This monthly update highlights key regulatory developments, enforcement trends, and compliance issues affecting health care providers across the continuum – from solo practices to hospitals and large physician groups. Each section includes practical action items to help you assess risk and prepare for upcoming obligations.  April developments reflect increased scrutiny of emerging care delivery models, including medical spa services and technology-assisted care. 

Regulatory Developments

Iowa CON Framework and Emerging Technology Risks

Iowa’s Certificate of Need (CON) program continues to evolve as policymakers evaluate the scope and applicability of facility and service regulation. The current CON framework is set forth at Iowa Code §§ 10A.711–10A.729, which governs review requirements for certain institutional health facilities, capital expenditures, and service expansions.  Recent legislative activity reflects continued interest in modifying CON requirements, particularly with respect to review thresholds and applicability. Providers considering new facilities, capital expenditures, or service line expansions should evaluate whether proposed projects trigger CON review or fall within available exemptions under current law.  

At the federal level, regulators continue to focus on emerging technology in healthcare, including the use of artificial intelligence in clinical decision-making, documentation, and administrative functions. Although comprehensive AI-specific regulation remains limited, existing requirements governing billing, documentation, and nondiscrimination apply regardless of the tools used, including obligations under 42 U.S.C. § 1320a-7k(d) (overpayments) and 45 C.F.R. Part 84 (Section 504 nondiscrimination).

Action Items:

  • Evaluate whether proposed expansions or capital projects trigger CON review under Iowa Code §§ 10A.711–10A.729. 
  • Confirm whether any statutory exemptions apply to planned projects. 
  • Inventory use of AI tools in clinical, billing, or administrative workflows. 
  • Ensure human oversight and documentation protocols remain in place when AI tools are utilized.

Contracting Focus

Medical Director Oversight and GLP-1 Expansion in Iowa Medical Spa and Wellness Models

Regulators and licensing boards are increasingly scrutinizing supervision and delegation arrangements in Iowa medical spa and wellness clinic settings. This scrutiny has intensified as providers expand services involving injectables and weight-loss medications, particularly GLP-1 receptor agonists (e.g., semaglutide and tirzepatide).  Demand for these therapies has also led to growth in compounded products, off-label prescribing, and direct-to-consumer care models, all of which raise additional regulatory and compliance considerations. In addition, emerging “next-generation” incretin-based therapies such as combination GLP-1 receptor agonists and other multi-agonist drugs are expected to further expand this space, increasing complexity around prescribing, supervision, and documentation.

In Iowa, medical spa services that constitute the practice of medicine must be performed by, or under the supervision of, a licensed physician, consistent with applicable scope of practice requirements. Physicians serving in a medical director role remain responsible for the medical services provided under their direction. Iowa Board of Medicine rules, including Iowa Admin. Code ch. 653-13 (Physician Practice) and Iowa Admin. Code r. 653-13.6, establish standards of physician practice and professional responsibility that apply regardless of the care setting. These responsibilities require meaningful physician involvement and cannot be satisfied through nominal or purely administrative oversight.  Delegation and supervision are also informed by Iowa Admin. Code ch. 653-15 (Physician Assistants) and applicable nursing board rules. Collectively, these requirements mandate that delegated medical services be performed under appropriate physician oversight and within the training and competence of the individual performing the service.

In addition to scope of practice considerations, compensation and ownership structures in these models may implicate the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b), and applicable safe harbors at 42 C.F.R. § 1001.952, particularly where compensation is tied to volume, referrals, or service utilization.

Action Items:

  • Confirm that all GLP-1 and related therapies are prescribed and administered by appropriately licensed individuals or under proper physician supervision. 
  • Evaluate medical director arrangements to ensure active physician involvement, oversight, and accountability, consistent with Iowa Admin. Code r. 653-13.6. 
  • Review policies addressing compounded medications and off-label use, including sourcing, prescribing protocols, and documentation practices. 
  • Ensure patient evaluations support medical necessity and are not limited to questionnaire-based or asynchronous prescribing models. 
  • Evaluate compensation and ownership arrangements for compliance with federal fraud and abuse laws. 
  • Confirm that delegation protocols align with Iowa Admin. Code ch. 653-13 and ch. 653-15 and applicable scope of practice requirements.

