Welcome
Welcome to our second issue of 2026 of The Health Record -- our healthcare law insights e-newsletter.
In this edition, we look at recent guidance from HHS urging healthcare providers to step up cybersecurity efforts, proposed Florida law changes regarding Medicaid and SNAP errors, the threat of hospital closures in Pennsylvania over the next few years, CISA’s guidance regarding insider threats, ChatGPT for healthcare, Virginia legislation impacting the ability of home health workers to unionize, the first (of potentially many) lawsuits regarding gender-care surgery, the FDA’s AI oversight for low-risk devices, and how doctors’ offices need to address AI and trustworthiness.
We also want to introduce you to two niche areas of practice that may be of particular interest to those in the healthcare field – medical spa legal services and workplace investigations.
Spilman’s medical spa team brings together decades of experience in the healthcare space, including healthcare regulation, corporate transactions, medical malpractice defense, and employment law. We provide strategic legal counsel to physicians, business owners, and investors across the full lifecycle of a medical spa – from startup and expansion to compliance, transactions, and legal defense. We understand both the business opportunities and the regulatory risks inherent in the rapidly evolving medical spa industry. Click here to learn more.
Spilman lawyers are also skilled in conducting independent, confidential internal investigations involving highly sensitive workplace matters. Our attorneys advise employers across a broad range of industries, including the healthcare sector. If you have any questions about workplace investigations, please reach out to us. You may also click here to learn more about our practice.
Smart Business Dealmakers Conference, February 19, Pittsburgh, PA
What are CEOs saying about today’s climate for dealmaking? Join Spilman and our own Ron Schuler at the 2026 Smart Business Dealmakers Conference to hear firsthand insights from Pittsburgh’s top business leaders. Dealmakers gathers hundreds of local CEOs, investors, lenders, and service providers so you can stay on top of M&A trends. This is sure to be a high-level conversation on the front lines of buying, selling, and scaling. Learn more and buy tickets here.
American Bar Association’s 2026 Workplace & Occupational Safety & Health Law Committee Midwinter Meeting, February 24-27, Puerto Rico
We are pleased to sponsor this ABA event featuring presentations by panelists representing management, union, employees, and government perspectives on hot topics and cutting-edge issues in the field of workplace and occupational safety law. Click here to learn more.
Thank you for reading!
Brienne T. Marco
Member, Chair of the Corporate Department, Co-Chair of the Health Care Practice Group, and Editor of The Health Record
“That includes ensuring that organizations continually patch vulnerabilities, update software, properly configure security settings and disable or remove unneeded software.”
Why this is important: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued a newsletter advising regulated healthcare entities to harden their systems, software, and medical devices to safeguard protected health information. According to the January 2026 OCR Cybersecurity Newsletter, “System hardening is the process of customizing electronic information systems (e.g., computer systems and other electronic devices) to reduce their attack surface, thus reducing the number of weaknesses and vulnerabilities that an attacker can exploit.” OCR emphasizes three keys to hardening: (1) patching known vulnerabilities; (2) removing or disabling unneeded software and services; and (3) enabling and configuring security measures. Hardening is not a “one-and-done” process. Because attackers’ tactics keep evolving, it requires an ongoing effort to identify new weaknesses and correct them, and OCR ties that effort directly to the HIPAA Security Rule’s risk analysis and risk management requirements. --- Joseph C. Unger
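To make the three OCR hardening keys concrete, the following is an added example written for this newsletter; it is not code from OCR, HHS, or any vendor. It audits a single host inventory against a hardening baseline along exactly those three axes (patch level, unneeded software and services, security settings) and reports the gaps. The host inventory, the baseline, the package and service names, and the version numbers are all constructed for illustration and are not real vulnerability data.

```python
"""Hardening-gap audit along OCR's three keys: patch, reduce attack surface, configure.

Added example for illustration only. The inventory, baseline, package names,
service names and version numbers below are constructed (hypothetical) data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "patch" | "attack_surface" | "configuration"
    item: str
    detail: str


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version ('3.0.15') into a comparable tuple.

    Assumption: versions are purely numeric and dotted; vendor-specific
    version schemes (epochs, '-release' suffixes) are out of scope here.
    """
    return tuple(int(part) for part in version.split("."))


def audit_host(inventory: dict, baseline: dict) -> list[Finding]:
    """Return every hardening gap found when comparing inventory to baseline."""
    findings: list[Finding] = []

    # Key 1: patch known vulnerabilities. Anything installed below the
    # baseline's minimum fixed version is a patch gap.
    for pkg, installed in inventory["packages"].items():
        minimum = baseline["minimum_versions"].get(pkg)
        if minimum is not None and parse_version(installed) < parse_version(minimum):
            findings.append(Finding("patch", pkg, f"installed {installed} is below required {minimum}"))

    # Key 2: remove or disable unneeded software and services. A service that is
    # enabled but not on the role's allowlist, or a package on the remove list,
    # is attack surface that serves no clinical or business purpose.
    allowed = set(baseline["allowed_services"])
    for svc in inventory["enabled_services"]:
        if svc not in allowed:
            findings.append(Finding("attack_surface", svc, "enabled service is not on the role allowlist"))
    for pkg in inventory["packages"]:
        if pkg in baseline["banned_packages"]:
            findings.append(Finding("attack_surface", pkg, "package on the remove list is still installed"))

    # Key 3: enable and configure security measures. A missing setting is
    # treated the same as a wrong one, since "not configured" is not hardened.
    for key, expected in baseline["required_settings"].items():
        actual = inventory["settings"].get(key)
        if actual != expected:
            findings.append(Finding("configuration", key, f"found {actual!r}, expected {expected!r}"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per hardening key, for a quick status line or dashboard."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed baseline for a hypothetical clinical workstation role.
BASELINE = {
    "minimum_versions": {"openssl": "3.0.15", "sshd": "9.6"},  # hypothetical values
    "allowed_services": ["sshd", "ehr-agent", "auditd"],
    "banned_packages": ["telnet"],
    "required_settings": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "disk_encryption": "enabled",
        "auto_update": "enabled",
    },
}

# Constructed inventory of one hypothetical host, as a collector might report it.
HOST = {
    "hostname": "ws-radiology-01",
    "packages": {"openssl": "3.0.12", "sshd": "9.6", "telnet": "0.17", "ehr-agent": "4.2.0"},
    "enabled_services": ["sshd", "ehr-agent", "telnet", "cups"],
    "settings": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "disk_encryption": "enabled"},
}


if __name__ == "__main__":
    results = audit_host(HOST, BASELINE)
    for finding in results:
        print(f"[{finding.category}] {finding.item}: {finding.detail}")
    print("summary:", summarize(results))
```

The point of writing the audit as a function over an inventory snapshot is the “not one-and-done” caveat from the OCR newsletter: the same check can be re-run on every collection cycle, and a host that passed last month fails as soon as the baseline’s minimum versions move or a new service appears, which is exactly the drift hardening programs are meant to catch.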
“If passed, new rules reflecting federal changes would impact Medicaid and SNAP recipients.”
Why this is important: Who needs to know about Medicaid and SNAP error reforms?
Businesses, especially those in healthcare like providers, payors, managed care organizations, pharmacies, long-term care operators, and supply chain vendors, are increasingly affected by federal and state efforts to reduce eligibility and payment errors in Medicaid and SNAP. These reforms bring heightened scrutiny, corrective-action mandates, and penalty regimes, impacting not only government program administrators but also private entities that rely on these benefits for revenue.
The crackdown on eligibility and payment errors involves tighter redeterminations, data-matching, and documentation standards. This can lead to increased denials, disenrollments, and recoupments. For providers and plans, this means potential delays in cash flow, post-payment audits, and expanded overpayment liability when claims are linked to ineligible coverage or improperly calculated cost-sharing.
Penalties and enforcement are also on the rise. When error rates exceed certain thresholds, sanctions, enhanced corrective actions, and repayment obligations may be triggered. Contractors and delegated entities can find themselves liable through contract flow-downs, indemnity provisions, and exposure under the False Claims Act if billing or eligibility support is inaccurate or insufficiently documented.
Operational disruptions are another concern. Renewed eligibility churn increases bad-debt risk and adds to the burden of point-of-service collections and patient financial counseling. Pharmacy and DME vendors may face greater prior authorization scrutiny and after-the-fact denials due to documentation gaps.
For retailers and pharmacies accepting SNAP, stricter error controls and penalties for trafficking or improper acceptance can lead to disqualification and civil money penalties. Robust tender controls, employee training, and incident response protocols are essential to avoid violations.
Reputational risk is also significant. Publicized enforcement actions, payment suspensions, or exclusion risks can impact partnerships with payers and providers, disrupt network participation, and concern investors.
What do we need to do?
To navigate these challenges, businesses should focus on enhancing eligibility and billing processes. Implement strong front-end checks to verify coverage before services, conduct regular re-verifications, and document reliance on available data sources. Align claim edits and prior authorization rules with the latest coverage policies.
Improving documentation and record retention is crucial. Use standardized checklists for proving medical necessity, meeting coverage rules, and obtaining required signatures. Maintain clear audit trails for eligibility decisions, benefit coordination, and claim submissions, preserving records for the required periods.
Strengthening oversight of contractors is also important. Review and update agreements with business associates, third-party administrators, revenue-cycle vendors, and enrollment supporters. Include stronger audit rights, performance standards tied to error rates, indemnity protections, and defined workflows for correcting issues.
Prepare for overpayments by developing clear written protocols to detect, calculate, and promptly refund overpayments. Analyze root causes to fix recurring problems and show proactive remediation during audits.
Invest in training and monitoring. Deliver targeted training to staff on current eligibility and billing rules. Regularly track denial rates, recoupments, and error indicators, escalating unusual patterns quickly.
For SNAP-accepting businesses, enforce strict point-of-sale controls to block ineligible purchases, train employees thoroughly on SNAP guidelines, and document investigations of any incidents along with corrective steps.
What are our next steps?
Medicaid and SNAP policies continue to evolve quickly at the federal and state levels. Leadership should assign clear executive responsibility for tracking these programs, form cross-functional teams to evaluate impacts and implement updates, hold regular board briefings on trends and remediation progress, and work closely with legal counsel to interpret new rules, revise policies, and prepare for audits or investigations.
By proactively addressing these areas, businesses can better protect revenue, minimize disruptions, and maintain strong compliance in a changing regulatory environment.
If you'd like assistance assessing your specific exposure, bolstering controls, updating contracts, or preparing for audits tied to these Medicaid and SNAP error-reduction efforts, Spilman can assist. --- Kevin L. Carr
“Inadequate state funding makes running hospitals in Pennsylvania more challenging than in other states, which could contribute to the closure of more than a dozen hospitals over the next five years, according to a new study commissioned by the Hospital and Healthsystem Association of Pennsylvania.”
Why this is important: A new study warns that inadequate state funding is making it harder to operate hospitals in Pennsylvania than in other states, potentially leading to the closure of 12 to 14 more hospitals within the next five years. Since 2016, 25 hospitals have already shut down. The projected closures would increase average patient travel time to the nearest hospital by 22 minutes and result in an estimated $900 million in lost wages due to job losses. The report emphasizes that without timely and targeted state support, hospitals will struggle to sustain services or invest in workforce, technology, and infrastructure.
Rural hospitals are particularly vulnerable. A recent report from the Pennsylvania Health Cost Containment Council found that 22 rural hospitals posted combined operating losses of $80 million in fiscal 2024, driven by lower reimbursement rates, aging populations, and declining patient volumes. Pennsylvania hospitals receive just 87 cents per dollar of Medicare spending compared to $1.26 per dollar on average nationally, and the state’s Medicaid program pays only 71 cents per dollar of care costs, contributing to a $3.3 billion statewide revenue shortfall. Additional federal legislation is expected to reduce Affordable Care Act enrollment by 95,000 and Medicaid coverage by 300,000 in the state, further straining hospital finances. By 2030, hospital operating margins are projected to fall between negative 3.3 percent and negative 10.8 percent, underscoring the urgency of reforms such as higher Medicaid reimbursement, medical liability changes, and administrative streamlining.
--- Shane P. Riley
“The guidance includes proven strategies for proactively preventing, detecting, mitigating, and responding to insider threats.”
Why this is important: Data breaches increasingly undermine consumers’ confidence that their sensitive medical information, arguably the most sensitive personal data there is, will be kept private. A 2018 Verizon study concluded that 56 percent of all healthcare security and privacy breaches resulted from internal sources. In addition, Metomic, a cybersecurity firm, found that the percentage of healthcare organizations reporting no insider cybersecurity incidents declined from 34 percent in 2019 to 24 percent in 2024. These incidents range from employees with little HIPAA training snooping in medical records to personnel deliberately stealing medical histories for personal profit.
Against this backdrop, CISA (the Cybersecurity and Infrastructure Security Agency) has issued new guidance aimed at better protecting patients and restoring their faith in the system. CISA recommends a multidisciplinary team to combat violations of patient privacy, drawing on HR, the chief security officer, general counsel and others, including law enforcement where appropriate. Such a team is better positioned to identify and reduce insider threats than any single function acting alone.
CISA’s guidance is organized around the acronym “POEM,” which stands for “Plan, Organize, Execute and Maintain.” Under the POEM framework, an organization first plans and charters a threat management team and defines its goals. It then organizes a culture in which employees are expected to report breaches or threats, and executes on the plan with appropriate and effective policies and procedures, including extensive employee education. Finally, the program must be maintained: monitored and adjusted so the team remains useful as threats evolve. People, both employees and patients, are at the center of this approach. Institutions are increasingly adopting CISA’s recommendations to secure the public’s vital information and to earn the confidence of the healthcare consumer. --- Lynn P. Michael
“However, OpenAI now offers ChatGPT for Healthcare that can support HIPAA compliance under specific conditions.”
Why this is important: ChatGPT is increasingly being integrated into professional workflows, including in the healthcare industry. However, in most instances ChatGPT is not HIPAA compliant. Conversations may be retained and, on the consumer tiers, used by default to train the model. OpenAI does not enter into a Business Associate Agreement for the Free, Plus, Team, or Enterprise versions of ChatGPT, meaning that Protected Health Information (PHI) cannot be used compliantly on those platforms.
In January 2026, OpenAI introduced ChatGPT for Healthcare, specifically designed for hospitals, clinicians, and regulated healthcare environments. This version is represented as having the safeguards and controls needed to support HIPAA compliance, including enterprise-grade security, administrative, and governance features. According to OpenAI, PHI entered into this product is not used to train the model, and OpenAI will enter into a Business Associate Agreement with healthcare organizations that use it.
However, even with ChatGPT for Healthcare, organizations must manage it closely to ensure compliance and protect patient information. It is crucial for health systems to educate their employees on the proper use of AI and to manage the tool carefully to maintain HIPAA compliance. --- Sara E. Chapman
“But to do that, they must first get HB1263/SB378 through the state legislature.”
Why this is important: The renewed organizing efforts among Virginia’s home healthcare workers are unfolding at the same time that lawmakers are considering a significant piece of legislation—HB1263/SB378—that could reshape the labor landscape for publicly funded home care services. The bill would repeal Virginia’s longstanding prohibition on collective bargaining for state public employees, a restriction rooted in the Jim Crow era. In its place, the legislation would establish a Virginia Home Care Authority to serve as the employer of record for Medicaid-funded home care workers, and it would create a Public Employee Relations Board to oversee labor relations, including union recognition elections and dispute resolution.
If this measure passes, Virginia would join states such as California, New York, and Illinois in adopting a state authority model that enables home care workers—who typically work in private homes and are paid through Medicaid—to unionize. This shift would not only formalize a bargaining structure for these workers but also influence expectations across the broader home health and personal care sectors. Even employers not directly covered by the bill could experience increased pressure around wages, benefits, scheduling, and workplace policies as the labor environment evolves.
A complicating factor is the federal Medicaid funding outlook. Home healthcare companies rely heavily on Medicaid reimbursement to pay their workers, and the article notes that Congress recently enacted more than $800 billion in Medicaid cuts over the next decade. Reduced federal funding may limit the state’s ability to support higher wage standards or expanded benefits, even as organizing efforts push in that direction. Employers could find themselves navigating a difficult balance between rising labor expectations and constrained reimbursement rates.
The political context in Virginia has also shifted. A similar bill passed the General Assembly last year but was vetoed by then-Governor Glenn Youngkin. With Governor Abigail Spanberger now in office—someone viewed as more supportive of worker-focused legislation—the prospects for HB1263/SB378 are stronger. Her administration has emphasized accountability and affordability, and she is widely seen as more receptive to establishing a formal bargaining structure for home care workers.
For healthcare employers, these developments underscore the importance of monitoring legislative activity closely. Changes to the legal framework governing home care workers could influence workforce dynamics, competitive pressures, compliance obligations, and operational planning across the sector. Early awareness and preparation will help organizations adapt effectively as the policy landscape continues to evolve. --- Kevin L. Carr
“In a legal first, a jury in New York has awarded $2 million in damages to a patient who received gender-affirming surgery as a minor.”
Why this is important: The first trial over malpractice related to gender-affirming care provided to a minor has just concluded in New York. In the broader context of gender-affirming care for unemancipated minors, we should anticipate more malpractice claims brought by the former patient once they reach the legal age of adulthood. This raises a host of legal questions. Can the medical providers bring in the parents who consented to the treatment as third-party defendants? What is the statute of limitations for this type of claim? For minors, it is typically one year after reaching the age of majority. While only a small segment of society receives this type of care, this is definitely something to keep an eye on as the individuals who have undergone gender-affirming care become adults. --- Matthew W. Georgitis
“The FDA clarified that many low-risk AI-enabled software tools and consumer wearables fall outside medical device regulation when clinicians can independently review the device’s clinical recommendations.”
Why this is important: In January 2026, the FDA issued nonbinding guidance clarifying regulatory oversight of certain low-risk digital health products, including AI-enabled software and wearable devices. The guidance reiterates that general wellness products, such as fitness trackers and health apps that pose minimal risk and promote healthy lifestyles, are typically subject to enforcement discretion and do not require FDA regulation. It also clarifies that clinical decision support software falls outside FDA medical device oversight when it provides recommendations that clinicians can independently review and are not the sole basis for clinical decisions.
Taken together, the guidance signals a risk-based regulatory approach under which many AI tools and consumer wearables that influence health behavior or support clinicians, but do not make autonomous or unreviewable medical decisions, may avoid premarket review and other regulatory requirements. High-risk products that diagnose, treat, or prevent disease remain fully regulated. This contributes to broader FDA efforts to modernize digital health oversight, including a 2025 pilot program with CMS to evaluate digital health tools using real-world data, while emphasizing that the guidance reflects current policy thinking rather than creating new legal obligations. --- Shane P. Riley
“If AI will work in the medical field (or any other field it's used in), we need to develop specific and useful standards.”
Why this is important: As a time-saver, many doctors are using AI transcription services to capture information during patient encounters, with the transcribed data automatically entered into the patient’s medical chart. AI chatbots are also expected to become more commonplace as a means of answering basic medical questions from patients. With AI advancing in the healthcare industry, Ram D. Sriram, Chief of the Software and Systems Division of the National Institute of Standards and Technology’s Information Technology Laboratory (ITL), argues that standards for AI reliability and trustworthiness are needed.
To be useful, information generated by AI must be correct; only then can it be trusted. In addition, the datasets AI tools draw on must themselves be reliable. Standards will be critical to evaluating AI tools so that their output becomes more reliable and trustworthy. NIST’s work will help shape voluntary AI standards in the healthcare industry, which Mr. Sriram argues will bolster innovation rather than hinder it. One example of AI’s benefits comes from stem cell treatment for age-related macular degeneration. A patient’s own cells can be grown into stem cell implants intended to preserve vision. During the manufacturing process, these living cells undergo transformations that increase the risk to the patient; AI is now being used to predict which cells will work best for a given patient, thus reducing that risk.
Mr. Sriram expresses his belief that AI will help doctors, not replace them. He argues that the technology will augment intelligence and can make access to healthcare more readily available. While acknowledging the risks associated with AI in the healthcare industry, Mr. Sriram argues that those risks can be managed with the right framework. NIST is working to help appropriately consider and manage those risks with their free tool found here. --- Jennifer A. Baker
Featured Attorneys Question & Answer
This is our Featured Attorney Q&A to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting attorneys in each issue by asking them a healthcare-related question. We hope their responses will be insightful for you.
Eric E. Kinder
Member
Office 304.340.3893
ekinder@spilmanlaw.com
Q: As someone who regularly advises employers of healthcare workers, what guidance would you give an employer regarding mandatory vaccination policies and how to handle requests for exemptions?
A: COVID-19 vaccine requirements have transitioned from federal mandates to policies set forth by states, localities, and facilities. But the responses to the mandate from the Centers for Medicare and Medicaid Services (CMS) have helped establish guidelines for all healthcare facilities to apply. Importantly, the Centers for Disease Control and Prevention (CDC) still recommends that healthcare workers get updated vaccines for respiratory viruses each year, as do the departments of health of numerous states. But what should your facility do when you receive requests for exemptions under a mandatory vaccination policy?
While most of the attention has been on religious exemption requests, the Americans with Disabilities Act (ADA) and similar state laws still require employers to provide reasonable accommodations to employees who have a medical reason for refusing to be vaccinated. That right, however, is still subject to the limitation that an accommodation cannot pose an undue hardship on the operation of the employer’s business or pose a direct threat to employees or others.
A “direct threat” is a significant risk of substantial harm that cannot be eliminated or reduced by reasonable accommodation. This defense requires an individualized, objective assessment based on current medical knowledge, not stereotypes, and must be a significant risk of substantial harm, not just a minor or speculative risk. An employer should consider four factors in determining if a direct threat exists.
- The duration of the risk;
- The nature and severity of the potential harm;
- The likelihood that the potential harm will occur; and
- The imminence of the potential harm.
Even if an unvaccinated employee poses a direct threat to the workplace under this individual analysis, employers still must consider whether remote work or a leave of absence would be viable.
While employees who are seeking an exemption for religious reasons must establish that their belief is bona fide, courts and agencies are loath to contest the religious beliefs of individuals. Accordingly, requests for religious exemptions should be reasonably accommodated unless doing so would cause “an undue hardship on the conduct of the employer’s business.” The United States Supreme Court has held that an undue hardship exists where an employer can show that “granting an accommodation would result in substantial increased costs in relation to the conduct of its particular business.”
As that relates to individuals in the healthcare field, courts have held that an employer would suffer an undue hardship if forced to allow an unvaccinated employee to interact with medically compromised patients or fellow employees. Importantly, healthcare facilities can make this determination of harm by considering not just the request of the single employee but the impact that would occur based on accommodating other employees across the healthcare system. Nonetheless, employers should consider the possibility of alternative reasonable accommodations individually, but employers are not required to search for alternative accommodations if truly futile. But be warned that this futility exception is narrow.
A decision to establish a vaccine requirement in the healthcare setting remains one that should be based on the latest and best science, but employers need to be cognizant of legal needs to accommodate requests for exemption when presented.
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251