Healthcare Fraud Enforcement & Anti-Kickback
- The Office of Inspector General approved an arrangement allowing a management company affiliated with urgent care centers to establish an independent clinical laboratory without violating the Anti-Kickback Statute. OIG issued Advisory Opinion No. 26-02 on February 12, 2026, concluding that the arrangement would not generate prohibited remuneration because the laboratory and management entity provided no payments for referrals, urgent care providers held no ownership interest in the laboratory, and patients received written notice of the relationship and could choose any laboratory. The laboratory billed insurers directly and did not supply free personnel to the urgent care centers. OIG warned that arrangements involving remuneration for referrals, such as sham ownership interests or free staff, may violate the statute. The opinion applies only to the requestor and does not address the Stark Law, state corporate practice rules, or False Claims Act liability. Source: Harris Beach Murtha
- Texas authorities are prosecuting dental and orthodontic fraud with a focus on Medicaid billing violations. The Texas Attorney General stated in 2025 that the Medicaid Fraud Control Unit targets pediatric dental chains that bill for exams that never occurred or were performed by technicians without dentists present. A Houston dentist received 120 months in prison for submitting $6.9 million in fraudulent Medicaid claims from 2018 to 2021 and paying kickbacks to bring patients to his clinic. Another dental clinic settled for $23.9 million in January 2018 to resolve claims that it billed state Medicaid programs for procedures that were either not performed or medically unnecessary. Texas Medicaid providers face exclusion from the program for offering cash, gifts, or transportation to influence patient decisions, though items under $15 such as toothbrushes remain permissible. Source: Eye on Enforcement
- The Texas Attorney General’s Office filed three lawsuits against healthcare entities in one week during February 2026, continuing an enforcement campaign that began in 2025. On February 18, 2026, the office sued Children’s Health System of Texas and Dr. Jason Jarin for billing Texas Medicaid for gender-affirming care in violation of the Texas Healthcare Fraud Prevention Act. On February 19, 2026, the office intervened in a qui tam suit against Sanofi-Aventis, alleging the company provided kickbacks to providers through a Free Nurse Program and Support Services Program that reduced costs for patient care and prescribing. On February 24, 2026, the office filed a petition against Aid Access entities for shipping abortion-inducing drugs into Texas. The office’s Medicaid Fraud Control Unit has arrested over 120 individuals and collected over $125 million. Source: False Claims Act Blog
Privacy, Data Security & Health Information
- The Department of Justice implemented regulations restricting bulk transfers of health data to China, Cuba, Iran, North Korea, Russia, and Venezuela following Executive Order 14117 signed by President Biden on February 28, 2024. The rule, which took effect on April 8, 2025, defines bulk data as exceeding thresholds of 10,000 U.S. persons for health data, 100 persons for genomic data, and 1,000 persons for other ‘omic data and biometric identifiers within a 12-month period. The regulations prohibit data brokerage transactions providing covered persons access to bulk data and ban sharing of bulk human ‘omic data or biospecimens with entities in countries of concern unless authorized by DOJ license. Healthcare organizations engaging in restricted transactions with offshore vendors, cloud services, or AI systems must implement CISA security requirements including encryption, multifactor authentication, and data minimization. Violations carry civil penalties up to $377,700 per violation or twice the transaction value, while willful violations can result in criminal fines up to $1,000,000 and imprisonment up to 20 years. Source: Healthcare Law Insights
- Ransomware attacks on hospitals resulted in patient deaths and operational disruptions, with a 2023 University of Minnesota study estimating that delays in care contributed to 42 to 67 Medicare patient deaths between 2016 and 2021. In 2024, 259 million Americans had their protected health information compromised, and in 2025, over 445 ransomware attacks targeted hospitals and direct care providers, with the average breach costing $9.77 million. Healthcare spends 4-7% of IT budgets on security versus 15% in finance, and over 80% of stolen healthcare records originate from third-party vendors rather than hospitals. D3 Morpheus, an AI-autonomous SOC platform, ingests alerts from existing security tools and uses a cybersecurity threat LLM to correlate alerts across the security stack, reconstructing attack paths while keeping humans in control of remediation decisions. HIPAA’s regulatory framework is undergoing its most significant overhaul in over a decade, with proposed updates eliminating flexibility and making encryption, MFA, asset inventories, vulnerability scanning, annual audits, and 72-hour system restoration mandatory. Source: Security Boulevard
- Healthcare providers must update HIPAA documentation to comply with changes related to substance use disorder patient records under 42 CFR Part 2. The Notice of Privacy Practices must be revised to indicate that certain uses and disclosures permitted by HIPAA may be prohibited or limited by Part 2, including restrictions on using or disclosing Part 2 information in civil, criminal, administrative, or legislative proceedings against patients except in limited circumstances. These revisions apply not only to Part 2 programs that provide substance use disorder treatment but also to any providers that may receive such records from Part 2 programs. Additionally, Alabama raised its age of medical consent from 14 to 16 years old effective October 1, 2025, and parents and guardians retain the right to access their child’s medical records until age 19, with limited exceptions, regardless of who consents to treatment. Providers must update their HIPAA policies and procedures to reflect both the federal changes and Alabama’s state law modifications. Source: Burr & Forman LLP
- Federally assisted substance use disorder programs must update business associate agreements by February 16, 2026, to comply with new confidentiality rules. Part 2 Programs that are HIPAA covered entities must ensure their agreements with qualified service organizations (QSOs) include terms acknowledging the QSO is bound by Part 2 regulations and will resist judicial efforts to obtain patient identifying information except as permitted under the rules. The Part 2 rules prohibit disclosure of substance use disorder information without patient consent, but allow an exception for QSOs if a written agreement exists requiring compliance with Part 2. Part 2 Programs should review existing business associate agreements to ensure they do not permit uses or disclosures of substance use disorder records beyond what Part 2 allows, as Part 2 is more restrictive than HIPAA. Source: Holland & Hart’s Health Law Blog
