Wade's Health Law Highlights for May 19, 2026


May 19, 2026

Fraud, Abuse & Enforcement

  • CMS has imposed six-month, nationwide moratoria on new Medicare enrollment for hospices and home health agencies (HHAs), blocking initial enrollment applications and certain changes in majority ownership. The moratoria, coordinated with Vice President JD Vance’s Anti-Fraud Task Force, do not affect existing providers, who may continue serving Medicare beneficiaries. CMS has already suspended payments to 773 hospices and 23 HHAs suspected of fraud in Los Angeles alone, representing $70 million in suspended funds. This action follows an earlier moratorium on DMEPOS companies, bringing the total number of active CMS enrollment moratoria to three. Additional enforcement measures include nationwide hospice site visits, fingerprinting-based background checks for HHAs, a public hospice scoring system, and pre- and post-claim review of HHA claims in Florida, Illinois, Oklahoma, Ohio, North Carolina, and Texas. Source: CMS
  • Texas Children’s Hospital agreed to pay $10 million to settle healthcare fraud allegations brought by the Texas Attorney General stemming from the hospital’s billing of Texas Medicaid for gender-transition procedures using false diagnosis codes. Under the settlement, negotiated in coordination with the U.S. Department of Justice, the hospital must establish the country’s first detransition clinic — a multidisciplinary facility providing care to patients who underwent gender-transition procedures — with all services funded by the hospital and free to patients for the first five years. Five physicians who performed gender-transition interventions will be permanently terminated and barred from future employment or credentialing at the hospital. Texas Children’s also agreed to cease providing gender-transition services, implement compliance and ethics measures, and amend its bylaws to require automatic revocation of privileges for any physician who violates Texas law prohibiting such interventions on minors. Source: Office of the Texas Attorney General
  • Federal prosecutors, courts, and regulators are pursuing health care fraud on multiple fronts, with recent actions spanning investor fraud, kickback schemes, and fraudulent export pricing. On May 6, a federal judge sentenced Parmjit Parmar, former CEO of Constellation Healthcare Technologies, to five years in prison and over $125 million in restitution after he pleaded guilty to conspiracy to commit securities fraud in a $212.5 million scheme that fabricated subsidiaries, falsified financial records, and misled investors into a take-private transaction. Modern Nuclear Inc., a mobile PET scan provider, agreed on May 1 to pay $8.3 million to resolve False Claims Act allegations that it paid above-fair-market-value fees to referring cardiologists as kickbacks, and entered into a five-year Corporate Integrity Agreement with HHS-OIG requiring an independent compliance expert. The 11th Circuit upheld wire fraud convictions on May 5 against Byramji Javat and Luis Soto, who between 2014 and 2017 fraudulently obtained medical equipment at export-only prices and resold it domestically, with Javat sentenced to 10 years and Soto to six, plus joint restitution of $29 million. Separately, AbbVie, AstraZeneca, Novartis, and Sanofi petitioned the Ninth Circuit for en banc rehearing to challenge the constitutionality of the FCA’s qui tam provisions, arguing that empowering private parties to sue over conduct the executive branch never deemed unlawful violates Article II. Source: ArentFox Schiff
  • Fair market value compensation and Stark Law compliance do not shield healthcare arrangements from liability under the federal Anti-Kickback Statute (AKS). The HHS Office of Inspector General, in updated FAQ guidance, stated that AKS liability turns on a facts-and-circumstances analysis of the parties’ intent, and that fair market value is “not a dispositive defense” under the statute. Satisfying a Stark Law exception also provides no automatic protection, as the two laws exist for different purposes and operate under separate legal frameworks — for example, a hospital providing event tickets to a referral source may violate the AKS even if the underlying financial relationship fits within a Stark exception. Healthcare entities must evaluate arrangements under both laws independently and, because the AKS is intent-based, should maintain documentation of the legitimate business purpose behind any arrangement involving remuneration and referral relationships. Protection from AKS liability requires either full compliance with an applicable safe harbor or a well-documented showing that the arrangement’s facts and circumstances are consistent with the statute. Source: Thompson Coburn LLP