Compliance Focus

Informed Consent and Documentation in AI-Assisted Care

As providers increasingly incorporate AI tools into clinical workflows, regulators are focusing on whether existing informed consent and documentation practices adequately reflect how care is delivered. While no uniform federal statute governs AI-specific consent, traditional informed consent principles continue to apply, including requirements that patients receive sufficient information to make informed decisions regarding their care.  Use of AI-assisted documentation or coding tools may increase risk if outputs are not reviewed and validated by licensed providers. Inaccurate or unsupported documentation may create exposure under the False Claims Act, 31 U.S.C. §§ 3729–3733, particularly where claims are submitted based on deficient records.  In addition, nondiscrimination requirements under 45 C.F.R. Part 84 (Section 504) apply regardless of whether care decisions are supported by automated tools, including potential concerns related to bias in algorithmic decision-making.

Action Items:

  • Review informed consent policies to address technology-assisted care where appropriate. 
  • Confirm that AI-assisted documentation is reviewed and validated by licensed providers. 
  • Evaluate whether patient communications accurately describe services being provided. 
  • Train staff on appropriate use and limitations of AI-assisted tools. 

Litigation and Risk Management Trends

Expansion of Consumer Protection and Licensing Enforcement
Recent enforcement trends reflect increased activity not only under federal fraud statutes, but also under state consumer protection laws and professional licensing frameworks. This is particularly evident in areas such as medical spas, weight-loss clinics, and direct-to-consumer healthcare models.  In Iowa, enforcement risk may arise under the Iowa Consumer Fraud Act, Iowa Code § 714H.3, as well as through disciplinary authority exercised by state licensing boards. These cases often focus on advertising practices, supervision, scope of practice, and whether services are provided in a manner consistent with professional standards.  Billing-related issues may also trigger repayment obligations under 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305.

Action Items:

  • Review marketing and advertising materials for compliance with Iowa Code § 714H.3 and applicable professional standards. 
  • Confirm that services are provided within licensure and scope of practice parameters. 
  • Evaluate supervision structures in higher-risk service lines. 
  • Document compliance efforts and corrective actions where issues are identified.

FAQ of the Month

“Do we need to disclose use of AI tools to patients?”

There is currently no uniform federal requirement mandating disclosure of AI use in all circumstances. However, existing informed consent principles require that patients receive sufficient information to understand the nature of their care.  If AI tools materially affect clinical decision-making, documentation, or communication, providers should consider whether disclosure is appropriate as part of the informed consent process. Clear documentation and provider oversight remain critical to reducing risk.

Upcoming Deadlines & Reminders

  • Section 504 Accessibility Requirements – Extended Compliance Date May 11, 2027: HHS has extended compliance deadlines for certain accessibility requirements under 45 C.F.R. Part 84, including web and mobile application accessibility for covered entities with 15 or more employees. 
  • HIPAA Claims Attachment Standards – Effective May 26, 2026: Covered entities should continue preparing for implementation of standardized electronic claims attachment transactions and electronic signature requirements under 45 C.F.R. Part 162. 
  • HIPAA Claims Attachment Compliance Deadline – May 26, 2028: Full compliance with the new transaction standards will be required within two years of the effective date. 
  • Monthly OIG Exclusion Screening: Conduct monthly exclusion screening as recommended by OIG guidance using the List of Excluded Individuals and Entities (LEIE). 
  • Medicare Revalidation (Rolling Deadlines): Providers should monitor for CMS revalidation notices and comply with deadlines stated in CMS communications. 
  • Iowa CON and Insurance Reform Developments (HF 2635): Providers should monitor implementation of HF 2635 (2026), which has been enrolled and sent to the Governor and, if signed, is scheduled to take effect July 1, 2026.

Disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by this communication. Parties should consult with their own qualified attorney for advice regarding their specific legal situation.

For questions or assistance, contact Paul A. Drey or Emily E. Reiners of the Brick Gentry P.C. Healthcare & Regulatory Team.

This monthly update highlights key regulatory developments, enforcement trends, and compliance issues affecting health care providers across the continuum – from solo practices to hospitals and large physician groups. Each section includes practical action items to help you assess risk and prepare for upcoming obligations.

Regulatory Developments

New Federal Activity Emphasizes Billing Integrity and Accessibility Requirements

March 2026 saw significant federal activity focused on billing accuracy and administrative simplification. On March 24, 2026, HHS finalized new HIPAA standards governing electronic claims attachments and electronic signatures under the Administrative Simplification provisions, 45 C.F.R. Part 162. These standards are intended to replace manual processes such as fax and mail with standardized electronic transactions supporting claims documentation.

