On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

On January 8, 2025, a federal grand jury in Virginia returned an indictment against a hospital. The indictment, a rare criminal event in healthcare, alleges that Chesapeake Regional Medical Center conspired to defraud the United States and committed healthcare fraud. Hospitals are almost never criminally charged, as federal investigations into hospitals are nearly always civil proceedings under the False Claims Act. This post explains how this hospital’s alleged actions rose to the level that merited criminal indictment.

On November 15, 2024, the California Board of Pharmacy issued a public notice of its intent to modify Cal. Code Regs. tit. 16 § 1708.2, which governs the discontinuation of pharmacy businesses in California. The regulation currently states:

“Any permit holder shall contact the board prior to transferring or selling any dangerous drugs, devices or

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

On September 9, 2024, the U.S. Department of Labor (DOL), Health and Human Services (HHS), and Treasury (collectively, the Departments) issued a Final Rule clarifying and adding requirements on health plans to provide equitable access to health insurance coverage for treatment of mental health and substance use disorders (SUDs), as required by the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) and implementing regulations at 45 C.F.R. Parts 146 and 147 (the 2024 Final Rule).

MHPAEA is a federal law that prevents group health plans and health insurance issuers (collectively, Health Plans) that provide mental health or substance use disorder benefits from imposing less favorable benefit limitations on those benefits than they do for a medical condition or surgical procedure. This means that Health Plans cannot impose additional financial requirements or apply non-quantitative treatment limitations (NQTLs) to these benefits more stringently than those applied to medical/surgical benefits.

On August 26, 2024, the United States Attorney’s Office for the District of Montana filed a False Claims Act (FCA) complaint against a Montana oncologist, alleging that the oncologist’s busy schedule led to excessive claims that violated the FCA. The complaint is unusual in that its chief theory is the amount of time the oncologist spent with patients, relative to what the Justice Department claims is the standard practice of other oncologists. In that respect, the complaint is a warning sign to busy physicians across the country.

This blog post begins by explaining how this Montana oncologist found himself on the Justice Department’s radar—a self-disclosure by the health system that previously employed the oncologist—before discussing what the Justice Department is alleging against the oncologist, as well as what other physicians should learn from this lawsuit.

Engaging in management and investor conversations about maintaining and growing a business is critical, no matter the industry. Whether you’re discussing normal business sustainability, organic growth, or contemplating a sale, these discussions become more complex when practicing physicians are the business’s revenue generators. These conversations must be handled carefully to comply with the spirit and letter of healthcare’s strict fraud and abuse laws. To ensure these discussions are both productive and compliant, it’s essential to navigate these complex regulations effectively.

On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which require individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

On November 6, 2023, the Office of Inspector General (“OIG”) issued its long-awaited General Compliance Program Guidance (“Guidance”) “to help advance the industry’s voluntary compliance efforts in preventing fraud, waste, and abuse in the health care system.” Although the Guidance is nonbinding, it reflects the OIG’s expectation that compliance programs become increasingly sophisticated in their approach to identifying and managing compliance risks as healthcare delivery and payment models continue to evolve.

The Department of Health and Human Services (HHS), through its Office of Inspector General (OIG), announced plans for significant updates and modernization of OIG compliance program guidance (CPG) to improve their accessibility and usability for healthcare entities.[1] Originally issued in 1998, the CPG provide healthcare organizations across the industry with guidance on developing, implementing, and maintaining internal compliance controls. In the 25 years since, the OIG has issued multiple specific CPGs that apply to particular segments of the healthcare industry, including Medicare Advantage organizations, hospitals, home health agencies, nursing homes, and clinical laboratories. However, over time the CPGs have not sufficiently kept up with the innovations and growth of the healthcare industry.