Categories
Health Law Highlights

Wade’s Health Law Highlights for March 25, 2025

Abortion

  • Texas Attorney General Ken Paxton announced the arrest of Maria Margarita Rojas, a 48-year-old midwife who operated multiple clinics in the Houston area. Rojas, known as “Dr. Maria,” was charged with performing illegal abortions and practicing medicine without a license, both serious offenses under Texas law. Her network included three clinics—in Waller, Cypress, and Spring—where unlicensed individuals allegedly posed as medical professionals. The Attorney General’s office has filed for a temporary restraining order to shut down these facilities and may seek civil penalties of at least $100,000 per violation under the Texas Human Life Protection Act of 2021. Texas law specifically holds abortion providers, not patients, criminally responsible for unlawful procedures.
  • A second person has been arrested in connection with illegal abortion services at clinics operated by a midwife near Houston. Jose Manuel Cendan Ley, a 29-year-old medical assistant, faces charges of performing an illegal abortion and practicing without a license, while Rojas was previously arrested for operating three clinics that allegedly performed illegal abortion procedures. Texas Attorney General Ken Paxton announced that Rubildo Labanino Matos was also arrested for practicing medicine without a license in connection to the investigation. Texas law bans abortion at all stages of pregnancy with exceptions only for life-threatening conditions, with those convicted of performing illegal abortions facing up to 20 years in prison. This case represents the first criminal charges filed under Texas’s near-total abortion ban.

AI in Healthcare

  • AI healthcare models trained on limited institutional data face challenges in broader applications. Healthcare institutions currently train AI models using data from their own populations, creating systems that work well locally but fail when deployed in different settings due to variations in practice patterns, genetic factors, and lifestyle differences across regions. The isolation of medical data in institutional silos prevents AI from reaching its potential to standardize and improve healthcare globally. To address this, healthcare organizations must implement cross-institutional data sharing frameworks and ensure AI models are trained on diverse populations. The solution requires collaboration between health systems, regulatory support, and transparent validation processes to create AI models that can be trusted and effective across all healthcare settings.
  • A Harvard Medical School study found that an open-source AI model called Llama 3.1 405B performed equally well as GPT-4, a leading proprietary model, in diagnosing complex medical cases. Researchers compared both models on 92 challenging cases from The New England Journal of Medicine, with results published March 14 in JAMA Health Forum. The NIH-funded research was conducted by Harvard Medical School in collaboration with clinicians from Beth Israel Deaconess Medical Center and Brigham and Women’s Hospital. Open-source models offer advantages by allowing hospitals to keep patient data in-house rather than transmitting it to external servers required by closed-source models.
  • Google is developing multiple AI healthcare initiatives, including TxGemma for drug discovery, Articulate Medical Intelligence Explorer for patient data collection, and a “co-scientist” chatbot for research assistance. The company has partnered with medical centers like Beth Israel Deaconess in Boston and Princess Maxima Center in the Netherlands, where doctors report tasks that once took days now complete in seconds. Meanwhile, Congress continues to extend pandemic-era telehealth rules through short-term solutions rather than permanent legislation, causing concern among healthcare providers about long-term investment in remote care technologies.
  • The FUTURE-AI framework provides international consensus guidelines for developing trustworthy healthcare AI systems through six guiding principles: fairness, universality, traceability, usability, robustness, and explainability. Developed by a consortium of 117 experts from 50 countries over a two-year period, the framework includes 30 detailed recommendations covering the entire AI lifecycle from design to deployment. FUTURE-AI is designed as a dynamic framework that will evolve with technological advancements and stakeholder feedback to ensure AI tools are technically robust, clinically safe, ethically sound, and legally compliant.