The final rule becomes effective May 26, 2026, with compliance required by May 26, 2028.

In parallel, CMS has continued to emphasize program integrity and fraud detection, including a Request for Information seeking stakeholder input on expanded enforcement tools and data-driven oversight mechanisms.

Recent CMS and OIG activity also continues to highlight improper payments tied to documentation deficiencies and inconsistencies between clinical records and billed services, reinforcing the government’s ongoing focus on billing integrity.

Providers should also be preparing for compliance obligations under HHS’s updated Section 504 regulations governing nondiscrimination and accessibility, 45 C.F.R. Part 84, with key accessibility-related requirements for many covered entities taking effect in May 2026.

Action Items:

  • Conduct targeted documentation audits in high-risk service areas.
  • Ensure clinical documentation supports medical necessity and level of service billed.
  • Provide refresher training to providers and coding staff on documentation requirements.
  • Evaluate internal controls around claims submission and supporting documentation.

Contracting Focus

Increased Scrutiny on Technical Compliance with Written Agreements

Recent enforcement activity continues to highlight technical deficiencies in contracting, particularly where agreements are expired, unsigned, or inconsistent with actual services performed. Even where compensation appears to be fair market value, the absence of a current written agreement remains a recurring basis for Stark Law exposure under 42 U.S.C. § 1395nn and its implementing regulations at 42 C.F.R. §§ 411.351 and 411.357.

Regulators also continue to evaluate these arrangements under the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b), and applicable safe harbors at 42 C.F.R. § 1001.952.

Action Items:

  • Inventory all physician and vendor agreements and confirm execution status.
  • Identify and remediate expired or unsigned agreements.
  • Ensure contract terms align with actual services being performed.
  • Implement or update contract tracking systems to monitor renewal and signature requirements.

Compliance Focus

Ongoing Emphasis on Internal Auditing and Program Effectiveness

Recent OIG activity, including work plan updates and audit findings, continues to emphasize the importance of active internal auditing and monitoring. These expectations align with OIG’s General Compliance Program Guidance and the Department of Justice’s Evaluation of Corporate Compliance Programs.

In addition, the updated Section 504 regulations under 45 C.F.R. Part 84 expand expectations around nondiscrimination, effective communication, and accessibility, requiring organizations to evaluate not only policies but also operational practices and digital access.

Action Items:

  • Finalize and implement a 2026 compliance audit work plan.
  • Prioritize audits in high-risk areas, including billing, documentation, and referral arrangements.
  • Review nondiscrimination policies and procedures for alignment with Section 504 requirements.
  • Document audit findings and corrective actions.
  • Report audit results to leadership and governing bodies.

Litigation & Risk Management Trends

Expansion of Data Analytics and Continued False Claims Act Exposure

Government enforcement agencies continue to expand the use of data analytics to identify billing outliers and target providers for audit. Both government and commercial payors increasingly rely on extrapolation methodologies, increasing potential financial exposure.

Failure to timely return identified overpayments may create exposure under the False Claims Act, 31 U.S.C. §§ 3729–3733, particularly in light of repayment obligations under 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305.

At the same time, providers should anticipate increased scrutiny of nondiscrimination and accessibility issues under federal civil rights laws, including Section 504, particularly where access to services or communication methods may be limited.

Action Items:

  • Analyze internal billing data for outliers compared to peer benchmarks.
  • Conduct internal reviews where anomalies are identified.
  • Develop a standardized audit response protocol.
  • Assess accessibility of services, including communication methods and digital platforms.
  • Maintain documentation supporting medical necessity and coding decisions.

FAQ of the Month

“What should we be doing now to prepare for Section 504 compliance requirements?”

Healthcare organizations should begin by reviewing nondiscrimination policies, communication practices, and accessibility of services in light of updated requirements under 45 C.F.R. Part 84.

This includes evaluating how services are provided to individuals with disabilities and assessing accessibility of electronic and information technology. Organizations should identify gaps and develop a plan to address them prior to applicable May 2026 compliance requirements for covered entities.

