Hello Reader,

My message

Wade

What's New

• Academic Medical Centers
• Data Breach
• Fraud & Abuse
• Health Data
• Insurance Coverage
• Long-Term Care
• Medicare Advantage
• Mergers & Acquisitions
• Part 2
• Regulation

Academic Medical Centers

• ​The Department of Justice’s Final Rule implementing Executive Order 14117 creates significant restrictions for Academic Medical Centers engaged in international clinical research. The rule, published January 8, 2025, prohibits or limits transactions involving sensitive personal data with “Countries of Concern” including China, Russia, Iran, North Korea, Cuba, and Venezuela, targeting eight categories of “Covered Data” such as biometric identifiers, genomic data, and health information. Academic Medical Centers must review existing and proposed international collaborations, ensure vendors aren’t affiliated with designated countries, and implement enhanced data governance frameworks to maintain compliance. Violations carry severe penalties, including civil fines up to $368,136 or twice the transaction amount, and potential criminal penalties of up to $1 million and 20 years imprisonment for willful violations. Source: Foley & Lardner LLP​

Data Breach

• ​Vision Upright MRI has settled with the HHS Office for Civil Rights for HIPAA violations after a data breach exposed 21,778 patients’ medical images. The California-based imaging provider never conducted a required HIPAA risk analysis and failed to notify affected individuals within the mandatory 60-day timeframe following breach discovery. Under the settlement terms, Vision Upright MRI paid $5,000 and must implement a two-year corrective action plan including breach notifications, risk analysis, management plans, HIPAA-compliant policies, and staff training. Source: HHS.gov​

Fraud & Abuse

• ​The Department of Justice has prioritized False Claims Act theories in its criminal enforcement agenda. The Criminal Division’s top priorities include health care fraud and government contracts fraud, trade and customs fraud, and violations of controlled substances laws—all central focuses of False Claims Act enforcement. These enforcement priorities suggest the DOJ views civil FCA liability and criminal penalties as connected pathways in addressing high-priority misconduct. Businesses in regulated industries now face potential parallel criminal investigations alongside civil FCA scrutiny, making robust compliance systems increasingly critical. Recent changes to DOJ enforcement policies regarding self-disclosure, cooperation, and remediation further emphasize that compliance missteps may carry heavier penalties than before. Source: Skadden, Arps, Slate, Meagher & Flom LLP​

Health Data

• ​Patient data faces significant vulnerabilities when health tech companies fold, due to inadequate regulations and inconsistent security practices. Despite the health tech industry’s growth to $908.5 billion in 2023 with projections to reach $3.1 trillion by 2033, approximately 90% of health tech startups eventually fail, as exemplified by Forward’s abrupt closure in 2024 which left patients struggling to retrieve health records and maintain prescription access. Currently, only 20 states have instituted rules for patient health data protection, with most safeguards relying on user agreements that 91% of consumers don’t read, as seen when 23andMe’s bankruptcy prompted customers to rush to delete their data before possible transfer. Security experts recommend companies implement solid encryption, access controls, proper data deletion procedures with 30-day buffers, and rapid response plans to protect patient information when companies shut down. Source: Healthcare Brew​

Insurance Coverage

• ​The Tenth Circuit Court of Appeals has ruled that hospital excess liability insurance policies must treat each patient claim as a separate “medical incident.” The May 2, 2025 decision in AdHealth Limited v. PorterCare Adventist Health Systems affirmed that each claim must individually exceed the $2 million self-insurance retention to qualify for excess coverage. PorterCare had sought $40 million in coverage after settling lawsuits from thousands of patients exposed to infection risks due to inadequate sterilization procedures. The court rejected PorterCare’s argument that all claims constituted a single medical incident, instead interpreting the policy language “any one person” as unambiguously limiting coverage to individual claimants. The ruling highlights the importance of policy language in determining how multiple related claims will be treated for insurance purposes. Source: Carlton Fields​

