Top Legal Challenges for the Health Care Industry in 2025

1. The Trump Takeover: New Administration, New Congress, and New Priorities Impacting Health Care Sector

Since President Trump’s inauguration, we have seen a flurry of presidential executive orders impacting the health care sector. Stakeholders are advised to keep a close eye on White House presidential actions and how the various federal agencies overseeing federal health care programs, such as the US Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS), implement the president’s executive orders.

We expect President Trump and the Republican-controlled US Congress to push for health care policies long-favored by Republicans to reduce federal government spending in federal health care programs. Medicaid reform continues to be a top priority for Republican legislators who want to change Medicaid funding to “block grants”— set amounts given to states by the federal government to administer services — and add work requirements for Medicaid beneficiaries as a condition of health coverage. And while repealing the Affordable Care Act (ACA) seems to be off the table for now, Congress may target certain key provisions, such as the ACA premium tax credits passed by Congress under the Biden Administration, which reduce health insurance premiums paid by ACA marketplace exchange enrollees. These credits are set to expire at the end of 2025, and if Congress declines to extend them or eliminates them through legislation, it will result in higher premium payments for ACA enrollees and could cause a corresponding rise in the rate of uninsured individuals.

President Trump’s agency leadership picks will also influence health care policy. The president has nominated Robert F. Kennedy Jr. as the Secretary for HHS and Dr. Mehmet Oz as CMS Administrator. These selections have garnered attention due in part to the nominees’ lack of government experience and sometimes unconventional positions on health care delivery, pharmaceuticals, and vaccines. Kennedy was confirmed by the US Senate on February 13, and Oz is expected to be confirmed. Stakeholders should review the positions they have taken on health care policy and how they intersect with policies favored by President Trump. For example, Kennedy has been vocal in his criticism of vaccines and the food industry. As Secretary of HHS, he oversees public health guidance and food safety protocols, placing him in a position to influence policies impacting the pharmaceutical and food industries. Dr. Oz has championed privatizing Medicare in the past, and as the Administrator of CMS, he will play a key role in establishing program directives for Medicare and Medicaid and developing regulations targeted at reforming both federal programs.

Contributing Authors: David S. Greenberg and Moyo O. Koya

2. Increased Private Equity Opportunity in Health Care, But Likely With Expanding State Scrutiny

Private equity (PE) firms have demonstrated national growth in all aspects of the health care sector. This growth has continued, notwithstanding increased government scrutiny due to concerns about the impact of PE investment on the stability of provider organizations and quality of care, and the well-publicized financial failure of certain large PE-backed health care provider organizations. With the installment of a new federal Administration, we expect a more hospitable federal climate for PE investment in health care. Federal Trade Commission (FTC) efforts to curtail PE expansion in health care and, more broadly, the FTC’s skepticism of consolidation transactions in health care, for example, could diminish dramatically. Congress, which has not enacted legislation focused on PE investment in health care, is unlikely to take this initiative in 2025 (although it may continue to conduct hearings and make reports on this topic). However, state efforts to oversee proposed ownership in and control of health care entities are likely to continue. PE firms should evaluate this oversight climate when considering which states to focus investment efforts and, once investments are underway, to ensure timely compliance with applicable advance notice and regulatory review requirements.

For example, in Massachusetts, on January 8, Governor Maura Healey signed into law House Bill 4653 which enhances regulatory oversight in the state health care market, including robust reporting requirements for PE investors in provider entities. Despite a flurry of legislative activity in 2024, however, no other state enacted legislation that uniquely prohibits or limits PE investment in health care. In a widely reported decision, Governor Gavin Newson vetoed California legislation that would have required advance approval by the state attorney general of acquisitions or changes in control of a health care facility or provider group involving PE firms or hedge funds, for the stated reason that existing California regulatory authority to review health care transactions provided sufficient oversight. While PE-targeted legislation advanced in the Connecticut, Minnesota, Oregon, Pennsylvania, and Washington legislatures, none of these bills became law. These bills, or less aggressive versions of them, may be re-introduced in 2025, and other states may consider similar action.

