What's New

• Affordable Care Act
• Artificial Intelligence
• Business Associates
• Data Access and Breach
• Fraud & Abuse
• Hospitals
• Medicare
• Mergers & Acquisitions
• Non-Competes
• Pharmacies & Benefit Managers
• Ransomware

Affordable Care Act

• ​The U.S. Supreme Court heard arguments on April 21 regarding the constitutionality of the U.S. Preventive Services Task Force, which determines what preventive care health insurers must cover at no cost under the Affordable Care Act. The case centers on whether the task force’s 16 members, appointed by the HHS Secretary without Senate confirmation, are “principal officers” who require presidential appointment and Senate confirmation or “inferior officers” exempt from these requirements. Justices questioned both sides about the extent of the HHS Secretary’s supervision over the task force, with the government arguing the Secretary has sufficient oversight while plaintiffs contend the task force operates too independently. If the Court upholds the lower court ruling that found the task force’s structure unconstitutional, previously free preventive services could become subject to co-pays and deductibles.

Artificial Intelligence

• ​Texas Children’s Hospital has developed an AI model to assess bone age in pediatric patients, reducing radiologist image reading time by 30-50% since its November launch. The AI interprets X-rays to estimate bone age, which radiologists then verify, allowing them to focus on more complex procedures like interventional radiology. This bone age tool is part of Texas Children’s broader initiative that has produced twelve in-house AI solutions, including models for employee recognition, patient no-shows, and readmissions. The hospital maintains a comprehensive AI governance framework with representatives from clinical, operational, information security, and legal departments to ensure ethical use, prevent bias, and protect data privacy.
• ​The Trump Administration released two revised policies on April 3, 2025, replacing previous AI guidelines with new frameworks for federal agencies. OMB Memorandum M-25-21 encourages agencies to implement AI solutions that maximize taxpayer value while identifying healthcare applications as “high-impact AI” due to their role in medical devices, patient diagnosis, and insurance decisions. The second policy, OMB Memorandum M-25-22, requires agencies including HHS to update acquisition procedures for AI systems, establish cross-functional teams for decision-making, and ensure appropriate intellectual property terms in contracts. These updates must be completed by December 29, 2025, replacing policies from the previous administration that were rescinded through Executive Order 14179 in January 2025.

Business Associates

• ​Molecular Testing Labs (MTL) is suing its business associate Ntirety over alleged failures to comply with HIPAA Security Rule requirements following a March 12, 2025 ransomware attack. MTL claims Ntirety failed to implement appropriate safeguards required by their 2018 business associate agreement, which led to a breach of patient data by a suspected Russian cybercriminal group. Following the attack, Ntirety reportedly provided inadequate support and demanded payment for breach response assistance despite contractual obligations to provide such services. MTL is seeking indemnification for expenses related to the forensic investigation, breach notifications, credit monitoring, and potential regulatory actions after Ntirety failed to respond to formal demands.

Data Access and Breach

• ​Data silos in healthcare create fragmented information landscapes that hinder patient care, delay diagnosis, and force clinical staff to perform time-consuming clerical tasks. The Trusted Exchange Framework and Common Agreement (TEFCA) aims to break down these silos by connecting health information networks and imposing financial penalties for information blocking. Healthcare organizations can improve data integration by creating stakeholder incentives, implementing strong governance frameworks, empowering patients to control their data, and adopting cloud-native management technologies. Eliminating data silos optimizes clinical workflows, reduces errors, enables specialist collaboration, and creates a foundation for AI applications that can identify patients at risk for adverse outcomes.
• ​Blue Shield of California confirmed on April 9 that a misconfigured Google Analytics implementation exposed protected health information of 4.7 million patients between April 2021 and January 2024. The breach, identified as the largest healthcare data breach of 2025, potentially shared patient names, locations, gender, family size, medical services information, and search criteria with Google Ads for targeted advertising. Blue Shield stated no malicious actors were involved and the exposed data did not include Social Security numbers, driver’s licenses, or financial information. The company has advised affected members to monitor their accounts and credit reports for suspicious activity.
• ​The U.S. Department of Health and Human Services Office for Civil Rights has reached a $600,000 settlement with PIH Health, Inc. over HIPAA violations. The California health care network reported a June 2019 phishing attack that compromised 45 employee email accounts and exposed the protected health information of 189,763 individuals. OCR’s investigation found PIH failed to properly protect health information, conduct thorough risk analysis, and notify affected parties within the required timeframe. As part of the settlement, PIH must implement a corrective action plan including risk analysis, management planning, policy development, and staff training, which will be monitored by OCR for two years.

