Category: Health Law Highlights

Texas Public Emergency

• The Department of Health and Human Services has waived certain HIPAA sanctions and penalties for Texas hospitals responding to a public health emergency in Kerr County. President Donald J. Trump signed a Major Disaster Declaration for Kerr County, Texas, and Secretary Robert F. Kennedy, Jr. declared a public health emergency to address consequences of storms, straight-line winds, and flooding. The waiver allows hospitals to bypass five specific HIPAA Privacy Rule requirements, including obtaining patient agreement to speak with family members, honoring opt-out requests from facility directories, distributing privacy notices, and processing patient requests for privacy restrictions and confidential communications. The waiver applies only in the emergency area to hospitals with disaster protocols and lasts up to 72 hours from when the hospital implements its disaster protocol. Hospitals must resume full HIPAA compliance for all patients under their care once the Presidential or Secretarial declaration terminates, regardless of the 72-hour timeframe. Source: HHS.gov

OIG Advisory Opinions

• The OIG determined that a device manufacturer’s proposed arrangement to reimburse purchasers up to $2,500 for actual costs resulting from a needle stick injury caused by the failure of its device does not violate the Federal anti-kickback statute. The manufacturer’s device, used by health care practitioners for injections, includes a safety mechanism, and the reimbursement would only apply if the device’s failure—not user error—causes an injury. The OIG found that the arrangement qualifies for the regulatory safe harbor for warranties, as it is limited to reimbursement for documented actual costs, is not conditioned on exclusive use or minimum purchases, and does not involve price reductions or payments for medical expenses of federal health care program enrollees. The warranty applies for one year from purchase and only covers the device itself, not related services. Source: OIG Advisory Opinion No. 25-05 (Favorable)
• The OIG concluded that a pharmaceutical manufacturer’s program to assist eligible patients with travel, lodging, and related expenses for a one-time gene therapy does not violate federal anti-kickback or beneficiary inducement laws. The manufacturer’s gene therapy treats a rare, fatal genetic disease in children and costs over $4 million, with treatment limited to a small number of specialized centers. Under the arrangement, patients with household incomes below 600% of the Federal Poverty Level and who lack other travel assistance may receive covered transportation, lodging, and daily expenses for themselves and up to two caregivers, but only for medically necessary phases of treatment and only when no other support is available. The program uses a vendor to verify eligibility and prevent duplicate coverage, requires documentation of expenses, and does not promote the assistance as a reason to prescribe the therapy. The OIG found that the arrangement promotes access to care, poses a low risk of fraud or abuse, and does not improperly influence provider or patient choice. Source: OIG Advisory Opinion No. 25-06 (Favorable)
• The OIG determined that a pharmaceutical manufacturer’s program to sponsor a free companion laboratory test for eligible patients prior to prescribing a specific drug does not violate federal anti-kickback or beneficiary inducement laws. The manufacturer’s drug is approved for certain conditions and requires a companion diagnostic test to determine patient eligibility, with the test being offered at no cost to patients who meet specific criteria and have not previously received the test. The arrangement prohibits providers and the laboratory from seeking reimbursement from any third party, ensures that no patient or provider receives direct remuneration, and limits data sharing to de-identified, aggregated information. The program is designed to identify patients who may benefit from the drug and does not promote the drug during disease-awareness activities or use data to target providers or patients for marketing purposes. The OIG concluded that the arrangement poses a low risk of fraud or abuse, does not interfere with clinical decision-making, and satisfies exceptions for promoting access to care. Source: OIG Advisory Opinion No. 25-07 (Favorable)
• The OIG found that a medical device company’s proposal to pay a third-party vendor for access to an electronic billing system used by some customers would generate prohibited remuneration under the Federal anti-kickback statute. The company supplies “bill-only” surgical devices to health care providers, and some customers require the use of a vendor’s billing portal for purchasing these items, for which the vendor charges the company a licensing fee per representative. The company stated that the portal is redundant to its existing billing processes and provides no necessary or desired services, but it would pay the fees to retain and potentially expand business with customers who require use of the portal. The OIG determined that the arrangement could inappropriately steer customers to the company over competitors, presents anti-competitive risks, and does not serve a commercially reasonable business purpose for the company. As a result, the OIG concluded that the arrangement is not sufficiently low risk to warrant a favorable opinion. Source: OIG Advisory Opinion No. 25-08 (Unfavorable)

Cybersecurity

• Healthcare organizations face cybersecurity risks when storing Protected Health Information in cloud environments. PHI includes medical records, diagnoses, treatment details, billing information, patient names, medical record numbers, health insurance details, Social Security numbers, test results, prescriptions, dates of birth, addresses, and billing information. When compromised, PHI can lead to identity theft, medical fraud, unauthorized use of insurance benefits, reputational harm, and loss of trust in healthcare providers. Cloud storage challenges include meeting HIPAA compliance requirements, understanding shared responsibility between providers and organizations, preventing misconfigurations, managing third-party integrations, maintaining visibility and control, and ensuring data location compliance. Healthcare organizations must implement encryption, identity and access management, secure cloud architecture, continuous monitoring, regular backups, disaster recovery plans, and staff training to protect PHI in cloud environments. Source: Geek Vibes Nation

Food & Drug Administration

• The FDA implemented sweeping changes in June 2025 that created uncertainty for cell and gene therapy developers while launching new programs to accelerate drug approvals. The agency halted new clinical trials involving transfer of genetic material to foreign countries including China and terminated both the director and deputy director of the Office of Therapeutic Products, which oversees gene therapy and cellular therapy reviews. FDA also launched the Commissioner’s National Priority Voucher program that promises to reduce drug review times from 10-12 months to 1-2 months for companies aligned with national health priorities such as domestic manufacturing. The agency issued a warning letter to a Florida drug distributor for Drug Supply Chain Security Act violations just two months after inspection, signaling accelerated enforcement of prescription drug security laws. Meanwhile, medical device regulation remained stable and the FDA hired a new deputy director of the Center for Drug Evaluation and Research to advance psychedelic therapy development. Source: Mintz

Fraud & Abuse

• DOJ and HHS of Health and Human Services announced the creation of the False Claims Act Working Group to strengthen civil enforcement of the False Claims Act in healthcare. The Working Group will be jointly led by DOJ’s Civil Division and top HHS officials, including representatives from CMS, the HHS Office of Inspector General, and U.S. Attorneys’ Offices. The initiative will focus on six priority enforcement areas: Medicare Advantage risk adjustment fraud, drug and device pricing, barriers to patient care, kickbacks, defective medical devices, and EHR manipulation designed to inflate Medicare reimbursements. The Working Group will make high-priority FCA referrals from HHS to DOJ, coordinate enforcement decisions, leverage data mining to uncover leads, evaluate payment suspensions, and encourage voluntary disclosures. This marks a shift toward more government-led enforcement and potentially less whistleblower-led enforcement, with healthcare companies facing increased scrutiny and faster investigations. Source: Healthcare Law Insights

Marketing

• Healthcare fraud through phone calls cost Americans over $16 million in the first quarter of 2024. Americans received more than 4.4 billion robocalls in April 2024, with an average of 146.9 million calls per day and 1,700 calls per second. Scammers target the healthcare sector because consumers trust calls from health providers, often using caller ID spoofing to appear as legitimate hospitals or physicians’ offices. Common scams involve fraudsters posing as Medicare or Medicaid workers who request personal data or money while threatening loss of coverage. New technology offers solutions through branded calls that display business logos, names, and reasons for calling, verified through end-to-end call verification systems. Source: HIT Consultant

Medicaid

• President Trump’s tax package will cut more than $1.2 trillion from Medicaid coverage and funding between 2025 and 2034. The cuts include $665 billion that will directly impact hospitals as part of the tax-and-spending-cuts package. States and hospitals will absorb $1.3 trillion in Medicaid funding cuts over the next decade. The reductions affect both Medicaid coverage and funding streams that support healthcare providers. Source: Modern Healthcare

No Surprises Act

• The Fifth Circuit ruled that the No Surprises Act does not allow healthcare providers to bring private lawsuits to enforce Independent Dispute Resolution awards. The case involved two air ambulance providers, Guardian Flight, LLC and Med-Trans Corporation, who sued Health Care Service Corporation after receiving delayed or no payment on IDR awards they had won under the No Surprises Act. The Fifth Circuit rejected all three of the providers’ claims, including violations of the NSA itself, ERISA benefit denials, and state law unjust enrichment. The court determined that Congress intended enforcement to occur through the administrative complaint process overseen by the U.S. Department of Health and Human Services rather than through private litigation. This decision conflicts with district court rulings in Connecticut and other jurisdictions that have found implied enforcement rights, creating a judicial divide that may require Supreme Court resolution. Source: Proskauer Rose LLP

Restrictive Covenants

• Eight states have enacted legislation in 2025 that restricts or bans non-compete agreements for healthcare professionals. Colorado now voids non-compete and non-solicitation covenants for healthcare providers regardless of salary thresholds, while Illinois expanded restrictions for mental health professionals treating veterans and first responders. Indiana banned non-compete agreements between physicians and hospitals or hospital systems, and Montana extended its existing ban to all licensed physicians. Oregon declared non-competition agreements void and unenforceable for physicians, physician assistants, and nurse practitioners, while Texas now requires buyout options capped at annual salary and extended restrictions to dentists, nurses, and physician assistants. Utah prohibits healthcare staffing platforms from requiring non-compete agreements from healthcare workers. Source: Littler
• States are implementing varied restrictions on non-compete agreements for healthcare professionals following the Federal Trade Commission’s failed attempt to ban such agreements nationwide. The new state laws range from blanket prohibitions in states like Arkansas and Wyoming to defined limitations on duration and geographic scope, with most states allowing non-competes lasting up to one year and geographic restrictions varying from five-mile radii in Texas to 30-mile radii in West Virginia. Some states condition enforceability on termination circumstances, while others like Maryland use hybrid approaches that combine compensation thresholds with medical-specific limitations. Texas enacted legislation in June 2025 requiring buyout caps not exceeding annual salary, while Florida passed a bill excluding healthcare practitioners from expanded non-compete limitations and Nevada’s governor vetoed a healthcare non-compete prohibition. The varied approaches reflect competing interests between employer investment protection, practitioner mobility rights, and patient care continuity concerns. Source: Seyfarth Shaw LLP
• Governor Abbott signed Senate Bill 1318 into law, imposing new restrictions on noncompete agreements for physicians and health care practitioners effective September 1. The law limits physician noncompete agreements entered into or renewed after September 1 to one year in duration and five miles in geographic scope from where the physician primarily practiced. Buyout provisions cannot exceed the physician’s total annual salary and wages at the time of separation, and agreements must include clearly written terms. The legislation expands these restrictions to health care practitioners including licensed dentists, nurses, and physician assistants, and voids noncompete agreements when physicians are involuntarily discharged without good cause. While the law only applies to new or renewed agreements after September 1, courts may use these restrictions as guidelines when evaluating the reasonableness of existing noncompete agreements. Source: BakerHostetler

Emerging Tech

• CMS will launch the Wasteful and Inappropriate Service Reduction (WISeR) Model on January 1, 2026, to combat healthcare fraud through artificial intelligence-enhanced prior authorization processes in Traditional Medicare. The model will focus on services vulnerable to fraud, waste and abuse, including skin and tissue substitutes, electrical nerve stimulator implants, and knee arthroscopy for knee osteoarthritis. CMS will partner with technology companies to administer the model across geographic areas, though licensed clinicians will make final prior authorization decisions rather than automated systems. Healthcare providers can choose between using the WISeR Model process or undergoing post-service or pre-payment medical review. The model will run through 2031, with participating companies to be announced after the application period ends on July 25, 2025. Source: TechTarget
• Texas passed two laws regulating artificial intelligence use in healthcare and other sectors. House Bill 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), was signed June 22, 2025, and takes effect January 1, 2026, requiring healthcare providers to disclose AI use in patient diagnosis or treatment. Senate Bill 1188, signed June 20, 2025, and effective September 1, 2025, mandates that licensed practitioners review all AI-generated records and prohibits offshoring electronic medical records. TRAIGA also prohibits discriminatory AI use and requires organizations to implement risk assessment and documentation procedures. The Texas attorney general will enforce TRAIGA through civil penalties. Source: Holland & Knight
• Researchers developed a privacy-preserving artificial intelligence system that achieves 99.48% accuracy in classifying skin lesions while protecting patient data through advanced encryption. The model combines block-scrambling-based encryption with three neural networks (MobileNetV2, GoogLeNet, and AlexNet) to extract features from skin images while maintaining data confidentiality during transmission and storage. The system uses a conditional variational autoencoder for classification and hippopotamus optimization for parameter tuning to enhance performance. Testing on the skin cancer ISIC dataset showed the model outperformed existing methods with superior accuracy and faster execution time of 8.85 seconds compared to competing approaches. The research addresses the critical need for secure medical image analysis, particularly important given that skin diseases affect 30-70% of people globally. Source: Scientific Reports

