If you’re starting a medical practice, facing regulatory compliance issues, or navigating healthcare transactions, you need a healthcare attorney who understands federal and state healthcare regulations beyond general business law, in a field where licensure requirements, fraud and abuse statutes, and reimbursement structures determine practice viability. Not a general corporate lawyer who handles healthcare occasionally. Not a business attorney unfamiliar with Stark Law or Anti-Kickback Statute. Not a litigator who doesn’t understand HIPAA requirements or Medicare conditions of participation. Healthcare attorneys provide regulatory compliance guidance, transaction structuring, and enforcement defense that general lawyers don’t handle.
Who You Need: Healthcare attorney with regulatory compliance experience in your specific sector (hospital systems, physician practices, surgery centers, telemedicine, pharmaceuticals), understanding of federal fraud and abuse laws and state-specific regulations, knowledge of reimbursement models and payor contracting, expertise in healthcare transactions and practice formation, relationships with regulatory agencies and industry professionals.
Critical Healthcare Regulatory Framework:
- Stark Law prohibits physician self-referrals for designated health services when financial relationships exist. Strict liability statute with limited exceptions. Violations result in payment denial, refund obligations, civil monetary penalties, and potential exclusion. Different from general conflict of interest rules.
- Anti-Kickback Statute criminalizes remuneration offered or received to induce referrals for federal healthcare program services. Intent-based statute with safe harbors protecting certain arrangements. Violations create False Claims Act liability beyond criminal penalties.
- HIPAA Privacy and Security Rules govern protected health information use and disclosure. Business associate agreements required for third-party vendors handling PHI. Breach notification obligations when unauthorized access occurs. Enforcement through civil monetary penalties and potential criminal prosecution.
- Medicare and Medicaid conditions of participation establish requirements for institutional providers receiving federal program reimbursement. Surveyed for compliance through state agencies. Deficiencies can result in termination from programs.
- Corporate Practice of Medicine doctrine prohibits non-physicians from owning medical practices in many states. Limits practice ownership structures and employment arrangements. Friendly PC models and management services organizations must comply with doctrine requirements.
Additional Support Beyond General Lawyers: Unlike general business attorneys, healthcare lawyers provide Stark Law and Anti-Kickback Statute compliance analysis for compensation arrangements, HIPAA compliance programs including business associate agreement review, Medicare enrollment and credentialing assistance, state medical board investigation defense, Office of Inspector General audit response and negotiation.
Next Steps: Identify your specific healthcare sector and legal need (practice formation, regulatory compliance, transaction, enforcement matter), gather all relevant documents (existing contracts, organizational documents, correspondence with regulatory agencies), contact healthcare attorneys who regularly work in your sector, verify attorney understands current federal and state regulatory landscape, act promptly because healthcare enforcement matters have strict response deadlines and practice formation requires compliance before operations begin.
Why General Business Lawyers Can’t Handle Healthcare Matters
Most business attorneys form LLCs. Draft employment agreements. Review commercial contracts.
Wrong skill set for healthcare.
Healthcare law operates through dense regulatory framework. Federal statutes (Stark Law, Anti-Kickback Statute, False Claims Act, HIPAA). State regulations (medical practice acts, scope of practice, corporate practice of medicine). Reimbursement rules (Medicare conditions of participation, Medicaid provider agreements, commercial payor contracts).
General business attorneys don’t spend years learning healthcare regulations. They understand corporate formation. They negotiate standard employment terms. They review leases and vendor agreements.
Skills don’t transfer to healthcare practice.
Here’s why: forming a physician practice requires analyzing whether corporate practice of medicine doctrine applies in your state, structuring ownership to comply with applicable restrictions, ensuring compensation arrangements satisfy Stark Law exceptions and Anti-Kickback safe harbors, drafting physician employment agreements addressing call coverage and on-call compensation, and implementing HIPAA-compliant policies before seeing first patient.
Not simply filing articles of incorporation. Complex regulatory compliance embedded in formation process.
Business attorneys who “handle some healthcare” don’t understand Stark Law’s designated health services categories. They’ve never analyzed whether compensation arrangement fits within personal services exception. They don’t know which states prohibit corporate practice of medicine. They miss HIPAA business associate agreement requirements.
Consequences?
Operating practice structure that violates corporate practice of medicine (practice shut down, professional discipline). Signing contracts with Stark Law violations (Medicare payment denials, refund liability, civil monetary penalties up to $25,000 per violation). Failing HIPAA compliance (breach notification failures, Office for Civil Rights investigations, penalties up to $1.9 million per violation category per year).
Pick healthcare attorney first. Not business lawyer who thinks healthcare is “just another industry with some extra rules.”
Stark Law: Physician Self-Referral Prohibition
Stark Law (42 U.S.C. § 1395nn) prohibits physicians from referring Medicare/Medicaid patients for designated health services to entities with which physician has financial relationship, unless exception applies.
Most complex healthcare regulation. Strict liability—no intent requirement. Technical violations create liability even without improper motive.
Three elements trigger Stark:
- Physician makes referral
- For designated health service
- To entity with which physician (or immediate family member) has financial relationship
All three present? Must fit exception or referral prohibited.
Referrals: Broad definition. Includes ordering or requesting any designated health service, including test interpretation.
Example: Physician orders MRI for patient. That’s referral under Stark, even if physician doesn’t specify where patient should go.
Referral includes established plan of care physician supervises.
Designated health services (DHS): Eleven categories of services subject to Stark:
- Clinical laboratory services
- Physical therapy, occupational therapy, speech-language pathology
- Radiology and imaging services
- Radiation therapy services and supplies
- Durable medical equipment and supplies
- Parenteral and enteral nutrients, equipment, supplies
- Prosthetics, orthotics, prosthetic devices and supplies
- Home health services
- Outpatient prescription drugs
- Inpatient and outpatient hospital services
Not all medical services. But broad categories covering significant portion of healthcare services.
Financial relationships: Two types:
- Ownership or investment interest
- Compensation arrangement
Ownership interest: Any equity, debt, or other interest in entity.
Example: Physician owns 10% of imaging center. Has ownership interest. Any referrals by physician to that imaging center implicate Stark.
Compensation arrangement: Any payment or transfer of value between physician and entity.
Extremely broad. Includes direct compensation, indirect compensation through intermediaries, and in-kind benefits.
Example: Hospital employs physician. Employment relationship is compensation arrangement. Physician cannot refer to hospital for DHS unless compensation arrangement fits Stark exception.
Consequences of violation:
Stark is strict liability. No intent requirement. Technical violations create liability regardless of clinical appropriateness or whether arrangement is fair market value.
Penalties:
- Denial of payment for prohibited referral services
- Refund of amounts collected for services billed in violation
- Civil monetary penalties up to $25,000 per prohibited referral (adjusted for inflation)
- Civil monetary penalties up to $170,823 for circumvention schemes (2024 amount, adjusted annually)
- Exclusion from federal healthcare programs (rare, reserved for egregious violations)
Violation also creates False Claims Act liability. Submitting claim for services billed in violation of Stark constitutes false claim. Creates treble damages exposure plus penalties.
