🚨Are Your Vendors Protecting Patient Data? 🚨
If you’re a healthcare provider, you likely rely on vendors who handle patient information—your EHR system, billing company, IT support, and more. But how well do you know their security practices?
Before entrusting them with PHI (protected health information), conduct due diligence. Here are some red flags to watch for:
🔴 No mention of HIPAA compliance on their website? That’s a problem.
🔴 Misspelling HIPAA as “HIPPA”? If they can’t spell it, they probably don’t understand it.
🔴 No third-party security certifications? That’s a risk.
🔴 Small vendor with no resources for security audits? That could be a liability.
Don’t assume vendors know what they’re doing—ask tough questions. At the end of the day, your practice is responsible for protecting patient data, and a reckless vendor could expose you to massive penalties.
Have questions? Drop a comment or email me at wade@texashealthlaw.com.
🔒 Privacy is everyone’s responsibility. Take it seriously.
340B
- Multiple legal developments occurred in 340B program litigation across the United States. Two amicus briefs were filed supporting a state in a contract pharmacy law appeal case, while a court permitted withdrawal of a preliminary injunction motion in an HRSA audit process case. In a Medicare Advantage payment dispute, the court issued a split decision on accessing damages documentation. Six cases challenging HRSA’s rejection of drug manufacturers’ rebate models saw various legal actions, including the granting of intervention motions and the filing of amicus briefs supporting the defendant. Intervenors in one rebate model case filed supplemental authority, prompting responses from both the plaintiff and supporting amici.
Abortion
- Texas and Louisiana have filed lawsuits against a New York physician for providing telehealth abortion services across state lines. The cases challenge shield laws designed to protect out-of-state clinicians who prescribe abortion medication via telehealth, with New York Governor Hochul refusing to comply with extradition requests. Several states including Vermont, Maine, California, Colorado, Massachusetts, and New York have enacted shield laws to protect clinicians from legal consequences when providing abortion care to out-of-state patients. The outcomes of these cases could impact the broader landscape of telemedicine by setting precedents for how states can enforce healthcare laws beyond their borders.
Biometric Data
- Texas Representative Capriglione has introduced a bill (HB 3755) aimed at amending the state’s biometric privacy legislation. This bill seeks to include a definition of artificial intelligence and clarifies that the law does not pertain to AI or associated training, processing, or storage, unless conducted for the purpose of uniquely identifying a specific individual.
Data Breaches
- A new report analyzing 180 healthcare email breaches from 2024 to 2025 reveals that 43.3% of incidents involved Microsoft 365 misconfigurations. Healthcare organizations face an average breach cost of $9.8 million, with ransomware attacks increasing 264% since 2018. The HHS Office for Civil Rights has intensified enforcement, issuing significant fines including a $9.76 million settlement with Solara Medical Supplies. Despite a 50% increase in cybersecurity spending since 2018, 98.9% of breached organizations lacked basic email security protocols, and only 1.1% maintained a low-risk security posture. The OCR continues to push for proactive HIPAA compliance as email remains the primary attack vector in healthcare.
- Central Texas Pediatric Orthopedics, an Austin-based medical practice, filed a data breach notice with the Texas Attorney General on March 6, 2025. The breach exposed sensitive patient information including names, medical information, health insurance details, and government-issued identification for at least 90,000 people. The practice has begun sending notification letters to affected individuals, though it has not posted a website notice or press release about the incident. The source of the breach remains unclear, as it could have originated from either CTPO directly or one of its vendors.
- In 2024, healthcare data breaches affected 53% of the U.S. population, with 13 breaches impacting over 1 million records each, including a record breach affecting 100 million individuals. In response, the Department of Health and Human Services issued a Notice of Proposed Rulemaking to modify HIPAA’s Security Rule, addressing AI systems and electronic protected health information for the first time. The new requirements mandate regulated entities to develop technology asset inventories, conduct risk analyses, and monitor vulnerabilities related to AI systems handling health data. Healthcare organizations must now implement AI governance programs that include maintaining lists of AI tools, reviewing data access protocols, and addressing security gaps. The proposed changes aim to protect against emerging threats like offensive AI, which can mutate and evade detection while learning from its environment.
Emerging Technologies
- A research paper published in the Journal of Theoretical and Computational Advances in Scientific Research presents a framework combining blockchain and AI technologies for healthcare data integration. The blockchain component provides a secure platform for sharing medical records between healthcare providers, patients, and researchers. AI algorithms process the integrated data to enable predictive analysis, automated diagnostics, and personalized treatment recommendations. The framework addresses challenges in healthcare data privacy, interoperability, and efficiency through secure data integration and intelligent decision-making.
