|
Welcome
Welcome to our third issue of 2026 of The Health Record -- our healthcare law insights e-newsletter.
In this edition, we look at the call on the Department of Education to broaden the definition of “professional” student, how North Carolina erased medical debt for a segment of their population, increased enforcement by HHS against information blocking by health IT developers, a proposed overhaul of the HIPAA Security Rule, the continuing uncertainty for hospitals surrounding tariffs, the latest on Virginia’s efforts to ban noncompete clauses for healthcare professionals, Virginia’s next step on changing medical malpractice laws, and the rapid growth of the medical spa industry and associated risks. The issue concludes with a look at the No Surprises Act and how Todd Biddle, a Member in our Huntington office, advises his clients on how to stay in compliance.
We also invite you to join us at one of the following events:
Who Owns Patient Data? IP and Privacy Issues in Health Data Management and Transactions Webinar, Presented by the Allegheny County Bar Association Health Law Section, March 23, 12pm EST
Join our own Shane Riley, a Member in our Pittsburgh office, for this program, providing attendees with an overview of issues regarding the ownership of patient data, the major privacy laws that apply to it, and how intellectual property rights can and cannot help to protect it. This program is suitable for attorneys of all experience levels and will provide insights for those working both as in-house counsel and in private practice. Click here to learn more.
West Virginia Chamber’s 2026 Women’s Leadership Summit, White Sulphur Springs, WV, March 25-27
We are very pleased to sponsor and participate in this conference, bringing together West Virginia’s most influential leaders for two days of inspiration, professional growth, and meaningful connection. Click here to learn more.
West Virginia State Bar Annual Meeting – Constitutional Conversations, Charleston, WV, April 19-20
As a sponsor, we invite you to join us for this top-tier event exploring the evolving landscape of constitutional law in a thoughtful and engaging way. Through practical presentations and meaningful discussions, speakers will share insights on core constitutional principles and how they intersect with today’s legal challenges. Click here to learn more.
Charleston SuperVision, Charleston, WV, June 18
SAVE THE DATE! Join us in Charleston on June 18 for our in-person SuperVision Labor & Employment Symposium, an all-day, free legal seminar. This program will dive into many hot topics of interest to business owners, HR professionals, and anyone who manages employees. More information will be coming soon!
Thank you for reading!
Brienne T. Marco
Member, Chair of the Corporate Department, Co-Chair of the Health Care Practice Group, and Editor of The Health Record
| | |
“Professional students will be able to borrow $100,000 more than other graduate students, but a proposed rule would exclude certain fields from the higher cap.”
Why this is important: Under the new federal lending caps established by the OBBBA, students classified as "professional" are eligible to borrow up to $200,000, double the $100,000 cap applicable to other graduate students. The Department of Education's (“ED”) proposed rule, published in late January 2026, limits the "professional" designation to only 11 enumerated fields, explicitly excluding programs such as nurse practitioner and physician associate training. Stakeholders, including the American Council on Education, have challenged this interpretation as inconsistent with the statute's text, arguing that ED’s definition is far too narrow and does not align with the much broader definition of professional degrees reflected in the OBBBA itself.
ED acknowledged the controversy in its proposal, clarifying that the designation only interprets the term for purposes of applying the new loan limits. Critics argue this position understates the material legal consequences, given that the classification determines access to $100,000 in additional federal borrowing capacity. The public comment period closed with approximately 65,000 submissions, and the Department is required to review all comments before issuing final regulations. Commenters broadly argued that the narrow definition could expose the final rule to legal challenge under the Administrative Procedure Act, particularly given the significant workforce and economic consequences for excluded healthcare and other professional fields. --- Shane P. Riley
| | |
“All of the state's 99 hospitals agreed to stop collecting certain debts dating back to 2014.”
Why this is important: Rising medical costs and the debt associated with the same is a serious concern for many Americans. The hospitals in North Carolina have done their part in helping to ease that burden. All 99 of the state’s hospitals have agreed to stop collecting debts that date back to 2014. This is certainly a welcome relief to those affected and could act as a blueprint for other states to follow. Further, with the debt being more than 10 years old, the likelihood of collecting that debt is very low, meaning it was a smart business decision to cancel that debt for the hospitals’ balance sheets. While this is a small step towards solving the medical debt crisis in this country, it is nonetheless a step towards a solution. --- Matthew W. Georgitis
| | |
“Nearly a decade after Congress banned information blocking, the HHS is making progress on cracking down on health IT developers accused of the practice.”
Why this is important: “Last month, the ASTP/ONC said it was beginning to issue notices to health IT developers accused of information blocking. The announcement followed a warning from the HHS in the fall of an impending crackdown on information blocking, with officials saying they would increase resources and deploy ‘all available authorities’ to investigate potential violators.”
The ASTP is part of the U.S. Department of Health and Human Services (“HHS”) and is responsible for developing and overseeing the implementation of HHS strategies and policies related to data, technology, interoperability, and artificial intelligence across the department. It coordinates initiatives led by the HHS Chief Technology Officer and Chief Data Officer.
