340B
- 340B covered entities face new rebate models and Medicare Part D claims reporting requirements starting January 1, 2026. The rebate models extend to all 340B covered entity types, all payors, and all dispensing locations, using the Beacon software platform with eight manufacturers participating under different policies. CMS will identify Medicare Part D claims for 340B drugs through a data-driven model that associates prescriber NPIs with covered entities and contract pharmacies, and through a voluntary claims data repository. CMS expects federally qualified health centers, Critical Access Hospitals, and IPPS hospitals to submit claims data during the voluntary testing period, with mandatory reporting anticipated as early as 2027. The changes stem from the Inflation Reduction Act requirement that drug manufacturers provide rebates on drugs with prices increasing faster than inflation, with 340B drug claims excluded from these calculations. Source: McDermott Will & Schulte
Data Privacy & Governance
- 2025 marks a shift in state privacy regulation from new legislation to enforcement and rulemaking. Nine states amended existing comprehensive privacy laws, with Connecticut and Montana making changes to coverage thresholds, consumer rights, and protections for minors. California finalized CCPA regulations covering automated decision-making technology, risk assessments, and cybersecurity audits that take effect January 1, 2026, with businesses required to submit certifications under penalty of perjury starting in 2028. Enforcement actions increased across multiple states, with California settling cases totaling over $2,300,000, Texas securing a $1,375,000,000 settlement, and Florida filing its first lawsuit under the Digital Bill of Rights. Eight states enacted youth privacy laws, while New York, Virginia, and California passed health privacy legislation restricting geofencing and collection of reproductive health data. Source: IAPP
- Hospitals are allocating 4.2% of their 2026 budgets to AI governance and safety despite rapid adoption of AI technology across clinical and operational workflows, according to Black Book Research. Only 22% of hospitals report confidence they could deliver an auditable AI explanation within 30 days to regulators or payers, with the gap widening at smaller facilities where just 15% of small hospitals report readiness. Only 29% of hospitals have implemented and enforced AI policies covering model inventory, lineage and sign-offs, while 48% remain in drafting stages. The data shows 41% cite limited explainability artifacts from vendors as their top audit barrier, and 33% report unclear internal ownership between IT, quality/safety and compliance departments. A separate report from the Healthcare Financial Management Association found that 88% of health systems use AI internally, but only 18% have a mature governance structure. Source: Healthcare Finance News
Drug & Device
- The FDA’s Digital Health Advisory Committee examined a hypothetical prescription chatbot using generative AI to treat major depressive disorder in adults. The committee provided recommendations on premarket evidence requirements, postmarket monitoring, labeling, and integration into clinical care, marking a step toward regulating generative AI mental health tools that the agency has not yet cleared. The recommendations call for validated depression endpoints, human escalation pathways, equity monitoring across populations and languages, and risk-stratified postmarket surveillance to address risks including hallucinations, model drift, and cybersecurity vulnerabilities. Manufacturers must demonstrate technical reliability, test capability boundaries, and provide transparent labeling about purpose, limits, data practices, and prescriber requirements. States including Illinois and California have enacted legislation requiring user disclosures that confirm interaction with AI solutions and prohibiting branding that implies licensure to deliver therapy. Source: Orrick
HIPAA
- Senator Bill Cassidy (R-LA) has proposed legislation to extend HITECH Act privacy and security requirements to entities that handle health information outside the traditional HIPAA framework. The bill would require entities not subject to HIPAA to provide plain language disclosures when accessing health data, informing individuals that their information will no longer receive HIPAA protections and obtaining consent before selling the data. The legislation would mandate that health and wellness apps, regardless of their size or current compliance obligations, provide notices about the loss of HIPAA protection and offer opt-out rights for data use. Companies would face expanded breach notification duties and would need to implement more stringent information security protections that align with HIPAA security standards, including documentation, retention, training, and logging requirements. The bill would also require written authorization for sharing information, which would restrict marketing practices that rely on cookies and other data-sharing mechanisms. Source: Privacy Compliance & Data Security
- Healthcare providers have incurred over $100 million in fines in recent years due to unauthorized data sharing through tracking pixels on websites. Tracking pixels embedded in patient portals and telehealth platforms may inadvertently transmit protected health information to third parties such as analytics and social media companies, prompting enforcement actions by the Office for Civil Rights and Federal Trade Commission. Standard Business Associate Agreements often fail to address risks from AI-driven analytics, behavioral tracking, and secondary data use. New York’s Information Security Breach and Notification Act now imposes a 30-day breach notification deadline and expands protected data definitions to include medical history and health insurance identifiers, affecting both HIPAA-covered entities and non-regulated organizations. Organizations should conduct vendor risk assessments, customize Business Associate Agreements, and implement continuous oversight of vendor performance to ensure HIPAA compliance. Source: Stevens & Lee
Medicare & Medicaid
