 advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, 

Rachel V. Rose, JD, MBA

There are many different definitions of the rule of law. Fundamentally, 

 “is the foundation for communities of justice, opportunity, and peace – underpinning development, accountable government, and respect for fundamental rights. Research shows that the rule of law correlates to higher economic growth, greater peace, less inequality, improved health outcomes, and more education.” It is premised on civility and applies to all citizens in the United States – regardless of their position.

In medicine, the right of privacy is an item that has been respected for eons. In the United States, one needs only to look to the United States Supreme Court Opinion in 

, 141 U.S. 250 (May 25, 1891), which held:

An injured woman’s right to refuse examination by the railroad company’s doctor.

To compel any one, and especially a woman, to lay bare the body, or to submit it to the touch of a stranger, without lawful authority, is an indignity.

No right is held more sacred, or is more carefully guarded, by the common law, than the right of every individual to the possession and control of his own person.

Quoting another judge, they added: “[t]he right to one’s person may be said to be a right of complete immunity: to be let alone.”

In the practice of medicine, privacy exists in various contexts including the ability of a patient with decision making capacity to self-discharge against medical advice (“AMA”) from a healthcare facility contrary to what his or her physician(s) perceive to be in the patient’s best interests, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA"), which gives patients the right over their health information are two examples of privacy in healthcare. While there are exclusions which allow an individual’s protected health information (“PHI”) to be utilized and shared for purposes set forth in the law, there are exceptions, which require either patient consent, notice, or appropriate due process procedures in order to preserve an individual citizen’s Constitutional rights in the United States.

by the United States Supreme Court Opinion in 

Dobbs v. Jackson Women’s Health Organization

 (Decided June 24, 2022), there was a legacy that a right to privacy stems from the 1st, 4th, 5th, 9th, and 14th Amendments. In essence, there are guarantees in the Bill of Rights that create a “zone of privacy” but the Majority in 

From a healthcare standpoint, it is imperative for providers to appreciate that HIPAA does apply and that the law enforcement exception exists (45 CFR § 164.512(e), (f)) serves to preserve both the privacy and due process rights of an individual.

encroach into a variety of areas of privacy rights for both men and women. The rule of law serves as an equalizer so that everyone is held to the same laws, regardless of their status. When evaluating state laws or proposals, providers and other entities need to consider an individual’s rights, as well as those inherent in the U.S. Constitution.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, 

Articles

The rule of law is premised on civility and applies to all citizens in the United States – regardless of their position.

Civility: The rule of law and privacy post-Roe

Every state has its own requirements for physicians and other medical professionals such as nurse practitioners, physician assistants, and respiratory therapists – just to name a few. Three issues that are particularly germane to all types of medical professionals are as follows: (1) practicing within the scope of the license held by the individual; (2) if a non-physician, the ability to practice independently of a physician license; and (3) continuing to practice once a license is suspended.

Let’s focus on the State of Texas to address each of these issues.

Specific licensing boards in Texas define the scope of practice for different medical professionals. For example, the 

 that for an advanced practice registered nurse (APRN), the scope of practice includes three main facets:

Advanced practice education in a role and specialty;

Legal implications (e.g. compliance with the Nursing Practice Act and Board Rules); and

Scope of practice statements as published by national professional and advanced practicing nursing organizations.

A couple of items that every individual practitioner should be aware of are that the scope of practice is finite and that expansion of the scope may only be achieved by meeting all of the legal requirements, which vary with an individual’s particular license. In Texas, all APRNs are first licensed as RNs and they are required to maintain an RN license. The converse, that all RNs are APRNs is false. As it relates to the scope of practice, if an APRN is working in an RN role, then the scope of practice is limited to the RN license.

With respect to a non-physician practicing independently of a physician, this is a state-by-state inquiry. The 

 still requires a delegating physician; however Texas HB 278 (2019) removed the “face to face meeting requirement between physicians and APRNs, so long as a new agreement is signed.

This means that APRNs who enter into a prescriptive authority agreement on/after September 1, 2019 must have monthly meetings for the duration of the prescriptive authority agreement, and the meetings may take place via other means, such as via telecommunication. If an APRN chooses not to sign a new agreement, the law in effect on the date the agreement was entered into applies, and the face to face in person meetings are required. APRNs who provide care in Texas may wish to sign a new prescriptive authority agreement beginning September 1, 2019 in order to take advantage of the changes to Texas law.

