Get answers to the most frequently asked questions about healthcare compliance laws, regulations, & authorities, including HIPAA, Stark Law, DHHS OIG, & more.

WHAT ARE THE PRINCIPAL LAWS AND REGULATIONS GOVERNING HEALTHCARE COMPLIANCE?

The laws and regulations most common in healthcare enforcement are: 

  1. Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy and requires organizations to keep patients’ medical records secure.  
  2. Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA to provide certain health IT compliance standards for electronic health records (EHR). 
  3. False Claims Act [31 U.S.C. §§ 3729-3733] makes it illegal for providers to file a false claim to a federal payer. It includes a qui tam provision that allows people who are not affiliated with the government (otherwise known as relators or whistleblowers) to sue the wrongdoer on behalf of the U.S. government. 
  4. Civil Monetary Penalties Law (CMPL) [42 U.S.C. § 1320a-7a] authorizes the DHHS OIG to impose civil money penalties, an assessment, and program exclusion for various forms of fraud and abuse involving the Medicare and Medicaid programs. 
  5. Anti-Kickback Statute [42 U.S.C. § 1320a-7b(b)] prohibits organizations and providers from receiving a financial benefit for patient referrals if the federal government may be charged for all or part of the cost of these services. The goal is to prevent financial gain from influencing medical treatment decisions.
  6. Physician Self-Referral Law (Stark Law) [42 U.S.C. § 1395nn] prohibits physicians from referring patients with Medicare or Medicaid to a provider or entity with whom the physician or a member of the physician’s immediate family has a financial relationship. 
  7. Patient Protection and Affordable Care Act implemented new requirements for insurance, Medicaid, and more.

WHO ARE THE MAJOR HEALTHCARE COMPLIANCE ENFORCEMENT AUTHORITIES?

Major healthcare compliance enforcement agencies include: 

  • The Department of Justice 
  • Department of Health and Human Services (DHHS) Office of Inspector General (OIG) 
  • Medicaid Fraud Control Units (MFCUs) 
  • Center for Medicare/Medicaid Services (CMS) 
  • DHHS Office for Civil Rights (OCR) 
  • Federal Bureau of Investigation (FBI) 
  • Drug Enforcement Agency (DEA) 
  • Defense Criminal Investigation Service (DCIS) 

WHAT IS A MEDICAID FRAUD CONTROL UNIT (MFCU)?

All 50 States, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have Medicaid Fraud Control Units that investigate and prosecute Medicaid provider fraud as well as abuse or neglect. The MFCU is usually a part of the State Attorney General’s office. MFCUs employ teams of investigators, attorneys, and auditors and are separate and distinct from the State Medicaid agency. OIG, in exercising oversight for the MFCUs, annually recertifies each MFCU, assesses each MFCU’s performance and compliance with Federal requirements, and administers a Federal grant award to fund a portion of each MFCU’s operational costs. 

WHAT IS THE OFFICE FOR CIVIL RIGHTS?

The U.S. Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) enforces a variety of civil rights laws, including protecting the privacy of patients under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. OCR investigates and takes enforcement actions against organizations with breaches of patient Protected Health Information.

WHAT ARE THE CONSEQUENCES OF COMPLIANCE FAILURE?

The consequences of an absent or ineffective compliance program can be serious. It can lead to violations of law and regulation that result in aggravated penalties from the DOJ, OIG, and CMS. These may include severe financial penalties, criminal prosecution, and possible exclusion from participation in federally funded healthcare programs. Civil DOJ settlements often result in the organization entering into a Corporate Integrity Agreement (CIA) with the OIG. In addition to adverse government actions, the organization may also be exposed to tort actions, as well as damaging publicity that negatively impacts its reputation with business partners, referral sources, and the patient community.