This week

• Smart glasses from Meta, Google, and other tech companies pose significant legal risks across wiretap laws, healthcare privacy rules, workplace regulations, and disability rights because they record audio and video without any visible indication to people around the wearer, creating potential violations in everything from patient confidentiality to employee consent requirements.
• Privacy and data security have become make-or-break issues in M&A deals because buyers now face serious regulatory investigations, lawsuits, and operational headaches when they don’t properly assess a target company’s compliance with the complex web of US privacy laws, state breach notification requirements, and international data transfer restrictions that can derail deals and destroy value if overlooked.
• Ambulatory surgery centers are dangerously outpacing their operational capabilities by accepting higher-acuity patients with complex medical conditions before adequately upgrading their infrastructure, staffing protocols, and emergency preparedness systems, putting patient safety and regulatory compliance at serious risk.

Artificial Intelligence in Healthcare

• ​AI adoption in healthcare has moved from hesitation to integration, with roughly 40% of life sciences organizations reporting AI embedded throughout their operations. The speed of adoption is illustrated by AI scribes reaching 50% penetration across US healthcare systems in 18 months, compared to seven years for electronic medical records, with clinicians adopting the tools on their own initiative rather than through institutional procurement. Between 25% and 75% of healthcare practitioners, depending on jurisdiction, are already using AI to navigate patient histories, clinical questions, and treatment pathways, with the tools gaining traction primarily in workflow automation, scheduling, documentation, and data extraction. A structural barrier remains: approximately 80% of medical data is unstructured, sitting in PDFs, free text, and fragmented systems, creating opportunity for companies that can clean and contextualize that data for downstream AI use. On the investment side, standalone point solutions are losing ground to companies that can offer differentiated datasets, deep system integration, and auditable AI ecosystems, while the EU AI Act’s double layer of regulation on AI as a medical device risks raising costs and deterring innovators before the law is even fully in force. Source: McDermott​
• ​The Health Sector Coordinating Council has released an 87-page framework requiring healthcare organizations to integrate cybersecurity controls across the full AI lifecycle — from procurement and design through decommissioning. The framework covers clinical safety and ethics, privacy controls, generative AI and large language model risks, supply chain and concentration risks, and AI-specific incident response. Without governance structures in place, AI systems risk data leakage, operational disruption, bias, and patient harm. The HSCC recommends that organizations form an AI cyber governance committee composed of program leads, physician leaders, IT and security personnel, legal experts, and patient advocates. The framework is intended to complement, not replace, existing organizational governance activities. Source: TechTarget​
• ​Health care providers using AI face a layered web of state laws even as the federal government moves to assert national control over AI regulation. No comprehensive federal AI law exists, leaving states to apply technology-neutral statutes covering consumer protection, privacy, anti-discrimination, and professional licensing to AI use in clinical, administrative, and operational settings. California’s attorney general issued a legal advisory requiring health care providers to comply with existing state law — including unfair competition, professional licensing, anti-discrimination, and patient privacy laws — when deploying AI. On December 11, 2025, the Trump administration issued Executive Order 14365, directing the federal government to establish a national AI policy framework and to identify and challenge state laws that affect AI. Source: Reuters​

