Around the Web

FBI: Healthcare Hit with Most Ransomware Attacks of Any Critical Sector

More scary statistics related to ransomware attacks on healthcare providers. Nearly half (47%) of healthcare IT professionals said their organizations experienced a ransomware attack in the past two years, up from 43% in 2021, according to a survey released by the Ponemon Institute.

Ill-prepared providers must make the hard choice to pay or not to pay. The consequences can be devastating.

Ron Southwick, writing for Chief Healthcare Executive:

The Lehigh Valley Health Network in eastern Pennsylvania disclosed a ransomware attack last month, and said it would not pay. Lehigh Valley said a gang known as BlackCat, which has ties to Russia, launched the attack. The health network said this month that the ransomware group posted photos of cancer patients on the dark web, according to WPVI-TV in Philadelphia and other media outlets.

Around the Web

Ophthalmology Practice Agrees to Pay Over $2.9 Million to Settle Kickback Allegations

From the Eastern District of Texas:

Ophthalmology provider group, Arlington Ophthalmology Association, P.L.L.C. d/b/a Kleiman Evangelista Eye Centers (“K&E”), with offices located in Arlington, Dallas, Plano, Southlake, Mount Pleasant, and Gun Barrel City, Texas, has agreed to pay $2,902,505 to resolve False Claims Act allegations that it offered and paid kickbacks to optometrists to induce referrals of patients who were candidates for cataract surgery in violation of the False Claims Act and Anti-Kickback Statute, announced Eastern District of Texas U.S. Attorney Brit Featherston.

This is a great example of how business practices common in other industries do not work in healthcare. Even if Medicare was not involved, Texas’ Patient Solicitation Act prohibits “offering to pay or agreeing to accept anything of value to secure or solicit a patient or patronage for or from a licensed professional.” It is called an “All-Payor” statute, meaning a violation is not limited to referrals for services paid by government health programs.

Around the Web

DOJ Continues to Eye Clinical Researchers

Jonathan Porter, writing for Healthcare Law Insights, highlights several types of fraud associated with medical research and clinical trials: clinical trial fraud, grant fraud, and failure to disclose ties to foreign governments. The Department of Justice, through its consumer protection branch, has become more interested in this type of fraud, which will necessarily impact researchers, including universities and research hospitals:

What is clear from these cases is that universities and hospitals must be aware that they have liability if their employees commit fraud or make false statements. Investing in a robust compliance program to root out fraud is critical, in order to both reduce False Claims Act risk and to save institutional reputation. Contact your Husch Blackwell attorney today with questions.

Around the Web

Safety vs. Hospitality: A Healthcare Dilemma

The root problem is our society is mentally sick. Violence is the symptom. All the security in the world won’t stop someone who is intent on hurting others. Any solution must address the problem.

Will Mattox, writing for D Magazine:

But the issue seems to be getting worse. The American Hospital Association says that 44 percent of nurses experienced physical violence, and 68 percent experienced verbal abuse during the pandemic. Given the rise of violence in the workplace in healthcare settings, one might expect these facilities to be as secure as a sporting event or airport, with metal detectors at every entrance, guests and staff asked to empty their pockets while being searched, and visible security forces throughout the facility.

But herein lies the growing tension in healthcare, especially around hospital operations and design. Healthcare leaders don’t want their facilities to feel like locked-down institutions. Walking into a new hospital these days is more likely to feel like entering the lobby of a luxury hotel with engaging art, attractive light fixtures, natural light, and multiple seating areas. A metal detector, security guard with a wand, or other deterrents might ruin the ambiance medical centers want to exude.

Around the Web

If the Government Cut Medicare Fraud, It Wouldn’t Have to Cut Medicare

From Merrill Matthews, writing for The Hill:

The point is that if the federal government were better at preventing Medicare and Medicaid fraud, the programs could save perhaps $100 billion a year or more. While that wouldn’t solve Medicare’s long-term financial challenges, it would certainly help delay the day of reckoning.

While no one defends the fraud, many politicians and bureaucrats don’t seem that interested in trying to fix it. Indeed, when Republican state legislators propose verifying state Medicaid rolls to ensure recipients are qualified, Democrats usually push back.

