Fraud & Abuse: OIG Advisory Opinions
- OIG has approved an orthopedic surgery provider’s proposed warranty program that refunds concierge fees to patients requiring revision surgery within two years of their initial procedure. In Advisory Opinion No. 26-12, the Requestor offers a voluntary Concierge Program, covering items such as wellness coaching, nutritional supplements, app-based health monitoring, leg elevators, and compression garments, for one year following surgery, with fees paid out-of-pocket at fair market value and not reimbursed by any Federal health care program. Under the Warranty, if a patient who substantially complies with the program nonetheless requires revision surgery within two years, the Requestor refunds the concierge fees paid in connection with the initial surgery, with no requirement that the patient return to the Requestor for the revision and no conditioning on exclusive or minimum purchases. OIG found that the arrangement satisfies the applicable elements of the warranty safe harbor at 42 C.F.R. § 1001.952(g), including written undertaking, accurate reporting of refunds on patient invoices, and the patient’s contractual obligation to provide information to the Secretary or State agency upon request. Accordingly, OIG concluded the Proposed Arrangement would not generate prohibited remuneration under the Federal anti-kickback statute or the Beneficiary Inducements CMP, and it would not impose administrative sanctions. Source: OIG Advisory Opinion No. 26-12
- The OIG issued an advisory opinion on May 13, 2026, that an orthopedic medical device company’s plan to pay physician consultants royalties tied to product line revenue falls outside the Anti-Kickback Statute’s personal services safe harbor because the payments track the volume or value of referrals. Under the arrangement, physicians who met minimum hours and quality standards would receive a percentage of revenue from all products in a line they advised on, rather than a flat hourly rate, creating a financial incentive to recommend those products to other providers through teaching, training, and proctoring activities. The OIG characterized the structure as a potential payment-for-referrals scheme and cited studies showing physicians are more likely to order products from companies that compensate them, raising risks of patient steering, inappropriate utilization, and increased costs to Medicare and Medicaid. The OIG distinguished compliant arrangements, noting that fixed fair market value fees for documented services, IP royalties not tied to ongoing referrals, and compensation structures that carve out the consultant’s own procedures and affiliated facilities present lower fraud and abuse risk. Device companies should structure physician consulting agreements to satisfy an applicable Anti-Kickback Statute safe harbor and exclude consultants from any position to influence utilization of the products generating their pay. Source: Nixon Peabody LLP
HIPAA Security Rule Developments
- NIST certifications, HITRUST credentials, and third-party “HIPAA compliant” attestations do not satisfy the HIPAA Security Rule’s risk management requirement, and OCR is now expanding its enforcement to verify compliance with that requirement directly. In April 2026, OCR released a YouTube presentation clarifying that covered entities and business associates must not only identify risks to electronic protected health information (ePHI) through a security risk analysis, but must also implement safeguards that reduce those risks to a reasonable and appropriate level — and document that they have done so. Framework exercises such as NIST mappings or ISO reviews may inform compliance efforts and can mitigate penalties during an investigation, but none independently establishes Security Rule compliance. OCR treats risk management as a continuing governance function, not a one-time deliverable, requiring organizations to prioritize risks by likelihood and impact, tie remediation decisions to that prioritization, and update the risk management plan as technologies and threats evolve. Regulated entities should ground their security risk analysis in a full ePHI asset inventory and ensure their risk management plan documents remediation decisions, implementation status, and reviews of safeguard effectiveness over time. Source: Baker Data Counsel
- A proposed update to the HIPAA Security Rule eliminates the longstanding “addressable” classification for encryption, making it a baseline requirement for all entities that create, receive, store, or transmit electronic protected health information (ePHI). The rule extends compliance obligations beyond traditional healthcare providers to include insurers, clearinghouses, business associates, SaaS platforms, analytics providers, and cloud operators handling ePHI. Covered entities have approximately 180 days from final rule publication to comply, a timeline regulators consider sufficient given that encryption is widely available and affordable. Encryption alone does not satisfy the rule’s expectations; regulators require documented proof of key lifecycle management, activity monitoring, tamper-resistant audit logs, and centralized policy enforcement across databases, file systems, cloud workloads, endpoints, and backups. Organizations that cannot demonstrate uniform, governed encryption across all environments face heightened enforcement exposure, legal liability, and breach costs. Source: Security Boulevard
HIPAA Privacy: Breach Notification & Patient Consent
- HIPAA’s Breach Notification Rule effectively requires data mining in large-scale incidents because the law places the burden of proof on covered entities to rebut a presumption that any impermissible access constitutes a reportable breach. Under 45 C.F.R. § 164.402, any acquisition, access, use, or disclosure of protected health information that is not permitted under the Privacy Rule is presumed to be a breach unless the covered entity can demonstrate a low probability of compromise. To rebut that presumption, the entity must conduct a risk assessment addressing at least four enumerated factors, including what data was involved, whether it was actually accessed, and the likelihood of harm to affected individuals. Failure to conduct or adequately document that assessment leaves the presumption intact, triggering notification obligations to affected individuals, the Secretary of Health and Human Services, and, in large-scale incidents, the media. Source: IAPP
