Texas passed two laws regulating artificial intelligence use in healthcare and other sectors. House Bill 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), was signed June 22, 2025, and takes effect January 1, 2026, requiring healthcare providers to disclose AI use in patient diagnosis or treatment. Senate Bill 1188, signed June 20, 2025, and effective September 1, 2025, mandates that licensed practitioners review all AI-generated records and prohibits offshoring electronic medical records. TRAIGA also prohibits discriminatory AI use and requires organizations to implement risk assessment and documentation procedures. The Texas attorney general will enforce TRAIGA through civil penalties. Source: Holland & Knight
Researchers developed a privacy-preserving artificial intelligence system that achieves 99.48% accuracy in classifying skin lesions while protecting patient data through advanced encryption. The model combines block-scrambling-based encryption with three neural networks (MobileNetV2, GoogLeNet, and AlexNet) to extract features from skin images while maintaining data confidentiality during transmission and storage. The system uses a conditional variational autoencoder for classification and hippopotamus optimization for parameter tuning to enhance performance. Testing on the skin cancer ISIC dataset showed the model outperformed existing methods with superior accuracy and faster execution time of 8.85 seconds compared to competing approaches. The research addresses the critical need for secure medical image analysis, particularly important given that skin diseases affect 30-70% of people globally. Source: Scientific Reports
Fraud & Abuse
The Justice Department charged 324 defendants in connection with over $14.6 billion in health care fraud schemes, marking the largest health care fraud takedown in the department’s history. The defendants include 96 doctors, nurse practitioners, pharmacists, and other licensed medical professionals across 50 federal districts and 12 state attorneys general offices. The government seized over $245 million in cash, luxury vehicles, cryptocurrency, and other assets, while the Centers for Medicare and Medicaid Services prevented over $4 billion from being paid on fraudulent claims and suspended or revoked billing privileges for 205 providers. The schemes included transnational criminal organizations submitting over $12 billion in fraudulent claims, with Operation Gold Rush alone involving $10.6 billion in fraudulent Medicare claims using stolen identities of over one million Americans. The Justice Department announced plans to create a Health Care Fraud Data Fusion Center to leverage artificial intelligence and advanced analytics to identify emerging fraud schemes. Source: United States Department of Justice
More than a dozen Houston-area medical professionals have been indicted in what prosecutors call the largest health care fraud crackdown in Department of Justice history. The nationwide operation charged over 320 people and uncovered nearly $15 billion in false claims, with 22 cases filed in federal court in Houston. Among those charged are Dr. David Jenson and his business partner, who allegedly billed Medicare $90 million for unnecessary “second skin” procedures and received $45 million in reimbursements, and the owners of United Palliative & Hospice Care in Fort Bend County, accused of fraudulently billing $87 million for end-of-life care for patients who were not dying. Other schemes involved fraudulent COVID-19 testing that netted $293 million, illegal kickbacks for genetic testing, and billing for mental health services never provided. The cases represent various types of health care fraud including Medicare and Medicaid billing fraud, pandemic relief fund fraud, and the unlawful distribution of controlled substances. Source: Houston Chronicle
The U.S. Justice Department charged 324 individuals in a record-breaking healthcare fraud crackdown involving $14.6 billion in schemes. The DOJ debuted its Health Care Fraud Data Fusion Center, which uses AI, cloud computing, and analytics to shift from reactive investigation to proactive detection of fraud patterns. The centerpiece operation, “Operation Gold Rush,” exposed a transnational catheter supply fraud led by Russian and Eastern European criminal networks that filed over $10.6 billion in false claims using stolen U.S. identities. Authorities seized over $245 million in assets and the Centers for Medicare and Medicaid Services suspended payments on over $4 billion in pending claims deemed fraudulent. Source: PYMNTS
Healthcare Privacy
A Texas federal district court vacated the HIPAA Reproductive Health Rule nationwide on June 18, 2025, in the case Purl v. HHS. The court ruled that HHS exceeded its authority and violated procedural requirements when creating the rule, which the Biden Administration had implemented after Dobbs v. Jackson Women’s Health Organization to prohibit disclosure of reproductive health information for investigating or prosecuting reproductive healthcare that was legal where performed. Healthcare providers can now disregard the rule’s requirements and must undo actions they took to implement it, as HIPAA reverts to its pre-December 2024 form where reproductive health information is treated like any other protected health information. HHS is unlikely to appeal the decision given Trump Administration policies and has not requested a stay. The ruling does not affect substance use disorder provisions, meaning providers must still update their privacy notices by February 2026. Source: Holland & Hart’s Health Law Blog
