
Volume 3, Issue 5, 2026

Welcome


Welcome to our fifth issue of 2026 of The Health Record -- our healthcare law insights e-newsletter.

 

In this edition, we look at an increase in the frequency and severity of hacks on AI-enabled medical devices, the impact of workplace violence in the healthcare setting and what is being done to address it, recent trends in the occurrence and cost of malpractice litigation, the data breach that affected CMS, the data breach that affected Hims and Hers, medical debt lawsuits filed by Virginia hospitals, the patchwork of regulations governing health data, and North Carolina’s new Medicaid funding plan. In our Featured Attorney Q&A, Sara Chapman, a former Assistant General Counsel for a large medical center, shares her best advice for in-house attorneys on working with outside counsel.

 

We also invite you to join us at the following events:

  

DRI 2026 Employment and Labor Law Seminar, Boston, MA, May 20-22

This comprehensive seminar provides practitioners and HR professionals with a sharp, practical update on the legal and compliance issues shaping today’s workplace. Our own Eric Kinder is the Committee Vice Chair and will be speaking. Click here to learn more.

 

Spilman’s SuperVision Labor & Employment Symposium, Charleston, WV, June 18

2026 Workplace Masterclass: L&E Compliance, AI, & the Brave New Employment Landscape: A fast-moving, high-impact seminar for employers navigating the modern workplace. Join Spilman attorneys for our full-day SuperVision Symposium, designed to inspire confidence in navigating complex employment decisions. This complimentary symposium is tailored for business owners, C-suite executives, HR professionals, and anyone who manages employees. Dive into a day of valuable insights on employment topics such as AI, investigations, litigation, immigration, labor law, accommodations, and much more. Spend the day with us and leave armed with strategies and solutions to tackle the ever-changing world of labor and employment law. Please click here to learn more and register.

 

Thank you for reading!



Brienne T. Marco

Member, Chair of the Corporate Department, Co-Chair of the Health Care Practice Group, and Editor of The Health Record

Frequency and Severity of Hacks of Medical Devices Increasing

“Adoption of AI-enabled and AI-assisted medical devices is increasing, despite serious concerns about the cybersecurity risks associated with the devices, and legacy devices continue to be used past end-of-support, despite those devices containing known and unpatched vulnerabilities.”

 

Why this is important: This is important as the use of AI-enabled medical devices continues to rise. However, confidence in the ability to mitigate the cybersecurity risks has not. Outside counsel and in-house attorneys must be vigilant in dealing with the review of these devices and paying close attention to the changing legal landscape surrounding their use. In modern healthcare, cybersecurity is now a huge part of patient safety, and AI technology continues to change at a rapid rate. A single breach in an AI medical device is not just a data leak; it is a potential clinical shutdown that delays patient care. This is why healthcare leaders must integrate legal and compliance into the beginning of the procurement process to ensure that risks are translated into clear leadership decisions. --- Sara E. Chapman

'Many of Us Don't Feel Safe': Emergency Doctors Urge Congress to Help with Violence

“They are also pushing Congress to pass the Save Healthcare Workers Act, a measure that would make it a federal crime to attack employees of hospitals and healthcare organizations.”

 

Why this is important: Workplace violence in emergency departments has reached a crisis point, and this article highlights why federal legislative action can no longer be deferred. According to a 2024 poll of members of the American College of Emergency Physicians, 91 percent of emergency physicians reported that they or a colleague were victims of violence in the past year. Beyond the human toll, the American Hospital Association estimates the cost of hospital violence reached more than $18 billion in 2023. The constant threat of assault is driving healthcare workers out of the field entirely, compounding existing shortages of nurses and physicians and threatening care access for patients. The bipartisan Save Healthcare Workers Act would make it a federal crime to assault hospital employees – creating the kind of deterrent that already exists for airline workers – yet the measure has stalled repeatedly despite broad support. For healthcare organizations focused on workforce stability, compliance, and operational resilience, this issue sits squarely at the intersection of patient safety, staff retention, and regulatory risk, making continued advocacy on this front both a strategic and ethical imperative.

--- Brienne T. Marco

Malpractice Lawsuits Decline, but Medical Liability Costs Keep Rising

“The results offer a snapshot of how legal risk continues to influence practice economics, specialty choice, and geographic variation.”

