Wade’s Health Law Highlights for January 21, 2025

Advisory Opinion

• The Office of Inspector General (OIG) issued Advisory Opinion 25-01, concluding that a pharmaceutical company’s arrangement to provide free access to a specific drug for eligible patients does not warrant administrative sanctions under the Federal anti-kickback statute or the Beneficiary Inducements Civil Monetary Penalty (CMP) provisions. The drug in question is an infusion therapy for a disease with limited alternative treatments. The program provides free medication to patients meeting specific financial and clinical criteria, including uninsured individuals or those unable to afford out-of-pocket costs. The OIG determined the arrangement poses a low risk of fraud or abuse, as it neither interferes with clinical decision-making nor steers patients toward specific providers or plans. Patients and providers must adhere to strict conditions, including ensuring the drug is used only for designated individuals and not reimbursed by any payor.

AI Regulation in Healthcare

• The House Bipartisan Task Force on Artificial Intelligence released a 253-page report on December 17, 2024, outlining key recommendations for AI implementation in healthcare. The report highlights AI’s potential to reduce drug development time and costs from the current 12-year average, with the FDA having approved over 800 non-generative AI/ML-enabled medical devices. The Task Force identified challenges including interoperability issues between systems, liability standards for AI-related medical decisions, and the need to revise physician reimbursement models as AI increases efficiency. The report concludes with five recommendations focusing on safety, research support, risk management, liability standards, and payment mechanisms, while emphasizing that medical practitioners must maintain responsibility for AI-augmented decisions. The Task Force’s findings come as the incoming Trump administration signals a departure from the Biden-Harris Executive Order on AI regulation.
• The U.S. Department of Health and Human Services has released its AI Strategic Plan, a 200-page document outlining four key goals for AI in healthcare: catalyzing innovation, promoting trustworthy development, democratizing access, and cultivating AI-empowered workforces. The plan aims to accelerate scientific breakthroughs, improve clinical outcomes, enhance healthcare delivery, and respond to public health threats through AI implementation. HHS will provide funding through programs like Bridge2AI and TARGET, while addressing biosecurity and privacy risks through national guidelines and industry collaboration sandboxes. The initiative includes partnerships with organizations like NIH’s AIM-AHEAD consortium to ensure equitable AI access for underserved populations, while Premier Inc. has expressed support for the plan’s alignment with healthcare workforce enhancement and value-based care goals. The strategy includes development of talent pipelines through programs such as NIH’s DATA National Service Scholar Program to ensure long-term successful AI adoption in medical research and discovery.
• California Attorney General released two legal advisories addressing AI regulation in California, with one focusing on general AI applications generally and another specifically targeting healthcare. The first advisory outlines existing California laws that apply to AI development and usage, including consumer protection, civil rights, and data protection laws, while also detailing new AI regulations effective January 1, 2025, covering disclosure requirements, likeness protection, and election material guidelines. The second advisory specifically addresses AI in healthcare settings, requiring healthcare entities to test, validate, and audit AI systems for safety and lawful use. Healthcare providers must maintain transparency about AI usage in patient care and data training.
• At CES 2025, FTC Commissioners discussed the agency’s approach to AI regulation. The Commissioners agreed on pursuing cases involving AI-related fraud and deception, though they differed on the extent of developer liability for AI tools misused by third parties, as evidenced in the Rytr and Sitejabber settlements. Both Commissioners expressed concerns about voice cloning fraud, with the FTC implementing an Impersonation Rule and launching a Voice Cloning Challenge to combat such scams. The discussion highlighted plans to investigate children’s interactions with AI chatbots through potential market studies. The Commissioners maintained a pro-innovation stance while acknowledging their differing views on enforcement approaches, suggesting continued FTC engagement with AI regulation in the next Administration.

Antitrust & Competition

• Welsh Carson agrees to pare back anesthesia market power to avoid new FTC suit. The Federal Trade Commission has reached a settlement with private equity firm Welsh Carson following allegations of anticompetitive behavior in the Texas anesthesia market through its portfolio company U.S. Anesthesia Partners. The agreement requires Welsh Carson to freeze its investment in USAP at minority levels, reduce its board representation to one seat, and obtain FTC approval for future anesthesia investments nationwide. The settlement comes after a federal court dismissed the FTC’s initial lawsuit in May 2024, and the FTC commissioners voted 5-0 to accept the agreement days before President-elect Trump’s administration takes office.
• The State of Colorado reached an agreement with Dallas-based U.S. Anesthesia Partners (USAP) requiring the company to divest contracts at five hospitals, modify noncompete agreements, and pay $200,000 in restitution. USAP, which employs 4,500 clinicians across 700 facilities nationwide, controlled 86.7% of Denver-area hospital anesthesia services by 2021 and charged 30-40% higher rates than competitors. The Federal Trade Commission filed a case in Texas’ Southern District in December 2023, alleging USAP engaged in similar practices there, where it has become the dominant provider in major cities through acquisitions of over a dozen practices, 1,000 doctors, and 750 nurses since 2012. The company’s reimbursement rates in Texas are double the median rate of other anesthesia providers in the state.

Cybersecurity & Ransomware

• A new report examines the major cybersecurity challenges facing healthcare organizations in 2025 . The data reveals that 72% of medical imaging systems are internet-connected with vulnerabilities, while 82% of healthcare organizations report attacks originating from third parties. The report identifies three primary threat vectors: social engineering attacks, internet-facing devices with known exploitable vulnerabilities, and third-party risks. According to the 2024 Claroty State of CPS Survey, 26% of healthcare organizations lack proper threat detection capabilities, and 56% fail to utilize threat intelligence for cyber physical systems. The article concludes that healthcare organizations must implement comprehensive cybersecurity measures including multi-factor authentication, regular software updates, and strict access controls to protect patient safety and service continuity.
• A new report revealed 1,204 confirmed ransomware attacks in 2024, with 195.4 million records compromised and $133.5 million paid in ransoms. The healthcare sector experienced 223 confirmed attacks, with 181 targeting healthcare providers and 42 affecting non-provider healthcare organizations, compromising over 141 million healthcare records total. The Change Healthcare attack was the most significant of 2024, resulting in $2.9 billion in losses and affecting 100 million individuals’ protected health information. RansomHub emerged as the most active ransomware group with 89 confirmed attacks, while the average ransom demand across all sectors was $3.5 million. In response, the HHS Office for Civil Rights has proposed updates to the HIPAA Security Rule, requiring healthcare organizations to implement enhanced cybersecurity measures including regular vulnerability scans, penetration testing, and encryption protocols.

Fraud & Abuse

• The Department of Justice released its annual report showing total civil fraud recoveries of $2.9 billion for FY2024, marking the fourth-lowest recovery since 2010. Healthcare industry recoveries hit a decade low at $1.67 billion, representing 57.3% of total recoveries, down from historical averages of over 80%. The number of qui tam lawsuits reached a record high of 979 in FY2024, with 609 cases outside healthcare, while qui tam recoveries accounted for 82% of total civil fraud recoveries at $2.2 billion. FY2025 has begun with $850 million in recoveries from Teva Pharmaceuticals and Raytheon, while the DOJ continues to focus on Medicare Advantage fraud, Anti-Kickback Statute violations, cybersecurity issues, and pandemic-related fraud schemes.
• A former Texas hospital CEO was sentenced to 36 months in federal prison and ordered to pay $5,343,630 for his role in a healthcare kickback conspiracy. The scheme involved Little River Healthcare, Stamford Memorial Hospital, and Boston Heart Diagnostics, where hospitals billed insurers at inflated rates for blood tests and shared profits with marketers who paid kickbacks to referring physicians through fake investment opportunities. A total of 21 defendants were indicted in the conspiracy, with several receiving prison sentences, while others pleaded guilty before trial. Peter Bennett was convicted for laundering over $2.7 million in kickback proceeds through sham trusts and shell corporations, while Robert O’Neal pleaded guilty to conspiracy charges related to arranging physician referrals and money laundering.
• A physician and his son plead guilty to a kickback conspiracy. The scheme involved the physician’s pain management clinic referring prescriptions for compound drugs to pharmacies where his son worked as a marketer, resulting in $6.6 million in kickback payments. The pair faces up to 5 years in prison and $250,000 in fines.
• A Fredericksburg physician was sentenced to 10 years in prison for a $70 million Medicare fraud scheme. A 61-year-old physician signed prescriptions and medical records for over 13,000 Medicare beneficiaries without examining them, resulting in $70 million in fraudulent Medicare claims for medical equipment and cancer genetic testing. The physician received $475,000 for his role in the scheme and must pay $26 million in restitution. In May 2024, he was convicted of conspiracy to commit healthcare fraud and three counts of false statements related to healthcare matters.
• A McAllen pharmacist has pleaded guilty in a $110 million healthcare fraud scheme. Between 2014 and 2016, the pharmacist paid $24 million in kickbacks to marketers who directed prescriptions for compound drugs to his pharmacy, resulting in $110 million in billings to federal health care programs. The pharmacist will be sentenced on March 25, where he faces up to five years in federal prison and a potential $250,000 fine.

HIPAA & Patient Confidentiality

• The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has intensified its focus on health data security and artificial intelligence. The agency published updates to the HIPAA Security Rule on January 6, 2025, requiring new security measures including encryption, multi-factor authentication, and annual audits. Between December 2024 and January 2025, OCR announced nine enforcement actions related to health data security and launched HIPAA audits of 50 regulated entities. The agency issued guidance on responsible AI use through Section 1557 regulations and a “Dear Colleague” letter, with new discrimination prevention requirements taking effect May 1, 2025. Healthcare organizations must review HIPAA risk analyses, strengthen security measures, and implement AI compliance protocols to meet OCR’s enhanced requirements.
• The U.S. Department of Health and Human Services Office for Civil Rights has reached a $3,000,000 settlement with Solara Medical Supplies following HIPAA violations related to a phishing attack that compromised 114,007 patients’ electronic protected health information through eight employee email accounts between April and June 2019. A second breach occurred when Solara sent 1,531 breach notification letters to incorrect addresses in January 2020. The investigation revealed Solara failed to conduct risk analysis, implement security measures, and provide timely breach notifications. Under the settlement terms, Solara must implement a two-year corrective action plan that includes risk analysis, security management, policy updates, and staff training.
• Memorial Healthcare System has settled an alleged HIPAA Right of Access violation with the U.S. Department of Health and Human Services’ Office for Civil Rights. The case involved a patient who made multiple requests for EEG records starting December 30, 2020, but didn’t receive them until September 29, 2021, nine months after the initial request and only after OCR initiated an investigation. The HIPAA Privacy Rule requires healthcare providers to furnish patient records within 30 days of request, with a possible 30-day extension in limited circumstances. While OCR initially proposed a $100,000 penalty, Memorial Healthcare System contested the findings and ultimately agreed to pay $60,000 to resolve the litigation. The settlement was announced on January 15, 2025, after negotiations between OCR and Memorial Healthcare System concluded.

Medicare & Medicaid

• The Department of Health and Human Services has announced 15 drugs for the second round of Medicare price negotiations. The negotiations will begin in 2025 with prices taking effect in 2027, following the first round which achieved price reductions of 38% to 79% on 10 drugs. Wegovy ($1,350) and Ozempic ($1,000) lead the list of medications, which includes treatments for conditions ranging from diabetes to cancer. The selected drugs were used by 5.3 million Medicare beneficiaries between 2023-2024, representing $41 billion in prescription drug costs. The first round of negotiations is expected to save Medicare beneficiaries $1.5 billion in out-of-pocket costs when implemented in 2026.

Mergers, Acquisitions & Private Equity

• Healthcare M&A transactions declined by 2.8% in Q3 2024, marking the lowest level since Q3 2020, with private equity participation dropping to 7% from 12% in Q2. Major deals included TowerBrook Capital Partners and Clayton, Dubilier & Rice’s $8.9 billion acquisition of R1 RCM Inc., Carlyle’s $3.8 billion purchase of Baxter International’s Kidney Care segment, and Orlando Health’s $439.4 million acquisition of three Florida hospitals from Steward Health Care. Professional Services dominated the sector with 54.8% of total deal volume, while the Hospital sector saw a 50% increase in transaction activity due to Steward Health Care’s divestitures. The Federal Reserve’s interest rate cuts and California’s veto of Assembly Bill 3129 signal potential growth in healthcare M&A activity for 2025, despite ongoing regulatory scrutiny.
• A recent report by the Federal Trade Commission warns that private equity ownership introduces “new and unique risks” to healthcare, surpassing those associated with general industry consolidation. The investigation, which reviewed over 2,000 public comments, highlights concerns such as higher consumer prices, operational changes, and staffing reductions linked to private equity-backed healthcare services. The agencies urge Congress and state legislators to enhance oversight by lowering the federal reporting threshold for mergers and acquisitions and expanding transparency rules regarding nursing home ownership. The report notes that private equity firms have significant investments across various healthcare sectors, including physician practices, emergency room staffing, nursing homes, mental health facilities, and hospitals. It also points out that companies with private equity ties are more prone to bankruptcies.