A recent U.S. Department of Justice enforcement action, which was brought by the 

U.S. Attorney’s Office for the Southern District of Texas highlights the third issue

 – continuing to practice on a suspended license. On September 6th, a physician assistant who had his license suspended continued providing care in order to defraud Medicaid. Some key portions of the DOJ’s press release follow:

On July 20, 2021, the Texas Medical Board allegedly ordered the immediate suspension of Mendez’s physician assistant license, deeming him to be a “continuing threat to public welfare.” He was then prohibited from practicing medicine, according to the charges.

However, Mendez allegedly continued to evaluate and treat patients at mental health clinics in Brownsville, Harlingen and Pharr and billed Medicaid for services he rendered during his suspension.

The indictment further alleges Mendez attempted to conceal his continued practice of medicine by using identities of other physicians and medical personnel. Specifically, Mendez allegedly created medical records under the identities of other physicians while they were traveling outside of the United States. The charges also allege Mendez submitted false statements to the Texas Medical Board in an effort to conceal his improper practice of medicine.

Mendez is charged with seven counts of health care fraud for which he faces up to 10 years in federal prison. If convicted of any of the four aggravated identity theft charges, he faces another two years which must be served consecutively to any other prison term imposed. All counts also carry as possible fine of up to $250,000.

In sum, these areas should be on every practitioner’s radar in order to remain legally compliant, continue to have the ability to work within the scope of the license, and avoid potentially criminal consequences.

A look at state requirements for practicing medicine.

Recent DOJ enforcement action a reminder about practicing medicine

 (CA) was issued by Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warning about Zeppelin Ransomware and its emphasis on this particular malware family’s focus on the healthcare sector. The highlights of the CA are as follows:

Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS).

From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and 

especially organizations in the healthcare and medical industries

Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

Access to victim networks is gained through a RDP exploitation targeting SonicWall firewall vulnerabilities and phishing campaigns.

Data is exfiltrated prior to the files being encrypted. The ransomware demand is made and if the victim refuses to pay the ransom, the ransomware as a service (RaaS) attacker a note file is left on compromised systems.

“[t]he FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.” 

, “[o]rganizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000.” This is significant because as the 

2022 IBM Cost of a Data Breach Report 2022

 the average data breach cost increased from $4.24 million to $4.35 million between 2021 and 2022. Some key take aways include:

Critical Infrastructure Lags in Zero Trust – 

Almost 80% of critical infrastructure organizations studied don't adopt zero trust strategies, seeing average breach costs rise to $5.4 million – a $1.17 million increase compared to those that do. All while 28% of breaches amongst these organizations were ransomware or destructive attacks.

 Ransomware victims in the study that opted to pay threat actors' ransom demands saw only $630,000 less in average breach costs compared to those that chose not to pay – not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy.

With these two issues in play, it underscores the importance of compliance. A preventative measure that is essential is continual security training with an emphasis on phishing, spear phishing, and other types of phishing attacks. An annual risk analysis that comprehensively evaluates the relevant technical, administrative, and physical safeguards.

The risk of ransomware underscores the importance of compliance.

Ransomware: New alert, assessing current cyber insurance coverage

In less than a month, the U.S. Department of Justice (DOJ) has settled various types of allegations ranging from altering patient medical records to get claims paid to paying kickbacks to physicians in order to induce the use of implantable cardiac devices. These types of conduct are material and offer corporate compliance officers and practice managers the opportunity to step back, assess policies and procedures, update training – both for HIPAA and fraud, waste, and abuse, and bring in outside consultants to assess risk.

.S. Attorney’s Office for the District of Massachusetts announced

 a $115,000 settlement with DJ Drugs & Surgicals Inc. “to resolve allegations that it altered patient medical records and submitted the altered medical records to Medicare in support of prior authorization requests. It should not be surprising that this type of settlement emerged out of D. Massachusetts given its 

2016 settlement with Warner Chilcott in the amount of $125 million

 to resolve both criminal and civil liability arising from the illegal promotion of various drugs. Specifically:

From 2009 to 2013, Warner Chilcott paid remuneration to physicians in order to induce those physicians to prescribe Warner Chilcott drugs, which is illegal. Warner Chilcott provided payments, meals, and other remuneration associated with so-called “Medical Education Events.” These events, which were often held at expensive restaurants, frequently contained minimal or no educational component, and were instead used to pay prescribing physicians in an attempt to gain a competitive advantage over other pharmaceutical companies. Warner Chilcott also paid numerous high-prescribing physicians to be “speakers” for the company for the primary purpose of obtaining prescriptions.

