
Wade’s Health Law Highlights for March 24, 2026

Fraud & Abuse / Anti-Kickback

Healthcare Transactions & Business

  • MedTech companies face scrutiny over early partnership agreements when seeking outside capital, as terms negotiated for limited purposes can create obstacles during financing rounds. These collaboration agreements often start small but become central to operations as revenue, product planning, and business assumptions depend on them. Investors focus on how much revenue depends on single agreements, whether expansion requires renegotiation, and whether partners hold rights affecting future decisions. Contract provisions including assignment clauses, fixed pricing terms, exclusivity agreements, and consent rights can affect transaction timing and negotiating leverage during diligence. Companies should review agreements before financing begins to identify terms that limit flexibility, including rigid assignment provisions, pricing protections, consent rights tied to growth decisions, and exclusivity extending beyond the original purpose. Source: Healthcare Law Insights
  • Provider mergers with larger healthcare platforms result in higher reimbursement rates from insurers. Studies show hospital mergers produce price increases of 6-18%, while hospital acquisition of physician practices drives approximately 14% price increases, with nearly half attributable to billing changes that add facility fees. Analysis of billions of price transparency records from major insurers covering more than 26,000 providers across the U.S. confirms a statistically significant relationship between practice size and negotiated prices. The Government Accountability Office found hospital-led physician consolidation consistently linked to higher commercial prices with little evidence of quality improvements. These rate increases translate into higher premiums for employers and employees. Source: Ankura

Cybersecurity & Data Breaches

  • A cyber incident at Stryker has prompted a proposed class action lawsuit alleging security failures compromised health information. The incident affected enterprise systems but did not compromise medical devices or patient safety systems, though disruptions can affect manufacturing operations, order processing, field service operations, and software updates. Medical technology companies face scrutiny from regulators, investors, and boards under FDA guidance that emphasizes secure design and vulnerability management, while HIPAA-regulated entities must maintain safeguards for electronic protected health information. Companies should review incident response plans, business continuity plans, cybersecurity governance, and security monitoring at least annually to comply with overlapping federal and state requirements. The incident underscores that breach-related risk includes private litigation as well as regulatory scrutiny. Source: Fenwick
  • Governor Greg Abbott directed Texas health agencies to address cybersecurity threats from Chinese-manufactured medical equipment. The Texas Health and Human Services Commission, the Department of State Health Services, and public university systems must review cybersecurity and procurement policies and submit findings by April 17. The directive follows January notices from CISA and FDA that identified security vulnerabilities in Chinese-manufactured patient monitors, including the Contec CMS8000 and Epsimed MN-120, which could allow unauthorized remote access and theft of protected health information. State-owned medical facilities must catalog network-connected medical devices and assess cybersecurity protections. Abbott plans to use the findings to inform legislation in the 2027 session. Source: Texas Metro News
  • Delve, a Y Combinator-backed compliance startup, faces allegations that it misled hundreds of customers about their data protection and security compliance status. A pseudonymous Substack report claims the company generated pre-filled evidence, routed customers to two audit firms based in India, and published trust pages listing controls that were never implemented. The company raised a $32 million Series A at a $300 million valuation and positions itself as an automation platform for SOC 2, ISO 27001, HIPAA, and other frameworks. Delve denies issuing compliance reports and says it provides templates for customers to document processes, with final opinions delivered by independent auditors. A security researcher also claimed access to sensitive internal data, including employee background checks and equity records. Source: FindArticles.com
  • Organizations must prioritize patch management, documentation and data governance to avoid preventable breaches and compliance risks as they navigate global privacy regulations. Netskope executives Tom Baumgartner and Steve Riley discussed how AI and emerging technologies accelerate change while companies operating across borders contend with differing privacy expectations and regulatory regimes. Riley, field CTO at Netskope, stated that many breaches leading to regulatory scrutiny are preventable with basic security hygiene, noting that organizations should prioritize timely updates and maintain clear documentation of security changes to demonstrate compliance to regulators and auditors. Riley advocated for outsourcing patch management to software vendors. The discussion included how global privacy regulations create compliance challenges for multinational organizations, how AI and evolving technology complicate regulatory frameworks, and best practices for data residency, sovereignty and tracking data lineage across lifecycles. Source: GovInfoSecurity