At the same time, state legislatures have instituted or expanded government review and/or approval of health care consolidation transactions above a certain dollar threshold or meeting certain other criteria, including California (as noted above), Colorado, Connecticut, Illinois, Indiana, Massachusetts, Minnesota, New Mexico, New York, Oregon, and Washington. While these health care transaction oversight programs do not uniquely target PE investments, many apply to proposed PE investments in health care. PE firms should monitor these state oversight activities and use this information when making prospective investment decisions in the health care sector.

Contributing Authors: Michele L. Gipp, Anne M. Murphy, and Douglas A. Grimm

3. 2025 Tax Policy Implications for Health Care

With a large portion of the Tax Cuts and Jobs Act of 2017 (TCJA) expiring at the end of 2025, the Republican-controlled Congress and the Trump Administration are prioritizing the passage of a large tax bill (or possibly two smaller separate bills) to extend many provisions under the TCJA and make other tax reforms. In the absence of legislation to extend the TCJA, Americans would wake up to a $4 trillion tax increase on January 1, 2026, which makes passage of tax legislation in 2025 almost certain.

President Trump has advocated for lowering the corporate income tax rate from 21% to 15%, but it remains to be seen whether this will occur. Thus, for taxable corporate entities in the health care sector, there could be possible changes in US income tax rates in 2025. In addition, 2025 tax legislation will require significant revenue-raising measures to offset deficits, thereby putting certain tax benefits enacted under the Inflation Reduction Act of 2022 (IRA) at risk of repeal or modification. Health care providers, investors, real estate investment trusts, and physician groups that have utilized or seek to utilize certain provisions of the IRA to finance operating assets or capital projects (e.g., investment tax credits for investments in green energy projects) should pay close attention to how 2025 tax legislation or executive action may impact these provisions (or their implementation) under the IRA.

We further note that the Internal Revenue Services’ (IRS) 2024-2025 Priority Guidance Plan with respect to tax-exempt organizations identifies revised guidance on group exemptions and community health needs assessments as top priorities. Tax-exempt health care providers should keep an eye out for IRS regulatory action in 2025 that may impact group exemptions and community health needs assessments.

Contributing Authors: Jeffrey B. Tate and William R. Mitchell

4. AI and Health Care

As in prior recent years, we expect artificial intelligence (AI) to continue its exponential growth in the health care industry as large tech firms partner with digital health companies, health insurers, and providers. Federal legislators have yet to enact a comprehensive policy or standards regarding regulation of AI in health care and other industries, and we do not expect such legislation in 2025. On the executive level, HHS began the implementation of an AI strategy, as required by the Biden Administration’s 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI. The US Department of Justice (DOJ) launched its Justice AI Initiative as a pathway to developing its AI policy. The DOJ also updated its Evaluation of Corporate Compliance Programs guidance to require prosecutors to evaluate whether a company’s compliance program includes safeguards to ensure that its deployment of new technologies, including AI, will not result in “deliberate or reckless misuse” that violates criminal laws or the company’s code of conduct. Health care companies are now expected to assess risks associated with these emerging technologies and implement appropriate policies, controls, training, and monitoring of associated risks.

Meanwhile, states have passed laws addressing the use of AI in health care. However, these laws are not unified or consistent and, in the absence of federal legislation, may lead to a patchwork quilt of conflicting or competing requirements for AI platforms operating across multiple states — California, Colorado, Virginia, and Utah are several examples. As a result, health care companies operating on a national basis may experience compliance challenges at the state level.

In the interim, health care providers and tech companies are collaborating to develop industry guidelines and best practices. For example, the Coalition for Health AI (CHAI) launched in March 2024 and now has approximately 3,000 members from across the industry. CHAI released an initial draft of its health AI framework in late 2024 and intends to finalize it in 2025. Additionally, the Consumer Technology Association has published a proposal for an AI regulatory framework. We expect these organizations and additional industry groups to continue development of guardrails for the development and implementation of AI in the health care industry in 2025.