- Electronic health privacy forms routinely use dark patterns to block patients from opting out of data sharing, even when the forms explicitly state that patients have the right to do so. At a Virginia telehealth clinic using Privia Health’s system, patients were presented with an “I accept” button as the only option to proceed through registration, with no visible way to decline data sharing through health information exchanges, despite the privacy notice describing an opt-out right — a design that University of Chicago law professor Lior Strahilevitz identified as both “obstruction” and “visual interference” dark patterns. HIPAA does not require patients to sign a notice of privacy practices, only to acknowledge receipt, and HHS has confirmed that providers are not prohibited from requiring acceptance as a condition of check-in — a gap that legal experts say was never anticipated when the rules were written. State law varies considerably: Florida and New York require explicit patient consent before data can be shared through health information exchanges, while Arizona, Maryland, and Virginia permit sharing by default with opt-out options. HHS is currently working to finalize a rule that would remove the written acknowledgment requirement, though privacy law experts are calling for stronger intervention — including a requirement that any notice describing an opt-out right must include a direct, working link to exercise it. Source: CalMatters
AI in Clinical Practice: Compliance & Litigation
- AI transcription tools in health care create legal exposure under HIPAA, state privacy laws, and the False Claims Act that requires governance treatment equal to any other high-risk clinical process. A single patient encounter can generate multiple PHI-containing records—audio files, transcripts, summaries, draft notes, and system logs—each subject to distinct access, retention, and disclosure obligations that must be addressed in Business Associate Agreements with transcription vendors. Because these tools lack clinical judgment, errors in captured medication names, diagnoses, or dosages can corrupt the medical record and, if incorporated into billing submissions without human review, generate overpayment liability and False Claims Act scrutiny. Some states now require licensed professionals to obtain both oral and written patient consent before using AI tools to record or transcribe therapy sessions, and organizations must audit applicable state recording and confidentiality laws before deployment, particularly in behavioral health settings. Employees who bypass approved systems and use consumer-grade transcription tools—so-called “shadow AI”—can move PHI outside monitored environments and convert a routine compliance gap into a regulatory investigation by the HHS Office for Civil Rights or a state attorney general. Source: Foley & Lardner
- Health care organizations face mounting litigation risk from AI tools that capture or process patient communications without consent. A class action filed in the Northern District of California targets a third-party “ambient AI” clinical documentation tool, with plaintiffs alleging that physician-patient conversations were recorded, transmitted, and processed without informed consent, in violation of the California Invasion of Privacy Act, the Confidentiality of Medical Information Act, the Unfair Competition Law, common law intrusion upon seclusion, and the federal Wiretap Act. Legal exposure extends beyond how an AI tool functions to how it is implemented, disclosed, governed, and monitored, and a single use case can implicate privacy, consent, data governance, cybersecurity, vendor management, professional liability, and consumer protection law simultaneously. Using a third-party platform does not transfer legal responsibility, so organizations must conduct vendor due diligence, track how data flows through AI systems, and ensure patient notices and authorizations align with actual data practices. Governance frameworks should include an inventory of AI use cases classified by patient impact and data sensitivity, pre-deployment assessments of privacy and clinical risk, human oversight of AI-informed decisions, and clear patient communication about what the technology does and how information is protected. Source: FBT Gibbons
Federal Enforcement & AI-Driven Audits
- HHS launched AERO on May 21, 2026, using AI to re-score five or more years of Single Audit Act compliance data for every entity receiving $1 million or more in annual federal funds. Hospitals receiving Medicaid DSH payments, Graduate Medical Education funding, NIH and HRSA grants, or COVID and ARPA relief funds fall within scope, and findings against a state Medicaid agency can flow downstream to hospital subrecipients that had no involvement in the underlying audit deficiency. AERO findings can trigger payment withholding, cost disallowances, suspension or termination of awards, and debarment proceedings under 2 CFR Part 180. HHS announced AERO through a press release and letters to governors rather than through notice-and-comment rulemaking as required by the Administrative Procedure Act, and HHS’s own Trustworthy AI Playbook requires bias testing, human oversight, transparency, and OMB pre-clearance before deploying rights-impacting AI — none of which HHS has publicly documented for AERO. Hospitals should file a FOIA request before responding to any AERO correspondence, demanding the AI methodology, training data, validation studies, bias assessments, and OMB M-24-10 pre-clearance documentation, as courts in AI enforcement challenges have used FOIA-obtained records as the evidentiary foundation for invalidating agency actions. Source: Polsinelli
Telehealth & Workforce Compliance
- Telehealth is projected to account for up to 30% of U.S. medical visits in 2026, and the distributed workforce supporting it, such as coders, billing specialists, contractors, and offshore workers, cannot be secured through legacy device-based controls. HIPAA requires safeguards preventing unauthorized access to electronic protected health information (ePHI), and those obligations extend to all personnel who touch that data, regardless of employment status or device ownership. With 73% of healthcare leaders expecting half their workforce to be hybrid in 2026, shipping corporate laptops or deploying virtual desktops is too slow and complex to keep pace with staffing demands. The security model must shift from locking down hardware to isolating ePHI and healthcare applications directly on the endpoint — inside a protected workspace separated from personal activity — regardless of who owns the machine. That approach enables onboarding in minutes rather than days, allows instant access revocation without equipment retrieval, and keeps compliance intact across geographies and device types. Source: Healthcare IT Today
Payer Disputes & No Surprises Act
- A Texas federal court dismissed with prejudice Blue Cross Blue Shield of Texas’s lawsuit against HaloMD, a provider-side independent dispute resolution company, on May 22. BCBS Texas, operating under Health Care Service Corp., had alleged HaloMD submitted ineligible claims under the No Surprises Act and Texas state law to exploit the arbitration process. The court held that BCBS Texas’s claimed damages constituted an impermissible collateral attack on IDR awards, that an injunction was not an independent cause of action, and that IDR awards are not subject to judicial review. BCBS Texas has filed an appeal, while HaloMD contends HCSC owes tens of millions of dollars in legally binding IDR awards to providers for care already rendered. HaloMD faces a pattern of similar insurer challenges, including a dismissed suit brought by Elevance Health in California, which also intends to appeal. Source: Becker’s Payer Issues
