Fraud & Abuse and Enforcement
- OIG Advisory Opinion No. 26-15 concludes that a home health agency’s payment of subscription fees to a vendor for online referral management software would generate prohibited remuneration under the Federal anti-kickback statute if the requisite intent were present. The Requestor, which operates home health agencies (HHAs) serving Federal health care program beneficiaries, pays the vendor a per-hospital subscription fee enabling it to electronically receive and accept hospital discharge referrals, while non-subscribing HHAs must rely on slower methods such as fax, email, or phone. The Arrangement does not qualify for the referral services safe harbor because, among other failures, subscription fees are not assessed uniformly against all participants and vary based on geography and volume-based discounts rather than the vendor’s cost of operating the service. OIG found the Arrangement poses a risk of inappropriate steering and unfair competition, since hospitals refer on a first-come, first-served basis and paying HHAs gain a decisive speed advantage that can effectively exclude non-subscribers regardless of care quality. OIG also identified a risk of overutilization, as subscribing HHAs may face pressure to recoup subscription costs by billing for medically unnecessary services, exposing the Arrangement to sanctions under sections 1128A(a)(7) and 1128(b)(7) of the Act. Source: OIG Advisory Opinion No. 26-15
- The 2026 National Health Care Fraud Takedown charged 455 defendants, including more than 90 licensed medical professionals, in connection with over $6.5 billion in health care fraud and opioid claims. The enforcement action spanned 56 federal districts, 45 states and territories, and 50 state Medicaid Fraud Control Units, and the DOJ seized more than $182 million in cash, vehicles, jewelry, and other assets. Prosecutors relied on data analytics and artificial intelligence tools, including the first criminal prosecution developed through the Data Fusion Center, which identified a $67 million Illinois behavioral health scheme in which a defendant billed more than 500 hours of services a day. CMS suspended 1,079 providers and revoked billing privileges for 1,403 others, while HHS-OIG actions sought more than $10 billion for the Medicare Trust Fund. The DOJ highlighted wound care and hospice fraud, noting Medicare billing for wound care rose from $3.4 billion in 2023 to $14.4 billion in 2025, driven by kickback and fraud schemes rather than medical necessity. Source: HIPAA Journal
- AstraZeneca agreed to pay nearly $34 million to settle Texas Attorney General Ken Paxton’s claims that it operated an illegal kickback scheme tied to prescriptions paid by Texas Medicaid. Paxton sued under the Texas Health Care Program Fraud Prevention Act, alleging AstraZeneca provided free nursing services and reimbursement support to prescribers and paid third parties to deploy nurses and other professionals to recommend its drugs under the guise of non-branded counseling. The company will pay Texas $33,998,000 to resolve the claims and reimburse Medicaid funds the state alleged were improperly influenced. AstraZeneca denied the claims, stating it believes its programs are lawful and ethical and address an area of unmet need for patients. The Attorney General’s office has filed similar lawsuits against Sanofi-Aventis and Eli Lilly as part of a broader effort against health care fraud in Texas. Source: Texas Scorecard
FDA & Drug Regulation
- HHS Secretary Robert F. Kennedy Jr. added nine members to the FDA’s Pharmacy Compounding Advisory Committee, most of whom promote peptide use or have financial ties to wellness clinics offering peptide treatments. The additions bring the committee to 13 members ahead of meetings on July 23 and 24 to consider whether compounding pharmacies may produce seven unproven peptides, including BPC-157, TB-500, and epitalon, for human use. FDA scientists reaffirmed in briefing documents that there is insufficient evidence of safety and efficacy to justify expanding access, consistent with a 2023 determination. The FDA currently bars compounding pharmacies from making the peptides for human use, though the drugs may be sold for research. A further meeting before the end of February 2027 will address five additional peptides. Source: Ars Technica
Artificial Intelligence in Health Care
- University Health and Houston Methodist are complying with Texas’s new clinical AI disclosure law by embedding required disclosures into their existing patient consent processes. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), effective January 1, requires health care providers to give patients or their representatives conspicuous written disclosure whenever an AI system is used in diagnosis or treatment, before or at the time of the clinical interaction, with a narrow emergency exception. University Health delivers disclosures verbally when AI meaningfully informs a care decision and through standardized language in general consent forms, applying a standard based on what a reasonable patient would consider AI-generated or AI-assisted. Houston Methodist enhanced its consent for treatment to reflect AI use and focuses on transparency at or before interactions such as AI-enabled calls and ambient listening. A December 16 Manatt Health analysis found at least four states have enacted laws governing how health systems must disclose or limit clinical AI use, with states expected to remain the primary regulators of health care AI in 2026. Source: Becker’s Hospital Review
