed by board-certified radiologists or radiation oncologists. In United States ex rel. Robert C. O’Laughlin, M.D. v. Radiation Therapy Services, P.S.C. et al., the court rejected Dr. O’Laughlin’s allegations of Medicare fraud after nearly a decade of litigation. The court found that CMS manuals permit any physician to perform radiation services regardless of specialty, making billing by non-specialist physicians proper. The relator failed to provide evidence linking specific Medicare claims to instances where qualified providers were absent during radiation or chemotherapy treatments. The court established that whistleblowers must present concrete, claim-specific proof rather than relying on scheduling documents or statistical inferences to survive summary judgment under the False Claims Act. Source: CaseMine
Marketing
- Texas Senate Bill 140 takes effect September 1, 2025, expanding the state’s telemarketing regulations to cover text messages and SMS marketing. The law allows consumers to file private lawsuits against businesses for violations and removes caps on cumulative damage recoveries. Companies that send marketing texts to Texas phone numbers must register each business location with the Texas Secretary of State, pay a $200 filing fee, and post a $10,000 security bond. The Texas Attorney General can impose penalties of up to $5,000 per violation, while consumers can seek actual damages or treble damages for knowing violations. Exemptions include banks, insurance companies, nonprofits, and communications with current or former customers, though the law does not define what constitutes a “customer.” Source: Thompson Hine LLP
Medical Devices
Management Services Organizations
- The California legislature is advancing two bills that target private equity groups, hedge funds, and management services organizations operating in the state’s healthcare industry. AB 1415 would require management services organizations to notify the Office of Health Care Affordability of asset sales and changes of control, expanding reporting obligations that currently apply only to payors, providers, and delivery systems. SB 351 would clarify where private equity groups and hedge funds may provide advisory support while ensuring physicians and dentists retain ultimate authority over clinical decisions. AB 1415 has passed the Senate Appropriations Committee and is set for a third reading by the Senate, while SB 351 has cleared the Assembly Committee on Appropriations and awaits an Assembly vote. The bills would increase compliance burdens for management services organizations and reinforce restrictions on private equity participation in healthcare. Source: Polsinelli
Patient Care
Pharmacies
- New Medicare regulations that took effect January 1, 2025 have increased criminal prosecution risks for pharmacies facing claim reversals. The Centers for Medicare and Medicaid Services overhauled regulations under the federal Overpayment Statute, redefining when pharmacies “identify” overpayments and limiting internal investigation periods to 180 days maximum. Pharmacies can face criminal charges for violations including failure to submit “clean claims,” noncompliance with prescription rules, and billing errors involving prescription drugs. Criminal penalties include fines up to $250,000 for individuals and $500,000 for businesses, plus potential federal imprisonment up to five years under the False Claims Act. Investigations by the FBI and Department of Health and Human Services Office of Inspector General can result from claim rejections by Part D sponsors and other Medicare billing compliance failures. Source: Oberheiden P.C.
Accountable Care Organizations (ACOs)
- Hospital participation in Medicare accountable care organizations failed to reduce emergency department admission rates, length of stay, or costs for unplanned admissions, according to a new study that challenges the effectiveness of hospital-led ACO cost-saving strategies. Researchers analyzed 995 hospitals that joined Medicare ACOs between 2012 and 2017, tracking their performance for up to five years using Medicare claims data from 2008 to 2019. The findings remained consistent across different ACO programs, contract risk levels, and performance benchmarks, suggesting that hospitals did not alter their care delivery practices for unplanned hospitalizations after joining an ACO. The study indicates that physician-led ACOs outperform hospital-led models in generating cost savings, raising questions about the value of hospital participation in these programs. Researchers recommend that policymakers consider stronger financial incentives, such as global budgeting and multipayer alignment, to enhance hospital engagement in value-based care. Source: The American Journal of Managed Care
Data Breach and Ransomware
Data Privacy
- Researchers have developed a new blockchain framework that significantly enhances security and efficiency for electronic health records while reducing storage costs. The PDA-HIHM system combines traditional blockchain technology with a hybrid hashing approach that integrates SHA-256 with entropy-based dynamic hashing and data compression techniques. Testing showed the system achieved 27% reduced storage usage and 35% faster data retrieval compared to conventional blockchain-based health record systems. The framework demonstrated a 99.8% access control success rate with zero hash collisions during security testing, while also showing improvements in patient trust metrics of 97.62% and system efficiency of 97.43%. The system employs smart contracts for role-based access control and creates immutable audit trails for all data transactions. Source: Scientific Reports
- A study reveals that 98% of small healthcare organizations incorrectly believe they are HIPAA compliant despite using inadequate email encryption systems. The survey of 214 healthcare IT leaders at organizations with fewer than 250 employees found that most rely on Microsoft 365 or Google Workspace tools that fail to provide consistent encryption, with nearly half of healthcare email breaches stemming from Microsoft 365 alone. Common misconceptions include 83% believing patient consent eliminates encryption requirements and 20% lacking email archiving systems needed for compliance audits. Phishing attacks now account for over 70% of healthcare data breaches, with 43% of small practices experiencing such incidents in the past year while 99% have not implemented secure email transfer protocols. Recent breach penalties range from $25,000 to $9.76 million, with healthcare incidents taking an average of 308 days to detect and contain. Source: Business Wire
Emerging Tech
Fraud & Abuse
- The Department of Health and Human Services Office of Inspector General (OIG) approved a physician-owned medical device company investment structure that complies with federal Anti-Kickback Statute requirements. On August 7, the OIG issued Advisory Opinion No. 25-09 regarding a company that develops emergency stroke treatment devices, where physicians hold approximately 35% of equity interests. The arrangement met all eight conditions of the “small entity investment safe harbor” under federal regulations, including ownership thresholds below 40%, uniform investment terms for all investors, and prohibitions on referral requirements or preferential treatment. The company implemented safeguards such as proportional profit distributions based on capital invested and written policies preventing special arrangements for physician investors. The advisory opinion provides a compliance framework for structuring physician investment arrangements in medical device companies, though it applies only to the specific facts presented and has no precedential effect. Source: ArentFox Schiff
- The Ninth Circuit Court of Appeals issued the first appellate decision interpreting the Eliminating Kickbacks in Recovery Act (EKRA) in United States v. Schena, ruling that the statute applies to payments made to marketers and not just physicians. Mark Schena, who owned Arrayit laboratory, was convicted of healthcare fraud and EKRA violations after paying marketers on a percentage-of-revenue basis to promote unnecessary allergy testing alongside COVID tests. The court rejected Schena’s argument that EKRA only prohibited payments to those who directly refer patients, finding that the statute covers situations where marketers cause individuals to obtain referrals from physicians. The court determined that percentage-based compensation structures do not violate EKRA alone, but become unlawful when marketers exert “undue influence” by misleading referral sources about the nature and need for services. The decision establishes that EKRA compliance will depend on the specific facts and circumstances of each arrangement. Source: Dykema
Medical Privacy
- Texas Senate Bill No. 1188 establishes requirements for electronic health record storage, artificial intelligence disclosure, and parental access to minor medical records starting September 1, 2025. The law mandates that healthcare practitioners and covered entities maintain electronic health records within the United States or its territories, with the geographic restriction taking effect January 1, 2026. Healthcare practitioners must inform patients when artificial intelligence tools are used in diagnosis or treatment, and they must review all AI-generated records according to Texas Medical Board standards. The legislation requires covered entities to provide parents and guardians complete and unrestricted access to their minor children’s electronic health records immediately, unless restricted by state or federal law or court order. Violations carry civil penalties ranging from $5,000 to $250,000 per violation, with the Texas Attorney General authorized to seek injunctive relief and the Texas Health and Human Services Commission empowered to investigate alleged violations. Source: Hall Render
- HIPAA compliance requirements for GPT-5 depend on who uses the AI platform and in what context. OpenAI announced GPT-5’s release last week, stating the platform should be used for healthcare navigation. HIPAA does not apply when individuals share their own health information with GPT-5, but regulations do apply when doctors use the platform to process patient data or direct patients to use it with provided access. In January, industry leaders announced Project Stargate, a $500 billion investment to build AI infrastructure focused on healthcare. While AI offers benefits like faster problem-solving and drug discovery, healthcare systems require cybersecurity built into AI platforms from the start to protect against data poisoning and other threats. Source: Mobi Health News