Upcoming Deadlines & Reminders

  • CMS Program Integrity RFI – Comments Due March 30, 2026: Providers may wish to evaluate and respond to CMS’s request for input on expanded fraud detection and enforcement tools.
  • Monthly OIG Exclusion Screening: Conduct monthly exclusion screening as recommended by OIG guidance using the List of Excluded Individuals and Entities (LEIE). Screening should be completed before the end of each month, with documentation retained.
  • Medicare Revalidation (Rolling Deadlines): CMS continues to issue revalidation notices on a rolling basis. Providers should monitor for revalidation letters and comply with deadlines stated in CMS notices or published revalidation due dates.
  • Section 504 Accessibility Requirements – May 2026: Covered healthcare entities should prepare for compliance with updated nondiscrimination and accessibility requirements under 45 C.F.R. Part 84, including accessibility of services and digital platforms.
  • HIPAA Claims Attachment Standards – Effective May 26, 2026: Covered entities should begin preparing for implementation of standardized electronic claims attachment transactions and electronic signature requirements under 45 C.F.R. Part 162.
  • HIPAA Claims Attachment Compliance Deadline – May 26, 2028: Full compliance with the new transaction standards will be required within two years of the effective date.
  • Corporate Transparency Act (If Applicable): Entities should confirm whether any current Beneficial Ownership Information reporting obligations apply under 31 U.S.C. § 5336 and current FinCEN guidance, particularly for foreign reporting companies.

Disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by this communication. Parties should consult with their own qualified attorney for advice regarding their specific legal situation.

For questions or assistance, contact Paul A. Drey or Emily E. Reiners of the Brick Gentry P.C. Healthcare & Regulatory Team.

This monthly update highlights key regulatory developments, enforcement trends, and compliance issues affecting health-care providers across the continuum – from solo practices to hospitals and large physician groups. Each section includes practical action items to help you assess risk and prepare for upcoming obligations.

Regulatory Developments

Continued Enforcement Focus on Data Security and Billing Integrity

Federal regulators continue to prioritize HIPAA Security Rule compliance under 45 C.F.R. Part 164, Subpart C, particularly the required risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A). Agencies also remain focused on timely reporting and repayment of identified overpayments under the 60-Day Rule, 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305. In addition, referral relationships and marketing arrangements continue to receive scrutiny under the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b). Recent enforcement activity from HHS’s Office for Civil Rights and the Department of Justice underscores a consistent message: regulators expect proactive compliance infrastructure, documented oversight, and timely corrective action.

Action Items:

  • Confirm your HIPAA Security Risk Analysis is current and reflects ransomware and third-party access risks.
  • Conduct a tabletop exercise to test breach response procedures.
  • Audit internal billing practices for medical necessity documentation and modifier usage.
  • Review referral and marketing relationships for written documentation and regulatory compliance.

Contracting Focus

Fair Market Value and Commercial Reasonableness

Compensation arrangements remain one of the most common enforcement triggers under the Stark Law, 42 U.S.C. § 1395nn and its implementing regulations at 42 C.F.R. §§ 411.351 and 411.357, as well as under the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b), and its regulatory safe harbors at 42 C.F.R. § 1001.952. Regulators are evaluating not only whether contracts exist, but whether they are commercially reasonable, supported by fair market value, and consistent with actual operational practices. Agreements that appear compliant on paper may still present risk if services are not performed as documented or if compensation methodology raises referral concerns.

Action Items:

  • Review expiring physician, medical director, and management agreements.
  • Confirm services described in agreements are actually performed and documented.
  • Update fair market value support when compensation changes.
  • Ensure compensation formulas do not take into account the volume or value of referrals where prohibited.

Compliance Focus

Board and Leadership Oversight Expectations

Both the Department of Justice and the Office of Inspector General have emphasized active
governance oversight in compliance programs, including in the DOJ’s Evaluation of Corporate Compliance Programs guidance and OIG’s updated General Compliance Program Guidance. A written compliance plan alone is no longer sufficient. Regulators increasingly expect demonstrable leadership engagement, meaningful reporting structures, and documented oversight at the executive and board levels. The absence of documentation often becomes as problematic as the absence of compliance activity itself.

Action Items:

  • Ensure compliance reporting occurs regularly at the executive or board level.
  • Document leadership discussions regarding compliance risks.
  • Confirm anonymous reporting mechanisms are accessible and functional.
  • Update annual compliance training to reflect current enforcement priorities.

Litigation & Risk Management Trends

Overpayments, False Claims Exposure, and Employment Claims

Failure to timely return identified overpayments can create exposure under the False Claims Act, 31 U.S.C. §§ 3729–3733. Courts have interpreted “identified” broadly once a provider is put on notice of a potential overpayment, placing increased importance on prompt internal investigation and documentation. Healthcare employers also continue to face retaliation claims under 31 U.S.C. § 3730(h), wage-and-hour disputes under the Fair Labor Standards Act, 29 U.S.C. § 201 et seq., and restrictive-covenant challenges, depending on evolving state-law standards. Strong internal documentation and consistent employment practices significantly reduce litigation risk.

