Practice Compliance


Numerous regulations affect the healthcare industry, and it’s important for you to stay informed. Maintaining compliance protects your practice and reduces risk of legal consequences. Refer to the information and resources provided to help you successfully operate your rheumatology practice and remain in compliance. All covered physician practices should become familiar with these important topics:

  • Stark Law & the Anti-Kickback Statute
  • HIPAA policies and procedures
  • Office of Inspector General (OIG) Work Plan

Stark Law: Self-Referral Regulations

The Stark Law, also known as the Physician Self-Referral Law (Section 1877 of the Social Security Act 42 U.S.C. § 1395nn), prohibits physicians from referring patients to receive "designated health services" payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies.

  1. Prohibits healthcare providers from referring Medicare patients for certain health services to a business in which the physician has a financial or familial interest.
  2. Prohibits the billing of Medicare or other insurance providers for health services when an improper physician referral was made.
  3. Establishes several exceptions to the two provisions above and grants the secretary of the Department of Health and Human Services the authority to create specific exceptions for referrals to entities or medical provider businesses that will not result in a conflict of interest. Some of these exceptions require that whatever financial relationship exists reflects “fair market value.”

While the provisions seem somewhat burdensome, keep in mind that these limitations on healthcare referrals only apply to Medicare patients. The federal government’s purpose is to protect this category of people, specifically because the elderly (and in some cases, the disabled) are considered vulnerable populations who might be easy targets for unnecessary services.

In addition, the law narrows the category of Medicare patients to only those patients who receive a referral for designated health services.

The Centers for Medicare & Medicaid Services (CMS) defines a designated health service as any one, or any combination, of the following:

  • Clinical laboratory services
  • Durable medical equipment and supplies (DME)
  • Home health services
  • Inpatient and outpatient hospital services
  • Occupational therapy services
  • Outpatient prescription drugs
  • Outpatient speech-language pathology services
  • Parenteral and enteral nutrients, equipment, and supplies
  • Physical therapy services
  • Prosthetics, orthotics, and prosthetic devices and supplies
  • Radiation therapy services and supplies
  • Radiology and certain other imaging services

Services not listed here are not covered under the Stark Law and, therefore, are not subject to its requirements or penalties.

The Stark Law only applies to Medicare beneficiaries who receive a referral for a designated health service (DHS). This means that a referral for a private-payer or self-pay patient would not fall under Stark Law requirements. In addition, there are several exceptions to the referral rule, including referrals to academic medical centers; for in-office ancillary services (such as providing wheelchairs and blood glucose monitors); for physician services where the physician is a member of the same group practice; and for some clinical laboratory services (preventive screening and vaccinations).

Covered healthcare providers who violate the Stark Law are strictly liable. Strict liability is a form of legal liability in which the party who violated the law is held responsible even if they had no intention of doing so, and even if the court can identify no specific fault or action by the practitioner that caused the violation.

Strict liability is the standard in a variety of settings. In the case of the Stark Law, proof that an improper referral was made is enough to impose liability, regardless of whether the physician knew of a potential financial or familial conflict.

Any HCP, healthcare system, or hospital found in violation could be required to refund all payments collected for the improperly referred services; to pay civil monetary penalties of up to $15,000 for each service billed under an improper referral; and to be excluded from all federal healthcare programs. A violator found to have knowingly entered into a scheme to circumvent the law could face civil penalties of up to $100,000 per scheme. These are the statutory base amounts and are periodically adjusted for inflation.

To ensure there is no violation of the Stark Law, practices must evaluate any economic benefits they receive from entities to which they refer Medicare and Medicaid patients. It is important to verify whether they meet any of the almost 20 detailed and complicated “exceptions” described in the statute.

View the full outline of the Stark Law guidelines, along with the exceptions and ramifications of the rule.

The regulations implementing the Stark Law set out a series of requirements for structuring compliant physician compensation arrangements. These are commonly referred to as "safe harbor" provisions, although strictly speaking that term belongs to the Anti-Kickback Statute (42 CFR § 1001.952); the Stark regulations call the corresponding protections "exceptions" (42 CFR § 411.357). A safe harbor or exception is a set of compliance steps that, if followed, will limit or eliminate liability for an arrangement that would otherwise be prohibited.

The Stark exception for personal service and compensation arrangements has seven components. Physician compensation contracts must:

  1. Have a duration of at least a year
  2. Be in writing and signed by both parties
  3. Specify an aggregate payment, which is set in advance
  4. Have a payment or salary provision that is reasonable and is at fair market value
  5. Not connect the payment or salary to the volume or value of business
  6. Specify the exact services to be performed
  7. Be commercially reasonable (Stark Law, 42 CFR § 411.357)

Health Insurance Portability and Accountability Act (HIPAA)

The rules of the Health Insurance Portability and Accountability Act (HIPAA) are published by the Department of Health and Human Services (HHS) and enforced by the Centers for Medicare & Medicaid Services (CMS), which oversees the transaction and code set standards, and the Office for Civil Rights (OCR), which enforces the Privacy and Security Rules. The primary focus of the law was to ensure the portability of health insurance coverage for Americans changing jobs. It was also designed to protect the privacy and security of patient records and to bring uniformity to claims processing.

