Antitrust & Competition
- The Federal Trade Commission has reached a settlement with private equity firm Welsh, Carson, Anderson & Stowe over U.S. Anesthesia Partners’ market consolidation in Texas. USAP, which operates in 700 facilities with 4,500 clinicians nationwide, acquired multiple anesthesia practices in Dallas between 2014 and 2016, gaining control of 40-50% of the market. The settlement prohibits Welsh Carson from increasing its ownership stake in USAP, limits board representation, and requires FTC notification for future healthcare acquisitions. In a related case, USAP faced similar restrictions in Colorado, where it controlled 86.7% of inpatient surgeries by 2021, leading to a $200,000 settlement and contract divestitures.
- With President Trump taking office and Andrew Ferguson becoming FTC Chair, significant changes are coming to healthcare antitrust enforcement. The Biden administration took an aggressive approach to healthcare antitrust enforcement, challenging mergers, investigating pharmacy benefit managers, and withdrawing previous policy guidance. The Trump administration is expected to continue scrutiny of healthcare industry concentration and PBMs while potentially reinstating clearer guidance for businesses. States like California will maintain their own strict healthcare antitrust enforcement regardless of federal changes. New FTC Chair Ferguson has indicated openness to reforming rather than completely rescinding the 2023 merger guidelines.
- The Federal Trade Commission released a Second Interim Staff Report on January 15, 2025, revealing that prescription drug spending rose from $393 billion in 2016 to $600 billion in 2023. The report found that pharmacies affiliated with the three largest Pharmacy Benefit Managers (PBMs) received 68% of specialty drug revenue in 2023, with markups reaching over 1,000% on some medications. The investigation uncovered that affiliated pharmacies generated $7.3 billion in revenue above acquisition costs, while PBMs earned $1.4 billion through spread pricing practices. The FTC plans to continue its investigation, particularly focusing on potential violations of the Robinson-Patman Act, while states consider additional PBM regulations. The Commission concluded that specialty generic drugs have increasing financial importance and require further investigation into pricing practices.
Emerging Technologies
- The Office for Civil Rights published a final rule on May 6, 2024, regulating the use of AI and other patient care decision support tools in healthcare settings. The rule applies to recipients of federal financial assistance, HHS, and entities under the Affordable Care Act, requiring them to identify and mitigate discrimination risks in their use of these tools. A January 10, 2025 “Dear Colleagues” letter provides guidance on compliance, including requirements for risk identification through methods like AI registries and vendor information gathering. The general prohibition on discrimination took effect July 5, 2024, while requirements for risk identification and mitigation will begin May 1, 2025. A nationwide injunction currently stays enforcement of portions related to gender identity discrimination.
- President Trump has rescinded the Biden administration’s executive order on AI safety, halting requirements for company safety testing reports while existing recommendations and research initiatives remain in place. The Trump administration is pursuing a $100 billion partnership with OpenAI, SoftBank, and Oracle for technology infrastructure development, while maintaining Biden’s executive order on data centers. Industry experts are divided on the implications, with some concerned the move will weaken AI safety efforts globally, while others see opportunities for companies to establish rules under new leadership. Congress and state legislatures continue working on AI legislation as the U.S. approach to AI regulation shifts.
Cybersecurity & Ransomware
- A new report shows that 84% of healthcare organizations detected cyberattacks on their infrastructure in the past year. Phishing emerged as the primary threat for on-premises systems, while account compromise affected 74% of healthcare organizations in cloud environments. The attacks led to financial losses for 69% of healthcare organizations, exceeding the cross-industry average of 60%. The consequences included leadership changes in 21% of cases and legal action in 19% of affected healthcare organizations, both rates higher than the 13% average across other industries.
- The cyberattack on Change Healthcare in February 2024 compromised the data of more people than originally thought. The ALPHV/BlackCat ransomware gang claimed responsibility for the attack, which disrupted over 100 healthcare applications and impacted thousands of pharmacies and healthcare providers. The breach exposed sensitive information including names, Social Security numbers, medical records, and insurance details, resulting in $1.1 billion in costs for UnitedHealth Group. The final impact assessment increased significantly from initial estimates of 100 million affected individuals to the current figure of 190 million.
