Beware Laws Affecting Healthcare Transactions

By Kim C. Stanger

Attorneys risk substantial fines, malpractice claims, and even jail time for violating any of several laws implicated in even simple healthcare transactions.  Federal and state healthcare laws potentially affect any financial transaction involving healthcare providers, including employment or service contracts, group compensation structures, investment interests and joint ventures, leases for space or equipment, marketing programs, and patient billing practices.  Failure to comply may result in significant fines and penalties for clients as well as malpractice claims—or worse—against their lawyers.  This article describes several statutes and regulations that can be traps for the unwary in healthcare transactions.

Federal Anti-Kickback Statute (“AKS”)

The federal AKS prohibits anyone from knowingly and willfully soliciting, offering, receiving, or paying any form of remuneration to induce referrals for any items or services for which payment may be made by any federal healthcare program unless the transaction is structured to fit within a regulatory exception.[i]  An AKS violation is a felony punishable by up to 10 years in prison, a $100,000 criminal penalty, a $100,000+ civil penalty, treble damages, and exclusion from participating in the Medicare or Medicaid programs.[ii]  An AKS violation is also a per se violation of the federal False Claims Act,[iii] which exposes defendants to mandatory self-reports and repayments, additional civil penalties of $11,000+ to $22,000+ per claim, treble damages, private qui tam lawsuits, and costs of suit.[iv]

The AKS is very broad: it applies to any form of remuneration, including compensation, kickbacks, items or services for which fair market value is not paid, business opportunities, perks, or anything else of value offered in exchange for referrals.  Consequently, it potentially affects any transaction between healthcare providers and any other potential referral source, including but not limited to their patients, employers, partners, or other providers.  It applies to persons on both sides of the transaction:  those who offer, solicit, pay, or receive the prohibited remuneration, including healthcare providers, managers, patients, vendors, and their attorneys.[v]

Despite its breadth, the AKS does have limitations.  First, it only applies to referrals for items or services payable by government healthcare programs such as Medicare or Medicaid.  If the parties to the arrangement do not participate in government programs or are not in a position to make referrals relating to government programs, then the statute should not apply.  Second, the statute does not apply if the transaction fits within specified statutory or regulatory “safe harbors.”[vi]  For example, exceptions apply to employment or personal services contracts, space or equipment leases, investment interests, and certain other relationships so long as those transactions are structured to satisfy each of the requirements relevant to the safe harbor.[vii]

Because the AKS is an intent-based statute, a violation might not occur even if the parties do not fit within a regulatory safe harbor; however, in that case, the test becomes whether “one purpose” of the remuneration is to induce referrals—a difficult standard to defend against.[viii]  If the parties cannot fit within a regulatory safe harbor, they may obtain an advisory opinion from the Office of Inspector General (“OIG”) concerning the proposed transaction.  Past advisory opinions are published on the OIG’s website,, and may provide guidance for others seeking to structure a similar transaction.

Eliminating Kickbacks in Recovery Act (“EKRA”)

EKRA was recently passed in response to the opioid epidemic and generally prohibits soliciting, receiving paying or offering any remuneration in return for referring a patient to a laboratory, recovery home, or clinical treatment facility unless the arrangement fits within limited regulatory exceptions.[ix]  Violations are punishable by up to 10 years in prison and a $200,000 criminal fine.[x]  Unlike the AKS, EKRA applies to claims payable by private as well as government payers.

Idaho Anti-Kickback Statute

Idaho has its own anti-kickback statute which prohibits paying or receiving a payment in exchange for referrals for healthcare services, or providing services with the knowledge that the patient was referred in exchange for a payment.[xi]  Violations may result in a $5,000 civil penalty.[xii]  Significantly, the Idaho AKS is broader than the federal statute:  it extends to payments to induce referrals for any healthcare services, not just those payable by federal programs.  And unlike the federal AKS, the Idaho AKS does not come with any regulatory safe harbors.  Fortunately, however, there do not appear to be any reported cases in which the Idaho AKS has been enforced.

