Physician Practice Compliance: How Do Stark, Aks, and Hipaa Apply?

OIG compliance program guidance specifies written standards, training, monitoring, reporting, enforcement, response, and a designated officer. CMS Conditions of Participation (CoPs) impose operational requirements for hospitals, ASCs, and physician practices billing Medicare. Annual risk assessments identify evolving compliance risks across billing, referrals, documentation, and HIPAA. Effectiveness is measured by ability to detect, report, and remediate issues before external action. Strong healthcare regulatory counsel calibrates each program element to the practice's risk profile.

State medical board rules govern physician licensure, continuing medical education, prescribing authority, and disciplinary procedures. Scope of practice limits define what services physicians, PAs, NPs, and other providers may legally perform. Supervisory and collaborative agreements with mid-level providers require careful drafting to satisfy state requirements. Telehealth practice across state lines requires multi-state licensure or interstate compact participation. Coordinated healthcare regulations counsel tracks each state's evolving rules and updates protocols.

Stark Law prohibits physician referrals for designated health services (DHS) to entities with which the physician has a financial relationship. DHS categories include clinical lab, imaging, physical therapy, durable medical equipment, home health, and outpatient drugs. Stark exceptions (in-office ancillary services, bona fide employment, personal services) preserve common arrangements. Stark violations trigger automatic claim disallowance, repayment, and potential False Claims Act liability. Strong health care fraud counsel reviews each financial relationship against the proper exception.

The Anti-Kickback Statute (AKS) criminalizes any remuneration intended to induce or reward referrals of federal healthcare program business. AKS safe harbors (42 CFR Section 1001.952) provide frameworks for employment, personal services, space and equipment rental. The 2020 Sprint regulations modernized value-based safe harbors and Stark exceptions to enable coordinated care models. Marketing arrangements, medical director agreements, and management services contracts require AKS-specific review. Coordinated false claims act counsel structures each arrangement to fit a safe harbor.

HIPAA Privacy Rule governs use and disclosure of protected health information (PHI) for treatment, payment, and operations. Security Rule (45 CFR Section 164.302-318) requires administrative, physical, and technical safeguards for electronic PHI. Breach Notification Rule mandates notice to affected individuals, HHS OCR, and (for large breaches) media within 60 days. Business Associate Agreements (BAAs) flow HIPAA obligations to vendors handling PHI for the practice. Strong HIPAA compliance counsel updates policies as HHS OCR enforcement priorities evolve.

Recovery Audit Contractors (RACs) review Medicare claims on contingency, focusing on coding errors, medical necessity, and documentation. Zone Program Integrity Contractors (ZPICs and UPICs) investigate potential fraud through claims data analytics and on-site reviews. Commercial payer audits target similar issues plus medical policy compliance and prior authorization documentation. Audit responses require timely production of medical records, coding rationale, and supporting documentation. Coordinated medicare billing fraud counsel manages each audit phase to limit assessments.

DOJ healthcare fraud investigations involve grand jury subpoenas, civil investigative demands (CIDs), and qui tam complaints under seal. False Claims Act liability includes treble damages, per-claim penalties ($13,946 to $27,894), and federal program exclusion. Qui tam relators (whistleblowers) receive 15 to 30% of recoveries, motivating insider reporting. Settlements combine monetary recovery, corporate integrity agreements (CIAs), and individual accountability. Experienced federal and state fraud defense counsel manages document preservation and resolution.

State medical board investigations may arise from patient complaints, peer reports, criminal arrests, malpractice settlements, and referrals. Possible sanctions include reprimand, restriction, probation, suspension, surrender, and revocation by severity. Reporting to the National Practitioner Data Bank (NPDB) triggers cascading effects on hospital privileges and payer credentialing. Due process rights include notice, hearing, evidence review, and judicial appeal under state APA. Coordinated medical license defense counsel preserves the license and downstream credentialing.