The Health Record - Healthcare Law Insights, V 2, Issue 10, 2025


Welcome to our tenth issue of 2025 of The Health Record -- our healthcare law insights e-newsletter. 

In this edition, we look at pharmaceutical tariffs, HIPAA compliance challenges for small medical practices, the impacts of inflation on medical malpractice claims, current trends for cyber insurance claims and ransomware losses, the effect of private equity ownership of hospitals, the use of AI to process Medicare claims, and the potential regulation of AI in healthcare. We also tap our own Emily Merritt as she discusses immigration and the latest regarding the H-1B visas. 


Trump’s Pharma Tariffs could Raise Drug Prices for Consumers, but Exemptions may Blunt Impact

“In a Truth Social post, Trump said that any branded or patented pharmaceutical products brought into the U.S. would face a 100% tariff starting Oct. 1.”

Why this is important: The Trump administration recently imposed a 100 percent tariff on imported pharmaceuticals. Ostensibly, this new tariff could significantly raise prices and restrict availability for foreign-produced drugs. However, a number of exemptions may limit the impact of the tariff. For instance, the tariff does not apply to generic medications, which account for nine out of ten prescriptions filled in the United States.

Countries that have already negotiated tariffs with the Trump administration are also likely to be exempted. For those who are not exempted, new tariffs could derail future drug development and raise prices. --- Bryan S. Neft


HIPAA Compliance Challenges for Small Medical Practices

“Despite financial constraints, HIPAA compliance and cybersecurity are not optional.”

Why this is important: Compliance with HIPAA Rules can pose considerable challenges for small and medium-sized medical groups due to limited financial resources, forcing them to make difficult decisions as to the allocation of funds. Profits and revenue boosts often take precedence over HIPAA compliance and cybersecurity improvements, but the latter are not optional and cannot be ignored. In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has made it clear that small medical practices will be penalized for non-compliance. These groups have increasingly been targeted by hackers and ransomware groups, which find them less prepared than larger medical groups that often have dedicated HIPAA and cybersecurity staff. OCR’s data shows alarming increases in hacking-related data breaches and ransomware attacks between 2018 and 2023.

Despite easy access to HIPAA Rules and readily available resources created by OCR to help small medical groups achieve and maintain compliance, there are several areas where they typically fall short. First, these small medical groups often fail to document all HIPAA compliance efforts, which is the first inquiry OCR makes when investigating complaints of a data breach. Second, small medical groups are also required to conduct an accurate and comprehensive risk analysis in the event of a data breach investigation. Failure to conduct this mandatory risk analysis is the most commonly identified HIPAA violation. Risk analysis should be conducted annually, or sooner in the event that new technology is incorporated in the practice’s operations. The Department of Health and Human Services has created useful tools to assist small and medium-sized medical groups with the risk analysis process.

Other areas where small and medium-sized medical groups fall short are regular staff training on HIPAA policies and procedures and security awareness; maintaining business associate agreements with all vendors; implementing strong access controls to IT systems; developing and testing an incident response and business continuity plan; prioritizing cybersecurity spending in order to secure emails, protect against malware, and encrypt sensitive data; and keeping up with regulatory changes.

HIPAA compliance is an ever-evolving and continuous process that requires an appropriate investment in time and resources to avoid costly and disruptive OCR investigations. If your organization needs help in establishing and/or maintaining HIPAA compliance, please contact a member of Spilman’s Health Care Practice Group for assistance. --- Jennifer A. Baker


Inflation Drives $4 Billion Surge in Medical Malpractice Losses Over Past Decade

“Rising economic factors and lawsuit abuse push medical malpractice claim costs to decade highs, The Doctors Company reports.”

