Legal and Regulatory Compliance

The Stark Law is three separate provisions that sets limitation and governs physician self-referral for Medicare and Medicaid patients. The Stark law only applies to “designated health services,” which include most ancillary services, such as clinical laboratory services, outpatient prescription drug services, and physical and occupational therapy and imaging services (e.g., MRI, CT, ultrasound). Many of the Stark exceptions require that whatever financial relationship exists reflects “fair market value.”

To ensure there is no violation of Stark, practices must evaluate any economic benefits they receive from entities to which they refer Medicare and Medicaid patients. It is important to verify whether they meet any of the almost 20 detailed and complicated “exceptions” described in the statute.

View the full outline of the Stark Law Guidelines, along with the exceptions and ramifications of the rule.

The rules of HIPAA are published by the Department of Health and Human Services (HHS) and enforced by the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR). The primary focus of the law was to ensure the portability of health insurance coverage for Americans changing jobs. It was also designed to protect the privacy and security of patient records and bring uniformity to claims processing.

All healthcare organizations are affected in some way by HIPAA. The entities that are affected include all health care providers, health plans, employers, public health authorities, hospitals, life insurers, clearinghouses, billing agencies, information systems vendors, and service organizations.

The three main rules of HIPAA are:

• Privacy Rule: Organizations must identify the uses and disclosures of protected health information (PHI) and put into effect appropriate safeguards to protect against an unauthorized use or disclosure of that PHI. When material breaches or violations of privacy are identified, the organizations must take reasonable steps to solve those problems in order to limit exposure of PHI. Compliance with HIPAA’s PHI guidelines was required of all covered entities, regardless of size, by April 14, 2004. Additionally, under the final rules, patients have expanded rights to understand and control how their health information is used.
• Security Rule: Defines the administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.  Covered entities are required to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission. The final rule states that all covered entities, with the exception of small health plans, had to be compliant by April 21, 2005.
• Electronic Transactions Standards:  While software vendors do most of the work to make computer systems HIPAA compliant, medical practices must have policies and procedures in place to ensure the submission of the necessary data elements to complete each transaction. For each transaction, the standard dictates a certain set of required data elements, optional data elements, format, and content. In addition, practices will have to ensure that their software vendors build language into each contract to ensure compliance with the law. Under the HIPAA regulations, there are more than 400 different formats for transmitting to payers "standard" health care data such as benefits, eligibility, and payment information – these are under consideration to be consolidated into 20 standard "HIPAA-compliant" transaction standards.

HIPAA calls for severe civil and criminal penalties for noncompliance, including:

• fines up to $25,000 for multiple violations of the same standard in a calendar year
• fines up to $250,000 and/or imprisonment up to 10 years for known misuse of individually identifiable health information

Administrative Simplification in the Affordable Care Act
The Affordable Care Act (ACA) expanded the provisions in HIPAA to support administrative simplification. These new requirements include operating rules for the HIPAA-named standards, a standard for electronic funds transfer, and a national health plan identifier.

It is imperative for physician practices to maintain HIPAA compliance on a daily basis by conducting an organizational assessment and determining if there are any gaps that may exist. It is also important to assign a team or staff member to manage and coordinate HIPAA compliance within the practice by doing quarterly educational sessions as well as developing policies and procedures for the practice to ensure compliance.

View the complete requirements and standards of the privacy requirements of the HIPAA Regulations and Guidance >

Compliance Program

With the ongoing focus of fighting healthcare fraud and abuse the Office of the Inspector General (OIG) has worked to help physician practices develop a compliance program in their organization. The compliance guidance is geared towards promoting adherence to the statues and regulations applicable to federal health programs to prevent and reduce improper conduct.

The OIG has indicated that the approach to a compliance plan in physician practices should be incremental and flexible when developing and implementing a compliance program. Physician practices should view compliance programs as a response to working towards compliance on a continued basis to identify issues within the practice and prevent problems from occurring in the future.

A compliance program also sends an important message to practice staff that while mistakes will occur, employees have an ethical duty to report erroneous or fraudulent conduct, so that it may be corrected.

Download the ACR Office Compliance Plan to help with developing a compliance program that best fits your practice’s organizational needs.

Work Plan

The OIG Work Plan is released each year and gives a summary of the new and ongoing reviews and activities that will be pursued with respect to HHS programs and operations during the current fiscal year and beyond.