Fraud, Abuse & False Claims Enforcement
- The Justice Department’s Civil Division launched the FOCUS (Fraud Oversight through Careful Use of Statistics) initiative to formalize its relationship with data miners filing qui tam complaints under the False Claims Act. Qui tam filings have surged in recent years, driven increasingly by data miners — companies or individuals who analyze public government data for fraud signals — rather than traditional insider whistleblowers. Under FOCUS, data miners may request pre-filing meetings with the Civil Fraud Section to present their methodologies and demonstrate how their data signals correlate to fraud, though such meetings are not required before filing. The Department will prioritize cases from data miners who show pre-filing diligence, knowledge of program rules, and legally sound allegations. Source: U.S. Department of Justice
- The HHS Office of Inspector General recently determined that a management services organization owning and operating a clinical laboratory serving affiliated urgent care centers does not violate the federal Anti-Kickback Statute, provided no remuneration flows between the laboratory and referral sources. The arrangement reviewed involved an MSO affiliated with four urgent care centers that proposed to own an offsite laboratory through a separate legal entity, with the laboratory billing payors directly, provider compensation unlinked to test volume, and patients receiving written notice of the affiliation along with the option to use an unaffiliated laboratory. The OIG conditioned its approval on the absence of any direct or indirect remuneration between the laboratory and the urgent care centers and on the EHR system permitting orders to multiple laboratories without preference. The opinion warns that similar arrangements involving payments to referral sources — including sham consulting deals, sham investment opportunities, or free personnel or equipment — would implicate the AKS and “would not be low risk.” Even where AKS risk is avoided, such arrangements may still implicate the Stark Law, state analogues, or the Ending Kickbacks in Recovery Act of 2018, which bars referral payments for laboratory services regardless of payor. Source: McDermott Will & Emery
Medicare Reimbursement & Coverage
- CMS and FDA have created a joint coverage pathway that compresses Medicare national coverage decisions for Breakthrough Devices from over a year to as little as two months after FDA market authorization. The Regulatory Alignment for Predictable and Immediate Device (RAPID) pathway applies to certain FDA-designated Class II and Class III Breakthrough Devices that address unmet medical needs among Medicare beneficiaries, requiring that eligible devices be the subject of an Investigational Device Exemption (IDE) study enrolling Medicare beneficiaries with clinical outcomes agreed upon by both agencies. Under the pathway, CMS will issue a proposed National Coverage Determination (NCD) on the same day an eligible device receives FDA market authorization, triggering a 30-day public comment period. The Transitional Coverage for Emerging Technologies (TCET) pathway will be paused for new candidates while CMS implements RAPID. A proposed procedural notice will be published in the Federal Register with a 60-day public comment period before a final notice takes effect. Source: CMS
- The 2026 Medicare Physician Fee Schedule restructures physician reimbursement through three changes that directly affect how physician productivity is measured and compensated. CMS finalized an efficiency adjustment that reduces work relative value units (wRVUs) for 91% of physician services, targeting non-time-based procedural codes while leaving evaluation and management services unchanged, meaning procedural specialists will see lower reported wRVU productivity even if clinical volume holds steady. CMS also overhauled practice expense methodology by cutting indirect practice expense allocated per wRVU by 50% for facility-based services — rejecting the AMA’s updated survey data on methodological grounds — shifting reimbursement toward office-based settings on a budget-neutral basis to advance site neutrality. For the first time since the MPFS was established in 1992, CMS implemented two separate conversion factors, one for providers participating in Advanced Alternative Payment Models and one for those who are not, requiring organizations with mixed provider populations to maintain separate revenue forecasts and clarify which conversion factor governs percentage-of-Medicare contracts. Compensation rates, productivity thresholds, salary guarantees, and professional services agreements tied to wRVUs should be recalculated to reflect these changes. Source: VMG Health
Privacy, Cybersecurity & Data Breaches
- The HIPAA Security Rule is set for its most significant update in over a decade, with changes expected to be finalized in 2026 and a compliance window as short as 60 days once the rule takes effect. The updates eliminate the longstanding “addressable” safeguard category, converting previously optional measures — including encryption, multi-factor authentication, asset inventories, and network mapping — into requirements. Organizations must document where electronic protected health information (ePHI) exists, who can access it, and how it is protected and recoverable following a breach. The rule applies to all covered entities and business associates regardless of size, placing the same expectations on small and mid-sized practices as on large health systems. To prepare, organizations should conduct a risk analysis, document current policies and safeguards, close gaps in access controls and data protection, and build a compliance roadmap. Source: Healthcare Dive
- Nine of the ten largest publicly traded US health companies have advertising and analytics trackers installed on login and registration pages, transmitting patient data to vendors including Meta, Google, LinkedIn, and TikTok without patients’ knowledge or consent. About 15% of health websites examined could capture exact keystrokes on login pages, exposing Social Security numbers, passwords, appointment times, billing details, and medical diagnoses to third parties. A 2023 joint warning from the Office for Civil Rights and the FTC to roughly 130 hospitals and telehealth providers failed to produce change, and a June 2024 federal court ruling in Texas — which found that HHS had exceeded its authority in extending HIPAA to unauthenticated webpage tracking — further weakened the regulatory path to enforcement. Once patient data leaves a hospital’s domain, the hospital has limited control over it, and the chain of resale through the programmatic advertising ecosystem is opaque enough that even the original tracker vendor cannot fully account for where it ends up. No regulatory action, class-action settlement, or reputational consequence has yet proven sufficient to change standard practice, leaving the use of an ad-blocker and a privacy-focused browser as the default protection for a category of data that federal statute treats as protected. Source: The Next Web