Fraud & Abuse

• The Justice Department charged 324 defendants in connection with over $14.6 billion in health care fraud schemes, marking the largest health care fraud takedown in the department’s history. The defendants include 96 doctors, nurse practitioners, pharmacists, and other licensed medical professionals across 50 federal districts and 12 state attorneys general offices. The government seized over $245 million in cash, luxury vehicles, cryptocurrency, and other assets, while the Centers for Medicare and Medicaid Services prevented over $4 billion from being paid on fraudulent claims and suspended or revoked billing privileges for 205 providers. The schemes included transnational criminal organizations submitting over $12 billion in fraudulent claims, with Operation Gold Rush alone involving $10.6 billion in fraudulent Medicare claims using stolen identities of over one million Americans. The Justice Department announced plans to create a Health Care Fraud Data Fusion Center to leverage artificial intelligence and advanced analytics to identify emerging fraud schemes. Source: United States Department of Justice
• More than a dozen Houston-area medical professionals have been indicted in what prosecutors call the largest health care fraud crackdown in Department of Justice history. The nationwide operation charged over 320 people and uncovered nearly $15 billion in false claims, with 22 cases filed in federal court in Houston. Among those charged are Dr. David Jenson and his business partner, who allegedly billed Medicare $90 million for unnecessary “second skin” procedures and received $45 million in reimbursements, and the owners of United Palliative & Hospice Care in Fort Bend County, accused of fraudulently billing $87 million for end-of-life care for patients who were not dying. Other schemes involved fraudulent COVID-19 testing that netted $293 million, illegal kickbacks for genetic testing, and billing for mental health services never provided. The cases represent various types of health care fraud including Medicare and Medicaid billing fraud, pandemic relief fund fraud, and the unlawful distribution of controlled substances. Source: Houston Chronicle
• Federal prosecutors charged nearly 50 people in the Southern District of Texas as part of a national health care fraud takedown involving over $360 million fraudulently billed to Medicare and the distribution of nearly 12 million pills. The charges include 22 cases involving unlawful distribution of controlled substances, hospice fraud, kickbacks, and Medicare/Medicaid fraud schemes for services like genetic tests and durable medical equipment. The cases include a $110 million hospice fraud scheme where patients were enrolled in hospice services despite not being terminally ill, and a pill mill operation that distributed over 2 million controlled substance pills to the black market. Other schemes involved fraudulent billing for COVID-19 treatment services, mental health therapy, and skin substitute products for patients without qualifying wounds. The Texas cases are part of a nationwide enforcement action that resulted in charges against 324 defendants and the seizure of over $245 million in assets. Source: U.S. Attorney’s Office, Southern District of Texas
• The U.S. Justice Department charged 324 individuals in a record-breaking healthcare fraud crackdown involving $14.6 billion in schemes. The DOJ debuted its Health Care Fraud Data Fusion Center, which uses AI, cloud computing, and analytics to shift from reactive investigation to proactive detection of fraud patterns. The centerpiece operation, “Operation Gold Rush,” exposed a transnational catheter supply fraud led by Russian and Eastern European criminal networks that filed over $10.6 billion in false claims using stolen U.S. identities. Authorities seized over $245 million in assets and the Centers for Medicare and Medicaid Services suspended payments on over $4 billion in pending claims deemed fraudulent. Source: PYMNTS

Healthcare Privacy

• A Texas federal district court vacated the HIPAA Reproductive Health Rule nationwide on June 18, 2025, in the case Purl v. HHS. The court ruled that HHS exceeded its authority and violated procedural requirements when creating the rule, which the Biden Administration had implemented after Dobbs v. Jackson Women’s Health Organizations to prohibit disclosure of reproductive health information for investigating or prosecuting reproductive healthcare that was legal where performed. Healthcare providers can now disregard the rule’s requirements and must undo actions they took to implement it, as HIPAA reverts to its pre-December 2024 form where reproductive health information is treated like any other protected health information. HHS is unlikely to appeal the decision given Trump Administration policies and has not requested a stay. The ruling does not affect substance use disorder provisions, meaning providers must still update their privacy notices by February 2026. Source: Holland & Hart’s Health Law Blog
• The Southern District of New York allowed eight privacy claims to proceed against Teladoc Health for using website tracking technologies that transmitted patient health information to third parties. On June 25, 2025, the court denied Teladoc’s motion to dismiss after plaintiffs alleged the company installed tracking pixels and APIs on its telehealth platform that shared protected health information for advertising purposes. The court ruled that Teladoc’s tracking technology created an independent criminal purpose through HIPAA violations, defeating consent-based defenses under the Electronic Communications Privacy Act. The court determined Teladoc functioned as a healthcare provider rather than a technology platform and that medical conditions constitute contents of communications under state privacy laws. Eight claims survived including federal wiretapping violations and state privacy claims under New York, Florida, and California laws. Source: Duane Morris LLP
• US healthcare companies face restrictions when offshoring patient data operations due to state and federal privacy regulations. While HIPAA does not prohibit storing protected health information outside the United States, states including Wisconsin, Texas, Florida, and Arizona have enacted data localization laws that require patient information to remain within US borders. The Centers for Medicare & Medicaid Services requires Medicare Advantage Organizations to obtain attestation certificates from healthcare providers who use offshore vendors, detailing safeguards for patient information protection. Healthcare companies can mitigate offshoring risks through business associate agreements with international arbitration clauses, encryption requirements, and annual audits of offshore subcontractors. Offshore vendors must demonstrate HIPAA compliance and may need to establish US-based operations or partner with domestic intermediaries to work with American healthcare organizations. Source: MWE
• Microsoft and Google email platforms may be transmitting healthcare data without encryption, potentially violating HIPAA requirements. A recent study found that Google Workspace still uses deprecated TLS 1.0 and 1.1 encryption protocols, while Microsoft 365 sends messages unencrypted when encryption fails without warning senders. The research involved controlled experiments where Paubox set up recipient mail systems that only accept legacy TLS protocols and sent test messages containing simulated protected health information. Healthcare organizations rely on email for lab results, care instructions, and appointment notifications, all of which must be encrypted under HIPAA regulations. The findings suggest that healthcare organizations depending on these platforms for compliance may be unknowingly transmitting unencrypted patient data. Source: MediaPost

Inpatient Rehab Facilities

• Freestanding inpatient rehabilitation facilities are outperforming hospital-based units through partnerships, achieving 24% Medicare margins compared to 1% for departmental IRFs in 2023. The number of freestanding IRFs grew 7.4% from 345 to 371 facilities between 2022 and 2023, while Medicare IRF admissions increased 7.3% overall. States without certificate of need laws show higher IRF utilization rates at 7.5% of acute care discharges compared to 5.6% in CON states, prompting reforms in South Carolina, Florida, and Tennessee. Hospital systems are increasingly partnering with IRF operators through joint ventures, joint operating agreements, or management agreements to transition departmental units to freestanding facilities, which cost $15,000 per stay compared to $21,000 for hospital-based stays. Source: VMG Health

Non-Competes

• The Texas legislature passed SB 1318 on June 20, 2025, establishing stricter requirements for noncompete agreements in healthcare. The amended statute mandates that noncompete agreements include clear language and become unenforceable if a physician was terminated without cause. Agreements involving physicians, dentists, nurses, and physician assistants must contain buyout clauses and are restricted to one year in duration and a five-mile radius. The changes take effect September 1, 2025, but exclude physicians serving only in managerial or administrative roles. Source: American Bar Association

OIG

• The Office of Inspector General approved a telehealth arrangement that allows physician-owned entities to lease healthcare professionals from telehealth platforms without violating federal anti-kickback laws. The June 6, 2025 advisory opinion covers an arrangement where a Requestor Professional Corporation leases healthcare professionals from Platform Professional Corporations on an hourly basis, with fees determined by provider type and paid regardless of third-party reimbursement. The OIG determined the arrangement complies with anti-kickback statutes because it includes written agreements, independent fee validation, and compensation structures that remain separate from referral volume or business generation. The arrangement aligns with federal safe harbor provisions for personal services and management contracts, which require detailed written agreements with fixed terms of one year or longer. The advisory opinion applies only to the specific parties involved, meaning other organizations must seek their own legal review for similar arrangements. Source: Hinshaw Law

OIG Advisory Opinions

• The HHS OIG approved a telehealth platform arrangement involving management service organizations and physician corporations. The arrangement allows a management support organization and physician-owned professional corporation to contract with third-party telehealth platforms to lease clinicians and obtain administrative services including accounting, marketing, and IT support. OIG determined the proposal was protected by the federal anti-kickback statute safe harbor for personal services and management contracts because payments are fixed at fair market value and not based on referral volume or value. The arrangement aims to expand access to in-network telehealth services for patients in underserved and rural areas through contracts covering over 400 payors representing 80% of commercially covered lives and 65% of Medicare Advantage covered lives. OIG noted the decision could serve as a model for other management services and care delivery organizations considering similar arrangements. Source: OIG Advisory Opinion No. 25-03
• The Office of Inspector General (OIG) has determined that a medical device company’s proposal to pay for third-party exclusion screening and compliance monitoring services would, if undertaken with the requisite intent, constitute prohibited remuneration under the Federal anti-kickback statute. The company intended to pay annual fees to a third-party for screening and monitoring that customers would otherwise pay, potentially inducing customers to purchase items or services reimbursable by Federal health care programs. OIG found that this arrangement could relieve customers of financial burdens and create risks of inappropriate steering and anti-competitive practices, as the payments may influence purchasing decisions. No regulatory safe harbor applied, and the OIG noted that the arrangement could result in sanctions, including civil monetary penalties and exclusion from federal health care programs. Source: OIG Advisory Opinion No. 25-04

Clinical Trials

• Medical device manufacturers face critical decisions in clinical trial planning that can determine company survival. Companies must collect clinical data for pre-market submissions through processes that consume time and money while putting business existence at risk. Three pathways exist for medical device investigations based on risk levels: minimal risk, nonsignificant risk (NSR), and significant risk (SR) studies, with each requiring different oversight and regulatory requirements. Before conducting pivotal trials, companies must define their intended use, indications, and claims since FDA market authorization depends on clinical trial results. Companies should establish FDA communication plans and work with expert statisticians, clinicians, and regulatory counsel to mitigate risks and ensure proper execution. Source: Gardner Law

Corporate Practice of Medicine

• Healthcare entities face compliance challenges when expanding across state lines due to varying corporate practice of medicine laws and ownership requirements. The corporate practice of medicine doctrine varies significantly by state, with jurisdictions like New York establishing strict prohibitions while others allow more flexibility in corporate structures. Professional entity ownership requirements differ across states, with some mandating wholly or majority ownership by licensed professionals while others like Delaware permit non-physician ownership under certain limitations. Healthcare entities may need to create new entities, revise ownership agreements, or establish management services organization structures to comply with jurisdictional requirements. Legal counsel recommends conducting thorough due diligence and preparing new governance agreements before expanding operations into new markets. Source: Stevens & Lee

Cybersecurity

• Congress introduced bipartisan legislation to strengthen cybersecurity coordination between federal agencies protecting the healthcare sector. The Healthcare Cybersecurity Act of 2025 was introduced in the House by Representatives Jason Crow (D-CO) and Brian Fitzpatrick (R-PA), with a companion bill in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). The legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on cybersecurity improvements, establish a liaison between the agencies, authorize cybersecurity training for personnel, and conduct a study identifying sector risks. Healthcare cyberattacks have escalated with over 700 data breaches affecting 500 or more individuals reported annually for the past four years, including 278 million individuals affected in 2024. The 2024 Change Healthcare ransomware attack, which compromised an estimated 190 million records and disrupted healthcare operations nationwide, exemplifies the sector’s vulnerability to cyber threats. Source: HIPAA Journal

