Wade’s Health Law Highlights for December 16, 2025

Antitrust

• Texas Attorney General Ken Paxton filed a lawsuit against Epic alleging the company monopolizes the electronic health record market and restricts parental access to children’s medical records. The lawsuit claims Epic, which controls 42% of the hospital EHR market and maintains records for 325 million patients, uses exclusionary tactics to prevent competition from partners, customers and employees, and interferes with hospitals’ ability to use their own patient data. Paxton alleges Epic automatically hides children’s medication lists, treatment notes and provider messages from parents when the child turns 12, violating Texas law that grants parents unrestricted access to their children’s medical records. Epic responded that doctors and health systems, not the company, determine parental access to children’s records, and that the lawsuit fails to understand Epic’s business model and market position. The lawsuit is part of Paxton’s initiative to investigate EHR vendors’ compliance with state laws on parental access, following a settlement earlier this year with Austin Diagnostic Clinic that restored parental proxy access for children aged 12 to 17. Source: Fierce Healthcare

Artificial Intelligence

• AI implementation in healthcare functions as an intangible asset that can be valued through income, market, and cost approaches. The technology reduces workforce expenses and human error while improving efficiency through labor cuts, error reduction, and resource allocation, which can result in fewer medical supplies being used. Healthcare organizations face risks from AI adoption, including HIPAA violations when protected health information enters non-compliant systems, malpractice liability from AI-guided physical therapy appointments, and potential errors from poor data quality. AI that identifies coding errors, documentation gaps, and billing anomalies reduces exposure to audits and penalties, supporting more stable financial projections. Some healthcare businesses already use AI through software vendors for patient charting and billing without full awareness, creating compliance vulnerabilities. Source: VMG Health
• The technology industry is undergoing a shift from the “Rule of 40” to a new “Rule of Data” as open-source AI models achieve parity with proprietary alternatives. The median Rule of 40 score dropped to 12% in Q1 2025, while investors now prioritize proprietary data assets over revenue growth metrics. AI-Native companies command valuation multiples of 20x-50x revenue compared to 5x-10x for AI-Enabled firms, with biological data emerging as the most defensible asset class. The Burn Multiple (Net Burn divided by Net New ARR) has become the key metric, with ratios below 1.5x considered optimal. In Q3 2025, AI funding represented 46% of all venture capital dollars, with investors paying premiums for companies demonstrating data flywheels while seed funding for wrapper startups has declined. Source: Healthcare Digital

Enforcement

• Federal agencies will deploy machine learning tools in 2026 to detect healthcare fraud faster and more broadly than before. The DOJ, HHS-OIG, and CMS are expanding use of AI to analyze claims data, referral patterns, and prescribing practices in Medicare and Medicaid programs. DOJ and HHS established a False Claims Act Working Group and will pursue expanded liability theories, particularly for Medicare Advantage risk-adjustment submissions. Enforcement will target telehealth providers for remote prescribing of controlled substances, pharmacies and PBMs for opioid-related practices, and value-based care arrangements for improper incentive structures and quality-metric manipulation. States are increasing fraud enforcement in Medicaid and commercial-payer markets through mandatory fraud reporting and AI detection initiatives. Source: Arnall Golden Gregory LLP

HIPAA

• The Office for Civil Rights has mandated that healthcare providers grant parents access to minors’ non-confidential health records through patient portals, marking the first time OCR has made this requirement explicit and an enforcement priority. The guidance followed a complaint about a school-administered vaccine given to a minor without parental consent. Under HIPAA, parents serve as personal representatives with rights to access protected health information, except when state law permits minors to consent to services independently or when parents agree to confidential relationships between minors and providers. Many healthcare organizations previously blocked all parental portal access for adolescents due to technical limitations in separating confidential from routine care within electronic health record systems. OCR now states that denying parents electronic access to non-confidential information may violate the HIPAA Privacy Rule, requiring organizations to reconfigure systems, modify default settings, and work with vendors to isolate confidential services. Source: Holt Law
• CHIME and more than 100 hospital systems and provider organizations have called for HHS to withdraw proposed updates to the HIPAA Security Rule. The proposed update, issued in December 2024 under the Biden administration, spans over 390 pages and mandates cybersecurity measures that convert previously voluntary performance goals into requirements. In a December 8, 2025 letter to HHS Secretary Robert F. Kennedy, Jr., signatories requested withdrawal of the rule and a collaborative approach to develop standards without what they characterize as crushing regulatory burdens. The organizations cite concerns about financial costs and implementation timelines given the complexities of healthcare delivery systems. While the signatories support updating cybersecurity standards and recognize cybersecurity as a patient safety issue, they advocate for policy development that includes input from providers and patients. Source: HIPAA Journal

Reimbursement

• Congress passed Medicaid cuts that will reduce federal spending by $700 billion over the next decade, marking the program’s largest contraction since its inception. The policy measures include tighter eligibility rules, lower federal matching rates, and restrictions on hospital and nursing home payments eligible for federal reimbursement. More than 37 million children and millions of long-term care patients will lose coverage, as Medicaid covers 40% of pediatric office visits, nearly 50% of pediatric hospital admissions, and 60% of extended nursing home stays. Healthcare providers will face fewer covered patients and lower reimbursement rates while still absorbing uncompensated emergency care costs, yet federal healthcare fraud enforcement is expanding, with the Department of Justice adding Massachusetts to its healthcare fraud Strike Force. False Claims Act settlements routinely exceed any revenue lost to Medicaid cuts, making compliance spending cuts a risk for companies facing revenue pressure. Source: Goodwin Law

Risk Management

• AI models trained on patient health information pose security risks that extend beyond traditional data breaches. Healthcare systems integrate AI across telehealth, diagnostics, billing, claims, and scheduling, but models fine-tuned on PHI, imaging, EHRs, or claims data can become gateways to HIPAA-protected content. An IBM report found that 13% of organizations have experienced breaches of AI models or applications, and 97% lacked proper access controls. The training process opens vulnerabilities through data leakage, model inversion, and prompt injection. Organizations should implement three security pillars: PHI minimization and data policy (limiting training datasets, isolating models, establishing retention timelines aligned with HIPAA), segmented AI environments (creating smaller purpose-built models by department or dataset), and continuous monitoring and validation (automated logging and auditing for abnormal access patterns, data leakage, model manipulation, and credential drift). Source: Health IT Answers

Telehealth

• President Trump signed legislation on November 12, 2025, extending Medicare telehealth flexibilities through January 1, 2026. H.R. 5371 reverses a rollback of pandemic-era telehealth rules that occurred following a government shutdown. The extension permits Medicare beneficiaries to receive telehealth services from their homes without geographic restrictions, allows audio-only telehealth coverage, and expands the list of practitioners who can furnish and bill for Medicare telehealth services. The legislation also permits federally qualified health centers and rural health clinics to continue serving as distant site practitioners and defers in-person visit requirements. The Centers for Medicare and Medicaid is expected to issue guidance on claim submissions and retroactive reimbursement, but providers must prepare for potential changes when these flexibilities expire. Source: Greenbaum, Rowe, Smith & Davis LLP