Privacy & Patient Data Rights

  • OCR faces uncertainty over whether its proposed HIPAA Security Rule update will progress to a final rule after receiving more than 4,700 comments, including calls from over 100 hospital systems and provider associations to withdraw the proposal. The Notice of Proposed Rulemaking, issued on December 27, 2024, represents the first update to the HIPAA Security Rule in more than two decades and introduces new security requirements for electronic protected health information. Healthcare providers criticized the proposed rule for placing financial burdens on HIPAA-regulated entities and establishing an unreasonable implementation timeline. OCR Director Paula M. Stannard stated the Trump administration may have a different view on the burdens and benefits of the proposed changes, and if the final rule is released, OCR could extend the compliance deadline beyond the standard 180 days. The proposed update followed OCR’s publication of voluntary Health Care and Public Health Cybersecurity Performance Goals in January 2024, which were intended to advise future rulemaking. Source: HIPAA Journal
  • Patient concerns about health data rights drove compliance risks for healthcare providers in 2025, shifting focus from regulatory enforcement to patient-driven issues. Patients increasingly requested electronic health record audit logs showing who accessed their medical information, though current HIPAA and HITECH Act regulations do not require providers to produce these security logs. Amendment requests also rose as patients sought to remove information from medical records, but providers retain discretion to deny such requests and typically add clarifications rather than delete historical documentation. A California health system faced a proposed class action lawsuit over using AI transcription technology in exam rooms without patient consent, highlighting questions about disclosure and consent requirements for AI use. Healthcare organizations should update privacy notices, establish AI governance processes, and train staff to address patient questions about data rights and technology use. Source: Hall Render
  • Healthcare organizations face a readiness challenge before they can monetize their clinical records, claims histories, imaging repositories, genomic data, and real-world outcomes. Life sciences companies, technology developers, payers, and analytics firms are driving demand for healthcare data to support real-world evidence, AI initiatives, and product development, but licensees scrutinize governance frameworks, consent documentation, and compliance exposure when determining value. Organizations fall into categories ranging from data-rich but governance-light to those with research collaborations, and value increases as uncertainty decreases around rights of use, patient consent, and operational capacity. Leadership teams must clarify whether they hold defensible rights, what patient consent permits for secondary use, and what operational support partnerships require before discussing licensing fees that depend on income projections, market comparables, or replication costs. Licensing structures including time-limited licenses, subscriptions, research collaborations, or revenue-sharing arrangements shape long-term positioning, with term length, exclusivity, and field-of-use restrictions affecting both value and flexibility. Source: VMG Health
  • Companies across industries are facing wiretapping lawsuits from California residents based on website tracking technologies. The lawsuits, filed under the California Information Privacy Act, claim that companies allow third parties to eavesdrop on website visitors through tracking tools like Google Analytics that share data about clicks, searches, and browsing behavior. CIPA permits $5,000 per violation, and plaintiffs argue each tracking technology constitutes a separate violation, meaning one website visit with 8 tracking tools could generate a $40,000 demand. The U.S. Supreme Court has agreed to review a case involving the Video Privacy Protection Act that could affect how older statutes apply to tracking technologies. Companies are advised to implement disclosure pop-ups before tracking begins, audit their tracking technologies, and establish data retention and deletion protocols. Source: Amundsen Davis

AI in Healthcare

  • Healthcare organizations face patient confidentiality risks when implementing AI tools that process protected health information. Hospitals, physician groups, and insurers are integrating AI into clinical workflows for applications including medical imaging, predictive analytics, automated coding, transcription, and chatbots, but these systems often require access to large volumes of patient data governed by HIPAA. Confidentiality risks emerge when AI platforms store user inputs outside secure environments, when third-party vendors access PHI without proper Business Associate Agreements, when de-identified data can be re-identified, and when staff use generative AI tools without governance policies. The Department of Health and Human Services has begun examining how HIPAA applies to AI technologies while the Federal Trade Commission signals enforcement actions against companies that misuse health data. Organizations can reduce risks by establishing AI governance policies, conducting vendor due diligence, limiting data exposure, and training employees on privacy obligations. Source: Chartwell Law
  • AI enables healthcare providers to tailor treatments to patients’ genetic profiles, predicting disease risk through mutation detection and selecting therapies based on individual responses to maximize treatment effectiveness. In oncology, AI tools guide medical professionals in classifying tumors based on genetic profile, allowing oncologists to customize treatment plans for cancer patients. However, AI models require vast amounts of data for training and function as “black boxes” that fail to explain how they reach conclusions, raising concerns about data privacy and the potential to infer personally identifiable information even from anonymized datasets. The Patent Office released updated guidance on AI patentability in 2024 and 2025, clarifying that AI-assisted inventions remain patent eligible if one or more persons made a contribution to the claimed invention, maintaining the requirement of human conception. Source: Knobbe Martens
  • Physicians using AI for clinical documentation must maintain responsibility for the accuracy of patient records despite the technology’s ability to transcribe physician-patient conversations into draft notes. When selecting AI documentation tools, physicians should evaluate cost, integration with electronic medical records systems, device compatibility, and HIPAA compliance. Practices must obtain both written and verbal patient consent for each visit, documenting any declined or revoked consent in the patient’s chart. AI tools may inaccurately capture medical terms and produce errors, and physicians should avoid using AI for medical decision-making such as diagnosing diseases or creating treatment plans. Practices should coordinate with IT vendors, consult legal counsel, verify insurance coverage, train staff, and conduct periodic evaluations of AI tool effectiveness. Source: Kerr Russell

Healthcare Litigation

Patient Safety & Quality