- HHS initiated enforcement against information blocking practices in September 2025. The agency can impose civil monetary penalties up to $1 million per violation against health IT developers, health information networks, and health information exchanges under regulations stemming from the 21st Century Cures Act of 2016. Healthcare providers participating in Medicare and other programs face program-specific disincentives, including loss of incentive payments or exclusion from value-based purchasing programs. Under Secretary Robert F. Kennedy Jr., HHS established portals and hotlines for reporting violations and issued enforcement alerts through the Office of Inspector General and the Office of the Assistant Secretary for Technology Policy/National Coordinator for Health IT. As of December 2025, no public enforcement actions have been announced. Source: Healthcare Law Insights
AI & Technology in Healthcare
- Physicians face compliance risks when using AI tools without institutional approval. Experts warn against “shadow AI,” where physicians use HIPAA-compliant tools without their institution’s authorization, noting that 57% of healthcare professionals encountered or used unauthorized AI platforms in 2025. Some AI vendors include indemnification clauses that shift liability to physicians for errors from deployment or misuse of the technology. Experts recommend that employed physicians communicate with their institutions about approved AI systems, while independent physicians should create governance policies outlining AI use. One expert advises all physicians to review contracts with AI developers alongside lawyers with experience in technology and healthcare. Source: Texas Medical Association
- MedTech startups face data ownership challenges when partnering with academic medical centers for technology validation. Clinical trial data ownership is often contested, and sponsors cannot assume they have automatic rights to use or share data from these collaborations. Publication review windows of 30 to 90 days may not provide enough time for startups to file patent applications before researchers disclose results, as academic career success depends on publication. The Bayh-Dole Act allows academic institutions to retain patent rights in inventions developed with federal funding, and this ownership expectation extends to collaborations with for-profit partners. Investors examine data rights and consent frameworks during due diligence, and weaknesses in these areas can prevent deals from closing. Source: Healthcare Law Insights
Healthcare Industry Consolidation & Private Equity
- States are expanding oversight of healthcare transactions involving private equity firms through new legislation enacted in 2025 and proposed in 2026. Seven states enacted transaction review laws in 2025, including California, Indiana, Maine, Massachusetts, New Mexico, Rhode Island, and Washington, requiring pre-closing notice periods ranging from 60 to 90 days to state attorneys general or health agencies. At least 11 states have proposed legislation in 2026 that would impose notice requirements of 30 to 180 days and grant state agencies authority to approve, conditionally approve, or disapprove transactions. Maine placed a one-year moratorium on private equity companies and real estate investment trusts acquiring ownership or control of hospitals, set to expire June 15. The legislation focuses on transactions involving private equity firms, management services organizations, and healthcare consolidation, with states using the National Academy for State Health Policy’s 2024 model law as a framework. Source: BakerHostetler
- Senators Elizabeth Warren and Josh Hawley introduced the Break Up Big Medicine Act on February 10, 2026, targeting common ownership of health plans and providers. The bill would prohibit ownership of both providers or management services organizations and insurance companies or pharmacy benefit managers, requiring divestment within one year of enactment. The legislation’s failure to define “insurance company” creates ambiguity that may force health systems with subsidiary health plans to divest, beyond the health care conglomerates it targets. Enforcement would involve the FTC, DOJ Antitrust Division, HHS Office of Inspector General, state attorneys general, and a private cause of action allowing citizens to recover treble damages. The bill has been referred to the Judiciary Committee. Source: Jones Day
- The FTC proposed a settlement with Express Scripts on February 4, 2026, requiring the pharmacy benefit manager to offer plan sponsors a “Standard Offering” that ties patient out-of-pocket costs to net drug prices rather than list prices. The order, set to take effect January 1, 2027, prohibits Express Scripts from favoring high-priced drug versions over low-priced versions in formularies and bars PBM compensation tied to list prices. The settlement stems from a September 2024 FTC complaint against the three largest PBMs, alleging their rebate practices inflated insulin list prices while excluding lower-priced options from coverage. Plan sponsors are not required to adopt the Standard Offering, and the order’s impact depends on whether they choose to do so. If approved, the order will remain in effect for 10 years with a three-year independent monitor overseeing compliance. Source: Hogan Lovells
Healthcare Operations & Compliance
- Healthcare providers face varying sales tax treatment across states for medical devices and equipment. States apply different rules to medical devices, with Illinois taxing bone growth stimulation devices and wheelchair ramps at regular rates while wheelchairs receive lower rates. Hospitals seeking sales tax refunds face strict requirements to prove exemption qualifications, with Indiana and California denying refunds when hospitals could not provide documentation. States frequently update medical equipment tax laws, as seen when South Carolina changed rules for Medicare and Medicaid equipment sellers and Washington modified billing disclosure requirements. Product labeling determines tax rates in Illinois, where medicines and vitamins receive reduced rates only when labels indicate treatment or prevention purposes, while bundled sales receive lower rates when food or medicine comprises more than half the value. Hospitals’ tax treatment depends on profit status and billing methods, with not-for-profit institutions receiving more exemptions than for-profit facilities. Source: Kilpatrick Townsend & Stockton LLP