Cybersecurity

  • HIPAA regulations require healthcare providers and business associates to protect patient information in electronic communications. When communicating PHI to patients via email or text, covered entities must either encrypt the information or warn patients about security risks and obtain their consent to proceed with unsecured communications. For communications from patients, providers can assume email is acceptable if initiated by the patient, though warning about risks is recommended. Communications with other providers or third parties require stricter security measures, as simply warning about risks is insufficient; these messages must comply with Security Rule standards through encryption or other safeguards.
  • Healthcare data breaches reached record levels in 2024, with a 9.96% increase from 2023. The healthcare sector ranks second to finance in sensitive data volume, with 68% of medical devices expected to be connected by 2025, creating increased security risks through wireless communication and cloud storage. The industry faces future challenges from quantum computing threats, with NIST developing post-quantum cryptography standards while organizations still struggle with basic security measures like multi-factor authentication.
  • A vulnerability in ChatGPT identified last year is being exploited to target healthcare organizations, with 35% of analyzed organizations unprotected due to security misconfigurations. A recent report documented over 10,000 cyberattack attempts in one week, despite the vulnerability being classified as medium severity. The American Hospital Association warns these attacks could lead to data breaches, unauthorized transactions, and regulatory penalties. Healthcare remains the costliest sector for cyberattacks, with the average breach costing nearly $11 million—more than three times the global average.
  • The U.S. Department of Health and Human Services’ Office for Civil Rights has reached a $227,816 settlement with Health Fitness Corporation for HIPAA Security Rule violations. The settlement, which marks the fifth enforcement action in OCR’s Risk Analysis Initiative, resolves an investigation triggered by four breach reports filed between October 2018 and January 2019, where electronic protected health information became discoverable online due to a server misconfiguration. Health Fitness failed to conduct a thorough risk analysis until January 2024, affecting approximately 4,304 individuals whose data was exposed beginning in August 2015 but not discovered until June 2018. Under the agreement, Health Fitness must implement a corrective action plan including annual risk analyses, risk management planning, and policy development, which OCR will monitor for two years.

Dentistry

  • [The Texas Health and Human Services Commission has adopted an amendment to the Texas Government Code](Adopted Rules Title 25) that requires providers to be reimbursed for teledentistry services. This amendment allows dentists to use synchronous audiovisual technologies to conduct oral evaluations of established clients. As a result, oral evaluations are now more accessible, reducing unnecessary travel for clients in the Texas Health Steps Program.

FDA

  • FDA regulations prohibit compounding pharmacies from creating “essentially a copy” of commercially available drugs unless the modification produces a “significant difference” for an individual patient. Adding B12 to name brand weight loss drugs does not automatically exempt them from being considered copies under Sections 503A and 503B of the Federal Food, Drug, and Cosmetic Act. For a compounded drug to be permissible, the prescribing practitioner must document that the modification creates a significant difference for the specific patient. The FDA established these rules to prevent compounders from circumventing regulatory requirements by making minor changes to commercially available medications.

Medicaid

  • Medicaid program integrity involves both federal and state responsibilities, with states handling day-to-day administration while the federal government provides support and oversight. There is no comprehensive measure of fraud in Medicaid, though most fraud is committed by providers rather than beneficiaries, with the Health Care Fraud and Abuse Control program recovering $3.4 billion across Medicaid and Medicare in FY 2023. Improper payments, which had a 5.1% rate in 2024, are not equivalent to fraud, as 79.1% resulted from insufficient documentation or administrative errors rather than payments to ineligible recipients. HHS and CMS develop strategies to address program integrity issues, focusing on prevention and early detection rather than just recovery of misspent funds.

Mergers & Acquisitions

Privacy

Tax Exemption

  • [The Fifth Circuit Court of Appeals affirmed that Memorial Hermann Accountable Care Organization does not qualify for tax-exempt status under Section 501(c)(4)](Accountable Care Organization Denied Tax-Exempt Status | Gordon Feinblatt LLC). The court applied the “substantial non-exempt purpose” test, determining that Memorial primarily benefited healthcare providers and insurance companies rather than promoting social welfare. Memorial had argued for the application of the “primary purpose test” from Treasury Regulations, but the court rejected this approach while noting it would have reached the same conclusion under either standard. Though currently binding only in Louisiana, Mississippi, and Texas, the ruling suggests Accountable Care Organizations elsewhere may face similar tax treatment.