During the same period of time, Warner Chilcott submitted false, inaccurate, or misleading prior authorization requests to federal health care programs for the osteoporosis medications Atelvia® and Actonel®. A prior authorization request contains protected health information, including biographical data and information concerning a patient’s medical condition. Warner Chilcott falsified and manipulated prior authorizations by providing false medical justifications for the prescriptions, often filling out the prior authorizations themselves. The fraudulent requests were provided to certain insurance companies in order to overcome restrictions that favored less expensive osteoporosis drugs. In some instances, Warner Chilcott sales representatives submitted these prior authorizations directly to insurance companies, holding themselves out to be physicians.

DOJ announced that Biotronik Inc. paid $12.95 million

 to resolve allegations that it violated the False Claims Act by “causing the submission of false claims to Medicare and Medicaid by paying kickbacks to physicians to induce their use of Biotronik’s implantable cardiace devices, such as pacemakers and defibrillators.” Moreover, several states also joined in the settlement given the types of payments that were made to physicians ranging from new employee training to holiday parties, winery tours, and lavish meals with no business purpose.

In sum, these types of fraud will continue to be a priority for the DOJ and Relators’ counsel alike. Having a robust and substantive compliance program in place can potentially mitigate the amount of a monetary penalty and/or criminal liability, as per the Justice Manual.

, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website,

These types of conduct are material and offer corporate compliance officers and practice managers the opportunity to step back, assess policies and procedures, update training – both for HIPAA and fraud, waste, and abuse, and bring in outside consultants to assess risk.

Recent DOJ settlements highlight compliance opportunities for providers

With remote working and devices being interconnected, it is imperative to appreciate the implications of accessing electronic information without consent, even if it’s a spouse. Importantly, passwords and consent should not be given to a spouse, partner, or roommate. If a person works in a sensitive field such as healthcare, law, accounting, or finance for example (not to mention government employees and contractors), then setting boundaries that adhere to a plethora of laws and professional obligations should be implemented. As an aside the application of providing access to electronic communications that are part of work, even personal archived emails, social media, or smart phones that are accessed without consent are subject to violating a variety of laws including the Computer Fraud and Abuse Act (1986), which enables individuals to use this federal criminal law to sue others for civil claims based on unauthorized access, as well as other laws explained below.

 that brings the significance of not securing information to light is the 25 page indictment brought by federal prosecutors against Seth Markin who allegedly stole from his then-girlfriend, an associate at a prominent law firm who was working at home during the pandemic on an acquisition deal related to a major pharmaceutical company’s acquisition of a therapeutic company. Additionally, the U.S. Securities and Exchange Commission also filed insider trading charges against Markin and one other person.

Enacted in 1986, the Stored Communications Act, 18 U.S.C. §§ 2701,

(SCA) has a primary purpose that is analogous to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule - to protect the privacy and unauthorized disclosure of stored electronic communications. While HIPAA is specific to protected health information (PHI) and the Security Rule is limited to electronic protected health information (ePHI), the SCA extends to stored electronic communications. As the 

 explains, “[e]lectronic storage is defined in 18 U.S.C. § 2510(17) as both any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof and the storage of such communication by an electronic communication service for purposes of backup protection of such communication.”Like HIPAA, which extends beyond external hackers, so does the SCA. In 

Ehling v. Monmouth-Ocean Hospital Service Corp.

, No. 2:11-cv-03305 (WJM) (D.N.J. Aug 20, 2013) the District Court for the State of New Jersey held 

which are configured to be private are indeed covered under the SCA

transmitted via an electronic communication service;

Although the court recognized and applied the “authorized user” exception – one of two exceptions in the SCA, caution should be taken regarding if the person providing authorization has the authority or right to do so. Also, if a person’s Facebook or other social media is linked to an email, separate permission is needed for each application. Also, as lawyers appreciate potential clients may reach out through private social media or a colleague may send a link to an article and reference a case that is been worked on. Regardless of whether the person gave the roommate or spouse permission, professional rules and other laws dictate otherwise.

The HIPAA Security Rule has Security Standards (45 CFR § 164.306(b)). As 

, “[t]he Security Rule is clear that reasonable and appropriate security measures must be implemented, see 45 CFR 164.306(b), and that the General Requirements of § 164.306(a) must be met.” The task of addressing the changing cybersecurity landscape on both a professional and a personal level may seem daunting and, in some ways, it is. Here are some compliance tips, which can be used in healthcare, a variety of other industries, and personally:

NIST is a great resource and utilizing its standards may mitigate liability. I always recommend 

SP 800-53 (rev. 5 is the current version)

Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

 is designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations.”

