Texas Children’s Hospital has developed an AI model to assess bone age in pediatric patients, reducing radiologist image reading time by 30-50% since its November launch. The AI interprets X-rays to estimate bone age, which radiologists then verify, allowing them to focus on more complex procedures like interventional radiology. This bone age tool is part of Texas Children’s broader initiative that has produced twelve in-house AI solutions, including models for employee recognition, patient no-shows, and readmissions. The hospital maintains a comprehensive AI governance framework with representatives from clinical, operational, information security, and legal departments to ensure ethical use, prevent bias, and protect data privacy.
The Trump Administration released two revised policies on April 3, 2025, replacing previous AI guidelines with new frameworks for federal agencies. OMB Memorandum M-25-21 encourages agencies to implement AI solutions that maximize taxpayer value while identifying healthcare applications as “high-impact AI” due to their role in medical devices, patient diagnosis, and insurance decisions. The second policy, OMB Memorandum M-25-22, requires agencies including HHS to update acquisition procedures for AI systems, establish cross-functional teams for decision-making, and ensure appropriate intellectual property terms in contracts. These updates must be completed by December 29, 2025, replacing policies from the previous administration that were rescinded through Executive Order 14179 in January 2025.
Business Associates
Molecular Testing Labs (MTL) is suing its business associate Ntirety over alleged failures to comply with HIPAA Security Rule requirements following a March 12, 2025 ransomware attack. MTL claims Ntirety failed to implement appropriate safeguards required by their 2018 business associate agreement, which led to a breach of patient data by a suspected Russian cybercriminal group. Following the attack, Ntirety reportedly provided inadequate support and demanded payment for breach response assistance despite contractual obligations to provide such services. MTL is seeking indemnification for expenses related to the forensic investigation, breach notifications, credit monitoring, and potential regulatory actions after Ntirety failed to respond to formal demands.
Data Access and Breach
Data silos in healthcare create fragmented information landscapes that hinder patient care, delay diagnosis, and force clinical staff to perform time-consuming clerical tasks. The Trusted Exchange Framework and Common Agreement (TEFCA) aims to break down these silos by connecting health information networks and imposing financial penalties for information blocking. Healthcare organizations can improve data integration by creating stakeholder incentives, implementing strong governance frameworks, empowering patients to control their data, and adopting cloud-native management technologies. Eliminating data silos optimizes clinical workflows, reduces errors, enables specialist collaboration, and creates a foundation for AI applications that can identify patients at risk for adverse outcomes.
Blue Shield of California confirmed on April 9 that a misconfigured Google Analytics implementation exposed protected health information of 4.7 million patients between April 2021 and January 2024. The breach, identified as the largest healthcare data breach of 2025, potentially shared patient names, locations, gender, family size, medical services information, and search criteria with Google Ads for targeted advertising. Blue Shield stated no malicious actors were involved and the exposed data did not include Social Security numbers, driver’s licenses, or financial information. The company has advised affected members to monitor their accounts and credit reports for suspicious activity.
The U.S. Department of Health and Human Services Office for Civil Rights has reached a $600,000 settlement with PIH Health, Inc. over HIPAA violations. The California health care network reported a June 2019 phishing attack that compromised 45 employee email accounts and exposed the protected health information of 189,763 individuals. OCR’s investigation found PIH failed to properly protect health information, conduct thorough risk analysis, and notify affected parties within the required timeframe. As part of the settlement, PIH must implement a corrective action plan including risk analysis, management planning, policy development, and staff training, which will be monitored by OCR for two years.
Fraud & Abuse
The U.S. District Court for the Northern District of Texas reduced a $448 million False Claims Act penalty against Healthcare Associates of Texas to $16.5 million. The court ruled on February 26, 2025, that the original penalty violated the Eighth Amendment’s Excessive Fines Clause as it was over 100 times the $2.75 million in actual damages from Medicare billing violations. The jury had found HCAT submitted 21,844 false claims, but the court determined that per-claim penalties resulted in disproportionate liability compared to the rules violations at issue. The court instead applied treble damages, setting a precedent for healthcare providers to raise constitutional challenges to excessive FCA penalties.
The Eleventh Circuit ruled that merely alleging a scheme to submit false claims does not satisfy the “reliable indicia” standard under the False Claims Act and Rule 9(b). In United States ex rel. Vargas v. Lincare, Inc., the court partially reversed a dismissal, allowing claims about battery upcoding to proceed because relators provided specific claim details, but affirmed dismissal of co-pay waiver allegations where no specific claims were identified. The ruling clarifies that relators must either allege details of specific false claims or demonstrate direct personal knowledge of claim submissions. This decision reinforces the strict pleading requirements in FCA cases within the Eleventh Circuit, rejecting the notion that describing a fraudulent scheme alone is sufficient.
Two former laboratory sales executives were sentenced to federal prison for violating the Anti-Kickback Statute. The scheme involved two rural Texas hospitals partnering with True Health Diagnostics laboratory, where hospitals billed insurers at higher rates for blood tests and shared revenues with marketers who paid physicians for referrals through fake investment opportunities. Eight individuals were indicted in 2022 for disguising kickbacks as investment returns to physicians who ordered tests from the affiliated laboratory.
Hospitals
Preliminary data shows that “tens of thousands” of patients who were not “lawfully” in the United States were treated by Texas hospitals in recent months and the cost for their care is in the millions of dollars. Governor Greg Abbott ordered Texas hospitals last summer to collect citizenship status information from patients, with data from 558 hospitals expected to be finalized this week. Representative Mike Olcott has proposed a bill to formalize Abbott’s order into an annual report, citing concerns about rural hospital closures due to uncompensated care. Texas hospitals spend $3.1 billion annually on uninsured care, though advocates note much of this cost comes from the 4 million uninsured Texas citizens rather than non-citizens. The data collection began in November 2024, though it remains unclear if the forthcoming report covers just that month or subsequent months as well.
Medicare
CMS issued its annual Hospital Inpatient Prospective Payment System and Long-Term Care Hospital Prospective Payment System Proposed Rule for FY 2026 on April 11, 2025. The proposal includes a 2.4% increase in operating payment rates for general acute care hospitals and a 2.6% increase for LTCH standard payment rates, with expected IPPS payment increases of $4 billion. CMS plans to discontinue the low wage index hospital policy following a court order, reduce the labor-related share from 67.6% to 66%, and modify the nursing and allied health payment formula by changing the order of operations for calculating reimbursable net costs. The proposal also announces the reallocation of FTE cap slots from two closed teaching hospitals and increases the uncompensated care payment pool to $7.14 billion for FY 2026, with comments due by June 10, 2025.
Healthcare providers face potential revenue losses of $80 billion in 2026 due to looming Medicaid cuts, with hospitals at greatest risk if states drop expansion programs. Federal policy changes may include reducing assistance percentages, capping funds, intensifying eligibility requirements, and increasing scrutiny of payments, which could accelerate hospital closures particularly in rural and low-income areas. Healthcare organizations must respond by improving margins, expanding alternative revenue streams, optimizing operations, enhancing care coordination, and strengthening documentation compliance to survive these financial challenges.
Mergers & Acquisitions
States are rapidly enacting health care transaction review laws that require pre-transaction notification and often approval from state agencies before health care entities can complete mergers, acquisitions, or ownership changes. These laws can be categorized into four types: those amending material change transaction processes, bills seeking disclosure, legislation enhancing antitrust laws, and proposals prohibiting private equity and hedge funds from controlling health care entities. California’s proposals AB 1415 and SB 351 seek to broaden the Office of Health Care Affordability’s review authority over transactions involving management services organizations and reinforce prohibitions against corporate practice of medicine, particularly targeting private equity and hedge funds.
Non-Competes
Arkansas passed legislation that voids noncompete agreements restricting physicians’ practice within their scope. The law, expected to take effect around July 15, 2025, applies to medical doctors and osteopaths licensed under Arkansas statutes. The Act does not specify whether it will invalidate existing physician noncompete agreements or only apply to future contracts. While physician noncompetes are now prohibited, other restrictive covenants such as non-solicitation agreements, confidentiality agreements, and standard employment terms remain enforceable for physicians in Arkansas.
Pharmacies & Benefit Managers
The pharmacy industry confronts significant challenges as 29% of retail pharmacies closed between 2010 and 2021, with closures disproportionately affecting communities serving Medicaid and Medicare patients. Drug shortages persist due to vulnerable supply chains heavily dependent on foreign manufacturing of pharmaceutical ingredients from China and India, which legislative efforts like California’s CalRx initiative and the federal Affordable Drug Manufacturing Act aim to address. President Trump’s February 2025 Executive Order mandates enhanced transparency in drug pricing, requiring agencies to propose new guidelines within 90 days. The pharmacy sector is simultaneously exploring artificial intelligence to improve medication management and patient care, though implementation faces obstacles including high costs, potential lack of human touch, data quality concerns, and ethical considerations around patient information.
CMS published a final rule requiring Part D pharmacies to enroll in the Medicare Transaction Facilitator Data Module to facilitate the Medicare Drug Price Negotiation Program established by the Inflation Reduction Act. The Data Module will help manufacturers verify eligibility and accelerate retrospective refunds to pharmacies for the ten negotiated drug products in 2026, while an optional Payment Module will facilitate fund transfers and manage claims revisions. Enrollment begins in June 2025 after the rule takes effect on June 3, with chain pharmacies able to enroll through one centralized submission and dispensing entities permitted to use Pharmacy Service Administrative Organizations to receive Maximum Fair Price refunds.
In a federal court ruling, Tennessee’s “any willing pharmacy” law was deemed preempted by ERISA because it impermissibly affected plan structure rather than merely regulating costs. The McKee decision aligns with the Tenth Circuit’s ruling in PCMA v. Mulready, which invalidated Oklahoma’s law requiring PBMs to follow certain pharmacy network standards. Courts have consistently held that while states can regulate PBM reimbursement rates, they cannot interfere with plan operation or network design. Self-funded group health plans currently face conflicting state PBM laws across multiple jurisdictions, creating a regulatory challenge that requires resolution by either the Supreme Court or Congress.
Ransomware
Three healthcare organizations—DaVita, Bell Ambulance, and Alabama Ophthalmology Associates—recently suffered ransomware attacks that compromised sensitive patient data including names, Social Security numbers, and medical information. The Bell Ambulance attack affected 114,000 individuals while the Alabama Ophthalmology Associates breach impacted 131,576 people, with different ransomware groups claiming responsibility for each attack. Healthcare organizations remain prime targets for cybercriminals due to the sensitive nature of patient data, with ransomware attacks against the sector increasing 300% since 2015 according to Microsoft. Security experts recommend focusing on basic security measures like strong passwords, multifactor authentication, and properly segmented networks to protect healthcare systems from these threats.
The U.S. Department of Health and Human Services Office for Civil Rights has reached a settlement with Comprehensive Neurology regarding a HIPAA Security Rule violation following a ransomware attack. The December 2020 breach compromised the protected health information of 6,800 individuals, including names, clinical information, insurance details, and Social Security numbers. OCR’s investigation determined that the neurology practice failed to conduct a thorough risk analysis of potential vulnerabilities to electronic protected health information. Under the settlement terms, Comprehensive Neurology must implement a corrective action plan monitored for two years and pay $25,000 to OCR, marking the agency’s 12th ransomware enforcement action and 8th enforcement action in its Risk Analysis Initiative.
A recent survey found that healthcare professionals expect AI to have the greatest impact on administrative tasks (52.4%), followed by EHR management (47.6%) and diagnostic accuracy (41.9%). The survey of 105 professionals across 73 U.S. healthcare organizations revealed that 81.6% of physicians and 78.8% of administrators are eager to adopt AI tools to address workforce shortages and burnout. Nearly 64.8% of respondents view AI as critical for reducing workloads, while 37.1% believe it will improve decision-making in precision medicine, diagnostics, and treatment planning through real-time data insights.
The National Academy of Medicine released a report comparing generative AI with conventional predictive AI in healthcare. The 15-page publication examines five key differences between these technologies: output evaluation methods, bias manifestation patterns, performance degradation characteristics, societal impacts, and compliance considerations. While predictive AI produces quantitative predictions with straightforward performance metrics, generative AI creates subjective content requiring monitoring for coherence and factual accuracy. The report also introduces a 4-point responsibility matrix categorizing stakeholders as “informed,” “consulted,” “accountable,” or “responsible” to guide implementation in clinical decision-making, administrative efficiency, and patient engagement contexts.
Antitrust
States are requiring more premerger filings by enacting “baby-HSR” laws modeled after the federal Hart-Scott-Rodino Act, with Washington becoming the first state to expand beyond healthcare to cover all industries. Washington’s law requires parties to submit HSR filings to the state Attorney General if they have their principal place of business in Washington or if in-state annual sales exceed 20% of the HSR filing threshold ($126.4 million). Several other states including California, Colorado, Hawaii, Nevada, Utah, West Virginia, and DC have introduced similar legislation based on the Uniform Premerger Notification Act, while fifteen states already have laws requiring pre-transaction notification for healthcare-related mergers and acquisitions. State attorneys general are increasingly active in merger enforcement, with the National Association of Attorneys General Antitrust Committee chair warning companies to ignore state AGs “at your own peril.”
Healthcare equipment leases come in two main types: operating leases (short-term agreements lasting 1-5 years with lower monthly payments) and capital leases (10-20 year agreements with purchase options). Healthcare organizations can benefit from leasing through improved cash flow management, avoiding large upfront costs, and gaining tax advantages as operating leases allow for interest and depreciation deductions. Leasing provides flexibility to upgrade equipment as technology evolves, with 60% of healthcare institutions reporting a 15% increase in equipment expenses over the past two years. Understanding lease structures, fair market value, and residual values helps healthcare organizations make informed decisions about equipment acquisition.
Data Privacy
Three healthcare organizations reported data breaches affecting thousands of patients in recent months. Central Texas Pediatric Orthopedics experienced a network server hack on March 3, 2025, compromising personal and medical information of 140,000 patients, with the Qilin ransomware group claiming responsibility. Omni Healthcare Financial Holdings reported unauthorized network access between January 18-19, 2024, affecting 16,701 individuals, but only completed notifications on April 9, 2025, fifteen months after the breach. Community Dental Care in Minnesota discovered unauthorized access to their network on December 20, 2024, with confirmation on March 24, 2025 that names, addresses, Social Security numbers, and medical information were exposed, though the total number of affected individuals remains unclear.
Six current and former employees have filed a class action lawsuit against University of Maryland Medical System Corporation and University of Maryland Medical Center. Former UMMC pharmacist Matthew Bathula allegedly installed keylogging software on approximately 400 hospital devices over a decade, obtaining credentials of at least 80 staff members and using them to access victims’ personal accounts, webcams, and home security cameras. The lawsuit claims UMMC had inadequate security that enabled Bathula to target primarily young female medical professionals, recording them in private moments including breastfeeding and intimate activities. After terminating Bathula, UMMC replaced compromised computers and implemented additional cybersecurity controls, but the lawsuit alleges the hospital was aware of potential hacking for years without identifying the perpetrator.
Data privacy and data security represent distinct concepts that organizations often mistakenly treat as interchangeable. Data privacy focuses on individual control over personal information and regulatory compliance with laws like GDPR and HIPAA, while data security involves technical protections against unauthorized access through measures like encryption and fraud detection. The DOGE incident, where unauthorized access was gained to Treasury Department records, demonstrates how compliance with privacy regulations does not guarantee security from breaches. Organizations must establish separate teams with clear responsibilities—privacy oversight by compliance teams and security management by IT security professionals—to prevent vulnerabilities. Companies that fail to distinguish between these concepts risk regulatory penalties, consumer distrust, operational disruptions, and financial losses from both privacy violations and security breaches.
Equity
Health care entities managed or funded by HHS face approaching deadlines for Section 1557 compliance, with requirements to review decision-making tools for bias, adopt new policies, and train employees by May 1, 2025, while providers receiving only Medicare Part B funds have until May 6. By July 5, 2025, covered entities must distribute notices about non-English assistance availability, replacing previous foreign language taglines. The enforcement outlook remains uncertain as key components of these regulations conflict with the current administration’s policy goals, particularly regarding transgender protections and foreign language assistance requirements, following executive orders that established English as the official U.S. language.
Fraud & Abuse
The Seventh Circuit Court of Appeals overturned a landmark Anti-Kickback Statute conviction. Mark Sorensen, the owner of SyMed Inc., had been sentenced to 42 months in prison for allegedly paying kickbacks to marketing firms, a DME manufacturer, and a billing company in connection with Medicare-billed orthopedic braces. The appellate court ruled that Sorensen’s payments did not violate the law because there was insufficient evidence that any recipients influenced healthcare decisions, noting that 80% of prescriptions were rejected by physicians who maintained independent decision-making authority. This ruling clarifies that marketing recommendations are not necessarily illegal referrals and that percentage-based compensation structures are not automatically unlawful under the Anti-Kickback Statute.
Laboratories
Recent False Claims Act litigation demonstrates critical compliance risks for medical laboratories. In Jensen ex rel. United States of America v. Genesis Laboratory, the court dismissed qui tam claims that Genesis submitted false claims to Medicare for unnecessary tests and violated the Anti-Kickback Statute by waiving copayments to induce referrals, citing insufficient evidence. The takeaway is that laboratories must exercise independent judgment on medical necessity despite physician certifications, ensure requisition forms comply with Medicare regulations, review copayment waiver policies, and maintain documentation of compliance efforts. Laboratories should implement robust compliance programs, provide staff training, document processes thoroughly, and consult legal counsel to mitigate regulatory risks.
Medicare
CMS issued the fiscal year 2026 Medicare Hospital Inpatient Prospective Payment System proposed rule on April 11, 2025, with comments due by June 10, 2025. The rule proposes a 2.4% increase in operating payment rates for qualifying acute care hospitals, creates several new MS-DRG categories while deleting others, and increases uncompensated care payments to $7.29 billion for FY 2026. Special rural designations including the Medicare-dependent hospital program and low-volume hospital payment adjustment are set to expire on September 30, 2025, with hospitals previously qualifying for MDH status to be paid based on the federal rate thereafter. The rule also proposes updates to the Transforming Episode Accountability Model, which will begin as a five-year mandatory model on January 1, 2026.
The Trump administration released two final regulatory documents for Medicare Advantage (MA) for 2026, with CMS finalizing a basic payment update of +5.06% that will increase MA payments by $25 billion. CMS did not finalize proposals to expand coverage of anti-obesity medications or implement health equity requirements for utilization management policies, but did codify IRA provisions requiring $0 cost sharing for ACIP-recommended vaccines and $35 monthly caps for insulin. The final rule also includes provisions for Dual Eligible Special Needs Plans, inpatient setting protections, and guardrails for supplemental benefits, while the new risk model will be fully implemented in 2026, saving Medicare trust funds approximately $13 billion.
Pharmacy Benefit Managers
Arlington-based Texas Health Resources is suing six drugmakers and pharmacy benefit managers, alleging they colluded to raise insulin prices by up to 1,000% over two decades while collecting secret rebates and fees. The nonprofit system filed the federal lawsuit on March 26 in New Jersey District Court against Express Scripts, CVS Caremark, Optum Rx, Sanofi, Eli Lilly, and Novo Nordisk, claiming violations of the RICO Act and Texas consumer protection laws. Texas Health Resources, which covers about 40,000 beneficiaries through its self-funded insurance plan, joins more than 400 other entities that have filed similar lawsuits against these companies. All defendants have denied the allegations, with CVS Caremark, Sanofi, Novo Nordisk, Optum Rx, and Eli Lilly each issuing statements calling the lawsuit baseless or meritless and defending their pricing practices.
Private Equity
Texas’ Corporate Practice of Medicine doctrine prohibits corporations and non-physicians from practicing medicine or employing physicians to provide medical services. Private equity firms use Management Service Organization models to invest in healthcare while attempting to comply with CPOM restrictions, but many management service agreements contain provisions that transfer excessive control to non-physician entities. Courts have identified several red flags that indicate CPOM violations, including excessive fee structures, control over medical personnel, financial control, influence over clinical decision-making, and restrictive clauses that limit physicians’ ability to terminate relationships. Contracts that violate the CPOM doctrine are likely unenforceable under Texas law, giving physicians potential legal grounds to terminate problematic MSO relationships without penalty.
Ransomware
Ransomware group Qilin posted 42 gigabytes of data stolen from Central Texas Pediatric Orthopedics on the dark web in February, with the practice now notifying 140,121 affected individuals. The unauthorized access occurred between January 23-26, 2025, compromising patient information including names, government IDs, medical data, insurance details, birth dates, and X-ray images of minors. CTPO has reported the breach to the FBI and implemented security enhancements including endpoint detection software, password resets, and server rebuilding. Experts warn that pediatric healthcare records are particularly valuable targets due to children’s pristine credit histories, with several law firms already investigating the incident for potential class action litigation.
Reimbursement
An estimated 450 million medical claims are denied annually in the US, with Texas having a 22% denial rate for in-network ACA claims. The American Medical Association reports that AI tools used by insurers can produce denial rates up to 16 times higher than typical. The Texas Senate has advanced bill SB 815 to restrict insurers from using AI for claim decisions, while new AI platforms like Claimable and Fight Health Insurance have emerged to help patients appeal denials. These AI appeal tools aim to level the playing field against insurers who have established an early advantage in using technology for claims processing.
Skilled Nursing Facilities
CMS has extended the deadline for Skilled Nursing Facilities (SNFs) to submit Medicare revalidations to August 1, 2025, following a previous extension from the original deadline to May 1, 2025. The extension comes as AHCA/NCAL reports less than 20% of SNFs had submitted applications by mid-March, with many applications being returned with requests for additional information. The revalidation process now includes Attachment 1, which collects new categories of information on ownership, management, organization, and administration. CMS updated its guidance on April 9, 2025, with additions to Section IV and FAQs regarding requirements for reporting Additional Disclosable Parties.
Favorable opinion regarding an arrangement whereby Requestor (designated as a community health center pursuant to Section 330 of the Public Health Service Act) proposes, during the provision of certain social services to individuals, to: (1) identify individuals in need of primary care services; (2) inform them of the availability of such services; and (3) schedule an appointment for them to receive primary care services from Requestor or refer them to a local primary care provider.
🔍What’s the Issue?
A federally designated Community Health Center (the “Requestor”) asked the Office of Inspector General (OIG) if it could legally do the following as part of its community outreach:
Identify individuals in need of primary care during their visits for social services (like childcare, food, or safety support).
Inform them about available primary care providers.
Help them schedule appointments—either with the Health Center itself or another local provider.
They wanted to make sure this setup wouldn’t violate federal anti-kickback laws or other rules meant to prevent improper patient referrals.
🏥Background on the Health Center
Offers free or low-cost medical and social services to underserved communities.
Also gives out non-healthcare goods, like diapers, books, and help for crime victims.
Many people come for the social services but don’t realize they can also get affordable medical care there.
⚖️Legal Concerns
Two key laws are at play:
Anti-Kickback Statute – Prohibits giving something of value to induce someone to use federally funded healthcare services.
Beneficiary Inducements CMP – Prohibits offering free stuff to patients to influence their choice of healthcare provider.
✅OIG’s Conclusion: Allowable with conditions
OIG said they will not impose penalties because:
The Health Center does not push patients to choose them—they provide a neutral list of providers in alphabetical order.
Other providers can be included on the list (“any willing provider” rule).
People can still get social services even if they don’t want or need healthcare.
The goal is to connect underserved people with care they might otherwise skip due to cost or confusion.
OIG found the setup aligns with the Health Center’s mission to help underserved populations and isn’t a scheme to inappropriately gain more patients.
🚦 Bottom Line
The arrangement is legally allowable as long as it’s carried out fairly and transparently. The Health Center must stick to the safeguards they promised—neutral lists, no pressure to choose them, and full freedom for individuals to pick any provider or none at all.
Data Privacy
A dental management firm is notifying 173,400 people across six states about an email hack that exposed sensitive information including names, Social Security numbers, and medical data. The Nashville-based firm, which provides HR and finance services to 60 dental practices and 10 group practices, faces at least four federal class action lawsuits alleging negligence in safeguarding patient information. The breach was discovered on September 11, 2024, when suspicious activity was detected in an employee’s email account, making it the largest of three major dental-related data breaches reported in 2025. In 2024, about two dozen dental practice breaches affected more than 1.2 million individuals, highlighting the sector’s vulnerability to cyberattacks.
HIPAA compliance faces significant changes in 2025 as HHS implements new security measures following a 264% increase in ransomware attacks in 2024. The Office for Civil Rights is enforcing stricter security risk analysis requirements while proposing updates to the HIPAA Security Rule that would mandate technical improvements like encryption and multifactor authentication. Patient access rights remain a priority with multiple enforcement actions in 2024-2025, alongside new information blocking rules effective December 2024. Additionally, HHS issued a final rule protecting reproductive health care information privacy in December 2024, though this faces legal challenges from Texas in federal court.
False Claims Act
A Fifth Circuit Judge has questioned the constitutionality of the False Claims Act’s qui tam provision in a concurring opinion in United States ex rel. Montcrief v. Peripheral Vascular Assocs., P.A. Justice Duncan argues the provision violates the Appointments Clause by allowing private citizens to exercise executive branch power without proper appointment, echoing a 2024 ruling by Florida District Judge Kathryn Mizelle in United States ex rel. Zafirov v. Fla. Med. Assocs., LLC. Both judges cite Justice Clarence Thomas’s dissent in Polansky, which contends that Congress cannot authorize private relators to represent United States interests in civil litigation. The Fifth Circuit remanded a $28.7 million Medicare fraud judgment against PVA, while Duncan noted that when the government declines to intervene in qui tam cases, private relators exercise government power without executive branch oversight.
Medicare Reimbursement
A new Medicare policy aims to combat fraud in the skin substitutes market where spending quadrupled in four years, costing taxpayers nearly $10 billion annually. The Local Coverage Determination (LCD) ensures Medicare only covers treatments with clinical evidence while maintaining access to over a dozen proven skin substitutes. The policy targets companies that exploited loopholes to generate nine-figure revenues without research or FDA review, and will take effect April 13, 2025. Medicare Administrative Contractors implemented this measure to proactively prevent fraud rather than relying on lengthy investigations after damage is done.
Mergers & Acquisitions
The U.S. Department of Health and Human Services is closing six of its ten Office of the General Counsel regional offices and reducing its workforce by 20,000 employees. This consolidation will likely cause disruptions to Change of Ownership approvals needed for healthcare mergers and acquisitions, as well as delays in enforcement actions and compliance determinations. The four remaining OGC offices will redistribute workload across larger geographic areas, potentially resulting in loss of localized expertise and creating challenges for Medicare contractors. Healthcare investors and providers are advised to consult with experienced attorneys to navigate these changes and minimize transaction disruptions.
The Texas House of Representatives introduced House Bill 2747, requiring health care entities to provide 90-day advance notice to the Texas Attorney General for transactions resulting in material ownership, operations, or governance changes. The bill, which would take effect September 1, 2025, if passed, applies to a broad range of health care entities including providers, facilities, provider organizations, and pharmacy benefit managers. The legislation grants the Texas Attorney General power to conduct market studies on health care market conditions and transaction impacts, with violations potentially resulting in a $10,000 civil penalty. Texas joins numerous states implementing increased oversight of health care transactions, with a common focus on competition, market concentration, and care quality.
The Department of Justice announced the formation of an Anticompetitive Regulations Task Force aimed at eliminating state and federal laws that undermine market competition. The Task Force will focus on five key sectors: housing, transportation, food and agriculture, healthcare, and energy, while taking a whole-of-government approach with attorneys and economists from across the Antitrust Division and other agencies. Public comments will be accepted until May 26, 2025, to help identify problematic regulations, with the initiative following a similar effort from the first Trump administration in 2018. Questions remain about the Task Force’s jurisdiction over state laws and regulations, particularly regarding the state action immunity doctrine that protects state and local governments from federal antitrust claims.
Compliance, Audits, and Enforcement
Healthcare experts emphasize that proper documentation and regular internal audits are essential for medical billing compliance. Medical billers, coders, and nurse reviewers provide critical services including medical record reviews, billing analysis, and assessment of treatment appropriateness for healthcare providers, attorneys, and insurance companies. Healthcare providers remain responsible for billing accuracy even when using third-party billing services, making practice managers with compliance expertise a valuable investment that can prevent claim denials and expand revenue. In litigation contexts, these specialists can identify billing discrepancies, evaluate standard of care, and help establish links between injuries and medical events, transforming what begins as malpractice cases into fraud investigations when necessary.
The Office of Inspector General (OIG) recently released a report identifying 287 audit issues across all twelve Medicare Administrative Contractor (MAC) jurisdictions during fiscal years 2019-2021, with each jurisdiction failing to meet the 95% performance threshold for Review and Audit Quality standards in at least one year. The report categorized issues into five areas: improper reviews, inadequate oversight of medical education reimbursement, improper review of cost allocations, improper calculations for nursing programs, and inadequate review of bad debts. OIG recommended that CMS provide MACs with better explanations of evaluation results, update audit programs with revised requirements, and offer additional training, to which CMS responded that it already meets weekly with MACs and is working to incorporate updated guidance into audit programs.
President Trump issued an Executive Order on February 25, 2025, to strengthen enforcement of healthcare price transparency regulations, building upon a 2019 order and rooted in the Affordable Care Act’s 2010 amendments. A 2024 audit revealed only 46 percent of hospitals were compliant with transparency rules, with penalties ranging from $300 to $5,500 per day depending on hospital capacity. Healthcare organizations face increased risks including administrative penalties, civil enforcement actions, and potential criminal liability, prompting recommendations for internal audits, enhanced compliance programs, legal counsel engagement, and robust reporting mechanisms.
Cybersecurity and Data Protection
Biosensors in healthcare face complex regulatory challenges across different regions, with the FDA in the US using a three-tier risk classification system while the EU implements stricter Medical Device and In Vitro Diagnostic Regulations. Data security remains problematic with 40% of FDA-approved wearables lacking robust encryption, while ethical concerns persist regarding data ownership and privacy, exemplified by a study showing 60% of diabetes apps sell user data without clear consent. Technological innovation outpaces regulatory frameworks, creating validation bottlenecks for startups and highlighting the need for global harmonization, as only 15 countries have adopted the WHO’s Global Model Regulatory Framework. Market access varies significantly between countries, with reimbursement policies and affordability creating barriers to equitable distribution of biosensor technology.
According to CIO’s 2024 Security Priorities study, 40% of tech leaders prioritize strengthening confidential data protection as organizations implement comprehensive security frameworks including encryption, Zero Trust Architecture, and multi-factor authentication to combat cyber threats. Security experts recommend data governance frameworks with clear standards for quality, accuracy, and relevance, alongside Master Data Management to create a single source of truth for critical business entities. Organizations must address human error through regular cybersecurity training, simulated threats, and interactive awareness programs to transform employees into a strong defense line. AI technologies are being deployed to detect and mitigate cyber threats in real time while also optimizing operations through intelligent automation and enabling personalized customer experiences.
Drug Regulation
The popularity of GLP-1 drugs for weight loss and diabetes has triggered multiple litigation fronts in the U.S. FDA drug shortages led to legal battles between brand manufacturers and compounding pharmacies, with recent cases challenging FDA decisions to remove drugs like tirzepatide and semaglutide from shortage lists. Patent litigation follows the Hatch-Waxman framework with varying timelines based on FDA exclusivity periods – liraglutide’s first generic was approved in December 2024, semaglutide faces ongoing patent challenges through 2025, and tirzepatide’s exclusivity extends to 2027. The International Trade Commission provides another venue for enforcement, with Eli Lilly pursuing action against online pharmacies selling compounded tirzepatide, potentially resulting in import bans.
The Eastern District of Texas vacated the FDA’s Laboratory Developed Test (LDT) Final Rule, ruling in favor of laboratory plaintiffs who argued that LDTs are services rather than devices under the Federal Food, Drug and Cosmetic Act. The court determined that LDTs are “proprietary methodologies” outside FDA jurisdiction, as the agency can only regulate tangible goods like test kits, not professional medical services. The ruling establishes that Congress gave the Centers for Medicare and Medicaid Services authority to regulate clinical laboratories and their tests under the Clinical Laboratory Improvements Act, not the FDA. The decision prevents nearly 80,000 existing LDTs and over 1,100 laboratories from falling under FDA’s regulatory framework that was scheduled to take effect in May 2025.
Medical Malpractice
While AI can reduce medical errors, experts debate who bears liability when AI-assisted healthcare goes wrong. The Federation of State Medical Boards recommends holding clinicians responsible for AI errors, not technology creators, with 3 in 5 physicians now using AI in their practice. Medical liability insurer Indigo believes AI will ultimately reduce malpractice rates, though legal experts note there’s no clear framework for determining fault in AI-related medical mistakes. Healthcare organizations are urged to establish AI usage guidelines for staff, as clinicians face challenges verifying AI recommendations amid time constraints and staffing shortages.
Mergers & Acquisitions
The physician practice M&A market is experiencing a revival with pharmaceutical companies, pharmaceutical services providers, and insurers emerging as strategic buyers in the physician practice management space. Despite headwinds including regulatory pressure, macroeconomic challenges, and operational difficulties, major transactions have occurred such as Cencora’s $4.6 billion acquisition of Retina Consultants of America and Cardinal Health’s $2.8 billion stake in GI Alliance. Strategic buyers pursue these acquisitions to diversify their businesses, achieve vertical integration, and gain control over care delivery, with future consolidation likely driven by buyers with available capital and interest in diversification.
Veterinary Medicine and Telehealth
A Texas State Senator has proposed legislation to expand telehealth practices to veterinary medicine, which would update Texas law to allow veterinarians to establish client-patient relationships electronically without requiring initial physical examinations. The Texas Veterinary Medical Association opposes the bill, warning that serious conditions could be misdiagnosed without physical examinations, potentially threatening animal health and the state’s $15 billion animal agriculture industry. Supporters argue telehealth would benefit rural areas with limited veterinary access.
Senate Bill 31, known as the Life of the Mother Act, aims to clarify medical exceptions to Texas abortion laws that currently permit the procedure only when the mother’s life or major bodily function is at risk. The bill would specify that doctors need not delay treatment if doing so increases risk to the pregnant woman, broadens definitions for ectopic pregnancy and premature water breaks, and protects physician-patient discussions about abortion options from being considered “aiding and abetting.” With bipartisan support including 12 Republican senators and Lt. Gov. Dan Patrick’s backing, the legislation would require the Texas Medical Board to offer educational courses about physicians’ rights under the law. Texas doctors have reported confusion about existing laws, with 29% lacking clear understanding of abortion regulations, leading to delayed care and increased complications for pregnant women.
Artificial Intelligence
Healthcare organizations implementing LLMs face eight critical challenges including over-reliance on AI without domain expertise integration, unresolved data quality issues across fragmented systems, and ethical risks in handling sensitive healthcare data. Additional pitfalls include poor workflow integration, inadequate model validation post-deployment, neglect of regulatory requirements, overpromising AI capabilities to stakeholders, and failure to customize models for specific healthcare needs. Healthcare companies must maintain human expertise in the loop, implement robust data governance, ensure regulatory compliance, and set realistic expectations to successfully deploy LLMs that enhance rather than compromise patient care and operational efficiency.
Compliance Programs & Audits
Compliance auditing has become mandatory in today’s regulatory environment, with federal and state laws requiring companies to conduct regular reviews of their practices. The Office of Inspector General’s Compliance Program Guidance identifies auditing as a core element that helps organizations detect fraud, assess policy adherence, and mitigate risks before they escalate into enforcement actions. Recent settlements demonstrate the consequences of inadequate compliance monitoring, with companies like Pfizer, Teva, Innovasis, and Endo Health Solutions paying millions or billions in penalties for violations related to kickbacks, improper marketing, and other infractions. Companies should prioritize auditing high-risk areas including speaker programs, healthcare professional arrangements, promotional materials, and patient assistance programs using a risk-based approach.
Contracting
Healthcare AI vendor contracts require thorough pre-negotiation preparation, including comprehensive risk assessment and stakeholder engagement. Organizations must evaluate AI tools within a governance framework using resources like HEAT maps and the NIST AI Risk Management Framework to categorize risks. Contract negotiations should address data rights, with customers seeking ownership of inputs and outputs while vendors aim to retain rights to their services and products. Key contract provisions include privacy, security, regulatory compliance, indemnification, and liability limitations, with special attention to HIPAA compliance when patient health information is involved.
Cybersecurity & Privacy
Healthcare cyberattacks have increased dramatically: annual large breaches nearly tripled from 242 (2010-2014) to 713 (2020-2024), and 81% of the breaches reported in 2024 alone were caused by hacking or IT incidents. The 2024 Change Healthcare breach affected 190 million individuals, making it the largest healthcare data breach to date. When protected health information is compromised, organizations must notify affected individuals, media outlets, state agencies, and the Office for Civil Rights, potentially facing investigations, enforcement actions, and costly settlements. Healthcare entities must strengthen defenses through annual security risk assessments, multi-factor authentication, and comprehensive incident response plans, with HHS proposing updates to the HIPAA Security Rule to mandate these protective measures.
The Office for Civil Rights has announced a $3 million settlement with Solara Medical Supplies for HIPAA violations. A phishing attack compromised eight employee email accounts, exposing protected health information of over 100,000 individuals, followed by a second breach when notification letters were sent to incorrect addresses affecting 1,500 more people. OCR’s investigation determined Solara failed to conduct proper risk analysis, implement adequate security measures, and notify affected parties in a timely manner. The settlement includes a corrective action plan requiring risk analysis, implementation of a risk management plan, policy development, and staff training on HIPAA compliance.
The Seventh Circuit ruled in Hulce v. Zipongo that communications promoting free services do not qualify as “telephone solicitations” under the TCPA. Plaintiff Hulce received approximately 20 calls and texts from Foodsmart about services available at no cost through his healthcare plan, with payment coming from the insurer rather than Hulce. Foodsmart successfully argued that since their communications encouraged use of free services rather than purchase of services, they fell outside the TCPA’s definition of solicitation. The court determined that encouraging use of a service available at no cost to the recipient does not constitute encouraging a purchase, even when a third party pays for the service.
The Department of Health and Human Services plans to cut 10,000 full-time jobs as part of a larger reduction that will decrease total headcount by 20,000 employees, saving $1.8 billion annually according to HHS. The cuts will affect multiple agencies including 3,500 workers at FDA, 2,400 at CDC, 1,200 at NIH, and 300 at CMS, though HHS claims the reductions will not impact core services like Medicare, Medicaid, or food and drug reviews. The reorganization includes consolidating 28 redundant offices into 15 new divisions, reducing regional offices from 10 to five, and creating new entities like the Administration for a Healthy America, which will combine multiple existing health offices. Democratic lawmakers and health advocates have criticized the cuts, warning they could harm vulnerable populations and disrupt essential services.
Immigration
Hospitals and healthcare systems nationwide are experiencing increased random inspections by USCIS targeting H-1B visa holders. Immigration officers from the Fraud Detection and National Security Directorate conduct unannounced site visits to verify compliance with H-1B program requirements, focusing on Public Access Files, work location accuracy, and position/salary verification. Non-compliance can result in fines, program debarment, operational disruption, and reputation damage. Healthcare facilities are advised to conduct system-wide compliance reviews, train staff on inspection protocols, collaborate with immigration counsel, standardize recordkeeping, and stay informed about policy changes to maintain compliance.
Taxation
Continuing Care Retirement Communities (CCRCs) provide comprehensive senior care from independent living to skilled nursing, with entrance fees averaging $400,000 and monthly fees around $3,450. Residents can deduct portions of these fees as medical expenses on their taxes if their total medical costs exceed 7.5% of their adjusted gross income. The deductible percentage varies by facility and is calculated based on the community’s aggregate healthcare costs, not individual usage. This tax benefit applies from day one of residency regardless of current healthcare needs and requires itemizing deductions on Schedule A of Form 1040. Alternative senior living arrangements like assisted living facilities and home modifications may also qualify for similar tax advantages if they meet IRS criteria for medical necessity.
Telehealth
The DEA has further delayed the effective dates of two telemedicine prescribing rules until December 31, 2025. The rules would expand prescribing of buprenorphine for opioid use disorder and controlled substances for VA patients via telemedicine. Originally scheduled to become effective February 18, 2025, then delayed to March 21, 2025, the Department of Justice now seeks additional time to review questions of fact, law, and policy despite some commenters requesting immediate implementation. Meanwhile, practitioners can continue prescribing controlled medications via telemedicine without prior in-person visits under COVID-19 flexibilities through the end of 2025.
Healthcare price transparency laws implemented since 2021 require hospitals and health plans to publish pricing information online and prohibit gag clauses that restrict sharing of cost and claims data. The Consolidated Appropriations Act of 2021 codified these prohibitions, requiring annual attestation of compliance through the Gag Clause Prohibition Compliance Attestation process, with the first submission deadline on December 31, 2023. Healthcare providers can leverage these regulations by requesting comprehensive pricing data, benchmarking against competitors, and highlighting value metrics to negotiate better reimbursement rates with payers. Despite these regulatory advances, challenges remain including limited enforcement, complex data formats, and the need for stricter penalties to ensure compliance from health plans.
Texas Attorney General Ken Paxton announced the arrest of Maria Margarita Rojas, a 48-year-old midwife who operated multiple clinics in the Houston area. Rojas, known as “Dr. Maria,” was charged with performing illegal abortions and practicing medicine without a license, both serious offenses under Texas law. Her network included three clinics—in Waller, Cypress, and Spring—where unlicensed individuals allegedly posed as medical professionals. The Attorney General’s office has filed for a temporary restraining order to shut down these facilities and may seek civil penalties of at least $100,000 per violation under the Texas Human Life Protection Act of 2021. Texas law specifically holds abortion providers, not patients, criminally responsible for unlawful procedures.
A second person has been arrested in connection with illegal abortion services at clinics operated by a midwife near Houston. Jose Manuel Cendan Ley, a 29-year-old medical assistant, faces charges of performing an illegal abortion and practicing without a license, while Rojas was previously arrested for operating three clinics that allegedly performed illegal abortion procedures. Texas Attorney General Ken Paxton announced that Rubildo Labanino Matos was also arrested for practicing medicine without a license in connection to the investigation. Texas law bans abortion at all stages of pregnancy with exceptions only for life-threatening conditions, with those convicted of performing illegal abortions facing up to 20 years in prison. This case represents the first criminal charges filed under Texas’s near-total abortion ban.
AI in Healthcare
AI healthcare models trained on limited institutional data face challenges in broader applications. Healthcare institutions currently train AI models using data from their own populations, creating systems that work well locally but fail when deployed in different settings due to variations in practice patterns, genetic factors, and lifestyle differences across regions. The isolation of medical data in institutional silos prevents AI from reaching its potential to standardize and improve healthcare globally. To address this, healthcare organizations must implement cross-institutional data sharing frameworks and ensure AI models are trained on diverse populations. The solution requires collaboration between health systems, regulatory support, and transparent validation processes to create AI models that can be trusted and effective across all healthcare settings.
Google is developing multiple AI healthcare initiatives, including TxGemma for drug discovery, Articulate Medical Intelligence Explorer for patient data collection, and a “co-scientist” chatbot for research assistance. The company has partnered with medical centers like Beth Israel Deaconess in Boston and Princess Maxima Center in the Netherlands, where doctors report tasks that once took days now complete in seconds. Meanwhile, Congress continues to extend pandemic-era telehealth rules through short-term solutions rather than permanent legislation, causing concern among healthcare providers about long-term investment in remote care technologies.
The FUTURE-AI framework provides international consensus guidelines for developing trustworthy healthcare AI systems through six guiding principles: fairness, universality, traceability, usability, robustness, and explainability. Developed by a consortium of 117 experts from 50 countries over a two-year period, the framework includes 30 detailed recommendations covering the entire AI lifecycle from design to deployment. FUTURE-AI is designed as a dynamic framework that will evolve with technological advancements and stakeholder feedback to ensure AI tools are technically robust, clinically safe, ethically sound, and legally compliant.
Cybersecurity
HIPAA regulations require healthcare providers and business associates to protect patient information in electronic communications. When communicating PHI to patients via email or text, covered entities must either encrypt the information or warn patients about security risks and obtain their consent to proceed with unsecured communications. For communications from patients, providers can assume email is acceptable if initiated by the patient, though warning about risks is recommended. Communications with other providers or third parties require stricter security measures, as simply warning about risks is insufficient; these messages must comply with Security Rule standards through encryption or other safeguards.
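The three cases in the paragraph above (PHI to a patient, PHI from a patient, PHI to another provider or third party) are the kind of rule an outbound-mail or SMS gateway has to apply mechanically. The following is an added example, not code from the original newsletter: a small policy gate that decides whether an outbound message carrying PHI may leave unencrypted, and it goes slightly beyond the text by also checking that a documented risk warning and consent exist for the specific channel (email or SMS) and were recorded before the message date. The recipient classes, the consent ledger, and the sample messages are all constructed for illustration.

```python
"""Outbound PHI message gate modelled on the HIPAA rules summarised above.

Added example (not the newsletter's own code). Recipient classes, the
consent ledger and the sample messages are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Recipient(Enum):
    PATIENT = "patient"          # the individual whose PHI is being sent
    PROVIDER = "provider"        # another clinician or covered entity
    THIRD_PARTY = "third_party"  # vendor, business associate, insurer


@dataclass(frozen=True)
class Consent:
    """Documented acceptance, by a patient, of unsecured contact on one channel."""
    patient_id: str
    channel: str      # "email" or "sms"
    warned_on: date   # date the risk warning was given and accepted


@dataclass
class Message:
    sender_is_patient: bool
    recipient: Recipient
    patient_id: str
    channel: str
    encrypted: bool   # e.g. S/MIME, secure-portal link, or enforced TLS to the peer
    contains_phi: bool
    sent_on: date


@dataclass
class Decision:
    allowed: bool
    reason: str


class ConsentLedger:
    """Looks up whether a (patient, channel) pair has a consent on file in time."""

    def __init__(self, consents):
        self._by_key = {(c.patient_id, c.channel): c for c in consents}

    def covers(self, patient_id: str, channel: str, when: date) -> bool:
        c = self._by_key.get((patient_id, channel))
        return c is not None and c.warned_on <= when


def evaluate(msg: Message, ledger: ConsentLedger) -> Decision:
    if not msg.contains_phi:
        return Decision(True, "no PHI present")
    if msg.sender_is_patient:
        # Patient-initiated contact: the channel is treated as acceptable.
        return Decision(True, "patient-initiated; channel acceptable")
    if msg.encrypted:
        return Decision(True, "encrypted")
    if msg.recipient is Recipient.PATIENT:
        # Unsecured delivery to the patient is allowed only with a prior warning and consent
        # on this specific channel.
        if ledger.covers(msg.patient_id, msg.channel, msg.sent_on):
            return Decision(True, f"unencrypted {msg.channel} allowed by documented consent")
        return Decision(False, "PHI to patient: encrypt, or warn and record consent first")
    # Provider or third party: a warning is not sufficient; Security Rule safeguards apply.
    return Decision(False, f"PHI to {msg.recipient.value}: encryption or equivalent safeguard required")


def run_samples() -> dict:
    """Evaluate constructed sample traffic; returns {label: allowed}."""
    ledger = ConsentLedger([Consent("pt-001", "email", date(2025, 1, 10))])
    samples = {
        "patient_email_with_consent": Message(False, Recipient.PATIENT, "pt-001", "email", False, True, date(2025, 3, 1)),
        "patient_sms_no_consent":     Message(False, Recipient.PATIENT, "pt-001", "sms", False, True, date(2025, 3, 1)),
        "consent_recorded_too_late":  Message(False, Recipient.PATIENT, "pt-001", "email", False, True, date(2025, 1, 2)),
        "provider_unencrypted":       Message(False, Recipient.PROVIDER, "pt-001", "email", False, True, date(2025, 3, 1)),
        "provider_encrypted":         Message(False, Recipient.PROVIDER, "pt-001", "email", True, True, date(2025, 3, 1)),
        "vendor_unencrypted":         Message(False, Recipient.THIRD_PARTY, "pt-001", "email", False, True, date(2025, 3, 1)),
        "patient_initiated_reply":    Message(True, Recipient.PROVIDER, "pt-001", "email", False, True, date(2025, 3, 1)),
        "no_phi_plaintext":           Message(False, Recipient.THIRD_PARTY, "pt-001", "email", False, False, date(2025, 3, 1)),
    }
    return {label: evaluate(m, ledger).allowed for label, m in samples.items()}


if __name__ == "__main__":
    for label, ok in run_samples().items():
        print(f"{label:28s} {'ALLOW' if ok else 'BLOCK'}")
```

The gate deliberately fails closed: anything containing PHI that is neither encrypted, patient-initiated, nor covered by a matching consent record is blocked, and a consent for email does not carry over to SMS.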
Healthcare data breaches reached record levels in 2024, with a 9.96% increase from 2023. The healthcare sector ranks second to finance in sensitive data volume, with 68% of medical devices expected to be connected by 2025, creating increased security risks through wireless communication and cloud storage. The industry faces future challenges from quantum computing threats, with NIST developing post-quantum cryptography standards while organizations still struggle with basic security measures like multi-factor authentication.
A vulnerability in ChatGPT identified last year is being exploited to target healthcare organizations, with 35% of analyzed organizations unprotected due to security misconfigurations. A recent report documented over 10,000 cyberattack attempts in one week, despite the vulnerability being classified as medium severity. The American Hospital Association warns these attacks could lead to data breaches, unauthorized transactions, and regulatory penalties. Healthcare remains the costliest sector for cyberattacks, with the average breach costing nearly $11 million—more than three times the global average.
The U.S. Department of Health and Human Services’ Office for Civil Rights has reached a $227,816 settlement with Health Fitness Corporation for HIPAA Security Rule violations. The settlement, which marks the fifth enforcement action in OCR’s Risk Analysis Initiative, resolves an investigation triggered by four breach reports filed between October 2018 and January 2019, where electronic protected health information became discoverable online due to a server misconfiguration. Health Fitness failed to conduct a thorough risk analysis until January 2024, affecting approximately 4,304 individuals whose data was exposed beginning in August 2015 but not discovered until June 2018. Under the agreement, Health Fitness must implement a corrective action plan including annual risk analyses, risk management planning, and policy development, which OCR will monitor for two years.
Dentistry
The Texas Health and Human Services Commission has adopted an amendment to the Texas Government Code that requires providers to be reimbursed for teledentistry services. This amendment allows dentists to use synchronous audiovisual technologies to conduct oral evaluations of established clients. As a result, oral evaluations are now more accessible, reducing unnecessary travel for clients in the Texas Health Steps Program.
FDA
FDA regulations prohibit compounding pharmacies from creating “essentially a copy” of commercially available drugs unless the modification produces a “significant difference” for an individual patient. Adding B12 to name brand weight loss drugs does not automatically exempt them from being considered copies under Sections 503A and 503B of the Federal Food, Drug, and Cosmetic Act. For a compounded drug to be permissible, the prescribing practitioner must document that the modification creates a significant difference for the specific patient. The FDA established these rules to prevent compounders from circumventing regulatory requirements by making minor changes to commercially available medications.
Medicaid
Medicaid program integrity involves both federal and state responsibilities, with states handling day-to-day administration while the federal government provides support and oversight. There is no comprehensive measure of fraud in Medicaid, though most fraud is committed by providers rather than beneficiaries, with the Health Care Fraud and Abuse Control program recovering $3.4 billion across Medicaid and Medicare in FY 2023. Improper payments, which had a 5.1% rate in 2024, are not equivalent to fraud, as 79.1% resulted from insufficient documentation or administrative errors rather than payments to ineligible recipients. HHS and CMS develop strategies to address program integrity issues, focusing on prevention and early detection rather than just recovery of misspent funds.
HIPAA was designed to balance privacy protections with healthcare efficiency but was never intended as a comprehensive health information privacy law. The healthcare privacy landscape has become increasingly complex due to the explosion of non-HIPAA health data from mobile apps, wearables, and tech platforms that remain largely unregulated. States have created overlapping privacy laws with inconsistent requirements, while the FTC and state attorneys general use general consumer protection authority to fill regulatory gaps. Federal legislation is unlikely to resolve these issues as proposals typically exempt HIPAA-covered entities, potentially creating dual regulatory systems that complicate compliance and impede medical research, public health initiatives, and healthcare innovation.
The Fifth Circuit Court of Appeals affirmed that Memorial Hermann Accountable Care Organization does not qualify for tax-exempt status under Section 501(c)(4). The court applied the “substantial non-exempt purpose” test, determining that Memorial primarily benefited healthcare providers and insurance companies rather than promoting social welfare. Memorial had argued for the application of the “primary purpose test” from Treasury Regulations, but the court rejected this approach while noting it would have reached the same conclusion under either standard. Though currently binding only in Louisiana, Mississippi, and Texas, the ruling suggests Accountable Care Organizations elsewhere may face similar tax treatment.
If you’re a healthcare provider, you likely rely on vendors who handle patient information—your EHR system, billing company, IT support, and more. But how well do you know their security practices?
Before entrusting them with PHI (protected health information), conduct due diligence. Here are some red flags to watch for:
🔴 No mention of HIPAA compliance on their website? That’s a problem.
🔴 Misspelling HIPAA as “HIPPA”? If they can’t spell it, they probably don’t understand it.
🔴 No third-party security certifications? That’s a risk.
🔴 Small vendor with no resources for security audits? That could be a liability.
Don’t assume vendors know what they’re doing—ask tough questions. At the end of the day, your practice is responsible for protecting patient data, and a reckless vendor could expose you to massive penalties.
Have questions? Drop a comment or email me at wade@texashealthlaw.com.
🔒 Privacy is everyone’s responsibility. Take it seriously.
340B
Multiple legal developments occurred in 340B program litigation across the United States. Two amicus briefs were filed supporting a state in a contract pharmacy law appeal case, while a court permitted withdrawal of a preliminary injunction motion in an HRSA audit process case. In a Medicare Advantage payment dispute, the court issued a split decision on accessing damages documentation. Six cases challenging HRSA’s rejection of drug manufacturers’ rebate models saw various legal actions, including the granting of intervention motions and the filing of amicus briefs supporting the defendant. Intervenors in one rebate model case filed supplemental authority, prompting responses from both the plaintiff and supporting amici.
Abortion
Texas and Louisiana have filed lawsuits against a New York physician for providing telehealth abortion services across state lines. The cases challenge shield laws designed to protect out-of-state clinicians who prescribe abortion medication via telehealth, with New York Governor Hochul refusing to comply with extradition requests. Several states including Vermont, Maine, California, Colorado, Massachusetts, and New York have enacted shield laws to protect clinicians from legal consequences when providing abortion care to out-of-state patients. The outcomes of these cases could impact the broader landscape of telemedicine by setting precedents for how states can enforce healthcare laws beyond their borders.
Biometric Data
Texas Representative Capriglione has introduced a bill (HB 3755) aimed at amending the state’s biometric privacy legislation. This bill seeks to include a definition of artificial intelligence and clarifies that the law does not pertain to AI or associated training, processing, or storage, unless conducted for the purpose of uniquely identifying a specific individual.
Data Breaches
A new report analyzing 180 healthcare email breaches from 2024 to 2025 reveals that 43.3% of incidents involved Microsoft 365 misconfigurations. Healthcare organizations face an average breach cost of $9.8 million, with ransomware attacks increasing 264% since 2018. The HHS Office for Civil Rights has intensified enforcement, issuing significant fines including a $9.76 million settlement with Solara Medical Supplies. Despite a 50% increase in cybersecurity spending since 2018, 98.9% of breached organizations lacked basic email security protocols, and only 1.1% maintained a low-risk security posture. The OCR continues to push for proactive HIPAA compliance as email remains the primary attack vector in healthcare.
Central Texas Pediatric Orthopedics, an Austin-based medical practice, filed a data breach notice with the Texas Attorney General on March 6, 2025. The breach exposed sensitive patient information including names, medical information, health insurance details, and government-issued identification for at least 90,000 people. The practice has begun sending notification letters to affected individuals, though it has not posted a website notice or press release about the incident. The source of the breach remains unclear, as it could have originated from either CTPO directly or one of its vendors.
In 2024, healthcare data breaches affected 53% of the U.S. population, with 13 breaches impacting over 1 million records each, including a record breach affecting 100 million individuals. In response, the Department of Health and Human Services issued a Notice of Proposed Rulemaking to modify HIPAA’s Security Rule, addressing AI systems and electronic protected health information for the first time. The new requirements mandate regulated entities to develop technology asset inventories, conduct risk analyses, and monitor vulnerabilities related to AI systems handling health data. Healthcare organizations must now implement AI governance programs that include maintaining lists of AI tools, reviewing data access protocols, and addressing security gaps. The proposed changes aim to protect against emerging threats like offensive AI, which can mutate and evade detection while learning from its environment.
Emerging Technologies
A research paper published in the Journal of Theoretical and Computational Advances in Scientific Research presents a framework combining blockchain and AI technologies for healthcare data integration. The blockchain component provides a secure platform for sharing medical records between healthcare providers, patients, and researchers. AI algorithms process the integrated data to enable predictive analysis, automated diagnostics, and personalized treatment recommendations. The framework addresses challenges in healthcare data privacy, interoperability, and efficiency through secure data integration and intelligent decision-making.
Fraud & Abuse
A Plano pharmacist was sentenced to 17.5 years in prison and ordered to pay $115 million in restitution for orchestrating a $145 million healthcare fraud scheme. Between 2014 and 2017, Dehshid Nourian and his co-conspirators paid bribes to doctors who prescribed unnecessary compound creams to federal workers, which were mixed by teenagers for $15 but billed to the Department of Labor for up to $16,000 per prescription. The pharmacies collected $90 million through this scheme while attempting to evade $24 million in taxes through money laundering operations. A federal jury convicted Nourian on multiple counts of healthcare fraud, money laundering, and tax evasion, leading to the forfeiture of $405 million in assets including brokerage accounts, real estate, and vehicles. The case represents the largest healthcare fraud forfeiture in Department of Justice history.
An El Paso physician has agreed to pay $468,626 to resolve allegations under the Federal False Claims Act. The United States alleged that Dr. John Patterson received kickbacks from Nursemind Home Care Inc. to falsely certify ineligible patients for hospice services, resulting in fraudulent claims to federal healthcare programs. Patterson received cooperation credit for assisting with the investigation and agreeing to testify in related criminal cases. The investigation led to the criminal prosecution of Nursemind Home Care owner Zenia Chavez, who pleaded guilty to conspiracy charges.
Texas has secured a $40 million settlement from Molina Healthcare through the state’s Healthcare Program Enforcement Division. The case involved Molina Healthcare, a Fortune 500 company that manages care for Medicaid STAR+PLUS program members who are disabled, blind, or over 65 years old. The settlement stems from allegations that Molina failed to conduct timely assessments of Medicaid beneficiaries and hid this non-compliance from Texas authorities. A whistleblower initiated the case under the Texas Health Care Program Fraud Prevention Act’s qui tam provisions.
Healthcare fraud enforcement will remain a priority despite potential regulatory rollbacks under a second Trump administration, according to a new report. The COVID-19 Fraud Enforcement Task Force has pursued over 3,500 criminal cases and secured $1.4 billion in seizures, with nursing homes facing scrutiny over false claims and misuse of relief funds. Recent court decisions, including Zafirov, which ruled whistleblower-led False Claims Act cases unconstitutional, and Loper Bright, which eliminated deference to regulatory agencies, may provide new defenses for healthcare providers. The Supreme Court’s Jarkesy decision, requiring jury trials for civil penalties, could impact 20 pending cases before the HHS Departmental Appeals Board.
Office of Inspector General
The U.S. Department of Health and Human Services Office of Inspector General has released updated compliance guidance for nursing facilities, marking its first revision since 2008. The guidance focuses on preventing fraud and abuse through proper billing practices, documentation requirements, and monitoring of financial arrangements between facilities and referral sources. Nursing facilities must implement robust compliance programs that include regular audits, staff training, and oversight from responsible individuals including investors. The OIG specifically highlights concerns about joint ventures, pharmacy arrangements, hospice relationships, and “tunneling” practices that could violate anti-kickback laws.
A federal audit found that Texas failed to fully comply with federal waiver and state health, safety, and administrative requirements at all 20 adult day activity and health service facilities examined. The Office of Inspector General (OIG) reported 253 instances of provider noncompliance, including deficiencies in facility maintenance, staff qualifications, and regulatory adherence. Of the 20 audited providers, 19 failed to meet one or more health and safety requirements, while 19 also violated administrative regulations. The report recommended corrective actions, improved oversight, and enhanced facility staffing and training. Texas agreed with the recommendations and outlined steps to address the issues.
Patents
The Federal Circuit addressed the patentability of “obvious” pharmaceutical dosing methods. In the case of ImmunoGen, Inc. v. Stewart, the parties agreed that a method of using the recited immunoconjugate (also known as IMGN853) to treat FOLR1-expressing ovarian cancer or cancer of the peritoneum was known in the art at the time of filing. Therefore, whether the claims were patentable from an obviousness perspective turned on whether the recited dosing limitation of “6 mg per kg of AIDW of the patient” would have been obvious to a person of ordinary skill in the art (POSITA) at the time of filing. The Court determined that the dosing method would have been obvious to try since it overlapped with known dosing schemes, and therefore was not patentable. The ruling sets a high bar for proving non-obviousness of dosing regimens for known drugs, even when dealing with unpredictable effects.
Weight Loss Drugs
A U.S. District Court ruled in favor of the FDA on March 5, 2025, denying the Outsourcing Facilities Association’s motion for a preliminary injunction and stay regarding tirzepatide compounding. The case emerged after tirzepatide products Mounjaro and Zepbound were placed on the drug shortage list in December 2022 due to high demand, allowing compounding facilities to produce copies under specific regulations. The FDA declared the shortage resolved, ending the compounding permission for 503A pharmacies immediately and setting a March 19, 2025 deadline for 503B facilities. The OFA filed an appeal on March 10, 2025, while questions remain about whether modified compound versions of the drug could continue under patient-specific need provisions. The FDA has not yet taken a position on these modified compounds, though their status may depend on whether they are considered copies of commercially available products.
Dr. David Young, 61, of Fredericksburg, Texas, has been sentenced to 10 years in prison for Medicare fraud. The physician signed thousands of fake prescriptions and medical records for orthotic braces and cancer genetic testing for over 13,000 Medicare beneficiaries, resulting in more than $70 million in fraudulent healthcare program billing. Young received $475,000 for signing the fake prescriptions and must pay $26,622,522 in restitution.
FDA
A U.S. District Court has allowed Novo Nordisk to intervene in a case between the FDA and compounding pharmacies. Compounders sued the FDA for removing weight loss drugs from its shortage list, which had previously allowed them to produce copycat versions of Novo’s semaglutide products. The compounders claim the agency’s decisions were arbitrary and that shortages persist. Novo Nordisk cited safety concerns and investment protection in its motion to intervene, which was unopposed by both the FDA and the compounders. Eli Lilly has also filed a motion to intervene in the ongoing legal proceedings.
Medicare
CMS has revised its Medicare overpayment rule, replacing the “reasonable diligence” standard with a “knowingly” standard that only requires action when providers are aware of overpayments. The update extends the investigation timeline, giving healthcare organizations 180 days to conduct investigations before the 60-day repayment clock begins. Organizations must keep documentation of compliance efforts and implement processes for identifying, reporting, and returning overpayments. Healthcare providers who fail to address identified overpayments risk penalties under the False Claims Act, which can include treble damages and civil penalties. The new framework tries to streamline compliance while maintaining accountability through structured investigation protocols and documentation requirements.
Medicare reimbursement rates for radiologists have declined by 24.9% from 2005 to 2021 after inflation adjustments, while the average starting salary for radiologists reached $472,000 in 2023, representing a 17.7% increase since 2020. The workforce faces significant pressures with 56.4% of diagnostic radiologists being 55 or older, while new trainees are only increasing by 2.5% annually. The implementation of the No Surprises Act has complicated reimbursements for out-of-network services, and healthcare cybersecurity costs have reached $10.93 million per data breach in 2023. These challenges are pushing independent radiology groups to seek financial subsidies from hospital partners to maintain operations.
Nonprofits
Nonprofit healthcare organizations are increasingly pursuing mergers to address economic challenges and improve care delivery. These mergers can take the form of either member substitutions, where one organization becomes a controlling member while both entities remain separate, or true mergers that combine organizations into a single legal entity. The consolidations try to achieve cost efficiencies, increase bargaining power with insurance companies, and improve access to capital for technology investments and facility improvements. Mergers also enable organizations to expand their geographic reach, enhance quality of care, and invest in innovations like telemedicine and data analytics. The process requires careful consideration of mission alignment, organizational culture, and governance structures to ensure the merged entity can effectively serve its community while maintaining financial stability.
Physician-Patient
Healthcare providers who wish to terminate a patient relationship must follow specific protocols to avoid patient abandonment claims. The process requires providers to notify patients in writing of the termination, explain the reasons professionally, and give patients reasonable time (typically 30 days) to find new care. During the transition period, providers must continue necessary care and facilitate the transfer of medical records to the new provider. While providers can terminate patient relationships for valid reasons like non-compliance or non-payment, they must follow applicable laws regarding discrimination and emergency care, with exceptions only for situations posing immediate safety risks.
Ransomware
Cybersecurity firm Cyble reports 599 new ransomware victims in February 2025, up from 518 in January, with U.S. organizations experiencing a 149% increase in attacks compared to 2024. North American targets face increased attacks due to their perceived likelihood of paying ransoms, despite overall ransom payments declining by 35% year-over-year according to Chainalysis. The ransomware landscape has shifted as LockBit’s dominance waned following law enforcement intervention, while Cl0p now leads with 81 attacks, followed by Akira, Lynx, and Qilin. Construction, professional services, and healthcare remain primary targets, with construction experiencing 50 attacks, professional services 47, and healthcare 33 attacks in 2025. IT services companies continue to face attacks due to their potential as gateways to downstream clients.
Healthcare organizations have sent a letter to President Trump and HHS requesting the withdrawal of proposed HIPAA Security Rule updates. The healthcare sector has experienced 5,887 large data breaches since 2009, with hacking incidents increasing by 239% between 2018 and 2023, now accounting for 79.7% of all breaches. Healthcare groups cite concerns about financial burdens, conflicts with the HITECH Act, and implementation timeline challenges in their opposition to the proposed security updates. The Office for Civil Rights currently has 857 data breaches under investigation, with limited progress in clearing the backlog due to funding constraints. While earlier breaches primarily resulted from lost or stolen records, the current threat landscape shows a shift toward hacking and ransomware attacks as primary security challenges.
Stark Law
The Centers for Medicare & Medicaid Services settled 314 Stark Law self-disclosures in 2024, collecting $24.7 million in settlements. The number of settlements in 2024 exceeded the combined total of the previous two record years and represented over one-third of all settlements in the program’s 14-year history. The average settlement amount was $78,781.39, consistent with trends from recent years, while 51 submissions were withdrawn during 2024. CMS has increased its processing speed for settlements, with some cases now resolved within the same calendar year as submission, marking a significant improvement from previous processing times. The smallest settlement in 2024 was $4, while the largest settlement on record remains $1,196,188 from 2018.
Transparency
On February 25, 2025, President Trump signed an executive order focusing on healthcare price transparency. The order instructs the secretaries of Treasury, Labor, and Health and Human Services to implement new requirements within 90 days, mandating disclosure of actual prices rather than estimates. The directive tries to standardize pricing information across hospitals and health plans while updating enforcement policies for transparent reporting. Under current rules, hospitals must publish machine-readable files of standard charges using Centers for Medicare & Medicaid Services templates and provide price estimator tools for shoppable services.
Twenty US states have enacted comprehensive privacy laws that regulate health data usage in digital advertising. The Federal Trade Commission and state regulators have expanded definitions of health data to include browsing histories, location information, and medical purchases, with Washington and Nevada implementing specific consumer health data laws requiring detailed consent. The Dobbs v. Jackson Women’s Health decision has accelerated concerns about health data privacy, particularly regarding reproductive healthcare information. Companies are adapting through various strategies including national opt-in consent standards, data suppression in certain states, increased due diligence, and demographic-based targeting instead of individual health data. Despite potential changes in federal enforcement under the new administration, state-level regulation of health data is expected to increase, particularly in Democratic-leaning states.
Artificial Intelligence
AI in healthcare currently faces mixed results across different applications. AI-powered ambient scribing tools for clinical documentation show varying effectiveness, with some studies indicating time savings while others suggest increased time spent on records. Clinical decision support tools, particularly for sepsis detection, struggle with accuracy and false positives, though tools like Sayvant offer promise in medical decision-making documentation. AI also shows potential for medical record summarization, though current limitations necessitate a measured approach focused on targeted innovations rather than transformation.
OpenAI and Oracle have announced the Stargate AI infrastructure project, a $500 billion initiative backed by Softbank and MGX to develop next-generation AI infrastructure over four years. Project leaders claim it will revolutionize healthcare through capabilities like 48-hour personalized cancer vaccines and improved disease treatments, while studies show AI can match doctor accuracy in diagnoses. However, experts suggest there are implementation challenges including payment systems, clinician training, and integration across healthcare facilities.
Corporate Practice of Medicine
Physician Practice Management (PPM) structures split operations between a physician practice professional corporation and a management services organization to comply with medical practice laws. Combining employees from both entities under one health plan creates a multiple employer welfare arrangement (MEWA), which faces regulatory burdens and potential state law violations. To avoid MEWA complications, organizations can implement mirror plans with pooled stop-loss insurance, establish separate level-funded plans, or purchase coverage through a professional employer organization (PEO). These alternatives help PPM entities maintain compliant health coverage while avoiding the complexities of MEWA regulations. The solutions enable cost savings through larger group ratings while preserving the intended separation between clinical and business operations.
Fraud, Abuse and Waste
The U.S. Department of Justice filed a False Claims Act complaint against an Idaho home health agency and its owner on February 25, 2025. The agency received $1.8 million in PPP loans in 2020 while certifying they were not engaged in illegal activity, but the owner later pled guilty to Medicaid fraud covering 2018-2021, resulting in a 180-day jail sentence and $146,000 restitution order. The Justice Department now seeks $5.4 million plus penalties from the agency and its owner, arguing the SBA would not have forgiven the PPP loans had they known about the fraudulent Medicaid billing. The case demonstrates how past certifications can create additional liability when criminal conduct is discovered, even years after the fact.
The Fourth Circuit Court of Appeals has rejected a challenge from the Pharmaceutical Coalition for Patient Access regarding an unfavorable advisory opinion on their proposed Medicare Part D assistance program. The Coalition had planned to implement a program where drug manufacturers would subsidize copayments for cancer patients meeting specific income criteria who were prescribed their medications. The Office of Inspector General (OIG) determined this program could violate the Anti-Kickback Statute by inducing patients to select specific drugs based on financial incentives rather than medical necessity and allowing manufacturers to charge higher prices. The Fourth Circuit upheld the OIG’s opinion, interpreting “induce” and “remuneration” broadly under the Anti-Kickback Statute and dismissing arguments about multiple manufacturers negating quid pro quo arrangements. The court also ruled that claims of disparate treatment were unreviewable since enforcement decisions lie solely with the agency.
The 2016 21st Century Cures Act established rules against information blocking in healthcare electronic records to promote data sharing and competition. The Department of Health and Human Services and Federal Trade Commission collaborated to implement these rules, requiring fair licensing terms for protected health information. In January 2024, Real Time Medical Systems filed the first lawsuit under these rules against PointClickCare Technologies, alleging that PCC blocked access to health records through unsolvable CAPTCHA walls to hinder competition. The District Court of Maryland granted Real Time a preliminary injunction, and the case is now on appeal to the Fourth Circuit. The case marks the first enforcement action of the Cures Act’s information blocking provisions since its enactment.
Insurance
A new American Medical Association survey reveals that prior authorization requirements create barriers to patient care, with physicians reporting increased denials over the past five years and concerns about AI-driven review systems. The survey found that prior authorization led to care delays, with 77% of physicians reporting patients had to attempt ineffective treatments first, and 23% noting hospitalizations due to authorization delays. A Senate report indicated that AI systems deny claims up to 16 times more frequently than human reviewers, prompting the AMA to warn against unregulated AI in medical decision-making. Despite lawmaker scrutiny and legal challenges, experts predict insurers will continue implementing AI review systems, potentially forcing providers to adopt their own AI tools for claims submission.
A new American Medical Association survey reveals that 61% of doctors worry about insurers using AI to increase treatment pre-approval denials. The survey found that 93% of physicians report prior authorization delays care, while 82% say patients sometimes abandon treatment due to these delays. Despite 66% of doctors using AI in their practices, 49% want increased regulatory oversight of how insurers employ AI in the approval process. Hospitals report increasing claim denials attributed to AI tools, with 89% of doctors stating that prior authorization battles contribute to burnout. The process impacts patient care, with 29% of doctors reporting serious adverse events due to authorization delays, and 23% noting patients requiring hospitalization as a result.
Security
The Department of Health and Human Services has proposed updates to the HIPAA Security Rule on January 6, 2025, with comments open until March 7, 2025. The updates eliminate the distinction between “required” and “addressable” standards, making all security measures mandatory for healthcare entities. The new requirements include encryption, multifactor authentication, regular security audits, vulnerability scans, data backup procedures, and network mapping. The Privacy Rule changes reduce patient record request fulfillment time from 30 to 15 days and allow patients to photograph their health information in designated private areas. Healthcare providers must implement these changes and retrain staff on the new requirements once finalized.
The U.S. Department of Health and Human Services proposes updates to the HIPAA Security Rule due to widespread adoption of electronic health records, with 80% of physicians’ offices and 96% of hospitals using them as of 2021. The updates aim to address increased cybersecurity risks in healthcare delivery systems and establish centralized security standards, as current voluntary guidelines have seen inconsistent implementation. HHS chose a prescriptive approach rather than recognizing existing frameworks for safe harbor incentives, despite the 2021 HITECH Act amendments. The proposed changes, which have a public comment deadline of March 7, 2025, would raise security standards and potentially burden smaller providers, though HHS maintains the rules allow for flexibility in implementation.
Taxation
The Fifth Circuit Court upheld the Tax Court’s denial of tax-exempt status for Memorial Hermann Accountable Care Organization (MHACO) under Section 501(c)(4). MHACO, formed in 2012 as a not-for-profit corporation, participated in the Medicare Shared Savings Program while also serving patients with Medicare Advantage and employer-sponsored health plans. The court applied the substantial-nonexempt-purpose test, determining that MHACO’s operations primarily benefited commercial insurers rather than promoting social welfare, as 81% of its patients had employer-sponsored insurance. The court noted that MHACO’s members-only structure, which excluded uninsured individuals, failed to benefit the greater Houston community and thus did not qualify for tax exemption.
Transgender Care
Texas has filed a lawsuit against Dr. Hector Granados and two other doctors for allegedly violating a 2023 law banning gender-affirming care for minors. The state claims Granados prescribed testosterone to a 16-year-old patient after the ban, while he maintains he only prescribed it for hormone deficiencies, not gender transition. Texas is among 27 states that have restricted or banned treatments like puberty blockers and hormone therapy for minors, with some families now seeking care in states like New Mexico where such treatments remain legal. The trial is set for October, and if found guilty, Granados and his co-defendants, Dr. May Lau and Dr. M. Brett Cooper, could lose their medical licenses and face fines. Attorney General Ken Paxton states his office will enforce the ban, while doctors must choose between their ethical duties and maintaining their ability to practice medicine.
A recent American Medical Association survey of 1,183 physicians shows AI usage among doctors increased from 38% in 2023 to 66% in 2024. Physicians use AI primarily for visit documentation, discharge summaries, care plans, translation services, and medical research summaries, with 68% reporting AI provides advantages in patient care. While 36% of physicians express excitement about AI, up from 30% in 2023, 47% believe increased oversight is needed to build trust in the technology. The survey reveals physicians want features like feedback channels, data privacy assurances, EHR integration, and proper training to advance AI adoption in healthcare.
Healthcare will transform from centralized hospitals to an invisible, integrated system woven into daily life through AI and edge computing. The shift is driven by younger generations demanding personalized care, advancing biometric technology, and the convergence of diagnostic capabilities into smaller devices. By 2051, healthcare will move into homes and repurposed community spaces, with AI-powered preventive care and mental health support becoming standard features of everyday environments. Wearable technology will predict health issues decades in advance, while household items will continuously collect health data and provide real-time monitoring.
Organizations are shifting from static AI compliance to continuous governance models as AI systems become more integrated into business operations. The EU AI Act and U.S. regulations require companies to implement real-time monitoring, vendor oversight, and cross-functional governance structures to manage AI risks. Organizations must address challenges including model drift, data provenance, third-party transparency, and AI liability through continuous auditing and risk assessment frameworks. Companies need to balance AI explainability with intellectual property protection while ensuring compliance with privacy regulations like GDPR and CCPA. Those who adopt proactive AI governance frameworks position themselves for competitive advantage in responsible AI innovation.
The FDA announced on February 21 that the semaglutide injection product shortage has ended, removing it from the Drug Shortage List where it had been since 2022. The medication, used for Type 2 diabetes and weight loss, will face new restrictions on compounding, with state-licensed pharmacies and physicians having until April 22, 2025, and outsourcing facilities until May 22, 2025, to comply with FDA regulations. Healthcare providers will no longer be able to compound versions of semaglutide that are copies of brand-name products, requiring patients to switch to brand-name medications. The changes will impact medical practices, pharmacies, outsourcing facilities, and telehealth companies that have been providing compounded versions of the medication at lower costs than brand-name alternatives. Healthcare providers must consult with attorneys to ensure compliance with the new regulations before the deadlines.
Fraud & Abuse
The United States Court of Appeals for the First Circuit ruled that kickbacks must be the “but-for” cause of claim submissions to establish falsity in False Claims Act cases based on Anti-Kickback Statute violations. The ruling emerged from United States of America v. Regeneron Pharmaceuticals, Inc., which examined whether Medicare claims for Eylea influenced by kickback violations through copayment coverage constituted false claims. While Regeneron advocated for the stricter but-for causation standard already adopted by the Sixth and Eighth Circuits, the government pushed for the Third Circuit’s more lenient approach, which requires only proof of a causal link between the claims and the AKS violations. The First Circuit’s decision to adopt the but-for standard will limit the scope of actionable FCA claims and affect how the government and whistleblowers pursue damages for AKS violations in federal healthcare programs.
The Justice Department has launched a civil fraud investigation into UnitedHealth Group’s Medicare billing practices, focusing on how the company records diagnoses that trigger extra payments from Medicare Advantage plans. The investigation follows Wall Street Journal reports that UnitedHealth received $8.7 billion in federal payments in 2021 for diagnoses added to patient records without doctor treatment, with each nurse home visit generating an average of $2,735 in additional payments. The DOJ has interviewed medical providers about UnitedHealth’s practices of promoting specific diagnoses and offering incentives to add them to patient records, while the company’s shares fell 7% on news of the investigation, erasing $30 billion in market value. This probe adds to existing scrutiny of the $400 billion company, which includes a separate antitrust investigation and a lawsuit to block its $3.3 billion acquisition of Amedisys.
A Texas State Senator filed a bill requiring explicit consent for medical research on corpses in Texas. The legislation responds to an NBC News investigation that revealed UNT Health Science Center used unclaimed bodies for experiments and leased body parts to companies without contacting families. Current Texas law allows medical institutions to use unclaimed bodies after attempting to notify relatives within 72 hours, but the new bill would require prior written consent from the deceased or next of kin. Following the investigation, UNT Health Science Center leaders were fired, the Willed Body Program was suspended, and the university president stepped down, while Tarrant County ended its relationship with the program.
HIPAA
The U.S. Department of Health and Human Services has proposed updates to HIPAA Security Rule requirements in a new Notice of Proposed Rulemaking. The updates include mandatory implementation specifications for contingency plans, requiring exact backup copies of electronic protected health information and system restoration within 72 hours of an event. The proposal introduces a new vulnerability management standard requiring automated scanning every six months, ongoing monitoring of known vulnerabilities, annual penetration testing, and timely software patches. Business associates must notify covered entities within 24 hours of activating contingency plans, and regulated entities must maintain written security incident response procedures. The public comment period for these proposed changes ends March 7, 2025.
The U.S. Department of Health and Human Services issued a proposed update to the HIPAA Security Rule in June 2024 to strengthen cybersecurity requirements for electronic protected health information. Mobile healthcare apps present unique security challenges, with 79% of healthcare organizations experiencing API-related security incidents in 2023. The proposed rule should include specific requirements for mobile app security, including protection against cloned apps, device manipulation, man-in-the-middle attacks, and API key exposure.
Medicare
Medicare Advantage plans required approximately two prior authorizations per enrollee in 2023, while Traditional Medicare required only 0.01 per beneficiary. Prior authorization requirements for Medicare Advantage plans increased to 50 million in 2023, up from 42 million in 2022, despite CMS rules aimed at reducing these requirements. A Senate report revealed that the three largest Medicare Advantage insurers intentionally denied prior authorizations to increase profits, with UnitedHealthcare’s denial rate for skilled nursing facility stays rising 800% between 2019 and 2022. While 3.2 million prior authorization requests were denied in 2023, only 11.7% were appealed, though 81.7% of appeals resulted in overturned denials. The process impacts skilled nursing facilities through delayed admissions, reduced patient volume, and revenue loss.
Medicare physician payments have seen only an 11% increase from 2001 to 2021 while practice costs rose 39%. The Centers for Medicare & Medicaid Services implemented a 2.83% reimbursement cut for 2025, prompting concerns about practice viability and patient access. Congress replaced the problematic Sustainable Growth Rate formula with MACRA in 2015, introducing value-based payment models through MIPS and APMs. A bipartisan bill called the Medicare Patient Access and Practice Stabilization Act was introduced in January 2025 to reverse the cuts, with a critical March 14 deadline looming for Congress to act on budget measures that could affect physician payments.