This week
- Ambulatory Surgery Centers
- Dentistry
- Food & Drug Administration
- Fraud & Abuse
- HIPAA
- Med Spa and Medical Aesthetics
- Medical Privacy
- MedTech
- Private Equity
Ambulatory Surgery Centers
- Ambulatory surgery centers are becoming essential to health system growth strategies as clinical, financial, regulatory, and competitive forces push care beyond hospital walls. Technology improvements and post-pandemic comfort with higher-acuity procedures have made ASCs viable for surgeries previously limited to hospitals, while federal and state policy changes, including inpatient-only list removals and relaxed certificate-of-need requirements, encourage the migration of care. Payers are directing procedures like colonoscopies and endoscopies to ASCs for cost efficiency, and patients prefer the convenience and streamlined experience. Health systems face barriers including the need for strategic clarity and understanding that running an ASC requires different competencies than running a hospital. Single-specialty centers in musculoskeletal care, spine, cardiac, and electrophysiology are accelerating, and ASCs are becoming a tool for physician recruitment and retention amid workforce shortages. Source: VMG Health
Dentistry
- Dental practices are adopting data analytics solutions to transform patient care from reactive to proactive models. These platforms analyze patient records, treatment histories, financial transactions, and appointment trends to track performance indicators including patient retention, chair occupancy, and revenue cycle efficiency. The systems enable preventive care by identifying patterns in patient histories and treatment gaps, while value-based care frameworks assess success based on patient outcomes rather than procedure volume. Practices face implementation challenges including data fragmentation across systems and staff resistance, which are addressed through data integration platforms, intuitive interfaces with AI-powered recommendations, and compliance features such as data encryption and role-based access controls. Analytics also enhance revenue cycle management by identifying billing inefficiencies and support marketing efforts by tracking patient acquisition costs and campaign returns. Source: Healthcare Tech Outlook
Food & Drug Administration
- The FDA deployed agentic AI capabilities for all agency employees. The systems plan, reason, and execute multi-step actions to achieve specific goals, with human oversight built in, and the tool is optional for staff. The agency previously deployed Elsa, an LLM-based tool, in May, which over 70% of staff now use. The agentic AI will assist with meeting management, pre-market reviews, post-market surveillance, inspections, compliance, and administrative functions. The models operate in a high-security GovCloud environment and do not train on input data or data from regulated industry. Source: FDA
Fraud & Abuse
- A federal grand jury indicted a Houston man for using fraudulent prescriptions to obtain controlled substances from pharmacies across five states. Darrion Denard Brooks, 28, and co-conspirators allegedly used fictitious identification information and DEA registration numbers of at least five medical professionals without authorization to obtain prescriptions between November 2023 and March 2025. The scheme resulted in at least 11 fraudulent prescriptions for codeine and other controlled substances from eight pharmacies in Louisiana, Texas, Florida, Georgia, and Tennessee. Brooks faces one count of conspiracy and four counts of obtaining controlled substances by fraud, with a maximum penalty of four years in prison per count. DEA and HHS-OIG are investigating the case. Source: U.S. Department of Justice
- The First Circuit ruled that clinical laboratories can rely on physician orders as evidence of medical necessity when billing Medicare, establishing a “safe harbor” for scienter under the False Claims Act unless whistleblowers produce specific evidence to rebut that reliance. The court affirmed summary judgment for MD Labs, a Nevada clinical laboratory, in a qui tam action brought by Omni Healthcare, a Florida medical group that alleged MD Labs defrauded Medicare by billing for medically unnecessary PCR urinary tract infection tests when cheaper bacterial urine culture tests would have sufficed. The court found Omni failed to produce evidence that MD Labs acted with actual knowledge, deliberate ignorance, or reckless disregard regarding the alleged lack of medical necessity at the time it billed Medicare. Omni’s owner admitted he deliberately instructed staff to order only PCR tests from MD Labs, even when providers requested bacterial urine culture tests, to build a False Claims Act case against the laboratory. The court rejected Omni’s evidence, which included internal emails, medical literature, absence of coverage determinations, and bundling practices, as insufficient to establish scienter. Source: CaseMine
HIPAA
- The Department of Health and Human Services is proposing updates to the HIPAA Security Rule for the first time in more than two decades in response to 2024 data breaches affecting more than 182 million individuals across over 670 incidents. The rules eliminate “addressable” implementation specifications, requiring all safety features to be fully implemented, documented, and enforced. Organizations must encrypt all electronic protected health information in transit and at rest, implement multi-factor authentication for system access, and terminate employee access within 24 hours of departure. The updates mandate annual technology asset inventories and network mapping, require restoration of lost systems within 72 hours of cyber incidents, and establish continuous risk assessments as a requirement. Manual compliance approaches using spreadsheets and human-led audits will no longer meet the standards. Source: Healthcare IT Today
- HHS has proposed expanding HIPAA Security Rule requirements to cover AI systems that handle patient health data. The January 2025 proposed rule, scheduled for finalization in May 2026, establishes that electronic protected health information used in AI training data, prediction models, and algorithms is protected under HIPAA and requires covered entities to maintain written inventories of AI software and monitor for vulnerabilities. The rule applies to both covered entities and business associates, while 12 states have enacted their own AI healthcare legislation. Civil penalties for violations can reach $50,000 per violation, and criminal penalties for knowing violations range from one to 10 years imprisonment with fines between $50,000 and $250,000. Healthcare providers must ensure AI tools use encrypted internal servers, as public server tools like ChatGPT do not comply with HIPAA Privacy and Security Rules. Source: Amundsen Davis
