Wade’s Health Law Highlights for May 20, 2025

Academic Medical Centers

Data Breach

Fraud & Abuse

  • The Department of Justice has prioritized False Claims Act theories in its criminal enforcement agenda. The Criminal Division’s top priorities include health care fraud and government contracts fraud, trade and customs fraud, and violations of controlled substances laws—all central focuses of False Claims Act enforcement. These enforcement priorities suggest the DOJ views civil FCA liability and criminal penalties as connected pathways in addressing high-priority misconduct. Businesses in regulated industries now face potential parallel criminal investigations alongside civil FCA scrutiny, making robust compliance systems increasingly critical. Recent changes to DOJ enforcement policies regarding self-disclosure, cooperation, and remediation further emphasize that compliance missteps may carry heavier penalties than before. Source: Skadden, Arps, Slate, Meagher & Flom LLP

Health Data

  • Patient data faces significant vulnerabilities when health tech companies fold, due to inadequate regulations and inconsistent security practices. Despite the health tech industry’s growth to $908.5 billion in 2023 with projections to reach $3.1 trillion by 2033, approximately 90% of health tech startups eventually fail, as exemplified by Forward’s abrupt closure in 2024 which left patients struggling to retrieve health records and maintain prescription access. Currently, only 20 states have instituted rules for patient health data protection, with most safeguards relying on user agreements that 91% of consumers don’t read, as seen when 23andMe’s bankruptcy prompted customers to rush to delete their data before possible transfer. Security experts recommend companies implement solid encryption, access controls, proper data deletion procedures with 30-day buffers, and rapid response plans to protect patient information when companies shut down. Source: Healthcare Brew

Insurance Coverage

  • The Tenth Circuit Court of Appeals has ruled that hospital excess liability insurance policies must treat each patient claim as a separate “medical incident.” The May 2, 2025 decision in AdHealth Limited v. PorterCare Adventist Health Systems affirmed that each claim must individually exceed the $2 million self-insurance retention to qualify for excess coverage. PorterCare had sought $40 million in coverage after settling lawsuits from thousands of patients exposed to infection risks due to inadequate sterilization procedures. The court rejected PorterCare’s argument that all claims constituted a single medical incident, instead interpreting the policy language “any one person” as unambiguously limiting coverage to individual claimants. The ruling highlights the importance of policy language in determining how multiple related claims will be treated for insurance purposes. Source: Carlton Fields

Long-Term Care

  • A federal court has struck down key provisions of the Centers for Medicare & Medicaid Services’ staffing mandate for long-term care facilities. The Northern District of Texas vacated requirements for 24/7 registered nurse staffing and minimum staffing ratios of 3.48 hours per resident per day that were set to begin implementation in May 2026. The court determined CMS exceeded its statutory authority by contradicting existing law that requires RN services for only eight consecutive hours daily and by imposing uniform staffing ratios that fail to account for facilities’ unique needs. This ruling follows the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo, which limits federal agencies to authority clearly delegated by Congress and enhances judicial oversight of regulatory actions. While providing regulatory relief, long-term care facilities should continue addressing staffing challenges and monitor potential appeals of this decision. Source: Troutman Pepper Locke

Medicare Advantage

  • UnitedHealth Group faces multiple federal investigations amid leadership changes and financial struggles. According to The Wall Street Journal, the Department of Justice has been conducting a criminal fraud investigation into UnitedHealthcare’s Medicare Advantage business since at least summer 2024, though the company claims no knowledge of such an investigation. This comes alongside an existing antitrust probe examining the relationship between UnitedHealthcare and Optum, plus a civil investigation into Medicare Advantage billing practices. UnitedHealth reported poor first-quarter performance in 2025 with medical costs exceeding expectations. The company’s stock has reached multi-year lows following these developments. Source: Fierce Healthcare

Mergers & Acquisitions

  • Healthcare transaction activity hit its lowest point since Q3 2020, with Q4 2024 volumes decreasing 10.4% from Q3 and 11.7% compared to Q4 2023. Professional Services, Outsourced Services, and Behavioral Health dominated the landscape, accounting for 73.2% of all transactions, with significant deals including New Enterprise Associates’ $1.3 billion acquisition of NeueHealth and Cencora’s $4.6 billion purchase of Retina Consultants of America. Despite an overall 4.9% decline in 2024 transactions compared to 2023, certain sectors showed growth, including Behavioral Health (+7.5%), Managed Care (+10.6%), and Specialty Outpatient Facilities (+14.0%). Healthcare investors continue to face regulatory scrutiny and elevated interest rates, though the incoming Trump administration is expected to create a more favorable M&A environment in 2025 with a less aggressive approach to merger regulation and potential tax cuts. Source: [Ankura](https://www.jdsupra.com/legalnews/quarterly-healthcare-transactions-4427961/)

Part 2

  • The U.S. Department of Health and Human Services has updated 42 CFR Part 2 to align substance use disorder record confidentiality requirements with HIPAA and HITECH standards. The New Rule allows patients to sign a single consent form for future disclosures rather than requiring separate authorizations for each disclosure, while also implementing HIPAA-like breach notification requirements. Penalties for violations now include both civil fines up to $1.5 million per calendar year and criminal penalties up to $250,000 with potential imprisonment from one to ten years. Healthcare entities subject to Part 2 must update their policies regarding patient consent, information disclosure, medical records, breach notification, privacy notices, and data storage. Organizations must comply with these new requirements by February 16, 2026 to avoid significant penalties in the increasingly stringent enforcement landscape. Source: Katten

Regulation