What’s clear is that there is a way to cut Medicare without hurting Medicare patients, and that’s to cut the fraud. But it’s much less work, and perhaps more politically rewarding, to just attack political opponents.

Most people would agree that Medicare fraud should be stopped, but that’s easier said than done. Medicare’s Prospective Payment System (PPS) is part of the problem. They pay first and ask questions later. By that time, the money is long gone.

The federal waste, fraud, and abuse laws are also complicated. Many well-meaning providers do not understand them. There is growing support for revamping the Anti-Kickback Statute.

Around the Web

Is Dropbox HIPAA Compliant?

A lot of my healthcare clients use Dropbox. Many assume, incorrectly, that it is HIPAA compliant. I am generally concerned with any service that declares itself to be HIPAA compliant. Like many services, Dropbox can be used in a HIPAA compliant manner, but the burden rests on the user, not on Dropbox.

From Samuel Okoruwa, writing for Cloudwards:

Dropbox offers health organizations a secure way to store sensitive files. It’s not HIPAA compliant in itself, but relies on the user to use it in HIPAA-compliant ways. 

Health organizations that use Dropbox to upload medical information bear the greater responsibility of protecting this information by issuing Dropbox a contract called a business associate agreement and correctly configuring their accounts. 

Health organizations can take steps to correctly configure their accounts by limiting health information access to only authorized users, monitoring user activity and evaluating third-party apps.

Around the Web

Exploring Data De-Identification in Healthcare

From Health IT Analytics:

Adequately de-identifying healthcare data is critical for health systems, payers, and other stakeholders to ensure HIPAA compliance. However, the advent of newer technologies, such as artificial intelligence (AI) and connected devices, has created questions about ensuring patient privacy while enabling data sharing and access to improve care and drive medical breakthroughs.

At its most basic, de-identification refers to the principle of being unable to re-identify a person based on the information in their medical record, which often involves removing or hiding information such as the individual’s name, date of birth, gender, or address.

Beyond this basic level of de-identification to obscure explicitly personal information, healthcare stakeholders need to be aware of additional information and levels of identifiability to protect patient information.

Many people misunderstand de-identification. Certainly, the patient’s name and other unique identifiers should be removed. But there is also identification inherent in the pattern of care, the diagnosis, prescriptions, and other characteristics which can be used to re-identify specific patients, especially when there is a known dataset.

“In other words, there are additional safeguards and controls that go beyond the mere extraction of personally identifiable information,” [Suraj Kapa, MD] said. “So fine, you eliminate the medical record number, you eliminate the name, you eliminate the address, you eliminate all this other stuff from individual records. However, say you’re running a large analytic function across, say, the US, on patients with a specific type of cancer and trying to understand what we call social determinants of health.”


Healthcare Empowered Ep. 1

Dr. Chad Glines and Dr. Caleb Braddock are well-known in North Texas. They are the founders and owners of Genesis Back & Neck, a chiropractic practice that provides spinal decompression therapy to patients.

What makes them different is their unique spinal decompression protocol. They have been clients of mine for many years. The last few years our focus has been on expanding their decompression practice nationally.

Today, they have 21 locations around the country, and we are adding more every month. In this interview, we discuss their vision for decompression therapy, and the legal and regulatory challenges they have faced as they expand their brand nationally.


Texas Med Spa FAQ

What is a med spa?

The American Med Spa Association defines a medical spa as “a hybrid between an aesthetic medical center and a day spa” with four core elements: (1) the provision of non-invasive (i.e. non-surgical) aesthetic medical services; (2) under the general supervision of a licensed physician; (3) performed by trained, experienced and qualified practitioners; (4) with onsite supervision by a licensed healthcare professional. AmSpa – Med Spa FAQ

While that definition is technically accurate, it obscures the point that because med spas offer medical services, they are considered medical practices in Texas and must comply with the rules and regulations that apply to traditional doctor’s offices.

What kinds of services do med spas offer?