Exceptions:
Stark includes numerous exceptions. Financial relationship that fits exception doesn’t violate Stark.
Major exceptions:
- In-office ancillary services (physician can provide DHS in own office if meets requirements)
- Personal services arrangements (compensation for services if meets six requirements)
- Employment (physician employee compensation if meets requirements)
- Fair market value compensation (payments for items/services at FMV, not considering referrals)
- Space and equipment rental (leases meeting specific requirements)
- Physician recruitment (hospital financial assistance for recruiting, with restrictions)
Each exception has detailed requirements. Must satisfy all elements precisely. Substantial compliance insufficient.
Personal services exception (most commonly used):
Six requirements:
- Written agreement signed by parties
- Covers all services furnished (or identifies each specific service)
- Aggregate services don’t exceed commercially reasonable necessity
- Term at least one year
- Compensation set in advance, consistent with fair market value, not considering referrals
- Services performed personally by physician (or immediate family member, or group practice members)
All six required. Missing one element? Exception doesn’t apply. Stark violation exists.
Example: Hospital contracts with physician to serve as medical director. Agreement written, one year term, FMV compensation. But compensation amount not set in advance—formula based on collections. Fails element 5 (set in advance requirement). Doesn’t fit exception. Stark violation.
Healthcare attorneys analyze compensation arrangements for Stark compliance by identifying whether arrangement creates financial relationship (almost always yes), determining if referrals occur for designated health services, evaluating which exceptions potentially apply, ensuring all exception requirements satisfied, and documenting compliance contemporaneously.
They know exception requirements intimately. They understand CMS guidance interpreting exceptions. They spot technical compliance failures general attorneys miss.
General business attorneys review physician contract, see fair market value compensation, think it’s compliant. Miss that compensation formula references collections (volumetric component potentially considering referrals). Or compensation not set in advance. Or agreement doesn’t specify services covered. Technical Stark violations embedded in seemingly reasonable contract.
Medical practice bills Medicare for services arising from referrals. Medicare conducts routine audit. Discovers Stark violations. Demands refund of all payments received for prohibited referrals. Practice owes hundreds of thousands. Civil monetary penalties assessed. Physician faces professional consequences.
Anti-Kickback Statute: Prohibition on Referral Inducements
Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b)) criminalizes knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals for items or services reimbursable by federal healthcare programs.
Criminal statute. Intent-based (unlike Stark’s strict liability). But extremely broad interpretation by courts.
Elements:
- Remuneration (anything of value)
- Offered, paid, solicited, or received
- Knowingly and willfully
- To induce or reward referrals or generate business
- For items or services reimbursable by federal healthcare programs
Remuneration: Courts interpret broadly. Includes cash payments, in-kind benefits, below-market leases, above-market compensation, gifts, entertainment, research funding, and virtually any transfer of value.
Even indirect benefits can constitute remuneration.
One purpose test: If one purpose of remuneration is to induce referrals, AKS violated—even if other legitimate purposes also exist.
Example: Hospital pays physician for medical director services. Compensation exceeds fair market value. One purpose for excess compensation is inducing physician’s referrals to hospital. AKS violation, even if physician actually performs medical director duties.
Contrast with Stark (strict liability regardless of intent). AKS requires knowing and willful conduct, but “one purpose” standard means intent threshold relatively low.
Penalties:
Criminal: Felony. Up to $100,000 fine per violation. Up to 10 years imprisonment.
Federal prosecutors rarely pursue criminal charges except egregious cases (blatant kickback schemes, significant amounts, pattern of conduct).
Civil monetary penalties: Up to $116,689 per violation (2024 amount, adjusted annually for inflation).
Exclusion from federal healthcare programs: Office of Inspector General can exclude individuals and entities. Exclusion prohibits participation in Medicare, Medicaid, all federal programs. Effectively ends healthcare practice or business.
False Claims Act liability: AKS violation creates per se False Claims Act violation. Any claims submitted pursuant to kickback arrangement are false claims. Treble damages plus penalties ($13,946 to $27,894 per false claim, 2024 amounts).
Safe harbors:
AKS includes safe harbors protecting arrangements from prosecution. Voluntary—arrangement not fitting safe harbor can still be lawful if no improper intent.
But practical reality: arrangements not fitting safe harbor face significant enforcement risk. Difficult to prove absence of improper intent. Healthcare industry heavily relies on safe harbor compliance.
Major safe harbors:
- Investment interests (ownership in large companies meeting requirements)
- Space rental (leases meeting six requirements)
- Equipment rental (leases meeting six requirements)
- Personal services and management contracts (seven requirements)
- Employment (employee compensation not considering referrals)
- Practitioner recruitment (hospital payments recruiting physicians, with restrictions)
- Referral services (patient referral services meeting requirements)
Each safe harbor has specific requirements. Like Stark exceptions, must satisfy all elements precisely.
Personal services safe harbor (commonly used):
Seven requirements:
- Written agreement signed by parties covering specified period
- Agreement covers all services furnished during term
- Aggregate services don’t exceed commercially reasonable necessity
- Term at least one year (consistent with commercial reasonableness)
- Compensation set in advance
- Compensation consistent with fair market value
- Compensation not determined in manner considering volume or value of referrals
Similar to Stark personal services exception but distinct requirements. Must separately analyze both Stark exception and AKS safe harbor. Arrangement might fit one but not other.
Example: Physician provides consulting services to medical device company. Agreement one year, written, compensation set in advance at FMV. But agreement doesn’t specify all services—open-ended consulting “as requested.” Fails element 2 (must cover all services or specify each). Doesn’t fit safe harbor. If consulting arrangement part of scheme to induce physician’s use of company’s devices, potential AKS violation.
Relationship to Stark:
Independent statutes. Often overlap but different requirements.
Stark applies only to physicians, only to designated health services, only referrals, and only financial relationships.
AKS applies to anyone (physicians, hospitals, vendors, anyone), any healthcare services reimbursed by federal programs, and any inducement of referrals or generation of business.
Stark broader in some ways (strict liability), narrower in others (only physicians, only DHS).
Arrangement must comply with both Stark and AKS. Fitting Stark exception doesn’t guarantee AKS compliance. Fitting AKS safe harbor doesn’t guarantee Stark compliance.
Healthcare attorneys analyzing compensation arrangements evaluate both statutes independently, structure arrangements to comply with both, and document compliance with applicable Stark exceptions and AKS safe harbors.
General business attorneys don’t understand dual compliance requirement. They focus on fair market value compensation (reasonable business practice) without ensuring technical Stark and AKS compliance. They don’t recognize that “reasonable” business arrangements can violate fraud and abuse laws without proper structuring.