Privacy, Cybersecurity & Data Protection

• ​The California Supreme Court’s ruling in J.M. v. Illuminate Education Inc. narrows who qualifies as a “provider of healthcare” under the Confidentiality of Medical Information Act while lowering the threshold plaintiffs must meet to allege a breach. The court held that Illuminate, a K-12 education technology company whose software was used for educational planning rather than healthcare delivery, is not a provider of healthcare under the CMIA, reversing the Fourth Appellate District’s 2024 expansive interpretation. Under a new standard for Section 56.101, a CMIA violation requires showing a significant risk of unauthorized access or use, with no proof of actual viewing or affirmative disclosure required, though mere loss of possession is not always sufficient. The court also ruled that J.M. lacked standing under the California Customer Records Act because Illuminate’s contract was with the Ventura County Office of Education, rejecting the “intended beneficiary” theory and distinguishing “customer” from “consumer.” The opinion flagged AI-facilitated and automated cybercrime as a basis for declining to require proof of human viewing, and a concurrence indicated that encryption of sensitive data may shield companies from liability. Source: Cooley​
• ​AI PCs shift PHI risk from centralized cloud infrastructure directly onto endpoints, fundamentally restructuring HIPAA compliance obligations for healthcare organizations. Unlike traditional PCs, AI PCs run AI models locally on dedicated hardware, enabling clinical documentation, image analysis and point-of-care workflows without routing data through external systems — eliminating certain cloud-related exposure vectors but making each device a higher-value target. Clinical applications, EHR sessions and folders containing PHI must be explicitly excluded via enterprise policy from on-device features such as screen snapshots, semantic search indexes and ambient transcription, and AI PCs must generate immutable audit logs integrated into SIEM tools to satisfy HIPAA’s accounting of disclosures requirements. Retention policies must automatically purge AI caches and transcripts under minimum necessary principles, and devices must support remote wiping of AI data stores upon loss, theft or employee offboarding. Healthcare organizations should begin deployment with a use-case inventory identifying where local AI processing creates measurable workflow value, then conduct a HIPAA risk analysis specific to AI PC capabilities, while aligning with NIST Cybersecurity Framework 2.0, zero-trust principles and proposed HIPAA Security Rule updates — including multifactor authentication, encryption, network segmentation and continuous monitoring. Source: HealthTech Magazine​
• ​Privacy and data security now rank alongside intellectual property and employment as core diligence requirements in M&A transactions, exposing buyers to regulatory investigations, class actions, and operational disruption when compliance failures go undetected. The US regulatory framework is sector-specific rather than unified, meaning acquirers must map exposure across HIPAA, GLBA, COPPA, state consumer privacy laws, and biometric data statutes — each of which can affect valuation and integration strategy. Privacy policies function as enforceable legal commitments, and the absence of “transfer of assets” language in a target’s policy can block data sharing with a buyer absent additional notices or consent mechanisms. All 50 states and the District of Columbia impose breach notification requirements, and diligence should focus not merely on whether breaches occurred but on whether they were detected promptly, reported as required, and remediated — since gaps in incident response signal broader governance failures. Cross-border transactions face additional constraints under the GDPR and laws in jurisdictions such as China, where outbound data transfers may require regulatory approval, affecting both pre-closing diligence and post-closing data consolidation. Source: Morgan Lewis​
• ​Smart glasses from Meta, Google, and competitors create overlapping legal exposure under wiretap law, HIPAA, biometric statutes, the NLRA, and the ADA because the devices record audio and video without any visible cue that recording is occurring. Thirteen states require all-party consent to record a conversation, and because most smart glasses capture audio by default, wearers in those states cannot rely on implied-consent defenses that depend on a subject’s awareness of the recording. In healthcare settings, a staff member’s consumer smart glasses can constitute an impermissible HIPAA disclosure the moment the device captures a patient’s face, a chart, or a clinical conversation, and Meta does not sign business associate agreements, making its platform categorically incompatible with PHI workflows. Employers who issue blanket no-recording bans risk NLRA violations under the Stericycle standard, but narrowly drawn policies tied to specific confidentiality and safety interests — and confined to work time and work areas — have survived NLRB challenge, as seen in the January 2026 UPS ruling. Smart glasses also qualify as ADA-covered assistive technology for employees and patients with vision, hearing, or cognitive disabilities, meaning a flat refusal to permit their use, without engaging the interactive process or offering a conditioned accommodation, likely violates Title I or Title III. Source: Dickinson Wright Health Law Blog​