Emerging Tech

• Health systems across the U.S. are accelerating partnerships with tech companies to embed AI into clinical care, operations and administrative workflows. Mayo Clinic partnered with hellocare.ai in June to advance ambient clinical intelligence, aiming to support early detection, reduce clinician workload and enhance proactive inpatient care. Northwestern Medicine entered a multi-year collaboration with PathAI to transform pathology diagnostics through AI, including joint research, clinical innovation programs and co-development of machine learning-powered diagnostic algorithms. Oracle Health, Cleveland Clinic and G42 announced a partnership in May to build an AI-driven platform for healthcare delivery in both the U.S. and UAE, leveraging national-scale data analytics, clinical applications and precision medicine tools. These partnerships reflect a push among health systems and tech companies to ensure AI tools are grounded in clinical realities while benefiting from technical expertise. Source: Becker’s Hospital Review

Fair Market Valuations

• Healthcare organizations must follow eight documentation steps to maintain compliance during fair market value processes for provider compensation arrangements. The documentation requirements include gathering provider profiles, service descriptions, business justifications, productivity metrics, compensation terms, FMV analyses, contract documents, and team approvals to meet Stark Law and Anti-kickback Statute requirements. Organizations should seek third-party FMV opinions when arrangements involve high referral risk, complex compensation structures, or when internal resources lack access to market data sources and valuation expertise. Primary care and orthopedic specialties present higher referral risks compared to pathology or emergency medicine, while arrangements involving co-management, telehealth, or value-based payments require specialized valuation approaches. Many healthcare organizations are moving FMV reviews in-house to reduce costs and improve turnaround times, but must ensure they have the resources and training to conduct these reviews effectively. Source: VMG Health

Health Data

• Four states sent personal health data from their insurance websites to technology companies including Google, LinkedIn, and Snapchat. Nevada’s exchange transmitted prescription drug names and dosages to LinkedIn and Snapchat, while Maine and Rhode Island sent prescription information and doctor names to Google through analytics tools. Massachusetts Health Connector shared whether visitors reported being pregnant, blind, or disabled with LinkedIn. The Markup and CalMatters discovered this data sharing through web trackers on state exchanges established under the Affordable Care Act after auditing websites from all 19 states that operate their own health insurance marketplaces. Nevada and Massachusetts stopped transmitting data to these companies after reporters contacted them about the findings. Source: The Markup

HIPAA

• The U.S. Department of Health and Human Services is implementing new HIPAA regulations in 2025 to strengthen patient privacy and security. The updates respond to the rise of telemedicine, growing use of electronic health records, and a 264% increase in ransomware attacks against healthcare systems in 2024. Healthcare organizations must comply with expanded patient access requirements by July 2025 and update vendor management practices by December 2025, while implementing multi-factor authentication, data encryption, and penetration testing. The regulations include new protections for reproductive health information and requirements for AI tools and telehealth platforms to comply with privacy and security rules. Healthcare professionals express concerns about the cost and technical complexity of implementing these changes, particularly for small practices with outdated technology. Source: Security Boulevard

Legislation

• Texas lawmakers passed legislation requiring food manufacturers to remove certain ingredients or add warning labels to products. The Texas House approved SB 25 on May 26, 2025, with bipartisan support, targeting ingredients like Red 40 and titanium dioxide that are banned in other countries. The bill requires manufacturers to either eliminate these substances or display warnings stating the ingredient is not recommended by authorities in Australia, Canada, the European Union, or the United Kingdom. High fructose corn syrup was removed from the prohibited list after food companies opposed its inclusion, though legislators rejected industry efforts to eliminate the warning label requirement entirely. The legislation now awaits Governor Greg Abbott’s signature and would take effect September 1, 2025. Source: The Daily Intake

Private Equity

• Private equity investors maintain interest in healthcare services and technology companies despite higher borrowing costs and increased regulatory scrutiny as of mid-2025. Macroeconomic volatility has compressed valuations and extended deal timelines through the first half of 2025, but demographic trends and fragmentation among provider groups continue to attract growth-oriented capital. PE firms are targeting outpatient care models, physician specialty platforms, behavioral health services, home-based care, AI-driven clinical decision support, and value-based care platforms. Federal enforcement from the FTC and DOJ has intensified challenges to physician group consolidation, while state laws increasingly require material change notifications for healthcare mergers and acquisitions. Labor shortages and wage inflation present additional risks, particularly for home health, skilled nursing facilities, and behavioral health settings. Source: ArentFox Schiff

Accountable Care Organizations

• Hospitals participating in CMS accountable care organizations require more than two years of maturity before seeing improvements in patient care costs and quality, according to a study comparing 121 ACO-participating hospitals with 853 non-participating hospitals from 2010 to 2013. Researchers found that hospitals with an ACO maturity score of zero performed worse than non-participants in acute myocardial infarction mortality rates and perioperative pulmonary embolism or deep vein thrombosis rates, but these differences disappeared as ACO maturity increased. The study showed that higher ACO maturity scores correlated with reductions in accidental punctures and lacerations among participating hospitals. Researchers noted that early ACOs focused primarily on enhancing care coordination and strengthening primary care rather than transforming inpatient care processes during the initial 18 months. Currently, only 1,450 of more than 5,000 Medicare-enrolled hospitals participate in CMS ACOs, leaving room for expansion as the agency aims to transition all traditional Medicare beneficiaries to accountable care by 2030. Source: American Journal of Managed Care

Cybersecurity

• Healthcare organizations face an escalating cybersecurity crisis with 33 attacks recorded in 2025 and global healthcare ransomware surging 31%. Over 90% of healthcare cyberattacks are phishing scams enhanced by AI, while healthcare data sells for up to 50 times more than financial information on black markets. Third-party vendors cause 50-60% of data breaches, prompting healthcare organizations to adopt the HITRUST framework for vendor risk assessment. The government is implementing mandatory cybersecurity standards through the Health Infrastructure Security and Accountability Act and proposed HIPAA Security Rule modifications requiring encryption, multi-factor authentication, and vulnerability testing. Healthcare providers are deploying AI-powered threat detection systems and zero-trust architectures to combat these threats in real time. Source: Information Security Buzz

Drugs & Devices

• Sixteen states have proposed or passed legislation to make ivermectin available over the counter despite scientific evidence showing the deworming drug does not treat COVID-19 or cancer. Idaho, Arkansas, and Tennessee have enacted such laws, while Louisiana passed a bill awaiting the governor’s signature, driven by social media claims that ivermectin treats cancer, COVID-19, foot pain, arthritis, lupus, and acne. High-quality clinical trials found ivermectin ineffective against COVID-19, and doctors report patients with treatable cancers have delayed treatment to try ivermectin, only to return with advanced disease. Despite state laws, pharmacies remain unable to sell ivermectin over the counter because it remains federally regulated by the FDA, with NBC News finding no pharmacists willing to dispense it without a prescription in states with permissive laws. Pharmacists cite liability concerns since the prescription drug lacks over-the-counter packaging with consumer directions and safety statements. Source: Ars Technica

EMTALA

• CMS rescinded July 2022 guidance on EMTALA obligations for pregnant patients and pregnancy loss cases. The Department of Health and Human Services and Centers for Medicare & Medicaid Services announced on June 3, 2025, that they are withdrawing two hospital guidance documents (QSO-22-22-Hospitals and QSO-21-22-Hospitals) and a letter from the former Secretary of Health and Human Services because these documents do not reflect current administration policy. CMS stated it will continue to enforce EMTALA, which protects all individuals who present to hospital emergency departments seeking examination or treatment, including for emergency medical conditions that place the health of a pregnant woman or her unborn child in serious jeopardy. The agency said it will work to rectify perceived legal confusion and instability created by the former administration’s actions. Source: CMS

Fraud & Abuse

• Healthcare fraud enforcement under the False Claims Act reached $1.67 billion in settlements and judgments in 2024, representing 57% of all FCA recoveries. The Department of Justice secured settlements from Independent Health ($98 million for upcoding Medicare diagnoses), Gilead Sciences ($202 million for kickbacks to HIV medication practitioners), and Teva Pharmaceuticals ($450 million for Medicare copay conspiracies and generic drug price fixing). Attorney General Pam Bondi and Deputy Assistant Attorney General Michael Granston have committed to enforcement, with DOJ guidance instructing prosecutors to prioritize healthcare fraud cases. The government recovers three dollars for every dollar spent fighting fraud, according to DOJ officials. Enforcement now extends beyond traditional healthcare to include Walgreens ($350 million for opioid prescription violations) and McKinsey ($650 million for consulting on OxyContin sales acceleration). Source: Forensic Risk

HIPAA

• The US Department of Health and Human Services Office for Civil Rights has escalated enforcement of HIPAA risk analysis requirements through a dedicated initiative that has resulted in nine settlements totaling over $1 million in penalties since October 2024. The Risk Analysis Initiative targets healthcare entities that fail to conduct proper assessments of potential risks to electronic protected health information, a requirement under the HIPAA Security Rule that OCR describes as the foundation for cybersecurity practices. Healthcare organizations face increasing pressure as ransomware breaches have surged 264% since 2018, with settlements ranging from $10,000 to $350,000 for violations involving breaches affecting between 4,304 and 585,621 individuals. The enforcement effort has continued across both the Biden and Trump administrations, with OCR finding that many entities’ risk analyses were based on incomplete inventories of where protected health information is stored and transmitted. The initiative encompasses various breach types including ransomware attacks, server misconfigurations, and unauthorized access to medical imaging systems. Source: ArentFox Schiff
• Healthcare organizations continue to struggle with HIPAA compliance implementation despite awareness of their obligations, according to survey results from hundreds of organizations across the United States. The survey found that many organizations have not appointed dedicated HIPAA Privacy Officers with sufficient decision-making authority and continue to provide training less frequently than annually, often excluding business associates from compliance education. Organizations also lack written documentation for complex or emerging risks, with some not updating their HIPAA risk assessments in several years despite increasing cybersecurity threats. Only a minority of respondents indicated they feel confident their organization could effectively respond to an Office for Civil Rights compliance audit or data breach investigation. The Office for Civil Rights is scrutinizing risk assessments under its enforcement initiative, with organizations facing a high probability of financial penalties for noncompliance. Source: HIPAA Journal

Medicare

• Medicare paid $124 million for evaluation and management services billed alongside eye injections that violated federal requirements. The Office of Inspector General found that for 42 percent of the 3.3 million intravitreal injections provided during June 2022 through May 2023, providers billed for evaluation and management services on the same day using modifier 25, which bypassed system controls designed to prevent improper payments. Documentation for 22 of 24 sampled services did not support the use of modifier 25, as the services were not significant and separately identifiable from the injection procedures. The Centers for Medicare & Medicaid Services lacked adequate internal controls to detect and prevent these potentially improper payments, including clear requirements for modifier 25 use and medical reviews of claims. The audit recommends that CMS update billing requirements, conduct medical reviews to recover up to $124 million in improper payments, and provide better education to providers about appropriate billing practices. Source: HHS.gov

Med Spas

• Private equity investment in med spa practices faces complex financial due diligence challenges that require careful analysis of cash-based accounting systems. The med spa industry experienced growth in 2024 driven by demand for neurotoxins, skin rejuvenation, and weight loss procedures including Semaglutides and CoolSculpting. Cash-pay business models create misleading financial statements due to prepaid packages, memberships, and gift card sales that distort revenue recognition timing. The industry faces margin pressure through Q1 2025 from rising supply and personnel costs while competition limits price increases. Med spas are expanding services to include hormone replacement therapy and regenerative medicine to boost same-store sales growth. Source: VMG Health

Patient Rights

• The Fifth Circuit upheld Texas parental consent requirements that prevent minors from confidentially accessing contraception at federally funded Title X clinics. Alexander Deanda, a father of three daughters, filed suit in 2020 challenging the Department of Health and Human Services’ administration of Title X, arguing he wanted notification if his children sought contraceptives based on his Christian beliefs. Title X, enacted in 1970, provides family planning services to low-income individuals and in 2021 HHS prohibited parental consent requirements for minors seeking services. The district court ruled in Deanda’s favor, finding that federal law did not preempt Texas Family Code provisions requiring parental consent for medical care, but the Fifth Circuit avoided deciding the constitutional question of balancing parental and minor rights by using the doctrine of constitutional avoidance. The ruling threatens minors’ access to confidential reproductive care through mechanisms like judicial bypass. Source: Harvard Law Review