The Southern District of New York allowed eight privacy claims to proceed against Teladoc Health for using website tracking technologies that transmitted patient health information to third parties. On June 25, 2025, the court denied Teladoc’s motion to dismiss after plaintiffs alleged the company installed tracking pixels and APIs on its telehealth platform that shared protected health information for advertising purposes. The court ruled that Teladoc’s tracking technology created an independent criminal purpose through HIPAA violations, defeating consent-based defenses under the Electronic Communications Privacy Act. The court determined Teladoc functioned as a healthcare provider rather than a technology platform and that medical conditions constitute contents of communications under state privacy laws. Eight claims survived including federal wiretapping violations and state privacy claims under New York, Florida, and California laws. Source: Duane Morris LLP
US healthcare companies face restrictions when offshoring patient data operations due to state and federal privacy regulations. While HIPAA does not prohibit storing protected health information outside the United States, states including Wisconsin, Texas, Florida, and Arizona have enacted data localization laws that require patient information to remain within US borders. The Centers for Medicare & Medicaid Services requires Medicare Advantage Organizations to obtain attestation certificates from healthcare providers who use offshore vendors, detailing safeguards for patient information protection. Healthcare companies can mitigate offshoring risks through business associate agreements with international arbitration clauses, encryption requirements, and annual audits of offshore subcontractors. Offshore vendors must demonstrate HIPAA compliance and may need to establish US-based operations or partner with domestic intermediaries to work with American healthcare organizations. Source: MWE
Microsoft and Google email platforms may be transmitting healthcare data without encryption, potentially violating HIPAA requirements. A recent study found that Google Workspace still uses deprecated TLS 1.0 and 1.1 encryption protocols, while Microsoft 365, when encryption fails, sends messages unencrypted without warning senders. The research involved controlled experiments where Paubox set up recipient mail systems that only accept legacy TLS protocols and sent test messages containing simulated protected health information. Healthcare organizations rely on email for lab results, care instructions, and appointment notifications, all of which must be encrypted under HIPAA regulations. The findings suggest that healthcare organizations depending on these platforms for compliance may be unknowingly transmitting unencrypted patient data. Source: MediaPost
Inpatient Rehab Facilities
Freestanding inpatient rehabilitation facilities are outperforming hospital-based units through partnerships, achieving 24% Medicare margins compared to 1% for departmental IRFs in 2023. The number of freestanding IRFs grew 7.4% from 345 to 371 facilities between 2022 and 2023, while Medicare IRF admissions increased 7.3% overall. States without certificate of need laws show higher IRF utilization rates at 7.5% of acute care discharges compared to 5.6% in CON states, prompting reforms in South Carolina, Florida, and Tennessee. Hospital systems are increasingly partnering with IRF operators through joint ventures, joint operating agreements, or management agreements to transition departmental units to freestanding facilities, which cost $15,000 per stay compared to $21,000 for hospital-based stays. Source: VMG Health
The Office of Inspector General approved a telehealth arrangement that allows physician-owned entities to lease healthcare professionals from telehealth platforms without violating federal anti-kickback laws. The June 6, 2025 advisory opinion covers an arrangement where a Requestor Professional Corporation leases healthcare professionals from Platform Professional Corporations on an hourly basis, with fees determined by provider type and paid regardless of third-party reimbursement. The OIG determined the arrangement complies with anti-kickback statutes because it includes written agreements, independent fee validation, and compensation structures that remain separate from referral volume or business generation. The arrangement aligns with federal safe harbor provisions for personal services and management contracts, which require detailed written agreements with fixed terms of one year or longer. The advisory opinion applies only to the specific parties involved, meaning other organizations must seek their own legal review for similar arrangements. Source: Hinshaw Law