Corporate Practice of Medicine & Private Equity

  • California and Oregon have produced the first enforcement actions under state laws barring corporate control of medical practices, resulting in a $2.3 million penalty against Aspen Dental Management and a scrapped hospital staffing deal in Eugene. California Attorney General Rob Bonta found that Aspen Dental — backed by Leonard Green & Partners and Ares Management — exceeded its role as a back-office support organization and participated in managing dental practices, violating the state’s corporate-medicine ban. In Oregon, U.S. District Judge Mustafa Kasubhai ruled that hospital operator PeaceHealth’s plan to bring in Atlanta-based ApolloMD amounted to an end-run around the state’s ban on corporate control of medical practices, after which PeaceHealth agreed to retain the incumbent physician group, Eugene Emergency Physicians. Both states passed their laws last year, aimed at strengthening longstanding corporate-medicine bans — on the books in about 30 states — that had become ineffective through lax enforcement and private-equity workarounds such as the “friendly physician” model and support-organization structures. Vermont’s state Senate advanced similar legislation, and Bonta has signaled intent to go further than the California statute by targeting the friendly-physician model directly. Source: Wall Street Journal
  • California’s corporate practice of medicine doctrine is under active judicial and legislative pressure that threatens the continuity agreements at the core of MSO-PC structures used by private equity and telehealth platforms statewide. A trial court ruled in Art Center Holdings, Inc. v. WCE CA Art, LLC that a private equity-backed MSO engaged in the unlicensed practice of medicine by using a continuity agreement to exercise broad discretion over ownership transfers within a physician-owned professional corporation. On appeal, the California Attorney General filed an amicus brief arguing that any contractual mechanism allowing an MSO to effectuate a physician ownership change raises CPOM concerns, regardless of whether clinical decisions are directly affected, while the California Medical Association filed a competing brief on April 15, 2026, urging a facts-and-circumstances standard rather than a categorical prohibition. Two laws effective January 1, 2026 — SB 351, which codifies CPOM prohibitions targeting private equity and hedge fund control over clinical and operational functions, and AB 1415, which requires 90 days’ advance notice to the Office of Health Care Affordability before closing material health care transactions — reinforce the AG’s position at the legislative level. Because many health care organizations structure their agreements to comply with California law as a national baseline, an appellate ruling adopting the AG’s approach would carry compliance consequences well beyond California’s borders. Source: Faegre Drinker Biddle & Reath LLP
  • Private equity in healthcare and life sciences is shifting from financial engineering to operational value creation as valuation resets, constrained capital, and higher financing costs force investors to be more disciplined. The market has bifurcated: differentiated assets still command premium prices, while lower-tier assets face wider bid-ask spreads, longer negotiations, and more structural complexity. Investors are sourcing under-the-radar businesses with niche dynamics, diversifying across healthcare segments, and driving portfolio companies through leadership changes, M&A, and pricing improvements rather than relying on multiple expansion. On AI, the most durable assets are seen as those grounded in physical products, specialist infrastructure, and embedded services—such as medical devices and critical care—while AI’s most credible near-term use cases are workflow automation, scheduling, and administrative efficiency rather than platform-level disruption. Continuation vehicles are gaining use as exit pathways remain constrained, but require a track record of performance, a credible path to exit, and clear alignment between general and limited partners. Source: McDermott Will & Emery

AI in Healthcare

  • The Pennsylvania State Board of Medicine filed suit against a generative AI company for the unauthorized practice of medicine, alleging that its platform enabled users to create chatbot characters posing as licensed health care professionals. During its investigation, state regulators interacted with a chatbot identified as a “doctor of psychiatry” that had logged over 45,000 user interactions, provided a false medical license number, and offered to conduct a mental health assessment. The Board is seeking an injunction to bar the platform from continuing to operate in this capacity. The action follows a February 2025 Federal Trade Commission injunction against an AI platform marketing itself as a “robot lawyer” for the unauthorized practice of law, and New York legislation introduced in 2025 to prohibit AI chatbots from impersonating licensed professionals. California, Illinois, Nevada, Utah, and Maine are among the states moving toward similar regulatory measures. Source: MG+M The Law Firm
  • Healthcare organizations deploying AI must navigate a layered compliance framework that begins with HIPAA but extends well beyond it. PHI — defined as individually identifiable information created, used, or disclosed in the course of treatment, diagnosis, or billing — cannot be processed through publicly available AI models, and any use must either fall within HIPAA’s treatment, payment, or operations exceptions or be covered by a valid authorization under 45 CFR 164.508, which carries technical requirements distinct from a standard consent form. Even when a TPO exception applies, PHI cannot be used to train a general-purpose model without a proprietary closed-loop system, appropriate permissions, and destruction protocols. Business associate agreements with AI vendors must expressly address processing, aggregation, de-identification, and data transmission, and HIPAA functions only as a regulatory floor — states including California, Washington, and Colorado impose additional or more restrictive requirements that organizations operating across state lines must separately evaluate. Ownership of AI training data and model outputs must be allocated by contract, and AI tools providing clinical decision support may also trigger FDA regulation. Source: Morgan Lewis
  • All 20 AI scribe vendors approved by the Ontario government for use by healthcare providers produced inaccurate or incomplete medical notes in tests conducted by the province’s auditor general. Nine vendors hallucinated patient information, 12 recorded information incorrectly, and 17 missed details about mental health issues discussed in two simulated patient-doctor conversations. Errors included fabricated referrals for blood tests or therapy, incorrect medication names, and omitted mental health details — findings the auditor general concluded could result in inadequate or harmful treatment plans. Despite these results, the accuracy metric accounted for only 4 percent of a vendor’s approval score, while a metric for domestic presence in Ontario carried 30 percent weight, meaning a vendor could score zero on accuracy and still gain approval. The auditor general recommended that IT departments require physicians to confirm review of AI-generated notes before those notes are entered into patient records. Source: Ars Technica