Senior Living Facilities

• Cyber attacks on senior living and care facilities have escalated dramatically, with 92% of healthcare organizations reporting attacks in 2024 compared to 88% in 2023. Healthcare facilities averaged 2,434 attacks per week in the third quarter of 2024, representing an 81% increase from the previous year. In the first quarter of 2025, more than six nursing homes and rehabilitation centers reported hacking incidents affecting over 130,000 individuals. The sector’s vulnerability stems from lagging technology adoption, proliferation of network-connected devices, and the high value of healthcare data to criminals. The primary threat comes from employees opening malicious emails and clicking links that expose credentials, according to cybersecurity experts. Source: McKnight’s Senior Living

Accountable Care Organizations

• The CMS Innovation Center is implementing significant updates to the ACO REACH Model financial methodology starting in 2026 to achieve cost savings while maintaining care quality. These changes respond to a preview evaluation report showing increased net spending despite positive gross savings and quality care results in the program’s first year. The modifications aim to decrease net spending for 2026 while improving patient outcomes without disrupting care delivery. Accountable Care Organizations participating in ACO REACH serve as partners who assume financial risk for patients while offering enhanced benefits like telehealth visits, post-hospital home care, co-pay assistance, and condition management support. CMS has published both the financial methodology changes and the evaluation report that necessitated these updates to ensure the model meets the Innovation Center’s statutory mandate. Source: CMS
• Next Generation Accountable Care Organizations rarely used voluntary alignment systems that allow Medicare beneficiaries to self-select their healthcare providers, with only 29% of organizations attributing 1% or more of their population through this method. A mixed-methods study analyzing data from 2016 through 2021 found that beneficiaries who chose voluntary alignment were sicker and cost $5,068 more annually than those aligned through traditional claims-based methods ($16,187 vs $11,119). NGACO leaders cited implementation challenges, short administrative time frames, and limited population growth as barriers to voluntary alignment adoption, while acknowledging benefits including attribution flexibility and enhanced patient engagement. Source: The American Journal of Managed Care
• Value-based care adoption continues to accelerate across healthcare organizations, with more than 60% expecting revenue increases from VBC arrangements in 2025. A survey of 168 executives and clinical leaders at 142 healthcare organizations by Innovaccer and the National Association of ACOs found that 64% anticipate a revenue shift toward VBC this year compared to 2024. Currently, 30% of organizations derive at least 25% of their revenue from VBC contracts, while 13% have surpassed the 50% mark. Organizations are investing in data analytics and AI (31.2%), care management solutions (30%), and staff training (22.6%) to accelerate their VBC transitions, though barriers remain including financial risk (87%), provider resistance (80%), and data interoperability issues (75%). The report recommends a patient-centered approach, clinician support, financial risk management, and integrated data platforms to ease VBC transitions. Source: Advisory Board

Data Breach

• U.S. Dermatology Partners (Texas), a network of over 100 dermatology practices across several states, recently announced a cyberattack and data breach that occurred in June 2024. The network disruption on June 19, 2024, was indicative of a cyberattack, and subsequent investigations by third-party digital forensics experts confirmed unauthorized access and data exfiltration. By April 2, 2025, a thorough review revealed that the stolen data included personal information such as names, dates of birth, medical record numbers, health insurance information, and specific details about dermatology services received. Additionally, a limited number of individuals had their Social Security and/or driver’s license numbers compromised. Notification letters to affected individuals began mailing on May 30, 2025. USDP has offered complimentary credit monitoring and identity protection services to those whose Social Security numbers and/or driver’s license numbers were involved. This breach underscores the importance of robust cybersecurity measures to protect sensitive health information. Source: HIPAA Journal

Emerging Tech

• Intelligence Amplification technology is revolutionizing healthcare compliance management through systems like Compliance Risk Analyzer that detect and mitigate billing and coding risks. Unlike artificial general intelligence that aims to replace human decision-making, IA augments human capabilities through predictive analytics, statistical modeling, and heuristic methods that identify high-risk patterns by comparing provider data to national benchmarks. The system generates provider-specific risk analysis reports, creates targeted audit action plans, and enables benchmarking against industry standards, resulting in proactive risk mitigation, increased efficiency, cost savings, and improved audit accuracy. While delivering significant benefits, Compliance Risk Analyzer functions optimally as part of a hybrid model where IA supports human auditors, recognizing that healthcare compliance requires nuanced human judgment alongside computational assistance. Source: VMG Health

EMTALA

• The Trump administration rescinded Biden-era guidance requiring hospitals to perform emergency abortions under federal law. The Department of Health and Human Services issued guidance in July 2022 that required doctors to perform abortions in emergency departments under the Emergency Medical Treatment and Labor Act (EMTALA), even in states where abortion is banned, when the procedure serves as stabilizing treatment for conditions like ectopic pregnancy or preeclampsia. The guidance was part of the Biden administration’s efforts to preserve abortion access after the Supreme Court overturned Roe v. Wade. CMS announced they rescinded the guidance because it does not reflect current administration policy, though they said they will continue enforcing EMTALA for emergency medical conditions affecting pregnant women. Source: ABC News
• A federal investigation found that a Texas hospital violated law by sending a woman home without treating her life-threatening ectopic pregnancy. The Centers for Medicare and Medicaid Services determined that Ascension Seton Williamson in Round Rock failed to provide proper medical screening and stabilizing treatment to Kyleigh Thurman in February 2023. Thurman returned to the hospital multiple times with bleeding before her fallopian tube ruptured, requiring surgery that removed part of her reproductive system. The hospital violated the federal Emergency Medical Treatment and Labor Act, which requires emergency rooms to provide stabilizing treatment to all patients. The Trump administration announced it would revoke Biden-era guidance that directed hospitals to provide emergency abortions for women experiencing medical emergencies. Source: PBS News

Food & Drug Administration

• The Trump administration’s FY26 budget proposal for the FDA reveals significant structural changes while maintaining overall operational capacity. The $6.8 billion proposal represents a 3.9% decrease from FY25 levels, balancing reduced discretionary funding ($3.2 billion, down 11.4%) with increased user fees ($3.6 billion, up 4%). The budget prioritizes the “Make America Healthy Again” agenda with $234.6 million for food safety and chronic disease initiatives, including plans to phase out certain food dyes and modernize safety protocols. Workforce reductions continue with the budget reflecting cuts of 1,940 full-time employees and $456.6 million in support of the “Reduction of Federal Bureaucracy initiative,” while projecting $626 million in savings from streamlined agency functions. Congressional appropriations committees have begun reviewing the proposal and will continue the funding process through September 2025. Source: Akin Gump
• The FDA will implement artificial intelligence across all its centers by the end of June to combat regulatory delays caused by recent layoffs. The agency completed a pilot scientific review using generative AI that will reduce non-productive busywork in the review process. The AI rollout comes as the FDA has missed target decision dates for drug approvals and faces staffing cuts from the Health and Human Services Secretary, who put 3,500 FDA jobs on the chopping block. All FDA centers must begin implementing the AI approach immediately, with plans to tailor AI models to each center’s needs. Source: BioSpace

Fraud & Abuse

• Dr. Benjamin Tiongson, a pain management physician practicing in Houston, Sugar Land, and Katy, has agreed to pay $390,082 to resolve allegations of Medicare fraud. Between December 2021 and December 2022, Tiongson allegedly billed Medicare for surgical implantation of neurostimulator electrodes, procedures that typically require operating rooms and command thousands of dollars in reimbursement. Instead of performing these invasive surgeries, Tiongson reportedly provided electro-acupuncture treatments that merely involved inserting thin wires into patients’ ears and taping devices behind them, all conducted in clinic settings without surgical incisions. The settlement, reached after investigation by the U.S. Attorney’s Office and Department of Health and Human Services, resolves these allegations without determination of liability. Source: United States Department of Justice
• A Frisco physician has agreed to pay $3.5 million to resolve allegations of COVID-19 billing fraud. Dr. Samad Khan, owner of SK Primary Care, allegedly submitted approximately 400,000 false claims to the COVID-19 Uninsured Program between April 2020 and October 2021 for evaluation and management services that were never performed. The United States contends that Khan’s COVID-19 testing sites were staffed by medical assistants who only performed specimen collection, yet he billed for higher-level services that required qualified healthcare professionals and often submitted two claims per patient—one for testing and another for providing results. Khan knowingly used incorrect billing codes that provided substantially higher reimbursements than the appropriate specimen collection codes, according to the settlement that resolves these allegations without a determination of liability. Source: United States Department of Justice

HIPAA

• Healthcare organizations must implement comprehensive vendor management strategies to mitigate significant HIPAA compliance risks from third-party relationships. While properly executing Business Associate Agreements is crucial, experts emphasize it must be part of a broader risk-based approach that includes thorough initial vetting, continuous monitoring, and incident response planning. Organizations should implement tiered vendor assessments based on data access levels and sensitivity, with particular scrutiny for vendors handling Protected Health Information. Common compliance failures include treating BAAs as mere checkboxes, insufficient upfront diligence, inadequate ongoing monitoring, and failure to assess subcontractor relationships. Healthcare entities cannot outsource accountability and must treat vendors as extensions of their organization while maintaining clear boundaries regarding day-to-day operations to properly manage liability. Source: Relias Media

Med Spas

• Texas House Bill 3749, known as “Jenifer’s Law,” has undergone complete revision from its original form that could have shuttered many IV hydration clinics to legislation that may actually reduce regulatory restrictions on the industry. The bill was prompted by the death of Jenifer Cleveland in July 2023 after receiving an IV infusion at a Wortham, Texas medical spa, where an investigation revealed an absent medical director, lack of protocols, and treatment by an unlicensed individual. The legislation passed both the House and Senate by large margins and awaits Governor Greg Abbott’s signature, with an effective date of September 1, 2025. The most significant change in the final bill is its characterization of IV therapy as “elective” rather than medically necessary treatment, shifting the focus from documenting medical necessity to ensuring safety through contraindication screening. This change may permit the return of “menu medicine” where patients can select IV treatments from a menu of options without requiring a diagnosis or proof that the treatment addresses a specific medical condition. Source: HCH Lawyers

Medicare & Medicaid

• Trump directs Health and Human Services to cap Medicaid payments at Medicare rates to eliminate fraud schemes. The memorandum targets state programs that tax healthcare providers then return the money as Medicaid payments, which triggers federal matching funds and allows providers to receive nearly three times Medicare rates. State Directed Payments under this system quadrupled over four years and reached $110 billion in 2024. The directive instructs the Secretary of Health and Human Services to ensure Medicaid payment rates do not exceed Medicare levels. Trump claims the current system allows states to avoid contributing funds while enriching healthcare providers through federal matching payments. Source: The White House
• CMS will audit all Medicare Advantage contracts for each payment year in newly initiated audits following an announcement on May 21, 2025. The agency plans to complete audits for payment years 2018 through 2024, as CMS is several years behind in completing Risk Adjustment Data Validation (RADV) audits that verify diagnosis codes submitted by MA plans are supported by patient medical records. The Medicare Payment Advisory Commission estimates MA plans may overbill the government $43 billion per year through risk-adjusted payments based on enrollee diagnoses. CMS Administrator Dr. Mehmet Oz stated the agency has a duty to ensure MA plans bill the government accurately, and the Trump Administration aims to complete remaining audits by early 2026. To meet this goal, CMS will increase medical coders from 40 to 2,000 people beginning in September 2025 and deploy technology to flag unsupported diagnoses. Source: King & Spalding
• The Center for Medicare and Medicaid Innovation plans to expand digital health technology and artificial intelligence integration across federal health care programs. CMMI released a white paper on May 13, 2025, outlining its strategy that emphasizes virtual care expansion, mobile health applications, and AI implementation for value-based care organizations. CMS Administrator Dr. Mehmet Oz and CMMI Director Abe Sutton stated that AI can increase health care supply and announced plans to create clearer reimbursement pathways for AI technologies. The agency seeks public input on certifying health-focused mobile applications for Medicare inclusion and is requesting comments on digital health through June 16, 2025. Sutton cautioned that some AI systems may increase costs by enabling providers to capture more services, requiring targeted reforms to focus on technologies that both expand care supply and reduce expenses. Source: Jones Day

