Reimbursement & Payment
- CMS has proposed a rule that would cut $774.8 billion in state and federal Medicaid spending over 10 years by capping State Directed Payments (SDPs), far exceeding the $72 billion in cuts anticipated under the One Big Beautiful Bill Act, which the rule purports to implement. Beginning with rating periods on or after July 4, 2025, SDPs for inpatient and outpatient hospitals, nursing facilities, and academic medical center practitioners would be capped at 100% of Medicare rates in Medicaid expansion states and 110% in non-expansion states, with those caps extended to all SDPs for all services and territories starting January 1, 2029. New or renewed uniform increase SDPs would be prohibited beginning January 1, 2028, and grandfathered SDPs approved by December 31, 2025 must phase down by 10% annually starting in 2028. On the fee-for-service side, the rule would shift from aggregate to individual payment limits, capping targeted Medicaid payments — those directed at a subset of providers — at the same Medicare-based thresholds, though disproportionate share hospital payments are excluded. Comments are due July 21, 2026. Source: Morgan Lewis Health Law Scan
- Federal agencies overhauled the No Surprises Act’s independent dispute resolution process to address a backlog of more than 5.1 million dispute submissions since 2022. The rule, published June 4, 2026, cuts the per-party administrative fee from $115 to $15 effective June 11, 2026, and raises the cap on batched claims per dispute from 25 to 50, provided the claims share the same payor, a similar condition, and fall within the same 30-business-day window. Payors must now register with the Departments and obtain a unique federal IDR registration number, and must include standardized claim adjustment reason codes and identifying information — such as their legal name and Federal Employees Health Benefits carrier code — on remittances to out-of-network providers, with an implementation date to be set by December 4, 2026. Eligibility timelines tighten under the rule: non-initiating parties have three business days to raise objections after IDR initiation, and IDR entities must issue eligibility determinations within five business days of arbitrator selection. The rule does not alter payment methodology, which remains under separate rulemaking and subject to enforcement discretion following litigation by the Texas Medical Association. Source: Goodwin
Fraud & Abuse
- The OIG issued a favorable advisory opinion permitting a pharmaceutical manufacturer to provide free preservative-free artificial tears to patients prescribed its product to mitigate REMS-identified ocular toxicity. Advisory Opinion 26-13 replaces AO 21-19 and covers a 60-day supply of single-use eye drop vials (retailing between $108 and $145) distributed through a manufacturer-sponsored Hub to all enrolled patients, including Federal health care program beneficiaries, regardless of prescriber or insurer. Although the free eye drops constitute remuneration under the Federal anti-kickback statute, the OIG declined to impose sanctions because the items are low-cost, non-prescription, and unlikely to drive overutilization of the underlying product, particularly given that patients still bear other treatment costs. The OIG also emphasized that the FDA-approved label, Medication Guide, and REMS Patient Guide all recommend eye drop use at least four times daily, so the arrangement mitigates a known safety risk and helps preserve continuity of therapy. The OIG further concluded that the Beneficiary Inducements CMP is not implicated because the manufacturer is not a provider, practitioner, or supplier, the Hub operates independently of prescribers, and enrollment materials disclose the manufacturer’s sponsorship. Source: OIG Advisory Opinion No. 26-13
- Static valuation formulas and internally prepared analyses in physician and ambulatory surgery center transactions carry significant legal and financial risk under federal fraud enforcement frameworks. Civil fraud recoveries reached record levels in 2025, driven by healthcare qui tam lawsuits, with Community Health Network paying $345 million to settle False Claims Act allegations tied to unsupportable fair market value conclusions in referral relationships. In U.S. ex rel. Simmons v. Meridian Surgical Partners, a former ASC employee alleged that Meridian paid above FMV to acquire physician-owners’ controlling stakes, then sold ownership interests to physician-investors below FMV as referral inducements — a disparity between control and non-control valuations that drove the qui tam action to settlement. ASC control-level EBITDA multiples currently range from 6x–7x, with one to two turns of expansion in certain specialties and markets due to health system and private equity demand, meaning any formula fixed at an earlier multiple will produce conclusions disconnected from current pricing. Internal valuations involving referring physicians face heightened scrutiny because proximity to the transaction can introduce bias, even unintentionally, and EBITDA-based formulas omit capital expenditure requirements, regulatory overhangs, and physician concentration risk that materially affect go-forward value. Source: VMG Health