In addition to providing aesthetic cosmetic treatments common in many spa settings, med spas provide services that cross the line into the practice of medicine. A small sample of these services includes:

  • Laser Hair Removal
  • Botox injections and other dermal fillers
  • IV infusions
  • Platelet-Rich Plasma injections
  • Hormone therapy
  • Cosmetic surgeries

The Texas Medical Board refers to these types of services as Nonsurgical Medical Cosmetic Procedures and requires that an appropriately trained physician, or properly supervised midlevel practitioner, perform an appropriate patient assessment and issue an order for the medical cosmetic procedure. Title 22, Texas Administrative Code, Section 193.17, Nonsurgical Medical Cosmetic Procedures

What legal structure must med spas have?

Because med spas are medical practices, they must follow the requirements of Texas law regarding professional entities. Medical practices can only be structured as professional limited liability companies (PLLC) or professional associations (PA). Texas Business Organizations Code, Section 301.003(3)

They may not be formed as corporations or regular limited liability companies (LLC).

Who can own a med spa?

Medical services can only be offered through professional entities owned by physicians. Texas Business Organizations Code, Sec. 301.004, 006-007. In certain circumstances, non-physicians can co-own a medical practice with the physician. The only allowances are for podiatrists, chiropractors, optometrists, and sometimes physician assistants. Texas Business Organizations Code, Sec. 301.012

That means that nurse practitioners or unlicensed persons cannot form a “partnership” with physicians to own a med spa. Said another way, unless you are a physician, chiropractor, optometrist, podiatrist, or physician assistant (in limited situations), you cannot own a med spa. This too is a violation of the Corporate Practice of Medicine.

Can a non-physician co-own a med spa with the physician?

In certain circumstances, non-physicians can co-own a medical practice with the physician. The only allowances are for podiatrists, chiropractors, optometrists, and sometimes physician assistants. Texas Business Organizations Code, Sec. 301.012. That means that nurse practitioners, registered nurses, estheticians, or unlicensed persons cannot form a “partnership” with physicians to own a med spa. Said another way, unless you are a physician, chiropractor, optometrist, podiatrist, or physician assistant (in limited situations), you cannot own a med spa. This too is a violation of the Corporate Practice of Medicine.

Can a dentist be the “medical director” of a med spa?

I’ve seen mention that the Texas State Board of Dental Examiners allows dentists to use Botox for dental esthetic and dental therapeutic purposes. I cannot confirm that policy, but it would not be surprising as there are several therapeutic dental uses for Botox: high lip lines, Temporomandibular Joint Disorder, Bruxism, and dentures no longer fitting due to shifting jaw muscles. However, Botox for facial cosmetic purposes would not be in a dentist’s scope of practice.

In my view, dentists can only prescribe Botox and fillers for dental purposes. I do not think dentists can provide Botox for purely cosmetic purposes. The other issue is that since cosmetic Botox is a medical service, and dentists are not medical doctors, they cannot own or co-own a medical practice. Neither are dentists qualified to serve as “Medical Director” since they are not licensed to practice medicine in Texas.

What are some of the risks of a non-compliant med spa?

It is a violation of Texas’s Corporate Practice of Medicine doctrine for corporations or standard LLCs to provide medical services. Doing so could bring civil and criminal penalties. Texas Occupations Code, (Medical Practice Act), including sections 155.001, .003, 157.001, 164.052(a)(8),(13), and 165.001, .051, .101, .151, .156

Is the physician required to be on-site, or is a mid-level required to be on-site?

Either the midlevel or the physician can do the good-faith exam via telehealth or in person. They must be the ones to write the order for the medical procedure.

How often should a med spa perform good faith exams on patients?

At a minimum, a Good Faith Exam (GFE) should be performed annually, but may be required more often depending on the circumstances.

The good faith exam should be performed on any patient receiving treatment for the first time. From this GFE, the provider develops a treatment plan which will often include multiple treatments over several sessions. A GFE does not need to be performed for each session included in that treatment plan.

With that said, a new GFE should be performed if:

  • A patient seeks additional services not anticipated during the initial GFE, or not included in the initial treatment plan;
  • The patient discontinues the treatment plan, but then desires to resume treatment after a substantial delay; or
  • A patient’s health changes materially, either during the course of a treatment plan or thereafter.

There is no hard and fast rule. It is a question of the applicable medical standard of care. When in doubt, a physician or midlevel should decide if a GFE is required.