Price Transparency

• CMS published guidance and a Request for Information on Hospital Price Transparency rules following President Trump’s February 25, 2025 Executive Order on healthcare pricing transparency. The guidance instructs hospitals to stop using “999999999” as a placeholder when calculating “estimated allowed amounts” and instead use actual average dollar amounts from electronic remittance advice data from the past 12 months. The Request for Information seeks public input on improving hospital compliance and enforcement processes through six questions covering data accuracy, completeness, and suggestions for enhancing the quality of machine-readable files. CMS wants feedback on defining data accuracy and completeness terms, identifying external data sources for validation, and improving compliance tools like the CMS validator. Source: King & Spalding

Emerging Tech

• Alibaba’s healthcare AI model has achieved medical expertise comparable to senior physicians in China. The model, powered by Qwen 2.5-32B foundation technology, passed medical qualification exams at the “Deputy Chief Physician” level across 12 disciplines with 74.8% accuracy, outperforming competitors including OpenAI’s GPT-4o. Now integrated into Alibaba’s Quark AI assistant app with 200 million users, the model automatically handles health-related inquiries and has been refined through collaboration with medical institutions. Source: South China Morning Post
• Digital health companies using AI for patient communication face significant legal exposure under the Telephone Consumer Protection Act (TCPA). While many companies focus solely on HIPAA compliance, the TCPA restricts automated calls, texts, and artificial voice messages without prior express consent, with written consent required for marketing communications. The FCC’s 2024 ruling classified AI-generated voices as “artificial voices” under the TCPA, though courts continue to wrestle with how this applies to chatbots and text-based systems. Digital health companies should conduct TCPA risk assessments, audit consent processes, obtain express written consent when in doubt, and monitor evolving litigation trends. Despite a 2021 Supreme Court decision narrowing the definition of automatic telephone dialing systems, TCPA compliance remains challenging as state regulations may differ and create legal risks even for companies without telemarketing intent. Source: Foley & Lardner LLP
• The U.S. House of Representatives has passed legislation imposing a 10-year federal moratorium on state AI regulation. The “One Big Beautiful Bill Act” (H.R. 1) narrowly passed on May 22, 2025 by a 215-214 vote, containing a provision that would preempt state laws regulating artificial intelligence systems, potentially nullifying healthcare protections enacted in states like California, Connecticut, and Maryland. The moratorium threatens state initiatives requiring human oversight of AI in healthcare decisions, particularly those preventing insurers from using AI to autonomously deny coverage or process claims. The proposal faces significant opposition from state officials, including a bipartisan group of 35 California lawmakers and the National Conference of State Legislatures, while also potentially violating the Senate’s Byrd Rule as it may be considered extraneous to budgetary matters in a reconciliation bill. Source: Arnall Golden Gregory LLP

Data Breaches

• WellNow Urgent Care has reached a $4.4 million settlement following a 2023 ransomware attack that compromised the protected health information of approximately 597,000 individuals. The cyberattack exposed sensitive data including names, birth dates, and for some victims, Social Security numbers, leading to consolidated lawsuits filed in March 2024 that alleged negligence and breach of implied contract. The settlement divides affected individuals into two subclasses: 541,870 people whose Social Security numbers were not compromised (eligible for up to $3.3 million in benefits) and 55,131 people whose Social Security numbers were exposed (eligible for up to $1.1 million in benefits). Class members can claim compensation for lost time and documented expenses up to $7,500, with those in the SSN subclass having the additional option of receiving a pro rata cash payment. Source: HIPAA Journal
• Four healthcare organizations across the United States recently reported data breaches exposing sensitive patient information. Cooper Health System in New Jersey experienced the largest breach, affecting 57,412 individuals whose names and Social Security numbers were compromised after unusual network activity was detected on May 14, 2024. Union County Children and Youth Services in Pennsylvania suffered a ransomware attack on March 13, 2025, with at least 501 individuals affected, while Balance Autism in Iowa reported unauthorized access affecting 1,281 clients between March 11-17, 2025. The Carpenter Health Network in Louisiana identified a security incident between February 4-28, 2025, compromising personal and health information of 878 individuals, with all four organizations implementing additional security measures and offering credit monitoring services to affected individuals. Source: HIPAA Journal

Food & Drug Administration

• The FDA is expanding the use of artificial intelligence across all product centers following a successful pilot program that dramatically improved application review times. After years of providing AI guidance to industry, the FDA is deploying AI-based review programs targeting full integration by June 30, 2025. One reviewer reported completing tasks in minutes that previously took three days, with AI systems helping to summarize clinical trials, flag anomalies, identify safety signals, and support benefit-risk assessments. While promising efficiency gains, the FDA acknowledges risks requiring careful management, including maintaining scientific rigor, preventing algorithmic bias, and ensuring transparency to stakeholders. The agency’s AI implementation raises important questions about potential impacts on approval timelines, user fees, market readiness for accelerated approvals, and the value of Priority Review Vouchers. Source: Loeb & Loeb Quick Takes

Med Spas

• Texas House Bill 3749 has been revised to focus solely on regulating elective IV therapies administered outside traditional medical settings, abandoning its original scope that would have increased oversight of med spas. The bill, which originally sought to establish comprehensive regulations for med spas including additional physician supervision requirements, now exclusively addresses IV therapy protocols and delegation of authority. Under the revised legislation, physicians may delegate IV therapy prescriptive authority to physician assistants and nurse practitioners, while administration can be performed by these professionals or registered nurses under adequate physician supervision. The bill has passed the Texas House and awaits Senate review, with potential implementation scheduled for September 1, 2025. Med spa operators not offering IV therapies will see no immediate regulatory changes, though industry observers note that future legislative sessions may revisit med spa regulations. Source: McQuire Woods
• Medical spa owners face critical decisions when selling their businesses, with private equity partnerships and broker engagement representing two primary pathways. Private equity firms offer substantial capital, industry expertise, and growth acceleration but come with potential downsides including loss of control, high performance expectations, predetermined exit strategies, and capital costs. Brokers provide valuable market knowledge, industry connections, confidentiality protection, negotiation skills, and time savings, though their services include commission fees and require careful selection. The optimal approach depends on individual goals, risk tolerance, and long-term vision. Source: VMG Health

Medicare

• The Center for Medicare and Medicaid Innovation has pivoted to a market-based approach that prioritizes prevention, patient choice, and competition. Announced on May 13, 2025, the new strategy includes preventive care measures in all models, provides patients with health data to support decision-making, and incentivizes participation from independent physician practices outside of larger health systems. This direction differs from the previous Biden administration focus on health equity, multi-payer alignment, and person-centered care, though some goals like expanding accountable care relationships remain. CMMI Director Abe Sutton emphasized the organization’s commitment to fiscally responsible models that protect taxpayer dollars while preserving quality of care. The strategy will likely result in new models that increase provider financial risk and discontinue programs that fail to meet cost-saving criteria. Source: Mintz
• The Centers for Medicare and Medicaid Services (CMS) implemented the Accountable Care Prospective Trend (ACPT) in 2024 as part of changes to how benchmarks are set in the Medicare Shared Savings Program (MSSP). The ACPT growth rate (4.9%) falls significantly below the 7.5-9.0% growth reported by Accountable Care Organizations (ACOs) and independent analysts, creating financial challenges for organizations entering new agreements in 2024. The ACPT aims to address the “collective success problem” by separating benchmark updates from actual spending growth, potentially making participation more attractive long-term while creating short-term disincentives. CMS established guardrails for when gaps occur between projected and actual spending, including the option to reduce the ACPT weight, which the author recommends implementing for 2024 to mitigate financial impacts on participating ACOs. Source: Health Affairs

Private Equity

• Private equity firms investing in healthcare face mounting legal and regulatory challenges across multiple fronts. The FTC and DOJ have intensified antitrust scrutiny of healthcare roll-up strategies, with enforcement actions targeting even smaller acquisitions that accumulate market power, as demonstrated by the recent USAP case resulting in a final consent order with notification and compliance requirements. States including New York, Massachusetts, Vermont, Rhode Island, and Connecticut have enacted laws requiring pre-transaction notice or approval for healthcare mergers and acquisitions, while the Corporate Practice of Medicine doctrine continues to restrict non-physician ownership of medical practices in states like New Jersey and New York. PE-backed healthcare entities face increased scrutiny through False Claims Act investigations related to billing practices, as seen in the $15.3 million settlement with Alliance Family of Companies, while simultaneously confronting public criticism that PE ownership prioritizes profits over patient care. Proactive legal planning and ongoing compliance monitoring have become essential for PE firms to navigate this complex environment and protect long-term investments in healthcare. Source: Greenbaum, Rowe, Smith & Davis LLP

Real Estate

• Specialized appraisers are essential in healthcare real estate due to the sector’s unique complexities. Healthcare properties require appraisers with expertise in four critical areas: understanding healthcare operations across various facility types, navigating complex lease structures including timeshare arrangements, interpreting healthcare market trends and demographics that affect property values, and evaluating diverse property types from hospitals to specialized treatment centers with unique design requirements. These specialized appraisers can accurately determine property values by comprehending how buildings operate, evaluating unique lease structures, forecasting market trends, and recognizing the specific functional needs of different healthcare facilities. Source: VMG Health

Smart Devices

• Smart devices are revolutionizing healthcare by shifting the industry from reactive treatment to proactive prevention through continuous monitoring technologies. These devices collect real-time physiological data including heart rate, blood oxygen levels, and glucose measurements, which AI algorithms analyze to detect patterns and predict health risks before symptoms appear. Wearable technologies like smartwatches with ECG capabilities can identify irregular heart rhythms, infectious diseases, and neurological disorders while enabling remote monitoring and integration with telehealth platforms. Emerging innovations include advanced biosensors that detect biomarkers through sweat or tears, miniaturized implantable devices for internal monitoring, and digital twins that create virtual replicas of patients to predict disease progression and optimal treatments. The transformation toward predictive healthcare faces challenges in ensuring data security, developing explainable AI systems that clinicians can trust, and providing equitable access across populations. Source: Healthcare Tech Outlook
• Consumer health AI technologies are rapidly entering a complex regulatory environment as they shift from an unregulated space to one governed by various state privacy laws. These technologies often fall outside HIPAA’s scope but are increasingly subject to regulations like the California Consumer Privacy Act, Washington’s My Health My Data Act, and Texas’s Data Privacy and Security Act. The resulting regulatory patchwork varies by location and treats combined geolocation and healthcare data as particularly sensitive information. Tech companies using AI in consumer health applications will need to adapt to these unfamiliar privacy and security requirements that govern the collection and sharing of sensitive personal data. Source: GovInfoSecurity

Taxation

• CMS has proposed new rules to eliminate a Medicaid financing loophole that could save the federal government $33 billion over five years. The May 15, 2025 proposal aims to prevent states from disproportionately taxing Medicaid services to draw down federal matching funds by adding stricter requirements for healthcare-related tax waivers. Seven states with existing waivers, including California, New York, Michigan, and Massachusetts, would be affected, with recently approved waivers receiving no transition period and requiring immediate compliance when the rule is finalized. The changes would prevent states from imposing higher tax rates on Medicaid-related services than on non-Medicaid services, forcing significant restructuring of state healthcare taxes. This regulatory effort parallels congressional action, as the House Energy and Commerce Committee recently advanced similar provisions in the 2025 budget reconciliation bill. Source: Sheppard Mullin Richter & Hampton LLP