Adopt a Remote Worker checklist for working from home and traveling. Some fundamental items are: (1) secure WiFi at home and when traveling (use a hotspot); (2) ensure that if you are 

 your Apple products (or other devices and software) that your private messages are not connected to another person’s account – whether family, friend, or colleague; (3) educate yourself and understand how your private messages on social media may end up being looked at by a spouse, roommate, or child (hint: if you get alerts know where the alerts are going and who has access to your phone, tablet, or email account); (4) set policies and procedures and have workforce members and contractors review and sign off on them, so they understand the potential legal liability that may come with sharing information; and (5) if you are a small business (or even a one person physician practice or law firm), have your disaster recovery plan as well as incapacity plan in place and pick a trusted person and have the information in a safe deposit box to be accessed only when needed.

. Workforce members should also be educated as part of cybersecurity and HIPAA training on social engineering, phishing, and wrongful disclosure of both PHI and personally identifiable information.

In sum, there is a lot to digest. Approaching one’s business and personal life from a risk mitigation standpoint can help avoid significant liability, especially during an unforeseen change in circumstances, just as the recent indictment referenced herein substantiates.

If a person works in a sensitive field such as healthcare, law, accounting, or finance then setting boundaries that adhere to a plethora of laws and professional obligations should be implemented. 

Utilizing NIST Safeguards to reduce liability under the Stored Communications Act

Specifically found in the Constitution (particularly in the Bill of Rights) or have been found under Due Process, fundamental rights are those rights that have been recognized by the U.S. Supreme Court has necessitating a high degree of protection from government encroachment. The July 8th Executive Order 

 states, “[f]undamental rights – to privacy, autonomy, freedom, and equality – have been denied to millions of women across the country, with grave implications for their health, lives, and wellbeing.” Men’s lives, as well as those of a woman’s living children, will also be impacted. As the 

 further substantiates, “[t]hese deeply private decisions should not be subject to government interference.” One area that is germane to the fundamental right to privacy is addressed in Section 4 of the Executive Order – protecting privacy, safety, and security. Specifically:

Sec. 4. Protecting Privacy, Safety, and Security. (a) To address potential heightened safety and security risks related to the provision of reproductive healthcare services, the Attorney General and the Security of Homeland Security shall consider actions, as appropriate and consistent with applicable law, to ensure the safety of patients, providers, and third parties, and to protect the security of clinics (including mobile clinics), pharmacies, and other entities providing, dispensing, or delivering reproductive and related healthcare services.

(b) To address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data and by digital surveillance related to reproductive healthcare services, and to protect people seeking reproductive health services from fraudulent schemes or deceptive practices:

(i) The Chair of the Federal Trade Commission (FTC) is encouraged to consider actions, as appropriate and consistent with applicable law (including the Federal Trade Commission Act, 15 U.S.C. 41 

.), to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.

(ii) The Secretary of Health and Human Services shall consider actions, including providing guidance under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936 (1996) as amended by Public Law 111-5, 123 Stat. 115 (2009), and any other statutes as appropriate, to strengthen the protection of sensitive information related to reproductive healthcare services and 

(iii) The Secretary of Health and Human Services shall, in consultation with the Attorney General, consider actions to educate consumers on how best to protect their health privacy and limit the collection and sharing of their sensitive health-related information.

HIPAA plays a critical role in protecting PHI

, which includes 18 identifying factors of PII that can be de-identified in order to protect a patient’s fundamental relationship with his/her health information. “The executive order comes about a week after the 

 clarifying that, with limited exceptions, medical clinics, physicians and other healthcare providers are not required - and in many cases, not permitted - to disclose patients' private information to law enforcement authorities.” Even if the law enforcement exception is invoked, there are safeguards, including Due Process, so that a request for a disclosure of PHI, including the 18 identifying factors when they relate back to PHI, cannot exceed that what is required by law. 

The only branch of our Federal Government, which can essentially change what 

 did - overturning 50 years of precedent – is Congress. Considering re-establishing as law what was lost when the 

 Opinion was issued in June 2022, a bipartisan group of Senators took the initiative to introduce the 

, which would fill a significant gap in U.S. privacy law.

There is a lot to unpack from both the Majority and the Dissent in 

. Ensuring that every patient’s privacy is protected is required by covered entities and business associates alike. Stay tuned for more updates in this evolving legal landscape.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website,

There is a lot to unpack from both the Majority and the Dissent in Dobbs.