Wade’s Health Law Highlights for March 3, 2026

Drug & Device

Emerging Tech

  • Health care organizations require warranties in AI contracts to allocate risk and ensure vendor accountability. Warranties serve as legally binding assurances about AI system behavior, quality, and legal compliance, addressing the probabilistic and dynamic nature of AI tools. Core warranty categories include compliance with applicable law (data privacy, intellectual property, anti-discrimination, and algorithmic regulation), performance standards (conformance to documentation, transparency, traceability, and data governance), and bias mitigation practices. Vendors should commit to periodic updates or retraining to maintain performance and legal compliance, warrant that AI tools were not trained using data or methods that would infringe third-party rights, and confirm they have secured all required licenses and third-party permissions. These warranties help health care organizations adopt AI tools while managing legal, regulatory, and ethical risk. Source: Thompson Coburn LLP
  • The White House issued an executive order establishing a framework for a unified national AI policy that could override state healthcare regulations. The order directs the Secretary of Commerce to review state AI laws within 90 days and identify those deemed burdensome or conflicting with federal standards, with states that fail to comply potentially losing eligibility for federal funds from programs such as the Broadband Equity and Access and Deployment Programs. Meanwhile, healthcare providers face a fragmented regulatory landscape as states including Colorado, Texas, and Utah have enacted comprehensive AI governance laws, while others have passed narrower legislation addressing specific concerns such as insurance denials and mental health services. State legislation prioritizes three areas: preventing AI-driven discrimination, preserving healthcare professionals’ clinical decision-making authority, and requiring transparency through patient disclosures when AI is used in care. The executive order cannot invalidate state laws, as only Congress has authority to enact preemption through legislation. Source: Healthcare Law Insights

Fraud & Abuse

HIPAA & Health Tech

  • Cyberattacks on third-party vendors and business associates in the healthcare sector affected 184 million individuals in 2024, with more than 31 million impacted in the first half of 2025. The reliance on dozens or hundreds of vendors creates risk, as security depends on the weakest link in the chain, with more than one-third of data breaches stemming from third-party supplier compromises. Connected medical devices and cloud-based applications often integrate third-party software components that may not meet the same security standards as healthcare providers’ internal systems. Proposed updates to the HIPAA Security Rule would require healthcare organizations to implement multifactor authentication, data encryption, and security testing across their vendor networks. Healthcare organizations cannot outsource accountability for patient data protection, and business associate agreements do not absolve providers of responsibility when breaches occur at the vendor level. Source: Healthcare Law Insights
  • Healthcare providers face mounting lawsuits over AI scribe technology deployed without proper consent protocols. In November 2025, patient Jose Saucedo filed a class action against Sharp HealthCare in San Diego Superior Court, alleging the organization used Abridge’s ambient AI documentation tool to record over 100,000 clinical encounters without patient consent, violating California’s all-party consent wiretapping statute and the Confidentiality of Medical Information Act. The lawsuit claims Sharp’s EHR notes contained fabricated consent language stating patients had been advised of and consented to recording when no such consent occurred. The U.S. AI medical scribing market is projected to grow from $397 million in 2024 to $3 billion by 2033, with spending on ambient scribe technology increasing 2.4x in 2025 alone to generate $600 million in revenue. Thirteen states, including California, Florida, and Massachusetts, require all-party consent to record conversations, while California’s AB 3030, effective January 1, 2025, requires healthcare providers using generative AI to include disclaimers in patient communications. Source: Health Law Attorney Blog
  • HIPAA enforcement has returned to pre-pandemic levels, requiring telehealth providers to use compliant platforms and implement strict data protections. Edward Kaftarian, MD, speaking at Psych Congress Elevate 2025, stated that the flexible enforcement approach the government adopted during COVID-19 has ended. Healthcare professionals must now practice medicine on HIPAA-compliant platforms and protect patient data across all care settings. Data breaches have accelerated, with approximately 75-80% of the top 100 all-time breaches by individuals affected occurring within the last 2-3 years. Kaftarian, who serves on the Psych Congress Steering Committee and chairs Orbit Health Telepsychiatry, advised clinicians to partner with organizations that prioritize data security for telehealth video visits. Source: HMP Global Learning Network
  • Healthcare organizations often fail to address HIPAA compliance until problems emerge, according to a recent analysis of the healthcare industry. HIPAA compliance services help organizations identify where patient data exists, determine who has access, close gaps, create workflows that reduce risk, and respond to issues. Most violations stem from gaps between systems, teams, and expectations rather than malicious intent. Compliance requires ongoing risk assessments, updated policies, continuous staff education, monitoring, and response plans. As operations grow, internal teams struggle to manage compliance alone, making external expertise necessary for identifying risks and maintaining systems that protect both data and patient trust. Source: NERDBOT