The 21st Century Cures Act, passed in 2016, prohibits information blocking. The Act defines information blocking as practices by individuals or entities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information, except as required by law or specified in an information blocking exception. ASTP/ONC has issued regulations addressing information blocking, including identifying limited exceptions, such as protecting privacy or ensuring security, where an entity will not be considered to have committed information blocking if its actions meet the conditions of the exceptions (45 CFR Part 171).
Examples of information blocking by an IT developer could include:
- Not enabling portal transmissions: If an EHR system allows patients to request direct transmission of their electronic health information but does not enable this capability, it may be considered interference with the information blocking rule.
- Taking more time than necessary to respond: A practice that takes several days to respond to patient requests for their electronic health information is likely interfering with the information blocking rule.
- Holding back all test results: If a practice has a policy to delay the release of all lab results until the ordering provider reviews them, it may be committing interference with the information blocking rule.
- Configuring the EHR: If an EHR is configured to prevent users from sending electronic health information, it may be considered interference with the information blocking rule.
Until recently, the government has not levied any penalties or enforcement actions. The latest announcement from the Assistant Secretary for Technology Policy within the Office of the National Coordinator for Health Information Technology (ASTP/ONC) should be taken seriously, as fines could be up to $1 million per violation for health IT developers and networks. This could lead to the termination of certain health IT certifications and cause providers to lose Medicare payments. --- Sara E. Chapman
| | |
“The HIPAA Security Rule may soon undergo its first major overhaul in over two decades.”
Why this is important: The article examines the proposed overhaul of the HIPAA Security Rule, which, if finalized, would represent the regulation's first major update in over two decades. Prompted by increasing cyberthreats and widespread healthcare data breaches, the U.S. Department of Health and Human Services' Office for Civil Rights issued a Notice of Proposed Rulemaking in January 2025 that would transition HIPAA from its current flexible, risk-based framework to a more prescriptive and standardized compliance model. Some of the core proposed changes would mandate detailed technology asset inventories and data flow maps, require biannual vulnerability scans and annual penetration testing, require multifactor authentication for systems handling protected health information (“PHI”), mandate encryption of PHI both at rest and in transit, and strengthen business associate oversight by requiring annual written certification of technical safeguards rather than simply relying on signed agreements. While finalization could occur as early as May 2026, the timeline remains uncertain, and covered entities are advised to begin identifying compliance gaps now in anticipation of a significantly more rigorous regulatory environment. --- Shane P. Riley
| | |
“Over the past year, hospitals have had to deal with various price hikes on certain products, as they rely on many medical supplies and pharmaceutical ingredients produced from suppliers abroad.”
Why this is important: In February, the U.S. Supreme Court struck down the President’s far-reaching global tariffs, and shortly thereafter, a federal judge in New York ruled that companies that paid tariffs are due refunds. Notwithstanding these landmark decisions, the healthcare sector remains in a state of financial and operational limbo because of a lack of clarity over ongoing policy direction or the potential for refunds. Unanswered questions – such as who qualifies for refunds, how to claim them, and whether Congress will get involved – make it nearly impossible for healthcare organizations to plan budgets or manage supply chain costs effectively. This matters deeply for patient care, as broad tariffs on medical supplies and equipment could lead to product shortages and steep cost increases that hospitals, especially those with tight margins, cannot simply absorb. In short, tariff policy instability is not just a trade issue – it has direct consequences for the cost, availability, and quality of healthcare in the United States. --- Brienne T. Marco
| | Virginia Bill Bans Non-Compete Clauses for Healthcare Professionals | | |
By Michael S. Garrison
On March 4, 2026, the Virginia General Assembly approved Senate Bill No. 170, which limits the enforceability of restrictive covenants, or non-compete clauses, for certain terminated employees. If signed by the Governor, the bill would invalidate non-competes for employees who are laid off without severance benefits or other monetary payment, unless they are terminated for cause.
Click here to read the entire article.
| |
“Virginia lawmakers reshaped — and then advanced — a bill that significantly alters the legal landscape for medical malpractice claims, including more than doubling how much someone can be awarded in damages to $6 million starting next year.”
Why this is important: Lawmakers are looking to make significant changes to Virginia's medical malpractice law. A one-page bill filed in January, introduced by Republican Senator Mark D. Obenshain of Rockingham, is now eight pages long. At inception, the Bill was introduced to merely disallow the interest accrued in malpractice cases before a final verdict to be included in the cap for damages, but now it seeks to increase the damages cap and would extend Virginia’s statute of limitations to a broader range of medical malpractice lawsuits.
After years of incremental increases to state law caps on damages, which started at $1.5 million in 1999 and currently stands at $2.7 million, Senate Bill 536 (the “Bill”) is looking to make a giant leap to increase the cap to $6 million by July 2027. The Bill also includes cap increases to be set every two years thereafter based on federal cost-of-living data. The rewritten legislation now also provides that malpractice claims “not reasonably known or discoverable to the patient” can come forward after two years.