Fraud & Abuse
- A Plano pharmacist was sentenced to 17.5 years in prison and ordered to pay $115 million in restitution for orchestrating a $145 million healthcare fraud scheme. Between 2014 and 2017, Dehshid Nourian and his co-conspirators paid bribes to doctors who prescribed unnecessary compound creams to federal workers, which were mixed by teenagers for $15 but billed to the Department of Labor for up to $16,000 per prescription. The pharmacies collected $90 million through this scheme while attempting to evade $24 million in taxes through money laundering operations. A federal jury convicted Nourian on multiple counts of healthcare fraud, money laundering, and tax evasion, leading to the forfeiture of $405 million in assets including brokerage accounts, real estate, and vehicles. The case represents the largest healthcare fraud forfeiture in Department of Justice history.
- An El Paso physician has agreed to pay $468,626 to resolve allegations under the Federal False Claims Act. The United States alleged that Dr. John Patterson received kickbacks from Nursemind Home Care Inc. to falsely certify ineligible patients for hospice services, resulting in fraudulent claims to federal healthcare programs. Patterson received cooperation credit for assisting with the investigation and agreeing to testify in related criminal cases. The investigation led to the criminal prosecution of Nursemind Home Care owner Zenia Chavez, who pleaded guilty to conspiracy charges.
- Texas has secured a $40 million settlement from Molina Healthcare through the state’s Healthcare Program Enforcement Division. The case involved Molina Healthcare, a Fortune 500 company that manages care for Medicaid STAR+PLUS program members who are disabled, blind, or over 65 years old. The settlement stems from allegations that Molina failed to conduct timely assessments of Medicaid beneficiaries and hid this non-compliance from Texas authorities. A whistleblower initiated the case under the Texas Health Care Program Fraud Prevention Act’s qui tam provisions.
- Healthcare fraud enforcement will remain a priority despite potential regulatory rollbacks under a second Trump administration, according to a new report. The COVID-19 Fraud Enforcement Task Force has pursued over 3,500 criminal cases and secured $1.4 billion in seizures, with nursing homes facing scrutiny over false claims and misuse of relief funds. Recent court decisions, including Zafirov, which ruled whistleblower-led False Claims Act cases unconstitutional, and Loper Bright, which eliminated deference to regulatory agencies, may provide new defenses for healthcare providers. The Supreme Court’s Jarkesy decision, requiring jury trials for civil penalties, could impact 20 pending cases before the HHS Departmental Appeals Board.
Office of Inspector General
- The U.S. Department of Health and Human Services Office of Inspector General has released updated compliance guidance for nursing facilities, marking its first revision since 2008. The guidance focuses on preventing fraud and abuse through proper billing practices, documentation requirements, and monitoring of financial arrangements between facilities and referral sources. Nursing facilities must implement robust compliance programs that include regular audits, staff training, and oversight from responsible individuals including investors. The OIG specifically highlights concerns about joint ventures, pharmacy arrangements, hospice relationships, and “tunneling” practices that could violate anti-kickback laws.
- A federal audit found that Texas failed to fully comply with federal waiver and state health, safety, and administrative requirements at all 20 adult day activity and health service facilities examined. The Office of Inspector General (OIG) reported 253 instances of provider noncompliance, including deficiencies in facility maintenance, staff qualifications, and regulatory adherence. Of the 20 audited providers, 19 failed to meet one or more health and safety requirements, while 19 also violated administrative regulations. The report recommended corrective actions, improved oversight, and enhanced facility staffing and training. Texas agreed with the recommendations and outlined steps to address the issues.
Patents
- The Federal Circuit addressed the patentability of “obvious” pharmaceutical dosing methods in ImmunoGen, Inc. v. Stewart. The parties agreed that a method of using the recited immunoconjugate (also known as IMGN853) to treat FOLR1-expressing ovarian cancer or cancer of the peritoneum was known in the art at the time of filing. Therefore, whether the claims were patentable from an obviousness perspective turned on whether the recited dosing limitation of “6 mg per kg of AIDW of the patient” would have been obvious to a person of ordinary skill in the art (POSITA) at the time of filing. The Court determined that the dosing method would have been obvious to try since it overlapped with known dosing schemes, and therefore was not patentable. The ruling sets a high bar for proving non-obviousness of dosing regimens for known drugs, even when dealing with unpredictable effects.
Weight Loss Drugs
- A U.S. District Court ruled in favor of the FDA on March 5, 2025, denying the Outsourcing Facilities Association’s motion for a preliminary injunction and stay regarding tirzepatide compounding. The case emerged after tirzepatide products Mounjaro and Zepbound were placed on the drug shortage list in December 2022 due to high demand, allowing compounding facilities to produce copies under specific regulations. The FDA declared the shortage resolved, ending the compounding permission for 503A pharmacies immediately and setting a March 19, 2025 deadline for 503B facilities. The OFA filed an appeal on March 10, 2025, while questions remain about whether modified compound versions of the drug could continue under patient-specific need provisions. The FDA has not yet taken a position on these modified compounds, though their status may depend on whether they are considered copies of commercially available products.