Part II: The Investigation. Handling Licensing Board Investigations from Complaint to SOAH Hearing

This is a four-part series on Handling Licensing Board Investigations from Complaint to SOAH Hearing. In preparation for this series, I talked to several of the staff attorneys and investigators for the Texas Medical Board, the Board of Nursing, and the Board of Chiropractic Examiners. I asked them what advice they would give lawyers practicing before their boards. Some of the suggestions throughout this series come from the staff attorneys and others come from trial and error on my part through years of representing clients before these boards.

The series will present issues associated with the phases of the investigation and resolution:

  1. Part I – What’s Going On?
  2. Part II – The Investigation
  3. Part III – The Informal Settlement Conference (ISC)
  4. Part IV – The SOAH Hearing

The purpose of this series is to give licensees and their attorneys a greater understanding of the complaint and investigation process. Of course, each board is different and each investigation is driven by the issues and personalities involved. Licensees and their attorneys are encouraged to understand the rules and processes applicable to the relevant board. Further materials about the complaint, investigation, and hearing process are available on board websites.

Part II of this series explores the investigation and the discovery issues involved.

The Big Picture

The investigation process starts with a complaint. The complaint goes through a preliminary evaluation process and may be dismissed. If it passes this preliminary evaluation, the board will open a formal investigation during which a board investigator will gather information about the case, including medical records and witness statements.

When the investigation is complete, the information will be presented to a review committee. The committee will either refer the matter to litigation or dismiss it. The terminology of “referral to litigation” is most often used by the Texas Medical Board and simply means that the matter is assigned to one of their staff attorneys for further handling, with the assistance of the investigator.

At this point, the matter could still be dismissed, but most likely will proceed to some type of Informal Settlement Conference (ISC) or proposed Agreed Order. If it’s not resolved at this more informal stage, the matter goes to the State Office of Administrative Hearings (SOAH) for a more formal proceeding.

There is a big difference in tone and focus between the complaint and informal settlement conference stages and the SOAH hearing. The first part of the investigation is more of an informal process. A SOAH proceeding has a much different tone, similar to a lawsuit. A judge will preside, without a jury, listen to testimony, and rule on evidence. After the SOAH proceeding, the judge will issue a ruling with findings of fact and conclusions of law. The licensing board will consider the ruling and take appropriate action.

The Complaint

Having explained the process in general, let’s get into the details of each step.

Complaints can be initiated in several ways. There is an online form or a written complaint form that can be downloaded. There is a complaint hotline that patients can call. Most complaints come from patients, but they can be initiated by the licensee’s fellow practitioners. Practitioners are required to report their peers if they feel like their conduct is a threat to public safety. Finally, complaints can be initiated by the board itself. This most often occurs if the licensee gets arrested or charged for a crime – e.g. driving while intoxicated.

Once a complaint has been initiated with the Texas Medical Board, there are no takebacks. The patient cannot withdraw it if they change their mind. That is not the case with the chiropractic board or the board of nursing, where complaints can be withdrawn. At some point, the ability to withdraw a complaint becomes moot because the complaint has progressed into the formal investigation phase, where the investigator has likely found other issues and does not need the complaint to continue the process.

The complainant’s identity is confidential, with certain rare exceptions. But complaints cannot be anonymous. Anonymous complaints are dismissed without further action. See 22 Tex. Admin. § 178.4.

The Preliminary Evaluation

Once the complaint is filed, an investigator will be assigned to the file and they will communicate with the complainant as part of their preliminary evaluation.

The preliminary evaluation is not a detailed review of all the allegations and supporting facts. It is a narrow evaluation to determine if the licensing board has jurisdiction over the complaint.

The preliminary evaluation must be conducted within 45 days. Within 45 days, the board will know whether they have jurisdiction over the matter. It has been my experience that if the board determines they have jurisdiction, the matter will most likely be referred to a staff attorney to direct the handling in conjunction with an investigator to gather facts.

At the beginning of the preliminary evaluation, the licensee is notified and allowed to respond.

It is difficult for the licensee to adequately respond. While the licensee is told generally about the nature of the complaint, it is typically vague.