- In 2024, multiple states enacted data privacy laws, with California and Texas implementing significant regulations while seven other states passed comprehensive privacy legislation. The Federal Trade Commission increased enforcement against data brokers and companies handling sensitive data, requiring new safeguards for location data and expanding breach notification rules. States including California, Colorado, and Utah passed AI-specific regulations targeting high-risk AI systems and requiring safeguards and disclosures. Massachusetts narrowed its wiretapping law scope regarding website tracking technologies, while Washington and Nevada enacted laws protecting consumer health data outside HIPAA. State enforcement actions ramped up, with California and Texas leading investigations into data collection practices and improper data sharing.
Fraud & Abuse
- The Second Circuit Court of Appeals has joined other federal circuits in adopting the “at least one purpose rule” in Anti-Kickback Statute violations. AKS prohibits payments by defendants if any single purpose of a payment was to induce patient referrals, even if other legitimate reasons exist. In the case before the court, Steven Camburn alleged Novartis violated the False Claims Act by providing improper payments to physicians through speaker programs to encourage prescriptions of their multiple sclerosis drug Gilenya. The Second Circuit found sufficient evidence in three categories of allegations: speaker programs without legitimate attendees, excessive compensation for canceled events, and strategic speaker selection to induce prescriptions. The court joins the Third, Fifth, Seventh, Ninth, and Tenth Circuits in applying this interpretation, with the First and Fourth Circuits also assuming this standard.
- The Department of Justice and qui tam relators filed a record-breaking 1,402 new False Claims Act cases in 2024, representing a 16% increase from 2023’s previous record. Total recoveries reached $2.9 billion, with $2.2 billion coming from qui tam suits where DOJ intervened. A Florida federal court ruled the FCA’s qui tam provisions unconstitutional under the Appointments Clause, though this decision faces uncertain prospects on appeal. The second Trump administration is expected to continue aggressive FCA enforcement while potentially limiting reliance on sub-regulatory guidance and increasing voluntary dismissals of qui tam cases. President Biden also signed into law the Administrative False Claims Act, expanding agencies’ ability to pursue claims up to $1 million through administrative proceedings.
- Three Texas healthcare providers settled Stark Law violation cases for a total of $21.3 million in 2024. Horizon Medical Center paid $14.2 million for improper service identification and problematic financial relationships, while Little River Healthcare’s CEO Jeffrey Madison paid $5.3 million for illegal kickback schemes and received a 25-year exclusion from federal healthcare programs. Dr. Mohammad Athari in Houston paid $1.8 million for referring patients to his own diagnostic centers between 2014 and 2021, violating laws that prohibit physicians from referring patients to facilities where they maintain financial interests. The Department of Justice continues to pursue healthcare fraud cases, focusing on both institutions and executives who violate federal healthcare regulations.
- Northwest Anesthesiology and Pain Services (NWAP) has agreed to pay $999,999 to resolve Medicare claims violations. The Houston-based provider hired Stacey Green and Remedy Physician Solutions in 2019 to manage pain practices, where Green implemented bonus payments based on lab referrals rather than productivity. Between 2019 and 2021, NWAP paid $1.8 million in bonus payments through this system, which the government deemed improper kickbacks for referrals. NWAP self-disclosed the violations to authorities and cooperated with the investigation conducted by the U.S. Attorney’s Office and Department of Health and Human Services Office of Inspector General.
Health Policy
- Drug pricing and health care fraud remain central issues as Robert F. Kennedy Jr. and Marty Makary await confirmation as HHS secretary and FDA commissioner. The Trump administration continues implementation of drug price negotiations under the Inflation Reduction Act despite pharmaceutical industry litigation, while ACA subsidies face expiration in 2025. Health care fraud enforcement priorities include clinical trial fraud, cybersecurity, and product referral arrangements, with FDA focusing on medical device cybersecurity and AI software guidance. The reauthorization of OMUFA in 2025 presents opportunities to address drug shortages, biosimilar substitution rules, and dietary supplement regulations, while the FDA maintains its focus on the opioid epidemic and real-world evidence for rare disease treatments.
