Fraud, Abuse & Enforcement

• ​Aetna agreed to pay $115 million to settle allegations that it manipulated diagnosis codes to inflate risk scores for Medicare Advantage enrollees. A former risk-adjustment coding auditor filed the lawsuit on behalf of the federal government, claiming Aetna received inflated payments from the Centers for Medicare & Medicaid Services through a process known as upcoding. The Department of Justice alleged that in 2015, Aetna conducted chart reviews and used the results to seek additional payments while ignoring instances where it was overpaid. From 2018 to 2023, the company allegedly submitted morbid obesity diagnosis codes when BMI values indicated patients were not morbidly obese and directed coders to ignore conflicting information. The settlement resolves allegations only, with no determination of liability. Source: Texas Medical Association​
• ​Government investigations into physician organizations often begin without warning and rely on internal communications as evidence. Investigators from the Office of Inspector General, Department of Justice, or state Medicaid Fraud Control Units target emails, board presentations, investor materials, and strategic planning documents that use phrases like “keeping cases in-house,” “driving volume,” or “referral optimization” to establish violations of the Anti-Kickback Statute or Stark Law. Investigations typically begin through whistleblower complaints, billing data analysis, auditor referrals, related investigations, or transaction disclosures. Organizations should engage experienced healthcare regulatory counsel immediately and avoid responding, producing documents, allowing interviews, altering records, or creating new explanatory materials. Pending investigations affect mergers and acquisitions through expanded diligence, altered deal structures, price adjustments, insurance limitations, and timeline delays. Source: Healthcare Law Insights​
• ​The OIG issued a favorable advisory opinion on April 7, 2026, permitting a State-designated domestic crisis provider to bill Medicare and Medicaid for therapy services while waiving cost sharing for domestic violence survivors. The provider, located in a rural, medically underserved area, has historically offered all services—including crisis lines, legal advocacy, emergency shelter, and therapy—at no cost but faced funding losses that necessitated billing Federal health care programs. Although the arrangement would technically generate prohibited remuneration under the Federal anti-kickback statute and the Beneficiary Inducements CMP, the OIG determined the risk of fraud and abuse was sufficiently low. The OIG cited factors including the provider’s historical mission of free services, the prevalence of financial abuse among domestic violence survivors, the independent determination of medical necessity by mental health professionals, and the provider’s commitment not to advertise free therapy or shift costs to Federal programs. Source: OIG Advisory Opinion No. 26-06​
• ​The Office of Inspector General issued Advisory Opinion 25-11 addressing how biopharmaceutical manufacturers can structure discount arrangements for vaccines in compliance with the Anti-Kickback Statute. The OIG reviewed four types of discount structures proposed by a manufacturer, including upfront discounts, purchase requirement discounts, bundled discounts, and bundled rebates offered to pharmacies, group purchasing organizations, and health care providers. While the OIG determined that upfront discounts and purchase requirement discounts meet the discount safe harbor protections, bundled discounts involving products reimbursed under different Medicare systems do not meet the safe harbor but can present low fraud risk if discounts are attributable to each product and offered equally. The OIG concluded all proposed arrangements presented low risk of fraud and abuse, though it emphasized that discounts requiring purchasers to provide marketing services or switch patients between products fall outside safe harbor protections. The opinion signals that manufacturers have flexibility to structure certain discount arrangements that do not precisely meet safe harbor requirements if they include appropriate safeguards. Source: Foley & Lardner​

Regulatory & Competition

• ​The FTC established a Healthcare Task Force on March 20, 2026, to centralize enforcement across competition and consumer protection matters. Chairman Andrew Ferguson created the cross-bureau unit to address consolidation, exclusionary conduct, and deceptive practices that affect prices, quality, and access to care. The Task Force draws staff from the Bureaus of Competition, Consumer Protection, and Economics, and will coordinate with the Department of Health and Human Services and the Department of Justice. The FTC blocked a $945 million medical device merger in January 2026, challenged an IDD services provider merger, opposed a cataract surgery laser system merger in March 2026, and secured a settlement with a pharmacy benefit manager over insulin pricing practices in February 2026. The agency signals it will scrutinize mergers, contracts, and innovation competition in health care markets. Source: Seyfarth Shaw LLP​
• ​The Trump administration has not yet determined whether to proceed with a proposed overhaul of the HIPAA Security Rule that was published by the previous administration in January 2025. Paula Stannard, director of HHS Office for Civil Rights, told attendees at a HIPAA Summit that regulators are reviewing 4,700 public comments on the 125-page proposal, which would eliminate the distinction between “required” and “addressable” implementation specifications and mandate written documentation for all security policies. Stannard noted that the cost of cyberattacks may exceed compliance burdens, and that many entities, particularly smaller organizations, have treated addressable specifications such as encryption as optional. The proposal would also require greater specificity in security risk analyses, which Stannard identified as the most common compliance failure in security rule investigations. Final action on both the Security Rule update and a separate HIPAA Privacy Rule modification is anticipated for May 2025. Source: GovInfoSecurity​
• ​Texas HB 4224 requires healthcare providers to post instructions on how patients can request medical records, contact licensing boards, and file complaints. The law, which took effect September 1, 2025, applies to covered entities that handle personal health information and mandates postings both on websites and at physical facilities. The bill passed the Texas House 149-0 and the Texas Senate 31-0. Entities that exclusively perform claims processing, data processing, data analysis, utilization review, or billing on behalf of healthcare providers are exempt. The law addresses a gap where patients often cannot find clear information about accessing their records or filing complaints against providers. Source: Hendershot Cowart P.C.​

