Accountable Care Organizations (ACOs)
- Hospital participation in Medicare accountable care organizations failed to reduce emergency department admission rates, length of stay, or costs for unplanned admissions, according to a new study that challenges the effectiveness of hospital-led ACO cost-saving strategies. Researchers analyzed 995 hospitals that joined Medicare ACOs between 2012 and 2017, tracking their performance for up to five years using Medicare claims data from 2008 to 2019. The findings remained consistent across different ACO programs, contract risk levels, and performance benchmarks, suggesting that hospitals did not alter their care delivery practices for unplanned hospitalizations after joining an ACO. The study indicates that physician-led ACOs outperform hospital-led models in generating cost savings, raising questions about the value of hospital participation in these programs. Researchers recommend that policymakers consider stronger financial incentives, such as global budgeting and multipayer alignment, to enhance hospital engagement in value-based care. Source: The American Journal of Managed Care
Data Breach and Ransomware
Data Privacy
- Researchers have developed a new blockchain framework that significantly enhances security and efficiency for electronic health records while reducing storage costs. The PDA-HIHM system combines traditional blockchain technology with a hybrid hashing approach that integrates SHA-256 with entropy-based dynamic hashing and data compression techniques. Testing showed the system achieved 27% reduced storage usage and 35% faster data retrieval compared to conventional blockchain-based health record systems. The framework demonstrated a 99.8% access control success rate with zero hash collisions during security testing, while also showing improvements in patient trust metrics of 97.62% and system efficiency of 97.43%. The system employs smart contracts for role-based access control and creates immutable audit trails for all data transactions. Source: Scientific Reports
- A study reveals that 98% of small healthcare organizations incorrectly believe they are HIPAA compliant despite using inadequate email encryption systems. The survey of 214 healthcare IT leaders at organizations with fewer than 250 employees found that most rely on Microsoft 365 or Google Workspace tools that fail to provide consistent encryption, with nearly half of healthcare email breaches stemming from Microsoft 365 alone. Common misconceptions include 83% believing patient consent eliminates encryption requirements and 20% lacking email archiving systems needed for compliance audits. Phishing attacks now account for over 70% of healthcare data breaches, with 43% of small practices experiencing such incidents in the past year while 99% have not implemented secure email transfer protocols. Recent breach penalties range from $25,000 to $9.76 million, with healthcare incidents taking an average of 308 days to detect and contain. Source: Business Wire
Emerging Tech
Fraud & Abuse
- The HHS Office of Inspector General (OIG) approved a physician-owned medical device company investment structure that complies with federal Anti-Kickback Statute requirements. On August 7, the OIG issued Advisory Opinion No. 25-09 regarding a company that develops emergency stroke treatment devices, where physicians hold approximately 35% of equity interests. The arrangement met all eight conditions of the “small entity investment safe harbor” under federal regulations, including ownership thresholds below 40%, uniform investment terms for all investors, and prohibitions on referral requirements or preferential treatment. The company implemented safeguards such as proportional profit distributions based on capital invested and written policies preventing special arrangements for physician investors. The advisory opinion provides a compliance framework for structuring physician investment arrangements in medical device companies, though it applies only to the specific facts presented and has no precedential effect. Source: ArentFox Schiff
- The Ninth Circuit Court of Appeals issued the first appellate decision interpreting the Eliminating Kickbacks in Recovery Act (EKRA) in United States v. Schena, ruling that the statute applies to payments made to marketers and not just physicians. Mark Schena, who owned Arrayit laboratory, was convicted of healthcare fraud and EKRA violations after paying marketers on a percentage-of-revenue basis to promote unnecessary allergy testing alongside COVID tests. The court rejected Schena’s argument that EKRA only prohibited payments to those who directly refer patients, finding that the statute covers situations where marketers cause individuals to obtain referrals from physicians. The court determined that percentage-based compensation structures do not violate EKRA alone, but become unlawful when marketers exert “undue influence” by misleading referral sources about the nature and need for services. The decision establishes that EKRA compliance will depend on the specific facts and circumstances of each arrangement. Source: Dykema
Medical Privacy
- Texas Senate Bill No. 1188 establishes requirements for electronic health record storage, artificial intelligence disclosure, and parental access to minor medical records starting September 1, 2025. The law mandates that healthcare practitioners and covered entities maintain electronic health records within the United States or its territories, with the geographic restriction taking effect January 1, 2026. Healthcare practitioners must inform patients when artificial intelligence tools are used in diagnosis or treatment, and they must review all AI-generated records according to Texas Medical Board standards. The legislation requires covered entities to provide parents and guardians complete and unrestricted access to their minor children’s electronic health records immediately, unless restricted by state or federal law or court order. Violations carry civil penalties ranging from $5,000 to $250,000 per violation, with the Texas Attorney General authorized to seek injunctive relief and the Texas Health and Human Services Commission empowered to investigate alleged violations. Source: Hall Render