Prior Authorization & Payer Reform

  • CMS regulations and health plan voluntary commitments are reshaping prior authorization through two parallel tracks: process reform and reduction in the number of services requiring authorization. CMS’s 2024 Advancing Interoperability rule imposed requirements on certain health plans covering electronic prior authorization technology, approval timelines, and public reporting, with major provisions taking effect in 2027; a proposed 2026 rule would extend similar requirements to medications covered under a health plan’s medical benefit. In June 2025, AHIP and Blue Cross Blue Shield Association members pledged to approve at least 80% of prior authorization requests in real time when submitted electronically, standardize the submission process, ensure all denials are reviewed by a licensed clinician, and maintain continuity of care across plan changes — commitments that also apply to commercial plans outside CMS’s jurisdiction. On the volume side, health plans have eliminated 11% of prior authorizations since the 2025 pledge, representing 6.5 million fewer authorizations, and at least one national plan has committed to eliminating authorization requirements for 30% of services. Key uncertainties remain around whether providers — particularly those in rural areas or with fewer resources — will be positioned to use the new electronic systems once health plans are required to implement them in 2027. Source: McDermott+

HIPAA, Data Privacy & Cybersecurity

  • Healthcare data breaches cost an average of $9.77 million per incident — the highest of any industry for 13 consecutive years — because traditional document systems cannot enforce HIPAA at the architecture level, leaving audit logs editable, records alterable, and access controls subject to drift. HIPAA’s Privacy Rule, Security Rule, and HITECH Act require minimum necessary access, technical safeguards for electronic PHI, and breach notification obligations, with penalties for uncorrected willful neglect reaching $50,000 per violation and $1.9 million per category annually — and any third-party platform handling ePHI must execute a Business Associate Agreement before storing a single record. Blockchain addresses the compliance gap by making records immutable, generating cryptographic hashes that detect any alteration, and enforcing role-based access through smart contracts rather than manual permissions, satisfying all four technical safeguards required by NIST Special Publication 800-66r2. Current applications include patient consent forms recorded with timestamps and non-repudiation, treatment agreements with full version histories, and billing claims linked to verified documents — a structure that targets the $68 billion in annual U.S. healthcare fraud driven largely by billing manipulation. Implementation requires AES-256 encryption before data touches the blockchain, role-scoped access configured to the minimum necessary standard, a Business Associate Agreement executed prior to launch, and quarterly audits covering activity logs, smart contract behavior, and access permissions. Source: Vocal Media


Employment & Labor

  • ViaQuest Residential Services agreed to pay $975,000 to settle a federal lawsuit alleging it misclassified home health Program Managers as overtime-exempt under the Fair Labor Standards Act. Kenneth Simmons filed suit in January 2023, arguing that Program Managers spent the bulk of their time on direct patient care rather than managerial duties, making them nonexempt regardless of their titles; 106 current and former Program Managers ultimately joined the case. Under the FLSA, white-collar exemptions require that an employee’s primary duty be executive or administrative in nature — job titles and written job descriptions are not dispositive. Healthcare employers face heightened exposure because supervisory employees in that sector routinely perform both managerial and patient-facing tasks, and a misclassification applied uniformly across a role can affect every employee holding that position. Periodic classification reviews measured against the FLSA’s primary duty test, conducted with counsel, can identify misclassification before it produces collective or class action liability. Source: Sheppard


Wade Emmert

Partner & Healthcare Practice Group Leader

Board Certified, Health Law // Certified Information Privacy Professional (CIPP/US) // Artificial Intelligence Governance Professional (AIGP) // Certified in Cybersecurity (ISC2 CC)


901 Main Street, Suite 5500, Dallas, TX 75202


Carrington, Coleman, Sloman & Blumenthal, LLP