Antitrust

• State attorneys general are intensifying antitrust enforcement across multiple fronts. States are implementing “baby HSR” statutes requiring merging companies to file notifications directly with state AGs, with Washington recently adopting such laws and Colorado’s taking effect in August 2025. Litigation activity is increasing around healthcare and labor issues, exemplified by Michigan’s lawsuit against pharmacy benefit managers for price fixing and California’s action against no-poach agreements in the food processing industry. States are also bolstering criminal enforcement through initiatives like BRACE—a bid-rigging and criminal enforcement working group—while legislatures in California and New York advance bills to increase criminal penalties for antitrust violations. Companies must now consider state enforcement as carefully as federal oversight, with particular attention to transaction notifications, litigation risk, and enhanced criminal enforcement. Source: McCarter & English, LLP
• The Department of Justice secured its first criminal wage-fixing conviction when a federal jury found a home health care operator guilty of conspiring with competitors to fix wages for home healthcare nurses. The April 14, 2025 verdict in the District of Nevada case relied heavily on text messages between the operator and competitors that referenced a “mutual agreement” on wages. This landmark conviction follows the DOJ’s 2016 guidance that wage-fixing agreements among labor-market competitors are per se illegal and subject to criminal prosecution, despite previous unsuccessful attempts to secure jury convictions in similar cases. The case is a cautionary tale of the risks of communications outside normal corporate monitoring. Source: Lathrop GPM

Bioprinting

• 3D printing is revolutionizing healthcare by enabling a shift from mass-produced solutions to customized treatments tailored to individual patients. The technology has transformed multiple medical fields, including prosthetics that can be made affordably for children, custom implants for facial reconstruction and spine repairs, and anatomical models that allow surgeons to practice complex procedures before operations. In pharmaceuticals, 3D printing creates personalized drug dosages and delivery systems, with the FDA approving the first 3D-printed drug Spritam in 2015. While bioprinting has progressed to creating tissue structures like liver tissue, developing full functional organs remains experimental, with current research focusing on smaller tissues and improving cell viability. Despite challenges with regulations, standardization, and accessibility, the integration of artificial intelligence with 3D printing promises further advances in medical applications through optimized designs and materials. Source: Ars Technica

Data Privacy

• The Department of Justice’s new Data Security Program imposes extensive restrictions on healthcare organizations handling sensitive personal data with international partners. Effective April 8, 2025, the program regulates six categories of sensitive data including health information, biometric, and genomic data, with no exemptions for anonymized or de-identified information. Healthcare organizations must implement contractual safeguards when sharing data with any foreign entity, not just those in designated “countries of concern” (China, Russia, Iran, North Korea, Cuba, and Venezuela), with violations reportable within 14 days. The rule provides limited exemptions for federally-funded research, clinical investigations, and transactions required by federal law, while requiring organizations to develop comprehensive compliance programs before full enforcement begins July 8, 2025. Source: Baker Donelson

Drug & Devices

• Biotech companies are increasingly turning to collaborative deal structures to navigate FDA staffing shortages and financial constraints. With FDA retirements and layoffs extending approval timelines, biotechs facing limited cash runways are using licensing agreements and development partnerships to secure alternative financing while reducing operational costs. These collaborations typically involve upfront payments, milestone-based compensation, and royalties, as exemplified by Zealand Pharma’s recent $5.3 billion collaboration with Roche for obesity treatment technology. However, Hart-Scott-Rodino filing requirements for transactions exceeding certain thresholds (now $126.4 million in 2025) may delay deal completions, with new rules extending filing timelines from under 10 days to at least 30 days and increased scrutiny from the FTC and DOJ on pharmaceutical industry transactions. Source: JD Supra

Emerging Technology

• Brain-computer interface technology is advancing rapidly with four leading companies poised to expand human trials significantly in 2025. Paradromics, Synchron, Precision Neuroscience, and Neuralink each employ different implantation approaches, from Synchron’s blood vessel-based electrodes to Neuralink’s deep brain implants that penetrate seven millimeters into brain tissue. The number of people with these interfaces will more than double in the next 12 months as companies advance their FDA-approved trials, while Apple has announced plans to make its devices compatible with these implants. Though medical experts caution against viewing this technology as a consumer product due to surgical risks, Morgan Stanley projects the brain-computer implant market will reach $1 billion annually by 2041. These interfaces already enable paralyzed patients to control computers and communicate, with potential future applications including thought-to-speech translation and prosthetic limb manipulation. Source: Wall Street Journal
• Taiwan is pioneering AI healthcare integration with Nurabot, an AI-powered robot nurse that handles routine hospital tasks to address nurse burnout. Developed through collaboration between Foxconn and Kawasaki Heavy Industries, Nurabot delivers medications, patrols wards, and guides visitors, allowing human nurses to focus on critical patient care as the world faces a projected shortage of 4.5 million nurses by 2030. The technology leverages NVIDIA supercomputers and digital twins—virtual replicas of hospital wards—to simulate and optimize operations before real-world implementation. Taichung Veterans General Hospital is currently conducting field trials with Nurabot, while future iterations may communicate in multiple languages, recognize faces, and assist in lifting patients. Despite challenges like data privacy concerns, Taiwan’s approach offers potential solutions to global healthcare staffing issues through AI integration. Source: Rude Baguette
• IoT technology revolutionizes healthcare billing through automation and real-time data access. The systems enable automatic recording of usage and charges without manual compilation, providing staff with precise information for error-free bills while reducing labor costs. Patients gain transparency through digital portals displaying detailed bill breakdowns, which reduces disputes and encourages timely payments. Implementation challenges include data privacy concerns (59% of patients fear misuse of medical information), regulatory compliance with laws like HIPAA, compatibility issues between vendor systems, and high upfront costs despite long-term savings. Source: IoT For All

Fraud & Abuse

• Texas rheumatologist Jorge Zamora-Quezada was sentenced to 10 years in prison for a massive health care fraud scheme that generated over $118 million in false claims. The 68-year-old doctor falsely diagnosed patients with rheumatoid arthritis and administered unnecessary toxic medications to defraud Medicare, Medicaid, TRICARE, and Blue Cross Blue Shield, resulting in insurers paying over $28 million. Patients suffered severe side effects including strokes, necrosis, hair loss, and liver damage from the unneeded treatments, while former employees described a workplace culture of fear with strict procedure quotas. Following his conviction on health care fraud and obstruction charges, Zamora-Quezada was ordered to forfeit $28,245,454 in assets, including 13 real estate properties, a private jet, and a Maserati that he purchased with his ill-gotten gains. Source: United States Department of Justice
• The U.S. Department of Justice launched a new Civil Rights Fraud Initiative to leverage the False Claims Act against organizations receiving federal funding. The initiative, announced on May 19, 2025, targets entities that tolerate antisemitism, permit men in women’s spaces or female athletic competitions, or implement DEI practices deemed unlawful while certifying compliance with civil rights laws. DOJ will focus on organizations that knowingly engage in what the memorandum describes as “racist preferences” through DEI programs that allocate benefits based on race, ethnicity, or national origin. The department encourages private parties to participate by filing lawsuits as qui tam relators under the FCA, with potential implications for federal contractors, educational institutions, and other federal funding recipients. Source: The FCA Insider
• A jury has convicted 64-year-old Paul Njoku on all counts for orchestrating a Medicare fraud scheme through his home health care agency in Houston. Evidence showed Njoku forged signatures of doctors and nurses on medical documents, continued using a departed nurse’s signature without permission, and bribed a doctor to approve services. From 2015 to 2019, his company Opnet Health Care Services billed Medicare over $400,000 and received more than $360,000 for claims without proper documentation. Njoku now faces maximum penalties of 10 years for conspiracy to commit health care fraud, five years for false statements, and two additional years for identity theft, along with potential fines of $250,000 per count. Source: United States Department of Justice
• Fresno-based Community Health System and affiliate Physician Network Advantage paid $31.5 million to settle allegations of an elaborate kickback scheme involving their Epic EHR system. According to a 2019 whistleblower lawsuit, the organizations provided physicians with extravagant incentives to adopt the Epic EHR system, including access to a $1.1 million wine and cigar lounge, luxury trips, gifts worth tens of thousands of dollars, and hiring family members of executives and physicians. The former controller who filed the lawsuit discovered approximately 1,000 bottles of wine after a fire at the organization’s offices, which sparked the investigation into the alleged scheme that included subsidies for EHR adoption in exchange for government healthcare program referrals. While Community Health System claims the lawsuit contains inaccurate information that doesn’t reflect their standards, Physician Network Advantage stated the settlement concludes the matter without admission of legal liability. Source: Becker’s Hospital Review

Gender-Affirming Care

• Attorney General Pam Bondi has directed the Department of Justice to pursue extensive investigations and prosecutions against providers of gender-affirming care for transgender minors. The unverified internal memorandum outlines three primary directives: criminal investigation of what the memo terms “FGM” cases with potential 10-year prison sentences, investigation of pharmaceutical companies for alleged violations of the Food, Drug and Cosmetic Act related to puberty blockers and hormones, and pursuit of False Claims Act violations for billing federal healthcare programs for gender-affirming procedures. Bondi has also instructed the Office of Legislative Affairs to draft legislation creating a private right of action for children and parents who received such care, with long statutes of limitations and retroactive liability. The Attorney General declared these directives a “top priority,” stating, “Under my leadership, the Department of Justice will bring these practices to an end.” Source: Healthcare Law Insights
• The Texas House approved a bill requiring medical records to include a field for sex assigned at birth, with penalties up to $250,000 for providers who violate its provisions. The legislation includes provisions for healthcare providers’ use of digital servers and artificial intelligence while mandating disclosure of AI use for diagnoses. Democrats opposed the measure, arguing it forces transgender patients to have a gender marker they don’t identify with displayed in their records, while proponents contend it ensures physicians have complete medical information for accurate care. The bill also grants parents unrestricted access to their minor children’s medical records unless blocked by court order. The bill requires one more House vote before heading to the Senate and potentially to Governor Abbott’s desk. Source: The Texas Tribune

Medical Malpractice

• Four key states are implementing significant medical malpractice reforms that fundamentally reshape how liability cases proceed through the legal system. Texas restricts evidence to actual payments rather than billed amounts while requiring disclosure of third-party litigation funding, Georgia eliminates “anchoring” tactics by plaintiffs and imposes procedural barriers including discovery stays, Utah establishes minimum insurance requirements and reporting mechanisms to address rural provider shortages, and South Carolina narrows joint liability by requiring fault allocation across all parties. These state-level reforms demonstrate a shift away from headline-grabbing damage caps toward granular changes to legal mechanics that advantage defendants earlier in proceedings, potentially signaling a nationwide trend in malpractice litigation rules. Source: Scott Righthand

Medicare

• The Centers for Medicare & Medicaid Services will implement annual audits of Medicare Advantage plans to address overpayment issues. The new measure represents a significant shift in CMS oversight of the Medicare Advantage program. This action aims to recover funds from insurers who receive payments for conditions not properly documented in patient records. Source: Modern Healthcare
• The Supreme Court has significantly narrowed Disproportionate Share Hospital (DSH) reimbursement by ruling that only Medicare patients who received cash Supplemental Security Income payments during their hospitalization month can be counted in payment calculations. In a 7-2 decision in Advocate Christ Medical Center v. Kennedy, the Court rejected arguments from over 200 hospitals that sought to include all SSI-enrolled patients regardless of whether they received payment in the specific month. The Court determined that “entitled to SSI benefits” refers strictly to monthly cash payments rather than general program enrollment or non-cash benefits like continued Medicaid eligibility. This ruling aligns with the Department of Health and Human Services’ interpretation that SSI eligibility is assessed month-by-month based on income and resources. The decision will likely reduce financial support for safety-net hospitals serving economically disadvantaged Medicare patients, as they can no longer count patients enrolled in—but not actively receiving—SSI payments during their hospitalization. Source: Health Care Law Brief

Mental Health

• Federal departments have suspended enforcement of the 2024 Mental Health Parity regulations until ongoing litigation concludes plus 18 months . The suspension, announced on May 15, 2025, reinstates the 2013 Final Rule and affects three key requirements: outcomes-based testing, mandatory meaningful benefits across classifications, and fiduciary certification obligations. Plan sponsors and insurers must still conduct nonquantitative treatment limitation comparative analyses and maintain compliance with statutory obligations under the Consolidated Appropriations Act. The departments indicated they will reexamine their enforcement approaches while encouraging states to adopt similar enforcement positions. Despite the suspension, health plans should continue good-faith compliance efforts with the remaining mental health parity requirements. Source: McDermott Will & Emery