Action Items:

  • Establish a written overpayment investigation protocol.
  • Document steps taken once a billing issue is discovered.
  • Audit wage classification for exempt and non-exempt employees.
  • Review restrictive covenants for enforceability under current law.

FAQ of the Month

“If we identify a potential overpayment but are still investigating, when does the 60-day clock start?”

Under 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305, the repayment obligation is triggered
once an overpayment is “identified.” Courts have held that identification occurs when a provider has actual knowledge of the overpayment or acts in reckless disregard or deliberate ignorance. The regulation defines “identified” as when a provider has determined, or should have determined through reasonable diligence, that an overpayment was received. Prompt investigation, written documentation of findings, and timely repayment when required are critical to mitigating False Claims Act exposure.

Upcoming Deadlines & Reminders

  • Monthly OIG Exclusion Screening: Conduct monthly exclusion screening as recommended by OIG guidance using the List of Excluded Individuals and Entities (LEIE). Screening should be completed before the end of each month, with documentation retained.
  • Medicare Revalidation (Rolling Deadlines): CMS continues to issue revalidation notices on a rolling basis. Providers should monitor for revalidation letters and calendar submission deadlines immediately upon notice. Revalidation typically must be completed within 60 days of CMS notification to avoid deactivation.
  • HIPAA Security Risk Analysis Review: While HIPAA does not impose a fixed annual deadline, organizations that conduct risk analyses on a calendar-year cycle should schedule completion during Q1 2026 to maintain consistency with 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Overpayment Monitoring and Repayment Protocols: Ensure internal processes are in place to identify, investigate, and timely return overpayments in accordance with 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305.
  • Corporate Transparency Act (If Applicable): Entities subject to the Corporate Transparency Act should confirm applicable Beneficial Ownership Information reporting obligations under 31 U.S.C. § 5336 and current FinCEN guidance. Enforcement timelines have been subject to ongoing federal litigation, and reporting obligations should be verified prior to filing.
  • Annual Compensation Review Preparation: Organizations anticipating mid-year compensation adjustments should begin Stark Law and fair market value review processes early in the year to allow adequate documentation prior to implementation.

Disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by this communication. Parties should consult with their own qualified attorney for advice regarding their specific legal situation.

For questions or assistance, contact Paul A. Drey or Emily E. Reiners of the Brick Gentry P.C. Healthcare & Regulatory Team.

This monthly update highlights key regulatory developments, enforcement trends, and compliance issues affecting health-care providers across the continuum – from solo practices to hospitals and large physician groups. Each section includes practical action items to help you assess risk and prepare for upcoming obligations.

Regulatory Developments

HIPAA Notice of Privacy Practices Updates Due February 16, 2026

Covered entities must update their Notice of Privacy Practices (NPP) by February 16, 2026 to comply with HIPAA Privacy Rule amendments addressing substance use disorder (SUD) records under 42 CFR Part 2.  The amendments affect providers that create or maintain SUD-related records, including mental health practices, primary care providers, hospitals, and integrated care settings. Even providers that do not offer substance use disorder treatment must update their NPP, as the obligation applies broadly to covered entities and is not limited to Part 2 programs.  Under the revised rule, Part 2 records may generally be disclosed for treatment, payment, and health care operations based on a single written consent, rather than requiring separate consents for each disclosure. At the same time, heightened protections remain in place, including limits on redisclosure and restrictions on using SUD records in criminal, civil, or administrative proceedings against a patient.  Many existing NPPs do not reflect these changes or treat SUD records the same as other protected health information. Those notices should be reviewed and updated to avoid compliance gaps and patient confusion.

Action Items:

  • Review your current NPP for compliance with the 2026 HIPAA updates, even if you do not provide SUD treatment services.
  • Update posted notices, including websites, patient portals, and intake materials, by February 16, 2026.
  • Ensure staff understand that SUD records remain subject to heightened privacy protections despite expanded consent rules.

