The Department of Health and Human Services has waived certain HIPAA sanctions and penalties for Texas hospitals responding to a public health emergency in Kerr County. President Donald J. Trump signed a Major Disaster Declaration for Kerr County, Texas, and Secretary Robert F. Kennedy, Jr. declared a public health emergency to address consequences of storms, straight-line winds, and flooding. The waiver allows hospitals to bypass five specific HIPAA Privacy Rule requirements, including obtaining patient agreement to speak with family members, honoring opt-out requests from facility directories, distributing privacy notices, and processing patient requests for privacy restrictions and confidential communications. The waiver applies only in the emergency area to hospitals with disaster protocols and lasts up to 72 hours from when the hospital implements its disaster protocol. Hospitals must resume full HIPAA compliance for all patients under their care once the Presidential or Secretarial declaration terminates, regardless of the 72-hour timeframe. Source: HHS.gov
The OIG concluded that a pharmaceutical manufacturer’s program to assist eligible patients with travel, lodging, and related expenses for a one-time gene therapy does not violate federal anti-kickback or beneficiary inducement laws. The manufacturer’s gene therapy treats a rare, fatal genetic disease in children and costs over $4 million, with treatment limited to a small number of specialized centers. Under the arrangement, patients with household incomes below 600% of the Federal Poverty Level and who lack other travel assistance may receive covered transportation, lodging, and daily expenses for themselves and up to two caregivers, but only for medically necessary phases of treatment and only when no other support is available. The program uses a vendor to verify eligibility and prevent duplicate coverage, requires documentation of expenses, and does not promote the assistance as a reason to prescribe the therapy. The OIG found that the arrangement promotes access to care, poses a low risk of fraud or abuse, and does not improperly influence provider or patient choice. Source: OIG Advisory Opinion No. 25-06 (Favorable)
The OIG determined that a pharmaceutical manufacturer’s program to sponsor a free companion laboratory test for eligible patients prior to prescribing a specific drug does not violate federal anti-kickback or beneficiary inducement laws. The manufacturer’s drug is approved for certain conditions and requires a companion diagnostic test to determine patient eligibility, with the test being offered at no cost to patients who meet specific criteria and have not previously received the test. The arrangement prohibits providers and the laboratory from seeking reimbursement from any third party, ensures that no patient or provider receives direct remuneration, and limits data sharing to de-identified, aggregated information. The program is designed to identify patients who may benefit from the drug and does not promote the drug during disease-awareness activities or use data to target providers or patients for marketing purposes. The OIG concluded that the arrangement poses a low risk of fraud or abuse, does not interfere with clinical decision-making, and satisfies exceptions for promoting access to care. Source: OIG Advisory Opinion No. 25-07 (Favorable)
The OIG found that a medical device company’s proposal to pay a third-party vendor for access to an electronic billing system used by some customers would generate prohibited remuneration under the Federal anti-kickback statute. The company supplies “bill-only” surgical devices to health care providers, and some customers require the use of a vendor’s billing portal for purchasing these items, for which the vendor charges the company a licensing fee per representative. The company stated that the portal is redundant to its existing billing processes and provides no necessary or desired services, but it would pay the fees to retain and potentially expand business with customers who require use of the portal. The OIG determined that the arrangement could inappropriately steer customers to the company over competitors, presents anti-competitive risks, and does not serve a commercially reasonable business purpose for the company. As a result, the OIG concluded that the arrangement is not sufficiently low risk to warrant a favorable opinion. Source: OIG Advisory Opinion No. 25-08 (Unfavorable)
Cybersecurity
Healthcare organizations face cybersecurity risks when storing Protected Health Information (PHI) in cloud environments. PHI includes medical records, diagnoses, treatment details, billing information, patient names, medical record numbers, health insurance details, Social Security numbers, test results, prescriptions, dates of birth, and addresses. When compromised, PHI can lead to identity theft, medical fraud, unauthorized use of insurance benefits, reputational harm, and loss of trust in healthcare providers. Cloud storage challenges include meeting HIPAA compliance requirements, understanding shared responsibility between providers and organizations, preventing misconfigurations, managing third-party integrations, maintaining visibility and control, and ensuring data location compliance. Healthcare organizations must implement encryption, identity and access management, secure cloud architecture, continuous monitoring, regular backups, disaster recovery plans, and staff training to protect PHI in cloud environments. Source: Geek Vibes Nation
Food & Drug Administration
The FDA implemented sweeping changes in June 2025 that created uncertainty for cell and gene therapy developers while launching new programs to accelerate drug approvals. The agency halted new clinical trials involving transfer of genetic material to foreign countries including China and terminated both the director and deputy director of the Office of Therapeutic Products, which oversees gene therapy and cellular therapy reviews. FDA also launched the Commissioner’s National Priority Voucher program that promises to reduce drug review times from 10-12 months to 1-2 months for companies aligned with national health priorities such as domestic manufacturing. The agency issued a warning letter to a Florida drug distributor for Drug Supply Chain Security Act violations just two months after inspection, signaling accelerated enforcement of prescription drug security laws. Meanwhile, medical device regulation remained stable and the FDA hired a new deputy director of the Center for Drug Evaluation and Research to advance psychedelic therapy development. Source: Mintz