- Texas enacts a law delaying electronic release of cancer test results to patients by three days to allow physicians to communicate findings first. Senate Bill 922, effective September 1, pauses the immediate release of pathology and radiology reports that may show malignancy or genetic markers, giving doctors time to review and contact patients before results appear in electronic health records. The 2025 Texas Legislature passed the law in response to federal requirements under the 21st Century Cures Act that mandated immediate release of all health information to patient portals since spring 2021. Prior to this law, patients received test results electronically before physicians could review them, causing confusion when patients could not understand the medical terminology. The law allows physicians to call patients with results at any time during the three-day period. Source: Texas Medical Association
- The U.S. Department of Health and Human Services Office for Civil Rights issued new guidance clarifying that health care providers can share patient information with value-based care organizations for treatment purposes without obtaining patient authorization. The new FAQ specifically addresses protected health information disclosure to accountable care organizations and other value-based care arrangements under HIPAA Privacy Rule provisions. An updated FAQ also reinforces patients’ rights to access all information in their designated record sets, including clinical, billing, and other records used for decision-making about the individual. These changes align with the Centers for Medicare & Medicaid Services’ initiative to create a patient-centric, digital health care ecosystem announced on July 30, 2025. Health care providers must review their HIPAA policies, conduct internal audits, and ensure their systems can support complete responses to patient record requests within required timelines. Source: Baker Donelson
Licensure
Litigation
- HCA Healthcare agreed to pay $3.5 million to settle allegations from California, Colorado, and Nevada attorneys general that the hospital operator misled nurses about training repayment agreements. The states alleged that HCA failed to disclose that nurses would need to repay training costs of $4,000 in California and $10,000 in Colorado if they left their jobs within two years, affecting approximately 34,500 nurses in California alone since 2018. Under the settlement terms, California will receive $1,162,900 plus restitution for affected nurses, Nevada will get $862,276 in reimbursements and penalties, and Colorado will receive $1,393,008 for consumer redress and enforcement. The consent judgments permanently prohibit HCA from engaging in training repayment agreement practices and void all existing debts, requiring the company to request credit reporting agencies delete related information. HCA denied wrongdoing but agreed to the settlement in what it called the best interests of its nurses and hospitals. Source: Regulatory Oversight
- The Fifth Circuit Court of Appeals established that class action plaintiffs need only prove individual standing at the certification stage, not class-wide standing. The July 17, 2025 ruling in Wilson v. Centene Management Co. resolved an open question in the circuit and aligned the Fifth Circuit with the First, Third, Sixth, and Ninth Circuits in adopting the “class certification approach” over the “standing approach.” The court held that merits-based evaluation of expert testimony is inappropriate when determining standing at the class certification stage. The decision separates the threshold standing inquiry from class certification requirements under Rule 23. This ruling may make it easier for class action plaintiffs in the Fifth Circuit to satisfy standing requirements and obtain class certification. Source: Inside Class Actions
Mergers & Acquisitions
- The Federal Trade Commission sued to block Edwards Lifesciences Corp.’s $945 million acquisition of JenaValve Technology, Inc. on August 6. The deal would combine the two companies competing to develop transcatheter aortic valve replacement devices to treat aortic regurgitation, a heart condition with no currently approved treatments. Edwards previously acquired JC Medical in August 2024, whose J-Valve device is undergoing clinical trials, while JenaValve’s Trilogy TAVR device awaits FDA approval. The FTC built its case on evidence of head-to-head competition rather than traditional market share analysis, arguing the merger would eliminate competition between the only two firms with active US clinical trials. The all-Republican Commission voted 3-0 to challenge the acquisition, demonstrating the Trump administration’s focus on pipeline competition and healthcare market enforcement. Source: Katten Muchin Rosenman LLP
340B
- HRSA launched a pilot program on August 1, 2025 that will change how drug manufacturers provide 340B discounts to safety net healthcare providers. Under the new rebate model, covered entities will pay full price for drugs upfront and receive rebates later, rather than receiving discounts at the time of purchase as traditionally done. The pilot program applies only to manufacturers with products on the Medicare Drug Price Negotiation Selected Drug List, which includes 23 drugs subject to pricing negotiations under the Inflation Reduction Act. Manufacturer applications are due September 15, 2025, with the program beginning January 1, 2026, and HRSA is accepting public comments through August 30, 2025. The initiative follows disputes between HRSA and manufacturers over rebate models, which resulted in multiple lawsuits after HRSA blocked manufacturer attempts to implement such systems without approval. Source: Healthcare Law Blog
Cybersecurity
Data Privacy & Breach
- West Texas Oral Facial Surgery notified 11,151 patients of a data breach following a network disruption on May 29, 2025. Third-party cybersecurity experts confirmed unauthorized network access had occurred, though the breach notice did not specify when. A file review completed on July 18, 2025, revealed exposed data included patient names, imaging files, birth dates in some cases, and treatment reasons. Electronic medical records, Social Security numbers, and financial information were not accessed. The Inc Ransom ransomware group claimed responsibility for the attack on June 18, 2025. Source: HIPAA Journal
- Researchers have developed a server-rotating federated machine learning system that enables medical imaging AI models to be trained across different device manufacturers while preserving patient privacy. The system incorporates differential privacy techniques and cryptographic safeguards to prevent patient data from being reverse-engineered from model parameters. Testing on multi-center datasets containing MRI, CT, and digital X-ray images from multiple device manufacturers showed the approach matched or exceeded performance of traditional centralized and conventional federated methods. The framework includes adaptive normalization layers to handle vendor-specific imaging artifacts and scanner discrepancies without requiring data harmonization. Source: BioEngineer
Emerging Tech
- The Texas Responsible Artificial Intelligence Governance Act will require businesses operating in Texas or serving Texas residents to implement comprehensive AI governance policies when it takes effect January 1, 2026. The law applies to both developers and deployers of AI systems, defined as machine-based systems that generate outputs such as content, decisions, predictions, or recommendations. Companies must establish policies covering AI system purpose, data usage, performance evaluation, post-deployment monitoring, user safeguards, anti-discrimination provisions, and user disclosure requirements. Businesses that receive violation notices from the Attorney General have 60 days to cure violations or stop using the non-compliant AI system portion. Texas also created an AI regulatory sandbox program that allows companies to test AI systems for up to 36 months with legal protections while meeting specific safeguard requirements. Source: IAPP
Employee Benefits
- Healthcare employers face mounting regulatory compliance challenges following the 2025 Comprehensive Reform Act, which was signed into law on July 4, 2025. The Act adds complexity to existing requirements including Affordable Care Act compliance for variable-schedule employees, fiduciary oversight of retirement and health plans, and nondiscrimination testing under Code Sections 105(h) and 125. Healthcare organizations increasingly form health and welfare plan committees to manage fiduciary responsibilities and protect boards from litigation related to pharmacy benefit management agreements and excessive fees. Hospital mergers and acquisitions create additional risks when benefits integration is not properly reviewed, potentially resulting in unexpected liabilities from retiree medical plans, multiemployer pension withdrawal liability, or undocumented 403(b) plans. Employers using self-insured plans, flexible spending accounts, or health savings accounts must conduct annual nondiscrimination testing to avoid negative tax consequences for higher-earning participants. Source: Saul Ewing LLP
Fraud & Abuse
- Texas Attorney General sued Eli Lilly, accusing the drugmaker of bribing medical providers to prescribe its medications. The lawsuit alleges the company engaged in kickback schemes to induce providers to prescribe its profitable drugs, including GLP-1 medications Mounjaro and Zepbound used for weight loss and diabetes treatment. The action follows a previous lawsuit against insulin manufacturers, including Lilly, over pricing practices with pharmacy benefit managers. Lilly denied the allegations, stating the claims stem from a corporate relator whose accusations have been dismissed by multiple courts and the federal government. Source: Reuters