Management Services Organizations (MSOs)

Pharma & 340B

  • HRSA has restarted the process to change the 340B drug discount program from an upfront model to a rebate system, reigniting conflict between drugmakers and hospitals. The 340B program provides up to 50% discounts on pharmaceuticals to safety-net hospitals treating low-income, uninsured patients; the hospitals can sell the drugs at regular price and keep the difference. HRSA proposed a rebate model in August 2025 that would require hospitals to submit data within 45 days of dispensing medication to receive discounts. A federal judge paused the pilot program in late December and HHS abandoned it on February 5, but HRSA sent out a request for information on February 13 to restart the process. PhRMA supports the rebate model, claiming the program allows facilities to pocket $1.6 billion in duplicate discounts, while 340B Health, representing roughly 1,600 hospitals, estimates the rebate model would force disproportionate-share hospitals to float an average $72 million annually. A 2024 report estimated drugmakers lose about 7% of annual US revenue to the 340B program. Source: Healthcare Brew
  • The White House launched TrumpRx.gov, a cash-only platform for purchasing prescription drugs, but workers with insurance may not see savings. The platform connects users to sites selling medications like Wegovy and Gonal-F at prices negotiated with 16 pharmaceutical companies under a “most favored nation” model. The platform operates on a cash-only basis and cannot be used with insurance, which 85% of Americans have through employers, Medicare, or Medicaid. Experts say insurance coverage typically provides lower costs than TrumpRx, and cash purchases do not count toward out-of-pocket maximums. The platform may benefit patients seeking weight loss or fertility drugs, which only 19% and 27% of large employers cover, respectively. Source: HR Brew

Reimbursement

  • Entities receiving HHS funding must comply with digital accessibility standards by May 2026. HHS published a Final Rule on May 9, 2024, requiring facilities with 15 or more employees to meet Web Content Accessibility Guidelines (WCAG) 2.1 Level A and AA standards by May 11, 2026, while those with fewer than 15 employees have until May 10, 2027. The requirements apply to hospitals, clinics, research institutions, medical schools, insurers, and other organizations receiving federal financial assistance, covering websites, mobile apps, patient portals, kiosks, and third-party platforms. Exceptions include archived content, legacy documents posted before deadlines, user-generated forum posts, password-protected records for individuals, and social media posts predating compliance dates. Noncompliance can result in loss of federal funding, HHS Office for Civil Rights enforcement actions, or lawsuits under Section 504’s private right of action. Source: Healthcare Law Insights
  • The HHS Office of Inspector General issued Medicare Advantage compliance guidance, the first update since 1999. The guidance identifies seven compliance risk areas for Medicare Advantage Organizations and related entities: access to care, marketing and enrollment, risk adjustment, quality of care, third party oversight, vertically integrated organizations, and submission of claims. OIG warns that MAOs may face liability under the False Claims Act, Federal Anti-Kickback Statute, and Civil Monetary Penalties Law for violations including inaccurate provider directories, improper prior authorization denials, deceptive marketing, and unsupported diagnoses used for risk adjustment. The guidance states MAOs can be held liable for third party actions beyond their accountability to CMS for delegated functions. OIG recommends MAOs establish safeguards that exceed CMS regulations, particularly for utilization management practices involving artificial intelligence algorithms. Source: Sheppard

Taxation