This week

• Cybersecurity
• Dentists
• Electronic Health Records
• Emerging Tech
• Fraud & Abuse
• HIPAA
• Non-Competes
• Price Transparency
• Private Equity

Cybersecurity

• ​Texas has enacted a law that shields small businesses from punitive damages in data breach lawsuits if they maintain compliant cybersecurity programs. Governor Greg Abbott signed S.B. 2610, which applies to businesses with fewer than 250 employees that implement cybersecurity programs containing administrative, technical, and physical safeguards conforming to industry-standard frameworks. The law scales requirements based on business size: companies with under 20 employees need password policies and training, those with 20-99 employees must implement CIS Controls Implementation Group 1, and businesses with 100-249 employees must adopt frameworks like NIST or HITRUST. Businesses compliant with HIPAA, Gramm-Leach-Bliley Act, or PCI DSS standards qualify for protection. The law takes effect September 1, 2025. Source: HIPAA Journal​

Dentists

• ​Texas Governor Abbott signed a state budget provision that reallocates $140 million to increase Medicaid dental reimbursement rates for specific procedure codes. The funding adjustment came after lobbying efforts by the Texas Dental Association and Texas Academy of Pediatric Dentistry following the Texas Health and Human Services Commission’s March 1, 2025 biennial fee review that left many procedure codes unchanged or reduced. Amendment 25 to the state budget directs HHSC to roll back all March 1 fee changes and instead apply uniform rate increases to 46 specific dental procedure codes including evaluations, x-rays, fluoride treatments, restorations, extractions, and crowns. The reallocation will be implemented in a revenue-neutral manner, meaning total Medicaid spending on dental services will not exceed projections under the March 1 fee schedule. The new rates will likely take effect on September 1, the budget implementation date. Source: Texas Dentists for Medicaid Reform​

Electronic Health Records

• ​Epic Systems controls electronic health record data for over half of U.S. acute care hospital beds, creating barriers for AI startups seeking access to healthcare information. Three lawsuits have been filed against EHR companies in the past year, including two against Epic, alleging anticompetitive behavior. CureIS filed the most recent lawsuit in May, claiming Epic violated the 21st Century Cures Act by refusing to provide client data when requested. The Centers for Medicare and Medicaid Services and the federal health IT office held a meeting this month to gather feedback on supporting digital health tools and announced plans to promote free and open data exchange standards. The industry is moving toward implementing these standards for prior authorization procedures by January 2027. Source: POLITICO​

Emerging Tech

• ​Texas has enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), becoming the fourth U.S. state to pass a cross-sector AI regulation law. The act will become effective on January 1, 2026, and focuses on preventing harm from AI misuse rather than regulating specific high-risk uses. Its provisions prohibit developers from creating AI to manipulate people, make discriminatory decisions, or produce deepfakes of children, and it requires state agencies to disclose their use of AI. The law empowers the state attorney general with enforcement, allowing for per-violation fines if a violation is not corrected within a 60-day cure period, and does not include a private right of action. A new Artificial Intelligence Council will be created under the state Department of Information Resources, which will include a regulatory sandbox for companies to test AI models. Source: IAPP​
• ​A business intelligence analyst has developed a framework to make predictive analytics more practical for healthcare implementation. Rohan Desai, who works at R1 RCM, published research proposing hybrid machine learning models that combine stacking, boosting techniques, and neural network-random forest models to address challenges in data integration, quality, model interpretability, and clinical relevance. The framework uses open-source tools like Python libraries and supports standard healthcare data formats including HL7 and CSV, making it cost-effective and suitable for low-resource settings. Desai has tested the framework using datasets from platforms like Kaggle but has not yet partnered with hospitals, though he seeks collaboration with research institutions such as Johns Hopkins, Mayo Clinic, and facilities in India. Source: Healthcare IT News​
• ​Rural healthcare providers face infrastructure limitations, staffing shortages, tight budgets, and lack of technical expertise that complicate AI adoption. Industry leaders suggest rural systems could bypass outdated technology and use AI to address gaps in access and care delivery. Rural clinics and hospitals are implementing AI through infrastructure workarounds and flexible pricing models. Source: Fierce Healthcare​

