|
Welcome
Welcome to our 11th and final issue of 2025 of The Health Record -- our healthcare law insights e-newsletter.
In this edition, we look at the rise in the rates of physician attrition across specialties, the impact the federal government shutdown had on telehealth programs, how medical malpractice reforms have affected emergency department imaging services, the latest on the Conduent data breach, how more hospitals are focusing on patient experience, proposed new legislation in Pennsylvania that addresses the use of artificial intelligence in healthcare, and current trends in ransomware attacks.
2026 National Labor & Employment Law Symposium, February 1, 2026, Steamboat Springs, Colorado
For those of you interested in labor and employment law topics, please join this exclusive gathering of top national and international labor and employment lawyers for the latest legal updates in a close-knit, collegial atmosphere. More than a dozen sessions, in a roundtable format, will cover cutting-edge labor and employment topics. In between sessions, participants will have plenty of time to enjoy skiing in Steamboat Springs or networking over drinks or dinner. Click here to learn more.
A sincere thank you to everyone who read The Health Record this year. As we plan for 2026, please let us know what you would like to see in the new year. Do you have topics you would like us to discuss? A change in the format? Any other suggestions? We welcome all thoughts and suggestions. Email us and we will be sure to discuss the best ways to keep this publication a high level of value.
Thank you!
Brienne T. Marco
Member, Chair of the Corporate Department, Co-Chair of the Health Care Practice Group, and Editor of The Health Record
| | |
“The nationwide analysis of over 712,000 physicians revealed that physician attrition, the rate at which doctors leave their clinical practice, has increased substantially across specialties over the years studied.”
Why this is important: A recent study, conducted by the Harvard School of Medicine and published in the Annals of Medicine in October, found that between 2013 and 2019 (the period that was the focus of the study), physicians left the clinical practice of medicine at increasing rates. This conclusion was found to be true across all specialties, genders, geographies, and in both urban and rural settings, but some groups, such as female physicians and rural physicians, were found to be at increased risk. The authors believe the results reflect a systemic issue, and not individual problems. Attrition is one of many factors contributing to physician shortages. With a declining retention rate, the future supply of doctors is under more strain than ever. These trends affect access to care – if more physicians leave the practice, fewer patients can be seen. This is especially true in already underserved areas. Lisa Rotenstein, one of the authors of the study, observed that “Studies have demonstrated common factors that can improve the physician experience, including enhanced team support for practice, provision of technology that can reduce documentation burden, a strong culture of safety and mentorship, and leadership support.” --- Brienne T. Marco
| | |
“That’s left a patient population of mostly older adults with fewer options to seek specialists or get help when they can’t physically travel far from home.”
Why this is important: More than four million Americans depend on the Medicare fee-for-service plans' telehealth waivers to attend medical appointments from home. The 43-day federal government shutdown caused these telehealth waivers to lapse, forcing telehealth providers, ranging from specialty care centers to large hospitals, to decide whether to continue offering their services to Medicare patients without the guarantee of reimbursement or to halt virtual care for those patients altogether.
Many patients who rely on Medicare telehealth waivers are older adults with limited options for seeking specialized care when they cannot travel far from home. Some patients, such as those with dementia and other degenerative conditions, depend on continuity of care, so even if they only missed a few appointments during the government shutdown, it may impede their progress and have long-term impacts on their health. Other patients, such as those with diabetes and chronic lung disease, depend on regular virtual check-ins with their doctors to help manage their conditions. Without these regular virtual appointments, patients’ worsening conditions have not been caught in time, and some patients have ended up in the emergency room.
This article describes how the government shutdown affected Medicare patients and how various telehealth providers addressed virtual care for these patients. --- Arianna P. Webb
| | |
“Practicing ‘defensive medicine’ to avoid any threat of being sued is a common explanation for why physicians order low-value scans that provide little benefit to patients.”
Why this is important: If you or a family member has ever been to the emergency room in the past 20 years, you probably had the attending physician order multiple scans to rule out remote or highly unlikely causes of the symptoms. This was a common practice of physicians and was commonly called defensive medicine. This manner of practice was done as a perceived way of defending against a future malpractice claim, but what about states that have enacted tort reform? Has the practice of defensive medicine been impacted in those states? It might come as a surprise or as no surprise, depending on which side of the aisle you are on, but in states that have tort reform, the practice of defensive medicine has gone the way of the dodo, or at least the use of unnecessary scans has become less prevalent in states that have tort reform. This article discusses this trend and the findings of the study done by the Neiman Health Policy Institute on the impact of tort reform on the use of unnecessary scans. --- Matthew W. Georgitis
| | |
“In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $25 million in non-recurring expenses from direct response costs.”
