This week

• 340B
• Cybersecurity
• Data Privacy & Breach
• Emerging Tech
• Employee Benefits
• Fraud & Abuse
• HIPAA Privacy Rule
• Mergers & Acquisitions
• OIG Advisory Opinion
• Patient Harm
• Physician Compensation
• Telehealth
• Value-Based Arrangements

340B

• ​HRSA launched a pilot program on August 1, 2025 that will change how drug manufacturers provide 340B discounts to safety net healthcare providers. Under the new rebate model, covered entities will pay full price for drugs upfront and receive rebates later, rather than receiving discounts at the time of purchase as traditionally done. The pilot program applies only to manufacturers with products on the Medicare Drug Price Negotiation Selected Drug List, which includes 23 drugs subject to pricing negotiations under the Inflation Reduction Act. Manufacturer applications are due September 15, 2025, with the program beginning January 1, 2026, and HRSA is accepting public comments through August 30, 2025. The initiative follows disputes between HRSA and manufacturers over rebate models, which resulted in multiple lawsuits after HRSA blocked manufacturer attempts to implement such systems without approval. Source: Healthcare Law Blog ## Cybersecurity
• ​The Department of Justice secured a $9.8 million settlement from biotechnology company Illumina Inc. on July 30, 2025, marking the first False Claims Act case focused on cybersecurity compliance failures for medical devices. The settlement resolves allegations that Illumina misrepresented compliance with federal cybersecurity requirements for medical device software from January 2016 to April 2023, despite failing to incorporate adequate cybersecurity into product design and development. A former Illumina employee brought the whistleblower lawsuit under the False Claims Act, with the government later intervening in the case. The company allegedly certified compliance to the FDA while maintaining inadequate security programs and failing to correct known vulnerabilities. Illumina denied the allegations but agreed to settle to avoid litigation costs, paying $4.3 million in restitution and $1.9 million to the whistleblower, while stating it remediated the software issues between 2022 and 2024. Source: White & Case LLP​

Data Privacy & Breach

• ​West Texas Oral Facial Surgery notified 11,151 patients of a data breach following a network disruption on May 29, 2025. Third-party cybersecurity experts confirmed unauthorized network access had occurred, though the breach notice did not specify when. A file review completed on July 18, 2025, revealed exposed data included patient names, imaging files, birth dates in some cases, and treatment reasons. Electronic medical records, Social Security numbers, and financial information were not accessed. The Inc Ransom ransomware group claimed responsibility for the attack on June 18, 2025. Source: HIPAA Journal​
• ​Researchers have developed a server-rotating federated machine learning system that enables medical imaging AI models to be trained across different device manufacturers while preserving patient privacy. The system incorporates differential privacy techniques and cryptographic safeguards to prevent patient data from being reverse-engineered from model parameters. Testing on multi-center datasets containing MRI, CT, and digital X-ray images from multiple device manufacturers showed the approach matched or exceeded performance of traditional centralized and conventional federated methods. The framework includes adaptive normalization layers to handle vendor-specific imaging artifacts and scanner discrepancies without requiring data harmonization. Source: BioEngineer​

Emerging Tech

• ​The Texas Responsible Artificial Intelligence Governance Act will require businesses operating in Texas or serving Texas residents to implement comprehensive AI governance policies when it takes effect January 1, 2026. The law applies to both developers and deployers of AI systems, defined as machine-based systems that generate outputs such as content, decisions, predictions, or recommendations. Companies must establish policies covering AI system purpose, data usage, performance evaluation, post-deployment monitoring, user safeguards, anti-discrimination provisions, and user disclosure requirements. Businesses that receive violation notices from the Attorney General have 60 days to cure violations or stop using the non-compliant AI system portion. Texas also created an AI regulatory sandbox program that allows companies to test AI systems for up to 36 months with legal protections while meeting specific safeguard requirements. Source: IAPP​

Employee Benefits

• ​Healthcare employers face mounting regulatory compliance challenges following the 2025 Comprehensive Reform Act, which was signed into law on July 4, 2025. The Act adds complexity to existing requirements including Affordable Care Act compliance for variable-schedule employees, fiduciary oversight of retirement and health plans, and nondiscrimination testing under Code Sections 105(h) and 125. Healthcare organizations increasingly form health and welfare plan committees to manage fiduciary responsibilities and protect boards from litigation related to pharmacy benefit management agreements and excessive fees. Hospital mergers and acquisitions create additional risks when benefits integration is not properly reviewed, potentially resulting in unexpected liabilities from retiree medical plans, multiemployer pension withdrawal liability, or undocumented 403(b) plans. Employers using self-insured plans, flexible spending accounts, or health savings accounts must conduct annual nondiscrimination testing to avoid negative tax consequences for higher-earning participants. Source: Saul Ewing LLP​

