Get answers to the most frequently asked questions about healthcare compliance laws, regulations, & authorities, including HIPAA, Stark Law, DHHS OIG, & more.

WHAT ARE THE PRINCIPAL LAWS AND REGULATIONS GOVERNING HEALTHCARE COMPLIANCE?

Common laws and regulations used in healthcare enforcement include:

  1. Health Insurance Portability and Accountability Act (HIPAA) protects patients’ privacy and requires organizations to keep patients’ medical records secure.  
  2. Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA to provide certain health IT compliance standards for electronic health records (EHR). 
  3. False Claims Act (FCA), 31 U.S.C. §§ 3729-3733, makes it illegal for providers to file a false claim to a federal payer. The FCA includes a qui tam provision that allows people who are not affiliated with the government, otherwise known as relators or whistleblowers, to sue the wrongdoer on behalf of the U.S. government.
  4. Civil Monetary Penalties Law (CMPL), 42 U.S.C. § 1320a-7a, authorizes HHS OIG to impose civil money penalties, an assessment, and program exclusion for various forms of fraud and abuse involving the Medicare and Medicaid programs. 
  5. Anti-Kickback Statute (AKS), 42 U.S.C. § 1320a-7b(b), prohibits organizations and providers from receiving a financial benefit for patient referrals if the federal government reimburses for all or part of the cost to render the service or item to the patient. The goal of the AKS is to prevent the influence of financial gain on medical treatment decisions.
  6. Physician Self-Referral Law, also known as the Stark Law, 42 U.S.C. § 1395nn, prohibits physicians from referring Medicare or Medicaid patients to a provider or entity with whom the physician or a member of the physician’s immediate family has a financial relationship.
  7. Patient Protection and Affordable Care Act implemented requirements for entities that participate in the Medicare or Medicaid programs to implement compliance programs. 

WHO ARE THE MAJOR HEALTHCARE COMPLIANCE ENFORCEMENT AUTHORITIES?

Government agencies, bureaus and offices that enforce compliance in the healthcare industry include:

  • Department of Justice (DOJ)
  • Department of Health and Human Services (HHS) Office of Inspector General (OIG) 
  • Medicaid Fraud Control Units (MFCUs) 
  • Centers for Medicare & Medicaid Services (CMS)
  • Office for Civil Rights (OCR) 
  • Federal Bureau of Investigation (FBI) 
  • Drug Enforcement Agency (DEA) 
  • Defense Criminal Investigation Service (DCIS) 

WHAT IS A MEDICAID FRAUD CONTROL UNIT (MFCU)?

All 50 States, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have an assigned Medicaid Fraud Control Unit that investigates and prosecutes Medicaid provider fraud, as well as cases of patient abuse or neglect. The MFCU is typically a part of the State Attorney General’s Office. MFCUs employ teams of investigators, attorneys, and auditors and are separate and distinct from the State Medicaid Agency. The OIG, in exercising oversight for the MFCUs, annually recertifies each MFCU, assesses each MFCU’s performance and compliance with Federal requirements, and administers a Federal grant award to fund a portion of each MFCU’s operational costs.

WHAT IS THE OFFICE FOR CIVIL RIGHTS? 

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces a variety of civil rights laws, including protecting the privacy of patients under the Health Insurance Portability and Accountability Act (HIPAA), the Privacy, Security, and Breach Notification Rules, and the Patient Safety Rule. OCR investigates and takes enforcement actions against covered entities and business associates involved in breaches of patients’ protected health information.

WHAT ARE THE CONSEQUENCES OF COMPLIANCE FAILURE?

Healthcare organizations that fail to implement a compliance program, or have an ineffective compliance program, can face serious consequences. The absence of a compliance program, or an ineffective one, can lead to violations of law and regulation, which may result in aggravated penalties imposed by DOJ, HHS OIG or CMS. Penalties may include severe financial penalties, criminal prosecution, and possible exclusion from participation in federally funded healthcare programs, such as Medicare, Medicaid and CHIP. DOJ civil settlements often result in the organization entering into a Corporate Integrity Agreement (CIA) with the OIG. In addition to government adverse actions, the organization may also be exposed to tort actions, as well as damaging publicity that negatively impacts its reputation with business partners, referral sources, and the patient community.