This is a letter from one of my cases before the Texas Medical Board. You will note that the letter includes general statutory allegations such as unlawful advertising, practice inconsistent with health and welfare, and unprofessional conduct, which you will see in every case involving non-therapeutic prescribing or treatment.

That gives us the gist of the complaint, but it does not tell us much about the context. At least we know it has something to do with advertising. So in this case that’s all the information we received when they invited the practitioner to respond.

In hindsight, the complaint involved advertising IV infusions that could allegedly prevent COVID. This was long before the vaccinations existed. The licensee was trying to imply that her vitamin-enriched solutions would make you more healthy, which would make you less susceptible to contracting COVID. The medical board was not pleased.

The challenge is how do you respond to such vague allegations?

This is where licensees typically make a series of mistakes. They fail to get a lawyer involved and casually send responses to the board, usually by email, and often with a tone of informality.

It is important to understand that the scope of the investigation is not limited by the complaint. If the board finds other potential violations, they can and will broaden their investigation. Neither the practitioner nor the investigator knows what information is going to be relevant.

In my view, the best course of action is to respond very narrowly and succinctly. You will have plenty of time as you go through this process to respond further.

If you are counsel representing a practitioner, it is also a good idea to call the investigator to try to get more information about the allegations. The chiropractic board, for example, has a policy of trying to give as much information to the licensee as possible while respecting the bounds of confidentiality. Not all boards may be quite as forthcoming. It depends on the board and the investigator, but it does not hurt to ask. Some boards want to facilitate this communication. They want to get as substantive a response as they can, so they can make that preliminary evaluation.

Is the Complaint Jurisdictional?

The key question in the preliminary evaluation is whether the complaint is jurisdictional. What does that mean?

The issue is whether this particular licensing board has the authority to handle the complaint and impose a penalty on the practitioner if warranted. The first question then is whether the complaint is about one of the board’s licensees.

This is not always a simple issue. Patients do not always know who the provider is. In some practices, the patient may never see the doctor. Perhaps the patient is treated by a nurse practitioner or physician assistant. The physician may not be on-site. Supervision is accomplished by reviewing samples of charts sometime after the care is provided. Not understanding the relationship, the patient may complain to the medical board about the nurse practitioner, or they may complain to the nursing board about the physician. In the case of a med spa, where a physician acts as the medical director, the patient may complain to the nursing board because they talked to a nurse practitioner.

Providers should be careful about blurring the lines about who is responsible for the care. If your client is in one of these multidisciplinary practices, make sure the website is clear about who is providing what care.

The next question is whether the complaint, if taken as true, states a violation of the board statute or board rule. Complaints can be dismissed because the subject of the complaint is not a violation. With that said, almost any complaint can constitute “unprofessional conduct” depending on the context. Many of the board rules are written to include a broad range of conduct.

If there is no jurisdiction, the board will dismiss the complaint. Depending on the allegations, the board may also refer the matter to the appropriate licensing board or state agency.

One exception is the Texas Medical Board. If they do not have jurisdiction over the practitioner, but feel like the practitioner is practicing medicine without a license, they will issue a Cease and Desist letter.

Here’s an example of one such letter. This was sent to a nurse practitioner. The medical board felt like she was practicing beyond the scope of her delegation.

The letter is a notice of a hearing inviting the nurse to explain why a Cease and Desist Order should not be issued. The burden is on the practitioner, and in most cases, the Cease and Desist Order is issued.

Following an investigation, the complaint will be dismissed because the practitioner is not licensed by the Texas Medical Board. The board cannot issue penalties against a non-licensee, but it can issue a Cease & Desist Order because the board does regulate the practice of medicine. The board can also refer the matter to the Travis County District Attorney’s office for possible criminal charges for the unauthorized practice of medicine.

Formal Investigation

If the board determines it has jurisdiction, the complaint is officially filed and a formal investigation is opened. The same investigator who conducted the preliminary evaluation will also handle the investigation. The transition from evaluation to investigation is just a continuation of the process. They just keep going with their investigation.

The licensee is now called the Respondent. Both the Respondent and the complainant are notified within this 45-day window of the result of the preliminary evaluation.

This is a notice letter from the Texas Medical Board that a formal investigation has been opened.