Contracting Focus

Employment vs. Independent Contractor Arrangements in Health Care

Health-care providers frequently use independent contractor arrangements for clinical services, coverage, or specialized roles. In practice, many of these relationships function more like employment, which can create legal, tax, and regulatory risk if the structure does not match how the individual is actually treated.  Misclassification issues arise when contractors are subject to the same scheduling, supervision, and operational controls as employees, or when contracts do not clearly define responsibilities, compensation, and termination rights. In health care, these risks can extend beyond wage-and-hour concerns and affect reimbursement, licensure, supervision requirements, and liability exposure.  Recent enforcement and audit activity across multiple agencies has increased scrutiny of contractor arrangements, particularly in settings involving clinical supervision, use of facility resources, and long-term or exclusive relationships.

Action Items:

  • Review whether individuals classified as independent contractors are truly operating with appropriate independence.
  • Confirm that contractor agreements clearly define scope of services, compensation, scheduling authority, and termination rights.
  • Evaluate whether supervision, documentation, and coverage requirements are consistent with the contractor model.

Compliance Focus

Responding to ICE Requests in Health-Care Settings

Health-care providers increasingly face questions about how to respond when Immigration and Customs Enforcement (ICE) agents request information or access to patients or facilities. While providers must comply with applicable law, HIPAA and state privacy laws continue to apply.  ICE agents do not have automatic authority to access patient information. HIPAA generally prohibits disclosure of protected health information without patient authorization unless a specific exception applies. Administrative warrants or subpoenas may not require immediate compliance and should be reviewed carefully. Patient-care areas also raise heightened privacy and safety concerns.  Providers should be prepared to respond calmly and consistently, without interfering with law enforcement activity or disclosing information unnecessarily.

Action Items:

  • Develop or update a written policy addressing law-enforcement requests, including ICE inquiries.
  • Train front-desk and clinical staff not to release information or grant access without appropriate authorization.
  • Identify a single internal point of contact for law-enforcement interactions.

Litigation & Risk Management Trends

Balancing Patient Privacy and Law Enforcement Requests

Recent complaints and enforcement actions show that providers face risk on both sides from improper disclosures of patient information to failures to follow internal procedures when law enforcement is involved.  Common problem areas include staff releasing information without authorization, inconsistent responses across departments or locations, lack of documentation of law-enforcement interactions, and confusion between administrative requests and judicial orders. Regulators and investigators increasingly expect providers to demonstrate reasonable, documented decision-making, even in high-pressure situations.

Action Items:

  • Confirm that privacy policies clearly address responses to law-enforcement requests.
  • Ensure interactions with law enforcement are documented and reviewed internally.
  • Align privacy, security, and risk-management teams on response protocols.

FAQ of the Month

“If ICE asks for patient information, do we have to comply?”

Not automatically.  HIPAA generally prohibits disclosure of protected health information without patient authorization unless a specific exception applies. Whether disclosure is permitted depends on the type of request, the information sought, and applicable federal and state law. In many cases, providers may decline immediate disclosure and request time to review the request with legal counsel.  Providers should not ignore ICE requests, but they should not comply without understanding their legal obligations.

Upcoming Deadlines & Reminders

  • February 16, 2026: Updated HIPAA Notice of Privacy Practices must be implemented and posted.
  • Q1 HIPAA Security Risk Assessments: Many organizations target early-year completion.
  • Professional License Renewals: Several health professions renew in Q1; verify staff deadlines.
  • Policy Reviews: Early 2026 is an ideal time to update privacy, compliance, and emergency response policies.

Disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by this communication. Parties should consult with their own qualified attorney for advice regarding their specific legal situation.

For questions or assistance, contact Paul A. Drey or Emily E. Reiners of the Brick Gentry P.C. Healthcare & Regulatory Team.

Brick Gentry P.C. is pleased to announce the relaunch of our Healthcare Law Update, a monthly publication designed for Iowa’s healthcare providers, including hospitals, clinics, rural health systems, behavioral health organizations, physician groups, and individual practitioners.

Beginning January 2026, our healthcare practice group will provide regular insights on key legal and regulatory developments affecting healthcare entities and providers across the State of Iowa. Each monthly update will feature:

  • Regulatory and compliance changes, including HIPAA, Stark/AKS, telehealth, reimbursement, credentialing, and licensing.
  • Litigation trends and notable case developments impacting healthcare providers.
  • Federal and state guidance relevant to Iowa’s hospitals, clinics, physician groups, behavioral health providers, and individual practitioners.
  • Practical considerations for administrators, executives, and boards.
  • Hands-on considerations necessary to navigate healthcare contracts.