Hospital enters vendor contract with physician-owned company. Fair market value pricing. Legitimate business need. But physician refers patients to hospital. Compensation arrangement between hospital and physician’s company potentially implicates Stark and AKS. Without exception/safe harbor compliance, creates significant liability exposure.
HIPAA Privacy and Security Rules
Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules govern protected health information (PHI) use, disclosure, and safeguarding.
Most misunderstood healthcare regulation. Providers think HIPAA just “patient confidentiality.” Actually detailed regulatory framework with specific requirements.
Covered entities: HIPAA applies to three categories:
- Healthcare providers who transmit health information electronically in connection with HIPAA transactions
- Health plans
- Healthcare clearinghouses
Most healthcare providers are covered entities. Once provider bills insurance electronically, becomes covered entity subject to HIPAA.
Protected health information (PHI): Individually identifiable health information created, received, maintained, or transmitted by covered entity.
Identifiable = contains information identifying individual, or there is reasonable basis to believe information could identify individual.
Includes obvious identifiers (name, SSN, medical record number) plus 18 HIPAA identifiers (dates, geographic subdivisions smaller than state, telephone/fax, email, IP address, biometric identifiers, photos, other unique identifiers).
PHI includes paper records, electronic records, oral communications. Not limited to electronic information.
Privacy Rule:
Governs PHI use and disclosure.
Permitted uses without authorization:
- Treatment, payment, healthcare operations (TPO)
- Required by law
- Public health activities
- Victims of abuse, neglect, domestic violence
- Law enforcement (limited circumstances)
- Decedents
- Research (with waiver or de-identified data)
All other uses require patient authorization or fit another HIPAA exception.
Treatment, payment, healthcare operations (TPO): Broad permission for routine healthcare activities.
Treatment: Provision, coordination, or management of healthcare. Includes consultations between providers, referrals.
Payment: Activities to obtain reimbursement. Includes billing, claims management, medical necessity determinations.
Healthcare operations: Management and administrative activities. Includes quality improvement, credentialing, legal and compliance, business planning.
TPO permission broad but not unlimited. Must be related to covered function. Cannot use TPO to disclose PHI for marketing or sale of PHI.
Minimum necessary standard: When using or disclosing PHI for non-treatment purposes, must limit to minimum necessary to accomplish purpose.
Doesn’t apply to treatment activities (providers can disclose whatever necessary for treatment).
Applies to payment and healthcare operations uses. Must implement policies limiting access to PHI based on job roles.
Patient rights: Patients have rights to:
- Access their medical records (with limited exceptions)
- Request amendments to records
- Accounting of disclosures (limited circumstances)
- Request restrictions on uses/disclosures (covered entity can decline most requests)
- Receive privacy notice describing PHI practices
Business associate agreements: Covered entities use third-party vendors handling PHI (billing companies, IT vendors, consultants, cloud storage, shredding services, etc.).
Vendors handling PHI on behalf of covered entity are “business associates.” Must sign business associate agreement (BAA) before receiving PHI.
BAA requires business associate to:
- Use PHI only for permitted purposes
- Implement safeguards protecting PHI
- Report breaches to covered entity
- Return or destroy PHI at relationship termination
- Comply with HIPAA Security Rule
- Flow down BAA requirements to subcontractors
Covered entity cannot disclose PHI to vendor without BAA in place. Violation of HIPAA.
Common mistake: Healthcare providers use cloud services, email platforms, practice management systems without obtaining BAAs. They assume vendor compliance. Wrong. Covered entity responsible for ensuring BAA exists before PHI disclosed.
Security Rule:
Establishes safeguards for electronic PHI (ePHI).
Three types of safeguards:
- Administrative (policies, training, risk analysis)
- Physical (facility access controls, device security)
- Technical (access controls, encryption, audit logs)
Some requirements “required.” Others “addressable” (implement if reasonable and appropriate, or document why not implementing and what alternative used).
Key requirements:
- Risk analysis identifying ePHI vulnerabilities
- Risk management plan implementing security measures
- Workforce training on security policies
- Access management limiting ePHI access to authorized users
- Audit controls monitoring ePHI access
- Transmission security for ePHI sent over networks
- Business associate agreements with vendors handling ePHI
Encryption addressable but strongly recommended. OCR expects covered entities to encrypt ePHI unless documented reason not feasible.
Breach notification:
Breach = unauthorized acquisition, access, use, or disclosure of PHI compromising security or privacy.
Covered entities must:
- Notify affected individuals within 60 days
- Notify HHS if breach affects 500+ individuals (within 60 days)
- Notify media if breach affects 500+ individuals in jurisdiction
- Maintain log of breaches affecting fewer than 500 individuals, report annually to HHS
Penalties for breach notification failures separate from underlying HIPAA violation penalties.
Penalties:
Civil monetary penalties tiered by violation severity:
- Tier 1 (no knowledge): $100-$50,000 per violation
- Tier 2 (reasonable cause): $1,000-$50,000 per violation
- Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation
- Tier 4 (willful neglect, not corrected): $50,000 per violation
Annual maximum per violation category: $1,893,314 (2024 amount, adjusted annually).
Criminal penalties for knowing violations:
- Wrongful disclosure/obtaining: up to $50,000 fine and 1 year imprisonment
- Under false pretenses: up to $100,000 fine and 5 years imprisonment
- For commercial advantage/malicious harm: up to $250,000 fine and 10 years imprisonment
Healthcare attorneys implement HIPAA compliance programs by conducting risk assessments identifying vulnerabilities, drafting policies and procedures addressing Privacy and Security Rule requirements, training workforce on HIPAA obligations, preparing business associate agreements for vendors, implementing breach response protocols, and responding to Office for Civil Rights investigations.
They understand HIPAA applies to entire practice operations, not just medical records. Staff email discussing patients, phone conversations, faxes, physical security of files, computer access controls—all implicate HIPAA.
General business attorneys review HIPAA compliance superficially. They draft privacy notice without implementing actual policies. They don’t ensure business associate agreements in place before vendors access systems. They don’t understand minimum necessary requirements or breach notification obligations.
Practice suffers data breach. Discovers didn’t have business associate agreement with IT vendor. Didn’t encrypt electronic records. Delayed breach notification past 60-day deadline. Multiple HIPAA violations. Office for Civil Rights investigation. Civil monetary penalties. Reputation damage. Patient lawsuits.
Medicare Conditions of Participation
Medicare Conditions of Participation (CoPs) establish requirements for institutional providers (hospitals, skilled nursing facilities, home health agencies, etc.) to receive Medicare reimbursement.
Facilities must meet CoPs to be “certified” for Medicare participation. State survey agencies conduct surveys evaluating CoP compliance. Centers for Medicare & Medicaid Services (CMS) terminates Medicare agreements when CoPs not met.
Survey process:
State survey agencies (typically health departments) conduct periodic surveys—typically every 12-36 months depending on facility type and compliance history.
Surveys evaluate compliance with federal CoPs and state licensing requirements simultaneously.