- HIPAA compliance requirements for GPT-5 depend on who uses the AI platform and in what context. OpenAI announced GPT-5’s release last week, stating the platform should be used for healthcare navigation. HIPAA does not apply when individuals share their own health information with GPT-5, but regulations do apply when doctors use the platform to process patient data or direct patients to use it with provided access. In January, industry leaders announced Project Stargate, a $500 billion investment to build AI infrastructure focused on healthcare. While AI offers benefits like faster problem-solving and drug discovery, healthcare systems require cybersecurity built into AI platforms from the start to protect against data poisoning and other threats. Source: Mobi Health News
- Texas enacts a law delaying electronic release of cancer test results to patients by three days to allow physicians to communicate findings first. Senate Bill 922, effective September 1, pauses the immediate release of pathology and radiology reports that may show malignancy or genetic markers, giving doctors time to review and contact patients before results appear in electronic health records. The 2025 Texas Legislature passed the law in response to federal requirements under the 21st Century Cures Act that mandated immediate release of all health information to patient portals since spring 2021. Prior to this law, patients received test results electronically before physicians could review them, causing confusion when patients could not understand the medical terminology. The law allows physicians to call patients with results at any time during the three-day period. Source: Texas Medical Association
- The U.S. Department of Health and Human Services Office for Civil Rights issued new guidance clarifying that health care providers can share patient information with value-based care organizations for treatment purposes without obtaining patient authorization. The new FAQ specifically addresses protected health information disclosure to accountable care organizations and other value-based care arrangements under HIPAA Privacy Rule provisions. An updated FAQ also reinforces patients’ rights to access all information in their designated record sets, including clinical, billing, and other records used for decision-making about the individual. These changes align with the Centers for Medicare & Medicaid Services’ initiative to create a patient-centric, digital health care ecosystem announced on July 30, 2025. Health care providers must review their HIPAA policies, conduct internal audits, and ensure their systems can support complete responses to patient record requests within required timelines. Source: Baker Donelson
Licensure
Litigation
- HCA Healthcare agreed to pay $3.5 million to settle allegations from California, Colorado, and Nevada attorneys general that the hospital operator misled nurses about training repayment agreements. The states alleged that HCA failed to disclose that nurses would need to repay training costs of $4,000 in California and $10,000 in Colorado if they left their jobs within two years, affecting approximately 34,500 nurses in California alone since 2018. Under the settlement terms, California will receive $1,162,900 plus restitution for affected nurses, Nevada will get $862,276 in reimbursements and penalties, and Colorado will receive $1,393,008 for consumer redress and enforcement. The consent judgments permanently prohibit HCA from engaging in training repayment agreement practices and void all existing debts, requiring the company to request credit reporting agencies delete related information. HCA denied wrongdoing but agreed to the settlement in what it called the best interests of its nurses and hospitals. Source: Regulatory Oversight
- The Fifth Circuit Court of Appeals established that class action plaintiffs need only prove individual standing at the certification stage, not class-wide standing. The July 17, 2025 ruling in Wilson v. Centene Management Co. resolved an open question in the circuit and aligned the Fifth Circuit with the First, Third, Sixth, and Ninth Circuits in adopting the “class certification approach” over the “standing approach.” The court held that merits-based evaluation of expert testimony is inappropriate when determining standing at the class certification stage. The decision separates the threshold standing inquiry from class certification requirements under Rule 23. This ruling may make it easier for class action plaintiffs in the Fifth Circuit to satisfy standing requirements and obtain class certification. Source: Inside Class Actions
Mergers & Acquisitions
- The Federal Trade Commission sued to block Edwards Lifesciences Corp.’s $945 million acquisition of JenaValve Technology, Inc. on August 6. The deal would combine the two companies competing to develop transcatheter aortic valve replacement devices to treat aortic regurgitation, a heart condition with no currently approved treatments. Edwards previously acquired JC Medical in August 2024, whose J-Valve device is undergoing clinical trials, while JenaValve’s Trilogy TAVR device awaits FDA approval. The FTC built its case on evidence of head-to-head competition rather than traditional market share analysis, arguing the merger would eliminate competition between the only two firms with active US clinical trials. The all-Republican Commission voted 3-0 to challenge the acquisition, demonstrating the Trump administration’s focus on pipeline competition and healthcare market enforcement. Source: Katten Muchin Rosenman LLP