As state and federal requirements continue to evolve, our goal is to offer clear, Iowa-focused guidance that helps organizations and individuals navigate operational and legal challenges throughout 2026 and beyond.

We welcome suggestions from healthcare leaders and partners regarding topics of interest for future updates. Please contact us with questions or ideas.

– Paul Drey & Emily Reiners

Brick Gentry, P. C., and the Iowa Healthcare Law Blog are excited to announce that Emily Reiners is now a shareholder with Brick Gentry and will be a key contributor to the Iowa Healthcare Law Blog.  Emily brings her past healthcare experience from her time as an attorney in private practice and at Unity Point.  She brings a keen understanding of regulatory and compliance law issues in the healthcare arena, as well as superior skills in drafting and reviewing healthcare contracts and advising healthcare professionals in Iowa.  Her approach and knowledge of the important issues make her a trusted advisor to those with whom she works.  We are so pleased that she is now part of our Brick Gentry Healthcare Team.

MACRA’S QUALITY PAYMENT PROGRAM HAS GONE LIVE – ACTION REQUIRED IN 2017 TO AVOID PART B PAYMENT REDUCTIONS IN 2019 – QPP BASICS TO KNOW IN GETTING STARTED

A new Congress has convened, a new administration is at the helm, and repeal of the Affordable Care Act (ACA) is on the docket, an action of consequence for, among other things, the Medicare Shared Savings Program (MSSP), primary care medical homes, and other Medicare-developed alternative payment models (APMs). On the other hand, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), establishing a Medicare Part B Quality Payment Program (QPP), is bipartisan legislation of little debate. The American Medical Association, the American Hospital Association, and over 100 other health care entities have appealed to the Administration to preserve value-based care.  https://www.premierinc.com/wp-content/uploads/2017/01/Jan-25-letter1-24-17-Administration.pdf. So, even in the midst of ACA uncertainty, MACRA and its QPP are moving forward. The Centers for Medicare and Medicaid Services (CMS), by rule, has developed a QPP structure that went live on January 1, 2017.

Continue Reading MACRA’s Quality Payment Program Has Gone Live

Medicare/Medicaid Reform and ACA Repeal on the Horizon, MACRA Moves Forward for Now

The new administration’s agenda for health care may have come into clearer focus with President-Elect Donald Trump’s nomination of House Representative Tom Price, MD, a Republican from Georgia, as Secretary of Health and Human Services (HHS) and Seema Verma, MPH, as CMS Administrator. The American Medical Association (AMA) released a statement of strong support for Congressman Price, encouraging a swift confirmation vote. “Dr. Price,” the AMA said, “has been a leader in the development of health policies to advance patient choice and market-based solutions as well as reduce excessive regulatory burdens that diminish time devoted to patient care and increase costs.”

Continue Reading President-Elect Trump Names Rep. Tom Price, MD (R-GA) as HHS Secretary, Seema Verma, Health Care Consultant, as CMS Administrator

QRUR Informal Review Also Available.

Physicians and other eligible professionals and practices who failed to meet criteria for satisfactory PQRS reporting in calendar year (CY) 2015 now face a negative 2% adjustment in Medicare Part B payments for CY 2017. Physicians who believe CMS has inappropriately determined that a negative PQRS payment adjustment applies to them have until November 30* to request an informal review.  CMS set forth the following instructions for requesting an informal review.  *Deadline for requesting informal review of VM calculations now extended to December 7, 2016.

Continue Reading Time Remains to File a request for Informal Review of CY 2017 PQRS Negative Payment Adjustment

On October 14, 2016, the Centers for Medicare & Medicaid Services (CMS) released its final rule implementing the new Quality Payment Program for physicians in lieu of the repealed sustainable growth rate factor (SGR). Rather than facing substantial annual reductions in Medicare payment fees as a result of the SGR, physicians now have two interrelated pathways to earn quality-based, cost efficient incentive payments under Medicare:  the Merit-based Incentive Payment System (MIPS) or Advanced Alternative Payment Models (Advanced APMs). MIPS consolidates three existing quality-based incentives programs – the Physician Quality Reporting System (PQRS), the Physician Value-based Payment Modifier (VM), and the Medicare Electronic Health Record (EHR) Incentive Program – while maintaining an ongoing focus on achieving quality and cost efficiencies through use of certified EHR technology (CEHRT).

Continue Reading CMS publishes Final MACRA Rule for MIPS and APM Incentives