Surveyors tour facility, review medical records and policies, interview staff and patients, observe care delivery.
Surveys result in one of several outcomes:
- Compliance (no deficiencies or minor issues corrected during survey)
- Deficiencies cited requiring plan of correction
- Immediate jeopardy (situation causing or likely to cause serious injury, harm, impairment, or death) requiring immediate correction
- Termination track (substantial compliance failures leading to Medicare agreement termination)
Deficiency citations:
Surveyors cite deficiencies at scope and severity levels:
- Scope: isolated, pattern, widespread
- Severity: minimal harm, actual harm, immediate jeopardy
Most serious: immediate jeopardy. Requires immediate plan of correction. Facility can face termination if not corrected.
Condition-level deficiencies: Failure to meet CoP requirements (versus standards within CoP). More serious than standard-level deficiencies.
Plan of correction:
Facilities cited with deficiencies must submit plan of correction describing how deficiencies corrected, date of correction, and systemic changes preventing recurrence.
State agency reviews plan, may request revisions. May conduct revisit survey verifying corrections implemented.
Enforcement remedies:
When facilities fail to meet CoPs, CMS can impose remedies:
- Directed plan of correction (CMS requires specific corrective actions)
- Directed in-service training
- Temporary management
- Civil monetary penalties (varies by severity, typically $50 to $28,665 per day)
- Suspension of payment for new admissions
- Termination of Medicare provider agreement
Termination most serious. Facility cannot bill Medicare for services. Effectively shuts down most facilities economically.
Key CoPs by provider type:
Hospitals (42 CFR 482): Covers governing body, medical staff, nursing services, pharmaceutical services, infection control, quality assessment/performance improvement, medical records, emergency services.
Medical staff requirements particularly complex. Credentialing, privileging, peer review, quality monitoring.
Skilled nursing facilities (42 CFR 483): Covers resident rights, admission/discharge/transfer, quality of care, nursing services, dietary services, infection control, quality assurance.
Quality of care standards detailed. Covers pressure ulcers, falls, medication errors, unnecessary drugs, abuse/neglect.
Home health agencies (42 CFR 484): Covers patient rights, comprehensive assessment, plan of care, quality assessment/performance improvement, infection control, personnel qualifications.
Recently revised (January 2023) with performance improvement requirements, unified quality reporting.
Ambulatory surgery centers (42 CFR 416): Covers governing body, surgical services, quality assessment/improvement, medical staff, medical records, infection control.
Less complex than hospital CoPs but still detailed requirements.
Common deficiency areas:
Across provider types, common citations include:
- Infection control failures
- Medication administration errors
- Inadequate staffing
- Incomplete medical records
- Quality assessment/performance improvement deficiencies
- Governing body oversight failures
- Patient rights violations
Healthcare attorneys assist with CoP compliance by preparing for surveys (mock surveys, policy review), responding to deficiency citations with plans of correction, challenging deficiency citations through informal dispute resolution, appealing enforcement actions and terminations, defending civil monetary penalties, and negotiating settlement agreements with CMS.
They understand survey process, know what surveyors look for, and can identify high-risk areas proactively.
General business attorneys don’t understand CoP survey process. They treat deficiency citations like routine business citations, don’t recognize termination risk. They miss appeal deadlines. They draft inadequate plans of correction not addressing systemic issues.
Facility receives condition-level deficiencies. Submits weak plan of correction. CMS rejects plan. Imposes termination. Facility loses Medicare certification. Cannot operate. Business destroyed.
Corporate Practice of Medicine Doctrine
Corporate Practice of Medicine (CPOM) doctrine prohibits non-physicians from owning medical practices and employing physicians in many states.
Rationale: Protect physician independent medical judgment from corporate profit motives. Prevent commercialization of medicine.
Not federal law. State-specific doctrine varying significantly by jurisdiction.
States prohibiting corporate practice:
Approximately half of states prohibit or restrict corporate practice of medicine through statute, regulation, or court decisions.
Examples of restrictive states: California, Texas, Illinois, New York, Ohio, Colorado.
Restrictions vary. Some states absolute prohibition. Others permit with restrictions. Some unclear or not enforced.
States permitting corporate practice:
Remaining states generally permit non-physician ownership of medical practices.
Examples: Florida, Nevada, Arizona, Maryland, North Carolina.
Even permissive states may have restrictions on specific specialties or practice types.
Typical restrictions in CPOM states:
Non-physicians cannot:
- Own medical practices directly
- Employ physicians to provide medical services
- Control physicians’ clinical decision-making
- Share in professional fees from medical services
Rationale: Physician professional judgment must not be subordinate to corporate interests.
Permitted practice structures in CPOM states:
Professional corporation (PC) or professional association (PA): Physicians form PC/PA. All shareholders must be licensed physicians (or sometimes include limited non-physician professionals like nurse practitioners, depending on state).
Non-physician investors cannot own equity in PC/PA.
Friendly PC model: Non-physician entity (business investors, hospital, management company) contracts with physician-owned PC/PA providing management services.
PC/PA maintains ownership and clinical control. Management company handles business operations (billing, HR, IT, facilities, marketing).
Management fee paid to management company. Must be fair market value, not based on referrals, compliant with Stark and AKS.
Physicians retain ownership and clinical control. Management company provides business support but doesn’t employ physicians or own practice.
Management services organization (MSO): Similar to friendly PC model.
MSO provides comprehensive management services to physician practice. Physicians own PC, retain clinical control. MSO handles business operations.
Compensation structure critical. MSO fee cannot be structured such that MSO effectively receives professional fees or controls practice economics.
Equity-adjacent structures: Some arrangements attempt to give non-physicians economic participation without technical ownership:
- Stock options granted to management company (exercisable when physician retires)
- Equity appreciation rights (cash payments based on practice value increase)
- Profit participation in practice earnings
These structures legally questionable in strict CPOM states. Risk challenge as CPOM violation disguised as different arrangement.
Fee splitting prohibition:
Related to CPOM doctrine: prohibition on fee splitting between physicians and non-physicians.
Physician cannot share professional fees with non-physician.
Management fees to MSO not “fee splitting” if structured as payment for services at fair market value. But if management fee is percentage of collections or otherwise tied to professional fees, may constitute prohibited fee splitting.
CPOM compliance issues:
Common violations:
- Non-physician investors owning medical practice directly
- Management agreements giving management company control over clinical decisions
- Compensation arrangements where non-physician receives share of professional fees
- Management fees not at fair market value or based on collections
- Agreements giving management company veto power over physician decisions
Consequences of violation:
- Practice operating illegally (state may seek injunction shutting down practice)
- Physician professional discipline (license suspension or revocation)
- Contracts unenforceable (physician might avoid payment obligations under illegal contract)
- Fraud and abuse exposure (CPOM violations often also implicate Stark/AKS)
Recent developments:
Private equity investment in physician practices increased dramatically. Challenges CPOM doctrine.