Contributing Author: Douglas A. Grimm

5. Health Insurance Antitrust Litigation Kicks into High Gear

Last year, we saw two significant antitrust developments concerning the health insurance marketplace. First, more than 50 Blue Cross Blue Shield health plans and the Blue Cross Blue Shield Association settled a long-running provider class action alleging the Blues violated antitrust laws by illegally dividing the United States into “services areas” and agreeing not to compete and fixing the prices for health care services. The settlement, which includes both equitable relief and a $2.8 billion settlement fund, was preliminarily approved December 4, 2024, and health care providers have until March 4 to decide to opt out or object to the settlement. Health care providers seeking a monetary settlement from the fund have until July 29 to submit claims to the settlement administrator. Additional information concerning the settlement can be found here. We recommend health care providers closely examine the settlement agreement and posted information about how the settlement will be administered.

Second, another potentially massive health care provider antitrust class action is gearing up right now in In re Multiplan Health Insurance Provider Litigation, Civ No. 1:24-CV-06795 (N.D. Ill.), where the American Medical Association and dozens of health care facilities and providers allege that nearly all of the largest US health insurers engaged in price-fixing for the payment of out-of-network claims by using a single vendor, MultiPlan, to share pricing information and set common, low prices. These cases are still early in the litigation process. But health care providers with out-of-network claims affected by the alleged price-fixing could recover a significant monetary award or settlement if the litigation proceeds and is successful.

Contributing Authors: David S. Greenberg and Brian D. Schneider

6. OIG 2025 Health Care Compliance Priorities and Change at OIG

Recent updates to the HHS Office of Inspector General (OIG) Work Plan provide insights into government enforcement priorities for 2025. The Work Plan, updated by OIG on a monthly basis, summarizes the various audits, reviews, and inspections into health care programs and services that the agency is conducting based on areas the agency has identified as a high risk of fraud, waste, and abuse. Providers, suppliers, and others doing business in the health care industry should take note of OIG’s audit priorities as audit topics indicate the potential for increased government scrutiny and exposure. Providers and suppliers should also ensure they are assessing OIG’s priorities as part of their own internal risk assessments and audit activities.

Recent additions to OIG’s Work Plan indicate that the government is concerned with fraud and abuse in remote patient monitoring (RPM), provision of durable medical equipment, billing for skin substitutes, and optometric services provided to Medicare beneficiaries in nursing facilities. With respect to RPM, after seeing a dramatic increase in Medicare payments for RPM since 2018, the OIG will audit to ensure that RPM services are being furnished and billed in accordance with Medicare requirements. This comes on the heels of an OIG consumer alert warning the public of schemes to enroll Medicare patients and bill the government for RPM services without ever providing any legitimate services. Further, the OIG continues to have concerns with fraud and abuse involving durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS). This coincides with the continued aggressive prosecution of DMEPOS fraud (for instance, in October 2024, a doctor was sentenced to more than 10 years in prison for his role in a fraudulent scheme to prescribe DMEPOS without ever speaking to or treating the patients).

Based on a history of fraud and a recent sharp increase in Medicare Part B expenditures for skin substitutes, the OIG will conduct a study of Part B payments for these products, including reviewing billing trends to identify potentially noncompliant payments. The OIG will also perform an audit of optometrists billing for Part B services for Medicare enrollees in nursing facilities to determine whether services were appropriately documented and billed.

Finally in late January, President Trump fired HHS OIG Inspector General Christi Grimm. While Juliet Hodgkins, a longtime leader at OIG, is currently Principal Deputy Inspector General and atop the agency’s organizational chart, additional changes to OIG leadership are possible.

Contributing Authors: Hillary M. Stemple and Rebekkah R.N. Stoeckler

7. Intensifying Litigation Over Administrative Agency Deference and the FCA’s Qui Tam Provision

In 2024, we saw prominent challenges to health care enforcement through litigation. We expect this trend to continue this year.

In June 2024, as we explained here, the US Supreme Court overturned the Chevron doctrine — the legal principle that the judiciary should defer to a federal agency’s reasonable interpretation of an ambiguous statute — in Loper Bright Enterprises v. Raimondo. In the wake of Loper Bright, we expect an increase in challenges to HHS’s interpretations of federal statutes and its rulemakings. As we described here, here, and here, we expect that litigants may seek to use Loper Bright both as a sword to challenge health care-related agency actions and as a shield to defend against health care enforcement, particularly with respect to the Stark Law. In another case from 2024, Corner Post v. Federal Reserve, the Supreme Court further expanded the window for litigants to do so, holding that the default six-year statute of limitations for lawsuits brought under the Administrative Procedure Act begins to run not upon an agency’s final action but instead when an individual plaintiff is injured by that action. This potentially creates an unlimited time limit for challenging agency final rules.