Idaho Fee Splitting Statutes

Idaho professional licensing acts may also prohibit fee splitting or other conduct relevant to transactions.  For example, the Idaho Medical Practices Act prohibits “[d]ividing fees or gifts or agreeing to split or divide fees or gifts received for professional services with any person, institution or corporation in exchange for referral.”[xiii]  Depending on how broadly the relevant licensing board decides to interpret the statute, it may prohibit certain remunerative relationships as well as investment interests in provider practices.  Violations may result in adverse licensure action.

Ethics in Patient Referrals Act (“Stark”)

The federal Stark[xiv] law prohibits physicians[xv] from referring patients for certain designated health services (“DHS”)[xvi] payable by Medicare to entities with which the physician (or a member of the physician’s family) has a financial relationship unless the transaction fits within a regulatory safe harbor.[xvii]  Unlike the AKS, Stark is exclusively a civil statute: violations may result in civil fines ranging up to $25,000+ per violation and up to $170,000+ per scheme in addition to self-reporting and repayment of amounts received for services rendered per improper referrals.[xviii]  Repayments can easily run into thousands or millions of dollars.  In addition, Stark law violations result in False Claims Act violations, thereby triggering the additional penalties and threat of qui tam suits discussed previously.

Unlike the AKS, Stark is a strict liability statute; it does not require intent, and there is no “good faith” compliance.  If triggered, Stark applies to any type of direct or indirect financial relationship between physicians or their family members and a potential provider of DHS, including any ownership, investment, or compensation relationship.[xix]  Thus, the statute applies to everything from ownership or investment interests to compensation among group members to contracts, leases, joint ventures, waivers, discounts, professional courtesies, medical staff benefits, or any other transaction in which anything of value is shared with referring physicians or their family members.

Like the AKS, Stark contains numerous safe harbors applicable to many common financial relationships;[xx] the parties must carefully structure their arrangements to fit within an applicable safe harbor if there are to be DHS referrals from the physician.  And like Stark, parties contemplating a suspect transaction may seek an advisory opinion from the Center for Medicare and Medicaid Services (“CMS”).  The CMS advisory opinions are published at

Idaho Stark Law?

Idaho does not have a statute similar to Stark, but Idaho Medicaid regulations allow the Department of Health and Welfare to “deny payment for any and all claims it determines are for items or services … provided as a result of a prohibited physician referral under [Stark,] 42 CFR Part 411, Subpart J.”[xxi]  The net effect is that a Stark law violation may result in penalties and repayments under Idaho regulations as well as federal law.

Civil Monetary Penalties Law (“CMPL”)

The federal CMPL is a broad statute that, among other things, prohibits certain transactions that have the effect of increasing utilization or costs to federally funded healthcare programs or improperly minimizing services to beneficiaries.[xxii]  For example, the CMPL prohibits offering or providing inducements to a Medicare or Medicaid beneficiary that are likely to influence the beneficiary to order or receive items or services payable by federal healthcare programs, including free or discounted items or services, waivers of copays or deductibles, etc.[xxiii]  This law may affect healthcare provider marketing programs as well as contracts or payment terms with Medicare or Medicaid patients.[xxiv]

The CMPL also prohibits hospitals from making payments to physicians to induce the physicians to reduce or limit medically necessary services covered by Medicare.[xxv]  Thus, the CMPL usually prohibits so-called “gainsharing” programs in which hospitals split cost-savings with physicians.[xxvi]  Finally, the CMP prohibits submitting claims for federal healthcare programs based on items or services provided by persons excluded from healthcare programs.[xxvii]  As a practical matter, the statute prohibits healthcare providers from employing or contracting with persons or entities who have been excluded from participating in federal healthcare programs.[xxviii]  Violations of the CMPL may result in administrative penalties ranging from $5,000+ to $100,000+ per violation depending on the conduct involved.[xxix]