Academic Medical Centers

• The Department of Justice’s Final Rule implementing Executive Order 14117 creates significant restrictions for Academic Medical Centers engaged in international clinical research. The rule, published January 8, 2025, prohibits or limits transactions involving sensitive personal data with “Countries of Concern” including China, Russia, Iran, North Korea, Cuba, and Venezuela, targeting eight categories of “Covered Data” such as biometric identifiers, genomic data, and health information. Academic Medical Centers must review existing and proposed international collaborations, ensure vendors aren’t affiliated with designated countries, and implement enhanced data governance frameworks to maintain compliance. Violations carry severe penalties, including civil fines up to $368,136 or twice the transaction amount, and potential criminal penalties of up to $1 million and 20 years imprisonment for willful violations. Source: Foley & Lardner LLP

Data Breach

• Vision Upright MRI has settled with the HHS Office for Civil Rights for HIPAA violations after a data breach exposed 21,778 patients’ medical images. The California-based imaging provider never conducted a required HIPAA risk analysis and failed to notify affected individuals within the mandatory 60-day timeframe following breach discovery. Under the settlement terms, Vision Upright MRI paid $5,000 and must implement a two-year corrective action plan including breach notifications, risk analysis, management plans, HIPAA-compliant policies, and staff training. Source: HHS.gov

Fraud & Abuse

• The Department of Justice has prioritized False Claims Act theories in its criminal enforcement agenda. The Criminal Division’s top priorities include health care fraud and government contracts fraud, trade and customs fraud, and violations of controlled substances laws—all central focuses of False Claims Act enforcement. These enforcement priorities suggest the DOJ views civil FCA liability and criminal penalties as connected pathways in addressing high-priority misconduct. Businesses in regulated industries now face potential parallel criminal investigations alongside civil FCA scrutiny, making robust compliance systems increasingly critical. Recent changes to DOJ enforcement policies regarding self-disclosure, cooperation, and remediation further emphasize that compliance missteps may carry heavier penalties than before. Source: Skadden, Arps, Slate, Meagher & Flom LLP

Health Data

• Patient data faces significant vulnerabilities when health tech companies fold, due to inadequate regulations and inconsistent security practices. Despite the health tech industry’s growth to $908.5 billion in 2023 with projections to reach $3.1 trillion by 2033, approximately 90% of health tech startups eventually fail, as exemplified by Forward’s abrupt closure in 2024 which left patients struggling to retrieve health records and maintain prescription access. Currently, only 20 states have instituted rules for patient health data protection, with most safeguards relying on user agreements that 91% of consumers don’t read, as seen when 23andMe’s bankruptcy prompted customers to rush to delete their data before possible transfer. Security experts recommend companies implement solid encryption, access controls, proper data deletion procedures with 30-day buffers, and rapid response plans to protect patient information when companies shut down. Source: Healthcare Brew

Insurance Coverage

• The Tenth Circuit Court of Appeals has ruled that hospital excess liability insurance policies must treat each patient claim as a separate “medical incident.” The May 2, 2025 decision in AdHealth Limited v. PorterCare Adventist Health Systems affirmed that each claim must individually exceed the $2 million self-insurance retention to qualify for excess coverage. PorterCare had sought $40 million in coverage after settling lawsuits from thousands of patients exposed to infection risks due to inadequate sterilization procedures. The court rejected PorterCare’s argument that all claims constituted a single medical incident, instead interpreting the policy language “any one person” as unambiguously limiting coverage to individual claimants. The ruling highlights the importance of policy language in determining how multiple related claims will be treated for insurance purposes. Source: Carlton Fields

Long-Term Care

• A federal court has struck down key provisions of the Centers for Medicare & Medicaid Services’ staffing mandate for long-term care facilities. The Northern District of Texas vacated requirements for 24/7 registered nurse staffing and minimum staffing ratios of 3.48 hours per resident per day that were set to begin implementation in May 2026. The court determined CMS exceeded its statutory authority by contradicting existing law that requires RN services for only eight consecutive hours daily and by imposing uniform staffing ratios that fail to account for facilities’ unique needs. This ruling follows the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo, which limits federal agencies to authority clearly delegated by Congress and enhances judicial oversight of regulatory actions. While providing regulatory relief, long-term care facilities should continue addressing staffing challenges and monitor potential appeals of this decision. Source: Troutman Pepper Locke

Medicare Advantage

• UnitedHealth Group faces multiple federal investigations amid leadership changes and financial struggles. According to The Wall Street Journal, the Department of Justice has been conducting a criminal fraud investigation into UnitedHealthcare’s Medicare Advantage business since at least summer 2024, though the company claims no knowledge of such an investigation. This comes alongside an existing antitrust probe examining the relationship between UnitedHealthcare and Optum, plus a civil investigation into Medicare Advantage billing practices. UnitedHealth reported poor first-quarter performance in 2025 with medical costs exceeding expectations. The company’s stock has reached multi-year lows following these developments. Source: Fierce Healthcare

Mergers & Acquisitions

• Healthcare transaction activity hit its lowest point since Q3 2020, with Q4 2024 volumes decreasing 10.4% from Q3 and 11.7% compared to Q4 2023. Professional Services, Outsourced Services, and Behavioral Health dominated the landscape, accounting for 73.2% of all transactions, with significant deals including New Enterprise Associates’ $1.3 billion acquisition of NeueHealth and Cencora’s $4.6 billion purchase of Retina Consultants of America. Despite an overall 4.9% decline in 2024 transactions compared to 2023, certain sectors showed growth, including Behavioral Health (+7.5%), Managed Care (+10.6%), and Specialty Outpatient Facilities (+14.0%). Healthcare investors continue to face regulatory scrutiny and elevated interest rates, though the incoming Trump administration is expected to create a more favorable M&A environment in 2025 with a less aggressive approach to merger regulation and potential tax cuts. Source: [Ankura](https://www.jdsupra.com/legalnews/quarterly-healthcare-transactions-4427961/

Part 2

• The U.S. Department of Health and Human Services has updated 42 CFR Part 2 to align substance use disorder record confidentiality requirements with HIPAA and HITECH standards. The New Rule allows patients to sign a single consent form for future disclosures rather than requiring separate authorizations for each disclosure, while also implementing HIPAA-like breach notification requirements. Penalties for violations now include both civil fines up to $1.5 million per calendar year and criminal penalties up to $250,000 with potential imprisonment from one to ten years. Healthcare entities subject to Part 2 must update their policies regarding patient consent, information disclosure, medical records, breach notification, privacy notices, and data storage. Organizations must comply with these new requirements by February 16, 2026 to avoid significant penalties in the increasingly stringent enforcement landscape. Source: Katton

Regulation

• The Federal Trade Commission and Department of Justice have directed federal agency heads to identify anticompetitive regulations for potential elimination, with a focus on healthcare sector regulations. Following President Trump’s Executive Order 14267, agencies must submit their lists by June 18, 2025, to facilitate review of regulations that create monopolies, establish barriers to entry, or otherwise limit market competition. The May 5 joint letter specifically highlights concerns about healthcare regulations under the Affordable Care Act potentially pushing low-cost insurance plans out of the market and inducing vertical consolidation that raises prices. The letter also notes that pharmaceutical regulations may delay the introduction of more affordable medicines, though no specific regulations were identified for elimination. This initiative follows the DOJ’s launch of an Anticompetitive Regulations Task Force and the FTC’s Request for Information seeking public input on regulations with anticompetitive effects. Source: Epstein Becker Green

Artificial Intelligence in Healthcare

• Bipartisan senators have introduced the Health Tech Investment Act (S. 1399), which would create a Medicare reimbursement pathway for FDA-cleared AI-enabled medical devices. The bill, sponsored by Senators Mike Rounds (R-S.D.) and Martin Heinrich (D-N.M.), would establish a new technology ambulatory payment classification for eligible algorithm-based devices with pricing determined by manufacturer cost data. If approved, AI-enabled services would remain in this classification for at least five years and must have a defined beginning, middle, and end while being distinct from underlying services. This legislation follows another AI healthcare bill (H.R.238) introduced earlier in 2023 that would allow AI systems to autonomously prescribe FDA-approved medications if authorized by states. Source: MobiHealthNews
• Limitations on the current model of AI deployment has given way to a proposal for a new framework for clinical trials of medical AI. The current linear model of AI deployment, where models are trained and then deployed with fixed parameters, is not well-suited for adaptive large language models (LLMs). This paper introduces “dynamic deployment,” a systems-level approach where AI models continuously learn and adapt from new data and user interactions during deployment. This method allows for real-time monitoring and clinical validation, addressing the gap between AI research and real-world patient benefit. While challenges such as infrastructure, cost, and regulation exist, dynamic deployment offers a path for integrating continually learning AI systems into healthcare. Source: NJP Digital Medicine

Fraud & Abuse

• The Seventh and Second Circuits issued opinions narrowing the scope of advertising, marketing, and booking fee activities that violate the federal Anti-Kickback Statute (AKS). In Sorenson, the Seventh Circuit reversed a conviction by ruling that payments to marketing firms for generating leads don’t constitute illegal kickbacks when physicians retain independent judgment and the payments represent compensation for advertising rather than inducement for referrals. Similarly, in Sisselman, the Second Circuit affirmed dismissal of claims against Zocdoc, finding that the company’s reliance on favorable HHS-OIG advisory opinions about its booking fee model defeated the scienter requirement necessary for AKS violations. These rulings establish that marketing activities are not automatically illegal under the AKS when marketers don’t directly influence healthcare decisions and that obtaining favorable advisory opinions can provide protection against both AKS and False Claims Act allegations. Source: Venable
• The U.S. Attorney’s Office for the Southern District of New York announced a $202 million civil False Claims Act settlement with Gilead, resolving allegations that the company’s speaker program violated the Anti-Kickback Statute. Between 2011 and 2017, Gilead paid 548 healthcare providers more than $23.7 million in honoraria, meals, and travel expenses, which prosecutors claimed induced recipients to prescribe Gilead’s HIV medications. The government questioned these programs’ educational value, citing issues including venue selection, alcohol service, and commercial influence on speaker selection, while sales personnel reportedly circumvented meal limits by recording food costs as room fees. This settlement serves as a reminder that authorities analyze speaker program data to identify compliance issues, encouraging companies to implement rigorous controls such as headquarters-based review of speakers and restricting repeat attendance at similar programs. Source: Skadden
• Attorney General Pam Bondi has directed the Department of Justice to investigate pharmaceutical companies and healthcare providers involved in gender transition treatments for potential violations of federal law. The April 22, 2025 memorandum implements Executive Order 14187, which reversed Biden Administration policies supporting gender transition treatments and procedures. The DOJ will pursue potential False Claims Act violations against providers who submit reimbursement claims for gender transition medications or procedures to federal healthcare programs, along with Food, Drug, and Cosmetic Act violations for “off-label” promotion of medications used for transitions. Bondi announced the creation of the Coalition Against Child Mutilation to coordinate with state attorneys general, expressed eagerness to work with qui tam whistleblowers, and stated the DOJ will no longer follow World Professional Association for Transgender Health guidelines. Healthcare and life sciences companies are advised to review promotional materials, billing practices, and internal whistleblowing procedures to mitigate enforcement risks. Source: DLA Piper
• Four individuals have been sentenced to federal prison for orchestrating a $110 million healthcare fraud scheme in Texas. John Rodriguez, a former pharmacist who owned Pharr Family Pharmacy, received 60 months imprisonment while his co-conspirators Mohammad Chowdhury received 30 months, and Hector de la Cruz and Alex Flores each received 46 months. The group paid kickbacks to medical providers who referred prescriptions to Rodriguez’s pharmacy, which then billed federal programs including the Department of Labor, TRICARE, and Medicare. From 2014 to 2016, the pharmacy submitted more than $110 million in claims to federal health care programs for compound drugs, with all defendants now required to serve three years of supervised release following their prison terms. The investigation involved multiple federal agencies including the FBI, with U.S. Attorney Nicholas Ganjei stating that “Illegal kickbacks are the engine that drives health care fraud.” Source: United States Department of Justice

Hospitals

• According to a recent report, hospitals are losing an average of $306,792 per physician annually, representing a 5% increase from the previous year. The financial strain stems from eroding reimbursement advantages, volume-focused incentives that don’t guarantee profitability, and heavy administrative integration costs. The report warns that health systems cannot sustain this financial burden indefinitely. Hospitals are advised to explore alternatives beyond direct physician employment, including ASC joint ventures, transitioning clinics to federally qualified health center look-alikes, and embracing value-based care models. The goal is to maintain market presence while improving financial viability without requiring traditional physician employment structures. Source: Becker’s ASC Review