- Dr. Ajay Aggarwal agreed to pay $2,053,515 to settle allegations that he defrauded federal healthcare programs by billing for procedures he did not perform. The 63-year-old Houston anesthesiologist and pain medicine doctor allegedly billed Medicare and Workers’ Compensation programs for the surgical implantation of neurostimulator electrodes from November 2021 to March 2023. Instead of performing these invasive procedures that typically require operating rooms and pay thousands of dollars, Aggarwal allegedly provided patients with electro-acupuncture treatments that involved inserting monofilament wire a few millimeters into patients’ ears and taping neurostimulators behind the ear in his clinic. The investigation involved multiple agencies including the U.S. Postal Service Office of Inspector General, Department of Labor Office of Inspector General, and Department of Health and Human Services Office of Inspector General. The settlement resolves allegations only, with no determination of liability. Source: U.S. Attorney’s Office, Southern District of Texas
Mergers & Acquisitions
- F-reorganizations under federal tax law provide healthcare companies a method to preserve Employer Identification Numbers during mergers and acquisitions, avoiding disruptions to Medicare enrollment and regulatory approvals. Healthcare entities rely on EINs for Medicare enrollment, state licensing, DEA registration, and commercial payer contracts, making EIN changes during transactions costly due to re-enrollment requirements with CMS, credentialing delays, and potential business interruptions. Under IRC § 368(a)(1)(F), F-reorganizations allow businesses to undergo structural changes while the IRS treats pre- and post-reorganization entities as the same taxpayer, preserving the EIN and associated contracts and tax attributes. Private equity firms, health systems, and MSO platforms increasingly use this structure to avoid Medicare enrollment hurdles that can take months and maintain continuity of state licenses tied to EINs. Texas law provides mechanisms including statutory conversions, reverse triangular mergers, and cross-jurisdictional reincorporations to implement F-reorganizations while preserving entity continuity. Source: Clark Hill PLC
Patient Harm
- Hospitals failed to capture half of patient harm events that occurred among hospitalized Medicare patients, according to an Office of Inspector General review. The OIG traced harm events from a 2022 report and found that hospitals often applied narrow definitions of harm, with staff not considering many events to be harm or stating it was not standard practice to capture them. Of the harm events hospitals did capture, few were investigated and even fewer resulted in improvements for patient safety. The OIG recommends that the Agency for Healthcare Research and Quality (AHRQ) and CMS work with partners to align harm event definitions and create a patient harm taxonomy, that CMS ensure surveyors prioritize Medicare Quality Assurance and Performance Improvement requirements, and that CMS instruct Quality Improvement Organizations to help hospitals identify weaknesses in their incident reporting systems. Increased federal leadership is needed to drive progress in patient safety after nearly 20 years of high patient harm rates nationwide. Source: OIG Report
Physician Compensation
- Physicians and hospitals are generating higher revenues by increasing workload rather than receiving better reimbursement rates. From the second quarter of 2023 to 2025, median net gain per employed physician rose 8% while median revenue per provider unit of work increased 12% for physicians, but median net patient revenue per provider work unit declined 7%. Support staffing levels dropped 13% over two years, creating potential obstacles for future growth. Hospital operating margins improved to 3% when including shared service costs and 6.6% without those allocations, driven primarily by outpatient revenue increases. The trends reflect ongoing Medicare reimbursement declines that force providers to complete more work to maintain income levels. Source: Fierce Healthcare
Telehealth
- States are implementing permanent telehealth regulations to replace pandemic-era emergency rules as federal waivers approach expiration. The DEA and HHS extended telemedicine prescribing waivers through December 31, 2025, allowing providers to prescribe controlled substances via telehealth without prior in-person examinations. New York finalized rules in May 2025 requiring in-person medical evaluations before prescribing controlled substances through telemedicine, with exceptions for recent evaluations, temporary coverage, and emergency situations. States including California, Delaware, Florida, New Hampshire, and Texas have enacted or proposed legislation with varying approaches to telehealth prescribing requirements. The DEA proposed a special registration system in March 2023 that would establish three types of registrations for remote prescribing of controlled substances with enhanced verification and monitoring requirements. Source: Healthcare Law Blog
- Telemedicine has become a cornerstone of mental health services, with telehealth services for mental health issues increasing 16 to 20 times during the first year of the COVID-19 pandemic according to RAND Corporation data. A nationwide poll by the American Psychiatric Association found that over half of Americans would choose telehealth for mental health needs, with more than one-third preferring it outright. AI-powered platforms from companies like Teladoc Health and IBM Corporation now enable predictive analytics for early intervention in conditions like anxiety and depression, while digital mental health counseling apps like Calm and SilverCloud Health provide 24/7 support through chatbots and virtual therapists. Pittsburgh-area clinics have reduced wait times for psychiatric evaluations by up to 40% through telemedicine implementation, though experts warn against over-reliance on virtual care for cases like schizophrenia. Federal legislation has bolstered telehealth reimbursement and cross-state licensing, but challenges remain around data privacy and equitable access for low-income populations. Source: WebProNews
Value-Based Arrangements
- The American Medical Association has released guidance to help private practices navigate partnerships with “aggregator entities” that manage value-based care arrangements. These aggregators are specialized private companies that help physicians handle the complexities of value-based care without requiring practices to fully invest in the technical infrastructure themselves. The AMA resource addresses three core areas: evaluating aggregator business models, understanding physician considerations when working with aggregators, and planning for potential termination of these relationships. According to Dr. Alexander Sun from the AMA’s Professional Satisfaction and Practice Sustainability unit, the guidance helps practices determine whether aggregator partnerships align with their value-based care goals. The resource is part of the AMA’s broader Business of Medicine education program, which includes materials on revenue-cycle management and accountable care organizations. Source: American Medical Association
Breach Notifications
- Two Texas healthcare facilities disclosed data breaches affecting nearly 10,000 patients combined. Nova Recovery Center in Wimberley detected unauthorized network access on May 25, 2025, which compromised personal information of 7,713 individuals including names, addresses, Social Security numbers, and financial data. The facility confirmed the breach on June 17, 2025, and provided credit monitoring services to affected patients. OB/GYN Medical Center Associates in Houston reported a separate incident involving ConnectOnCall, a voicemail service provider that experienced unauthorized access between February 16, 2024, and May 12, 2024, affecting 2,132 patients. The compromised data included names, medical conditions, medications, procedures, and other personal health information disclosed in voicemail messages. Source: HIPAA Journal
- Oklahoma has enacted Senate Bill 626 that expands data breach notification requirements and will take effect on January 1, 2026. The state Attorney General must be notified about breaches affecting 500 or more residents, or 1,000 or more residents for credit bureau systems, within 60 days of individual notifications being mailed. The law broadens the definition of personal information to include unique electronic identifiers with security codes and biometric data such as fingerprints and retina images. Entities that employ reasonable safeguards and issue breach notifications will be shielded from civil penalties of up to $150,000 per breach. Organizations compliant with HIPAA, the Oklahoma Hospital Cybersecurity Protection Act, or the Gramm-Leach-Bliley Act are deemed compliant with the requirements if they notify the Attorney General within 60 days. Source: HIPAA Journal
Cybersecurity
- Texas has enacted Senate Bill 2610, becoming the fifth state to implement cybersecurity safe harbor protections that shield businesses from punitive damages in data breach cases. Governor Greg Abbott signed the law, which formally recognizes the Center for Internet Security Critical Security Controls as a standard for demonstrating reasonable cybersecurity practices. The legislation establishes a tiered system where businesses with fewer than 20 employees face simplified requirements, those with 20-99 employees must implement CIS Controls Implementation Group 1, and companies with 100-249 employees must comply with frameworks such as NIST CSF or ISO/IEC 27000-series standards. Texas joins Ohio, Utah, Connecticut, and Iowa in offering safe harbor protections, and follows Nevada in recognizing CIS Controls as a benchmark for reasonable cybersecurity practices. The law incentivizes businesses to adopt cybersecurity programs by providing legal protection when they meet specific cybersecurity criteria. Source: KGET
- Proposed amendments to the HIPAA Security Rule mandate comprehensive cybersecurity requirements for healthcare organizations handling electronic protected health information (ePHI). The modifications require mandatory encryption of ePHI at rest and in transit, multi-factor authentication, annual compliance audits, vulnerability scanning every six months, and penetration testing annually. Organizations must maintain written documentation for all Security Rule policies and procedures, develop technology asset inventories and network maps annually, and conduct risk assessments that include AI systems accessing ePHI. The rules specifically address AI governance by requiring documentation of AI system training, prediction models, and algorithm data, while mandating organizations monitor AI tools for vulnerabilities and potential impacts on ePHI confidentiality, integrity, and availability. While initially scheduled to take effect January 6, 2025, with a compliance deadline of January 6, 2026, the new administration has paused all HHS regulation updates. Source: Ankura