FDA & Product Regulation
- The FDA issued a draft guidance overhauling the rules governing drug and device manufacturer communications with payors, formulary committees, and similar entities, incorporating two statutory changes from the Consolidated Appropriations Act, 2023. The draft extends the healthcare economic information (HCEI) safe harbor under FDCA 502(a) expressly to medical devices — previously covered only by FDA policy — and adds a new statutory safe harbor under FDCA 502(gg) protecting communications about investigational products from misbranding liability, provided manufacturers include disclosures on approval status, development stage, study design, labeling, and material updates. The draft also broadens the prohibition on misrepresentation by removing the “misleadingly” qualifier, meaning any representation that off-label clinical assumptions have been found safe and effective by FDA is prohibited regardless of context, and shifts the risk disclosure standard from “varies from” to “materially different” from approved labeling. Three previously optional recommendations — updating payors when communicated information becomes materially outdated, describing study methodology and limitations, and presenting both positive and negative findings — are now mandatory requirements. Public comments on the draft are due August 3, 2026. Source: Sheppard
Privacy, HIPAA & Data Security
- HIPAA was never designed as a health privacy law—its coverage gaps are a direct consequence of its origins as a 1996 labor-mobility statute aimed at letting workers with pre-existing conditions carry employer-sponsored insurance between jobs. Privacy entered the law as a third-layer add-on to administrative simplification provisions, and when Congress failed to enact substantive privacy rules within its self-imposed three-year deadline, it delegated rulemaking to HHS, which wrote the Privacy Rule (45 C.F.R. Parts 160 and 164) from scratch—constrained only by the statute’s pre-existing definition of covered entities: health plans, healthcare providers submitting standard electronic transactions, and clearinghouses. That definition excludes pharmaceutical companies, life insurers, disability and workers’ compensation carriers, employers, and most consumer health apps, none of which fit the portability or electronic-transaction framework, despite holding extensive personal health data. The employer-plan firewall that HHS created to prevent termination of workers with costly conditions is structurally weak in practice because most companies lack the organizational separation to keep group health plan data away from HR functions. Layered on top of HIPAA, roughly 22 to 23 states have enacted general consumer privacy laws, California and Texas have HIPAA-parallel health statutes, and Washington’s My Health My Data Act (Wash. Rev. Code § 70.372, 2023) has become the template for legislation targeting the entities HIPAA does not reach—producing overlapping, inconsistent obligations that risk impairing the functioning of the healthcare system itself. Source: UC Berkeley Law – BCLT
- The HIPAA Privacy Rule defines protected health information far more broadly than most patients or practitioners assume, extending full protection to any personally identifying information a covered entity holds about a person because they are a patient or insured—including health insurance enrollment forms containing nothing more than a name, address, and list of dependents. HHS deliberately eliminated the patient consent requirement for treatment, payment, and healthcare operations, concluding that genuine consent rights in those contexts would paralyze the healthcare system, while requiring signed, specific, individual authorization for any use outside those categories or the rule’s enumerated national priority purposes such as public health reporting. Two statutory carve-outs create real-world disparities: student health clinic records fall under FERPA rather than HIPAA, allowing universities to obtain those records in litigation—a protection that disappears if the student sought care at an off-campus hospital—and employment records held by a covered entity in its employer capacity, including FMLA and workers’ compensation documentation, are excluded entirely. HHS extended the rule’s reach to vendors through the business associate framework, requiring covered entities to impose HIPAA obligations by contract on any service provider whose work involves PHI, a model that remained purely contractual for the rule’s first decade until the HITECH Act and 2013 regulations made business associates directly subject to government enforcement; a cloud-storage firm hosting only encrypted patient records it cannot access is still a business associate because the service involves PHI. 
