Wade’s Health Law Highlights for February 3, 2026

Drug & Device

• Reference product exclusivity grants biological products 12 years of market protection under the Biologics Price Competition and Innovation Act, during which the FDA will not approve biosimilar applications referencing the product. The FDA may not issue licensure of a biosimilar product under a 351(k) BLA until 12 years after the reference product was first licensed, and biosimilar applications cannot be submitted for FDA review until four years after first licensure. Not all 351(a) BLAs qualify for RPE, including supplements to existing BLAs and applications filed by the same sponsor with changes that do not modify the product structure or affect safety, purity, or potency. Two questions remain unresolved: whether umbrella exclusivity applies to biologics and whether fixed-dose combinations, such as monoclonal antibodies combined with hyaluronidase, qualify for their own RPE. The FDA has not finalized its guidance on RPE, and determination is not automatic at approval but typically initiated at the applicant’s request or when a biosimilar sponsor submits an application. Source: Alston & Bird

Fraud & Abuse

• HHS OIG issued its first Special Advisory Bulletin in nearly 12 years, concluding that pharmaceutical manufacturers can operate direct-to-consumer prescription drug sales programs with low risk of violating the Anti-Kickback Statute if certain safeguards are met. The bulletin specifies that low-risk programs must require prescriptions from independent third-party prescribers, prohibit claims submission to any insurer, avoid conditioning purchases on future sales, and refrain from marketing other federally reimbursable products. Programs must make drugs available for at least one full plan year and should not offer controlled substances. The guidance addresses only transactions between manufacturers and cash-paying patients, leaving questions about arrangements with third parties such as telemedicine vendors, pharmacies, and prescribers. HHS OIG identified two main risks: using discounted drugs to market other reimbursable products and seeding programs that expect future purchases to be billed to federal programs. Source: Morgan Lewis
• The Fifth Circuit is considering whether qui tam provisions of the False Claims Act violate Article II of the Constitution. Cheryl Taylor sued Healthcare Associates of Texas (HCAT) under the 1863 statute, and a jury found HCAT submitted tens of thousands of fraudulent Medicare claims costing taxpayers over $2,000,000. HCAT argues the qui tam provisions are unconstitutional because they permit private litigants to exercise enforcement power vested in the executive branch. The Constitutional Accountability Center filed an amicus brief in January 2026 on behalf of legal scholars, arguing qui tam litigation dates to thirteenth-century England and was practiced by the Framers, including Alexander Hamilton and John Adams. The brief notes that early presidential administrations led by Washington and Jefferson concluded they could not remit penalties recovered by private qui tam litigants, and defendants never challenged qui tam lawsuits as encroaching on executive authority throughout the nineteenth century. Source: Constitutional Accountability Center
• A federal court ordered a California rehabilitation center and its owner to pay over $1.5 million for fraudulently obtaining multiple pandemic relief loans. The United States District Court for the Central District of California granted summary judgment on January 15, 2026, against JMG Investments Inc. and Jeffrey Schwartz for violating the False Claims Act. Schwartz received two Paycheck Protection Program loans in 2020, despite certification requirements that limited borrowers to one loan prior to December 31, 2020. The court ordered them to pay $1,565,294.38 in damages and penalties after they failed to repay the duplicate loan. The case originated from a whistleblower lawsuit filed under the qui tam provisions of the False Claims Act. Source: United States Department of Justice

HIPAA

• Covered entities face a February 16, 2026 deadline to update their Notices of Privacy Practices under HIPAA. The requirement applies to two separate obligations: updates related to the Reproductive Health Privacy Rule, which remain enforceable despite a Texas court decision curtailing other portions of that rule, and updates to address substance use disorder records. HHS finalized a 2024 rule requiring all HIPAA-covered entities that create, receive, maintain, or transmit substance use disorder information to update their notices, including health plans, employers, and other entities that handle these records through care coordination, payment, or health care operations. HHS has not issued an updated model notice, so covered entities and plan sponsors must work with counsel to draft language and confirm distribution procedures before the deadline. Source: Benefits Law Advisor
• The HHS Office for Civil Rights increased penalties for HIPAA violations effective January 28, 2026, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The adjustment was applied more than a year late, as it was due by January 15, 2025. Under the new structure, penalties for willful neglect not corrected within 30 days range from $73,011 to $2,190,294 per violation, with an annual cap of $2,190,294. However, a 2019 Notice of Enforcement Discretion remains in effect, lowering maximum penalties and annual caps in three of the four penalty tiers. Violations of Part 2 regulations carry lower penalties than HIPAA violations despite covering more sensitive data, with penalties ranging from $103 to $1,538,970 depending on the violation tier. Source: HIPAA Journal

