
Copyright SJKP LLP Law Firm all rights reserved

Healthcare Regulatory: Compliance, Fraud Defense, and Investigation
Healthcare regulatory compliance requires providers, hospitals, and health systems to navigate federal and state statutes governing physician financial relationships, billing practices, patient data privacy, and facility licensure.

A violation of any one of these requirements can expose the organization to civil penalties, exclusion from federal programs, or criminal prosecution.

Contents


1. Anti-Corruption and False Claims Defense


Healthcare regulatory enforcement actions involving the Stark Law, the Anti-Kickback Statute, and the False Claims Act represent the most significant financial and operational risks that healthcare organizations face.



How Are Stark Law and Anti-Kickback Statute Violations Defended?


The Stark Law prohibits a physician from referring Medicare patients to an entity with which the physician has a financial relationship unless the relationship satisfies a specific statutory exception. Healthcare compliance and regulatory counsel advising on a Stark Law compliance program must therefore evaluate whether each physician compensation arrangement satisfies the applicable exception's fair market value and commercial reasonableness requirements, and whether any identified technical violations qualify for self-disclosure under the Stark Law self-referral disclosure protocol.



How Should Healthcare Organizations Respond to a False Claims Act Investigation?


A False Claims Act investigation of a healthcare organization typically begins with a qui tam complaint filed under seal by a whistleblower. Healthcare fraud defense counsel must evaluate whether the government's theory of liability is supported by the specific billing or coding practices at issue, and whether voluntary self-disclosure before the investigation becomes public produces a better outcome than waiting for the government to develop its case independently.



2. Healthcare Data Privacy and Digital Health


Healthcare regulatory requirements for patient data protection are among the most prescriptive in any industry.



How Should Healthcare Organizations Build HIPAA Compliance Programs?


The HIPAA Privacy Rule and Security Rule establish the framework for protecting individually identifiable health information. Healthcare laws counsel advising on HIPAA compliance must evaluate whether the organization's policies satisfy the applicable administrative, physical, and technical safeguard requirements, whether the organization's business associate agreements with vendors contain all required provisions, and whether the breach notification procedures satisfy the 60-day notification deadline that applies when a breach of unsecured protected health information occurs.



What Legal Framework Governs Telehealth and Digital Health Platforms?


The healthcare regulatory requirements applicable to telehealth and digital health platforms vary by state. Digital health laws and regulations counsel advising on a telehealth program must evaluate whether the applicable state medical practice act requires the treating physician to be licensed where the patient is located, whether the platform's collection and use of patient-generated health data triggers HIPAA obligations or is governed exclusively by the FTC Act, and whether the platform's prescribing practices comply with the Ryan Haight Act.



3. Licensure, Accreditation, and Governance


Healthcare regulatory compliance for hospitals, health systems, and individual providers includes maintaining the licenses and accreditations that authorize the organization to operate and bill for services.



How Should Providers Defend Against License Suspension Proceedings?


A healthcare provider whose license is threatened by a state medical board must respond with a comprehensive factual and legal defense that addresses each allegation supporting the proposed adverse action. Healthcare practice management counsel representing the provider must evaluate whether the board's investigation procedure complied with applicable due process requirements and whether expert testimony is available to support the provider's defense on the clinical merits.



How Should Hospital Boards Manage Fiduciary and Governance Duties?


A hospital board's fiduciary obligations include the duty of care, the duty of loyalty, and, for nonprofit hospitals, the duty to ensure that the organization's assets are used in furtherance of its charitable mission. Healthcare management solutions counsel advising on hospital governance must evaluate whether the board's conflict of interest policy effectively manages conflicts that arise from physician employment arrangements and vendor contracts.



4. Government Investigations and Sanctions Defense


Healthcare regulatory investigations by the OIG, CMS, and the Department of Justice are among the most consequential proceedings that healthcare organizations can face.



How Should Healthcare Organizations Respond to OIG and CMS Inquiries?


When the Office of Inspector General or the Centers for Medicare and Medicaid Services opens an investigation, the healthcare organization must immediately preserve all potentially relevant documents and assess the scope of the government's inquiry. Healthcare regulations counsel managing the response must evaluate whether the organization's attorney-client privilege protections are intact and whether mandatory disclosure obligations require reporting the potential violation before the government formally demands a response.



When Should Healthcare Organizations Seek Reduction of Sanctions?


A healthcare organization that has received a civil monetary penalty, a corporate integrity agreement, or a notice of exclusion from federal healthcare programs can challenge the severity of the sanction through administrative appeal procedures. Healthcare compliance and regulatory counsel managing a sanctions reduction proceeding must evaluate whether the penalty calculation correctly applied the statutory per-claim amounts and whether the organization's compliance program and remediation efforts satisfy the standards for penalty reduction.


9 April 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Reading or relying on the contents of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult a qualified attorney licensed in your jurisdiction.
Certain informational content on this website may utilize technology-assisted drafting tools and is subject to attorney review.