• Compliance for Your Practice

    Anti-kickback, Stark, HIPAA, and Information Blocking Rule

    Whether you work at a hospital or own your own practice, it is vital that you establish a compliance program designed to help you avoid fraud, abuse, and privacy violations. Federal regulations around these activities include the

       

    Anti-kickback & Stark: Improper Referrals

    What is the anti-kickback rule?

    The anti-kickback statute makes it illegal for providers (including physicians) to knowingly and willfully accept bribes or other forms of remuneration in return for generating Medicare, Medicaid or other federal health care program business.

    A physician cannot offer anything of value to induce federal health care program business. The anti-kickback statute has been revised to allow exceptions or safe harbors.

    Anti-kickback Safe Harbors

    • Investments in large publicly-held health care companies
    • Investments in small health care joint ventures
    • Space rental
    • Equipment rental
    • Personal services and management contracts
    • Sales of retiring physicians' practices to other physicians
    • Referral services
    • Warranties
    • Discounts
    • Employee compensation
    • Group purchasing organizations
    • Waivers of Medicare Part A inpatient cost-sharing amount
    • Increased coverage
    • Reduced cost-sharing amounts or reduced premium amounts offered by health plans to beneficiaries
    • Price reductions offered to health plans by providers
    • Investments in ambulatory surgical centers (ASCs)
    • Joint ventures in underserved areas
    • Practitioner recruitment in underserved areas
    • Sales of physician practices to hospitals in underserved areas
    • Subsidies for obstetrical malpractice insurance in underserved areas
    • Investments in group practices
    • Specialty referral arrangements between providers
    • Cooperative hospital services organizations

    What is Stark II?

    Stark II is Phase II of the law that prohibits physician self-referrals.

    The law applies to any physician who provides care to Medicare, Medicaid or other federal health program recipients and says that the physician cannot refer the patient for certain designated health services to any entity with which the physician has a financial interest, unless one of Stark's exceptions applies.

    What is Stark III?

    Stark III is short for Stark II, Phase III of the physician self-referral prohibition. Stark III provides further clarifications and modifications to Stark II, Phase II, especially regarding physicians in group practice and the relationships between physicians and hospitals.

    Notable Changes in Stark II, Phase III

    • Eliminates the safe harbor proposed in Phase II within the fair market value definition for physician compensation;
    • Considers a physician to "stand in the shoes" of a physician organization of which he or she is a member;
    • Clarifies that an independent contractor physician is a "physician in a group practice" when under a contractual arrangement directly with the group practice and is performing services in the group practice's facilities;
    • Permits group practices to impose certain practice restrictions on recruited physicians;
    • Clarifies that group practices can determine productivity bonuses by directly taking into account the volume and value of items and services that are provided "incident to" the physicians' professional services, in certain circumstances;
    • Adds a 45-minute transportation time test as an alternative to the 25-mile rule to the intra-family rural referrals exception;
    • Adds a holdover provision in the exception for personal service arrangements;
    • Clarifies that a "rural area," a location not included in the Metropolitan Statistical Areas (MSA), may be a micropolitan area. (See the MSA listing at the Office of Management and Budget (www.whitehouse.gov) to determine MSA status.)
    • Expands the geographic area into which a rural hospital may recruit a physician;
    • Permits a more generous income guarantee under certain circumstances in the case of a physician who is recruited to replace a deceased, retiring or relocating physician;
    • Revises the nonmonetary compensation exception to allow physicians to repay certain excess nonmonetary compensation within the same calendar year to preserve compliance;
    • Allows an entity with a formal medical staff to provide one local medical staff appreciation event per year;
    • Clarifies that a hospital may list a physician's name on its web site or in advertisements as a medical staff incidental benefit, but physician payments for referral services must be within both an exception and an anti-kickback safe harbor;
    • Adds a written certification option as an alternative to the requirement for a bona fide written offer under the exception for retention payments in underserved areas;
    • Expands the exception for retention payments in underserved areas to permit retention payments to be made in the case of a physician who certifies that he or she has a bona fide opportunity for future employment and the arrangement satisfies all other conditions of the exception.

    HIPAA: Privacy and Security

    The Health Insurance Portability and Accountability Act (HIPAA) requires electronic transactions be transmitted using standard formats.