- Physicians who enter protected health information into consumer AI tools such as ChatGPT or Gemini without a business associate agreement commit a breach of the HIPAA Privacy and Security Rules. By 2024, 66% of U.S. physicians reported using some form of AI in practice, but consumer platforms do not sign BAAs, and under 45 CFR §164.502 a covered entity may not disclose PHI to a third party without patient authorization or a valid BAA. Liability for unauthorized disclosure rests with the practice as the covered entity and does not transfer to the AI vendor. Any AI tool that processes PHI must be covered by a BAA before first use and, under 45 CFR §164.308, preceded by a documented security risk analysis. Recommended safeguards include inventorying current AI use, verifying BAA status, conducting risk analyses, adopting written acceptable-use policies, and providing AI-specific training. Source: Medical Economics
- HHS outlined plans to accelerate AI adoption in clinical care after receiving more than 7,000 comments on using AI to lower health care costs. Issued under the Make America Healthy Again initiative, the RFI sought input on how digital health regulatory frameworks should evolve, whether reimbursement structures could better support deflationary technologies, and how research investment could strengthen implementation. HHS leaders reported broad consensus for better coordination across HHS agencies, support in creating governance structures, and guidance on identifying effective AI tools. U.S. health care spending rose 7.3% to a record $5.7 trillion in 2025 and is projected to exceed 20.5% of GDP by 2034. HHS cited steps already underway, including development of AI agents to manage cardiovascular disease care and FDA work to clarify regulation of autonomous AI-enabled medical technologies proportionate to their risk. Source: HIPAA Journal
HIPAA & Data Security
- HIPAA Security Rule compliance requires an ongoing security program rather than a one-time project, and health care companies that treat it as complete accumulate risk and enforcement exposure. The Security Rule requires accurate, thorough, and periodic analysis of risks to the confidentiality, integrity, and availability of electronic protected health information, with a new or focused analysis whenever a material change occurs, such as new technology, new vendors handling ePHI, workforce restructuring, or a security incident. Following each analysis, entities must maintain a risk management plan that prioritizes remediation, assigns ownership, and sets timelines, supported by continuous monitoring including log reviews, vulnerability scanning, access control auditing, and vendor security monitoring. The 2026 BakerHostetler Data Security Incident Response Report found threat actors increasingly move from initial access to data exfiltration without deploying encryption, making ransomware-style detection insufficient. OCR’s Risk Analysis Initiative penalizes companies that have not performed adequate risk analyses, and multiple state attorneys general launched investigations into health care companies in 2025, often concurrent with or following closed OCR investigations. Source: Baker Data Counsel
Reimbursement & Coding Compliance
- The Texas Medical Association is urging federal regulators and lawmakers to strengthen enforcement of No Surprises Act payment protections against health plans that delay, underpay, or ignore independent dispute resolution awards. TMA co-signed two American Medical Association letters, sent April 27 and May 11, asserting that some health plans fail to pay physicians within the statutory 30-day timeframe after an IDR determination, pay only partially, or shift additional cost-sharing onto patients when awards exceed the insurer’s initial offer. Fort Worth radiologist Tilden Childs III, MD, noted that Radiology Associates of North Texas prevailed in roughly 95% of federal IDR disputes yet has more than $3.5 million in awarded balances unpaid by a Texas health plan. Organized medicine is backing the proposed NSA Enforcement Act, which would impose congressional reporting requirements, mandate insurer notification to HHS of required payments, and authorize penalties for parties that miss IDR payment timelines. TMA is also awaiting a decision in a pending federal lawsuit after the Fifth Circuit granted it a rehearing held in September 2025. Source: Texas Medicine
- VMG Health built an urgent care risk model into its Compliance Risk Analyzer platform that benchmarks urgent care coding against all-payer urgent care data rather than primary care or Medicare-only norms. The model treats urgent care as a distinct compliance category because its all-payer, all-age patient mix drives evaluation and management coding toward higher-level codes that generic benchmarks flag as high-risk. It blends Medicare-derived benchmarks with all-payer claims data to build an urgent care reference distribution and evaluates E/M distribution, relative value unit intensity, modifier use, and time-based coding at the provider level against urgent care peers. Risk scores are calibrated by severity, ranging from documentation-driven E/M variance flagged for education to place-of-service mismatches with revenue impact flagged for immediate review. The module operates entirely on claims data without chart review and integrates into existing Compliance Risk Analyzer dashboards and the Code Trakker secondary-review workflow. Source: VMG Health
