Healthcare Transactions & Private Equity
- Private equity firms have invested over $1 trillion in debt-financed healthcare transactions over the past decade, with 93% of healthcare companies carrying speculative debt being private equity-sponsored. A JAMA 2023 study showed a 25% increase in complications such as infections and falls following private equity investment in healthcare facilities. Private equity-sponsored healthcare businesses face a 10X increased risk of insolvency and account for two-thirds of healthcare bankruptcies, including seven of the eight largest bankruptcy cases in 2024. Rural and underserved communities experience the most pronounced consequences due to limited access to alternative providers. The NYU Stern report proposes reforms including full public disclosure of finances, prohibitions on sale-leasebacks for dividend payments, state authority to block transactions, and investor liability for healthcare fraud. Source: Rivkin Rounds
- Language used in healthcare transaction materials can create regulatory risk even when the underlying business economics are defensible. Phrases such as “internal pipeline,” “keep more cases,” “move volume,” and “drive cases to the ASC” can be interpreted as plans to steer referrals for financial return, triggering expanded diligence and increased escrows from buyers. Buyers assume deal materials reflect how growth will occur and what drives the financial model, treating any suggestion that growth depends on changing physician referral patterns as a risk allocation issue. Government investigators request internal communications including emails, texts, draft decks, and spreadsheets to prove causation and organizational mindset regarding compensation and referral arrangements. Organizations should describe capacity and access rather than routing, keep messaging grounded in operations, and separate economics from referral patterns. Source: Healthcare Law Insights
- Federal and state legislators introduced numerous bills in Q1 2026 to expand oversight of healthcare consolidation, though most state measures stalled. Of the state bills introduced, only 2 passed while 10 stalled and 10 remain active in battleground states. On the federal level, the U.S. District Court for the Eastern District of Texas vacated the FTC’s 2024 Hart-Scott-Rodino Final Rule on February 12, 2026, returning to pre-February 2025 rules while appeals proceed. Congress reintroduced the Stop Corporate Crimes Against Health Care Act of 2026, which would create federal crimes with up to six years of prison time and allow clawback of executive compensation when actions contribute to patient injury or death, and introduced the Take Back Our Hospitals Act of 2026, which would prohibit Medicare payments to hospitals or nursing facilities owned or controlled by private equity funds or REITs. State legislation shifted focus from private equity alone to include real estate investment trusts, management services organizations, and health insurers, while revisiting the corporate practice of medicine doctrine and considering private rights of action for violations. Source: Holland & Knight
Fraud & Enforcement
- The Texas Attorney General filed two lawsuits against dental providers and marketing companies over alleged kickback schemes in the Medicaid program. The state alleges that dental practices worked with marketing firms Dental Axis and Dental Market One, paying them per patient, and the marketers then offered Medicaid patients cash, gift cards, or other incentives to influence their choice of provider. Under Texas law, compensation tied to patient referrals or inducements of value can taint any resulting Medicaid claims. The cases focus on marketing violations rather than clinical care, specifically targeting per-patient payments, patient incentives, and volume-based agreements. Dentists now account for 29% of full-scale provider investigations according to the March OIG quarterly report, placing them at the top of the list despite generating only 9% of initial complaints. Source: Texas Dentists for Medicaid Reform
- The Ninth Circuit ruled on March 17, 2026, that False Claims Act claims related to alleged 340B Drug Pricing Program overcharges may proceed. In United States ex rel. Adventist Health System of West v. AbbVie Inc., the court reversed dismissal of a qui tam action where the relator alleged that drug manufacturers charged covered entities above the statutory ceiling price, particularly in scenarios requiring a $0.01 “penny price.” The court held that FCA claims are independent and not automatically barred simply because covered entities lack a private right to sue under the 340B statute. The relator alleged that manufacturers’ pricing practices harmed government programs by increasing Medicaid payments, Medicare cost-based reimbursements, and direct government purchases. The decision recognizes a pathway for alleged 340B issues to be litigated as FCA claims where overcharges tie to government payment, though the case remains at the pleading stage and returns to district court. Source: Husch Blackwell
Privacy & Data Security
- Nacogdoches Memorial Hospital disclosed a data breach that exposed information on more than 257,000 patients. The hospital became aware of the attack on January 31 and notified law enforcement while launching an investigation. Hackers accessed names, addresses, Social Security numbers, dates of birth, medical record numbers, health plan details, and patient photos. The hospital began notifying those affected on March 31 and has reported no instances of identity theft linked to the breach, though it declined to offer credit monitoring services. No hacker group has claimed responsibility, and the method of attack remains undisclosed. Source: HealthExec
- Health data now exists across marketing platforms, analytics tools, and scheduling systems outside the reach of HIPAA regulations. Data from appointment scheduling, symptom checkers, call center recordings, and website browsing can reveal conditions and treatments even when it does not qualify as protected health information. In 2025, California Attorney General Rob Bonta reached a $1.55 million settlement with Healthline under the California Consumer Privacy Act for sharing users’ article views about medical conditions with advertising partners without honoring opt-out rights. State laws including the CCPA and Washington’s My Health My Data Act now regulate health data based on what it reveals rather than where it resides, while the EU GDPR treats health data as a category requiring heightened protection regardless of who collects it. Organizations should evaluate health data based on sensitivity and implement protections for information that reveals health status, even when HIPAA does not formally apply. Source: IAPP