- Phishing accounted for more than one-third of all unauthorized network access incidents in Q1 2026, making it the leading method of network intrusion. State-sponsored and criminal actors are using large language models to develop phishing lures, write malicious scripts, and evade detection — all without writing code. Health care and government sectors are the primary targets of these AI-assisted campaigns. To reduce exposure, organizations should implement properly configured multi-factor authentication, conduct patch management, and establish centralized logging across their environments. Source: Data Privacy + Cybersecurity Insider
- Integrated Pain Associates, a Killeen, Texas-based pain and spine practice, disclosed a data breach involving unauthorized network access on or around February 24, 2026. The incident was identified in February 2026 and announced on April 30, 2026. Data involved includes names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnosis and medication information, health insurance information, provider names, treatment information, and financial account information. The organization is offering credit monitoring and identity theft protection services to affected individuals. The breach has not yet appeared on the Office of the Texas Attorney General website or the HHS Office for Civil Rights breach portal. Source: HIPAA Journal
Private Equity & Healthcare Transactions
- A wave of state laws is tightening oversight of private equity investment in healthcare, filling a void left by federal inaction. Oregon’s SB 951, effective June 9, 2025, restricts management services organization (MSO) and PE control of healthcare practices and voids certain restrictive covenants, while California’s AB 1415 and SB 351, effective January 1, 2026, expand transaction notice requirements to include private equity firms and hedge funds and codify corporate practice of medicine limits on unlicensed entity influence over licensed healthcare professionals. Rhode Island enacted a pre-merger notification rule requiring 60 days’ advance notice of material changes in medical practice groups with fines up to $100,000 for noncompliance, and Washington signed legislation on March 25, 2026, expanding reporting and pre- and post-closing notification requirements for healthcare entity control changes. Indiana, New York, Hawaii, Vermont, Pennsylvania, and Illinois have each introduced or advanced legislation in 2026 requiring greater ownership disclosure, post-closing reporting, or advance notice for material healthcare transactions. States are also adopting “mini-HSR” laws requiring Hart-Scott-Rodino filings to be submitted to state attorneys general, broadening antitrust oversight of healthcare-related mergers at the state level. Source: Paul Hastings LLP
Drug & Pharmacy Regulation
- Most compounded peptides being marketed to wellness and chiropractic practices today fall outside the legal pathways that federal law requires for lawful compounding, and practitioners who add them to their service offerings carry the legal risk themselves. Under Section 503A of the Federal Food, Drug, and Cosmetic Act, a bulk drug substance can only be legally compounded if it appears on the final 503A bulks list, holds Category 1 interim status, is a component of an FDA-approved drug, or has a USP or NF monograph — and as of April 2026, none of the popular compounded peptides, including BPC-157, TB-500, CJC-1295, ipamorelin, and melanotan II, meet any of those criteria. The FDA removed twelve of those substances from Category 2 and referred them to the Pharmacy Compounding Advisory Committee on April 15, 2026, but that referral is a procedural step, not an authorization, and pharmacies that compound them remain subject to enforcement. The DOJ reinforced that exposure on April 1, 2026, when it indicted a Utah physician for selling misbranded peptides to more than 200 patients, placing the prescribing provider — not just the pharmacy — inside the criminal liability chain. In Texas, chiropractors face additional layers of risk from turnkey vendor platforms, including fee-splitting violations under the Texas Patient Solicitation Act, unlicensed pharmacy operations if peptides are stored on-site, scope-of-practice violations under the Texas Chiropractic Practice Act, and malpractice coverage gaps because peptide therapy falls outside the scope chiropractic policies are written to cover. Source: Healthcare Empowered
- Rescheduling marijuana from Schedule I to Schedule III eliminates the Section 280E tax penalty for state-licensed medical cannabis operators, cutting effective federal tax rates from over 70% down to the standard 21% corporate rate. Section 280E bars all ordinary business deductions for trafficking in Schedule I or II controlled substances but does not mention Schedule III, so the rescheduling order — effective April 22, 2026 — removes the penalty by its own statutory terms for qualifying medical operators. Treasury’s transition rule treats the relief as applying to the full 2026 calendar year, meaning medical operators can deduct wages, rent, utilities, and all other operating expenses for the entire year without mid-year allocation. Adult-use operators receive no relief; 280E remains fully in effect for recreational marijuana, and a separate rescheduling hearing beginning June 29 is the only near-term path to change that. Retroactive relief for prior tax years (roughly 2022–2025) is unresolved — the DOJ order encourages Treasury to consider it, but Treasury has made no commitment, leaving more than $1.6 billion in disputed 280E positions industry-wide, including approximately $445 million carried by Trulieve alone, in limbo pending further guidance. Source: Budding Trends
Congressional Oversight
- The healthcare sector faces bipartisan congressional investigations that will persist regardless of the 2026 midterm outcomes, with affordability serving as the unifying thread across inquiries into drug pricing, pharmacy benefit managers, group purchasing organizations, hospital consolidation, private equity ownership, Medicare Advantage, and prior authorization practices. Republican committee chairs have already pursued investigations through hearings, information requests, and subpoenas targeting GPOs, PBMs, ACA plans, healthcare fraud, insurance costs, data breaches, and hospital systems. If Democrats gain a majority in either chamber, investigations would expand to include conflicts of interest among Trump Administration appointees, pharmaceutical manufacturer negotiations over most-favored-nation pricing arrangements such as the GLOBE and GUARD models, and AI-driven algorithmic decision-making in care denial. Democratic staff have begun issuing document retention letters and engaging watchdog groups ahead of any majority, signaling that private-sector actors — not just the executive branch — are the near-term focus. Congressional inquiries in healthcare carry compounded risk because they routinely run parallel to state attorney general actions and plaintiffs’ bar litigation. Source: Holland & Knight