Fraud & Abuse Enforcement

• ​A royalty arrangement between an orthopedic medical device company and its physician consultants would violate the Federal Anti-Kickback Statute if the requisite intent were present. The arrangement would have paid physicians a percentage of net sales across an entire product line in exchange for services such as teaching, training, and reviewing clinical outcomes, with exclusions for sales tied to the consultants’ own procedures or facilities. The OIG found the compensation methodology still took into account business generated between the parties because royalty calculations reflected purchases resulting from consultants’ recommendations to other providers, and that teaching and proctoring roles placed consultants in positions to influence peers’ purchasing decisions. The OIG determined the arrangement qualified for no AKS safe harbor and posed risks of patient steering, skewed clinical decision-making, and increased costs to federal health care programs. Royalty and consulting arrangements remain common in the medical device industry and may be structured to satisfy a safe harbor or present low AKS risk, but compensation that varies with product sales will draw regulatory scrutiny. Source: Thompson Coburn LLP​
• ​The former CEO and a sales executive, along with a Texas physician and six marketers, agreed to pay a combined $2 million+ to settle False Claims Act allegations that they ran a kickback scheme disguised as managed service organization (MSO) investment distributions to induce laboratory test referrals billed to Medicare, Medicaid, and TRICARE. Susan Hertzberg, former CEO, and Matthew Theiler, former VP of Sales, each agreed to pay $600,000 to resolve allegations that from 2015 to 2017 they approved and implemented an arrangement in which marketers paid doctors kickbacks — including for medically unnecessary testing — disguised as MSO distributions, and expanded the scheme to a second Texas hospital after being warned to stop. Dr. Frederick Brown of Missouri City, Texas, agreed to pay $309,055 to resolve allegations that he received payments from two MSOs, Ascend MSO of TX LLC and Indus MG LLC, in exchange for ordering laboratory tests from Little River Healthcare and True Health Diagnostics LLC. Six marketers, including Thomas Gray Hardaway, William Todd Hickman, Ginny Jacobs, Scott Jacobs, and their associated entities, agreed to pay a total of $550,000 for their roles in distributing the kickbacks. The civil settlements for Hertzberg, Theiler, Brown, Hickman, and Hardaway are in addition to amounts owed in the related criminal case, United States v. Susan Hertzberg, et al., No. 6:22-CR-3-JDK (E.D. Tex.), bringing the DOJ’s total False Claims Act recoveries from MSO-disguised kickback schemes to over $61 million since 2019. Source: U.S. Department of Justice​
• ​Healthcare companies that self-disclose criminal misconduct to the DOJ under its March 2026 Corporate Enforcement and Voluntary Self-Disclosure Policy can avoid criminal prosecution entirely, but must voluntarily disclose to a DOJ criminal component, fully cooperate, remediate the misconduct, and have no aggravating factors or prior criminal adjudication within the past five years. Companies that fall short of full qualification still receive a 50%–75% fine reduction, while those that do not self-disclose at all receive no more than a 50% reduction. Healthcare entities may also self-disclose under the separate OIG Health Care Fraud Self-Disclosure Protocol, which covers criminal, civil, and administrative violations and yields a lower damages multiplier than OIG’s standard 1.5 times single damages, along with a presumption against integrity agreement obligations and suspended overpayment reporting requirements — but always results in some monetary penalty, unlike a full DOJ declination. Because OIG coordinates with DOJ on self-disclosure matters, conduct reported to OIG may still reach DOJ, and the two programs are not mutually exclusive. With DOJ white-collar prosecutions up more than 10% in 2025, OIG completing over 900 investigations in just six months of that year, and the Trump administration establishing a Task Force to Eliminate Fraud and a National Fraud Enforcement Division in early 2026, healthcare entities that fail to self-disclose face both the loss of these benefits and negative signaling to federal enforcers. Source: McDermott Will & Emery​

Medicare Payment & CMS Programs

• ​CMS confirmed that DMEPOS suppliers bidding in the Round 2028 Nationwide Remote Item Delivery competitive bidding area may use multiple locations collectively to satisfy state and local licensure requirements, so long as at least one included location holds any license required for a given state or area. Round 2028 will cover a nationwide competitive bidding area under a Remote Item Delivery model encompassing Class II continuous glucose monitors, insulin pumps, urological supplies, ostomy supplies, hydrophilic urinary catheters, and off-the-shelf back, knee, and upper-extremity braces. Small suppliers that cannot independently meet all state licensure requirements may form a network under 42 C.F.R. § 414.418, with contract eligibility based on the network’s collective compliance with enrollment, accreditation, and licensing requirements. CMS will screen all bids — for both lead and non-lead items — to verify they are bona fide, and may request narratives and documentation such as manufacturer invoices, price lists, letters of intent, or signed quotes showing that bidders accounted for all costs, overhead, and desired profit. Bidder registration and the bid window are targeted for late summer or early fall 2026, contract awards for late summer or early fall 2027, and the program is set to begin no later than January 1, 2028. Source: Foley & Lardner​
• ​CMS overhauled its Increasing Organ Transplant Access (IOTA) Model on June 1, 2026, with changes to participation rules, payment structures, and patient notification requirements taking effect July 1, 2026. The mandatory participation threshold rises from 11 to 15 kidney transplants per baseline year, and military and VA medical facilities are now excluded from eligibility. Payment calculations will now include Medicare Advantage patients alongside Medicare Fee-for-Service beneficiaries, with the maximum upside risk payment holding at $15,000. The composite graft survival rate will apply a risk-adjustment methodology adapted from the Scientific Registry of Transplant Recipients framework and will exclude dual-organ transplants other than kidney/pancreas combinations. Transplant hospitals must now notify Medicare beneficiary waitlist patients within 10 days when their status changes to ineligible for organ offers, including the reason, reactivation information, and notification to the patient’s dialysis facility and managing clinician. Source: CMS​