Hospitals

• Rural hospitals are deploying AI tools to address staffing shortages and expand care access. An American Hospital Association report released Jan. 26 documents how facilities like Sanford Health and Central Montana Medical Center use AI applications for documentation, scheduling, and care coordination. Central Montana Medical Center implemented ambient AI scribing that reduced after-hours charting demands for physicians at the 25-bed hospital. Sanford Health’s AI-powered outreach system raised appointment connect rates from 40% to 56% and enabled over 12,000 patients to access mental health services through virtual care programs. The hospitals implemented these tools without adding staff or infrastructure. Source: Becker’s Hospital Review

Labor & Employment

• Healthcare employers face ongoing challenges from privacy regulations, staffing shortages, and workplace safety requirements that began in 2025 and continue into 2026. In 2025, privacy litigation increased as employers navigated ADA compliance, federal privacy protections for substance-abuse records and reproductive health information, state AI and health data laws, and heightened HIPAA enforcement by HHS. Healthcare employers encountered wage and hour considerations stemming from proposed FLSA exemption changes, civil awards for worker misclassification, state court rulings on meal and rest periods, restrictions on noncompetition provisions, and a $100,000 federal fee for H-1B visa petitions that impacted the supply of healthcare professionals. Healthcare employers reported among the highest numbers of workplace safety incidents, including patient assaults against workers, and faced new state laws regarding threats, viral exposure expectations, workplace violence prevention measures in eight states, and proposed rulemaking on COVID-19 exposure in healthcare settings. In 2026, states continue to pass AI employment laws, including Illinois legislation limiting discriminatory AI in employment decisions and Colorado’s Artificial Intelligence Act set for summer 2026 effectiveness, while Washington and Minnesota enacted legislation affecting healthcare worker meal and rest period breaks. Source: Ogletree

Med Spas

• MedSpa owners must navigate corporate practice of medicine (CPOM) laws that restrict non-physician ownership and control of medical services in states including California, New York, and Texas. California requires physicians to own at least 51% of medical entities, while non-clinician investors may participate through management services organizations (MSOs) under the “Friendly PC Model,” though Oregon, Massachusetts, and California are advancing legislation to strengthen CPOM enforcement. Fee-splitting laws prohibit physicians from sharing profits with non-physicians related to medical procedures, and state anti-kickback laws ban payments tied to patient referrals or business volume. Medical-grade treatments must be performed by licensed professionals within their scope of practice, with physician supervision requirements varying by state—California limits physicians to supervising four mid-level providers at a time, though 104 NP applications opening January 1, 2026, will allow some nurse practitioners to practice independently. MedSpas must ensure marketing materials are accurate, obtain written informed consent outlining risks and benefits, comply with HIPAA and state privacy laws, and maintain insurance coverage including professional liability, general liability, and cyber liability policies. Source: Healthcare Law Blog

Medicare Reimbursement

• CMS issued a proposed rule to strengthen oversight of Organ Procurement Organizations and increase organ availability for transplant patients. The rule builds on 2020 reforms that doubled the number of top-performing OPOs from 15 to 30 between 2021 and 2023, while organ donors increased by 31% and transplants by 25% over four years. The proposal removes pancreata used for islet cell research from transplantation rate calculations and establishes separate evaluation of each donation service area, allowing CMS to remove OPO designation from underperforming regions. CMS proposes eliminating the requirement that limits certification to OPOs recertified between 2002-2005, opening a path for new organizations to enter the system. The agency seeks public comment on conflicts of interest in organ procurement and automated electronic referrals from donor hospitals. Source: CMS