Fraud & Abuse

• ​The Department of Justice Civil Division announced five enforcement priorities targeting private sector DEI initiatives, antisemitism, gender-affirming care, sanctuary jurisdictions, and expanded denaturalization proceedings. The Civil Division will pursue False Claims Act investigations against federal fund recipients with DEI policies and those allegedly participating in or allowing antisemitism, including government contractors and higher education institutions. The Division plans to investigate healthcare providers, pharmaceutical companies, and online pharmacies for violations of the Food, Drug, and Cosmetic Act related to off-label use of drugs in gender-affirming care. Source: Mayer Brown​
• ​The Department of Health and Human Services’ Office of Inspector General issued an unfavorable advisory opinion determining that a medical device company’s proposal to pay for exclusion screening services for its customers would potentially violate the federal Anti-Kickback Statute. The medical device company proposed to pay approximately $450,000 annually to a third-party screening company to monitor the device company for exclusion from federal healthcare programs on behalf of its customers—hospitals, health systems, and ambulatory surgery centers—who required this screening as a condition of doing business. The OIG concluded that paying these fees would constitute remuneration to customers that could induce them to purchase items or services reimbursable by federal healthcare programs. The agency expressed concern that the per-customer fee structure created anti-competitive risks and could improperly steer customers toward the device company over competitors unable or unwilling to offer similar payments. The OIG also noted that the arrangement raised the risk of the screening company acting as a “gatekeeper” of referrals, since customers conditioned their business on the device company’s payment of the screening fees. Source: Epstein Becker Green​
• ​Federal prosecutors charged 11 people, including Brooklyn business owner Kevin Valdhans, in a Medicare fraud scheme that submitted $10 billion in bogus claims. The defendants were part of a criminal organization based in Eastern Europe that bought more than 30 legitimate companies to conduct Medicare fraud. The group’s leader operated from Russia, with eight Estonian citizens, one United States citizen, and Valdhans from the Czech Republic among those charged. Investigators said the organization stole the identities of more than 1 million Americans and received $41 million from Medicare plus $900 million from Medicare Supplemental Insurers. The operation, which included G&I Ortho Supply in Gravesend billing for catheters that Medicare members never requested, lasted until September. Source: CBS New York​

HIPAA

• ​State laws are expanding health data privacy protections beyond HIPAA’s limited scope to regulate consumer health data collected by non-healthcare entities. HIPAA only applies to healthcare providers and insurers, leaving consumer-generated health data from wellness apps, digital platforms, and advertising technologies unprotected, while the FTC’s enforcement authority remains limited to breaches of personal health records and deceptive practices. California’s Consumer Privacy Rights Act (CPRA), Washington’s My Health My Data Act, and New York’s S. 929 (enacted March 2024) now require any entity collecting health-related data to obtain consent, provide transparency, and enable data deletion rights. The Maxwell v. Amazon lawsuit demonstrates the stakes, alleging Amazon’s advertising software collected location data through apps like The Weather Channel to infer visits to mental health clinics and reproductive care centers. Washington’s law includes a private right of action allowing individuals to sue for violations, while California’s Delete Act requires data brokers to register with the state and enables centralized deletion requests across all registered brokers. Source: Clark Hill PLC​

Non-Competes

• ​Texas Governor Greg Abbott signed Senate Bill 1318 on June 20, 2025, imposing new restrictions on non-competition agreements for healthcare professionals. The law, which takes effect September 1, 2025, limits non-compete covenants for physicians, dentists, physician assistants, and nurses to one year after termination and restricts the geographic scope to a five-mile radius from their primary practice location. Healthcare professionals can buy out their non-compete agreements for an amount not exceeding their annual salary, and all covenant terms must be clearly stated in writing. Physicians who are involuntarily discharged without good cause will have their non-compete agreements voided. The new requirements apply only to covenants entered into or renewed on or after September 1, 2025. Source: Jackson Walker​

Price Transparency

• ​The Centers for Medicare & Medicaid Services requests public input on hospital price transparency data accuracy and completeness through a formal Request for Information with comments due by July 21, 2025. The agency seeks feedback on six specific questions to improve compliance and enforcement processes for hospital pricing data in response to a Presidential Executive Order and a Government Accountability Office recommendation. Federal law requires hospitals to publish their standard charges in machine-readable files, and since July 1, 2024, hospitals must affirm the accuracy and completeness of these files. CMS indicates that stakeholders have raised concerns about whether missing pricing information in the files means hospitals have not established charges with payers or have failed to comply with disclosure requirements. The agency will accept responses through an online form and may use the input to develop future policies and processes. Source: CMS​

Private Equity

• ​Oregon enacted Senate Bill 951, creating the nation’s most comprehensive restrictions on private equity healthcare investment. Governor Tina Kotek signed the law on June 9, 2025, prohibiting management services organizations (MSOs) from having overlapping ownership or control with contracted medical practices. The dual-engagement restrictions take effect January 1, 2026, for new market participants, while existing entities have until January 2029 to comply. Violations constitute unlawful trade practices, allowing the Oregon Attorney General to pursue civil penalties and private plaintiffs to seek damages, including punitive damages and attorney’s fees. Governor Kotek positioned the legislation as a model for other states considering similar restrictions on private equity healthcare investments. Source: Dechert​