This week

• Data Breach
• Drug & Device
• Fraud & Abuse
• HIPAA
• Medicare / Medicaid
• Management Services Organizations (MSO)
• Mergers & Acquisitions (M&A)
• Substance Use Disorder (Part 2)
• Telehealth
• Texas Medical Board

Data Breach

• ​Texas Attorney has launched an investigation into what he describes as potentially the largest data breach in U.S. history, issuing Civil Investigative Demands to Blue Cross Blue Shield of Texas and Conduent Business Services LLC. The breach of Conduent’s system occurred between Oct. 21, 2024, and Jan. 13, 2025, exposing sensitive personal data of approximately 4 million Texans, including protected health information of Texas Medicaid recipients. The investigation will examine Conduent’s security measures, communications, and compliance with Texas law, as well as Blue Cross Blue Shield of Texas’ compliance with state law regarding confidential information protection. Conduent stated they acted promptly to contain and investigate the issue, engaged cybersecurity experts, and disclosed the incident through an 8-K filing. The company said there is no evidence that any underlying data has been misused, posted, or made publicly available. Source: KXXV​

Drug & Device

• ​The Consolidated Appropriations Act (H.R. 7148) passed on Feb. 3, 2026, with provisions that expand FDA authority over pediatric drug research and streamline generic drug approvals. The law allows FDA to require companies to study combination cancer treatments in children and grants the agency power to deem drugs misbranded when sponsors fail to pursue pediatric studies with diligence. The legislation extends the rare pediatric disease priority review voucher program through Sept. 30, 2029, and overturns a 2021 court decision by limiting orphan drug exclusivity to the specific use or indication for which a drug is approved, not the entire disease. The Act also requires FDA to disclose to generic drug applicants whether their formulations match brand drugs in composition and concentration for injectable, ophthalmic, and otic medications, and establishes an Abraham Accords Office at FDA in one of the Abraham Accords countries. Source: Brownstein​
• ​The FDA will restrict GLP-1 active pharmaceutical ingredients used in non-FDA-approved compounded drugs mass-marketed by companies including Hims & Hers and other compounding pharmacies. The agency cannot verify the quality, safety, or efficacy of these products. The FDA sent warning letters in fall 2025 and now prohibits companies from claiming compounded products are generic versions, use the same active ingredient as FDA-approved drugs, or are clinically proven to produce results. The agency will use enforcement tools including seizure and injunction against entities that manufacture, distribute, or market these products without addressing violations. Source: FDA​
• ​Novo Nordisk filed a lawsuit against Hims & Hers on Monday seeking a permanent ban on the telehealth company’s compounded versions of its Wegovy obesity drugs and damages for patent infringement. Hims announced Saturday it would stop offering its copycat obesity pill after facing scrutiny from the FDA and legal threats from Novo, though the company claims the lawsuit represents an attack on millions of Americans who rely on compounded medications. Novo estimated in January that as many as 1.5 million Americans are using compounded GLP-1 drugs, despite semaglutide being protected by U.S. patents through 2032 and no longer being in shortage. Hims’ stock fell more than 18% on Monday while Novo’s shares climbed more than 3%. The FDA announced Friday it planned to take legal action against Hims, including restricting access to ingredients and referring the company to the Department of Justice. Source: CNBC​

Fraud & Abuse

• ​The HHS Office of Inspector General issued guidance on January 27, 2026, establishing standards for pharmaceutical manufacturers offering prescription drugs through direct-to-consumer programs under the federal Anti-Kickback Statute. The bulletin addresses concerns that discounted drugs could induce purchases of other federally reimbursable products or services, or induce future purchases of the same drug through federal health care programs. OIG states that DTC programs carry low risk when they require valid prescriptions from independent prescribers, prohibit billing to federal programs, avoid conditioning access on future purchases, provide at least one full plan year of availability to federal health care program beneficiaries, and exclude controlled substances. The guidance applies to all manufacturer DTC programs regardless of whether they operate through TrumpRx, the government-sponsored platform referenced in the bulletin. The bulletin does not provide safe harbor protection and does not address vendor arrangements involved in operating DTC programs. Source:Ropes & Gray LLP​
• ​Medicare spending on genetic testing has surged to 43% of total Part B laboratory reimbursement in 2024, despite representing only 5% of test volume, triggering expectations of heightened enforcement actions. The HHS Office of Inspector General reported on January 28, 2026, that Part B genetic testing reimbursement increased $600 million from 2023 to 2024, reaching approximately $3.6 billion total, while non-genetic testing reimbursement remained flat. In 2024, 346 laboratories each received over $1 million in Part B payments for genetic tests, with 55 laboratories exceeding $10 million, and CPT code 87798 alone accounted for $443 million in reimbursement. The DOJ has already charged 36 defendants in 2024 and 49 defendants in 2025 related to genetic testing telemedicine schemes totaling over $2.2 billion in alleged fraud. Enforcement by HHS OIG and the Department of Justice is expected to intensify over the next 12-24 months, with many cases beginning through RAC or UPIC audits by Medicare contractors. Source: Katten​
• ​DOJ secured $6.8 billion in False Claims Act settlements and judgments in 2025, marking the statute’s highest dollar value in history. Whistleblower-driven qui tam filings reached 1,297 cases in fiscal year 2025, up from 980 in 2024, with these cases accounting for $5.34 billion of the total recoveries. Healthcare enforcement dominated at 84% of total recoveries ($5.7 billion), while DOJ expanded focus into trade fraud through a cross-agency Task Force with the Department of Homeland Security and increased cybersecurity enforcement with nine resolutions totaling $52 million. Government-initiated cases decreased to 401 matters in 2025 from 425 in 2024, while DOJ Deputy Assistant Attorney General Brenna Jenny signaled the agency will use dismissal authority more to manage the qui tam pipeline. DOJ and HHS reestablished their False Claims Act Working Group to coordinate healthcare enforcement in 2026. Source: Cadwalader​
• ​The DOJ Fraud Section charged 265 individuals and secured 235 convictions in 2025, with the Health Care Fraud Unit accounting for 194 charges and 150 convictions. The HCF Unit brought four corporate enforcement actions marking its first corporate criminal health care cases in nearly a decade and reported $15.02 billion in alleged losses. The Fraud Section conducted 15 corporate enforcement actions totaling over $1 billion in global monetary amounts, though 85% of that figure stems from an agreement with Boeing and a resolution with KBWB Operations LLC. The White House created a new DOJ Division for National Fraud Enforcement that will drive multi-district and multi-agency investigations. The Fraud Section installed permanent leadership in 2026, including a permanent chief, deputy assistant attorney general, and Senate-confirmed assistant attorney general. Source: Alston & Bird​

