Wade's Health Law Highlights for June 17, 2025


June 17, 2025

What's New

  • Accountable Care Organizations
  • Cybersecurity
  • Drugs & Devices
  • EMTALA
  • Fraud & Abuse
  • HIPAA
  • Medicare
  • Med Spas
  • Patient Rights
  • Senior Living Facilities

Accountable Care Organizations

  • Hospitals participating in CMS accountable care organizations require more than two years of maturity before seeing improvements in patient care costs and quality, according to a study comparing 121 ACO-participating hospitals with 853 non-participating hospitals from 2010 to 2013. Researchers found that hospitals with an ACO maturity score of zero performed worse than non-participants in acute myocardial infarction mortality rates and perioperative pulmonary embolism or deep vein thrombosis rates, but these differences disappeared as ACO maturity increased. The study showed that higher ACO maturity scores correlated with reductions in accidental punctures and lacerations among participating hospitals. Researchers noted that early ACOs focused primarily on enhancing care coordination and strengthening primary care rather than transforming inpatient care processes during the initial 18 months. Currently, only 1,450 of more than 5,000 Medicare-enrolled hospitals participate in CMS ACOs, leaving room for expansion as the agency aims to transition all traditional Medicare beneficiaries to accountable care by 2030. Source: American Journal of Managed Care

Cybersecurity

  • Healthcare organizations face an escalating cybersecurity crisis with 33 attacks recorded in 2025 and global healthcare ransomware surging 31%. Over 90% of healthcare cyberattacks are phishing scams enhanced by AI, while healthcare data sells for up to 50 times more than financial information on black markets. Third-party vendors cause 50-60% of data breaches, prompting healthcare organizations to adopt the HITRUST framework for vendor risk assessment. The government is implementing mandatory cybersecurity standards through the Health Infrastructure Security and Accountability Act and proposed HIPAA Security Rule modifications requiring encryption, multi-factor authentication, and vulnerability testing. Healthcare providers are deploying AI-powered threat detection systems and zero-trust architectures to combat these threats in real time. Source: Information Security Buzz

Drugs & Devices

  • Sixteen states have proposed or passed legislation to make ivermectin available over the counter despite scientific evidence showing the deworming drug does not treat COVID-19 or cancer. Idaho, Arkansas, and Tennessee have enacted such laws, while Louisiana passed a bill awaiting the governor’s signature, driven by social media claims that ivermectin treats cancer, COVID-19, foot pain, arthritis, lupus, and acne. High-quality clinical trials found ivermectin ineffective against COVID-19, and doctors report patients with treatable cancers have delayed treatment to try ivermectin, only to return with advanced disease. Despite state laws, pharmacies remain unable to sell ivermectin over the counter because it remains federally regulated by the FDA, with NBC News finding no pharmacists willing to dispense it without a prescription in states with permissive laws. Pharmacists cite liability concerns since the prescription drug lacks over-the-counter packaging with consumer directions and safety statements. Source: Ars Technica

EMTALA

  • CMS rescinded July 2022 guidance on EMTALA obligations for pregnant patients and pregnancy loss cases. The Department of Health and Human Services and Centers for Medicare & Medicaid Services announced on June 3, 2025, that they are withdrawing two hospital guidance documents (QSO-22-22-Hospitals and QSO-21-22-Hospitals) and a letter from the former Secretary of Health and Human Services because these documents do not reflect current administration policy. CMS stated it will continue to enforce EMTALA, which protects all individuals who present to hospital emergency departments seeking examination or treatment, including for emergency medical conditions that place the health of a pregnant woman or her unborn child in serious jeopardy. The agency said it will work to rectify perceived legal confusion and instability created by the former administration’s actions. Source: CMS

Fraud & Abuse

  • Healthcare fraud enforcement under the False Claims Act reached $1.67 billion in settlements and judgments in 2024, representing 57% of all FCA recoveries. The Department of Justice secured settlements from Independent Health ($98 million for upcoding Medicare diagnoses), Gilead Sciences ($202 million for kickbacks to HIV medication practitioners), and Teva Pharmaceuticals ($450 million for Medicare copay conspiracies and generic drug price fixing). Attorney General Pam Bondi and Deputy Assistant Attorney General Michael Granston have committed to enforcement, with DOJ guidance instructing prosecutors to prioritize healthcare fraud cases. The government recovers three dollars for every dollar spent fighting fraud, according to DOJ officials. Enforcement now extends beyond traditional healthcare to include Walgreens ($350 million for opioid prescription violations) and McKinsey ($650 million for consulting on OxyContin sales acceleration). Source: Forensic Risk