Once data meets HIPAA’s low-risk-of-re-identification de-identification standard, the rule no longer applies and the patient is deemed to retain no privacy interest, a conclusion the Seventh Circuit rejected in quashing a DOJ subpoena for redacted abortion-procedure records, holding that “even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy.” Source: UC Berkeley Law
- Bayside Dental experienced a cybersecurity incident that potentially compromised the protected health information of up to 10,216 patients. Unauthorized network access was identified on January 5, 2026, at the practice, which has locations in Rowlett, Texas, and Anacortes, Washington. A forensic investigation confirmed on March 13, 2026, that files containing names, dates of birth, Social Security numbers, medical and insurance information, and other data were accessed. The Sinobi ransomware group claimed responsibility for the attack and stated it stole 580 gigabytes of data. Bayside Dental has offered affected patients 12 months of credit monitoring services. Source: HIPAA Journal
- Healthcare’s vendor compliance certifications, like SOC 2, HITRUST, and Business Associate Agreements, do not verify that security controls are actually working; they only reflect what a vendor claims. Compliance automation startup Delve, valued at $300 million, was accused of systematically fabricating audit reports for hundreds of clients; a leaked internal spreadsheet revealed 494 nearly identical SOC 2 reports with pre-written auditor conclusions inserted before clients submitted any evidence. Healthcare organizations that relied on those fabricated documents face HIPAA willful neglect penalties of up to $50,000 per violation and potential criminal liability. The 2013 HIPAA Omnibus rule extended liability to every downstream vendor and subcontractor, yet most health systems cannot confirm how protected health information is handled beyond their direct vendors, a gap the Change Healthcare attack exposed at scale. SOC 2, HITRUST, and BAAs should be treated as starting points, and vendor risk decisions should rest on direct, verifiable evidence that controls are functioning — not on the existence of documentation. Source: MedCity News
Artificial Intelligence
- Health care AI adoption hit 85 percent by end of 2024, but 63 percent of organizations have no governance policies in place, shadow AI is present in 40 percent of hospitals, and only 29 percent of providers are aware of their organization’s main AI policies. The governance gap has produced litigation — including class actions over AI ambient scribes recording patients without consent — and Pennsylvania filed the first state enforcement action against Character.AI after a chatbot falsely claimed to be a licensed psychiatrist. In September 2025, the Coalition for Health AI and The Joint Commission published the Responsible Use of AI in Healthcare framework, the first formal AI governance standard from a U.S. health care accreditation body, followed by CHAI governance playbooks in May 2026; The Joint Commission also launched a voluntary certification program that provides third-party-validated evidence of responsible AI practices. Forty-five states have introduced AI legislation as of early 2026, with enacted laws in multiple states requiring clinician oversight of AI outputs, patient disclosure of AI use, human review before prior-authorization denials, and consent before ambient-listening tools are deployed. The FDA has authorized more than 1,400 AI-enabled medical devices, and the bipartisan AI LEAD Act and the March 2026 Trump America AI Act discussion draft would impose products-liability frameworks on AI developers — including health systems that substantially modify or fine-tune AI tools for clinical use. Source: Baker Donelson
- Heartflow, Inc. filed a 180-page patent infringement lawsuit in the U.S. District Court for the Eastern District of Texas in April 2026, alleging that a former consultant who signed a nondisclosure and invention assignment agreement with Heartflow in 2010 secretly founded rival company Cleerly, Inc. in 2016 while still bound by confidentiality, non-compete, and assignment obligations. Heartflow claims Min used its confidential information to develop Cleerly’s competing products and that Cleerly also hired Heartflow’s former chief commercial officer, who was likewise bound by confidentiality obligations. The suit alleges direct and induced infringement of six patents covering AI-powered cardiac imaging analysis — including methods for anatomic segmentation, blood flow estimation, plaque vulnerability prediction, and vessel evaluation — out of a portfolio of more than 600 patents, and notes that Cleerly cited Heartflow’s patents in its own patent filings. Heartflow seeks lost profits, injunctive relief, treble damages, and attorneys’ fees; Cleerly has called the suit an attempt to limit competition and its answer is due July 8, 2026. Source: Epstein Becker Green
Healthcare Transactions & M&A
- AI-driven diligence tools are reshaping home health and hospice M&A by enabling buyers to analyze entire populations of clinical, billing, and operational records rather than limited samples, causing issues to surface shortly after LOI that previously escaped detection altogether. Documentation practices that appear acceptable across a small sample can look materially different when reviewed across thousands of records, and branch-level performance inconsistencies that once went unnoticed are now visible before definitive agreements are signed. When findings emerge after management has already presented growth trends and margin performance, the consequences include re-trades, expanded diligence requests, pressure on pricing, and delayed closings. To counter this, sellers are conducting internal operational and compliance reviews before going to market — examining denial trends, coding practices, reimbursement support, and branch-level reporting — and some are deploying technology-assisted review to identify gaps before buyers do. Sellers that reconcile operational data, organize diligence materials, and understand where diligence pressure is likely to concentrate before launch are better positioned to maintain negotiating leverage once the process accelerates. Source: Arnall Golden Gregory LLP