Private equity cannot own medical practices in CPOM states directly. Uses friendly PC/MSO structures. Physicians retain nominal ownership. Management company (private equity-funded) controls business operations and receives management fees.
Some question whether arrangements comply with CPOM in substance versus form. Management company economic control may constitute de facto ownership.
State enforcement varies. Some states not actively enforcing CPOM despite technical violations. Others investigating arrangements aggressively.
Healthcare attorneys structuring practice ownership analyze whether state enforces CPOM doctrine (statute, regulation, case law, enforcement history), determine permitted ownership structures, draft management services agreements complying with CPOM restrictions, ensure compensation arrangements not prohibited fee splitting, and maintain physician clinical independence.
They know state-specific rules. They structure arrangements providing investors economic return while maintaining CPOM compliance. They understand relationship between CPOM compliance and Stark/AKS compliance (must satisfy both).
General business attorneys don’t understand CPOM exists. They structure medical practice like any business—investors own equity, employ physicians. In CPOM state, entire structure illegal. Practice shut down. Physician loses license. Investors lose investment.
Or business attorney structures MSO arrangement giving management company control over clinical decisions or basing fees on collections. Violates CPOM. Also creates Stark and AKS issues. Multiple regulatory violations from single transaction.
Telemedicine Regulations and Licensing
Telemedicine expanded dramatically, particularly post-COVID. Regulatory landscape complex and evolving.
State licensure requirements:
Physicians must be licensed in state where patient located during telemedicine encounter.
Traditional rule: Physician must hold license in every state where treating patients via telemedicine.
Some states enacted telemedicine-specific exceptions during COVID emergency. Many expired. Others made permanent.
Interstate Medical Licensure Compact (IMLC):
Interstate compact allowing expedited licensure in multiple states.
40 states participate (as of 2024). Physician licensed in compact member state and meeting eligibility criteria can apply for expedited licenses in other compact states.
Not single multi-state license. Still requires obtaining individual license in each state. But streamlined application process.
Eligibility requirements:
- Primary state of practice license
- Board certification
- No disciplinary history
- Completion of certain requirements
Prescribing regulations:
DEA registration required in state where patient located for prescribing controlled substances via telemedicine (with COVID-era exceptions that have largely expired).
Some states impose additional restrictions on telemedicine prescribing:
- Requiring prior in-person examination
- Prohibiting initial controlled substance prescriptions via telemedicine
- Requiring specific documentation
Ryan Haight Act governs online prescribing of controlled substances. Generally requires at least one in-person medical evaluation before prescribing. A telemedicine exception exists in certain circumstances, but it is narrow.
Standard of care:
Telemedicine encounters must meet same standard of care as in-person encounters.
Physician cannot hide behind telemedicine limitations. Must conduct appropriate evaluation, order necessary tests, refer when indicated.
If standard of care requires physical examination and telemedicine encounter doesn’t permit adequate examination, physician must see patient in person or refer.
Technology requirements:
States increasingly require:
- HIPAA-compliant platforms for telemedicine
- Audio-video capability (not just telephone)
- Secure messaging for follow-up
- Electronic health record documentation
Reimbursement:
Medicare expanded telemedicine coverage during COVID public health emergency. Many expansions extended through 2024, with some made permanent and others set to expire.
State Medicaid programs vary in telemedicine coverage. Some robust, others limited.
Commercial payors vary. Some pay telemedicine same as in-person (parity laws in some states). Others reimburse at lower rates or don’t cover certain telemedicine services.
Fraud and abuse considerations:
Telemedicine arrangements must comply with Stark and AKS.
Common issues:
- Telemedicine companies paying physicians to provide consultations (potential AKS issue if compensation considers referrals or tests ordered)
- Kickbacks for telemedicine platform referrals
- Telemedicine encounters generating ancillary services billed by affiliated entities (Stark concerns)
Office of Inspector General issued telemedicine fraud alert warning about arrangements where:
- Telemedicine companies pay physicians fees not consistent with FMV for actual services
- Companies generate revenue from tests/DME ordered during telemedicine encounters
- Physicians have financial relationships with entities providing ancillary services
Corporate practice of medicine:
Telemedicine companies must comply with CPOM in states where doctrine applies.
Non-physician-owned telemedicine companies cannot employ physicians in CPOM states. Must use independent contractor arrangements or friendly PC models.
Healthcare attorneys advising on telemedicine analyze licensure requirements in states where patients located, ensure DEA and prescribing compliance, review platform HIPAA compliance and business associate agreements, structure physician relationships complying with CPOM, analyze Stark and AKS implications of compensation and referral arrangements, and navigate state-specific telemedicine regulations.
They track rapidly evolving regulations—COVID emergency measures, permanent changes, new state laws.
General business attorneys treat telemedicine like any technology business. They don’t understand licensure requirements, prescribing restrictions, fraud and abuse implications. They structure arrangements violating multiple regulations.
Telemedicine company operates in 20 states. Physicians only licensed in home state. Illegal practice of medicine in 19 states. Prescribing controlled substances without proper DEA registration. Paying physicians above FMV to generate orders for affiliated lab testing (AKS violations). Company shut down. Executives face criminal investigation.
Warning Signs: When to Avoid an Attorney
Not all attorneys claiming healthcare expertise actually have it.
No healthcare regulatory experience: Attorney handles general business litigation or corporate work, thinks healthcare “just another industry.”
Healthcare law requires specialized knowledge of federal fraud and abuse statutes, HIPAA, Medicare regulations, state medical practice acts. Not generalizable from other industries.
No current regulatory knowledge: Attorney handled healthcare matters years ago but not current on recent developments.
Healthcare regulations change constantly. Stark Law regulations revised substantially in recent years. HIPAA enforcement increased. Telemedicine regulations evolved dramatically. Attorney without current knowledge gives outdated advice.
Promises certain compliance outcomes: “This structure definitely complies with Stark” or “HIPAA won’t be an issue.”
Healthcare regulations contain ambiguity. Many arrangements fall in gray areas. OIG and CMS interpretations evolve. Competent healthcare attorney identifies risks, structures to minimize exposure, but cannot guarantee regulatory approval.
No enforcement experience: Attorney drafts contracts and corporate documents but never defended OIG investigation, Medicare audit, medical board complaint, or HIPAA enforcement.
Understanding how regulations enforced critical to compliance advice. Attorney who’s only done transactional work doesn’t appreciate enforcement priorities and consequences.
Treats HIPAA superficially: “Just sign this privacy notice and you’re HIPAA compliant.”
HIPAA requires comprehensive compliance program—risk assessment, policies and procedures, workforce training, business associate agreements, breach response protocols, ongoing monitoring. Not single document or one-time checklist.
Doesn’t understand payor contracting: Healthcare attorney should understand Medicare/Medicaid enrollment, credentialing, commercial payor contracting, billing and coding, reimbursement models.
These intersect with regulatory compliance constantly. Attorney without reimbursement knowledge can’t advise on practice operations effectively.