HIPAA

  • The US Department of Health and Human Services Office for Civil Rights has escalated enforcement of HIPAA risk analysis requirements through a dedicated initiative that has resulted in nine settlements totaling over $1 million in penalties since October 2024. The Risk Analysis Initiative targets healthcare entities that fail to conduct proper assessments of potential risks to electronic protected health information, a requirement under the HIPAA Security Rule that OCR describes as the foundation for cybersecurity practices. Healthcare organizations face increasing pressure as ransomware breaches have surged 264% since 2018, with settlements ranging from $10,000 to $350,000 for violations involving breaches affecting between 4,304 and 585,621 individuals. The enforcement effort has continued across both the Biden and Trump administrations, with OCR finding that many entities’ risk analyses were based on incomplete inventories of where protected health information is stored and transmitted. The initiative encompasses various breach types including ransomware attacks, server misconfigurations, and unauthorized access to medical imaging systems. Source: ArentFox Schiff
  • Healthcare organizations continue to struggle with HIPAA compliance implementation despite awareness of their obligations, according to survey results from hundreds of organizations across the United States. The survey found that many organizations have not appointed dedicated HIPAA Privacy Officers with sufficient decision-making authority and continue to provide training less frequently than annually, often excluding business associates from compliance education. Organizations also lack written documentation for complex or emerging risks, with some not updating their HIPAA risk assessments in several years despite increasing cybersecurity threats. Only a minority of respondents indicated they feel confident their organization could effectively respond to an Office for Civil Rights compliance audit or data breach investigation. The Office for Civil Rights is scrutinizing risk assessments under its enforcement initiative, with organizations facing a high probability of financial penalties for noncompliance. Source: HIPAA Journal

Medicare

  • Medicare paid $124 million for evaluation and management services billed alongside eye injections that violated federal requirements. The Office of Inspector General found that for 42 percent of the 3.3 million intravitreal injections provided during June 2022 through May 2023, providers billed for evaluation and management services on the same day using modifier 25, which bypassed system controls designed to prevent improper payments. Documentation for 22 of 24 sampled services did not support the use of modifier 25, as the services were not significant and separately identifiable from the injection procedures. The Centers for Medicare & Medicaid Services lacked adequate internal controls to detect and prevent these potentially improper payments, including clear requirements for modifier 25 use and medical reviews of claims. The audit recommends that CMS update billing requirements, conduct medical reviews to recover up to $124 million in improper payments, and provide better education to providers about appropriate billing practices. Source: HHS.gov

Med Spas

Patient Rights

  • The Fifth Circuit upheld Texas parental consent requirements that prevent minors from confidentially accessing contraception at federally funded Title X clinics. Alexander Deanda, a father of three daughters, filed suit in 2020 challenging the Department of Health and Human Services’ administration of Title X, arguing he wanted notification if his children sought contraceptives based on his Christian beliefs. Title X, enacted in 1970, provides family planning services to low-income individuals and in 2021 HHS prohibited parental consent requirements for minors seeking services. The district court ruled in Deanda’s favor, finding that federal law did not preempt Texas Family Code provisions requiring parental consent for medical care, but the Fifth Circuit avoided deciding the constitutional question of balancing parental and minor rights by using the doctrine of constitutional avoidance. The ruling threatens minors’ access to confidential reproductive care through mechanisms like judicial bypass. Source: Harvard Law Review

Senior Living Facilities

Wade Emmert

Partner & Healthcare Practice Group Leader

Board Certified, Health Law // Certified Information Privacy Professional (CIPP/US) // Artificial Intelligence Governance Professional (AIGP) // Certified in Cybersecurity (ISC2 CC)

901 Main Street, Suite 5500, Dallas, TX 75202

Carrington, Coleman, Sloman & Blumenthal, LLP
