Texas Medical Board Notice of Proposed Rule Amendments and Statement Regarding Abortion Ban Exceptions

The Texas Medical Board (TMB) is proposing new rules to clarify how the state’s abortion ban exceptions apply to its enforcement process. This marks the beginning of a rulemaking process that will invite public participation and written comment.

The proposed rules, according to the TMB, are designed within the limits of existing laws to clarify the criteria the Board will consider if it receives a related complaint. The Board emphasizes that it does not have the authority to change or create new definitions in existing laws, nor does it have the power to regulate or prohibit abortion.

The Board is cautious about specifying particular conditions or scenarios that would qualify as exceptions. It recognizes the individuality of each patient and the complexity of medical practice, asserting that it is impractical and impossible to create a comprehensive list of situations that may arise in any given patient scenario.

The Board stresses the importance of “reasonable medical judgment,” which depends entirely on the patient’s unique circumstances and the expertise of the treating physician. Even if there were a list of conditions, it would not be enforceable without going through the standard process, given the varying impact of the same condition on different patients.


Justice Department, Federal Trade Commission and Department of Health and Human Services Issue Request for Public Input as Part of Inquiry into Impacts of Corporate Ownership Trend in Health Care

From DOJ Office of Public Affairs:

The Justice Department’s Antitrust Division, Federal Trade Commission (FTC), and Department of Health and Human Services (HHS) have launched a joint public inquiry into the increasing control of private-equity and corporate entities over healthcare. This inquiry aims to understand how certain healthcare market transactions may lead to increased consolidation, generate profits for firms, and potentially threaten patient health, worker safety, and the affordability and quality of care.

The agencies are seeking public comment on deals conducted by health systems, private payers, private equity funds, and other alternative asset managers that involve healthcare providers, facilities, or ancillary products or services. This includes transactions that would not be reported to the Justice Department or FTC for antitrust review under the Hart-Scott-Rodino Antitrust Improvements Act.

Research indicates that competition in healthcare provider and payer markets promotes higher quality, lower-cost healthcare, greater access to care, increased innovation, higher wages, and better benefits for healthcare workers. The responses to the RFI will inform the agencies’ enforcement priorities and future actions, including potential regulations aimed at promoting and protecting competition in healthcare markets and ensuring appropriate access to quality, affordable healthcare items and services.

The public, including patients, consumer advocates, doctors, nurses, healthcare providers and administrators, employers, insurers, and more, are invited to share their comments in response to the RFI within 60 days. The agencies are particularly interested in comments on a variety of transactions, including those involving dialysis clinics, nursing homes, hospice providers, primary care providers, hospitals, home health agencies, home- and community-based services providers, behavioral health providers, as well as billing and collections services.


HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan, which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to the OCR.


NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.


Houston Dental Clinic Operator Convicted in $6M Pediatric Fraud Scheme

From Press Release, United States Attorney’s Office, Southern District of Texas:

  • Rene Gaviola, operator of Floss Family Dental Care clinic in Houston, admitted to submitting fraudulent claims to Medicaid for pediatric dental services that were not provided.
  • Gaviola confessed to employing unlicensed individuals to practice dentistry on Medicaid-insured children and operating the clinic without any licensed dentists, billing Medicaid as if licensed professionals provided the services.
  • He further admitted to paying kickbacks to marketers and caregivers of Medicaid-insured children for bringing them to Floss, and to laundering Medicaid funds from the clinic’s business account to his personal account in transactions exceeding $100,000.
  • From 2019 to 2021, Floss billed Medicaid nearly $6.9 million for pediatric dental services, of which Medicaid paid approximately $4.9 million.
  • Gaviola pleaded guilty and awaits sentencing on April 16, facing potential penalties including up to 10 years for conspiracy to commit health care fraud, payment of kickbacks, and money laundering, as well as potential fines in the hundreds of thousands.

Physician’s Assistant Convicted at Trial of Amniotic Fluid Scam

From Press Release, United States Attorney’s Office, Northern District of Texas:

  • A 36-year-old physician’s assistant at a Fort Worth pain management clinic has been convicted of conspiracy to commit health care fraud and 12 counts of healthcare fraud.
  • The PA submitted claims to Medicare for injections of unapproved amniotic fluid for pain management.
  • Although some amniotic products are FDA-approved for wound care, they are not approved for pain management, making the injections medically unnecessary and non-reimbursable by Medicare.
  • He used an amniotic product called “Cell Genuity,” which was not covered by Medicare for either wound care or pain management. He initially asked patients to pay out of pocket for the injections, but many refused due to the high cost and questionable efficacy.
  • The PA identified another product, “Fluid Flow,” that he believed could be reimbursed by Medicare. Instead of purchasing this more expensive product, he continued to use Cell Genuity but billed Medicare under Fluid Flow’s unique code. This resulted in significant profits for the clinic and himself.
  • The PA now faces up to 240 years in federal prison – 20 years per count.

OIG Publishes a New Guidance Resource and a Report

OIG released our General Compliance Program Guidance (GCPG). The GCPG is a reference guide for the health care compliance community and other health care stakeholders. The GCPG provides information about relevant Federal laws, compliance program infrastructure, OIG resources, and other items useful for understanding health care compliance. The GCPG is voluntary guidance that discusses general compliance risks and compliance programs. The GCPG is not binding on any individual or entity. Download the guide in whole or access individual sections.


Texas Attorney General’s Medicaid Fraud Control Unit Helps Secure 49-Month Sentence and Over $5 Million Restitution in Orthopedic Supplies Fraud Case

This is a common tale. It seems like most of my time is spent explaining to clients why you cannot pay marketers a percentage of the revenue derived from patients they refer to them. Press Release from Texas Attorney General:

Griffin obtained patients by offering and paying kickbacks to marketers as well as disguising illegal payments as marketing services and outsourced business services. Griffin then submitted false claims to both Medicaid and Medicare for orthopedic equipment that was never provided, not medically necessary, and not authorized by a physician.


HHS Office of Civil Rights Requiring Healthcare Providers to Use HIPAA-compliant Telehealth Platforms by August 10

HHS Office of Civil Rights is requiring all healthcare providers to use HIPAA-compliant telehealth platforms by Aug. 10. When the Public Health Emergency ended in May, CMS provided a transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.

The transition period will expire at 11:59 p.m. on August 9, 2023.

Per CMS, the list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Also note, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.


Period of Enhanced Oversight for New Hospices in Arizona, California, Nevada, & Texas

CMS is placing newly enrolling hospices located in Arizona, California, Nevada, and Texas in a provisional period of enhanced oversight. Over the last 12 months, we’ve received numerous reports of hospice fraud, waste, and abuse. The number of enrolled hospices has also increased significantly in these states, raising serious concerns about market oversaturation.

“New hospices” include those 1) newly enrolling in the Medicare Program (starting July 13, 2023); 2) submitting a change of ownership (CHOW) that meets all the regulatory requirements under 42 CFR 489.18; and 3) undergoing a 100% ownership change that doesn’t fall under 42 CFR 489.18.

This enhanced oversight can be from 30 days to 1 year.