Fraud & Abuse

• ​The U.S. District Court for the Northern District of Texas reduced a $448 million False Claims Act penalty against Healthcare Associates of Texas to $16.5 million. The court ruled on February 26, 2025, that the original penalty violated the Eighth Amendment’s Excessive Fines Clause as it was over 100 times the $2.75 million in actual damages from Medicare billing violations. The jury had found HCAT submitted 21,844 false claims, but the court determined that per-claim penalties resulted in disproportionate liability compared to the rules violations at issue. The court instead applied treble damages, setting a precedent for healthcare providers to raise constitutional challenges to excessive FCA penalties.
• ​The Eleventh Circuit ruled that merely alleging a scheme to submit false claims does not satisfy the “reliable indicia” standard under the False Claims Act and Rule 9(b). In United States ex rel. Vargas v. Lincare, Inc., the court partially reversed a dismissal, allowing claims about battery upcoding to proceed because relators provided specific claim details, but affirmed dismissal of co-pay waiver allegations where no specific claims were identified. The ruling clarifies that relators must either allege details of specific false claims or demonstrate direct personal knowledge of claim submissions. This decision reinforces the strict pleading requirements in FCA cases within the Eleventh Circuit, rejecting the notion that describing a fraudulent scheme alone is sufficient.
• ​Two former laboratory sales executives were sentenced to federal prison for violating the Anti-Kickback Statute. The scheme involved two rural Texas hospitals partnering with True Health Diagnostics laboratory, where hospitals billed insurers at higher rates for blood tests and shared revenues with marketers who paid physicians for referrals through fake investment opportunities. Eight individuals were indicted in 2022 for disguising kickbacks as investment returns to physicians who ordered tests from the affiliated laboratory.

Hospitals

• ​Preliminary data shows that “tens of thousands” of patients who were not “lawfully” in the United States were treated by Texas hospitals in recent months and the cost for their care is in the millions of dollars. Governor Greg Abbott ordered Texas hospitals last summer to collect citizenship status information from patients, with data from 558 hospitals expected to be finalized this week. Representative Mike Olcott has proposed a bill to formalize Abbott’s order into an annual report, citing concerns about rural hospital closures due to uncompensated care. Texas hospitals spend $3.1 billion annually on uninsured care, though advocates note much of this cost comes from the 4 million uninsured Texas citizens rather than non-citizens. The data collection began in November 2024, though it remains unclear if the forthcoming report covers just that month or subsequent months as well.

Medicare

• ​CMS issued its annual Hospital Inpatient Prospective Payment System and Long-Term Care Hospital Prospective Payment System Proposed Rule for FY 2026 on April 11, 2025. The proposal includes a 2.4% increase in operating payment rates for general acute care hospitals and a 2.6% increase for LTCH standard payment rates, with expected IPPS payment increases of $4 billion. CMS plans to discontinue the low wage index hospital policy following a court order, reduce the labor-related share from 67.6% to 66%, and modify the nursing and allied health payment formula by changing the order of operations for calculating reimbursable net costs. The proposal also announces the reallocation of FTE cap slots from two closed teaching hospitals and increases the uncompensated care payment pool to $7.14 billion for FY 2026, with comments due by June 10, 2025.
• ​Healthcare providers face potential revenue losses of $80 billion in 2026 due to looming Medicaid cuts, with hospitals at greatest risk if states drop expansion programs. Federal policy changes may include reducing assistance percentages, capping funds, intensifying eligibility requirements, and increasing scrutiny of payments, which could accelerate hospital closures particularly in rural and low-income areas. Healthcare organizations must respond by improving margins, expanding alternative revenue streams, optimizing operations, enhancing care coordination, and strengthening documentation compliance to survive these financial challenges.