Fraud & Abuse
DOJ and the Department of Health and Human Services (HHS) announced the creation of the False Claims Act Working Group to strengthen civil enforcement of the False Claims Act in healthcare. The Working Group will be jointly led by DOJ’s Civil Division and top HHS officials, including representatives from CMS, the HHS Office of Inspector General, and U.S. Attorneys’ Offices. The initiative will focus on six priority enforcement areas: Medicare Advantage risk adjustment fraud, drug and device pricing, barriers to patient care, kickbacks, defective medical devices, and EHR manipulation designed to inflate Medicare reimbursements. The Working Group will make high-priority FCA referrals from HHS to DOJ, coordinate enforcement decisions, leverage data mining to uncover leads, evaluate payment suspensions, and encourage voluntary disclosures. This marks a shift toward more government-led enforcement and potentially less whistleblower-led enforcement, with healthcare companies facing increased scrutiny and faster investigations. Source: Healthcare Law Insights
Marketing
Healthcare fraud through phone calls cost Americans over $16 million in the first quarter of 2024. Americans received more than 4.4 billion robocalls in April 2024, with an average of 146.9 million calls per day and 1,700 calls per second. Scammers target the healthcare sector because consumers trust calls from health providers, often using caller ID spoofing to appear as legitimate hospitals or physicians’ offices. Common scams involve fraudsters posing as Medicare or Medicaid workers who request personal data or money while threatening loss of coverage. New technology offers solutions through branded calls that display business logos, names, and reasons for calling, verified through end-to-end call verification systems. Source: HIT Consultant
The Fifth Circuit ruled that the No Surprises Act does not allow healthcare providers to bring private lawsuits to enforce Independent Dispute Resolution awards. The case involved two air ambulance providers, Guardian Flight, LLC and Med-Trans Corporation, who sued Health Care Service Corporation after receiving delayed or no payment on IDR awards they had won under the No Surprises Act. The Fifth Circuit rejected all three of the providers’ claims, including violations of the NSA itself, ERISA benefit denials, and state law unjust enrichment. The court determined that Congress intended enforcement to occur through the administrative complaint process overseen by the U.S. Department of Health and Human Services rather than through private litigation. This decision conflicts with district court rulings in Connecticut and other jurisdictions that have found implied enforcement rights, creating a judicial divide that may require Supreme Court resolution. Source: Proskauer Rose LLP
Restrictive Covenants
Eight states have enacted legislation in 2025 that restricts or bans non-compete agreements for healthcare professionals. Colorado now voids non-compete and non-solicitation covenants for healthcare providers regardless of salary thresholds, while Illinois expanded restrictions for mental health professionals treating veterans and first responders. Indiana banned non-compete agreements between physicians and hospitals or hospital systems, and Montana extended its existing ban to all licensed physicians. Oregon declared non-competition agreements void and unenforceable for physicians, physician assistants, and nurse practitioners, while Texas now requires buyout options capped at annual salary and extended restrictions to dentists, nurses, and physician assistants. Utah prohibits healthcare staffing platforms from requiring non-compete agreements from healthcare workers. Source: Littler
States are implementing varied restrictions on non-compete agreements for healthcare professionals following the Federal Trade Commission’s failed attempt to ban such agreements nationwide. The new state laws range from blanket prohibitions in states like Arkansas and Wyoming to defined limitations on duration and geographic scope, with most states allowing non-competes lasting up to one year and geographic restrictions varying from five-mile radii in Texas to 30-mile radii in West Virginia. Some states condition enforceability on termination circumstances, while others like Maryland use hybrid approaches that combine compensation thresholds with medical-specific limitations. Texas enacted legislation in June 2025 requiring buyout caps not exceeding annual salary, while Florida passed a bill excluding healthcare practitioners from expanded non-compete limitations and Nevada’s governor vetoed a healthcare non-compete prohibition. The varied approaches reflect competing interests between employer investment protection, practitioner mobility rights, and patient care continuity concerns. Source: Seyfarth Shaw LLP
Governor Abbott signed Senate Bill 1318 into law, imposing new restrictions on noncompete agreements for physicians and health care practitioners effective September 1. The law limits physician noncompete agreements entered into or renewed after September 1 to one year in duration and five miles in geographic scope from where the physician primarily practiced. Buyout provisions cannot exceed the physician’s total annual salary and wages at the time of separation, and agreements must include clearly written terms. The legislation expands these restrictions to health care practitioners including licensed dentists, nurses, and physician assistants, and voids noncompete agreements when physicians are involuntarily discharged without good cause. While the law only applies to new or renewed agreements after September 1, courts may use these restrictions as guidelines when evaluating the reasonableness of existing noncompete agreements. Source: BakerHostetler