This is another example of a notice letter, but this one is a formal investigation for a cease and desist hearing.

Discovery Tools

Once a formal investigation is opened, the board will use various discovery tools to investigate the matter. They will interview witnesses, request documents through subpoena power, and refer the matter for expert review, if necessary.

This is an example of the Texas Medical Board using its subpoena power.

The investigation remains confidential. See 22 Tex. Admin. § 178.4. The respondent will not see the transcripts of interviews with the complainant or witnesses unless it reaches a SOAH hearing. These investigations can last some time.

The board is required to give you notice every 90 days that the investigation is ongoing. Understand that many of these cases are complex and take time. You may get several of these letters, especially from the medical board, especially if standard of care issues are involved and the board engages an expert to review the records.

Initial Requests

When the board opens a formal investigation, they will send the Respondent a request for a narrative and one or more requests for documents. In the example above, the medical board requires the respondent to explain in detail how supervision of the mid-level practitioner by the physician is accomplished at this clinic (Item #2). The board wants copies of supervision agreements (Item #3, with reference to a forthcoming 14-day subpoena) and a narrative about the services provided at the clinic (Item #4).

The board can require the practitioner to provide a narrative and provide documents. One of the obligations of licensure is that the licensee agrees to cooperate in formal investigations. Failure to respond is itself a violation that will result in a penalty. It is customary for the Board of Nursing to file “Formal Charges” with SOAH if the licensee does not respond.


When asking for documents, the board will provide a standard form subpoena and a standard business records affidavit they require the provider to sign, notarize, and return. The subpoena will require a response by a certain date. In my experience, however, the investigators are willing to grant additional time to respond.

When responding to the subpoenas, have your clients produce the records directly to you. Then have a frank conversation with them to make sure you have been provided all the responsive documents. It will be easy for them to produce electronic records. However, there may be other hard-copy records in storage. You must produce those documents too.

Review the documents for obvious errors, altered records, or recent additions. I’ve had clients change dates or create records after the fact, including very descriptive exam notes or supervision logs. Board investigators review a lot of records and will notice alterations. The cover-up is always worse than the initial mistake.

Narrative Responses

If the licensee has hired an attorney, the attorney should draft the narrative response with factual assistance from the practitioner. Attorneys should be advocates for their clients, but recognize their audience is the investigator, the investigation committee, and ultimately the ISC panel members. You are not advocating to an unbiased jury. Most of the ISC panel members are providers too. They will see right through your spin. Put them in your client’s position. Let them see the situation through your client’s eyes.

As with the documents your client provides to you, take what your client says with a grain of salt. On rare occasions, clients will flat-out lie to you. Sometimes they will spin the facts or convince themselves of a fact that is not entirely accurate. Most of the time, they think they did not do anything wrong and so they want to put themselves in the best light possible. Be very cautious about the statements you make back to the licensing board. Make sure you have a very upfront and blunt conversation with your client.

You should also limit your narrative as narrowly as possible. The scope of the investigation is not limited by the complaint. Answer what you have to, but do not go beyond the issue. You could be inadvertently opening additional lines of investigation. This is not your only chance to speak. You can always submit a supplemental narrative response later in the process, such as before the ISC or a SOAH hearing.

Expert Review

If there is a standard of care issue, the board will send the matter out to up to three experts for review. They will send the results of the investigation out to two experts. If both experts come back with the same opinion, it stops there. If they have different opinions, one finding a fault and another not, then they’ll send it to a third expert.

That’s not the case with all boards. The nursing board and the chiropractic board only send materials out to one expert. I’m told by the medical board staff attorneys that the vast majority of these types of reviews come back with no finding of a violation of the standard of care. I think that is probably true, but it doesn’t mean that this stops the investigation. Just because the licensee’s conduct did not violate the standard of care does not mean the practitioner did not violate a board rule or that there was no unprofessional conduct.

If the expert reports indicate there is a violation of the standard of care, you should consider obtaining your own expert review and report in opposition. It might be persuasive to the ISC panel members and can be used in a SOAH trial if that is in your future.

Up Next: The Informal Settlement Conference

In Part III: The Informal Settlement Conference, I’ll review the informal settlement process employed by the board and how Agreed Orders are negotiated.