In September of 2024, judicial scrutiny of health care enforcement further intensified, as explained here, when US District Judge Kathryn Kimball Mizelle of the Middle District of Florida held in a historic decision that the federal False Claims Act’s (FCA) qui tam provision is unconstitutional. In a case titled Zafirov v. Florida Medical Associates LLC, Judge Mizelle found that the provision, which empowers relators to bring actions on behalf of the United States against those who are allegedly violating the FCA, are inconsistent with the structuring of the executive branch of government under Article II of the US Constitution. The government has appealed to the Eleventh Circuit. Health care organizations should pay close attention to this ongoing litigation, as a higher court ruling that strikes down the FCA’s qui tam provision would fundamentally alter FCA enforcement.

Contributing Authors: D. Jacques Smith and Pascal Naples

8. The Rise of Physician Unions

The National Labor Relations Board (NLRB) allows physicians to unionize as long as they are employees and not “supervisors,” as defined by the National Labor Relations Act (NLRA). This means that as health care employers trend toward reallocating supervisory duties from physicians to administrators, physicians will have an easier time showing that they are not “supervisors” and thus have the right to organize and unionize under the NLRA. Physicians’ right to unionize, however, has been permitted for several decades, but it is only recently that it has started to gain more traction. The rise in physician unionization is due to many factors, including physician burnout due to poor working conditions post-COVID-19, and the growing number of employed physicians. Recent data shows that nearly 80% of physicians are now employed by hospitals, health systems, or corporate entities rather than operating independent practices. Notably, the NLRB has expressly given resident physicians the right to unionize. What does this mean for health care facilities? Now more than ever before, health care facilities covered by the NLRA must be prepared to handle the various legal challenges associated with physician and resident unions.

Key legal challenges that health care facilities face with the rise in physician unions include potential Anti-Kickback Statute implications associated with higher compensation and better benefits, and also the risk of disruptions or providing subpar care to patients due to strikes. Physician unions can also have a negative impact on the health care facility’s ability to manage physician schedules, staffing, and clinical practice standards. Above all, if not handled properly, physician unions have the potential to negatively affect patient safety as they may interfere with medical staff operations and its confidential and protected peer review process. As a result, a key legal priority for a health care facility facing physician unionization is ensuring that the facility carefully navigates the collective bargaining process and agreements to ensure that they do not interfere with the facility’s ability to conduct vigorous peer review.

Contributing Authors: Annie Chang Lee and Daniel J. McQueen

9. Fraud, Waste, and Abuse in COVID-19 Health Care Programs

Nearly two years after the federal COVID-19 public health emergency ended, the fight against fraud, waste, and abuse in COVID-19 funding programs remains a top priority for the federal government. The 2024 report from the COVID-19 Fraud Enforcement Task Force (CFETF) highlights the ongoing multi-agency efforts to uncover and prosecute unlawful activities related to these programs. In the health care sector, numerous criminal prosecutions and FCA lawsuits have focused on the misuse of funds from the Provider Relief Fund (PRF) and fraudulent claims reimbursed through the COVID-19 Uninsured Program (UIP). For example, in September 2023, a Los Angeles-area physician was charged with defrauding the UIP by billing for services not covered or never provided, allegedly resulting in approximately $150 million in payments. (For our prior coverage of other enforcement actions related to the UIP, click here, here, and here.) Many of these enforcement actions have been supported by the Pandemic Response Accountability Committee (PRAC), established by the Coronavirus Aid, Relief, and Economic Security (CARES) Act to enhance transparency and coordinate oversight of federal pandemic-related expenditures.

We expect continued criminal and civil enforcement actions targeting parties that received funds from the PRF, UIP, and other COVID-19 programs. To assess their risks of repayment liabilities, health care providers should conduct a thorough review of the funds they received and ensure they complied with applicable program terms and conditions. Should the newly convened Congress pass legislation to extend applicable statutes of limitations and continue the PRAC beyond its scheduled sunset on September 30, enforcement activities could persist for years to come.