- DSO consolidation has shifted from a growth-at-all-costs model to one where operational discipline, compliance, and infrastructure determine whether a deal gets done and at what terms. Buyers are now placing greater weight on sustainable profitability and scalable systems than on top-line expansion, and organizations that pursued rapid growth are restructuring portfolios or seeking new strategic paths. Platforms operating across fragmented practice management systems, revenue cycle workflows, and compensation structures have struggled to achieve projected synergies. During diligence, compliance gaps, inconsistent financial reporting, unresolved governance questions, and limited operational visibility across acquired practices erode buyer confidence and weaken transaction terms. Sellers that can demonstrate aligned leadership, clean financials, and a defined integration and liquidity plan are better positioned to command stronger valuations and move through transactions efficiently. Source: VMG Health
Antitrust & Competition
- A federal court’s decision blocking Edwards Lifesciences’ acquisition of two pre-commercial medical device companies signals that antitrust agencies can challenge mergers involving products not yet approved or sold. In Edwards/JenaValve, the district court accepted the FTC’s theory of a “TAVR-AR device market” even though no such device had received FDA premarket approval, blocking Edwards from acquiring both JenaValve Technology and JC Medical, which were each in clinical trials for catheter-based aortic valve replacement devices. The FTC has also elevated scrutiny of the “failing firm” defense in healthcare mergers, with FTC staff now independently contacting potential alternative buyers early in the Second Request process—and frequently finding that third parties were unaware the asset was available—and Duke Health’s subsequent acquisition of Lake Norman Regional Hospital after Novant abandoned its deal is viewed as evidence that the original seller’s buyer search was inadequate. Roughly half of all U.S. hospital mergers involve hospitals in separate geographic markets, and while neither the FTC nor DOJ has yet brought an enforcement action on a cross-market theory, California has imposed price and conduct conditions on three hospital mergers since 2020 on that basis, and Oregon recently conducted a review of a healthcare transaction with no in-state overlaps. Healthcare companies face antitrust scrutiny even without traditional geographic overlap or a commercially available product. Source: Axinn, Veltrop & Harkrider LLP
- Texas ranks second in the nation for ASC count, with 497 facilities, and operates without a certificate-of-need law, giving it one of the least restrictive development environments in the country. States without CON regulation posted compound annual growth rates of 2% to 4% in Medicare-certified ASC development between 2019 and 2023, according to L.E.K. Consulting’s 2024 ASC Insights Study. The FTC sued U.S. Anesthesia Partners and private equity backer Welsh, Carson, Anderson and Stowe in September 2023, alleging the firms bought up nearly every large anesthesia practice in Texas to establish a dominant provider capable of extracting higher prices; Welsh Carson settled in January 2025, and USAP reached an agreement in principle with the FTC in April 2026, with a federal court staying the case in May while USAP implements required relief over 180 days. The FTC also required Ascension to divest seven AmSurg ASCs—including one in Waco—before closing its $3.9 billion acquisition, identifying those Texas markets as areas where the deal would substantially reduce competition. Texas is one of six states included in CMS’ WISeR prior authorization pilot, which took effect January 1 and runs through 2031, requiring prior authorization for procedures including epidural steroid injections, nerve stimulator implants, and image-guided lumbar decompression. Source: Becker’s ASC
Clinical Laboratories
- Clinical laboratories face insolvency from converging pressures of more than $4 billion in Medicare payment cuts over three years, AI-driven payer audits, rising labor and supply costs, and tightening regulatory enforcement that penalizes compliant labs for the fraud of others. Of the more than 320,000 clinical labs in the US, approximately 80% are small businesses with no diversified service lines or reserves, making them acutely vulnerable to payment disruptions; Medicare Part B alone spent $8.4 billion on diagnostic lab tests in 2024. When a lab enters distress, restructuring advisors must triage legal and regulatory exposure first — including False Claims Act risk, Anti-Kickback Statute liability, and CLIA compliance — because unresolved regulatory exposure can render a lab unsalvageable regardless of its financial profile. Revenue cycle management failures, including unworked claim denials, incorrect CPT coding, and claims aging beyond 120 days, are the most common operational drivers of insolvency and must be addressed through a 13-week cash-flow forecast before any restructuring pathway is selected. Depending on the severity of the distress, Chapter 11 reorganization, a § 363 asset sale — where CLIA certification and state licenses carry transferable value that allows buyers to bypass months of administrative setup — or a structured wind-down are the three viable exits, with the correct choice determined by whether regulatory exposure is curable, revenue cycle problems are reversible, and core testing operations remain cash-flow positive. Source: J.S. Held / ABI Journal