    Breach Notification Requirements

    Obligations to notify patients of a breach of their protected health information (PHI) have been expanded and clarified under the new rule. Under the previous rule, a breach was not presumed reportable and was determined by whether or not there was a likelihood of “harm to the individual.”

    Under the new rule, a breach is presumed reportable unless a covered entity can demonstrate low probability that the patient’s privacy or security of PHI was compromised based on a four-factor risk analysis. The new rule does not change the actual reporting and timeframe requirements.

    Notice of Privacy Practices (NPPs)

    Practices must amend their NPPs to reflect the changes to privacy and security rules, including those related to breach notification, disclosures to health plans, and marketing and sale of PHI. In addition, if a practice participates in fundraising, an amendment will also need to be made to the NPP to inform patients of their right to opt out of those communications.

    The new rules eliminate the requirements to include communications concerning appointment reminders, treatment alternatives, or health-related benefits or services in NPPs. However, the rules do not require this information be removed either.

    Amended NPPs will need to be posted in the office. Copies should be provided to all new patients and do not need to be redistributed to existing patients. Copies should be made available to anyone by request.  Practices that maintain a website should post the updated NPP on their website, which is a requirement of the existing HIPAA Privacy Rule.  

    Business Associate Agreements

    The new rules expand the list of individuals and companies who are considered business associates to include:

    • Patient Safety Organizations and others involved in patient safety activities
    • Health information organizations, including health information exchanges and e-prescribing gateways, personal health record vendors, and any other individual or company involved in the transmittal and maintenance of PHI

    Transaction Standards

    All entities transmitting and receiving electronic health care transactions must use the 5010 version of the standards, which requires upgrading or replacing software used to conduct electronic transactions, such as claims submissions, eligibility inquiries, and receipt of electronic claims acknowledgments and reports.

    Some standards that physician practices should take note of are:

    • You may continue to use a P.O. Box address in the "pay to" information on your claims but a physical address is required in the billing provider information (the 2010AA loop).
    • You must include 9-digit zip codes with billing and service facility locations.
    • Version 5010 includes a pay to plan loop (2010AC) that allows addition of information about a payer that has paid a claim under subrogation rules.
    • Up to 12 diagnosis codes may be submitted on a claim.
    • A paperwork section of the claim notifies Medicare that you are sending additional documentation to support a claim and carries an ID number of your choosing that will connect the claim and the documentation. Your Medicare Administrative Contractor (MAC) provides a cover sheet for faxing or mailing the documentation. The ID number you assigned in your claim should be included on the cover sheet so that the documentation can be added to the claim.

    Information Blocking Rule

    One provision of the 21st Century Cures Act goes beyond the parameters of HIPAA to make blocking health information illegal.

    Under HIPAA, covered entities such as physicians and other health care providers may share protected health information (PHI) that pertains to treatment, payment, or operations but are not required to do so. In contrast, under the Information Blocking Rule that CMS and the former Office of the National Coordinator for Health IT (ONC) (now known as Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT, or ASTP/ONC) published to implement that provision of the Cures Act, health care providers must share electronic health information (EHI) with other authorized entities, including patients, unless a specific exception applies.

    The rule applies to the full scope of EHI as defined in 45 CFR §171.102, which includes all electronic protected health information (ePHI) in a patient’s designated record set. This replaces the earlier limited scope that applied only to a core set of data elements, defined as the United States Core Data for Interoperability (USCDI). For reference, the current USCDI data elements are available here.

    The rule outlines categories of allowable exceptions, including preventing harm and protecting patient privacy and security. Details about these exceptions are available in ASTP/ONC’s official guidance.

    The Information Blocking Rule is now actively enforced. As of July 31, 2024, CMS began applying financial disincentives to health care providers found to have committed information blocking, including reductions in Medicare payments and exclusion from federal programs such as the Merit-based Incentive Payment System (MIPS) and the Medicare Shared Savings Program (MSSP). Additional information can be found on the ASTP/ONC FAQ page dedicated to information blocking disincentives.

    Physicians and practices should ensure they are in full compliance with the rule and maintain documentation when invoking any exceptions.

    How to report suspected information blocking

    If you suspect a health care provider, EHR vendor or other organization is information blocking, the preferred reporting method is through ASTP/ONC’s Information Blocking Portal. Reports may also be submitted online through the OIG Hotline or by calling 1-800-HHS-TIPS (1-800-447-8477). 

    Have additional questions? You may also consult the following resources: