Wade’s Health Law Highlights for January 27, 2026

Antitrust

Cybersecurity

  • System hardening reduces the number of vulnerabilities that attackers can exploit in electronic information systems by patching software, removing unneeded programs, and configuring security measures. The HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of electronic protected health information through risk analysis and risk management processes. Organizations must patch operating systems, firmware, and applications regularly, while also removing pre-installed software and disabling default passwords that create security risks. Entities can establish security baselines using resources such as NIST SP 800-53, Microsoft’s Security Baseline Guide, and Department of Defense Security Technical Implementation Guides to standardize security controls. The HIPAA Security Rule mandates periodic review and modification of security measures to maintain protection of electronic protected health information as new threats emerge. Source: HHS Office for Civil Rights
  • The Office of Inspector General has called on HHS to adopt a unified cybersecurity approach across all divisions to combat threats facing the healthcare sector. The OIG released its annual report identifying five top challenges for the department: financial integrity, Medicare and Medicaid, public health, beneficiary safety and cybersecurity. The report noted that different organizational approaches to cybersecurity across HHS divisions and programs complicate preparedness efforts to prevent or respond to cybersecurity risks. OIG stated that cybersecurity solutions must be implemented by thousands of HHS contractors and external entities, with each division requiring solutions that address threats specific to them. The report also suggested that HHS’s ability to enforce HIPAA may not be sufficient to address contemporary privacy concerns or increased risks to electronic protected health information security. Source: TechTarget

Data Privacy

Emerging Tech

  • Texas enacted a law that prohibits AI systems from intentionally encouraging people to commit self-harm, harm others, or engage in criminal activity. The Texas Responsible Artificial Intelligence Governance Act took effect January 1, 2026, after passing on June 22, 2025, and establishes penalties ranging from $10,000 to $12,000 for curable violations and $80,000 to $200,000 for uncurable violations. The law applies to anyone who promotes business in Texas, produces products used by Texas residents, or develops AI systems in the state, with the Texas attorney general holding enforcement authority. The law includes provisions on biometric data use by government entities and provides safe harbors for AI testing. States including Illinois, Utah, and Nevada have passed similar laws regulating AI for mental health purposes, while Congress has not established federal legislation in this area. Source: Forbes
  • Model Context Protocol serves as a standardized integration layer connecting AI agents to clinical data systems in healthcare. MCP functions as a universal interface that allows AI agents to request and receive information from back-end systems without requiring custom integrations for each connection. The healthcare AI market is projected to grow 40-45% annually and could exceed $5 billion within five years. MCP provides three core benefits: standardization that eliminates custom integrations, governance features that log all agent requests for compliance tracking, and scalability that allows multiple AI agents to access clinical data through a single integration layer. The protocol addresses the challenge that 78% of organizations face when trying to connect generative AI systems to clinical databases that require secure, validated access. Source: Wolters Kluwer
  • Healthcare AI depends on data quality rather than model sophistication. A recent survey of more than 500 physicians and administrators found that 64% of clinicians reported documentation-related AI reduces their workload, with nearly half identifying time saved as AI’s most important benefit. However, clinicians face barriers to accessing information, with nearly half encountering inconsistent formats or hard-to-locate data and only 2% reporting timely, comprehensive visibility across systems. To unlock AI’s value: curate meaningful data instead of accumulating more, standardize data formats and definitions, make patient information portable across systems, and support interpretation that reinforces clinician judgment. AI can draft documentation and reduce administrative burden, but its effectiveness depends on complete, consistent, and interpretable information. Source: Fast Company
  • Researchers at Northeastern University developed a method to detect racial bias in healthcare AI by examining the internal decision-making processes of large language models. Researchers used a tool called a sparse autoencoder to convert the incomprehensible intermediate representations of LLMs into human-understandable concepts called “latents.” Testing clinical notes from the MIMIC dataset through the Gemma-2 LLM, they found the model associated Black individuals with stigmatizing concepts like “incarceration,” “gunshot,” and “cocaine use.” The tool allows physicians to identify when race is being factored into AI recommendations, enabling them to intervene or retrain the model. This marks the first use of sparse autoencoders in a clinical setting with physician notes as input. Source: Northeastern University News

Fraud & Abuse

  • The Department of Justice recovered $6.8 billion through False Claims Act settlements and judgments in fiscal year 2025, the highest amount in the law’s history. Health care fraud accounted for $5.7 billion of the total, with funds returned to Medicare, Medicaid, and TRICARE. Whistleblowers filed 1,297 qui tam lawsuits during the year, surpassing the 2024 record of 980 cases, and these whistleblower actions generated $5.3 billion in recoveries. The government opened 401 investigations and launched a Trade Fraud Task Force to combat evasion of tariffs and customs duties. Since Congress strengthened the False Claims Act in 1986, total settlements and judgments now exceed $85 billion. Source: U.S. Department of Justice
  • The Office of Inspector General approved market share discounts under the Discount Safe Harbor for the first time in Advisory Opinion 25-11, issued at the end of 2025. OIG determined that discounts contingent on achieving market share targets qualify for protection if they do not require purchasers to provide services such as marketing products or switching patients from one product to another. The opinion clarified that “same reimbursement methodology” refers to each of Medicare’s parts, meaning products under Medicare Part B can be bundled together under safe harbor protection, though bundles mixing Part B and Part D products do not qualify for safe harbor protection but may present low fraud risk under certain conditions. OIG also concluded for the first time that manufacturers may adjust rebate terms mid-contract at low risk if the agreement discloses that possibility upfront and changes are made to meet competition. The opinion leaves unresolved questions about the boundaries between permissible market share incentives and prohibited service requirements. Source: Hogan Lovells
  • Dr. Brian August agreed to pay $200,000 to resolve allegations he violated the Controlled Substances Act, the False Claims Act, and the Texas Health Care Program Fraud Prevention Act. The El Paso physician allegedly issued 255 prescriptions for Schedule II and Schedule IV controlled substances to 15 individuals between December 23, 2017, and May 22, 2021, without complying with Texas requirements for treating pain patients or documenting legitimate medical purposes. The 15 recipients were Medicare Part D or Texas Medicaid beneficiaries, and the prescriptions resulted in improper reimbursements of $994.22 from Texas Medicaid and $44,380.55 from Medicare Part D. August surrendered his DEA registration and Texas medical license as part of the settlement. The U.S. Attorney’s Office for the Western District of Texas, DEA, FBI, and Texas Office of the Attorney General coordinated the resolution. Source: DEA
  • The First Circuit ruled that laboratories can generally rely on a physician’s order as proof of medical necessity when submitting Medicare claims under the False Claims Act. In United States ex rel. Omni Healthcare Inc. v. MD Spine Sols. LLC (160 F.4th 248 (1st Cir. 2025)), the court affirmed summary judgment for MD Spine Solutions, which had been accused of billing Medicare for tests that were allegedly unnecessary despite being ordered by treating physicians. The court applied the subjective knowledge standard from the Supreme Court’s SuperValu decision, requiring proof that the laboratory had actual knowledge, deliberate ignorance, or reckless disregard that claims were false at the time of submission. The court identified exceptions where laboratories cannot rely on physician orders, including when they have reason to doubt the recommendation, ignore regulatory warnings, manipulate orders, or engage in misleading marketing practices. The decision shifts the burden to the government or relator to rebut the presumption that a physician’s order establishes medical necessity. Source: Eye on Enforcement

Labor & Employment

Mergers & Acquisitions

  • Healthcare investors are shifting capital toward pharmacy infrastructure and away from value-based care providers exposed to Medicare Advantage risk. Value-based care providers face challenges in 2026 from budget uncertainty and pharmacy spend, prompting investors to focus on PBMs, PBAs, and specialty pharmacies. Health systems depend on the 340B program to sustain margins, and policy changes to the program could affect their finances. The behavioral health sector faces legal controversies over fraud allegations that are suppressing sales and creating entry opportunities for new platforms with compliance-focused models. Quantum AI is expected to transition from concept to deployment in 2026, accelerating innovation in personalized medicine and diagnostics while regulatory agencies work to establish guidance on data integrity and patient protections. Source: Bradley

Medicaid