HIPAA[xxx] Privacy and Security Rules

The HIPAA privacy rules prohibit most healthcare providers, health plans (including employee group health plans that are administered by third parties or have more than 50 participants), and their “business associates”[xxxi] from using, disclosing, or selling protected health information (“PHI”) without the patient’s authorization unless certain exceptions apply.[xxxii]  The HIPAA security rule requires covered entities and business associates (including lawyers who receive PHI from or on behalf of their healthcare client) to implement certain administrative, technical and physical safeguards to protect electronic PHI.[xxxiii]  HIPAA violations may result in fines of $119+ to $59,000+ per violation; violations involving “willful neglect” are subject to a mandatory fine of $11,000+ to $59,000+ per violation.[xxxiv]

A separate violation exists for each individual affected by the violation and/or each day that the covered entity or business associate fails to satisfy a required standard[xxxv]; accordingly, penalties can rack up very quickly.  To make matters worse, covered entities and business associates must voluntarily self-report breaches of unsecured PHI to affected individuals and the government, thereby increasing the potential for HIPAA sanctions.[xxxvi]

If you are handling a transaction involving covered entities and/or their business associates (e.g., services contracts, sales contracts, practice acquisitions, etc.), chances are you will need to consider and address HIPAA requirements in your transaction.  Among other things, covered entities must execute business associate agreements (“BAAs”) with their business associates that require the business associate to comply with HIPAA conditions; the BAAs themselves must contain required terms.[xxxvii]

Similarly, business associates must execute BAAs with their subcontractors.[xxxviii]  Accordingly, BAAs have become ubiquitous in the healthcare industry.  They even apply to lawyers who receive PHI in the course of providing services for clients.  Failure to properly structure BAAs or other PHI-related transactions exposes your clients—and you—to unanticipated HIPAA liability.

Medicare Reimbursement Rules

The Centers for Medicare & Medicaid Services (“CMS”) has promulgated volumes of rules and manuals governing reimbursement for services provided under federal healthcare programs.  The rules govern such items as when a healthcare provider may bill for services provided by another entity, supervision required for such services, and the location in which such services may be performed to be reimbursable.

In addition, the amount of government reimbursement may differ depending on how the transaction is structured, e.g., whether it is provided through an arrangement with a hospital or by a separate clinic or physician practice.  The rules concerning reimbursement and reassignment should be considered in structuring healthcare transactions if the entities intend to bill government programs for services or maximize their reimbursement under such programs.


The foregoing is only a brief summary of some of the more significant laws and regulations that may affect common healthcare transactions.  As in all cases, the devil is in the details (as well as the Code of Federal Regulations and CMS Medicare Manuals).  Attorneys who represent healthcare providers should review the relevant laws and regulations whenever structuring a healthcare transaction, especially if that transaction involves potential referral sources or implicates federal healthcare programs.

Kim C. Stanger is a partner in the Boise office of Holland & Hart, LLP, and the chair of the firm’s Health Law Group. His practice focuses exclusively on healthcare issues, including state and federal fraud and abuse laws, HIPAA, licensing, and other compliance or transactional matters.

[i] 42 U.S.C. § 1320a-7b(b).

[ii] 42 U.S.C. §§ 1320a-7 and 1320a-7b(b)(2)(B); 42 C.F.R. §§ 1003.300 and 1003.310.  The civil penalty is subject to an annual inflation-related increase.  45 C.F.R. § 102.3.

[iii] 42 U.S.C. § 1320a-7b(g); 31 U.S.C. § 3729.

[iv] 31 U.S.C. §§ 3729 and 3730; 42 U.S.C. §§ 1320a-7a and 1320a-7k(d); 28 C.F.R. §§ 85.5 and 1003.200(a) and (b)(k). The civil penalties are subject to inflation-related increases.  28 C.F.R. § 85.5.