Why this is important: If you made a bet that nuclear verdicts were on the rise in medical malpractice cases, then pack your bags for Vegas because you just hit black on the roulette table. It seems that every day brings a new record verdict in a medical malpractice case. Well, it might not be every day, but year over year, those “wow” verdicts that make the hair on the back of your neck stand up have been happening at a much higher rate. This article goes in-depth on the underlying numbers, and while there is no silver bullet to explain why nuclear verdicts are on the rise, what is undeniable is that they are increasing in number and should be considered when evaluating the value of a case. --- Matthew W. Georgitis


Cyber Insurance Claims Fall but Ransomware Losses Increase

“Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience.”

Why this is important: Healthcare has long been targeted by cybercriminals due to the high value of patient records, and the fact that hospitals cannot tolerate disruption, as it risks patient safety. The industry is extensively targeted by ransomware groups as there is a higher probability that the ransom will be paid to prevent the publication of stolen data and ensure a fast recovery. Data on cyberattacks indicate that providers are improving in attack prevention, but successful attacks are resulting in higher payouts.

A potential cause of cybersecurity gaps is a focus on compliance with the HIPAA Security Rule, which is more than two decades old. A focus on compliance may help avoid penalties by regulators, but may not be effective in reducing risks or adequately protecting against modern threats. To address these gaps, practices should prioritize improving their cybersecurity posture by, among other things, implementing training programs that address phishing, social engineering, and proper data handling procedures. --- Joseph C. Unger


Private Equity Hospitals have Fewer Staff in Emergency Rooms, and More Deaths, Study Finds

“Private equity firms reduced staffing and salaries in those emergency departments, and researchers suggested that could be tied to the increased mortality in the emergency departments.” 

Why this is important: A recent study by researchers at Harvard Medical School, the University of Pittsburgh, and the University of Chicago, published in the Annals of Internal Medicine, found that hospitals experienced increased mortality in the emergency department after being acquired by private equity. Specifically, emergency departments in hospitals owned by private equity were found to have had seven more deaths per 10,000 visits than hospitals not owned by private equity. Additionally, the study found that private equity hospitals transferred patients more frequently. This study, which is not the first to look into patient safety concerns with private equity ownership of hospitals, suggests that reduced staffing and salaries for personnel in the emergency departments could be the cause of the increases in mortality rates and patient transfers. --- Brienne T. Marco


AI will Soon have a Say in Approving or Denying Medicare Treatments

“It will affect Medicare patients, and the doctors and hospitals who care for them, in Arizona, Ohio, Oklahoma, New Jersey, Texas, and Washington, starting Jan. 1 and running through 2031.”

Why this is important: The Center for Medicare Services is expected to begin a pilot program to utilize AI technology to weed out wasteful “low-value” services. The process will be akin to a process of prior authorizations. The timing of the announcement was awkward, given that the Trump administration had previously unveiled a voluntary effort by private health insurers to revamp and reduce their own use of prior authorizations. The pilot will initially target procedures involving skin and tissue substitutes, electrical nerve stimulator implant, and knee arthroscopy on the belief that those procedures are particularly vulnerable to fraud, waste, and abuse. There is real concern in the medical community that the AI initiative is designed to reduce medical services and create a process whereby a patient has to appeal a denial to potentially obtain coverage. A majority of physicians surveyed believe that the denials will exacerbate avoidable patient harms and escalate unnecessary waste. There is also a fear that the program will not be transparent as to what will or will not be covered, leaving patients without needed and traditionally offered care. --- Bryan S. Neft


States are Ramping Up AI Regulation. How should Healthcare Respond?

“Industry leaders should engage with state lawmakers on AI bills, given many legislators have limited experience with the technology or in healthcare more broadly, experts said during a HIMSS summit.”

Why this is important: With the use of AI spreading throughout our economy, there has been a significant increase in proposed legislation to regulate it. The rise in this proposed legislation is at the state level. Over 1,000 AI-related bills have been introduced in state legislatures throughout the country. That is an increase of 300-500 AI bills from 2024. There is a need for these state-level laws regulating healthcare-related AI technology due to the federal government’s lack of oversight and desire to deregulate the development of AI. 