Privacy, Cybersecurity & Data Breaches

• ​Him & Hers, a telehealth company serving 2.5 million subscribers, suffered a data breach between February 4 and February 7, 2026, when an unauthorized party accessed its customer service platform through a social engineering attack. The company identified the suspicious activity on February 5 and confirmed on March 3 that support tickets containing names and contact information were compromised, though medical records and communications with healthcare providers were not accessed. Him & Hers notified law enforcement and regulators, including the California Attorney General, and is providing affected individuals with 12 months of credit monitoring and identity theft protection. According to Bleeping Computer, the ShinyHunters threat group used a compromised Okta SSO account to access the company’s Zendesk instance and stole millions of support tickets. The company has not disclosed the number of individuals affected by the incident. Source: HIPAA Journal​
• ​Privacy programs face pressure from enforcement bodies that now prioritize operationalized compliance over written policies. The IAPP 2026 Global Summit addressed online tracking and cookies through both EU consent requirements and US wiretapping statutes, with California-based and health-related services identified as enforcement flashpoints. Conference sessions examined health data definitions beyond HIPAA-covered entities, children’s privacy under COPPA and state laws, and dark patterns across product design and consent flows. AI governance was integrated into existing privacy frameworks rather than treated as a separate regulatory category, with speakers emphasizing that laws apply to use cases regardless of technology type. California and other jurisdictions are building audit-style oversight capabilities focused on systemic compliance gaps and data minimization standards. Source: Hinshaw & Culbertson LLP​

AI in Healthcare

• ​Several California patients filed a class-action lawsuit against Sutter Health and MemorialCare in federal court in San Francisco, alleging the healthcare providers used Abridge AI to record their medical visits without consent. The plaintiffs claim the AI system captured and processed confidential physician-patient communications within the past six months, including medical histories, symptoms, diagnoses, medications, and treatment discussions. The complaint states patients did not receive notice that their conversations would be recorded by an AI platform, transmitted outside the clinical setting, or processed through third-party systems. Abridge AI, valued at $5.3 billion as of June 2025, has been deployed across healthcare providers including Kaiser Permanente, Mayo Clinic, and Duke Health to capture, transcribe, and summarize doctor-patient conversations into clinical notes. Sutter Health, which partnered with Abridge two years ago, stated it evaluates technology in accordance with regulations, while MemorialCare declined to comment on the litigation. Source: Ars Technica​
• ​Healthcare providers face compliance requirements under existing HIPAA regulations when deploying AI tools, despite the absence of finalized federal AI standards. Federal civil penalties for HIPAA violations now exceed $2,000,000 annually for repeated violations, while state penalties can exceed $250,000 per violation. Texas enacted SB 1188 and HB 149, requiring healthcare providers to disclose AI use to patients and maintain electronic health records data within the US by January 2026. At least 38 states have enacted AI-related legislation with almost 400 AI bills pending in state legislatures. Sharing protected health information with an AI vendor requires a Business Associate Agreement, and covered entities must conduct risk analyses before adopting AI tools that handle protected health information. Source: Norton Rose Fulbright​
• ​Researchers at the University of Texas at Arlington are deploying AI to predict cancer cure rates, model Alzheimer’s disease progression, and accelerate vaccine development. Associate professor Suvra Pal received a $1.8 million, five-year grant from the National Institutes of Health to develop models that estimate the probability of cure for breast cancer patients based on genetics, lab results, and clinical history, with integration into practice expected within 5 to 10 years. Assistant professor Pedro Maia, working with colleagues at the University of California–San Francisco, built a model showing how tau proteins spread through the brain in Alzheimer’s disease and how genes influence this process. Professor Junzhou Huang secured a $3.1 million R01 grant from NIH to create AI-powered models that design antibodies binding to viruses, potentially shortening the timeline for developing diagnostics, therapies, and vaccines. Source: The University of Texas at Arlington​
• ​One in three adults used AI for health information in the past year, with uninsured individuals (40%) and younger adults ages 18 to 29 (36%) turning to these tools at higher rates than the general population. Adults under 30 were six times more likely than those 50 and older to cite lack of a regular provider or inability to get an appointment as a reason for using AI (38% versus 6%), and more than twice as likely to cite cost (29% versus 12%). Among AI users, 92% reported being at least somewhat satisfied with the responses, and 65% considered AI as reliable as a health care provider. Only 58% of users followed up with a doctor after consulting AI for physical health questions, and 42% did so for mental health. Despite 77% of adults expressing concern about privacy, 41% of AI users uploaded medical information such as test results or doctor’s notes into AI tools. Source: Texas 2036​