Data Privacy
- Differential privacy protects personal data by adding mathematical noise to datasets, allowing organizations to analyze and share information without revealing individual identities. The technique uses two parameters, epsilon and delta, to control the amount of randomness added to data, ensuring algorithms cannot determine whether specific individuals’ information is included in a database. Companies including Apple, Google, and Microsoft have implemented differential privacy in their products, while the U.S. government uses it for census data collection to protect survey participants’ identities. The method has applications across healthcare research, mobile user behavior analysis, and advertising campaign assessment, though it faces limitations with small datasets where accuracy becomes compromised. Despite these constraints, differential privacy enables broader data sharing while maintaining mathematical guarantees that individual privacy remains protected. Source: Built In
- Healthcare facilities face mounting cybersecurity risks as IoT device adoption grows and patient data moves to cloud storage systems. Personal health information trades for 10-20 times more than stolen credit card data on the dark web, making healthcare networks prime targets for cybercriminals. Major vulnerabilities include devices with default passwords, unencrypted data transmission, cloud misconfigurations, and unpatched firmware in medical equipment. The 2017 WannaCry ransomware attack demonstrated these risks when it compromised over 300,000 systems across 150 countries, severely impacting the UK’s NHS hospitals running outdated Windows software. Healthcare organizations must implement end-to-end encryption, zero trust architecture, device hardening, network segmentation, and real-time monitoring systems to protect patient data and maintain compliance with HIPAA and GDPR regulations. Source: Programming Insider
Dental Service Organizations (DSOs)
- DSO transactions face complex regulatory challenges that require careful structuring to comply with state laws prohibiting corporate practice of dentistry. Most states prevent non-dentists from directly owning dental practices, forcing DSOs to operate through management agreements with dentist-owned entities rather than direct ownership structures. Buyers must address practitioner retention through production-based compensation and non-compete agreements, though enforceability varies by state and must comply with healthcare fraud and abuse laws. Physical clinic locations present risks when lease agreements contain change-of-control provisions that require landlord consent for transactions. Additional transaction complexities include managing deferred revenue obligations from prepaid services, conducting billing compliance audits to identify potential upcoding issues, and navigating state healthcare transaction review laws that may require pre-closing notice or approval. Source: Bass, Berry & Sims PLC
Emerging Tech
- Mount Sinai researchers found that six large language models demonstrated hallucination rates between 50% and 83% when exposed to fabricated medical information. The study, published in Nature, tested 300 clinical cases containing false medical details and measured how frequently each model elaborated on the incorrect information. GPT4o performed best with hallucination rates of 50.0% for short cases and 53.3% for long cases, while DeepSeek performed worst with rates of 82.7% and 80.0% respectively. The other models tested—Llama 3.3, Phi-4, Gemma-2-27b-it, and Qwen-2.25-72b—showed hallucination rates ranging from 58.7% to 82.0%. Prompt mitigation techniques reduced hallucination rates from an average of 65.9% to 44.2% but failed to eliminate the errors completely. Source: Healthcare IT News
- AI systems in healthcare face two distinct types of errors that pose risks to patient safety. Hallucinations occur when AI generates completely fabricated information that does not exist in training data or reality, such as inventing medical conditions or citing nonexistent studies. Confabulations happen when AI misrepresents or distorts real information, such as citing legitimate sources but misinterpreting their findings or applying them incorrectly. Both types of errors can lead to misdiagnoses, inappropriate treatments, and loss of trust in digital tools. Healthcare organizations can prevent these errors through five methods: using peer-reviewed training data, implementing validation testing, incorporating human oversight, using confidence scoring systems, and restricting AI outputs to verified knowledge sources. Source: Wolters Kluwer
- AI-ready data serves as the foundation for next-generation radiology tools as healthcare systems face mounting imaging volumes and increasing complexity. AI-ready data refers to patient studies that are curated, standardized, and integrated for artificial intelligence systems, including high-quality images, comprehensive annotations by radiologists, standardized formats like DICOM, rich metadata with clinical context, and de-identified secure data. Machine learning algorithms require vast amounts of well-annotated, diverse data to recognize patterns and detect abnormalities with precision, while curated datasets help minimize biases and ensure AI tools perform reliably across different patient populations and imaging modalities. The process involves data collection from diverse sources, expert annotation by radiologists, quality assurance verification, standardization and structuring of metadata, and continuous monitoring with real-world data to refine systems over time. Challenges remain in data variability, privacy protection, bias mitigation, clinical validation, and maintaining human oversight where radiologists retain decision-making authority supported by AI. Source: Healthcare Dive
HIPAA
- HIPAA applies to far fewer organizations than commonly believed, contrary to the widespread assumption that all health and medical data falls under federal regulation. The law only covers three categories of “covered entities”: health plans, health care clearinghouses, and health care providers that electronically transmit health information in connection with transactions like insurance claims, payments, or eligibility verification. Healthcare providers that operate on a cash-only basis and do not accept insurance—such as specialty practices, small medical offices, or certain pharmacies—typically fall outside HIPAA’s scope. Companies that incorrectly assume they are subject to HIPAA may face penalties for non-compliance, while those that wrongly believe they are covered could miss obligations under state privacy laws that apply when HIPAA does not. The distinction has become more critical as data breaches targeting healthcare providers have increased, particularly among smaller providers with vulnerable security systems. Source: BCLP – Bryan Cave Leighton Paisner
Medicare Reimbursement
- MIPS has streamlined its Improvement Activities requirements for 2025 by eliminating the weighting system and reducing the number of measures healthcare practices must select. Small practices with 15 or fewer NPIs now need to choose only one of 104 available IA measures, while larger practices must select just two measures. The changes come as healthcare faces a projected shortage of 17,800–48,000 primary care physicians and 21,000–77,100 non-primary care physicians by 2034, with ophthalmologists reaching crisis levels by 2035. Key IA measures include promoting clinician wellbeing through surveys and implementation plans, participating in private payer clinical practice improvement activities, and developing written policies to ensure equal treatment of Medicaid patients. These measures focus on care delivery, patient engagement, and operational efficiency rather than just compliance scoring. Source: VMG Health
- CMS established a mandatory payment model targeting specialists who treat heart failure and low back pain patients. The Ambulatory Specialty Model, announced July 10, 2025, will run from 2027 through 2031 and represents CMS’s first mandatory alternative payment model for specialists treating chronic conditions in outpatient settings. Participation becomes mandatory for clinicians who treat at least 20 episodes annually of heart failure or low back pain, with targeted specialties including anesthesiology, pain management, neurosurgery, orthopedic surgery, interventional pain management, and physical medicine and rehabilitation. The model evaluates participants using the MIPS framework across quality, clinical practice improvement, cost, and interoperability domains, with payment adjustments of up to 9 percent positive or negative based on performance. CMS selected these conditions because they represent 6 percent of total annual spending for traditional Medicare, and the agency is accepting public comments through September 12, 2025. Source: The National Law Review
- CMS will deploy AI technology to screen prior authorization requests for Medicare services starting January 2026 through its Wasteful and Inappropriate Services Reduction program. The program, introduced July 1, 2025, requires prior authorization for select fee-for-service Medicare treatments in Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington, targeting procedures such as nerve stimulators, cervical fusions, and incontinence treatments. CMS will partner with Medicare Advantage plans and other payors as “model participants” who will use AI tools to review and approve or reject treatment requests, including determinations of medical necessity. Model participants will receive compensation based on a share of expenditures they prevent, creating financial incentives that may increase denials for covered services. The program may conflict with state laws limiting AI use in utilization management, and providers should prepare for increased denials and enhanced documentation requirements before the 2026 launch. Source: Jones Day
