Wade's Health Law Highlights for June 24, 2025


July 5, 2025

This week

  • OIG Advisory Opinions
  • Clinical Trials
  • Corporate Practice of Medicine
  • Cybersecurity
  • Emerging Tech
  • Fair Market Valuations
  • Health Data
  • HIPAA
  • Legislation
  • Private Equity

OIG Advisory Opinions

Clinical Trials

  • Medical device manufacturers face critical decisions in clinical trial planning that can determine company survival. Companies must collect clinical data for pre-market submissions through processes that consume time and money while putting business existence at risk. Three pathways exist for medical device investigations based on risk levels: minimal risk, nonsignificant risk (NSR), and significant risk (SR) studies, with each requiring different oversight and regulatory requirements. Before conducting pivotal trials, companies must define their intended use, indications, and claims since FDA market authorization depends on clinical trial results. Companies should establish FDA communication plans and work with expert statisticians, clinicians, and regulatory counsel to mitigate risks and ensure proper execution. Source: Gardner Law

Corporate Practice of Medicine

  • Healthcare entities face compliance challenges when expanding across state lines due to varying corporate practice of medicine laws and ownership requirements. The corporate practice of medicine doctrine varies significantly by state, with jurisdictions like New York establishing strict prohibitions while others allow more flexibility in corporate structures. Professional entity ownership requirements differ across states, with some mandating wholly or majority ownership by licensed professionals while others like Delaware permit non-physician ownership under certain limitations. Healthcare entities may need to create new entities, revise ownership agreements, or establish management services organization structures to comply with jurisdictional requirements. Legal counsel recommends conducting thorough due diligence and preparing new governance agreements before expanding operations into new markets. Source: Stevens & Lee

Cybersecurity

  • Congress introduced bipartisan legislation to strengthen cybersecurity coordination between federal agencies protecting the healthcare sector. The Healthcare Cybersecurity Act of 2025 was introduced in the House by Representatives Jason Crow (D-CO) and Brian Fitzpatrick (R-PA), with a companion bill in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). The legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on cybersecurity improvements, establish a liaison between the agencies, authorize cybersecurity training for personnel, and conduct a study identifying sector risks. Healthcare cyberattacks have escalated with over 700 data breaches affecting 500 or more individuals reported annually for the past four years, including 278 million individuals affected in 2024. The 2024 Change Healthcare ransomware attack, which compromised an estimated 190 million records and disrupted healthcare operations nationwide, exemplifies the sector’s vulnerability to cyber threats. Source: HIPAA Journal

Emerging Tech

  • Health systems across the U.S. are accelerating partnerships with tech companies to embed AI into clinical care, operations and administrative workflows. Mayo Clinic partnered with hellocare.ai in June to advance ambient clinical intelligence, aiming to support early detection, reduce clinician workload and enhance proactive inpatient care. Northwestern Medicine entered a multi-year collaboration with PathAI to transform pathology diagnostics through AI, including joint research, clinical innovation programs and co-development of machine learning-powered diagnostic algorithms. Oracle Health, Cleveland Clinic and G42 announced a partnership in May to build an AI-driven platform for healthcare delivery in both the U.S. and UAE, leveraging national-scale data analytics, clinical applications and precision medicine tools. These partnerships reflect a push among health systems and tech companies to ensure AI tools are grounded in clinical realities while benefiting from technical expertise. Source: Becker’s Hospital Review

Fair Market Valuations

  • Healthcare organizations must follow eight documentation steps to maintain compliance during fair market value processes for provider compensation arrangements. The documentation requirements include gathering provider profiles, service descriptions, business justifications, productivity metrics, compensation terms, FMV analyses, contract documents, and team approvals to meet Stark Law and Anti-kickback Statute requirements. Organizations should seek third-party FMV opinions when arrangements involve high referral risk, complex compensation structures, or when internal resources lack access to market data sources and valuation expertise. Primary care and orthopedic specialties present higher referral risks compared to pathology or emergency medicine, while arrangements involving co-management, telehealth, or value-based payments require specialized valuation approaches. Many healthcare organizations are moving FMV reviews in-house to reduce costs and improve turnaround times, but must ensure they have the resources and training to conduct these reviews effectively. Source: VMG Health

Health Data

  • Four states sent personal health data from their insurance websites to technology companies including Google, LinkedIn, and Snapchat. Nevada’s exchange transmitted prescription drug names and dosages to LinkedIn and Snapchat, while Maine and Rhode Island sent prescription information and doctor names to Google through analytics tools. Massachusetts Health Connector shared whether visitors reported being pregnant, blind, or disabled with LinkedIn. The Markup and CalMatters discovered this data sharing through web trackers on state exchanges established under the Affordable Care Act after auditing websites from all 19 states that operate their own health insurance marketplaces. Nevada and Massachusetts stopped transmitting data to these companies after reporters contacted them about the findings. Source: The Markup

HIPAA

  • The U.S. Department of Health and Human Services is implementing new HIPAA regulations in 2025 to strengthen patient privacy and security. The updates respond to the rise of telemedicine, growing use of electronic health records, and a 264% increase in ransomware attacks against healthcare systems in 2024. Healthcare organizations must comply with expanded patient access requirements by July 2025 and update vendor management practices by December 2025, while implementing multi-factor authentication, data encryption, and penetration testing. The regulations include new protections for reproductive health information and requirements for AI tools and telehealth platforms to comply with privacy and security rules. Healthcare professionals express concerns about the cost and technical complexity of implementing these changes, particularly for small practices with outdated technology. Source: Security Boulevard

Legislation

  • Texas lawmakers passed legislation requiring food manufacturers to remove certain ingredients or add warning labels to products. The Texas House approved SB 25 on May 26, 2025, with bipartisan support, targeting ingredients like Red 40 and titanium dioxide that are banned in other countries. The bill requires manufacturers to either eliminate these substances or display warnings stating the ingredient is not recommended by authorities in Australia, Canada, the European Union, or the United Kingdom. High fructose corn syrup was removed from the prohibited list after food companies opposed its inclusion, though legislators rejected industry efforts to eliminate the warning label requirement entirely. The legislation now awaits Governor Greg Abbott’s signature and would take effect September 1, 2025. Source: The Daily Intake

Private Equity

  • Private equity investors maintain interest in healthcare services and technology companies despite higher borrowing costs and increased regulatory scrutiny as of mid-2025. Macroeconomic volatility has compressed valuations and extended deal timelines through the first half of 2025, but demographic trends and fragmentation among provider groups continue to attract growth-oriented capital. PE firms are targeting outpatient care models, physician specialty platforms, behavioral health services, home-based care, AI-driven clinical decision support, and value-based care platforms. Federal enforcement from the FTC and DOJ has intensified challenges to physician group consolidation, while state laws increasingly require material change notifications for healthcare mergers and acquisitions. Labor shortages and wage inflation present additional risks, particularly for home health, skilled nursing facilities, and behavioral health settings. Source: ArentFox Schiff

Wade Emmert

Partner & Healthcare Practice Group Leader

Board Certified, Health Law // Certified Information Privacy Professional (CIPP/US) // Artificial Intelligence Governance Professional (AIGP) // Certified in Cybersecurity (ISC2 CC)

Carrington, Coleman, Sloman & Blumenthal, LLP