Fraud & Abuse

• ​Texas Attorney General sued Eli Lilly, accusing the drugmaker of bribing medical providers to prescribe its medications. The lawsuit alleges the company engaged in kickback schemes to induce providers to prescribe its profitable drugs, including GLP-1 medications Mounjaro and Zepbound used for weight loss and diabetes treatment. The action follows a previous lawsuit against insulin manufacturers, including Lilly, over pricing practices with pharmacy benefit managers. Lilly denied the allegations, stating the claims stem from a corporate relator whose accusations have been dismissed by multiple courts and the federal government. Source: Reuters​
• ​Dr. Ajay Aggarwal agreed to pay $2,053,515 to settle allegations that he defrauded federal healthcare programs by billing for procedures he did not perform. The 63-year-old Houston anesthesiologist and pain medicine doctor allegedly billed Medicare and Workers’ Compensation programs for the surgical implantation of neurostimulator electrodes from November 2021 to March 2023. Instead of performing these invasive procedures that typically require operating rooms and pay thousands of dollars, Aggarwal allegedly provided patients with electro-acupuncture treatments that involved inserting monofilament wire a few millimeters into patients’ ears and taping neurostimulators behind the ear in his clinic. The investigation involved multiple agencies including the U.S. Postal Service Office of Inspector General, Department of Labor Office of Inspector General, and Department of Health and Human Services Office of Inspector General. The settlement resolves allegations only, with no determination of liability. Source: U.S. Attorney’s Office, Southern District of Texas​

HIPAA Privacy Rule

• ​The HHS Office for Civil Rights published updated HIPAA Privacy Rule guidance that expands permitted disclosures of protected health information for value-based care arrangements and broadens patient access rights. The guidance includes a FAQ stating that healthcare providers can disclose PHI to participants in accountable care organizations and other value-based care arrangements without patient authorization when the disclosure supports treatment activities. The update follows a July 30, 2025 White House event where the Trump Administration announced commitments from tech firms to improve healthcare interoperability through data exchange platforms. OCR also updated guidance to specify that individuals can now access consent forms for treatment as part of their health information rights under HIPAA. The changes support CMS efforts to create a digital healthcare ecosystem that reduces provider burden while improving patient outcomes. Source: HIPAA Journal​
• ​The HHS Office for Civil Rights updated its HIPAA Privacy Rule FAQs to provide guidance on protected health information disclosures to value-based care arrangements and patient access rights. The updates support CMS’ July 2025 health tech ecosystem initiative, which aims to create a patient-centric healthcare system through interoperability frameworks and commitments from tech companies, app developers, and payers. OCR clarified that covered entities can disclose PHI to participants in value-based care arrangements for treatment purposes without patient authorization, reasoning that the Privacy Rule’s definition of “treatment” incorporates interaction between multiple entities. The guidance also expanded the types of information patients can request to include consent forms for treatment, adding to the existing list of medical records, billing records, lab reports, and other health data. The FAQs provide clarity to help covered entities navigate HIPAA compliance as federal initiatives work to make the health tech ecosystem more interconnected. Source: TechTarget​

Mergers & Acquisitions

• ​F-reorganizations under federal tax law provide healthcare companies a method to preserve Employer Identification Numbers during mergers and acquisitions, avoiding disruptions to Medicare enrollment and regulatory approvals. Healthcare entities rely on EINs for Medicare enrollment, state licensing, DEA registration, and commercial payer contracts, making EIN changes during transactions costly due to re-enrollment requirements with CMS, credentialing delays, and potential business interruptions. Under IRC § 368(a)(1)(F), F-reorganizations allow businesses to undergo structural changes while the IRS treats pre- and post-reorganization entities as the same taxpayer, preserving the EIN and associated contracts and tax attributes. Private equity firms, health systems, and MSO platforms increasingly use this structure to avoid Medicare enrollment hurdles that can take months and maintain continuity of state licenses tied to EINs. Texas law provides mechanisms including statutory conversions, reverse triangular mergers, and cross-jurisdictional reincorporations to implement F-reorganizations while preserving entity continuity. Source: Clark Hill PLC​