Not familiar with Office of Inspector General: OIG enforces fraud and abuse laws, issues advisory opinions and compliance guidance, conducts audits and investigations.
Healthcare attorney should know OIG advisory opinion process, compliance program guidance, fraud alerts. Should monitor OIG work product.
Uses non-healthcare forms: Attorney uses standard employment agreement template not tailored to healthcare. Uses generic business associate agreement not meeting HIPAA requirements. Uses LLC operating agreement without addressing CPOM concerns.
Healthcare arrangements require specialized agreements addressing regulatory requirements. Generic forms create compliance failures.
No relationship with healthcare consultants: Healthcare attorneys often work with specialized consultants—Stark/AKS compliance consultants, coding and billing experts, HIPAA privacy officers, healthcare accountants.
Attorney operating in isolation without consultant network less effective.
Trust instincts during consultation. Healthcare attorney should demonstrate deep regulatory knowledge. Should discuss Stark, AKS, HIPAA specifically. Should reference OIG guidance, CMS regulations, recent enforcement actions.
General business attorney talking about “setting up your practice” without mentioning fraud and abuse compliance or HIPAA won’t provide adequate guidance for healthcare operations.
Questions to Ask During Initial Consultation
Healthcare matters involve complex regulations. Ask detailed questions evaluating attorney expertise.
Experience questions:
- “What percentage of your practice is healthcare law?”
- “Which healthcare sectors do you work with most (hospitals, physician practices, surgery centers, telemedicine, other)?”
- “Have you defended healthcare enforcement actions (OIG investigations, Medicare audits, medical board complaints)?”
- “How do you stay current on healthcare regulatory changes?”
Regulatory knowledge questions:
- “How would you analyze this arrangement for Stark Law compliance?” (for transactions)
- “What Stark exception or AKS safe harbor would apply to this compensation arrangement?”
- “What HIPAA requirements apply to my practice type?”
- “Does corporate practice of medicine apply in our state and how does it affect ownership structure?”
Specific scenario questions:
- “I want to hire physicians—what regulatory issues do I need to address?”
- “Hospital wants to recruit me and offer income guarantee—what compliance requirements apply?”
- “I’m starting telemedicine practice serving multiple states—what do I need to know?”
- “We received OIG subpoena—what should we do?”
Enforcement questions:
- “Have you responded to Office of Inspector General investigations?”
- “Have you defended medical board complaints?”
- “Have you handled Medicare audits or overpayment demands?”
Cost questions:
- “How do you structure fees for healthcare matters?” (hourly, flat fee for specific services, retainer arrangements)
- “What would compliance program implementation cost?”
- “What would transactional work cost for practice formation or acquisition?”
Red flag questions:
- “Can you guarantee this arrangement complies with Stark and AKS?” (They should explain risks, not guarantee)
- “Do I really need to worry about HIPAA?” (Answer should be yes with explanation)
Attorney’s answers reveal healthcare law depth. Vague responses indicate limited healthcare experience. Detailed regulatory discussions with specific statutory and regulatory references indicate genuine expertise.
Ask about recent healthcare matters (without violating confidentiality): Practice formations handled? Transactions closed? Enforcement matters defended? Types of healthcare clients?
Experienced healthcare attorney discusses matters specifically, references regulatory guidance (OIG advisory opinions, CMS interpretive guidance, Stark commentary), explains enforcement landscape, demonstrates current knowledge.
Attorney claiming healthcare expertise but unable to discuss Stark exceptions, AKS safe harbors, or HIPAA business associate requirements probably lacks healthcare law experience.
Pick Healthcare Attorney When
You’re forming medical practice or healthcare business requiring corporate structure, entering compensation arrangement with financial relationship between physicians and entities providing designated health services, considering hospital employment or recruitment arrangement as physician, purchasing or selling medical practice or healthcare business, facing Office of Inspector General investigation or Medicare audit, responding to medical board complaint or licensure investigation, implementing HIPAA compliance program or responding to breach, credentialing with Medicare or commercial payors, structuring telemedicine practice operating across state lines, or entering management services organization or private equity transaction.
Pick general business attorney when you need commercial real estate lease unrelated to healthcare operations, employment agreements for purely administrative staff without patient care duties, general corporate matters not implicating healthcare regulations, or business issues not involving patient care, medical services, protected health information, or healthcare reimbursement. For matters that do touch those areas, healthcare law requires specialized regulatory knowledge that general business attorneys don’t possess.
Frequently Asked Questions
What’s the difference between Stark Law and Anti-Kickback Statute?
Both federal fraud and abuse laws prohibiting certain financial relationships. Different requirements and penalties.
Stark Law:
- Civil statute (not criminal)
- Strict liability (no intent required)
- Applies only to physicians
- Applies only to designated health services
- Applies only when financial relationship exists
- Violations result in payment denial, refunds, civil monetary penalties, potential exclusion
Anti-Kickback Statute:
- Criminal statute (felony)
- Intent-based (“knowingly and willfully”)
- Applies to anyone (physicians, hospitals, vendors, etc.)
- Applies to any services reimbursed by federal healthcare programs
- Applies to remuneration intended to induce referrals
- Violations result in criminal penalties, civil monetary penalties, exclusion, False Claims Act liability
Key practical differences:
Stark technical compliance matters. Arrangement might be legitimate business deal with fair market value compensation, but technical Stark failure (doesn’t fit exception precisely) creates liability.
AKS focuses on intent. Legitimate business arrangements with proper intent generally don’t violate AKS even if they don’t fit a safe harbor precisely. But improper intent (paying for referrals) violates AKS even if arrangement superficially looks legitimate.
Compliance approach:
Must analyze both statutes independently. Arrangement might comply with one but not other.
Best practice: Structure arrangements to fit Stark exception AND AKS safe harbor. Provides maximum protection.
If can’t fit safe harbor but have legitimate business purpose and no improper intent, AKS risk lower. But still exists.
If can’t fit Stark exception, arrangement violates Stark regardless of intent or business justification.
Healthcare attorneys evaluate both statutes for every financial relationship in healthcare. They don’t assume compliance with one guarantees compliance with both.
Do I need HIPAA compliance if I’m small practice?
Yes. Practice size doesn’t determine HIPAA applicability.
HIPAA applies when: Practice is healthcare provider transmitting health information electronically in connection with HIPAA transactions (billing insurance electronically).
Most medical practices bill insurance electronically. Therefore covered entities subject to HIPAA.
Solo practitioner billing Medicare electronically = covered entity. Must comply with HIPAA Privacy and Security Rules.
Large hospital system billing Medicare electronically = covered entity. Must comply with HIPAA.
Same requirements apply regardless of size. Privacy Rule, Security Rule, Breach Notification Rule all apply.
Small practice compliance:
HIPAA regulations don’t provide exemption for small practices. But practical compliance may differ.