Legislation

• Two bills were introduced that would create new regulatory requirements for healthcare organizations undergoing ownership, operational, or governance changes. House Bill 2747 would require healthcare entities to notify the Texas attorney general 90 days before material change transactions and authorizes penalties up to $10,000 per violation. Senate Bill 1595 mandates healthcare entities report ownership and control information to the secretary of state annually and during material change transactions, with substantial penalties for non-compliance. The reporting requirements for material change transactions apply to entities with at least $10 million in assets or revenue, with penalties reaching $500,000 per violation for larger organizations. Both bills would take effect September 1, 2025, if passed. Source: King & Spalding
• The Texas House of Representatives has approved two bills designed to facilitate access to psychedelic-assisted therapy once federal approval is granted. The first bill, HB 4014, passed 115-31 and establishes a state-backed study into the use of psilocybin, MDMA, and ketamine for treating conditions like PTSD and depression, with the study to be conducted in consultation with researchers at Baylor College of Medicine and UT Austin. The second bill, HB 4813, passed unanimously and ensures substances reclassified under federal law will be similarly controlled under state law “as soon as practicable,” aimed specifically at expediting access to psychedelic therapies for Texas veterans once FDA approval occurs. The legislation builds on a 2021 measure that studied psychedelics for treating veterans with PTSD, which supporters say helped make Texas “a pioneer in this space.” Source: Marijuana Moment

Life Science

• Private equity firms investing in life science companies face regulatory challenges across multiple domains including AI, fraud enforcement, and pharmaceutical pricing. The Trump Administration has revamped regulatory frameworks through executive orders that mandate agency restructuring and significant deregulation across health agencies. DOJ continues investigating fraud in the sector with heightened scrutiny of investor involvement in portfolio company operations, though establishing FCA liability for sponsors remains legally challenging. New trade policies implementing baseline and reciprocal tariffs affect the healthcare industry, with pharmaceutical imports under national security investigation through Section 232. Medicare drug price negotiations proceed while executive orders seek to lower costs through accelerated approvals for generics and improved drug importation programs. Source: White & Case

Medicare

• The Supreme Court has ruled that hospitals can only count Medicare patients as “entitled to supplemental security income benefits” in their DSH calculations if those patients were eligible for cash SSI payments during their hospitalization month. In the case Advocate Christ Medical Center v. Kennedy, the Court sided with HHS in a 7-2 decision, rejecting arguments from over 200 hospitals that the phrase should include all SSI program enrollees regardless of monthly payment eligibility. The hospitals contended that SSI benefits included non-cash benefits and that eligibility persists throughout enrollment, but the majority found these arguments unpersuasive, stating it “makes little sense to say that individuals are ‘entitled’ to the benefit in months when they are not even eligible for it.” The Court left open whether CMS properly captures all patients eligible for cash payments, while the dissent argued the majority’s interpretation undercounts low-income patients served by hospitals. Source: King & Spalding

Non-Competes

• Several states have enacted legislation taking effect in 2025 that restricts noncompete agreements for healthcare workers. Arkansas will ban physician noncompetes completely while Louisiana limits them to three years for primary care physicians and five years for other physicians. Maryland restricts noncompetes to one year and within ten miles for healthcare workers earning under $350,000, while Pennsylvania caps them at one year for doctors and certain nursing professionals. Utah prohibits “health care services platforms” from requiring noncompetes, joining states like Texas, Florida, and Colorado that already have established limitations on physician noncompete agreements. Source: Foley & Lardner

Nursing

• A survey by the Texas Center for Nursing Workforce Studies shows three out of four Texas nurses experienced violence, sexual harassment, or verbal abuse in the past year. Violence against nurses has increased since 2016, with physical assaults rising from 25% to 35% and sexual harassment from 23.5% to 33%. Hospital nurses face the highest risk, with 93% reporting workplace violence during their careers, causing 40% to consider changing jobs and 25% to plan leaving the profession. Nurses cite lack of respect, patient expectations, and staffing shortages as primary causes for the increase in violence. Texas passed a law in 2023 requiring healthcare facilities to implement violence prevention plans and training, though many nurses still don’t report incidents because they believe nothing will change. Source: Houston Chronical

Artificial Intelligence

• Houston Methodist is teaming up with Ambience Healthcare to integrate AI into emergency departments and inpatient care settings to address documentation and workflow challenges. The technology will capture provider-patient conversations, gather details for admissions and documentation, extract information from charts, and understand specific coding needs of each care setting. Emergency department clinicians report high burnout levels and complete approximately 4,000 mouse clicks during busy shifts, while the new AI aims to reduce this “click mileage” by eliminating copy-pasting documentation. Dr. Jordan Dale, chief medical information officer at Houston Methodist, stated they are committed to finding new ways to relieve clinicians with AI technology that enhances the patient-provider experience.
• The University of Texas Medical Branch (UTMB) uses AI to automatically analyze all CT scans for cardiac risk, identifying patients with coronary artery calcification who might otherwise go undetected. The system calculates an Agatston score through convolutional neural networks, categorizes patients into risk tiers, and sends automated notifications to high-risk patients and their physicians, evaluating approximately 450 scans monthly with 5-10 high-risk cases identified. UTMB also employs AI for rapid stroke and pulmonary embolism detection, with algorithms that notify care teams within seconds of imaging, and uses AI to assist with inpatient admission decisions by analyzing electronic health records.

Data Breach

• Ascension Health has announced having some of its patients’ data potentially exfiltrated following a December attack that compromised a former business partner’s third-party software. Patient information from care sites in Alabama, Indiana, Michigan, Tennessee, and Texas was inadvertently shared with the breached business partner, including names, birthdates, addresses, phone numbers, email addresses, Social Security numbers, race, gender, and clinical details. Ascension says their own systems, networks, and electronic health records were not involved in this incident. This disclosure follows a previous Black Basta ransomware attack reported months ago that affected 5.6 million individuals and disrupted Ascension’s electronic health records system and some hospital emergency care operations.

Food as Medicine

• Food as medicine encompasses nutritional interventions to prevent or treat disease through programs like medically tailored meals and produce prescriptions. Medicare Advantage offers food as medicine through supplemental benefits, special benefits for chronically ill enrollees, and the Value-Based Insurance Design Model, while Medicaid provides coverage through Section 1115 waivers and other authorities. There is uncertainty about future federal funding for food as medicine initiatives. Private funding faces challenges as employer health plans must classify food interventions as qualified medical expenses, requiring physician documentation and third-party verification.

Fraud & Abuse

• A Harlingen couple has pleaded guilty to defrauding Medicare through their business, Southwest Medical Home, which claimed to provide parts and repairs for power wheelchairs . The couple admitted to billing Medicare approximately $14 million between 2019 and 2023 for services never performed, including $736,072 for one specific beneficiary. They used the fraudulent proceeds to purchase cryptocurrency, a vehicle, electronics, collectibles, and purses. They face up to 10 years in federal prison and a possible $250,000 maximum fine.
• The Second Circuit ruled that an online healthcare appointment platform did not violate the Anti-Kickback Statute or False Claims Act when it relied on favorable OIG advisory opinions . The platform charges providers annual listing fees and additional fees for new patient bookings, with altered search rankings for those who don’t pay certain fees. A New York doctor filed a qui tam complaint alleging these fees constituted improper “success fees” that steered patients to providers willing to pay, but the court dismissed the case. The Second Circuit upheld this dismissal, finding the relator failed to establish fraudulent intent since the defendant had implemented its fee structure in accordance with OIG guidance.
• The Department of Justice has filed a lawsuit against CVS Health, Elevance Health, and Humana for allegedly paying hundreds of millions in kickbacks to brokerage platforms eHealth, GoHealth, and SelectQuote between 2016 and 2021. The complaint claims these insurers disguised illegal commissions as marketing payments to steer patients toward their Medicare Advantage plans while discouraging enrollment of people with disabilities. The case originated from a whistleblower report in 2021, with the DOJ seeking damages under the False Claims Act, while all accused companies deny the allegations and promise to defend themselves.
• The Eleventh Circuit issued a decision that requires False Claims Act plaintiffs to detail how alleged schemes caused submission of false claims to the government, not merely allege general fraudulent conduct. The court in Vargas ex rel. Alvarez v. Lincare, Inc. reversed dismissal only for the “upcoding” theory where relators provided specific patients, claim numbers, and reimbursement amounts, while affirming dismissal of co-payment waiver, automatic shipping, and kickback allegations that lacked these specifics. For the Anti-Kickback Statute claim, the court ruled that paying Contract Field Technicians for legitimate CPAP setup work does not violate the law without evidence connecting payments to referrals. The ruling emphasizes that FCA complaints must establish direct links between alleged misconduct and specific false claims rather than making “inferential leaps” or relying on conclusory statements. The Eleventh Circuit’s standard requires plaintiffs to demonstrate causation with particularity under Federal Rule of Civil Procedure 9(b), rejecting claims based on speculation or unsupported allegations.

Geriatrics

• Geriatric care managers (GCMs) from backgrounds in social work, nursing, and gerontology, partner with elder law attorneys to provide comprehensive support for aging individuals. GCMs offer services including needs assessment, care planning, crisis intervention, advocacy, guardianship evaluations, family mediation, and resource connection. This collaboration creates a holistic approach to aging-related legal and healthcare matters, ensuring seniors receive both legal counsel and practical support. For families navigating elder care complexities, the partnership between GCMs and elder law attorneys helps achieve optimal outcomes for seniors.

Medicare Beneficiaries

• Medicare requirements follow patients regardless of a provider’s cash-based practice model, with three provider categories determining Medicare billing obligations. Participating providers enroll in Medicare and accept assignment on all claims, billing Medicare directly for covered services. Non-participating providers enroll in Medicare but choose which claims to accept assignment on, must submit all claims to Medicare, and face limitations on what they can charge beneficiaries. Opt-out providers must file an affidavit valid for two years, enter specific contracts with Medicare beneficiaries, and can charge patients without Medicare limitations, though certain provider types cannot opt out of Medicare.

Provider Networks

• Network rental agreements in healthcare allow payers to access each other’s provider networks and fee schedules, which can circumvent negotiated contracts and subject providers to unfavorable rates. These arrangements may violate antitrust laws as horizontal price-fixing schemes under Section 1 of the Sherman Act, with courts applying the per se rule to find them unreasonably restrictive of trade. In January 2025, AIDS Health Foundation won over $10 million in damages after an arbitrator ruled that a network rental agreement between Prime Therapeutics and Express Scripts constituted illegal price-fixing, while a similar class action by Osterhaus Pharmacy against Express Scripts is proceeding after surviving a motion to dismiss in February 2025. Oklahoma has proposed legislation (SB789) to prohibit pharmacy benefit managers from making their provider networks available to other PBMs, potentially effective November 2025.

Staffing

• The United States District Court for the Northern District of Texas has invalidated the Nursing Home Minimum Staffing Rule that established staffing requirements for federally funded long-term care facilities. The Rule, which went into effect in June 2024, was challenged by the American Health Care Association and the Texas Attorney General who secured a nationwide injunction. The court vacated the 24/7 staffing requirement and other minimum standards, ruling that they violated the Administrative Procedure Act. In its decision, the court cited the Supreme Court’s Loper Bright ruling that eliminated Chevron Deference, determining that CMS lacked authority to impose stricter standards than the 8-hour nursing presence already specified by Congress.

Texas Medicaid

• The Texas Health and Human Services Commission denied Cook Children’s Health Plan a renewed Medicaid contract in March 2024, putting healthcare for 125,000 members at risk starting September, including 10,000 children with complex medical needs. The decision could force families to switch to one of four national for-profit plans, potentially disrupting established care relationships and eliminating local community-based coordination that has served Fort Worth families for 25 years. Cook Children’s has filed legal action against the commission after their protest was denied, while state lawmakers have introduced bills to change how Medicaid contracts are awarded to protect local healthcare management. The contract termination could impact 400 Fort Worth employees, 1,455 primary care providers, and 2,550 specialists, causing 75.6% insurance plan turnover in Tarrant County.