Physician Compensation
- Texas Senate Bill 1318 will impose new restrictions on noncompete agreements for physicians and healthcare workers beginning September 1, 2025. The law extends noncompete requirements beyond physicians to include dentists, professional and vocational nurses, and physician assistants for the first time. All noncompete agreements entered into or renewed after the effective date must include a buyout cap not exceeding the employee’s annual salary, limit geographic scope to a five-mile radius, restrict the term to one year, and state all conditions in writing. The legislation voids physician noncompete agreements when the doctor is terminated without “good cause,” defined as conduct, performance, or employment record issues. The new requirements apply only to medical practice roles, with an exception for physicians and healthcare practitioners serving solely in administrative capacities. Source: Haynes Boone
- CMS proposes payment increases and cost-cutting measures in its 2026 Medicare Physician Fee Schedule. The Centers for Medicare and Medicaid Services proposed rule establishes two conversion factors that would increase payments by 3.83% for providers participating in Advanced Alternative Payment Models ($33.59) and 3.62% for non-participants ($33.42). The proposal includes a new mandatory Ambulatory Specialty Model launching in 2027 that focuses on heart failure and lower back pain management, requiring providers to take on two-sided financial risk. CMS also proposes to cut skin substitute payments by approximately 90% by reclassifying them from biologicals to incident-to supplies, and to create three new G-codes for behavioral health integration services. Healthcare providers have until September 12 to submit public comments before CMS finalizes the rule. Source: MSLaw Blog
Data Breach
- HCA Healthcare agreed to settle class action litigation stemming from a July 2023 data breach that affected 11,270,000 patients across 20 states. Hackers accessed an external storage location and stole a database containing 27.7 million records, including names, contact information, dates of birth, and appointment information. The breach prompted 27 class action lawsuits that were consolidated in Tennessee federal court, with the company denying wrongdoing but negotiating a settlement estimated to exceed $9 million based on attorney fees. Class members can claim credit monitoring services and reimbursement for documented losses up to $5,000 per person. The settlement requires claims submission by September 25, 2025, with a final hearing scheduled for October 27, 2025. Source: HIPAA Journal
Data Privacy
- Healthcare organizations face consent system failures as platforms like WhatsApp introduce advertising models that expose patient data to monetization. Laws like HIPAA protect healthcare providers but fail to cover the expanding ecosystem of data collectors including wearable manufacturers and messaging platforms that now monetize health information through advertisements. When patients use free health tracking applications, their data becomes the product being sold, with information flowing from devices to smartphones and eventually to proprietary servers where third parties can gain access. Big Tech companies including Apple, Amazon, and Microsoft are racing to capture and commercialize health data at scale through their healthcare platforms and services. Healthcare organizations must implement four strategies to address these risks: clarify consent practices, audit data flows, engage in vendor risk management, and invest in privacy-by-design approaches. Source: Built In
Emerging Tech
- Texas enacted comprehensive AI governance legislation that will take effect January 1, 2026, regulating businesses and government entities that develop or deploy artificial intelligence systems in the state. The Act prohibits using AI systems to promote self-harm or violence, bars government entities from implementing social scoring systems, and requires transparency notices when consumers interact with AI systems, including in healthcare settings. The legislation establishes a 36-month sandbox program allowing companies to test AI systems without standard licensing requirements and creates the Texas Artificial Intelligence Council to oversee ethical AI development. The Texas Attorney General will enforce the law with civil penalties ranging from $10,000 to $200,000 depending on violation severity, though violators receive a 60-day cure period after written notice. The Act does not create private rights of action for individuals and nullifies local AI ordinances across Texas. Source: Healthcare Law Blog
- University hospitals are adopting automated software testing to address burnout and safety issues in electronic health record systems. Since 2020, university medical systems have prioritized EHR modernization following the COVID-19 pandemic, but over 70% of physicians at academic hospitals report burnout due to poor usability and workflow disruption. Nurses have identified EHR design flaws as sources of patient harm through data entry errors, alert fatigue, and automation failures. The Department of Veterans Affairs’ EHR rollout experienced problems with incomplete records and pharmacy order failures due to inadequate testing and weak end-user validation. University hospitals face distinct challenges because their EHR systems must support clinical workflows, research data capture, student training, and compliance requirements while operating with limited resources compared to private networks. Source: Healthcare IT Today
- AI reduces manual medical record screening workload by 83% in emergency department injury surveillance systems. Natural language processing algorithms using transformer models automate detection of injured patients and generate injury event summaries from triage notes. AI models demonstrate accuracy rates between 86% and 97% for tasks including patient triage, injury information extraction, and child abuse detection. Implementation requires addressing data privacy concerns through anonymization techniques, secure access systems, and patient consent protocols. The World Health Organization promotes injury surveillance for systematic data collection to enable injury prevention priorities and intervention effectiveness evaluation. Source: JAMA Network
Fraud & Abuse
- The First Circuit Court of Appeals affirmed dismissal of a whistleblower’s complaint against dialysis provider Fresenius, applying a strict “but-for” causation standard for False Claims Act cases involving alleged kickbacks. Relator Martin Flanagan, who worked for Fresenius for 29 years, filed a qui tam complaint in March 2014 alleging the company violated the Anti-Kickback Statute and False Claims Act by providing financial incentives to hospitals and physicians to induce patient referrals. The alleged kickbacks included limiting costs to hospitals, hiring hospital nephrologists as medical directors, providing free services, and entering into lease and joint venture agreements with physicians. The First Circuit applied the causation standard from United States v. Regeneron Pharmaceuticals and held that Flanagan failed to adequately plead that the government claims would not have occurred “but-for” the alleged kickbacks. The decision aligns the First Circuit with the Sixth and Eighth circuits in requiring whistleblowers to meet demanding pleading requirements demonstrating direct causation between kickbacks and false claims. Source: King & Spalding
- The Eleventh Circuit ruled that a physician’s False Claims Act qui tam action was barred by res judicata due to a prior employment retaliation lawsuit in Milner v. Baptist Health Montgomery. The physician had sued his former employer-hospital, claiming he was terminated for whistleblowing on opioid overprescribing, but the district court dismissed the case with prejudice after finding he had not engaged in protected conduct under the FCA. Following that dismissal, the physician filed a qui tam action, which the district court also dismissed as barred by his prior retaliation case. The Eleventh Circuit affirmed the dismissal, determining that both lawsuits involved the same parties and arose from the same factual predicate of the physician’s reporting of overprescriptions. The court held that relators have “unrestricted participation” in litigation, making the physician individually a party in both cases, and that employment retaliation actions and FCA qui tam actions generally arise from the same nucleus of operative fact. Source: Eleventh Circuit Business Blog
Gender Care
- The Department of Justice issued more than 20 subpoenas to physicians and clinics providing gender-affirming care to minors on July 9, 2025, as part of investigations into healthcare fraud and misconduct. The subpoenas signal the government’s intent to pursue False Claims Act cases against providers who bill federal healthcare programs for gender-affirming care for minors, including puberty blockers, hormone therapy and surgeries. The government appears to be building three theories of liability: miscoding or misbilling procedures, lack of informed consent from minors and parents, and lack of medical necessity for the treatments. These enforcement actions follow a series of government measures in 2025, including a January executive order directing federal agencies to stop supporting gender transitions for individuals under 19, an April Attorney General memo directing DOJ to investigate providers, and May letters from CMS requesting financial data from hospitals. The False Claims Act provides for treble damages and penalties of up to $28,619 per claim. Source: Healthcare Law Blog
Litigation
- Multiple healthcare entities compete for recovery rights from the same settlement funds, leaving injured claimants with reduced compensation. Medicare Parts A, B, C, and D, the Department of Veterans Affairs, Medicaid, and private insurers all assert recovery rights from settlement amounts. The VA issued new guidance in 2023 under the Federal Medical Care Recovery Act to exercise its recovery rights, while private insurers operate under different regulations including FEHB and ERISA frameworks. Insurers attempt to recover full treatment costs without considering payments made by other carriers or out-of-pocket expenses by claimants. Lien resolution administrators with expertise in healthcare recovery can negotiate with these entities to maximize settlement amounts for injured parties. Source: Epiq