Long-Term Care

• ​A federal court has struck down key provisions of the Centers for Medicare & Medicaid Services’ staffing mandate for long-term care facilities. The Northern District of Texas vacated requirements for 24/7 registered nurse staffing and minimum staffing ratios of 3.48 hours per resident per day that were set to begin implementation in May 2026. The court determined CMS exceeded its statutory authority by contradicting existing law that requires RN services for only eight consecutive hours daily and by imposing uniform staffing ratios that fail to account for facilities’ unique needs. This ruling follows the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo, which limits federal agencies to authority clearly delegated by Congress and enhances judicial oversight of regulatory actions. While providing regulatory relief, long-term care facilities should continue addressing staffing challenges and monitor potential appeals of this decision. Source: Troutman Pepper Locke​

Medicare Advantage

• ​UnitedHealth Group faces multiple federal investigations amid leadership changes and financial struggles. According to The Wall Street Journal, the Department of Justice has been conducting a criminal fraud investigation into UnitedHealthcare’s Medicare Advantage business since at least summer 2024, though the company claims no knowledge of such an investigation. This comes alongside an existing antitrust probe examining the relationship between UnitedHealthcare and Optum, plus a civil investigation into Medicare Advantage billing practices. UnitedHealth reported poor first-quarter performance in 2025 with medical costs exceeding expectations. The company’s stock has reached multi-year lows following these developments. Source: Fierce Healthcare​

Mergers & Acquisitions

• ​Healthcare transaction activity hit its lowest point since Q3 2020, with Q4 2024 volumes decreasing 10.4% from Q3 and 11.7% compared to Q4 2023. Professional Services, Outsourced Services, and Behavioral Health dominated the landscape, accounting for 73.2% of all transactions, with significant deals including New Enterprise Associates’ $1.3 billion acquisition of NeueHealth and Cencora’s $4.6 billion purchase of Retina Consultants of America. Despite an overall 4.9% decline in 2024 transactions compared to 2023, certain sectors showed growth, including Behavioral Health (+7.5%), Managed Care (+10.6%), and Specialty Outpatient Facilities (+14.0%). Healthcare investors continue to face regulatory scrutiny and elevated interest rates, though the incoming Trump administration is expected to create a more favorable M&A environment in 2025 with a less aggressive approach to merger regulation and potential tax cuts. Source: [Ankura](https://www.jdsupra.com/legalnews/quarterly-healthcare-transactions-4427961/

Part 2

• ​The U.S. Department of Health and Human Services has updated 42 CFR Part 2 to align substance use disorder record confidentiality requirements with HIPAA and HITECH standards. The New Rule allows patients to sign a single consent form for future disclosures rather than requiring separate authorizations for each disclosure, while also implementing HIPAA-like breach notification requirements. Penalties for violations now include both civil fines up to $1.5 million per calendar year and criminal penalties up to $250,000 with potential imprisonment from one to ten years. Healthcare entities subject to Part 2 must update their policies regarding patient consent, information disclosure, medical records, breach notification, privacy notices, and data storage. Organizations must comply with these new requirements by February 16, 2026 to avoid significant penalties in the increasingly stringent enforcement landscape. Source: Katton​

Regulation

• ​The Federal Trade Commission and Department of Justice have directed federal agency heads to identify anticompetitive regulations for potential elimination, with a focus on healthcare sector regulations. Following President Trump’s Executive Order 14267, agencies must submit their lists by June 18, 2025, to facilitate review of regulations that create monopolies, establish barriers to entry, or otherwise limit market competition. The May 5 joint letter specifically highlights concerns about healthcare regulations under the Affordable Care Act potentially pushing low-cost insurance plans out of the market and inducing vertical consolidation that raises prices. The letter also notes that pharmaceutical regulations may delay the introduction of more affordable medicines, though no specific regulations were identified for elimination. This initiative follows the DOJ’s launch of an Anticompetitive Regulations Task Force and the FTC’s Request for Information seeking public input on regulations with anticompetitive effects. Source: Epstein Becker Green​