Ambulatory Surgery Centers
- United Surgical Partners International, Surgical Care Affiliates, and Amsurg Corporation lead the ambulatory surgery center market with 520, 320, and 250 centers respectively. CMS approved 21 new procedures for ASC coverage in 2025, focusing on dental and regenerative therapy services, while implementing a 2.9% Medicare payment increase. Major consolidation occurred through acquisitions and partnerships, with USPI acquiring 45 new centers including Covenant Physician Partners, though 67% of ASCs remained independent. Several states reformed Certificate of Need laws, with North Carolina and Tennessee planning full repeals for ASCs by 2025 and 2027 respectively, while Georgia introduced exemptions for single-specialty centers. The migration of high-acuity procedures to ASCs continued, with Surgery Partners reporting a 50% increase in total joint cases, while lower-acuity procedures moved to office-based settings.
Cybersecurity & Ransomware
- The Trump administration has indefinitely suspended all meetings of the Health Information Technology Advisory Committee (HITAC). The committee, established by the 21st Century Cures Act in 2016, consists of 25 members who recommend policies and standards for healthcare data and technologies to the federal government. The Trump administration has also paused other health agency communications and removed certain healthcare data from federal websites.
- Several healthcare organizations faced ransomware attacks in January 2025, including New York Blood Center Enterprises, where the attack affected locations across multiple states, and Frederick Health in Maryland, where it disrupted IT systems and led to patient diversions. Matagorda County, Texas, experienced a network outage due to a cyberattack, while Texas Tech University Health Sciences Center disclosed a ransomware attack affecting 533,874 individuals. Despite these incidents, blockchain analysis firm Chainalysis reported a 35% decrease in ransom payments in 2024 compared to 2023, attributing this decline to increased law enforcement action and more victims refusing to pay.
- The HHS Office for Civil Rights has proposed new cybersecurity measures for healthcare providers under HIPAA, including mandatory vulnerability scanning every 6 months and expanded annual risk analyses. Healthcare providers must implement cybersecurity protections through staff training, limited access controls, and strong password protocols to prevent data breaches. New regulations require signed attestations for reproductive health information disclosures, with additional privacy protections becoming mandatory by February 16, 2026.
Emerging Technology
- Healthcare law in 2025 will focus on four key areas of technological advancement and regulation. AI implementation in healthcare requires new legal frameworks to address risks, errors, and biases, while HIPAA and HITECH compliance becomes critical for protecting patient data against cyberattacks. Telehealth expansion drives changes in licensing requirements and reimbursement policies, while the healthcare industry continues its shift from fee-for-service to value-based care models following the ACA’s implementation. These changes necessitate new regulations for data-sharing, antitrust considerations, and risk-sharing arrangements to protect both patients and healthcare professionals.
- Healthcare providers currently use AI for tasks including disease diagnosis, chart preparation, and treatment planning. The technology presents legal risks in four main areas: HIPAA privacy violations when using public-facing AI platforms, malpractice concerns in the informed consent process, uncertainty about liability when AI recommendations lead to incorrect treatments, and potential billing errors that could trigger false claims allegations. Healthcare providers must maintain human oversight of AI systems and cannot use AI reliance as a defense against malpractice claims, while failure to use available AI technology could also create liability risks. Doctors must disclose AI use to patients during the informed consent process and ensure all AI systems comply with HIPAA requirements.
- Healthcare systems have transformed to prioritize patient accessibility through technology-enabled solutions. Remote consultations, online prescriptions, and digital platforms now allow patients to receive care without disrupting their routines. Healthcare providers maintain safety through strict regulatory compliance and secure technology for patient data protection. Artificial intelligence and wearable devices enable real-time monitoring and early detection of health risks, while electronic health records improve communication between medical professionals. The integration of these technologies creates a healthcare system that balances convenience with quality care standards.
- AI is being used in healthcare for tasks including disease diagnosis, chart preparation, pre-authorization, and treatment planning. Healthcare providers must ensure AI systems meet HIPAA requirements and avoid using public-facing AI platforms that could compromise patient privacy. Doctors remain liable for malpractice even when using AI for diagnosis and treatment recommendations, and must disclose AI use to patients during the informed consent process. The technology can create liability for coding and billing errors if incorrect recommendations are followed.
Fraud & Abuse
Gender-Affirming Care
HIPAA
- The U.S. Department of Health and Human Services announced new HIPAA security rules taking effect March 7, 2025. The updates remove the distinction between “required” and “addressable” standards, making all security measures mandatory with limited exceptions. The changes mandate encryption for all electronic protected health information, require multi-factor authentication, and establish requirements for vulnerability scanning and penetration testing. Healthcare organizations and their business associates must comply with these rules or face penalties up to $50,000 per violation with a maximum of $1.9 million per year, plus potential jail time of 1-10 years. Human error remains the leading cause of healthcare data breaches at 76%, highlighting the need for these enhanced security measures.
- HIPAA-regulated entities must report 2024 data breaches affecting fewer than 500 individuals to the HHS Office for Civil Rights by March 1, 2025. The HIPAA Breach Notification Rule requires entities to notify affected individuals within 60 days of breach discovery, with breaches affecting 500 or more residents requiring additional media notifications. For smaller breaches affecting fewer than 500 individuals, organizations can submit reports annually through the OCR data breach portal, with each breach reported separately. Business associates must notify covered entities of breaches within 60 days, though covered entities can delegate notification responsibilities back to their business associates while retaining ultimate responsibility for compliance. Failure to meet these deadlines may result in financial penalties for non-compliance.
Physician Fee Schedule
- The Medicare Physician Fee Schedule for 2025 introduces a conversion factor decrease to $32.3465, representing a 2.83% reduction from 2024. The Medicare Economic Index projects a 4.9% increase in practice costs while payments decline, creating financial pressure on healthcare providers. Care management services see notable increases, with chronic care management codes rising 8-15% and new behavioral health integration codes gaining 12-18%. Geographic Practice Cost Indices show significant adjustments in major metropolitan areas, with San Francisco maintaining the highest PE GPCI at 1.842. The MIPS program maintains its 75-point threshold with potential penalties reaching 9% for underperformers, while high performers can receive bonuses averaging 1.31%.