Fraud, Abuse & Enforcement

• ​The Texas Health and Human Services Office of Inspector General recovered more than $95.7 million from home health providers between December 1, 2025, and February 28, 2026, according to its quarterly report. Home health agencies accounted for 21 percent of preliminary investigations and 15 percent of full-scale investigations during this period. The agency identified four primary billing errors: failure to have registered nurses perform in-home assessments before seeking authorization for private duty nursing services, documentation deficiencies in client records, inadequate documentation to verify services were rendered, and billing irregularities such as charging for services when clients were hospitalized or misrepresenting which type of nurse provided care. Settlements with providers ranged from $10,587 to $1,721,586, while one case resulted in a 17-year federal prison sentence and $227,377 in restitution for a Lubbock woman who defrauded Texas Medicaid in February 2026. The agency launched a new OIG Referral System on December 15, 2025, making it easier for the public to report suspected fraud. Source: Holland & Knight​
• ​Federal authorities have launched prosecutions against medical spa providers for distributing unapproved peptides and counterfeit drugs. On April 1, 2026, the Department of Justice indicted Utah osteopathic physician Dr. Watkins for allegedly receiving and selling misbranded peptides to over 200 patients, including substances such as Tirzepatide, Semaglutide, BPC-157, and TB500 that appear on the 503A do not compound list. The same day, the FDA issued its first warning letter to a clinic for sourcing prescription drugs from unauthorized trading partners. Massachusetts medspa owner Rebecca Fadanelli pled guilty on April 7, 2026, to performing thousands of injections using counterfeit Botox and fillers imported from China and Brazil. The enforcement follows a trend that began in 2020 when GLP-1 shortages during COVID-19 led compounding pharmacies to exploit loopholes, with Florida now introducing legislation to mandate licensing and public databases for facilities handling such medications. Source: Stevens & Lee​
• ​Aetna agreed to pay $117.7 million to settle allegations that it violated the False Claims Act by submitting false patient diagnosis data to inflate payments from the Centers for Medicare and Medicaid Services. The Justice Department alleged that the CVS Health unit submitted or failed to withdraw inaccurate diagnosis codes for Medicare Advantage enrollees to receive higher monthly payments, as insurers receive more money for sicker beneficiaries expected to incur higher healthcare costs. The Department of Health and Human Services said the settlement demonstrates that no company is beyond accountability regardless of size. Aetna said it disagrees with the allegations and settled to avoid the uncertainty and expenses of litigation. The company stated the settlement should not be seen as an acknowledgment of liability. Source: MSN​
• ​A Second Circuit ruling in United States ex rel. Camburn v. Novartis Pharmaceuticals Corp. lets qui tam relators plead Anti-Kickback Statute scienter by pointing to a drugmaker’s tracking of prescriber return on investment. On March 30, 2026, the Second Circuit formally adopted the “at-least-one-purpose” rule, requiring only that inducing prescriptions be one purpose of remuneration rather than the primary motivation. On remand, the Southern District of New York held that former Novartis sales employee Steven Camburn pleaded scienter under Rule 9(b) by alleging Novartis tracked physician prescription volumes and measured whether speaker payments yielded a return on investment. Camburn also alleged that the speaker program included events with no attendees, payments for canceled events, and speaker selection keyed to prescribing volume. The alert warns that marketing analytics measuring prescription volume and ROI may now be pleaded as evidence of scienter under the False Claims Act. Source: Crowell & Moring​
• ​HHS OIG will not impose sanctions on a physician’s ambulatory surgery center ownership transfer structured as estate and retirement planning even though the arrangement does not fully fit any Anti-Kickback Statute safe harbor​Advisory Opinion 26-04, issued March 9, 2026, involved a physician owner transferring interests through gifts to family members and fair market value sales to other physicians. Succession planning does not have to fit squarely within a safe harbor, and OIG will evaluate the totality of the circumstances. Key safeguards include documenting bona fide estate or retirement purpose, executing all transfers at fair market value, keeping profit distributions strictly proportional to ownership, and ensuring non-physician transferees cannot generate or influence referrals. Retiring physicians must certify that they will not influence referrals after leaving the ASC. Source: Parker Poe​

Antitrust & Provider Contracting

• ​The Department of Justice filed antitrust lawsuits against OhioHealth and NewYork-Presbyterian in 2026, accusing both systems of using market power to negotiate contracts that raise healthcare costs for patients. The DOJ alleges NewYork-Presbyterian prevents payers from offering health plans that exclude its facilities or forbids lower copays at rival facilities, while OhioHealth forces payers to include its facilities in all networks despite lower-priced alternatives. Acting Assistant Attorney General stated the department has adopted a “zero-tolerance policy” against such practices. Market consolidation enables these contracts, with one or two health systems controlling the entire inpatient hospital market in 47% of metropolitan areas in 2024, according to KFF data. Both health systems deny the allegations and maintain their practices comply with the law. Source: Healthcare Brew​
• ​The Department of Justice filed an antitrust lawsuit against New York Presbyterian Hospital on March 26, 2026, challenging contractual restrictions the government alleges prevent insurers from offering lower-cost plans. The complaint targets four categories of provisions: all-or-nothing network participation requirements, prohibitions on narrow network plans that exclude NYP, anti-tiering provisions requiring most-favored benefit status, and site-of-service steering restrictions. NYP holds approximately 25 to 30 percent market share in the relevant geographic areas, and the DOJ bases market power on pricing leverage, must-have status with payors, and the ability to impose terms unilaterally. The action follows a February 2026 suit against OhioHealth Corporation and forms part of a coordinated enforcement push against hospital contracting practices. Hospital systems should audit payor contracting terms for antitrust exposure, because the theory does not require dominant market share. Source: Katten​