- Mass tort attorneys face challenges retrieving and reviewing medical records for hundreds or thousands of clients. Under HIPAA, healthcare providers have 30 days to respond to written records requests, with an option for an additional 30-day extension. Records can be obtained through client consent, signed releases, limited power of attorney, or through subpoena or court order. The American Bar Association recommends attorneys follow HIPAA guidelines when handling medical records, including selecting retrieval partners who guarantee HIPAA compliance and implementing staff training. AI-powered tools can address challenges in medical records review, including volume, terminology, and inconsistent organization across providers. Source: U.S. Legal Support
Med Spa and Medical Aesthetics
- Med spa providers face felony charges for performing procedures without proper supervision from state-licensed physicians. An Arizona nurse was arrested for injecting Botox and prescription drugs without supervision from an Arizona-licensed medical director, after an undercover agent confirmed violations following a tip to the Attorney General’s office. The nurse worked at a med spa overseen by a non-resident physician who lacked Arizona licensure and now faces felony charges for practicing medicine without a license, conspiracy, and fraudulent schemes. State laws typically prohibit non-physician practitioners from performing services such as injectables and laser treatments without supervision from a state-licensed physician or, in some states, an advanced practice provider. Multiple states have prosecuted providers for violating scope-of-practice requirements, and enforcement efforts by state licensing boards and prosecutorial agencies are intensifying as the med spa industry grows. Source: Quarles Law Firm
- Medical aesthetics practice owners can choose from four succession planning strategies to exit the market. The first option involves hiring an associate who transitions into ownership over time, requiring 7 to 10 years of planning before exit. The second strategy entails selling to private equity, where owners receive cash at closing and continue working as employees for 3 to 5 years, with planning recommended 6 to 8 years prior to exit. Owners can also sell to another private practice within 12 to 18 months of their planned exit. The fourth option allows owners to close the practice entirely, selling equipment and storing patient records according to state regulations and HIPAA guidelines. Source: VMG Health
Medical Privacy
- Texas healthcare organizations must comply with multiple state laws that exceed HIPAA requirements. The Texas Medical Records Privacy Act (2001) and HB300 (2011) work alongside HIPAA, while the Texas Identity Theft Enforcement and Protection Act defines “sensitive personal information” more broadly than HIPAA’s PHI definition and requires breach notifications. The Texas Data Privacy and Security Act applies to non-PHI data such as marketing lists and website tracking information, requiring organizations to limit collection and obtain consent for uses like targeted marketing. The Texas Responsible AI Governance Act mandates patient notification when AI is used in diagnosis or clinical decision support, while SB1188 requires AI-generated diagnostic outputs to be reviewed under Texas Medical Board standards and prohibits storing data like credit scores in electronic health records. Organizations follow a “most protective law wins” approach and must train employees on all applicable Texas laws, not just HIPAA. Source: HIPAA Journal
MedTech
- Courts are holding medtech companies liable under the Lanham Act for claims about proprietary technology, comparative performance, and regulatory status. The Federal Circuit ruled in Crocs, Inc. v. Effervescent, Inc. that statements about proprietary or patented technology can trigger liability if they create a false impression, rejecting the notion that intangible claims are immune from scrutiny. In Guardant Health, Inc. v. Natera, Inc., a jury awarded $292.5 million after finding that comparative performance claims based on non-equivalent studies misled clinicians about diagnostic test accuracy. The Second Circuit in Zesty Paws LLC v. Nutramax Laboratories, Inc. determined that superlatives like “#1” may be interpreted as factual in data-driven healthcare markets rather than puffery. Courts have also imposed over $1.4 million in sanctions in a case involving Raydiant Oximetry for baseless false advertising claims. Source: Gardner Law
Private Equity
- Governor Gavin Newsom signed two laws in October 2025 that restrict private equity involvement in California healthcare and establish transaction reporting requirements. AB 1415 requires healthcare entities, management services organizations, and other parties to provide written notice to the Department of Health Care Access and Information at least 90 days before transactions involving material transfers of assets or operational control, with reporting requirements applying to transactions closing on or after April 1, 2026. SB 351 codifies California’s Corporate Practice of Medicine doctrine by prohibiting private equity groups and hedge funds from interfering with clinical judgment, controlling patient records, hiring or firing clinical staff based on competency, or setting parameters for payer contracts. The law renders noncompete clauses and non-disparagement provisions unenforceable in agreements with private equity or hedge fund-backed practices, though sale-of-business noncompete provisions remain valid. Both laws take effect January 1, 2026, and SB 351 does not grandfather existing management service organization arrangements or contracts. Source: Health Care Law Matters
- States are implementing laws to restrict private equity ownership and control in healthcare. California prohibits private investors from interfering with physician and dentist judgment and bars contract terms that restrict provider competition or speech about care quality. Oregon restricts dual ownership in medical entities and management services organizations, and prohibits MSOs from controlling clinical operations including staffing levels, visit duration, diagnostic coding, and pricing. California, Massachusetts, and New Mexico require private equity groups, hedge funds, and MSOs to submit written notice and financial information for transactions involving material changes in control, while Massachusetts strengthened oversight with limits on sale-leaseback transactions between hospitals and REITs. Maine imposed a one-year moratorium on hospital purchases by private equity or REITs. Source: Consumer Financial Services Law Monitor
Wade Emmert
Partner & Healthcare Practice Group Leader
Board Certified, Health Law // Certified Information Privacy Professional (CIPP/US) // Artificial Intelligence Governance Professional (AIGP) // Certified in Cybersecurity (ISC2 CC)
901 Main Street, Suite 5500, Dallas, TX 75202