Health Administration
- VMG Health explores how Occam’s Razor principles can improve healthcare administration. The principle advocates for simplifying complex healthcare systems by focusing on essential elements in areas like patient discharge, resource allocation, and regulatory compliance. Healthcare organizations can streamline operations through vendor consolidation, automated compliance platforms, and simplified communication protocols. The approach emphasizes removing unnecessary steps while maintaining quality care and meeting regulatory requirements. The article notes that while simplification is beneficial, administrators must balance efficiency with the inherent complexity of healthcare operations.
HIPAA: Enforcement
- The U.S. Department of Health and Human Services Office for Civil Rights has announced six enforcement actions in early 2025, focusing on three key initiatives: Right of Access, Risk Analysis, and Ransomware protection. The enforcement actions include penalties ranging from $10,000 to $3,000,000 for violations involving ransomware attacks, phishing incidents, and failure to provide timely access to medical records. The cases affected over 175,000 individuals’ protected health information and involved both healthcare providers and business associates. OCR emphasizes that organizations must conduct regular risk analyses, implement security measures, and ensure prompt access to patient records to avoid future enforcement actions.
HIPAA: Privacy Rule
HIPAA: Security Rule
- The U.S. Department of Health and Human Services published proposed updates to the HIPAA Security Rule on January 6, 2025, marking the first major revision since 2013. The new requirements mandate business associates to notify covered entities within 24 hours of activating contingency plans and provide annual verification of technical safeguards. Business Associate Agreements must be updated to include these new provisions within one year and 60 days after the Final Rule publication, with a transition period available for existing agreements. The proposal allows covered entities to appoint business associates as Security Officers while maintaining ultimate compliance responsibility, and the HHS Office for Civil Rights will accept comments through March 7, 2025. The changes will affect both current and future business associate relationships, requiring updates to vendor management programs and security risk assessment processes.
- The Department of Health and Human Services Office for Civil Rights has published a notice of proposed rulemaking to strengthen HIPAA Security Rule requirements. The proposal eliminates flexible “addressable” specifications in favor of mandatory security controls and requires implementation of multifactor authentication, encryption, and data backup systems. Healthcare organizations must conduct annual risk analyses, compliance audits, and obtain written verification from business associates regarding security measures. The rule, open for comments through March 7, 2025, will take effect 60 days after final publication with a 180-day compliance period. Organizations must update their Business Associate Agreements within one year and implement stricter technical controls, including removing system access within one hour of employee termination.
Regulation & Oversight
- The White House removed inspectors general from most cabinet-level agencies through immediate termination emails sent on January 24. Between 12 and 17 inspectors general were dismissed without the legally required 30-day notice to Congress, with only the Department of Justice and Homeland Security IGs remaining in place. The dismissals sparked bipartisan concern, with Republican Senator Charles Grassley requesting explanation and Democratic leaders condemning the action as an attack on government oversight. At least one dismissed IG plans to report to work Monday, arguing the terminations violated federal law, while Hannibal Ware, chair of the Council of IGs, stated the removals appear legally insufficient. The White House provided no explanation for the dismissals beyond citing “changing priorities” in the termination notices.
Texas Medical Board Rules
- The Texas Medical Board implemented new rules that require medical spas and IV hydration clinics to post physician information and ensure staff wear identification. The rules consolidate delegation requirements under Chapter 169, mandating written documentation of all medical delegations and allowing physician assistants and advanced practice nurses to provide emergency consultations. Practitioner-patient relationships can now be established through in-person visits or telemedicine, while the Board plans to issue standardized forms for alternative medicine and review ketamine treatment regulations. The Board removed office medication dispensing limits but reminds physicians that state law still restricts supplying drugs beyond immediate patient needs.