Mergers & Acquisitions

• Three sectors dominated private equity investment in 2025 despite headwinds from high interest rates and extended holding periods. Healthcare deal value reached $299.1 billion in 2025, a 21.8% increase from 2024, with dental service organizations accounting for at least 130 deals as of June 2025. The energy sector saw a 49% increase in average capital invested compared to 2024, driven by electricity demand growth of 4.3% in 2024 and data center expansion. Technology deals totaled $285.9 billion through the third quarter of 2025, with applied AI investments reaching $17.4 billion, up 47% from the previous year. The sectors face regulatory uncertainty around tariffs and increased scrutiny at state and federal levels, particularly in healthcare. Source: Norton Rose Fulbright
• Dental service organizations remain among the most active healthcare investment sectors entering 2026, with transaction volume exceeding 100 deals annually in recent years. Private equity-backed DSOs continue to deploy capital through add-on acquisitions by established platforms, with industry analysts projecting continued activity focused on specialty dentistry, multi-state expansion, and platform recapitalizations. Orthodontics, oral surgery, pediatric dentistry, and endodontics attract investment due to case complexity and margin profiles. However, success depends on execution across valuation, compensation economics, integration, and compliance, with risks including inconsistent revenue recognition, integration challenges, and regulatory exposure from multi-state growth. DSOs increasingly require fair market value assessments for compensation arrangements and standardized coding practices as scale magnifies compliance risks. Source: VMG Health

Overpayments

• Florida enacted CS/CS/SB 1808, requiring health care facilities and practitioners to refund patient overpayments within 30 days of determination. The law, which takes effect January 1, 2026, applies to health care facility licensees including hospitals and ambulatory surgical centers, as well as practitioners such as physicians, nurses, dentists, and pharmacists. The statute is codified across four sections of Florida law, with facilities facing fines up to $500 per violation and practitioners subject to professional discipline. Each day of a continuing violation can be counted as a separate offense, causing penalties to compound. Providers must update revenue cycle policies, define when overpayments are determined, and establish documentation procedures to comply with the statute. Source: Health Care Law Matters

Privacy

• Privacy concerns drive consumer decisions on wearable devices as adoption reaches over 1 billion users. A Clutch survey reveals that 74% of respondents worry about how their wearable devices handle personal data, while only 58% express confidence in data protection. Most respondents said they would consider switching brands if they had concerns about data privacy, with confidence levels varying by brand. Users ranked accuracy as the most valued factor in wearable technology, followed by battery life and device design. Wearable device makers in the U.S. operate outside the scope of HIPAA protections, and data collected moves from devices through mobile apps, networks, and cloud platforms, creating exposure at each step. Source: Help Net Security
• Privacy has become the operational core of AI governance as multiple regulatory frameworks take effect between 2024 and 2026. The Colorado AI Act takes effect June 30, 2026, California’s ADMT compliance obligations trigger January 1, 2027, and the EU AI Act’s high-risk requirements are already in force. Privacy violations in AI systems arise from prompt injection attacks that reveal training data, unintended training on proprietary data when employees use commercial AI tools, and algorithmic inferences that constitute personal information. Commercial AI tools including ChatGPT, Gemini, and Claude default to allowing training on user inputs unless privacy settings are disabled, while enterprise licenses typically include opt-out protections by default. Organizations face three priorities: mapping high-risk AI systems affecting employment, education, credit, housing, healthcare, or essential services; auditing vendor training settings; and updating privacy notices to address AI use. Source: Jones Walker LLP

Reproductive Rights

• Texas Attorney General filed a lawsuit against Delaware nurse practitioner Debra Lynch for prescribing abortion medication to Texas residents. Lynch operates Her Safe Harbor, an online clinic that sends packages containing mifepristone and misoprostol to women across the country, including Texas cities such as Houston, El Paso, and Beaumont. The state charged Lynch with violating Texas’ Human Life Protection Act and practicing medicine without a license, seeking two injunctions to prohibit her from performing abortions and practicing medicine in Texas. This marks Texas’ second lawsuit against an out-of-state abortion provider after a December 2024 case against a New York provider was dismissed under that state’s shield laws. The case will test Delaware’s shield laws, which differ from New York’s protections and were strengthened in 2025 through House Bill 205. Source: The Texas Tribune

Substance Abuse – Part 2

• The Office for Civil Rights now has enforcement authority over substance use disorder patient record regulations under 42 CFR Part 2. On August 25, 2025, the Department of Health and Human Services authorized the OCR Director to enforce these regulations, which were finalized in February 2024 and protect the confidentiality of patients’ substance use disorder treatment records. OCR can impose civil penalties, issue subpoenas, and take corrective actions for noncompliance. Covered entities must review and update their HIPAA Privacy Policies and Notices of Privacy Practices by February 16, 2026, though they no longer need to update documents for reproductive health care protections following a federal court decision in Texas that vacated those rules. Source: Beneficially Yours