Why this is important: A data breach at Conduent Business Solutions, a technology services company, has resulted in the possible theft of the protected health information of more than 10.5 million individuals. The article notes that this data breach is the largest known healthcare data breach to date in 2025. It has affected nearly twice as many individuals as the second-largest data breach in 2025, and it ranks as the eighth-largest healthcare data breach in history.
To minimize the risk of costly data breaches, providers should become familiar with the voluntary cybersecurity goals for healthcare and public health organizations published by the U.S. Department of Health and Human Services (HHS). The voluntary goals will help healthcare sector organizations prioritize the implementation of cybersecurity practices that will have the greatest impact on improving resilience to the most common attack vectors. The HHS cybersecurity strategy separates goals into two tiers: Essential Goals and Enhanced Goals. The Essential Goals are relatively low-cost, minimum foundational cybersecurity practices that will greatly improve cybersecurity, and the Enhanced Goals are intended to encourage the adoption of more advanced cybersecurity practices. The aim is to get all healthcare delivery organizations to adopt the Essential Goals to make it harder for cyber actors to gain access to their networks and incentivize them to mature their cybersecurity programs by adopting the Enhanced Goals. --- Joseph C. Unger
| | |
“A new survey of healthcare executives shows it’s emerged as a top priority, even as they acknowledge some digital investments have been slow to show returns.”
Why this is important: Since the COVID-19 crisis, hospitals have shifted their priority from crisis mode to improving the patient experience. Although patient safety measures have improved in the past few years, hospitals have realized the effect of staffing shortages and the need to provide virtual care through telehealth programs to an aging population. However, hospitals are not yet seeing a return on investment in their virtual care offerings, and vendors of such services will need to adapt to the pressure of an increased demand for a quicker return on investments. --- Charity K. Lawrence
| | |
“House Bill 1925, introduced on Oct. 6, aims to ensure that AI systems used in insurance and healthcare do not violate the state's anti-discrimination laws and that human oversight remains central to decision-making.”
Why this is important: The use of AI is exploding across the healthcare industry. It is being used by insurance companies in relation to claims-handling, by medical practices in their billing departments, and by clinicians in patient care. Pennsylvania legislators have introduced House Bill 1925 to ensure that the AI systems used by insurers and healthcare providers do not violate Pennsylvania’s anti-discrimination laws. The bill also seeks to ensure that human oversight remains central to decision-making. To prove compliance, insurers and healthcare providers would have to confirm to the Pennsylvania Department of Insurance that the AI systems they are using comply with existing anti-discrimination laws.
Large insurers like UnitedHealthcare, Humana, and CVS have already received governmental scrutiny and have even been sued around the country for using predictive algorithms to deny claims. In one class action, United Healthcare was sued because its claims-handling AI had a high error rate when evaluating claims, it overruled the patients’ physicians’ recommendations, and UnitedHealthcare refused to have the decisions reviewed by a human reviewer. Humana was sued because its claims-handling AI was allegedly denying rehabilitation care for elderly patients despite recommendations made by the patients’ physicians. Cigna was also subject to a class action lawsuit because its claims-handling AI was also denying claims without a human review. These lawsuits also included claims of disparate impact, lack of human oversight, and that the AI algorithms include biased data. In light of these issues, Pennsylvania legislators seek to ensure that if AI is used to handle insurance claims, the process is neutral, fair, and has human oversight.
Other states have similar proposed legislation, including California and New York. Understandably, insurers would prefer a single federal law that would address this issue instead of a patchwork of state laws. However, it is unlikely that Congress will pass such a national law in the near future. Consequently, insurers and healthcare providers will have to contend with individual state laws regulating AI for the foreseeable future. --- Alexander L. Turner
| | |
“When cybercriminals started conducting ransomware attacks, the focus was on file encryption, whereas double extortion tactics are now the norm, with data stolen prior to file encryption.”
