
Wade’s Health Law Highlights for April 14, 2026

Fraud, Abuse & Enforcement

  • Aetna agreed to pay $115 million to settle allegations that it manipulated diagnosis codes to inflate risk scores for Medicare Advantage enrollees. A former risk-adjustment coding auditor filed the lawsuit on behalf of the federal government, claiming Aetna received inflated payments from the Centers for Medicare & Medicaid Services through a process known as upcoding. The Department of Justice alleged that in 2015, Aetna conducted chart reviews and used the results to seek additional payments while ignoring instances where it was overpaid. From 2018 to 2023, the company allegedly submitted morbid obesity diagnosis codes when BMI values indicated patients were not morbidly obese and directed coders to ignore conflicting information. The settlement resolves allegations only, with no determination of liability. Source: Texas Medical Association
  • Government investigations into physician organizations often begin without warning and rely on internal communications as evidence. Investigators from the Office of Inspector General, Department of Justice, or state Medicaid Fraud Control Units target emails, board presentations, investor materials, and strategic planning documents that use phrases like “keeping cases in-house,” “driving volume,” or “referral optimization” to establish violations of the Anti-Kickback Statute or Stark Law. Investigations typically begin through whistleblower complaints, billing data analysis, auditor referrals, related investigations, or transaction disclosures. Organizations should engage experienced healthcare regulatory counsel immediately and avoid responding, producing documents, allowing interviews, altering records, or creating new explanatory materials. Pending investigations affect mergers and acquisitions through expanded diligence, altered deal structures, price adjustments, insurance limitations, and timeline delays. Source: Healthcare Law Insights
  • The OIG issued a favorable advisory opinion on April 7, 2026, permitting a State-designated domestic crisis provider to bill Medicare and Medicaid for therapy services while waiving cost sharing for domestic violence survivors. The provider, located in a rural, medically underserved area, has historically offered all services—including crisis lines, legal advocacy, emergency shelter, and therapy—at no cost but faced funding losses that necessitated billing Federal health care programs. Although the arrangement would technically generate prohibited remuneration under the Federal anti-kickback statute and the Beneficiary Inducements CMP, the OIG determined the risk of fraud and abuse was sufficiently low. The OIG cited factors including the provider’s historical mission of free services, the prevalence of financial abuse among domestic violence survivors, the independent determination of medical necessity by mental health professionals, and the provider’s commitment not to advertise free therapy or shift costs to Federal programs. Source: OIG Advisory Opinion No. 26-06
  • The Office of Inspector General issued Advisory Opinion 25-11 addressing how biopharmaceutical manufacturers can structure discount arrangements for vaccines in compliance with the Anti-Kickback Statute. The OIG reviewed four types of discount structures proposed by a manufacturer, including upfront discounts, purchase requirement discounts, bundled discounts, and bundled rebates offered to pharmacies, group purchasing organizations, and health care providers. While the OIG determined that upfront discounts and purchase requirement discounts meet the discount safe harbor protections, bundled discounts involving products reimbursed under different Medicare systems do not meet the safe harbor but can present low fraud risk if discounts are attributable to each product and offered equally. The OIG concluded all proposed arrangements presented low risk of fraud and abuse, though it emphasized that discounts requiring purchasers to provide marketing services or switch patients between products fall outside safe harbor protections. The opinion signals that manufacturers have flexibility to structure certain discount arrangements that do not precisely meet safe harbor requirements if they include appropriate safeguards. Source: Foley & Lardner

Regulatory & Competition

  • The FTC established a Healthcare Task Force on March 20, 2026, to centralize enforcement across competition and consumer protection matters. Chairman Andrew Ferguson created the cross-bureau unit to address consolidation, exclusionary conduct, and deceptive practices that affect prices, quality, and access to care. The Task Force draws staff from the Bureaus of Competition, Consumer Protection, and Economics, and will coordinate with the Department of Health and Human Services and the Department of Justice. The FTC blocked a $945 million medical device merger in January 2026, challenged an IDD services provider merger, opposed a cataract surgery laser system merger in March 2026, and secured a settlement with a pharmacy benefit manager over insulin pricing practices in February 2026. The agency signals it will scrutinize mergers, contracts, and innovation competition in health care markets. Source: Seyfarth Shaw LLP
  • The Trump administration has not yet determined whether to proceed with a proposed overhaul of the HIPAA Security Rule that was published by the previous administration in January 2025. Paula Stannard, director of the HHS Office for Civil Rights, told attendees at a HIPAA Summit that regulators are reviewing 4,700 public comments on the 125-page proposal, which would eliminate the distinction between “required” and “addressable” implementation specifications and mandate written documentation for all security policies. Stannard noted that the cost of cyberattacks may exceed compliance burdens, and that many entities, particularly smaller organizations, have treated addressable specifications such as encryption as optional. The proposal would also require greater specificity in security risk analyses, which Stannard identified as the most common compliance failure in Security Rule investigations. Final action on both the Security Rule update and a separate HIPAA Privacy Rule modification is anticipated for May 2025. Source: GovInfoSecurity
  • Texas HB 4224 requires healthcare providers to post instructions on how patients can request medical records, contact licensing boards, and file complaints. The law, which took effect September 1, 2025, applies to covered entities that handle personal health information and mandates postings both on websites and at physical facilities. The bill passed the Texas House 149-0 and the Texas Senate 31-0. Entities that exclusively perform claims processing, data processing, data analysis, utilization review, or billing on behalf of healthcare providers are exempt. The law addresses a gap where patients often cannot find clear information about accessing their records or filing complaints against providers. Source: Hendershot Cowart P.C.

Privacy, Cybersecurity & Data Breaches

AI in Healthcare