Telehealth & Pharmacy
- The Texas State Board of Pharmacy proposed a rule that would, for the first time, impose informed consent, documentation, and record retention requirements on pharmacist-provided telehealth services. Proposed 22 Texas Administrative Code §291.13 would require a pharmacist to obtain informed consent, in writing or verbally, from the patient or a legally authorized decision-maker before providing a telehealth service. The documentation must reflect patient agreement on three areas: treatment, collection of data, and sharing of data. The rule applies whether the interaction occurs through video conferencing or audio-only telephone communication, meaning a clinical phone consultation could trigger the same obligations as a dedicated telehealth platform. Consent documentation must remain at the licensed pharmacy, be retained for at least two years, and be produced within 72 hours of a request by an authorized Board representative. Source: Buchanan Ingersoll & Rooney
Transactions & the ASC Market
- Texas’s ambulatory surgery center market is expanding through new facility development, health system joint ventures, and consolidation, alongside continued False Claims Act enforcement. Texas operates one of the largest ASC markets in the country, with no certificate-of-need law and population growth driving development. Austin-based Advanced Pain Care and its founder Mark Malone, MD, agreed to pay $13.6 million to resolve False Claims Act allegations tied to improper billing and referral arrangements. Methodist Richardson Medical Center and Austin Regional Clinic opened new facilities in early 2026, while Southlake-based Solara Surgical Partners is pivoting toward de novo development and physician-led projects as acquisition inventory thins amid aggressive buying by United Surgical Partners International, SCA Health, and Surgery Partners. Texas recorded four new ASC openings in 2025, among the most active development states in the South after North Carolina and California. Source: Becker’s ASC Review
Healthcare Workforce
- The Texas Workforce Commission appointed 13 members to a new Healthcare Workforce Advisory Board, which held its first meeting on June 25 to address health care workforce shortages. The 89th Texas Legislature established the board to enhance collaboration between health care providers and higher education institutions. Appointees represent two- and four-year institutions, local workforce development boards, statewide hospital and healthcare professional organizations, and community health center organizations, including representatives from the Texas Medical Association, Christus Health, and the Texas Organization of Rural & Community Hospitals. The board will develop a collaboration toolkit and resource guide to facilitate local partnerships among providers, workforce boards, and higher education. The final guide must be submitted to the Texas Legislature no later than November 1, 2026. Source: Texas Workforce Commission
- A Texas Doula Association survey of 156 active doulas found that most earn less than $10,000 annually from doula services, raising concerns about the profession’s financial sustainability. Conducted between May and June 2025, the Texas Doula Workforce Survey reported an average annual doula income of approximately $19,000, with 55% of respondents earning under $10,000 from doula services in 2024. Respondents averaged about six years of practice, with most identifying as birth doulas (84%) and many also providing postpartum (58%), full-spectrum (35%), and loss (23%) care. Doulas reported working across a wider range of Texas counties than they live in, with the highest concentrations in Central Texas. The association, which advocates for fair wages and Medicaid reimbursement, said the findings show doulas struggle to sustain the work financially despite family demand. Source: National Law Review
Litigation & Premises Liability
- A Houston veterinary technician sued the Texas Medical Center for more than $10 million, alleging that preventable security failures led to a violent attack in a public parking garage. According to the petition, Baleigh Burmaster was attacked around 6:30 a.m. on May 11 moments after exiting her vehicle in Texas Medical Center Public Parking Garage 1, where the assailant repeatedly stabbed her and forced her back into the car during an ordeal attorneys estimate lasted 10 to 15 minutes. The lawsuit alleges the garage had no operational surveillance cameras or on-site security personnel, and that the suspect entered hours earlier and remained undetected. Attorneys argue the attack was foreseeable, citing at least four violent crimes reported in and around the medical center in a two-week span, and note the suspect was identified using Houston METRO surveillance video rather than garage cameras. The filing points to security improvements made after the incident, including increased patrols and additional signage, as evidence stronger protections were available. Source: KPRC Click2Houston