Physician Compensation
- Healthcare organizations are implementing value-based compensation models to move physician payment structures away from traditional fee-for-service arrangements toward incentives tied to quality outcomes and cost efficiency. VMG Health outlines a five-step framework for implementing these models, starting with defining program goals, participants, and target populations, followed by determining funding sources. The framework emphasizes selecting five to ten outcome-focused metrics over process measures, ensuring physicians have demonstrable impact on results, and avoiding compensation “stacking” issues. Third-party funded programs typically offer more flexibility and lower compliance risk compared to internally funded models. Organizations must structure these incentive programs to align with regulatory requirements while driving improvements in care quality and physician engagement. Source: VMG Health
- A federal district court in Ohio allowed whistleblower claims to proceed against TriHealth, finding that physician compensation arrangements violated federal anti-kickback and self-referral laws. On July 28, the Southern District of Ohio issued orders in two related False Claims Act cases, Murphy and Shahbabian, where whistleblowers alleged that a physician group overpaid employed doctors beyond their productivity to incentivize referrals to affiliated hospitals. The court determined these arrangements violated both the Anti-Kickback Statute and Stark Law because the compensation took into account the volume and value of physician referrals, and defendants could not claim protection under employment safe harbors. The court also certified for appeal the question of whether the FCA’s qui tam provisions violate Article II of the Constitution, noting that three Supreme Court justices have expressed concerns about the constitutionality of allowing private citizens to file lawsuits on behalf of the government. The cases highlight risks for healthcare providers in structuring physician compensation that could be tied to referral patterns. Source: Warner Norcross + Judd LLP
Value-Based Reimbursement
- Value-based care programs in the United States remain limited in scope despite nearly two decades of development since their 2006 introduction. A review of 50 global value-based care initiatives published in the Journal of the American Medical Association Health Forum found most programs, particularly in the United States, operate in isolation within departments or individual hospitals rather than as part of system-wide transformations. National programs like the Comprehensive Care for Joint Replacement and Bundled Payments for Care Improvement function at the provider level instead of integrating into broader regional or national strategies. The healthcare system faces barriers including structural fragmentation with multiple payers, disconnected data systems, fee-for-service incentives, and lack of digital infrastructure for tracking outcomes and costs. Organizations like CHESS Health Solutions demonstrate that physician-led models can scale when clinical transformation combines with strategic contracting and data analytics, while community settings, primary care, and Medicaid programs show promise for national expansion. Source: bakersfield.com
Accountable Care Organizations
- Health policy experts anticipate the second Trump administration will revive the Geographic Direct Contracting Model that was suspended by the Biden administration before implementation. The model would assign entire geographic regions to accountable entities responsible for managing care and costs for all Medicare beneficiaries in those areas, unlike current models that focus only on patients already connected to participating providers. Authors recommend modifications including leveraging Medicare’s 1.3 percent administrative costs rather than replacing them with private insurance overhead of 12-15 percent, starting with modest discount requirements of 1-2 percent instead of the original 3-5 percent, and building on existing provider-led ACOs rather than insurance companies. The successor ACO REACH program generated $1.6 billion in gross savings and $695 million in net savings to CMS in 2023, with 73 out of 83 participating ACOs meeting continuous improvement requirements. The authors argue a revised model could combine Medicare’s efficiency with population health innovations while serving as regional sentinels against fraud, waste, and abuse. Source: Health Affairs
AI Transcription
Antitrust
- Washington and Colorado will require companies filing Hart-Scott-Rodino premerger notifications to simultaneously submit copies to state attorneys general starting this summer. Washington’s law takes effect July 27, 2025, while Colorado’s becomes effective August 6, 2025, applying to companies with their principal place of business in the state or with annual net sales of at least $25.28 million in goods or services involved in the transaction. The laws impose no filing fees but carry penalties of up to $10,000 per day for non-compliance, and they do not create waiting periods that would prevent deal closings. Both states based their legislation on the Uniform Antitrust Premerger Notification Act approved by the Uniform Law Commission in July 2024, which provides a model for state attorneys general to receive HSR filings at the same time as federal antitrust agencies. Hawaii, West Virginia, District of Columbia, California, and New York are considering similar legislation, with New York’s proposed law extending beyond the model act to require all businesses conducting operations in the state to file with the attorney general. Source: Hogan Lovells
Business Entities
- Texas enacted two bills in May 2025 that reshape corporate governance to attract businesses away from Delaware. Senate Bill 29, effective immediately, codifies the business judgment rule for directors and officers, allows companies to require internal disputes be heard exclusively in Texas courts, permits jury trial waivers, and restricts shareholder inspection rights to exclude emails and social media unless they directly relate to corporate actions. The law also requires minimum ownership thresholds of up to 3% for derivative suits and prohibits attorney fee awards in disclosure-only cases. Senate Bill 1057, effective September 1, 2025, imposes stricter requirements on shareholder proposals by mandating that shareholders hold $1 million in market value or 3% of voting stock for at least six months and solicit 67% of voting power. These changes position Texas to compete with Delaware in the corporate law space as states seek to attract incorporation business. Source: Seyfarth Shaw LLP
Compassionate Use
- Texas expanded its medical cannabis program through HB 46, which Governor Greg Abbott signed into law on June 21, 2025. The law, effective September 1, 2025, adds chronic pain, Crohn’s disease, traumatic brain injury, terminal illnesses, and hospice care as qualifying conditions. The legislation increases THC limits from 1% by weight to 10 milligrams per dose with packages not exceeding 1 gram of THC, and expands delivery methods to include lotions, patches, suppositories, and non-smoked inhalation devices. The Department of Public Safety will issue 12 additional licenses for dispensing organizations, bringing the total to 15, while the Texas Board of Pharmacy will monitor dispensed cannabis through the Prescription Monitoring Program. Patient recommendations remain valid for one year with four 90-day refills, and patient registry information stays confidential with access limited to the department, registered physicians, and dispensing organizations. Source: Marijuana Policy Project
Concierge Medicine
Data Privacy
- Colorado and California became the first US states to enact privacy laws governing neural data in 2024, with at least six other states now proposing similar legislation. The two states took different approaches, with Colorado requiring opt-in consent before collecting neural data while California only provides consumers with limited opt-out rights for uses beyond requested services. Current federal laws like HIPAA provide minimal protection for neural data, covering it only when collected by healthcare entities. Connecticut, Illinois, Massachusetts, Minnesota, Montana, and Vermont have pending bills that vary in scope, with some treating neural data as biometric information and others creating standalone protections. Companies collecting neural data from brain-computer interfaces and neurotechnology devices face compliance challenges due to the inconsistent state-by-state regulatory approach. Source: Arnold & Porter
- Healthcare organizations face mounting cybersecurity threats as data breach costs reach $4.88 million globally, representing a 10 percent increase from the previous year. Electronic health records containing protected health information have become prime targets for cybercriminals using phishing and ransomware attacks. Generative AI tools are expanding the attack surface by introducing vulnerabilities through flawed code, data exposure risks, and threats like prompt injection and deep fakes. A HIMSS/Trimex study reveals that 74 percent of healthcare organizations feel understaffed to handle rising cyber threats. Healthcare providers must implement staff education programs, physical and technical security controls, data encryption, role-based access control, and vetted third-party partnerships while achieving HITRUST certification as the gold standard for data security compliance. Source: HIT Consultant
Eliminating Kickbacks in Recovery Act
Fraud & Abuse
- UnitedHealth Group disclosed Thursday it faces criminal and civil investigations from the Department of Justice. The company said in an SEC filing it was complying with DOJ requests and had reached out to the department after media reports about probes into its Medicare practices. The investigation adds to a year of challenges for the healthcare company, which became the worst performer on the Dow Jones Industrial Average during the first half of 2025 following the fatal shooting of CEO Brian Thompson and the departure of the company’s CEO in May. The Wall Street Journal previously reported the DOJ’s healthcare-fraud unit was investigating possible Medicare fraud at the company, along with potential antitrust violations and Medicare billing practices. UnitedHealth’s stock declined 1.5 percent in morning trading following the announcement, though the company maintains it has “full confidence” in its practices. Source: ABC News