Contributing Authors: Gayland O. Hethcoat II and David S. Greenberg

10. Cybersecurity Threats and HIPAA Compliance

Health care organizations face an increasingly perilous cybersecurity landscape, highlighted by the unprecedented Change Healthcare data breach in 2024 which compromised the data of more than 190 million individuals. This breach — the largest ever in the US health care system — demonstrates that even the most sophisticated organizations are vulnerable to cyber threats. Recent statistics from the HHS Office for Civil Rights (OCR) reveal a staggering 102% increase in large scale breaches from 2018 to 2023, with a record 167 million individuals affected in 2023 alone. These alarming figures underscore the urgent need for health care entities and their business associates to strengthen their defenses against hacking, ransomware, and other cyber threats, particularly in safeguarding electronic protected health information (ePHI) as mandated by the Health Insurance Portability and Accountability Act (HIPAA).

In response to this escalating threat environment, OCR has intensified its enforcement of ePHI security safeguards under the HIPAA Security Rule. This is evident in recent monetary settlements that the agency has announced as part of its Risk Analysis Initiative, which is focused on enforcing compliance with HIPAA covered entities and their business associates’ responsibility under the Security Rule to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Concurrently, on January 6, OCR published a Notice of Proposed Rulemaking (NPRM) aimed at significantly modifying the HIPAA Security Rule to enhance cybersecurity protections. The NPRM introduces extensive new obligations, including additional requirements for risk assessments, regular policy reviews, the implementation of multi-factor authentication, and the adoption of other modern security practices to ensure comprehensive protection of ePHI. While the future of these proposed changes remains uncertain given the Trump Administration’s deregulatory agenda, regulated entities must remain vigilant and proactive in their cybersecurity efforts, ensuring they are prepared to protect ePHI and maintain compliance with evolving threats and regulations.

Contributing Authors: Douglas A. Grimm and Gayland O. Hethcoat II

11. IRA Implementation and Pharma Challenges

Since the passage of the IRA in 2022, the provisions of the law that require CMS to directly negotiate reimbursement to be paid by the agency for a subset of drugs covered by Medicare Part D plans have been the subject of much focus and resulting legal challenges. The maximum fair prices (MFPs) for the first selected drugs, available here, will not go into effect until 2026. This year, CMS will begin the negotiation process for the next subset of Part D drugs, with the MFPs going into effect in 2027. CMS may select 15 Part D drugs from a list of the 50 highest-spend drugs under Part D to negotiate MFPs for 2027.

Additionally, the IRA changes to the Part D plan design took effect January 1. Changes include (1) elimination of the infamous “donut hole,” (2) a $2,000 out-of-pocket cost-sharing maximum for Medicare beneficiaries, and (3) replacement of the Coverage Gap Discount Program with the new Manufacturer Discount Program (MDP). Manufacturers desiring Part D coverage for their branded drugs (i.e., those sold under a new drug application or biologic license applications including biosimilars) must participate in the MDP and pay rebates on Part D beneficiary utilization of their branded drug products at a rate of 10% of the “negotiated price” up to the $2,000 out-of-pocket cost-sharing maximum and 20% thereafter.

Meanwhile, pharmaceutical manufacturers continue to challenge the legality of Health Resources & Services Administration (HRSA) guidance and positions related to 340B Drug Discount Program compliance. As a result of the selection of manufacturer drugs for negotiation under the IRA and the implementation of MFPs, several manufacturers proposed honoring the 340B ceiling price through a rebate model rather than an upfront discounted purchase price to avoid duplicate discounts for Medicare patients. Under the IRA, manufacturers are not required to offer a drug at the MFP if it was procured at the 340B price, but CMS punted on assisting in the identification of such duplicates. Accordingly, manufacturers suggested a rebate model to HRSA, which HRSA rejected. Since then, pharmaceutical manufacturers have filed multiple federal lawsuits seeking declaratory relief to force HRSA to recognize the validity of the rebate model. A summary of the cases is below. Stay tuned!

Contributing Author: Stephanie Trunk