HIPAA

• ​Researchers at New York University demonstrated that AI language models can re-identify patients from medical notes that have been stripped of HIPAA identifiers. The study used 222,949 clinical notes from 170,283 NYU Langone patients and trained a BERT-based model to predict six demographic attributes from de-identified records, achieving over 99.7% accuracy for biological sex. The linkage attack produced a maximum unique re-identification risk of 0.34%, approximately 37 times higher than baseline, which would potentially de-identify 800,000 patients if applied to the US population. The researchers note that this vulnerability exists within a multi-billion dollar market where hospitals and data brokers sell de-identified clinical notes to pharmaceutical firms, insurers, and AI developers, with insurance companies being the most likely beneficiaries. The paper, titled “Paradox of De-identification: A Critique of HIPAA Safe Harbour in the Age of LLMs,” recommends shifting de-identification research toward social contracts and legal consequences rather than technical solutions. Source: Unite.AI​
• ​The U.S. Department of Health and Human Services Office for Civil Rights proposed the first update to the HIPAA Security Rule since 2013 in December 2024, with finalization scheduled for May 2026. The proposal eliminates the distinction between “required” and “addressable” security measures, making all safeguards mandatory for health plans, healthcare providers, clearinghouses, and business associates. Organizations will need to conduct annual compliance audits, maintain technology asset inventories, implement multi-factor authentication on all systems accessing electronic protected health information, and encrypt data both at rest and in transit. The rule is expected to become effective in July or August 2026, with compliance deadlines falling before the end of 2026 or early 2027. In 2025, OCR levied more than $6.6 million in fines for HIPAA violations, with penalties ranging from $80,000 to $3,000,000. Source: Healthcare Law Insights​

Medicare / Medicaid

• ​Medicare launched a six-year pilot program that uses AI to review and deny treatment requests in six states starting January 2026. The program, called the Wasteful and Inappropriate Service Reduction Model, requires medical providers to obtain prior authorization for 14 types of procedures and devices for patients enrolled in traditional Medicare. The AI software identifies treatment requests it considers unnecessary or harmful and denies them. Traditional Medicare covers about half of the 67 million Americans on Medicare and has not previously required providers to submit authorization requests, unlike Medicare Advantage plans administered by private companies. Health economists who studied the program say it could reduce costs but needs monitoring to prevent harm to patients. Source: Fast Company​
• ​CMS issued a final rule that prohibits states from taxing Medicaid managed care organizations at higher rates than non-Medicaid organizations. The rule, published in February 2026, implements provisions from the One Big Beautiful Bill Act signed in July 2025 and affects seven states that currently have waivers for their MCO taxes: California, Illinois, Massachusetts, Michigan, New York, Ohio, and West Virginia. New York and California face the earliest compliance deadline of January 1, 2027, which threatens $3.7 billion in revenue for New York and $7.5 billion for California. The legislation also requires Medicaid expansion states to reduce the hold harmless threshold from 6% to 3.5% of net patient revenue by 2032, starting in fiscal year 2028. States must either reduce tax rates, eliminate taxes entirely, or find alternative revenue sources to fill budget gaps. Source: McDermott+​

Management Services Organizations (MSO)