Many of these bills prohibit or require monitoring of the use of AI by insurers to handle claims. Large insurers like UnitedHealthcare, Humana, and CVS have already been subject to governmental scrutiny and have even been sued for using predictive algorithms to deny claims. In one class action, UnitedHealthcare was sued because its claims-handling AI had a high error rate when evaluating claims, it overruled the patients’ physicians’ recommendations, and UnitedHealthcare refused to have the decisions reviewed by a human reviewer. Humana was sued because its claims-handling AI allegedly denied rehabilitation care for elderly patients despite recommendations made by the patients’ physicians. Cigna was also subject to a class action because its claims-handling AI denied claims without a human review. These lawsuits also included claims of disparate impact, lack of human oversight, and that the AI algorithms included biased data. State legislators are seeking to ensure that if AI is used to handle insurance claims, the process is neutral, fair, and has human oversight. 

State legislators are also concerned about the impact the use of AI has on mental health. Increasingly, people are turning to mental health chatbots for mental health issues. There is a concern that AI is not capable of delivering effective mental health care. More alarming are the cases of teenagers who have died by suicide after being consumed by their relationship with AI. State legislators are seeking to understand these issues and ensure proper safeguards are in place to protect people when they are at their most vulnerable. 

As with all new technologies, the technology often is far out ahead of regulation. State legislators are now playing catch-up and trying to not only understand AI, but also reel it in before their constituents are harmed by it. Time will tell whether these efforts will be successful. --- Alexander L. Turne


Featured Attorneys Question & Answer

This is our Featured Attorney Q&A to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting attorneys in each issue by asking them a healthcare-related question. We hope their responses will be insightful for you.

Emily R. Merritt

Associate

Q: As someone well-versed in labor and employment law, we wanted to get your thoughts regarding two key issues affecting the healthcare industry: immigration and H-1B visas. With all of the activity related to immigration issues and the latest regarding the fees for H-1B visas, what are your best suggestions for healthcare facilities moving forward in this changing environment? 

A: There are several impacts on human resources when it comes to this administration, and many things to be aware of that may be coming. This is especially true for the healthcare industry. As we all know, the Executive Order “Protecting the American People Against Invasion” stepped up the enforcement of immigration laws through the U.S. Immigration and Customs Enforcement, the U.S. Department of Homeland Security, and the U.S. Department of Health and Human Services. This includes the enforcement of the Immigration and Nationality Act, and, as such, civil penalties, removal, and detention have increased.

All businesses are subject to I-9 audits and ICE raids. It is imperative that you keep accurate records, such as I-9 forms and any supporting documents. But keeping accurate records may not be enough. We suggest having legal counsel conduct an internal audit to ensure you have proper documentation, and it is very important that your employees have an established process to maintain those records and that they know how to respond to any worksite enforcement actions. ICE raids can be chaotic, so it is recommended that you train your employees on how to react in those situations. Training is key and can make an ICE raid just another component of a daily routine.

On September 21, 2025, changes were implemented for H-1B visas. The “Restriction on Entry of Certain Nonimmigrant Workers” imposes a $100,000 fee on new H‑1B visa petitions filed by employers for beneficiaries who are outside the U.S. This does not apply to H‑1B renewals, extensions, or petitions filed before the effective date. That being said, the American Hospital Association has asked that healthcare workers be exempt, and the American Medical Association petitioned DHS to exempt physicians, residents, and fellows. The impacts on the healthcare industry could be far and wide. Recruitment can suffer, the availability of trained and experienced staff will decrease, and the obvious financial impacts can be significant. This is especially true for healthcare facilities in rural areas. And, of course, this is all subject to litigation and regulatory impacts. As quickly as this new policy came down, it can just as quickly pivot. We will be watching for any clarifications and will be reporting any updates.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Spilman Thomas & Battle, PLLC

Written by:

Spilman Thomas & Battle, PLLC