Employment & Benefits

• ​An overtime-exempt employee who occasionally performs nonexempt work retains exempt status under the FLSA so long as the employee’s primary duty remains exempt work. The U.S. Department of Labor’s Wage and Hour Division confirmed this in one of four opinion letters issued May 29, 2026, addressing a scenario in which hospital specialists took up to two nonexempt staff nurse shifts per week on weekends while receiving additional hourly pay — a practice DOL said does not violate the FLSA’s salary-basis requirement. A second letter held that a quarterly bonus calculated as a percentage of each employee’s total earnings — including both straight-time and overtime earnings — satisfies FLSA requirements, provided the bonus does not include amounts previously excluded from the employee’s regular rate and does not dilute the overtime portion of the ratio. The two remaining letters addressed compensability of off-site travel during meal periods and pre-shift activities and waiting time. The letters are part of DOL’s opinion letter program, relaunched in mid-2025, which is open to employers, employees, labor unions, and HR professionals. Source: HR Dive​
• ​The Departments of Labor, Treasury, and Health and Human Services have proposed a rule that would create a new category of limited excepted benefit for fertility services, allowing employers to offer standalone fertility coverage outside their major medical plans. Like dental and vision excepted benefits, fertility benefits structured under the proposal would be exempt from many ACA and HIPAA market reform requirements. To qualify, a plan must direct substantially all benefits toward diagnosis or treatment of infertility, cap lifetime benefits at $120,000 per participant, be offered separately from the primary group health plan, and include a written notice of limitations. Employees could enroll in the fertility benefit even if they decline other employer-sponsored coverage, and employers must make non-excepted group health coverage available. The rule is open for public comment, and if finalized, would take effect for plan years beginning on or after January 1, 2027. Source: Benefits Law Advisor​

Pharmaceutical Patent Litigation

• ​The U.S. Supreme Court unanimously held in Hikma Pharmaceuticals USA Inc. v. Amarin Pharma, Inc., that routine generic drug marketing activities do not constitute active inducement of patent infringement under 35 U.S.C. § 271(b). Justice Ketanji Brown Jackson, writing for the Court, replaced the Federal Circuit’s “could be read” standard with a requirement that the defendant “actively encouraged” infringing uses through “affirmative” steps. The case involved Hikma’s generic icosapent ethyl, approved under a skinny label covering only the unpatented severe hypertriglyceridemia indication, with Amarin’s patented cardiovascular-risk-reduction use carved out. The Court rejected each category of Hikma’s communications — including its label, press releases, website and patient information leaflet — as either compliance with law, omissions or statements too vague to constitute inducement. The Court noted that inducement need not be express but must be “clear” and “affirmative,” and it did not foreclose the possibility that other facts could satisfy the standard. Source: McGuireWoods​

Facility Operations

• ​Ambulatory surgery centers are taking on higher-acuity patients faster than their operational infrastructure can keep pace, driven by advances in anesthesia and minimally invasive techniques and pressure from payers to shift care to lower-cost settings. ASC patients increasingly present with comorbidities including cardiac and pulmonary conditions, diabetes, renal disease, obstructive sleep apnea, and obesity, creating greater anesthesia risk and postoperative monitoring demands. Clinical capability to perform a procedure does not equal operational readiness to manage every patient associated with it, and gaps frequently exist in emergency preparedness, pre-admission testing, staffing competency validation, medication management, and patient selection criteria. Accrediting organizations and regulatory surveyors are giving increased scrutiny to operational alignment as outpatient acuity rises, and centers that do not proactively assess readiness face elevated risks to patient safety, staffing performance, and regulatory compliance. ASCs that align clinical expansion with infrastructure investments — including updated policies, transfer and escalation protocols, and leadership engagement in daily operations — are better positioned for long-term growth. Source: VMG Health​