Privacy, Cybersecurity & HIPAA

• ​Texas has emerged as a major cybersecurity battleground for healthcare organizations, with security leaders now serving as strategists directly tied to patient outcomes and organizational trust. The state’s health systems and research institutions have elevated eight security executives who are shaping cybersecurity practices across the sector. Ron Mehring has led cybersecurity strategy at Texas Health Resources since 2011, while Randy Yates has served as CISO at Memorial Hermann Health System for over two decades. Gordon Groschl spent nearly two decades at Texas Children’s Hospital implementing Zero Trust architecture before moving to City of Hope, and George Finney oversees cybersecurity for millions of patients and students across the University of Texas System. Other leaders include Teresa Tonthat at Cook Children’s Health Care System, Fernando Blanco at CHRISTUS Health with operations spanning Latin America, Ian Schneller formerly of Health Care Service Corporation with background at U.S. Cyber Command and NSA, and Ashish Shah leading cybersecurity at MD Anderson Cancer Center. Source: Security Boulevard​
• ​The Office for Civil Rights of the U.S. Department of Health and Human Services published a proposed rule on January 6, 2025, to update HIPAA Security Rule requirements in response to increased cyberattacks targeting electronic protected health information. The proposed rule eliminates the distinction between “required” and “addressable” specifications, mandates written security documentation, and requires ongoing technology asset inventories and network mapping. Technical safeguards would include multi-factor authentication, encryption of data at rest and in transit, network segmentation, and penetration testing at least annually. The OCR indicated the rule remains on its agenda for finalization in May 2026, with compliance required within 240 days of publication, or early 2027. The proposed framework expands scrutiny to business associates, subcontractors, cloud service providers, and entities on the fringes of the health sector that handle health data. Source: Constangy Cyber Advisor​
• ​The Department of Health and Human Services Office for Civil Rights published a proposed rule on January 6, 2025, that would significantly amend the HIPAA Security Rule, with a final rule expected in May 2026. The proposed rule responds to increases in cyberattacks, expanded use of cloud and mobile technologies, and inconsistent compliance findings. The rule would mandate encryption of ePHI at rest and in transit, require multi-factor authentication, and add requirements for anti-malware, removal of unnecessary software, and disabling unnecessary network ports. Organizations would need to establish written procedures to restore systems and data within 72 hours of service disruption, develop incident response plans with periodic testing, and provide notice within 24 hours when workforce member access to ePHI is changed or terminated. Covered entities and business associates would have 180 days from the effective date to comply. Source: Healthcare IT News​
• ​The DOJ’s Bulk Sensitive Data Transfer Rule establishes compliance requirements for health care and life sciences organizations that provide foreign entities access to sensitive personal data, with thresholds as low as 100 individuals for genomic data. The rule, which originated from Executive Order 14117 and became effective in April 2025, targets data transactions with six countries of concern: China, Russia, Iran, North Korea, Cuba, and Venezuela. The regulation applies to four categories of transactions—data brokerage, vendor agreements, employment agreements, and investment agreements—and is triggered by the ability to access data, not just formal transfers, even when data has been de-identified or anonymized. Enforcement authority rests with DOJ’s National Security Division, with civil penalties up to $368,136 or twice the transaction value and criminal penalties up to $1 million and 20 years imprisonment. Organizations must conduct data mapping exercises to assess compliance, as HIPAA compliance alone does not satisfy the new requirements, though exemptions exist for federally authorized research and FDA-required regulatory activities. Source: Epstein Becker Green​