[v] United States v. Anderson, 55 F. Supp. 2d 1163 (D. Kan. 1999).

[vi] 42 U.S.C. § 1320a-7b(3); 42 C.F.R. § 1001.952.

[vii] 42 U.S.C. § 1320a-7b(3); 42 C.F.R. § 1001.952.

[viii] United States v. Kats, 871 F.2d 105 (9th Cir. 1989); United States v. Greber, 760 F.2d 68 (3d Cir.), cert. denied, 474 U.S. 988 (1985).

[ix] 18 U.S.C. § 220(a).

[x] 18 U.S.C. § 220(a).

[xi] I.C. § 41-348.

[xii] I.C. § 41-327.

[xiii] I.C. § 54-1814(8).

[xiv] The Stark law is named for its congressional sponsor, United States Representative Fortney H. “Pete” Stark.  U.S. ex rel. Thompson v. Columbia/HCA Healthcare Corp., 125 F.3d 899, 900–901 (5th Cir. 1997).

[xv] “Physician” is defined as “a doctor of medicine or osteopathy, a doctor of dental surgery or dental medicine, a doctor of podiatric medicine, a doctor of optometry, or a chiropractor.”  42 C.F.R. § 411.351.

[xvi] “Designated health services” include clinical laboratory services; physical therapy, occupational therapy and speech-language pathology services; radiology and other imaging services; radiation therapy; durable medical equipment and supplies; prosthetics, orthotics, prosthetic devices and supplies; home health services; outpatient prescription drugs; inpatient and outpatient hospital services; and parenteral and enteral nutrients.  42 C.F.R. § 411.351.

[xvii] 42 U.S.C. § 1395nn; 42 C.F.R. § 411.353.

[xviii] 42 U.S.C. § 1395nn(g); 42 C.F.R. §§ 1003.300 and 1003.310.  The civil penalties are subject to an annual inflation adjustment.  45 C.F.R. § 102.3.

[xix] 42 C.F.R. §§ 411.351, 411.353, and 411.354.

[xx] 42 C.F.R. §§ 411.355 to 411.357.

[xxi] IDAPA

[xxii] 42 U.S.C. § 1320a-7a.

[xxiii] 42 U.S.C. § 1320a-7a(a)(5); 42 C.F.R. § 1003.100(a).

[xxiv] See OIG Special Advisory Bulletin, “Offering Gifts and Other Inducements to Beneficiaries” (August 2002); OIG Special Fraud Alert, “Routine Waiver of Part B Co-Payments/Deductibles” (May 1991).

[xxv] 42 U.S.C. § 1320a-7a(b).

[xxvi] See, e.g., OIG Special Fraud Alert, “Gainsharing Arrangements and CMPs for Hospital Payments to Physicians to Reduce or Limit Services to Beneficiaries” (July 1999).

[xxvii] 42 U.S.C. § 1320a-7a(a)(1)(C) and (2).

[xxviii] OIG Special Advisory Bulletin, “The Effect of Exclusion from Participation in Federal Healthcare Programs” (Sept. 1999).

[xxix] 42 U.S.C. § 1320a-7a; 42 C.F.R. part 1003.  Many of the civil penalties are subject to annual inflation adjustments.  45 C.F.R. § 102.3.

[xxx] Health Insurance Portability and Accountability Act of 1996.

[xxxi] “Business associates” are generally those entities who create, maintain, use, access or transmit protected health information on behalf of a covered entity.  45 C.F.R. § 160.103.

[xxxii] 45 C.F.R. § 164.500 et seq.

[xxxiii] 45 C.F.R. § 164.300 et seq.

[xxxiv] 45 C.F.R. § 160.400 et seq.

[xxxv] 45 C.F.R. § 160.406.

[xxxvi] 45 C.F.R. § 164.400 et seq.

[xxxvii] 45 C.F.R. §§ 164.502(e) and 164.504(e).

[xxxviii] Id.