Small practice typically has:
- Simpler IT systems (less complex security measures needed)
- Fewer workforce members (less extensive training)
- Fewer business associates (fewer BAAs needed)
- Less complex operations (simpler policies)
But must still:
- Conduct risk assessment
- Implement administrative, physical, technical safeguards
- Train workforce
- Obtain business associate agreements
- Have breach response plan
- Provide patients privacy notice and respect patient rights
Common small practice mistakes:
Assuming HIPAA doesn’t apply because “too small.”
Using personal email for patient communications without encryption or business associate agreement with email provider.
Not obtaining business associate agreements from IT vendors, billing companies, cloud storage providers.
No written policies or training.
No risk assessment or security measures.
Consequences same regardless of practice size. OCR investigates small practices. Civil monetary penalties apply. Breach notification obligations apply.
Healthcare attorneys help small practices implement HIPAA compliance appropriately scaled to practice size and resources. Compliance doesn’t require enterprise solutions, but does require meeting regulatory requirements.
Not optional. Not size-dependent. Every covered entity must comply.
Can I employ physicians in my state?
Depends on whether state enforces corporate practice of medicine doctrine.
States prohibiting corporate practice:
Approximately half of states prohibit or restrict non-physician ownership of medical practices.
In these states, you generally cannot:
- Own medical practice as non-physician
- Employ physicians to provide medical services
- Control physician clinical decisions
Examples: California, Texas, Illinois, New York, Ohio, Colorado.
Even within restrictive states, rules vary. Some have statutory prohibition. Others enforce through medical board regulations or court decisions.
States permitting corporate practice:
Remaining states generally permit non-physician ownership and employment of physicians.
Examples: Florida, Nevada, Arizona, Maryland, North Carolina.
Even permissive states may restrict certain specialties or practice types.
How to determine if you can employ physicians:
Consult healthcare attorney in your state. They know whether state enforces CPOM and extent of restrictions.
Even in permissive states, consider:
- State medical practice act
- Medical board regulations
- Case law
- Enforcement history
Alternative structures if CPOM prohibits employment:
If cannot employ physicians directly:
- Independent contractor arrangements (physicians as independent contractors, not employees)
- Management services organization model (physicians own practice PC, you provide management services)
- Friendly PC model (similar to MSO)
These structures allow non-physician business participation while physicians maintain ownership and clinical control.
Must be structured carefully to comply with CPOM and avoid fee-splitting prohibition.
Fraud and abuse considerations:
Even if state permits physician employment, must comply with Stark and AKS.
Employment compensation must fit Stark employment exception and AKS employment safe harbor.
Requirements include:
- Compensation fair market value
- Compensation not determined by volume or value of referrals
- Compensation commercially reasonable even without referrals
Healthcare attorney analyzes both state CPOM rules and federal fraud and abuse laws when structuring physician employment or engagement.
Don’t assume you can employ physicians like any other employees. Healthcare highly regulated. Structure must comply with applicable restrictions.
What happens if I receive Medicare audit letter?
Medicare audits come in several forms. Response depends on audit type.
Audit types:
Prepayment review: Medicare Administrative Contractor reviews claims before payment. Requests medical records supporting claims. Denies payment if documentation insufficient or services not medically necessary.
Postpayment review: MAC reviews paid claims. Requests records. If determines overpayment, demands refund.
CERT/PEPPER audit: Comprehensive Error Rate Testing and Program for Evaluating Payment Patterns Electronic Report. Statistical sampling identifying error rates and unusual billing patterns.
RAC audit: Recovery Audit Contractor conducts large-scale review of paid claims identifying overpayments.
ZPIC/UPIC investigation: Zone Program Integrity Contractor (now Unified Program Integrity Contractor) investigates suspected fraud. Most serious. Not routine audit.
Initial response:
Read notice carefully. Identify:
- Type of audit (prepayment, postpayment, RAC, UPIC)
- Claims being reviewed
- Records requested
- Deadline for response (typically 30-45 days, varies)
Don’t ignore. Deadline firm. Late response = automatic denial.
Gather records:
Collect medical records and documentation supporting claims under review.
Review records before submission. Ensure documentation supports:
- Medical necessity
- Services actually provided as billed
- Appropriate coding
- Signature and date requirements met
If documentation is insufficient, submitting it improves nothing. But a response is still required.
Consult healthcare attorney:
Routine prepayment review for small number of claims? May handle without attorney.
Large postpayment review demanding refund? Consult attorney.
RAC audit with extrapolated overpayment demand? Definitely need attorney.
UPIC investigation? Immediately retain healthcare attorney experienced in fraud defense. Do not respond without counsel.
Appeal rights:
If claims denied or overpayment determined, have appeal rights.
Five-level Medicare appeals process:
- Redetermination (MAC reconsiders)
- Reconsideration (Qualified Independent Contractor)
- Administrative Law Judge hearing
- Medicare Appeals Council review
- Federal district court
Deadlines: 120 days to file appeal at each level after receiving decision from prior level.
Don’t miss deadlines. Failing to file on time waives appeal rights.
Extrapolation:
RAC and other audits may use extrapolation. Audit statistically valid sample of claims. Apply error rate to universe of similar claims. Demand repayment based on extrapolated overpayment.
Can result in huge overpayment demands from small sample.
Example: RAC audits 30 claims. Finds 40% error rate. Extrapolates to 1,000 similar claims over review period. Demands repayment on 400 claims even though only audited 30.
Extrapolation methodology can be challenged. Complex statistical and legal arguments. Requires healthcare attorney experienced in RAC appeals.
Criminal investigation risk:
Most audits are civil (seeking overpayment recovery). But fraud indicators can lead to criminal investigation.
UPIC investigation may indicate criminal investigation already underway or contemplated.
If audit involves fraud allegations, immediately consult healthcare attorney with fraud defense experience. May need criminal defense counsel as well.
Don’t make statements without counsel. Don’t provide information beyond what legally required.
Healthcare attorneys experienced in Medicare audits help with gathering and reviewing documentation, preparing audit response submissions, evaluating whether overpayment determination correct, filing and prosecuting appeals through administrative process, negotiating repayment plans or settlements, and challenging extrapolation methodology.
They understand Medicare coverage rules, coding requirements, documentation standards. They know what auditors look for.
Without healthcare counsel, providers often:
- Miss appeal deadlines
- Submit inadequate documentation
- Fail to challenge incorrect denials
- Accept overpayment demands without evaluating validity
- Make damaging statements to investigators
Medicare audit can result in significant financial exposure. Take seriously. Respond appropriately with healthcare legal guidance.
How do I know if my compensation arrangement complies with Stark and Anti-Kickback?
Complex analysis requiring healthcare attorney review. But general framework:
Step 1: Identify financial relationship.
Does arrangement involve payment or transfer of value between physician and entity providing designated health services?
If yes, financial relationship exists. Stark potentially applies if physician refers for DHS.
Step 2: Determine if Stark applies.