Medical Debt
- A federal court has vacated the Consumer Financial Protection Bureau’s Medical Debt Rule after finding the agency exceeded its authority under federal law. The United States District Court for the Eastern District of Texas approved a consent judgment this month, ruling that the CFPB violated the Fair Credit Reporting Act and the Administrative Procedure Act when it finalized the rule in January 2025. The rule would have prohibited credit reporting agencies from including any medical debt information in consumer reports and barred creditors from considering such information in credit decisions. Trade associations representing credit unions and consumer data industries challenged the rule, and the CFPB under new leadership agreed with the challengers. The decision restores the framework where credit reporting agencies can report coded medical debt information that protects patient privacy. Source: Health Care Law Matters
Medicare Reimbursement
- CMS released the calendar year 2026 Medicare Physician Fee Schedule and Quality Payment Program proposed rule that establishes different payment rates for physicians based on their participation in alternative payment models. The proposed conversion factor for qualifying alternative payment model participants is $33.59, representing a 3.83% increase, while non-participants would receive $33.42, a 3.62% increase from 2025. CMS proposes applying a -2.5% efficiency adjustment to work relative value units for non-time-based services, excluding evaluation and management services, care management, behavioral health, and telehealth services. The agency will recognize higher indirect practice expense costs for office-based practitioners compared to facility settings due to the decline in private practice physicians. CMS also introduced a mandatory Ambulatory Specialty Model for specialists treating low back pain or heart failure that will assess individual physicians on quality metrics and apply payment adjustments ranging from -9% to +9% from 2027 through 2031. Source: AAMC
- CMS launched the WISeR model in June, using artificial intelligence to review Medicare payments for select services during a six-year pilot program from January 2026 to December 2031. The program applies only to original Medicare plans and initially covers skin and tissue substitutes, electrical nerve stimulator implants, and knee arthroscopy for osteoarthritis, while excluding emergency services and treatments that pose risks if delayed. Model participants receive compensation based on a percentage of savings from denied services, raising concerns about financial incentives for denials given that similar AI programs have faced lawsuits where over 90% of denials were later overturned on appeal. A Senate subcommittee report from October 2024 found that Medicare Advantage plans using predictive analysis increased automatic denials for post-acute services without regard to patient need. Providers can earn “gold card” status to become exempt from reviews by demonstrating high authorization approval rates, and experts recommend that providers engage with CMS during the pilot phase and monitor denial patterns for algorithm errors. Source: Phelps Dunbar LLP
Reproductive Rights
Skilled Nursing Facilities
- CMS has extended the deadline for skilled nursing facilities to submit enhanced ownership disclosure requirements from August 1, 2025, to January 1, 2026. The new guidance implements Section 1124(c) of the Social Security Act through a revised Form CMS-855A that requires SNFs to disclose detailed information about governing body members, additional disclosable parties with operational or financial control, and organizational structures of related entities. The enhanced requirements, effective October 1, 2024, apply to all SNFs enrolling, revalidating, reactivating, or undergoing ownership changes, expanding beyond current Section 1124(a) disclosures to include parties providing management services, leasing real property, or exercising control over facility operations. All SNFs must complete revalidation applications by the uniform January 1, 2026 deadline regardless of when they received notification letters from Medicare Administrative Contractors. SNFs experiencing difficulty obtaining required information from third parties must document maximum feasible efforts to secure the data before notifying their contractors of any gaps. Source: CMS Guidance for SNF Attachment on Form CMS-855A
- The HHS Office of Inspector General imposed over $1.6 million in penalties against 20 healthcare facilities for employing individuals excluded from federal healthcare programs. On May 29, 2025, HHS-OIG announced a $1,565,374.11 settlement with 19 skilled nursing facilities across California, Texas, Ohio, and Nevada to resolve allegations that they knew or should have known they employed excluded individuals who provided services billed to federal programs. The agency also reached a separate $35,597.37 settlement with CareLink Home Health, LLC in Illinois for employing an excluded individual who worked as a nurse and case manager while on the exclusions list. HHS-OIG excludes individuals and entities from Medicare and Medicaid programs for various reasons, with exclusion periods ranging from discretionary terms to permanent bans for repeat offenders. Healthcare organizations must check the HHS-OIG List of Excluded Individuals/Entities before hiring new employees or vendors and conduct regular checks of current staff to avoid civil monetary penalty liability. Source: HIPAA Journal
Business of Healthcare
- Healthcare organizations face financial losses from compliance failures, with non-compliance leading to penalties, reputational damage, and operational disruption. VMG Health helped an academic institution save $310,000 using its Compliance Risk Analyzer software, which provides statistical analysis of audit risk for physician claims. The firm offers services including fair market value opinions, coding audits, transaction support, and staff training to help healthcare organizations navigate compliance challenges. It has also developed FMV-MD software to standardize valuation management processes and reduce risks associated with physician compensation arrangements under Stark Law. With 30 years of experience focused on healthcare, VMG Health provides compliance services across all healthcare sectors. Source: VMG Health
- Physician groups must evaluate tax efficiency, legal structure, and compliance issues before considering strategic transactions to avoid pitfalls and devaluation. Medical practice consolidation has increased in recent years with lucrative valuations, but groups need consensus before exploring transactions—full consensus for smaller groups of 2-4 physicians and substantial consensus of 80% or more for larger groups of 5-30+ physicians. Groups must agree on proceeds allocation early and address compliance issues including monthly exclusion checks, Stark/DHS compliance, HIPAA policies, co-pay waiver violations, and employee classification problems. Real estate leases between physician owners and practices should reflect fair market value terms rather than friendly arrangements. Engaging experienced healthcare transaction attorneys and advisors is crucial for proper advance planning and positioning. Source: Medical Economics
Clinical Laboratories
- The U.S. Department of Health and Human Services Office of Inspector General announced in June 2025 a new Work Plan review examining Medicare payments for clinical diagnostic laboratory tests in 2024. This annual review, mandated by the Protecting Access to Medicare Act of 2014, will analyze the top 25 laboratory tests by Medicare expenditures, including tests such as comprehensive metabolic panels, complete blood counts, Hemoglobin A1c, and lipid panels. The OIG’s findings could result in future payment rate adjustments, increased audit scrutiny, or enforcement actions against providers identified as outliers. Clinical laboratories and healthcare providers must ensure their billing practices comply with Medicare regulations, maintain documentation supporting medical necessity, and implement compliance programs with internal audits and staff training. Recent False Claims Act litigation, including Jensen ex rel. United States of America v. Genesis Laboratory, demonstrates the risks laboratories face for non-compliance with federal regulations regarding medical necessity and the Anti-Kickback Statute. Source: Healthcare Law Insights
Cybersecurity & Data Breaches
- Healthcare became the most targeted industry for ransomware attacks in 2024, with data breaches costing organizations an average of $9.77 million. Medical records sell for up to 50 times more than credit card numbers on the dark web because they cannot be cancelled and enable identity theft and insurance fraud. The sector faces vulnerabilities from outdated systems, with 71% of medical devices running obsolete software in 2019 and 60% of French hospitals operating on outdated infrastructure in 2022. Human error accounts for 70% of successful cyberattacks in healthcare in France, with phishing serving as the most common entry point. The analysis recommends treating obsolete IT systems as systemic risks, reimagining spending models to allow flexibility between capital and operational expenditures, mandating cybersecurity training, encouraging regional collaboration, and securing electronic health records as priorities. Source: Cisco
- Healthcare organizations face mounting pressure to deliver personalized care while protecting patient data privacy. A 2023 poll found 95% of patients worry about medical record breaches, while a 2022 American Medical Association survey revealed 92% of respondents believe privacy is a right regarding their health data. Patients trust healthcare providers more than tech companies with their information, with 64-75% comfortable sharing data with doctors and hospitals compared to over 67% who are uncomfortable sharing with technology companies. Nearly half of patients report not getting all questions answered during provider visits, creating opportunities for health plans to fill gaps through educational content that uses aggregate data analysis rather than accessing protected health information. Solutions exist that allow care management teams to personalize member experiences through tiered approaches including self-service resources, automated engagement for rising-risk members, and care manager support for higher-risk populations. Source: Wolters Kluwer