Mergers & Acquisitions

• ​States are rapidly enacting health care transaction review laws that require pre-transaction notification and often approval from state agencies before health care entities can complete mergers, acquisitions, or ownership changes. These laws can be categorized into four types: those amending material change transaction processes, bills seeking disclosure, legislation enhancing antitrust laws, and proposals prohibiting private equity and hedge funds from controlling health care entities. California’s proposals AB 1415 and SB 351 seek to broaden the Office of Health Care Affordability’s review authority over transactions involving management services organizations and reinforce prohibitions against corporate practice of medicine, particularly targeting private equity and hedge funds.

Non-Competes

• ​Arkansas passed legislation that voids noncompete agreements restricting physicians’ practice within their scope. The law, expected to take effect around July 15, 2025, applies to medical doctors and osteopaths licensed under Arkansas statutes. The Act does not specify whether it will invalidate existing physician noncompete agreements or only apply to future contracts. While physician noncompetes are now prohibited, other restrictive covenants such as non-solicitation agreements, confidentiality agreements, and standard employment terms remain enforceable for physicians in Arkansas.

Pharmacies & Benefit Managers

• ​The pharmacy industry confronts significant challenges as 29% of retail pharmacies closed between 2010-2021, with closures disproportionately affecting communities serving Medicaid and Medicare patients. Drug shortages persist due to vulnerable supply chains heavily dependent on foreign manufacturing of pharmaceutical ingredients from China and India, which legislative efforts like California’s CalRx initiative and the federal Affordable Drug Manufacturing Act aim to address. President Trump’s February 2025 Executive Order mandates enhanced transparency in drug pricing, requiring agencies to propose new guidelines within 90 days. The pharmacy sector is simultaneously exploring artificial intelligence to improve medication management and patient care, though implementation faces obstacles including high costs, potential lack of human touch, data quality concerns, and ethical considerations around patient information.
• ​CMS published a final rule requiring Part D pharmacies to enroll in the Medicare Transaction Facilitator Data Module to facilitate the Medicare Drug Price Negotiation Program established by the Inflation Reduction Act. The Data Module will help manufacturers verify eligibility and accelerate retrospective refunds to pharmacies for the ten negotiated drug products in 2026, while an optional Payment Module will facilitate fund transfers and manage claims revisions. Enrollment begins in June 2025 after the rule takes effect on June 3, with chain pharmacies able to enroll through one centralized submission and dispensing entities permitted to use Pharmacy Service Administrative Organizations to receive Maximum Fair Price refunds.
• ​In a federal court ruling, Tennessee’s “any willing pharmacy” law was deemed preempted by ERISA because it impermissibly affected plan structure rather than merely regulating costs. The McKee decision aligns with the Tenth Circuit’s ruling in PCMA v. Mulready, which invalidated Oklahoma’s law requiring PBMs to follow certain pharmacy network standards. Courts have consistently held that while states can regulate PBM reimbursement rates, they cannot interfere with plan operation or network design. Self-funded group health plans currently face conflicting state PBM laws across multiple jurisdictions, creating a regulatory challenge that requires resolution by either the Supreme Court or Congress.

Ransomware

• ​Three healthcare organizations—DaVita, Bell Ambulance, and Alabama Ophthalmology Associates—recently suffered ransomware attacks that compromised sensitive patient data including names, Social Security numbers, and medical information. The Bell Ambulance attack affected 114,000 individuals while the Alabama Ophthalmology Associates breach impacted 131,576 people, with different ransomware groups claiming responsibility for each attack. Healthcare organizations remain prime targets for cybercriminals due to the sensitive nature of patient data, with ransomware attacks against the sector increasing 300% since 2015 according to Microsoft. Security experts recommend focusing on basic security measures like strong passwords, multifactor authentication, and properly segmented networks to protect healthcare systems from these threats.
• ​The U.S. Department of Health and Human Services Office for Civil Rights has reached a settlement with Comprehensive Neurology regarding a HIPAA Security Rule violation following a ransomware attack. The December 2020 breach compromised the protected health information of 6,800 individuals, including names, clinical information, insurance details, and Social Security numbers. OCR’s investigation determined that the neurology practice failed to conduct a thorough risk analysis of potential vulnerabilities to electronic protected health information. Under the settlement terms, Comprehensive Neurology must implement a corrective action plan monitored for two years and paid $25,000 to OCR, marking the agency’s 12th ransomware enforcement action and 8th enforcement action in its Risk Analysis Initiative.