• ​Non-physicians cannot directly own medical spas in Texas due to the corporate practice of medicine doctrine, but they can participate through a Management Services Organization structure. The MSO model separates operations into two entities: a physician-owned professional limited liability company that controls all medical decisions and a non-physician-owned MSO that handles business functions through a Management Services Agreement. The MSO can provide office space, billing, marketing, and staff hiring, but cannot make medical decisions, direct patient care, or hire or fire physicians. Compliance requires fair market value compensation, adherence to the Anti-Kickback Statute, written documentation, and preservation of physician clinical autonomy. Licensed physicians can own 100 percent of a med spa practice, while physician assistants can hold only minority ownership stakes. Source: Hendershot Cowart P.C.​

Mergers & Acquisitions (M&A)

• ​Healthcare M&A activity is rebounding in 2026 with capital returning to the market, particularly in the middle market, but investors are demanding higher execution standards. Buyers prioritize proven operating models, durable reimbursement, and paths to margin improvement over growth narratives, with platform builds, physician practice management roll-ups, and bolt-on strategies driving deal flow in specialties including cardiology, gastroenterology, dermatology, musculoskeletal, behavioral health, and women’s health. Dealmakers are using earn-outs tied to EBITDA normalization, milestone-based payments, rollover equity, and staged acquisitions to bridge valuation gaps and manage physician retention risks. Technology and AI have become core diligence focuses, with buyers scrutinizing measurable ROI, data governance, regulatory compliance, and margin improvement capabilities. Rising labor costs, reimbursement headwinds in Medicaid-exposed specialties, and payor pressure continue to drive consolidation, while antitrust review and regulatory scrutiny of data practices remain concerns despite a generally more deregulatory tone in Washington. Source: Arnall Golden Gregory LLP​
• ​Quality of Revenue has become a more strategic indicator of enterprise value than EBITDA for dental service organizations, as it measures the integrity, timing, and sustainability of revenue across multi-specialty practices. DSOs operate without a universal practice management or billing platform, creating system-level limitations that compound as organizations expand through acquisition and apply assumptions related to revenue timing, coding interpretation, and contractual adjustments. Revenue quality risks concentrate in legacy accounts receivable and unresolved credit balances that accumulate in oral surgery practices where patients pay upfront while insurance adjudication occurs weeks or months later, as well as in inconsistently applied orthodontic family discounts and retail revenue streams that include whitening, aligners, and cosmetic procedures. During due diligence, legacy credit balances surface as quality of earnings adjustments that can reduce transaction value, delay closings, and lead to post-close financial leakage. DSOs with mature QoR practices shorten diligence cycles, reduce deal friction, and increase investor confidence. Source: VMG Health​

Substance Use Disorder (Part 2)

• ​Revised federal rules for substance use disorder records will be enforced beginning February 16, 2026, subjecting healthcare providers to penalties ranging from $145 to $2,190,294 per violation. The Part 2 regulations apply to federally assisted substance use disorder programs, which include entities that receive Medicare payments, maintain DEA registration for controlled substances used in treatment, or receive federal financial assistance. Programs must maintain confidentiality of records, obtain patient consent before disclosure, provide privacy notices, implement security safeguards, and execute agreements with service organizations. Recipients of substance use disorder records from Part 2 programs become subject to confidentiality obligations once they receive written notice that the records are protected. The Office for Civil Rights may begin investigation and enforcement activities on February 16, 2026, and the public may file complaints alleging violations. Source: Holland & Hart’s Health Law Blog​

Telehealth

• ​CMS has made permanent the use of real-time, two-way audio/video technology to satisfy direct supervision requirements for most Medicare Part B services, allowing physicians to supervise nonphysician practitioners remotely rather than being physically present in the office suite. The policy, which took effect January 1, 2026, stems from flexibilities first introduced between March 31, 2020 and December 31, 2025 during the COVID-19 public health emergency. The rule applies to most Medicare Part B services under 42 CFR § 410.26, excluding certain surgical procedures with global surgery indicators 010 or 090, and explicitly prohibits audio-only technology for supervision purposes. The Consolidated Appropriations Act, 2026, signed February 3, 2026, extended through December 31, 2027 the ability for patients to receive non-behavioral/mental health telehealth services at home without geographic restrictions, while permanently implementing this flexibility for behavioral/mental health care. CMS clarified in a February 4, 2026 FAQ that virtual-only telehealth practitioners whose only physical practice location is their home address must enroll that home address as a practice location. Source: Morgan Lewis​

Texas Medical Board

• ​The Texas Attorney announced he will not defend the Texas Medical Boardin a lawsuit filed by Dr. Mary Talley Bowden, a Houston ear, nose and throat specialist who received a public reprimand for prescribing ivermectin to a COVID-19 patient at a Fort Worth hospital in 2021. Paxton asked a judge to void the reprimand and accused the board of acting on personal animosity and spite. The case stems from Bowden sending a nurse to Texas Health Huguley Hospital to treat former Tarrant County Sheriff’s Deputy Jason Jones, despite the medical board determining she lacked privileges at the facility. Bowden argues a court order created legal ambiguity about her permission to treat the patient, though an appeals court had paused that order and she claims she was unaware of that ruling. The Texas Legislature passed a resolution last year commending Bowden for her COVID-19 treatment. Source: Houston Chronicle​