All healthcare organizations are affected in some way by HIPAA. The entities that are affected include all health care providers, health plans, employers, public health authorities, hospitals, life insurers, clearinghouses, billing agencies, information systems vendors, and service organizations.

The three main rules of HIPAA are:

  • Privacy Rule: Organizations must identify the uses and disclosures of protected health information (PHI) and put into effect appropriate safeguards to protect against unauthorized use or disclosure of that PHI. When material breaches or violations of privacy are identified, organizations must take reasonable steps to correct those problems and limit exposure of PHI. Compliance with the Privacy Rule was required of all covered entities by April 14, 2003 (small health plans had until April 14, 2004). Additionally, under the final rules, patients have expanded rights to understand and control how their health information is used.
  • Security Rule: Defines the administrative, physical, and technical safeguards required to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Covered entities are required to implement safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission. The final rule required all covered entities, with the exception of small health plans, to be compliant by April 20, 2005 (small health plans had until April 20, 2006).
  • Electronic Transactions Standards: While software vendors do most of the work to make computer systems HIPAA compliant, medical practices must have policies and procedures in place to ensure the submission of the necessary data elements to complete each transaction. For each transaction, the standard dictates a certain set of required data elements, optional data elements, format, and content. In addition, practices should ensure that their contracts with software vendors include language committing the vendor to compliance with the law. Before the HIPAA regulations, more than 400 different formats were in use for transmitting "standard" health care data such as benefits, eligibility, and payment information to payers; these have been consolidated into a small set of standard "HIPAA-compliant" transaction standards.

HIPAA calls for severe civil and criminal penalties for noncompliance. As originally enacted, these included:

  • Civil fines of up to $25,000 for multiple violations of the same standard in a calendar year
  • Criminal fines of up to $250,000 and/or imprisonment of up to 10 years for knowing misuse of individually identifiable health information with intent to sell it, or to use it for commercial advantage, personal gain, or malicious harm

Note that the HITECH Act of 2009 substantially increased the civil penalties, introducing a tiered structure based on the level of culpability with an annual cap per violated provision of $1.5 million (adjusted for inflation), and extended direct liability to business associates.

View the complete requirements and standards of the privacy requirements of the HIPAA Regulations and Guidance.

The Affordable Care Act (ACA) expanded the provisions in HIPAA to support administrative simplification. The HIPAA Administrative Simplification regulations include several provisions designed to streamline and simplify healthcare transactions. Through the use of standards, operating rules, unique identifiers, and code sets, these provisions can help the healthcare community save time and money.

The National Standards Group (NSG), on behalf of HHS, has created a new fact sheet that summarizes a number of these important provisions. The fact sheet also includes links directly to the regulations for easy reference and provides information on how to remain compliant with the HIPAA Administrative Simplification regulations.

It is imperative for physician practices to maintain ongoing HIPAA compliance by conducting an organizational assessment and determining if any gaps exist. It is also important to assign a team or staff member to manage and coordinate HIPAA compliance within the practice by doing quarterly educational sessions as well as developing policies and procedures for the practice to ensure compliance.

For questions on HIPAA compliance or training, contact the ACR practice department at

Office of Inspector General (OIG) Work Plan and Compliance

Each year, the Office of Inspector General (OIG) produces an annual work plan that presents the major initiatives and priorities they intend to undertake to assist the U.S. Department of Health and Human Services (HHS) in fulfilling its responsibilities to taxpayers and Medicare beneficiaries. The plan details the assignment areas and resources that the OIG plans to devote to evaluating the efficiency, effectiveness, and integrity of the Medicare programs and operations.

The Work Plan is updated quarterly, and each project is categorized as initiated, in development, or planned.

  • Initiated: The project is underway; the description of the project includes the calendar quarter in which we expect to complete the project.
  • In Development: The project team is determining the project’s scope and completion date.
  • Planned: The project has been identified by our office, and formal work has not yet begun.

Each quarter, projects that are new or have been updated, postponed, canceled, terminated, suspended, or issued as reports are marked as such. For a list of issued reports, please view the Audit Reports page on their website.

The OIG Work Plan is released each year and gives a summary of the new and ongoing reviews and activities that will be pursued with respect to HHS programs and operations during the current fiscal year and beyond.

If you or your healthcare entity has any questions pertaining to healthcare compliance or would like to have an audit review, contact the ACR practice department at

As part of its ongoing focus on fighting healthcare fraud and abuse, the OIG has worked to help physician practices develop compliance programs in their organizations. The compliance guidance is geared towards promoting adherence to the statutes and regulations applicable to federal health programs in order to prevent and reduce improper conduct.

The OIG has indicated that physician practices should take an incremental and flexible approach when developing and implementing a compliance program. Physician practices should view a compliance program as an ongoing effort to identify issues within the practice and prevent problems from occurring in the future, rather than as a one-time exercise.

A compliance program also sends an important message to practice staff that while mistakes will occur, employees have an ethical duty to report erroneous or fraudulent conduct, so that it may be corrected.

Download the ACR Office Compliance Plan to help with developing a compliance program that best fits your practice’s organizational needs.