Why this is important: This article highlights the evolving landscape of ransomware attacks, the responses of victims, and the broader implications for cybersecurity practices and legal considerations. According to the report cited in the article, 85 percent of victims of ransomware attacks in 2019 paid the ransom, but in the third quarter of 2025, that number reached an all-time low with only 23 percent of victims paying the ransom. As companies have become more sophisticated in their security protocols, cybercriminals have adapted as well. The author notes that, historically, ransomware attacks focused on file encryption, but recently, cybercriminals have begun stealing the information prior to encrypting it. In fact, 76 percent of all attacks in the third quarter of 2025 involved data theft. By stealing the data, cybercriminals up the ante with the threat of reputational risk, not just the loss of data (which in some cases may be recoverable through file backups). The author also notes that we have seen changes in the method of attack, with remote access compromises exceeding phishing/social engineering attacks in the third quarter of 2025. In some particularly disturbing cases, employees were bribed with a percentage of the ransom to provide remote access to their company’s systems. The article underscores the growing prevalence of ransomware attacks, the strategies employed by attackers, and the decisions victims face regarding whether to pay ransoms. --- Brienne T. Marco
| | Featured Attorney Question & Answer | | This is our Featured Attorney Q&A to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting attorneys in each issue by asking them a healthcare-related question. We hope their responses will be insightful for you. | | |
Brienne T. Marco
Member; Chair, Corporate Department; and Co-Chair, Health Care Practice Group
304.380.6608 - Harrisburg, PA
304.720.4060 - Charleston, WV
bmarco@spilmanlaw.com
Q: Mergers and acquisitions in the healthcare industry are uniquely complex due to regulatory, compliance and patient care considerations. As the Chair of Spilman’s Corporate Department and Co-Chair of Spilman’s Healthcare Practice Group, you have seen your fair share of these types of transactions and are well-versed in this area of law. What are your best practice recommendations for a successful transaction?
A: A successful transaction requires open lines of communication, the right team members, thorough diligence, and careful planning. The best practices described below are broadly applicable across industries, but are especially relevant to highly regulated, people-focused sectors like healthcare.
-
Involve all key stakeholders and keep the lines of communication open. Key stakeholders such as, but not limited to, representatives from human resources, information technology, procurement, medical staff leadership, compliance, facilities, and operations, will provide the legal and finance teams (who often lead the transaction) with valuable insight to help shape the direction of the deal.
-
Find a good support team. Every transaction is different and involves unique challenges. Access to a robust legal team with a diverse skill set covering environmental law, real estate, employment and employee benefits, labor matters, tax, intellectual property, privacy and data security, and regulatory matters can help you work through the unique situations that arise in your deal, manage expectations, and mitigate risks. In the healthcare industry, it is especially important to have access to counsel with knowledge of the healthcare regulatory landscape, from privacy laws to fraud and abuse laws, to state-level health regulations, to CMS, OIG, and state licensing requirements. Your legal team should also include a good quarterback to keep everyone organized and moving toward the common goal.
-
Conduct rigorous due diligence and keep it organized. Whether you are the seller or the purchaser in the transaction, thorough and organized diligence is paramount. The seller’s diligence investigation of its own records or the records of the company being divested informs the seller of its risks in the transaction and allows the seller to appropriately limit its representations and warranties in the definitive agreement. From the purchaser’s perspective, diligence is important not only for spotting issues that may necessitate a change in direction or modification of the terms of the agreement, but also for ensuring the purchaser has the information that it needs to run the business after closing.
-
Address regulatory matters early. In the healthcare industry in particular, there are regulatory hurdles to jump for most transactions. Whether your transaction requires a certificate of need or other state approval, a Hart-Scott-Rodino (HSR) Act filing, or you have a laundry list of permits, licenses and certifications to transfer, the regulatory filings can impact the viability of your transaction and the timing of your closing. Identifying and addressing these early will help you to manage the expectations of your leadership team.
- Begin planning for the transition early. Transition planning should occur before and during the transaction. A Transition Services Agreement (TSA) is a key part of documenting that plan. In a transaction involving a health system, hospital or other healthcare provider, the goal of the TSA should be the orderly transfer of operational control without disruption of patient services. All of the key stakeholders should be involved in the negotiation of portions of this agreement.
In short, healthcare mergers and acquisitions require a strategic, orderly approach that balances legal complexity with operational realities. By fostering collaboration among key stakeholders, assembling experienced advisors who understand the healthcare regulatory environment, conducting comprehensive due diligence, proactively addressing regulatory matters, and planning for seamless transitions, parties can navigate even the most intricate deals. If your organization is looking for assistance with an upcoming transaction, we hope you will give us a call.
| | |
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251
| | | | |