 

Why this is important: This article discusses the trends for malpractice claims and the rising insurance premiums with a statistical analysis of the same. While the trend lines are dependent on the field of medicine, the issue and the location of the claims, it is interesting to note that overall claims are declining, but insurance premiums are increasing. What this article does not analyze is whether verdicts and settlements over the past 10 years have outpaced inflation and/or present value, such that an increase in premiums could be a result of said increases in verdicts and settlements. Regardless of the cause, much like taxes, insurance premiums are a cost that will always be embedded in the healthcare industry. --- Matthew W. Georgitis

Centers for Medicare and Medicaid Services Exposes Doctors’ Social Security Numbers

“The exposure is linked to a CMS provider directory data intended to help improve accuracy of insurer networks.”

 

Why this is important: The Centers for Medicare and Medicaid Services (CMS) recently took the National Provider Directory offline after the Trump administration inadvertently exposed Social Security numbers of at least 100 health providers in a downloadable data file in a part of the directory that is primarily intended for insurers and researchers. Launched in July 2025, the National Provider Directory is a database accessible by the public that allows beneficiaries to find providers who accept Medicare and Medicaid. CMS blamed user error on the part of healthcare providers for the Social Security numbers being entered in the wrong place. CMS assures the public that the inadvertent disclosure is being addressed internally and that patients using an online search tool likely would not have been able to access this sensitive information, while also acknowledging that there are areas where data integrity processes could be strengthened. Some privacy officials are sounding the alarms that privacy safeguards need to be bolstered to avoid such inadvertent disclosures. --- Jennifer A. Baker

Support Platform Breach Exposes Hims & Hers Customer Data

“The exposed data may include names, contact information, and other details related to the support requests people filed.”

 

Why this is important: As healthcare companies continue to be a magnet for hackers, the latest notable victim is Hims & Hers, one of America’s largest direct-to-consumer telehealth brands, with annual revenues approaching $1 billion. On February 4, the company detected suspicious activity on its third-party customer service platform, and following an investigation, found that between February 4 and 7, attackers had accessed or stolen customer service tickets without authorization.

 

It is common practice for healthcare companies to outsource their customer support to third-party platforms; however, every one of those platforms then becomes another door for a hacker to try to get through. In this instance, it was just customer service tickets that were stolen, and the company has confirmed that no medical records or doctor communications were compromised. Nevertheless, when it comes to healthcare companies handling such sensitive conditions, even a list of names and contact details is information people want to keep private.

 

This instance is another reminder of how important agreements are with third-party service providers. We must ensure they are held to a high standard for data privacy and security, and that protections and protocols are included should a data incident occur. Spilman Thomas & Battle can assist with the review and drafting of provisions to ensure you and your customers’ data are protected. --- Suzanne Y. Pierce

Virginia Hospitals Filed More than 1 Million Medical Debt Lawsuits Since 2010, a New Report Finds

“Researchers say many cases begin with unclear pricing and billing, and can escalate into wage garnishment and financial hardship.”

 

Why this is important: According to Stanford and George Washington Universities, research reveals that Virginia hospitals filed 1.15 million lawsuits against patients between 2010 and 2014 in an effort to collect over $1.4 billion in medical debt. More than one-third of these lawsuits led to wage or bank account garnishments. Cynthia Fisher, founder of PatientRightsAdvocate.org, which advocates for healthcare price transparency, argues that these practices are unfair to the American worker, as the medical facilities often do not have to prove that the charges were appropriate. Fisher further explains that patients receive care without any disclosure of anticipated charges, which are often billed weeks and/or months later. Patients often find that their accounts are being sent to collections before they have even learned of the amount owed and/or had an opportunity to dispute the charges. While there is a federal law, the Hospital Price Transparency Rule, that requires hospitals to post their prices online, Fisher hopes to expose other questionable practices such as up-charges for minuscule considerations, i.e., paying 10 times the price of an aspirin, and bills that are “up-coded” where the service is listed at a higher level than what was actually performed. VCU Health, which filed the most court actions against patients between January 2018 and July 2020, says they are taking a closer look at the data, but also expresses concerns about its integrity. UVA Health spokesperson Eric Swensen says that it has not filed lawsuits against patients since 2019, opting instead to expand financial assistance, including discounts and lien elimination. --- Jennifer A. Baker

Consumer Health Data’s Regulatory Patchwork is Growing. Relief isn’t Coming.

“Healthcare organizations are struggling to navigate the compliance landscape amid a pullback in federal enforcement, a wave of state legislation and emerging voluntary initiatives, experts say.”