AI & Healthcare Technology

• ​The White House issued a National Policy Framework for AI on March 20, 2026, that calls on Congress to preempt state laws imposing burdens on AI development. The Framework follows a December 2025 Executive Order and addresses six objectives, with a focus on protecting children and encouraging AI innovation in healthcare. State AI laws in Utah, Colorado, and California remain in effect until Congress acts, and states are expected to challenge federal preemption in courts. The Framework directs existing agencies such as CMS, DOJ, and FDA to continue oversight of healthcare AI rather than creating a new federal body. The Department of Commerce has not released its evaluation of state AI laws that was due March 11, 2026. Source: Sheppard​
• ​Medical technology contracts with evergreen renewal clauses can commit healthcare providers to vendor terms that permit undisclosed AI use of provider data. Automatic renewal absent timely notice forecloses renegotiation of data-use, liability, cybersecurity, regulatory, and pricing provisions. Vendors increasingly deploy AI features through software updates characterized as enhancements, using provider data to train models, refine algorithms, or develop new products without affirmative disclosure or consent. Providers should inventory existing agreements, scrutinize permitted data-use scope including model-training rights, confirm HIPAA Business Associate Agreement alignment, and require affirmative consent for AI deployment along with audit and reporting rights. Contract audits before renewal cycles preserve leverage to narrow data rights and reallocate liability for AI-generated errors. Source: Buchalter​
• ​Pharmaceutical buyers and partners must diligence data provenance when acquiring or licensing AI-driven biotech models, because consent gaps and license restrictions in the underlying training data now drive deal risk. Data provenance — the historical record of a dataset’s authenticity, authorship, and modifications — determines whether a model’s outputs can be deployed without running afoul of HIPAA, GDPR Article 9’s special-category protections, or the EU AI Act. Older patient-consent forms often predate AI applications, forcing acquirers to evaluate whether secondary use is permitted or whether the target must locate patients to re-consent. FTC enforcement against BetterHelp, GoodRx, Flo Health, and Kochava — disgorgement, civil fines, and mandatory deletion of improperly collected data — sets the baseline for what noncompliance costs. The January 2026 FDA/EMA Guiding Principles of Good AI Practice in Drug Development now inform diligence scope, and deals increasingly separate the model from the underlying data or allocate risk through AI-specific representations, indemnities, and escrow. Source: A&O Shearman​
• ​A lawsuit filed in the U.S. District Court for the Northern District of California accuses Sutter Health and Memorial Healthcare Services of violating the Federal Wiretap Act and state consumer privacy laws by using an AI platform that recorded patient-clinician conversations without patient consent. The plaintiffs allege they were unaware that Abridge AI’s platform was recording their conversations and transmitting audio files to external servers for processing into clinical notes. The system captured protected health information including symptoms, diagnoses, prescription information, treatment plans, family medical histories, and mental health information. While the lawsuit does not claim HIPAA violations, it seeks class action certification, damages for each violation, and court orders requiring the defendants to implement consent procedures before intercepting medical information. Sutter Health stated that technology used in clinical settings is evaluated and implemented in accordance with applicable laws and regulations. Source: HIPAA Journal​

FDA & Drug Development

• ​President Trump signed an executive order on April 18, 2026, directing federal agencies to expand access to psychedelic therapies and research. The order allocates $50 million for federal-state collaboration on psychedelic research programs and establishes a Right to Try pathway for eligible patients to access investigational psychedelic drugs that meet safety requirements. It directs the FDA to issue priority review vouchers to qualifying psychedelic drugs that hold Breakthrough Therapy designation. The order references ibogaine twice but does not address protections for religious use of psychedelics. Source: Bill of Health​

Rural Health & Funding

• ​The Centers for Medicare & Medicaid Services is directing $50 billion through the Rural Health Transformation Program to improve healthcare in rural areas from 2026 to 2030. The program funds state-level initiatives for care innovation, workforce development, and technology implementation. States including Alaska, Delaware, Indiana, Iowa, Kentucky, Minnesota, Montana, Nevada, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Texas, Vermont, and West Virginia have released requests for proposals with deadlines ranging from March to June 2026. The funding opportunities support initiatives such as school-based health centers, teledentistry services, workforce recruitment and retention, medical equipment procurement, maternal health services, and behavioral health modernization. Source: VMG Health​

Telehealth

• ​Telehealth providers face medical malpractice exposure when they fail to recognize the clinical limits of a virtual visit and do not escalate to in-person evaluation or additional testing. Florida Statute § 456.47 holds telehealth providers to the prevailing professional standard of practice that applies to health care professionals providing the same services in person. Misdiagnosis accounts for 65 to 70 percent of telehealth malpractice claims, compared with 40 to 50 percent in traditional medicine. Virtual visits preclude palpation, assessment of skin color and coordination, olfactory indicators, and in-person communication cues that inform diagnosis. Actionable scenarios include misidentifying cancerous lesions without recommending biopsy, failing to recommend emergency care for heart-attack symptoms, prescribing without reviewing medical history, misdiagnosing acute abdominal pain later found to be appendiceal rupture, and overlooking respiratory distress. Source: Searcy Denney​

Employment & Labor

• ​A Texas appeals court upheld a non-compete injunction against four nurse anesthetists barring them from practicing within a 20-mile radius of their former workplaces for three years. The Court of Appeals for the Ninth District of Texas at Beaumont found that Chad Dubois, Kenneth Simmons III, Monica Bentzen, and Lance Mendoza violated their agreements with Anesthesia Associates when they left on August 1, 2025, to work for EmergencHealth at the same CHRISTUS facilities in Beaumont. Each had signed contracts with a three-year non-compete clause, a 20-mile radius restriction, and a $30,000 liquidated damages provision, which the court ruled existed alongside the right to seek injunctive relief rather than as a buyout. EmergencHealth had promised to pay all legal fees, damages, and expenses, but the court found that a competitor’s promise to absorb consequences does not neutralize a non-compete restriction. Source: Human Resources Director​