Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

On August 26, 2024, the United States Attorney’s Office for the District of Montana filed a False Claims Act (FCA) complaint against a Montana oncologist, alleging that the oncologist’s busy schedule led to excessive claims that violated the FCA. The complaint is unusual in that its chief theory is the amount of time the oncologist spent with patients, relative to what the Justice Department claims is the standard practice of other oncologists. In that respect, the complaint is a warning sign to busy physicians across the country.

This blog post begins by explaining how this Montana oncologist found himself on the Justice Department’s radar—a self-disclosure by the health system that previously employed the oncologist—before discussing what the Justice Department is alleging against the oncologist, as well as what other physicians should learn from this lawsuit.

In a landmark decision on June 28, 2024, the Supreme Court overturned a 40-year-old legal precedent known as Chevron deference. Established in 1984, Chevron deference mandated that judges defer to federal agencies concerning interpretations of ambiguous laws, as long as those interpretations were reasonable. This doctrine has been a cornerstone of administrative law, significantly impacting

On June 13, 2024, the Justice Department announced arrests in what it called the nation’s first criminal case against digital health company executives over allegations that those executives caused illegal prescriptions for controlled substances to be ordered by way of telehealth visits.

While the Justice Department has previously brought charges in telehealth cases involving things like orthotic braces or genetic testing, a case against digital health executives involving telehealth-prescribed controlled substances is a first.

On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which requires individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

“Incident to” billing is widely practiced, and its regulations are generally well-known. But one Arizona physician recently found himself pleading guilty in federal court on April 3, 2024, to a criminal healthcare fraud charge over improperly billing Medicare and private payors for healthcare services that failed to abide by the rules over “incident to” billing. This blog post explores how this lack of compliance resulted in such a serious criminal consequence.

Most experienced False Claims Act (FCA) practitioners are all too familiar with the statutory provision requiring defendants to pay whistleblowers’ attorneys’ fees at the end of FCA cases. What is less commonly known is the provision that grants defendants their attorneys’ fees in certain circumstances.

One whistleblower learned about that provision the hard way, when on March 14, 2024, a Mississippi federal judge ordered that he pay over $1 million to cover the defendants’ attorneys’ fees, following grant of summary judgment to defendants in what the judge labeled a “frivolous” qui tam. This blog post looks at the case that led to such a large attorneys’ fees award and considers the types of cases in which these efforts are wise.

In the United States, mental health (“MH”) and substance use disorder (“SUD”) (collectively “MH/SUD”) have continued to represent areas of intense concern. During the COVID-19 pandemic, the MH struggles of essential workers and health care professionals were pushed to the forefront. However, issues related to MH/SUD have continued to escalate.

For years, law enforcement has bypassed traditional means of securing evidence by informal requests for documents from witnesses of crimes. At some point, that practice bled over into informal requests for healthcare providers’ documents, including documents reflecting protected health information (PHI). Healthcare providers, for the most part, have complied with these informal requests because, as the logic goes, law enforcement couldn’t possibly prosecute me for complying with law enforcement, right? Isn’t that entrapment?

This cooperative, well-intentioned practice by healthcare providers now appears to be drawing scrutiny from Congress. On December 12, 2023, members of Congress sent a letter to Health & Human Services Secretary Xavier Becerra announcing the results of a Congressional inquiry into the practice of pharmacies handing over patient information without legal process. In the face of that new scrutiny, which is sure to extend beyond pharmacies to all healthcare providers, what are healthcare providers to do when asked for PHI through informal means?

The Rise of Ketamine Clinics and Ketamine-Assisted Therapy

Ketamine clinics have been on the rise in the U.S. in recent years. As a byproduct of the common practice of prescribing drugs “off-label,” these clinics are not necessarily new in their operating model. Off-label use is the utilization of pharmaceutical drugs for, among other factors, unapproved indications. An approved indication occurs when the Food and Drug Administration (FDA) formally approves a given drug for a named medical condition.