- An appellate court ruling emphasized that Medicaid applicants for long-term care must meet clinical eligibility requirements in addition to financial standards. To qualify for long-term care Medicaid, applicants must require hands-on assistance with at least three Activities of Daily Living, including bathing, dressing, eating, toileting, and mobility, as determined through a Pre-Admission Screening. The case involved an individual denied benefits who could complete some Activities of Daily Living but required prompting, oversight, and assistance to remain safe. The court specified that clinical evaluations must assess physical capability, cognitive function, safety awareness, and the ability to perform tasks without supervision. Attorneys Richard I. Miller and Donald A. Dennison noted that individuals who need help with fewer than three Activities of Daily Living remain ineligible for coverage even if they cannot live independently. Source: Mandelbaum Barrett PC
- Medicare Advantage provider directories contain errors that mislead enrollees about available care. A report from the Department of Health and Human Services Office of Inspector General found that 55% of behavioral health providers listed in Medicare Advantage plan networks did not provide care for plan enrollees. The average Medicare Advantage plan contracts with only 16% of behavioral health providers in its area, below the 25% threshold that defines a “limited network.” The Centers for Medicare & Medicaid Services created a temporary Special Election Period for individuals who enrolled in Medicare Advantage plans through Medicare Plan Finder based on directory information and discovered within three months that their provider was not in-network. To qualify, enrollees must contact 1-800-MEDICARE and can then switch to a different Medicare Advantage plan or return to Original Medicare. Source: Medicare Rights Center
Mergers & Acquisitions
- The healthcare M&A market remains active but operates with increased selectivity in Q4 2025, with deal volume down from 2021-22 levels as buyers focus on technology-enabled care, distressed assets, and provider consolidation. Ambulatory surgery centers, behavioral health, home health, AI platforms, and revenue cycle management tools attract the most investor interest, while the FTC and DOJ maintain scrutiny over provider consolidation and local market concentration. Buyers are using earn-outs, seller financing, minority stakes, and joint ventures to bridge valuation gaps as financing costs remain elevated. Analysts predict a measured rebound in deal volume for 2026, driven by lower interest rates and middle-market transactions, though regulatory oversight will intensify around roll-up transactions and AI-driven clinical tools. Arnall Golden Gregory recommends that acquirers engage legal counsel early to address data governance, workforce risk, and integration planning. Source: Arnall Golden Gregory LLP
Pharmacy Benefit Managers
- Alternative pharmacy benefit managers are gaining market share as the three largest PBMs face federal scrutiny for allegedly overcharging for drugs and favoring their own pharmacies. Federal lawsuits and investigations have accused CVS Health’s Caremark, Cigna’s Express Scripts, and UnitedHealth Group’s Optum Rx of pocketing savings and giving perks to their vertically integrated insurance companies and pharmacies. Alternative PBMs such as Navitus, AffirmedRx, and Rightway Healthcare use fee-for-service models and claim to pass 100% of negotiated discounts to clients, unlike the Big 3, which the FTC accused of making $1.4 billion through spread pricing from 2017 to 2022. A September report found that 61% of 324 employers surveyed have moved away from or are considering leaving the Big 3 in the next three years. Navitus has secured 800 clients covering 18 million lives since 2003, while competitors AffirmedRx and Rightway have attracted clients including 7-Eleven, Purdue University, and Tyson Foods. Source: Healthcare Brew
Revenue Cycle Management
- Hospitals are adopting accounts payable automation to address cost pressures as U.S. health spending reached $4.9 trillion in 2023, with hospital expenditures up 10.4%, the fastest pace since 2003. Administrative expenses account for 15%-25% of national health expenditures, making automation a lever for margin protection. More than 60% of finance leaders are deploying automation to improve efficiency and resilience. Temple University Health System, with $2.7 billion in net patient revenue and 290,000 invoices processed annually, implemented AP automation through workflow redesign, ERP assessment, KPI establishment, and cross-department governance summits. AP automation delivers lower operating costs, faster processing, compliance readiness, and working capital optimization. Source: Grant Thornton
Substance Use Disorder (42 CFR Part 2)
- The federal government updated 42 CFR Part 2 regulations governing substance use disorder records to align with HIPAA while maintaining patient protections, with enforcement beginning February 16, 2026. The changes, issued in April 2024, introduce a single patient consent that authorizes uses and disclosures of Part 2 records for treatment, payment, and healthcare operations, allowing HIPAA covered entities to redisclose records in accordance with HIPAA. The regulations establish “SUD counseling notes” as a protected category that requires specific patient consent for disclosure, similar to psychotherapy notes under HIPAA. HHS Office for Civil Rights will enforce Part 2 using the HIPAA civil and criminal penalty framework, and the HIPAA Breach Notification Rule now applies to Part 2 records held by covered entities and business associates. Organizations subject to Part 2 must update notices, consent forms, contracts, and training programs before the compliance date. Source: Foley Hoag LLP
Workplace
- Healthcare workers face workplace violence at rates five times higher than other industries, according to Bureau of Labor Statistics data. A 2024 survey found 91% of emergency physicians have either experienced violence at work or know a colleague who has, while one-fourth of nurses have been physically assaulted on the job. Violent incidents in hospitals increased 63% between 2011 and 2018, with the cost of violence reaching $18.27 billion in 2023, of which $14.6 billion went to post-incident costs. Modern hospital security systems combine access control, AI-enhanced video surveillance, alarm systems, emergency notification systems, and trained security personnel, with approximately 92% of hospitals having some form of access control. Source: Omnilert