Proponents of the bill cite the obvious benefits for victims of medical malpractice and their ability to seek redress, while criticisms include concerns that professional malpractice premiums would increase and jeopardize access to medical malpractice insurance coverage for free clinics, among other impacts on access to healthcare. Despite these criticisms, the Bill was approved by an 18-4 vote in the House Courts of Justice Committee and is headed for the full House of Delegates. --- Jennifer A. Baker
| |
“Patchy regulatory oversight, inadequate physician supervision and high client expectations make medical spas complex health care liability risks because they blur the lines between medical procedures and cosmetic services, experts say.”
Why this is important: A medical spa is a facility that combines traditional spa services with medical aesthetic treatments such as injectables, laser procedures, and prescription-based therapies. Medical spas are expanding rapidly across the globe due to strong consumer demand for aesthetic treatments. As the industry grows, healthcare professionals must navigate an increasingly complex legal and regulatory framework.
The rapid growth of the medical spa industry has led to a variety of business models. A key reason for this variability is that state laws differ not only on which professionals may perform specific procedures, but also in who may own or control a medical practice. These differences often stem from the corporate practice of medicine (“CPOM”) doctrine, a legal principle that restricts the ability of non-physicians or business entities to practice medicine or employ physicians to provide medical services.
The scope and application of the CPOM doctrine vary significantly depending on the state where the medical spa is located. Additionally, determining which medical spa procedures constitute the practice of medicine requires a careful review of each state’s statutes, regulations, and professional licensing rules. In some jurisdictions, the CPOM doctrine strictly prohibits non-physician ownership of medical practices, effectively requiring that medical spas providing medical services be owned by licensed physicians. Other states permit physician assistants and nurse practitioners to own medical spas; however, these professionals must still perform services within the scope of their licenses – often requiring physician supervision. Other states impose few explicit restrictions, allowing a wider range of ownership structures so long as licensed professionals perform medical procedures.
For medical spa owners, investors, and healthcare professionals, this state-by-state variation creates substantial compliance challenges. A business model that is permissible in one jurisdiction may violate CPOM restrictions in another. Medical spas considering expansion, or new entrants to the industry, must carefully evaluate the CPOM rules in each state where they intend to operate. Understanding these differences is essential not only for regulatory compliance but also for managing liability risk in a rapidly growing sector of the healthcare market. Spilman's medical spa team is well-versed in all of these issues. If you have any questions, please visit our Medical Spa section of our website and reach out to any of our attorneys. --- Michael S. Garrison and Sarah W. King
| | Featured Attorneys Question & Answer | | This is our Featured Attorney Q&A to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting attorneys in each issue by asking them a healthcare-related question. We hope their responses will be insightful for you. | |
Todd A. Biddle
Member
Office 304.697.8567
tbiddle@spilmanlaw.com
Q: The No Surprises Act (“NSA”) was created to protect patients from large and unexpected surprise bills for out-of-network emergencies and certain non-emergency services provided in in-network healthcare facilities. As someone who handles a variety of issues facing healthcare facilities, what are your recommendations for facilities to stay in compliance with this new law?
A: Compliance with the NSA requires healthcare providers and facilities to pay particular attention with respect to reimbursement, billing, notification, and disclosure practices. Providers and facilities need to have cross-functional implementation teams that include, but are not limited to, legal, regulatory compliance, billing, finance, operations, the provider network, and information technology to ensure compliance with the NSA. Although there are others, the following is a list of some initial recommendations for NSA compliance:
1. Post disclosures on patient rights. Providers and facilities should publicly display a one-page notice that, in plain language, advises the patients of their rights under the NSA. The notice should be displayed in the provider’s office, the facilities’ registration and emergency departments, and the provider and facilities’ websites.
2. Establish or update internal procedures. Providers and facilities should establish or update relevant policies, standard operating procedures, and workflows. For instance, there should be a process to identify insurance status – insured versus uninsured/self-pay – to determine which rules apply, i.e., whether they are seeking in-network or out-of-network services. Frontline and billing staff should be trained on all new or updated internal procedures to avoid violating balance billing prohibitions.
3. Provide Good Faith Estimates (“GFEs”). A GFE is a written breakdown of expected charges for medical items or services to be provided to uninsured or self-pay patients. It includes the primary service, plus related costs like anesthesia, imaging, or lab tests, helping patients avoid surprise bills. A GFE should also include a disclaimer that additional services may be added and that the GFE is only an estimate. Providers and facilities should be prepared to send a GFE upon scheduling or at the patient’s request.
4. Manage Out-Of-Network (“OON”) billing. Providers and facilities must prohibit balance billing for emergency services and non-emergency services provided by an OON provider at an in-network facility. They should use official notice and consent forms if they intend to ask patients to waive balance billing protections.
5. Establish strategies for payment disputes. Providers and facilities should adopt a decision-making process regarding when it is financially prudent to accept a payor’s initial payment as payment in full to reduce administrative costs by avoiding the open negotiation period and the Independent Dispute Resolution process.
In short, implementing cross-functional teams will help providers and facilities navigate the complexities of the NSA, including the non-exhaustive list identified above, and ensure compliance therewith. If your organization is looking for assistance with an upcoming transaction, we hope you will give us a call.
| | |
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251
| | | | |
