Wade’s Health Law Highlights for August 12, 2025

Breach Notifications

  • Two Texas healthcare facilities disclosed data breaches affecting nearly 10,000 patients combined. Nova Recovery Center in Wimberley detected unauthorized network access on May 25, 2025, which compromised personal information of 7,713 individuals including names, addresses, Social Security numbers, and financial data. The facility confirmed the breach on June 17, 2025, and provided credit monitoring services to affected patients. OB/GYN Medical Center Associates in Houston reported a separate incident involving ConnectOnCall, a voicemail service provider that experienced unauthorized access between February 16, 2024, and May 12, 2024, affecting 2,132 patients. The compromised data included names, medical conditions, medications, procedures, and other personal health information disclosed in voicemail messages. Source: HIPAA Journal
  • Oklahoma has enacted Senate Bill 626 that expands data breach notification requirements and will take effect on January 1, 2026. The state Attorney General must be notified about breaches affecting 500 or more residents, or 1,000 or more residents for credit bureau systems, within 60 days of individual notifications being mailed. The law broadens the definition of personal information to include unique electronic identifiers with security codes and biometric data such as fingerprints and retina images. Entities that employ reasonable safeguards and issue breach notifications will be shielded from civil penalties of up to $150,000 per breach. Organizations compliant with HIPAA, the Oklahoma Hospital Cybersecurity Protection Act, or the Gramm-Leach-Bliley Act are deemed compliant with the requirements if they notify the Attorney General within 60 days. Source: HIPAA Journal

Cybersecurity

  • Texas has enacted Senate Bill 2610, becoming the fifth state to implement cybersecurity safe harbor protections that shield businesses from punitive damages in data breach cases. Governor Greg Abbott signed the law, which formally recognizes the Center for Internet Security Critical Security Controls as a standard for demonstrating reasonable cybersecurity practices. The legislation establishes a tiered system where businesses with fewer than 20 employees face simplified requirements, those with 20-99 employees must implement CIS Controls Implementation Group 1, and companies with 100-249 employees must comply with frameworks such as NIST CSF or ISO/IEC 27000-series standards. Texas joins Ohio, Utah, Connecticut, and Iowa in offering safe harbor protections, and follows Nevada in recognizing CIS Controls as a benchmark for reasonable cybersecurity practices. The law incentivizes businesses to adopt cybersecurity programs by providing legal protection when they meet specific cybersecurity criteria. Source: KGET
  • Proposed amendments to the HIPAA Security Rule would mandate comprehensive cybersecurity requirements for healthcare organizations handling electronic protected health information (ePHI). The modifications would require encryption of ePHI at rest and in transit, multi-factor authentication, annual compliance audits, vulnerability scanning at least every six months, and annual penetration testing. Organizations would have to maintain written documentation for all Security Rule policies and procedures, update technology asset inventories and network maps at least annually, and conduct risk assessments that include AI systems accessing ePHI. The rules specifically address AI governance by requiring documentation of AI system training data, prediction models, and algorithm data, while requiring organizations to monitor AI tools for vulnerabilities and potential impacts on ePHI confidentiality, integrity, and availability. Although the proposal was published January 6, 2025, with compliance contemplated by January 6, 2026, the new administration has since paused HHS regulation updates and the rule has not been finalized. Source: Ankura

Data Privacy

  • Differential privacy protects personal data by adding calibrated random noise to query results or released datasets, so organizations can analyze and share aggregate information without revealing whether any particular individual is present. The guarantee is expressed through two parameters: epsilon bounds how much any one person’s record can change the probability of any output (smaller epsilon means more noise and stronger privacy), and delta is the small probability that this bound is allowed to fail. Companies including Apple, Google, and Microsoft have implemented differential privacy in their products, and the U.S. Census Bureau used it to protect respondents in the 2020 Census. The method has applications across healthcare research, mobile user behavior analysis, and advertising campaign assessment, though it degrades on small datasets: the noise required for a given epsilon does not shrink with the data, so small counts can be swamped by it. Despite these constraints, differential privacy enables broader data sharing with a mathematical, rather than merely procedural, privacy guarantee. Source: Built In
  • Healthcare facilities face mounting cybersecurity risks as IoT device adoption grows and patient data moves to cloud storage systems. Personal health information reportedly trades for 10-20 times more than stolen credit card data on the dark web, making healthcare networks prime targets for cybercriminals. Major vulnerabilities include devices with default passwords, unencrypted data transmission, cloud misconfigurations, and unpatched firmware in medical equipment. The 2017 WannaCry ransomware attack demonstrated these risks when it compromised over 300,000 systems across 150 countries, severely impacting the UK’s NHS hospitals running outdated Windows software. Healthcare organizations must implement end-to-end encryption, zero trust architecture, device hardening, network segmentation, and real-time monitoring to protect patient data and maintain compliance with HIPAA and GDPR. Source: Programming Insider
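The differential privacy item above describes the mechanism only in words. The following is an added example, not code from the newsletter or from the Built In article it summarizes: it answers a counting query ("how many patients have the condition?") over a constructed patient table using the Laplace mechanism for pure epsilon-DP and the classic Gaussian mechanism for (epsilon, delta)-DP, then checks numerically that the privacy loss between two neighbouring databases never exceeds epsilon and shows why small counts suffer (expected noise is 1/epsilon regardless of dataset size). The patient records and the query are constructed for illustration; the Gaussian sigma formula is the standard one from Dwork and Roth (valid for epsilon below 1).

```python
"""Differential privacy on a toy patient table (added example, not from the
newsletter or its cited article). Shows the Laplace mechanism (epsilon-DP),
the classic Gaussian mechanism ((epsilon, delta)-DP), a numerical check of
the privacy-loss bound, and the small-dataset accuracy problem."""
import math
import random

# Constructed sample data: (patient_id, has_condition). Not real patients.
PATIENTS = [(i, i % 3 == 0) for i in range(30)]  # exactly 10 of 30 are True


def true_count(records):
    """Exact, non-private answer to 'how many have the condition?'."""
    return sum(1 for _, flag in records if flag)


def laplace_sample(scale, rng):
    """Laplace(0, scale) noise as the difference of two Exp(1/scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def laplace_pdf(x, scale):
    """Density of Laplace(0, scale) at x."""
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def noisy_count(records, epsilon, rng):
    """epsilon-DP count. One person changes a count by at most 1 (sensitivity
    1), so Laplace noise with scale 1/epsilon gives epsilon-DP."""
    return true_count(records) + laplace_sample(1.0 / epsilon, rng)


def max_privacy_loss(epsilon, count=10, grid=2000):
    """Largest |ln p(x | count) / p(x | count + 1)| over a grid of outputs x.
    This is the privacy loss between two neighbouring databases (they differ
    in one record); the Laplace mechanism guarantees it is at most epsilon."""
    scale = 1.0 / epsilon
    worst = 0.0
    for k in range(grid + 1):
        x = count - 20.0 * scale + 40.0 * scale * k / grid
        loss = abs(math.log(laplace_pdf(x - count, scale))
                   - math.log(laplace_pdf(x - count - 1, scale)))
        worst = max(worst, loss)
    return worst


def gaussian_sigma(epsilon, delta, sensitivity=1.0):
    """Noise std for the classic Gaussian mechanism:
    sigma = sqrt(2 ln(1.25/delta)) * sensitivity / epsilon, for 0<epsilon<1.
    delta is the probability that the epsilon bound may fail."""
    if not 0.0 < epsilon < 1.0 or not 0.0 < delta < 1.0:
        raise ValueError("classic Gaussian mechanism needs 0<epsilon<1, 0<delta<1")
    return math.sqrt(2.0 * math.log(1.25 / delta)) * sensitivity / epsilon


def noisy_count_gaussian(records, epsilon, delta, rng):
    """(epsilon, delta)-DP count via Gaussian noise."""
    return true_count(records) + rng.gauss(0.0, gaussian_sigma(epsilon, delta))


def relative_error(count, epsilon):
    """Expected |Laplace noise| is exactly 1/epsilon, independent of dataset
    size, so relative error 1/(epsilon*count) explodes for small counts."""
    return (1.0 / epsilon) / count


def mean_abs_error(epsilon, trials, seed=0):
    """Monte Carlo estimate of E|noise| for the Laplace mechanism."""
    rng = random.Random(seed)
    scale = 1.0 / epsilon
    return sum(abs(laplace_sample(scale, rng)) for _ in range(trials)) / trials


if __name__ == "__main__":
    rng = random.Random(42)
    print("true count:", true_count(PATIENTS))
    for eps in (0.1, 1.0, 10.0):
        print(f"eps={eps:5}: Laplace answer {noisy_count(PATIENTS, eps, rng):7.2f}, "
              f"max privacy loss {max_privacy_loss(eps):.3f} (bound {eps})")
    print("Gaussian (eps=0.5, delta=1e-5) sigma:", round(gaussian_sigma(0.5, 1e-5), 2))
    print("Gaussian answer:", round(noisy_count_gaussian(PATIENTS, 0.5, 1e-5, rng), 2))
    print("relative error, eps=1: count 10 ->", relative_error(10, 1.0),
          " count 100000 ->", relative_error(100_000, 1.0))
```

Run it a few times with different seeds: the answer for the 30-row table wanders by several patients at epsilon 0.1 and by about one at epsilon 1, while the same noise on a count of 100,000 would be invisible. That is the accuracy trade-off the item above alludes to, and why practitioners budget epsilon per release rather than per query.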

Dental Service Organizations (DSOs)

  • DSO transactions face complex regulatory challenges that require careful structuring to comply with state laws prohibiting corporate practice of dentistry. Most states prevent non-dentists from directly owning dental practices, forcing DSOs to operate through management agreements with dentist-owned entities rather than direct ownership structures. Buyers must address practitioner retention through production-based compensation and non-compete agreements, though enforceability varies by state and must comply with healthcare fraud and abuse laws. Physical clinic locations present risks when lease agreements contain change-of-control provisions that require landlord consent for transactions. Additional transaction complexities include managing deferred revenue obligations from prepaid services, conducting billing compliance audits to identify potential upcoding issues, and navigating state healthcare transaction review laws that may require pre-closing notice or approval. Source: Bass, Berry & Sims PLC

Emerging Tech

  • Mount Sinai researchers found that six large language models demonstrated hallucination rates between 50% and 83% when exposed to fabricated medical information. The study, published in Communications Medicine (a Nature portfolio journal), tested 300 clinical cases containing false medical details and measured how frequently each model elaborated on the incorrect information. GPT-4o performed best with hallucination rates of 50.0% for short cases and 53.3% for long cases, while DeepSeek performed worst with rates of 82.7% and 80.0% respectively. The other models tested—Llama 3.3, Phi-4, Gemma-2-27b-it, and Qwen2.5-72B—showed hallucination rates ranging from 58.7% to 82.0%. Prompt mitigation techniques reduced the average hallucination rate from 65.9% to 44.2% but did not eliminate the errors. Source: Healthcare IT News
  • AI systems in healthcare face two distinct types of errors that pose risks to patient safety. Hallucinations occur when AI generates completely fabricated information that does not exist in training data or reality, such as inventing medical conditions or citing nonexistent studies. Confabulations happen when AI misrepresents or distorts real information, such as citing legitimate sources but misinterpreting their findings or applying them incorrectly. Both types of errors can lead to misdiagnoses, inappropriate treatments, and loss of trust in digital tools. Healthcare organizations can prevent these errors through five methods: using peer-reviewed training data, implementing validation testing, incorporating human oversight, using confidence scoring systems, and restricting AI outputs to verified knowledge sources. Source: Wolters Kluwer
  • AI-ready data serves as the foundation for next-generation radiology tools as healthcare systems face mounting imaging volumes and increasing complexity. AI-ready data refers to patient studies that are curated, standardized, and integrated for artificial intelligence systems, including high-quality images, comprehensive annotations by radiologists, standardized formats like DICOM, rich metadata with clinical context, and de-identified secure data. Machine learning algorithms require vast amounts of well-annotated, diverse data to recognize patterns and detect abnormalities with precision, while curated datasets help minimize biases and ensure AI tools perform reliably across different patient populations and imaging modalities. The process involves data collection from diverse sources, expert annotation by radiologists, quality assurance verification, standardization and structuring of metadata, and continuous monitoring with real-world data to refine systems over time. Challenges remain in data variability, privacy protection, bias mitigation, clinical validation, and maintaining human oversight where radiologists retain decision-making authority supported by AI. Source: Healthcare Dive

HIPAA

  • HIPAA applies to far fewer organizations than commonly believed, contrary to the widespread assumption that all health and medical data falls under federal regulation. The law covers only three categories of “covered entities”: health plans, health care clearinghouses, and health care providers that electronically transmit health information in connection with standard transactions such as insurance claims, payments, or eligibility verification. Healthcare providers that operate on a cash-only basis and do not accept insurance—such as specialty practices, small medical offices, or certain pharmacies—typically fall outside HIPAA’s scope. Companies that wrongly assume they are outside HIPAA may face penalties for non-compliance, while those that wrongly believe they are covered may overlook obligations under state privacy laws that apply when HIPAA does not. The distinction has become more critical as data breaches targeting healthcare providers have increased, particularly among smaller providers with weak security controls. Source: BCLP – Bryan Cave Leighton Paisner

Medicare Reimbursement

  • MIPS has streamlined its Improvement Activities requirements for 2025 by eliminating the weighting system and reducing the number of measures healthcare practices must select. Small practices with 15 or fewer NPIs now need to choose only one of 104 available IA measures, while larger practices must select just two measures. The changes come as healthcare faces a projected shortage of 17,800–48,000 primary care physicians and 21,000–77,100 non-primary care physicians by 2034, with ophthalmologists reaching crisis levels by 2035. Key IA measures include promoting clinician wellbeing through surveys and implementation plans, participating in private payer clinical practice improvement activities, and developing written policies to ensure equal treatment of Medicaid patients. These measures focus on care delivery, patient engagement, and operational efficiency rather than just compliance scoring. Source: VMG Health
  • CMS established a mandatory payment model targeting specialists who treat heart failure and low back pain patients. The Ambulatory Specialty Model, announced July 10, 2025, will run from 2027 through 2031 and represents CMS’s first mandatory alternative payment model for specialists treating chronic conditions in outpatient settings. Participation becomes mandatory for clinicians who treat at least 20 episodes annually of heart failure or low back pain, with targeted specialties including anesthesiology, pain management, neurosurgery, orthopedic surgery, interventional pain management, and physical medicine and rehabilitation. The model evaluates participants using MIPS framework across quality, clinical practice improvement, cost, and interoperability domains, with payment adjustments of up to 9 percent positive or negative based on performance. CMS selected these conditions because they represent 6 percent of total annual spending for traditional Medicare, and the agency is accepting public comments through September 12, 2025. Source: The National Law Review
  • CMS will deploy AI technology to screen prior authorization requests for Medicare services starting January 2026 through its Wasteful and Inappropriate Services Reduction program. The program, introduced July 1, 2025, requires prior authorization for select fee-for-service Medicare treatments in Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington, targeting procedures such as nerve stimulators, cervical fusions, and incontinence treatments. CMS will partner with Medicare Advantage plans and other payors as “model participants” who will use AI tools to review and approve or reject treatment requests, including determinations of medical necessity. Model participants will receive compensation based on a share of expenditures they prevent, creating financial incentives that may increase denials for covered services. The program may conflict with state laws limiting AI use in utilization management, and providers should prepare for increased denials and enhanced documentation requirements before the 2026 launch. Source: Jones Day

Physician Compensation

  • Texas Senate Bill 1318 will impose new restrictions on noncompete agreements for physicians and healthcare workers beginning September 1, 2025. The law extends noncompete requirements beyond physicians to include dentists, professional and vocational nurses, and physician assistants for the first time. All noncompete agreements entered into or renewed after the effective date must include a buyout cap not exceeding the employee’s annual salary, limit geographic scope to a five-mile radius, restrict the term to one year, and state all conditions in writing. The legislation voids physician noncompete agreements when the doctor is terminated without “good cause,” defined as conduct, performance, or employment record issues. The new requirements apply only to medical practice roles, with an exception for physicians and healthcare practitioners serving solely in administrative capacities. Source: Haynes Boone
  • CMS proposes payment increases and cost-cutting measures in its 2026 Medicare Physician Fee Schedule. The Centers for Medicare and Medicaid Services proposed rule establishes two conversion factors that would increase payments by 3.83% for providers participating in Advanced Alternative Payment Models ($33.59) and 3.62% for non-participants ($33.42). The proposal includes a new mandatory Ambulatory Specialty Model launching in 2027 that focuses on heart failure and lower back pain management, requiring providers to take on two-sided financial risk. CMS also proposes to cut skin substitute payments by approximately 90% by reclassifying them from biologicals to incident-to supplies, and to create three new G-codes for behavioral health integration services. Healthcare providers have until September 12 to submit public comments before CMS finalizes the rule. Source: MSLaw Blog