OIG Advisory Opinion

• ​The Office of Inspector General approved a physician ownership arrangement in a medical device company that develops emergency stroke treatment products. The OIG concluded that the arrangement met the conditions of the small entity investment safe harbor. Physician owners comprise 35 percent of the company’s ownership, below the 40 percent threshold that triggers heightened scrutiny under federal regulations. The company certified that investment terms remain consistent across all investors and that profit distributions will be proportional to capital investments. OIG will not impose administrative sanctions on the company under sections 1128A(a)(7) or 1128(b)(7) of the Social Security Act. Source: OIG Advisory Opinion No. 25-09​

Patient Harm

• ​Hospitals failed to capture half of patient harm events that occurred among hospitalized Medicare patients, according to an Office of Inspector General review. The OIG traced harm events from a 2022 report and found that hospitals often applied narrow definitions of harm, with staff not considering many events to be harm or stating it was not standard practice to capture them. Of the harm events hospitals did capture, few were investigated and even fewer resulted in improvements for patient safety. The OIG recommends that the Agency for Healthcare Research and Quality (AHRQ) and CMS work with partners to align harm event definitions and create a patient harm taxonomy, that CMS ensure surveyors prioritize Medicare Quality Assurance and Performance Improvement requirements, and that CMS instruct Quality Improvement Organizations to help hospitals identify weaknesses in their incident reporting systems. Increased federal leadership is needed to drive progress in patient safety after nearly 20 years of high patient harm rates nationwide. Source: OIG Report​

Physician Compensation

• ​Physicians and hospitals are generating higher revenues by increasing workload rather than receiving better reimbursement rates. From the second quarter of 2023 to 2025, median net gain per employed physician rose 8% while median revenue per provider unit of work increased 12% for physicians, but median net patient revenue per provider work unit declined 7%. Support staffing levels dropped 13% over two years, creating potential obstacles for future growth. Hospital operating margins improved to 3% when including shared service costs and 6.6% without those allocations, driven primarily by outpatient revenue increases. The trends reflect ongoing Medicare reimbursement declines that force providers to complete more work to maintain income levels. Source: Fierce Healthcare​

Telehealth

• ​States are implementing permanent telehealth regulations to replace pandemic-era emergency rules as federal waivers approach expiration. The DEA and HHS extended telemedicine prescribing waivers through December 31, 2025, allowing providers to prescribe controlled substances via telehealth without prior in-person examinations. New York finalized rules in May 2025 requiring in-person medical evaluations before prescribing controlled substances through telemedicine, with exceptions for recent evaluations, temporary coverage, and emergency situations. States including California, Delaware, Florida, New Hampshire, and Texas have enacted or proposed legislation with varying approaches to telehealth prescribing requirements. The DEA proposed a special registration system in March 2023 that would establish three types of registrations for remote prescribing of controlled substances with enhanced verification and monitoring requirements. Source: Healthcare Law Blog​
• ​Telemedicine has become a cornerstone of mental health services, with telehealth services for mental health issues increasing 16 to 20 times during the first year of the COVID-19 pandemic according to RAND Corporation data. A nationwide poll by the American Psychiatric Association found that over half of Americans would choose telehealth for mental health needs, with more than one-third preferring it outright. AI-powered platforms from companies like Teladoc Health and IBM Corporation now enable predictive analytics for early intervention in conditions like anxiety and depression, while digital mental health counseling apps like Calm and SilverCloud Health provide 24/7 support through chatbots and virtual therapists. Pittsburgh-area clinics have reduced wait times for psychiatric evaluations by up to 40% through telemedicine implementation, though experts warn against over-reliance on virtual care for cases like schizophrenia. Federal legislation has bolstered telehealth reimbursement and cross-state licensing, but challenges remain around data privacy and equitable access for low-income populations. Source: WebProNews​

Value-Based Arrangements

• ​The American Medical Association has released guidance to help private practices navigate partnerships with “aggregator entities” that manage value-based care arrangements. These aggregators are specialized private companies that help physicians handle the complexities of value-based care without requiring practices to fully invest in the technical infrastructure themselves. The AMA resource addresses three core areas: evaluating aggregator business models, understanding physician considerations when working with aggregators, and planning for potential termination of these relationships. According to Dr. Alexander Sun from the AMA’s Professional Satisfaction and Practice Sustainability unit, the guidance helps practices determine whether aggregator partnerships align with their value-based care goals. The resource is part of the AMA’s broader Business of Medicine education program, which includes materials on revenue-cycle management and accountable care organizations. Source: American Medical Association​