- In June 2025, Winkler County Hospital District notified 637 patients about an insider incident involving the unauthorized disclosure of their protected health information. The incident occurred in April 2025 when a former employee emailed patient data to a personal account. Source: HIPAA Journal
Electronic Health Record
- Texas Governor Greg Abbott signed S.B. 1188 into law, creating data localization requirements for electronic health records. The law requires covered entities to physically maintain all electronic health records of Texas patients within the United States, including those stored by third-party cloud computing services. Healthcare practitioners may use AI for diagnostic purposes only if they disclose its use to patients, operate within their licensing scope, and review AI-generated records according to Texas Medical Board standards. The law establishes a definition of “biological sex” based on reproductive systems and restricts amendments to biological sex information in health records to clerical error corrections or sexual development disorder diagnoses. Violations can result in civil penalties ranging from $5,000 to $250,000 per violation, with most provisions taking effect September 1, 2025, and data localization requirements beginning January 1, 2026. Source: Hunton Andrews Kurth
Emergency Preparedness
- Texas HB 3595 establishes statewide emergency preparedness standards for assisted living communities while allowing providers flexibility in how they meet backup power requirements. The law, effective September 1, requires communities to maintain areas of refuge with temperatures between 68 and 82 degrees during emergencies and conduct full building evaluations of electricity needs. Communities must report power outages lasting more than 12 hours to state agencies, triggering ongoing monitoring conversations to ensure resident safety. The legislation was prompted by Winter Storm Uri, which killed 107 Texas older adults from hypothermia in 2021, and Hurricane Beryl, which caused 28 deaths among older adults, half from overheating. Industry groups support the flexible approach over statewide generator mandates, noting that only 47% of Texas assisted living communities have generators, and more than half of the state’s 2,000 communities house fewer than 17 residents. Source: McKnight’s Senior Living
Emerging Tech
- Texas will implement the Texas Responsible Artificial Intelligence Governance Act on January 1, 2026, regulating businesses operating in the state, those with products used by Texans, or those developing AI systems in Texas. The law prohibits using AI to incite criminal activity, cause harm, violate discrimination laws, impair constitutional rights, or create child pornography and deepfake imagery. Companies must obtain consent before using biometric identifiers for commercial AI purposes and destroy the data within one year after the collection purpose expires. Healthcare providers must notify patients before using AI tools in treatment, and the law establishes a 36-month regulatory sandbox program allowing approved businesses to test AI systems without prosecution. The Texas attorney general will enforce the law, which includes safe harbor provisions for companies that promptly remediate violations and a rebuttable presumption of care for following recognized industry standards. Source: Sheppard Mullin Richter & Hampton LLP
- Healthcare platforms combining artificial intelligence, Internet of Things, and blockchain technology are creating self-learning ecosystems that transform patient care from reactive to proactive. These cognitive healthcare platforms use IoT devices such as fitness trackers and hospital equipment to continuously collect patient data including heart rate, blood pressure, and glucose levels, enabling early intervention before symptoms appear. Blockchain technology ensures secure, tamper-proof storage and sharing of medical records, allowing authorized healthcare providers to access complete patient histories while preventing data breaches and fraud. AI analyzes the real-time data streams to identify patterns and predict health risks such as early signs of diabetes or cancer from subtle changes in body metrics. The platforms reduce administrative burdens for healthcare providers while offering patients transparent access to their health records and remote consultation capabilities, though implementation faces challenges including infrastructure limitations in rural areas and interoperability issues between different hospital systems. Source: Healthcare Asia Magazine
Fraud & Abuse
- The HHS Office of Inspector General issued an unfavorable advisory opinion on July 7, 2025, ruling that flat fee payment structures do not protect healthcare arrangements from Anti-Kickback Statute violations. The Advisory Opinion 25-08 involved a proposed arrangement between a medical device company and a software vendor, where the device company would pay $395 per license annually (totaling $1.2 million) to access software that facilitates device sales to hospitals and surgical centers. The OIG determined the arrangement failed to meet the Personal Services and Management Contracts Safe Harbor because the software services were “redundant” to the company’s existing accounts receivable processes and provided no tangible benefits beyond accessing referrals from surgical providers. The opinion emphasized that payments primarily intended to access referrals rather than obtain legitimate services can violate the Anti-Kickback Statute regardless of whether compensation is structured as a flat fee. The OIG also expressed concerns about anti-competitive behavior, noting that such arrangements could inappropriately steer healthcare providers toward companies willing to pay these fees while disadvantaging competitors. Source: Holland & Knight
- Medical practices must navigate two federal laws designed to prevent financial conflicts of interest that could influence patient referrals. The Stark Law prohibits physicians from referring Medicare patients for designated health services to entities with which they or their family members have financial relationships unless specific exceptions apply, and violations can occur regardless of intent since it is a strict liability statute. The Anti-Kickback Statute criminalizes exchanges of value to induce referrals for federal healthcare program services and requires proof of intent but applies more broadly to all federal programs. In 2024, the Department of Justice resolved multiple cases involving alleged violations, including a Delaware health system that paid $42.5 million to settle allegations it provided free clinical support to a neonatology practice that then billed for services performed by staff. The Office of Inspector General recommends medical practices implement a seven-element compliance framework that includes internal audits, written policies, designated compliance officers, training programs, prompt violation response, open communication, and disciplinary standards. Source: CSH Law
Medicare Reimbursement
- CMS will require specialists in selected regions to participate in a new payment model targeting heart failure and low back pain starting January 1, 2027. The Ambulatory Specialty Model will run for five years through December 31, 2031, and initially cover specialists in roughly one-quarter of core-based statistical areas who treat Original Medicare patients. Participation will be mandatory for cardiologists treating heart failure and specialists in anesthesiology, pain management, neurosurgery, orthopedic surgery, and physical medicine treating low back pain, provided they have historically treated at least 20 episodes per year. The model rewards specialists for improving patient health outcomes and coordinating with primary care providers to reduce avoidable hospitalizations and unnecessary procedures. CMS expects the program to lower costs to Original Medicare while improving patient experience and outcomes. Source: CMS
- CMS announced a proposed rule to slash Medicare reimbursement for skin substitutes by nearly 90% to combat what it calls “abusive pricing practices” in the wound care industry. The 2026 Medicare Physician Fee Schedule would pay for skin substitutes as incident-to-supplies at a flat rate of $125.38 per square cm instead of the current biologicals framework, which allows products to be priced as much as $2,000 per square inch. Medicare spending on these cellular and tissue-based products that treat chronic wounds jumped from $252 million in 2019 to more than $10 billion in 2024. The proposal would categorize skin substitutes by their FDA regulatory status and aims to incentivize products with clinical evidence while saving billions in taxpayer dollars. Industry stakeholders have until September 12 to provide comments, with manufacturers warning the cuts could limit patient access and reduce innovation while advocacy groups support the cost-control measures. Source: MedPage Today
Mergers & Acquisition
- Healthcare mergers and acquisitions demonstrate resilience in 2025, with transaction levels nearly double pre-2020 volumes despite economic and regulatory challenges. Private equity participates in roughly 40% of healthcare transactions, driven by large reserves of undeployed capital and urgency to generate returns. Behavioral health and home health/hospice sectors remain top targets for deals, while revenue cycle management and infusion therapy show increased momentum due to their tech-enabled potential and operational scalability. The Federal Trade Commission and state attorneys general have heightened scrutiny around private equity ownership and market concentration, slowing deal timelines but not halting activity. Organizations now conduct annual strategic portfolio reviews instead of three- to five-year planning cycles, with many preparing to bring deals to market for the remainder of 2025. Source: Modern Healthcare
Transgender Care