This week

• Antitrust
• Centers for Medicare & Medicaid Services
• Data Privacy and Breach
• HIPAA
• Non-Competes
• Telehealth

Antitrust

• ​U.S. Judge Jeffrey Cummings denied the Federal Trade Commission’s request to block GTCR LLC’s $627 million acquisition of Surmodics Inc. on November 10. The FTC, joined by Illinois and Minnesota, argued the merger would give GTCR control of more than 50% of the U.S. outsourced hydrophilic coatings market, as GTCR already owns Biocoat, the second provider in the market. Judge Cummings ruled that the defendants rebutted the presumption of illegality under Section 7 of the Clayton Act, finding that a proposed divestiture of Biocoat assets to Integer Holdings would mitigate competitive harm and that medical device manufacturers maintain their own coating capabilities. The FTC will not appeal the decision. Surmodics expects to close the transaction soon. Source: Mogin Law LLP​

Centers for Medicare & Medicaid Services

• ​CMS established a mandatory value-based payment model that will apply to nearly one-quarter of physicians in select specialties beginning January 1, 2027. The Ambulatory Specialty Model targets clinicians treating heart failure and low-back pain in approximately one-quarter of U.S. metropolitan areas, evaluating performance across four categories: Quality, Cost, Improvement Activities, and Interoperability. The model operates with two-sided risk, allowing payment adjustments to Medicare Part B claims ranging from -9% to +9% in 2029, with performance measured on a two-year lag through December 31, 2033. Clinicians must have treated at least 20 episodes per year to participate and will be exempt from MIPS reporting requirements during their participation years. CMS will publish participant lists and selected geographies in 2026. Source: Healthcare Law Blog​
• ​CMS has authorized retroactive processing of telehealth and hospital-at-home claims that were previously rejected due to the October 1, 2025 lapse in Medicare statutory payment provisions. Congress restored the provisions through passage of the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026. On November 6, 2025, CMS instructed Medicare Administrative Contractors to return telehealth claims submitted on or before November 10, 2025, that had been deemed non-payable. Practitioners must resubmit returned claims and refund beneficiary payments for services now covered retroactively. Medicare Administrative Contractors also began returning claims for the Acute Hospital Care at Home initiative on November 10, 2025, for dates of service on or after October 1, 2025. Source: Health Law Diagnosis​

Data Privacy and Breach

• ​Metrocare Services, a Dallas, TX-based provider of mental health services to individuals in North Texas, has identified an impermissible disclosure of patient information. On September 9, 2025, an employee sent an encrypted email from their work account to a personal email account, and the email was later shared on an unauthorized network. The investigation confirmed that the encrypted email contained the protected health information of approximately 8,600 patients, including names, medical record numbers, appointment times, doctors’ names, dates of service, and duration and costs of service. Source: HIPAA Journal​

HIPAA

• ​A federal court dismissed a Texas lawsuit that challenged both a 2024 HIPAA reproductive health care privacy rule and sought to invalidate the entire 2000 HIPAA Privacy Rule. On November 24, 2025, Judge James Wesley Hendrix of the U.S. District Court for the Northern District of Texas dismissed the case without prejudice based on a joint stipulation between Texas and HHS. The Texas Attorney General had filed the 2024 lawsuit against the U.S. Department of Health and Human Services, alleging the agency exceeded its statutory authority when issuing the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule in April 2024. The lawsuit included a proposed remedy to challenge the validity of the 2000 HIPAA Privacy Rule. The dismissal ends this challenge to HIPAA’s validity, though questions remain about whether states will continue to challenge regulations following the Supreme Court’s decision in Loper Bright. Source: Quarles Law Firm​
• ​60% of healthcare organizations have experienced a HIPAA-related incident or near miss, according to a survey of 613 healthcare professionals conducted in May and June 2025. Internal employee error accounted for 49% of these incidents, while vendor or third-party breaches caused 10%. While 59% of organizations expressed confidence in their vendors’ HIPAA compliance, only 33% conduct annual vendor risk assessments, and just 69% require HIPAA training from vendors. Civil penalties for violations range from $127 to $63,973 per violation with an annual cap of $1,919,173, while criminal penalties can reach $250,000 per violation and include one to 10 years in prison. Source: Yahoo News​

Non-Competes

• ​Texas courts enforce noncompete agreements that meet three criteria under the Texas Business and Commerce Code, while California declares such provisions illegal. Over 300 companies have relocated their headquarters to Texas in the past 10 years, with nearly half coming from California alone. Texas requires noncompetes to be ancillary to an enforceable agreement, reasonable as to time and geographic area, and no more restrictive than necessary to protect the employer’s business interests. Texas courts will apply Texas law on noncompete enforcement even when employment agreements select another state as the governing law, as established in Exxon Mobil Corp. v. Drennen. Texas courts recommend limiting noncompete terms to a maximum of five years and generally find industry-wide restrictions on employee work unenforceable. Source: The Texas Lawbook​

Telehealth

• ​The DEA is preparing to release a fourth extension of COVID-19 telemedicine flexibilities for prescribing controlled medications, signaling continuation of pandemic-era rules that affect ketamine clinics. During the pandemic, the DEA temporarily waived requirements of the Ryan Haight Online Pharmacy Consumer Protection Act, which traditionally required in-person medical evaluations before providers could prescribe controlled substances like ketamine via telemedicine. The waiver permitted clinicians to prescribe controlled substances after two-way, real-time telemedicine visits, provided the prescription served a legitimate medical purpose and complied with state and federal law. The full text of the new rule remains under review and is not yet available for public comment. Clinics should monitor DEA announcements, update protocols to ensure practitioners are properly licensed, maintain documentation of telemedicine visits and prescription records, and establish protocols for patient screening and post-treatment follow-up. Source: Healthcare Law Insights​