 

Why this is important: The U.S. system for protecting health data is appearing increasingly outdated as patients share more personal information through apps, wearable devices, and AI tools. HIPAA, the primary federal health privacy law, was designed for healthcare providers and insurers, not for the large number of consumer technology companies that now collect and process sensitive health information. As a result, more health data is falling outside traditional federal protections.

 

Experts argue that federal enforcement has become inconsistent and fragmented. Although previous efforts attempted to expand oversight of consumer health data, current enforcement priorities are less clear, and responsibility is spread across multiple agencies that do not always coordinate effectively. This has created uncertainty for organizations trying to comply with privacy requirements.

 

In response, many states have begun passing their own consumer health privacy laws. These laws impose different requirements depending on the state, the type of organization, and the type of data involved. The growing number of state laws has created a complicated regulatory patchwork that companies and consumers must navigate.

 

Consumer behavior is also changing faster than regulation. Patients increasingly value convenience and access to their information and are voluntarily entering sensitive medical details into AI tools and health apps without fully understanding how that information may be used, shared, or sold. Experts warn that this trend is moving health data into environments with fewer protections and greater exposure risks.

 

At the federal level, comprehensive privacy legislation appears unlikely in the near future because lawmakers remain divided on major issues such as whether federal law should override state laws and whether individuals should be able to sue for privacy violations directly. As a result, healthcare organizations are encouraged to prepare for stricter and more varied state regulations while also educating patients about the risks of sharing health information through unsecured channels. --- Shane P. Riley

Stein Signs $319M Medicaid Funding Plan, Extending Healthcare Coverage in NC

“More than 3 million North Carolinians rely on Medicaid for healthcare.”

 

Why this is important: On April 30, 2026, North Carolina Governor Josh Stein signed into law a $319 million Medicaid funding plan designed to prevent the program from running out of money by the end of May. The bill passed with nearly unanimous support in the General Assembly, securing healthcare for the more than 3 million North Carolinians who rely on the program. The law implements a three-month lookback period for work-requirement verification, which is more restrictive than the federal one-month lookback. The bill also requires that patients pay the most in copays allowed by federal law, which 14 organizations, including the American Cancer Society, warn will deter patients who need medical care from seeking such care. Further, some Democrats opposed the bill because approximately 27,000 pregnant women and children, the most vulnerable populations, would be denied coverage because of their immigration status, including victims of human trafficking, green card holders and others with legal status. This law is only a short-term fix, as the program is faced with a $1 billion cost increase in the next fiscal year. --- Lynn P. Michael

Featured Attorneys Question & Answer

This is our Featured Attorney Q&A to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting attorneys in each issue by asking them a healthcare-related question. We hope their responses will be insightful for you.

Sara E. Chapman

Senior Attorney

Office 304.697.8580

schapman@spilmanlaw.com


Q: As the former Assistant General Counsel for a large medical center, you have a unique perspective when it comes to healthcare legal risk management, regulatory matters, and operational compliance. What is your best advice for in-house counsel when dealing with these issues, potential litigation and utilizing outside counsel?


A: Having served as General Counsel for a major medical center, I’ve learned that healthcare risk management isn’t just about knowing the law; it’s about translation and relationships. You are the bridge between the rigid requirements of regulatory compliance and the fluid, high-stakes reality of clinical operations. New issues arise constantly, and no amount of planning could ever prepare you for most of them. Often, the questions fall in a gray area for which you have no clear direction.


You also must have the ability to talk to people from various specialties, who frequently do not have much time to listen to a long legal explanation. The most important thing you can do is learn how to efficiently provide information that is easy to digest. The most successful in-house teams don’t act as a roadblock; they act as strategic partners. The goal is to translate complex hurdles into purposeful information. When clinical staff understand the why behind a policy, compliance becomes a shared mission rather than a burden.


Successful in-house attorneys use outside counsel for their technical specialty, but remember that they do not know the landscape of your company as well as you do as the in-house attorney. Outside firms know the law, but you know the culture and the specific risk tolerance of your board. This is why it is imperative to collaborate with outside counsel. You have a unique perspective on your company that should not be undervalued. Provide them with the political and operational nuances of the facility so they can deliver functional business solutions rather than abstract legal theories.


At Spilman, we pride ourselves on building relationships with our clients and getting to know the nuances of their business and their level of risk tolerance. We consider ourselves to be strategic partners who provide practical solutions, not just a recitation of the law. If you are looking for assistance with compliance matters, we hope you will give us a call. We look forward to getting to know you.


This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.



Responsible Attorney: Michael J. Basile, 800-967-8251