Does physician refer patients for designated health services to entity with financial relationship?
Stark only applies if:
- Physician makes referrals
- For designated health services (11 categories)
- To entity with financial relationship
If all three elements present, must fit Stark exception or prohibited.
Step 3: Evaluate Stark exceptions.
Analyze whether arrangement fits Stark exception. Common exceptions:
- Employment (physician employee, employment terms commercially reasonable, compensation FMV and not considering referrals)
- Personal services (written agreement, one year term, compensation set in advance and FMV, services commercially reasonable, etc.)
- Fair market value (payment for items/services at FMV not considering referrals)
Each exception has specific elements. Must satisfy all precisely.
Step 4: Evaluate AKS.
Does arrangement involve remuneration that could be intended to induce referrals?
If yes, analyze whether fits AKS safe harbor. Common safe harbors:
- Employment (bona fide employment, compensation not considering referrals)
- Personal services (written agreement, one year term, commercially reasonable services, compensation set in advance and FMV, not considering referrals)
Safe harbor requirements similar but not identical to Stark exceptions. Analyze independently.
Step 5: Document compliance.
If arrangement fits exception and safe harbor, document compliance contemporaneously:
- Written agreements meeting all requirements
- Fair market value analysis (often third-party valuation)
- Documentation showing compensation set in advance
- Evidence services commercially reasonable
- Regular monitoring ensuring ongoing compliance
Red flags indicating non-compliance:
- Compensation varies based on referrals or collections
- Compensation above fair market value for actual services
- Services not actually performed or not commercially reasonable
- Agreement not in writing or doesn’t cover all required elements
- Compensation formula considering volume or value of referrals
- Part-time arrangement with compensation disproportionate to time
- “Consulting” arrangements where consultant provides little value
Fair market value:
Critical component. Compensation must be fair market value for actual services provided, without considering referrals.
What is FMV? Amount arms-length parties would pay for services in competitive market, without considering referrals or business generated.
Determining FMV often requires compensation survey data or third-party valuation. Particularly for physician compensation, medical directorships, call coverage arrangements.
Commercial reasonableness:
Compensation arrangement must be commercially reasonable even without referrals.
If only reason for arrangement is generating referrals, not commercially reasonable regardless of FMV.
Example: Hospital pays physician excessive medical director fees for minimal work. Compensation might be technically FMV for hours stated, but arrangement not commercially reasonable if services provide little value.
Ongoing compliance:
Compliance not one-time analysis. Arrangements change over time.
Must monitor:
- Whether services actually performed as contracted
- Whether compensation remains FMV as services change
- Whether referral patterns changed affecting analysis
- Whether agreement terms followed precisely
Healthcare attorneys analyzing compensation arrangements review agreement terms against Stark and AKS requirements, conduct or obtain fair market value analysis, identify compliance gaps and risks, recommend restructuring if needed, document compliance analysis, and implement monitoring for ongoing compliance.
They don’t just say “looks fine” without analysis. They systematically evaluate every element of applicable exception and safe harbor. They identify where arrangement fails to comply and how to fix it.
General business attorneys see reasonable compensation for actual services, assume compliant. Miss technical Stark or AKS failures creating liability exposure.
Legal Disclaimer
IMPORTANT NOTICE: This content is provided for general educational and informational purposes only and does not constitute legal advice.
This guide is designed to help readers understand general concepts related to selecting a healthcare attorney and navigating healthcare regulatory requirements. However, it should not be relied upon as legal advice or as a substitute for consultation with qualified legal counsel.
Key Points:
Not Legal Advice: The information contained in this guide does not create an attorney-client relationship between the reader and any law firm, attorney, or legal professional. No attorney-client relationship exists unless expressly established through a written engagement agreement.
Jurisdiction-Specific Laws: Healthcare laws and regulations vary significantly by jurisdiction and change frequently. Federal regulations (Stark Law, Anti-Kickback Statute, HIPAA, Medicare Conditions of Participation) and state laws (medical practice acts, corporate practice of medicine, scope of practice, licensing requirements) differ and evolve through rulemaking, guidance, and court decisions. This guide provides general information that may not apply to your particular situation or jurisdiction.
Not Comprehensive: This guide does not cover all aspects of healthcare law, regulatory compliance, or attorney selection. It is intentionally simplified for educational purposes and omits numerous technical details, exceptions, and nuances that may be critical to your specific matter.
Consult Qualified Counsel: Before making any decisions regarding practice formation, compensation arrangements, regulatory compliance, healthcare transactions, or any healthcare-related legal matters, you should consult with a qualified healthcare attorney licensed in your jurisdiction who can provide advice tailored to your specific facts and circumstances.
Time-Sensitive Information: Healthcare regulations change constantly through new statutes, regulations, sub-regulatory guidance, and enforcement actions. While this guide reflects regulations and practices current as of its publication date, requirements may have changed since then. Stark Law, Anti-Kickback Statute, HIPAA, Medicare regulations, and state laws all evolve continuously. Always verify current requirements with qualified healthcare legal counsel.
Regulatory Complexity: Healthcare regulatory compliance involves numerous federal and state requirements that interact in complex ways. Compliance with one regulation does not guarantee compliance with others. Arrangements must satisfy Stark Law, Anti-Kickback Statute, HIPAA, state fraud and abuse laws, corporate practice of medicine restrictions, and other applicable requirements simultaneously.
No Guarantees: Following the guidance in this article does not guarantee regulatory compliance or protection from enforcement actions, audits, or investigations. Each healthcare matter involves unique facts requiring individualized legal and regulatory analysis.
Enforcement Risk: Healthcare enforcement actions carry serious consequences including payment denials, refund obligations, civil monetary penalties, exclusion from federal healthcare programs, professional discipline, and potential criminal prosecution. Regulatory compliance requires careful legal analysis before implementing arrangements or practices.
Liability Limitation: Neither the author nor any affiliated parties accept liability for any actions taken or not taken based on information in this guide. Readers assume all risks associated with using this information.
Third-Party Information: Any references to specific regulations, statutes, enforcement actions, or compliance requirements are provided for illustrative purposes only and may be incomplete or simplified. Penalty amounts are adjusted annually for inflation. Readers should independently verify all regulatory information with qualified healthcare counsel and appropriate government sources.
When to Seek Legal Help: You should consult a qualified healthcare attorney before structuring financial relationships with physicians or healthcare entities, forming a healthcare practice or business, entering healthcare transactions, responding to government audits or investigations, implementing compliance programs, or making any decisions with healthcare regulatory implications.
Finding Qualified Counsel: Contact state bar associations or the American Health Law Association, or search attorney directories for healthcare attorneys with relevant regulatory experience in your specific sector. Verify credentials, bar standing, healthcare law specialization, and regulatory compliance experience before engaging any attorney.
By reading this guide, you acknowledge that you understand it is for educational purposes only and that you will seek appropriate legal counsel for any specific healthcare law questions or regulatory compliance matters.