- Small medical practices can implement HIPAA-aligned DevSecOps without enterprise budgets by focusing on basic security controls rather than expensive tools. These organizations handle sensitive patient data through portals, scheduling systems, and cloud applications, yet often struggle with common security gaps including excessive admin permissions, secrets stored in plain text, and untested backup recovery procedures. AWS provides encryption services, CloudTrail, CloudWatch, and Secrets Manager that can support security efforts, but using these tools does not automatically ensure HIPAA compliance without proper architecture and monitoring. DevSecOps integrates security into software development and deployment processes through CI/CD pipelines that scan dependencies, detect exposed secrets, and restrict production deployments. According to Andrii Klepak, DevOps Engineer and founder of CloudCare Pro, small practices need a baseline of limited admin access, MFA, encrypted storage, controlled deployments, and tested recovery rather than enterprise security programs. Source: HIT Consultant
Artificial Intelligence in Healthcare
- Tennessee prohibits AI systems from being marketed as mental health professionals under a law signed April 1, 2026. SB 1580 bars developers or deployers of AI systems from advertising that such systems can act as qualified mental health professionals, effective July 1, 2026. The law defines AI as models and systems capable of performing functions associated with human intelligence, including reasoning and learning. A violation of the law constitutes a violation of the Tennessee Consumer Protection Act of 1977 and carries civil penalties of up to $5,000 per violation, with enforcement available through a private right of action. Tennessee lawmakers are considering companion bills that would make it a felony to train AI to encourage suicide or homicide. Source: Troutman Privacy
Regulatory Compliance
- Recipients of federal financial assistance from the Department of Health and Human Services must ensure their digital content complies with WCAG 2.1 Levels A and AA standards by May 11, 2026, if they have 15 or more employees, or by May 10, 2027, if they have fewer than 15 employees. The rule, issued by HHS on May 9, 2024, represents the first comprehensive update to Section 504 regulations in nearly 50 years and applies to hospitals, physician practices, health centers, long-term care facilities, health plans, research institutions, and medical schools that receive HHS funds. The standards cover websites, mobile apps, social media accounts, patient portals, and telehealth platforms, though five exceptions exist for archived content, preexisting documents, password-protected individualized documents, preexisting social media posts, and content posted by third parties. Medicare Part B reimbursement alone triggers coverage under the rule. Noncompliance can result in investigations, suspension or termination from government programs, loss of federal funding, and private litigation. Source: Alston & Bird
- Clinicians can communicate orders via text message to clinical staff under specific conditions. The Centers for Medicare and Medicaid Services and The Joint Commission allow text message orders when sent through HIPAA-compliant, secure texting platforms consistent with Medicare Conditions of Participation. Clinicians must ensure messages are sent securely, orders are promptly entered and authenticated in the medical record, and EHR documentation remains accurate and accessible. Many communication platforms claim HIPAA compliance, but free versions often lack this protection for texting. Organizations must routinely assess the security and integrity of their texting platforms to prevent risks to patient privacy and safety. Source: American Medical Association
- Certain federal and state agencies can conduct unannounced inspections of companies without warrants or prior notice under “walk-in authority.” Companies in regulated sectors such as healthcare, government contracting, pharmaceuticals, and the environmental sector face an inherent risk of surprise compliance inspections. Agencies with walk-in authority include the Food and Drug Administration, the Occupational Safety and Health Administration, the Environmental Protection Agency, and the Centers for Medicare and Medicaid Services, but each agency can only request materials related to its regulatory area. Agencies without walk-in authority, such as the Federal Bureau of Investigation, the Drug Enforcement Administration, and the Internal Revenue Service, must obtain a warrant or subpoena to conduct unannounced inspections. Companies can prepare by designating a communication point person, maintaining organized records, training staff, and establishing relationships with outside counsel. Source: Smith Anderson
- CMS has implemented two regulatory changes that restrict ownership transactions and new enrollments for DMEPOS suppliers. The agency extended the 36-month rule to DMEPOS suppliers through a final rule published December 2, 2025, effective January 1, 2026, which prevents Medicare billing privileges from transferring to new owners when a change in majority ownership occurs within 36 months of initial enrollment or the most recent ownership change. On February 27, 2026, CMS imposed a nationwide six-month moratorium on new Medicare enrollments for certain DMEPOS medical supply companies across all 50 states, U.S. territories, and the District of Columbia. The intersection of these regulations means that suppliers undergoing ownership changes within the 36-month window during the moratorium period cannot reenroll in Medicare, potentially eliminating Medicare revenue from acquired businesses. Florida has followed suit with its own six-month moratorium on new DME provider enrollments in the state Medicaid program effective March 2026. Source: Katten Muchin Rosenman LLP
Insurance & Reimbursement
- A federal court in Connecticut ruled that assignment-of-benefits forms must contain language explicitly conveying “all rights and benefits” for health care providers to pursue reimbursement claims against insurers. The court granted in part and denied in part a motion to dismiss in Abira Medical Laboratories LLC v. Aetna Inc. et al., allowing breach of contract claims to proceed where assignment forms stated patients assigned “all rights and benefits” under their health plans. The court dismissed claims supported only by power-of-attorney language, stating that power of attorney alone does not enable a provider to bring suit in its own name. Abira alleged Aetna and CVS failed to pay $20.6 million for laboratory services, but the court dismissed the ERISA claim because Abira failed to identify specific plan terms that were breached. The court limited state-law claims to health plans not governed by ERISA. Source: ArentFox Schiff
