Healthcare Providers

Since the 2022 overhaul of Colorado’s restrictive covenant statute, C.R.S. § 8-2-113, the Colorado legislature has made ongoing amendments to the law which continue the trend of limiting the effectiveness of restrictive covenants in the state. Most recently, the 2025 General Assembly took aim at the provisions of the statute regarding restrictive covenants’ applicability to select healthcare providers as well as buyers and sellers of a business.

Recently, Attorney General Pam Bondi purportedly issued an internal memorandum in response to Executive Order 14187 (“Protecting Children from Chemical and Surgical Mutilation”) concerning the treatment of transgender minors by medical practitioners, hospitals, clinics, and pharmaceutical companies. The memo set forth guidance for all Department of Justice (DOJ) employees to investigate individuals and entities who provide gender-affirming care to minor patients. To be clear, the memorandum—which has been posted in various locations on the internet and widely reported on by various media outlets but has not been verified as authentic by Husch Blackwell—is an internal policy statement directed to DOJ personnel and is not law. While it purports to issue “guidelines” pursuant to an executive order from the President, that executive order is itself under scrutiny (and has been partially enjoined).

On March 7, 2025, the U.S. Department of Health and Human Services (HHS) announced that its Office for Civil Rights (OCR) had initiated four investigations into unnamed medical schools and hospitals over allegations that the schools and hospitals “discriminate on the basis of race, color, national origin, or sex” by continuing to implement “DEI” programs.

This blog post explains what HHS OCR is investigating, what laws are at issue, and what those operating medical schools and hospitals with DEI programs should consider, given this and other federal attention to DEI.

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

On August 26, 2024, the United States Attorney’s Office for the District of Montana filed a False Claims Act (FCA) complaint against a Montana oncologist, alleging that the oncologist’s busy schedule led to excessive claims that violated the FCA. The complaint is unusual in that its chief theory is the amount of time the oncologist spent with patients, relative to what the Justice Department claims is the standard practice of other oncologists. In that respect, the complaint is a warning sign to busy physicians across the country.

This blog post begins by explaining how this Montana oncologist found himself on the Justice Department’s radar—a self-disclosure by the health system that previously employed the oncologist—before discussing what the Justice Department is alleging against the oncologist, as well as what other physicians should learn from this lawsuit.

In a landmark decision on June 28, 2024, the Supreme Court overturned a 40-year-old legal precedent known as Chevron deference. Established in 1984, Chevron deference mandated that judges defer to federal agencies concerning interpretations of ambiguous laws, as long as those interpretations were reasonable. This doctrine has been a cornerstone of administrative law, significantly impacting

On June 13, 2024, the Justice Department announced arrests in what it called the nation’s first criminal case against digital health company executives over allegations that those executives caused illegal prescriptions for controlled substances to be ordered by way of telehealth visits.

While the Justice Department has previously brought charges in telehealth cases involving things like orthotic braces or genetic testing, a case against digital health executives involving telehealth-prescribed controlled substances is a first.

On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which requires individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

“Incident to” billing is widely practiced, and its regulations are generally well-known. But one Arizona physician recently found himself pleading guilty in federal court on April 3, 2024, to a criminal healthcare fraud charge over improperly billing Medicare and private payors for healthcare services that failed to abide by the rules over “incident to” billing. This blog post explores how this lack of compliance resulted in such a serious criminal consequence.