Medical regulatory compliance


Staying in compliance with rules and regulations is an important part of the duty of a family physician.

These federal statutes are designed to prevent fraud, abuse and privacy violations, and ultimately lead to more compassionate and equitable health care for your patients. Whether you’re running your own private practice or employed in a health care system setting, adhering to medical regulatory requirements is vital.

Consequences for compliance violations can be severe, and we recommend working with legal counsel for a deeper explanation or consultation about medical compliance issues.

Improper referrals

In order to encourage medical practitioners to keep a patient’s best interest in mind and to prevent fraud, the federal government has multiple regulations to curb improper referrals. Two of these rules are the Anti-Kickback Statute (AKS) and Stark Law.

Anti-Kickback Statute (AKS)

The Anti-Kickback Statute is a criminal statute that prohibits health care providers from receiving or providing bribes for referrals that generate Medicare or Medicaid program business. The statute calls these bribes remuneration, and remuneration can include both monetary and non-monetary valuables.

The statute carves out exceptions for certain arrangements. These exceptions are called safe harbors. Selected examples of Anti-Kickback Statute safe harbors include:

  • Investment interests

  • Sale of practice

  • Discounts

  • Warranties

  • Local transportation

Each safe harbor has requirements that must be met to qualify. For a full list of AKS safe harbors, see the exceptions listed in the Code of Federal Regulations at 42 CFR 1001.952.

Stark law

Also known as the Physician Self-Referral Law, Stark law is a civil statute that prohibits physician self-referrals. A self-referral is a referral to an entity in which the referring physician has a financial interest. Like the Anti-Kickback Statute, Stark applies to physicians or health care providers who provide care to Medicare, Medicaid or other federal health program recipients.

Stark carves out exceptions for referrals. Some Stark law exceptions include:

  • Office space rental

  • Equipment rental

  • Physician recruitment

  • Isolated transactions

  • Bona fide charitable donations by a physician

See the exceptions listed at 42 CFR 411.357 for additional information about exceptions and their qualifying requirements.

Privacy and security

Health details are personal and confidential, and family physicians need to make sure their practice protects the privacy and security of patient data.

HIPAA

The Health Insurance Portability and Accountability Act — often referred to as HIPAA — is a law that establishes standards around the use and disclosure of protected health information (PHI). Health care providers, health plans and business associates using PHI are bound to HIPAA’s rules.

HIPAA requires that electronic transactions be transmitted using standard formats. Key takeaways include:

  • Breach notification requirements

    A breach of PHI is presumed reportable unless a four-factor risk assessment demonstrates that there is a low probability the PHI was compromised. Breaches must be reported within the required timeframes.

  • Notice of Privacy Practices (NPPs)

    NPPs should be posted in office, distributed to new patients and made available upon request. They should also be on your practice’s website.

  • Business associate agreements

    HIPAA also applies to a wide range of business associates, including patient safety organizations, health information exchanges and more.

  • Transaction standards

    All entities transmitting and receiving electronic care transactions must use version 5010.

Adhering to HIPAA standards is crucial to protecting patient information.

Information blocking rule

One provision of the 21st Century Cures Act goes beyond the parameters of HIPAA to make blocking health information illegal.

Under HIPAA, covered entities such as physicians and other health care providers may share protected health information (PHI) that pertains to treatment, payment or operations but are not required to do so. In contrast, under the Information Blocking Rule that CMS and the former Office of the National Coordinator for Health IT (ONC) (now known as Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT, or ASTP/ONC) published to implement that provision of the Cures Act, health care providers must share electronic health information (EHI) with other authorized entities, including patients, unless a specific exception applies.

The rule applies to the full scope of EHI as defined in 45 CFR §171.102, which includes all electronic protected health information (ePHI) in a patient’s designated record set. This replaces the earlier limited scope that applied only to a core set of data elements, defined as the United States Core Data for Interoperability (USCDI). For reference, the current USCDI data elements are available from ASTP.

The rule outlines categories of allowable exceptions, including preventing harm and protecting patient privacy and security. Details about these exceptions are available in ASTP/ONC’s official guidance.

The Information Blocking Rule is now actively enforced. As of July 31, 2024, CMS began applying financial disincentives to health care providers found to have committed information blocking, including reductions in Medicare payments and exclusion from federal programs such as the Merit-based Incentive Payment System (MIPS) and the Medicare Shared Savings Program (MSSP). Additional information can be found on the ASTP/ONC FAQ page dedicated to information blocking disincentives.

Physicians and practices should ensure they are in full compliance with the rule and maintain documentation when invoking any exceptions.

How to report suspected information blocking

If you suspect a health care provider, EHR vendor or other organization is information blocking, the preferred reporting method is through ASTP/ONC’s Information Blocking Portal. Reports may also be submitted online through the OIG Hotline or by calling 1-800-HHS-TIPS (1-800-447-8477).


Good-faith estimate and the No Surprises Act

The No Surprises Act was enacted as part of the Consolidated Appropriations Act of 2021. It established protections against out-of-network balance billing and established an independent dispute resolution (IDR) process.

The good-faith estimate (GFE) is a notification that outlines an uninsured or self-pay individual’s expected charges for a scheduled or requested item or service.

What does this mean for family physicians?

Family physicians must provide a good-faith estimate if one is requested. Though not a bill, a GFE shows a list of expected, itemized charges for a health care service or product. CMS has provided a model notice for this purpose and a sample good-faith estimate for use.

Patients can dispute the bill if the billed amount is more than $400 over the GFE. A dispute then goes through the IDR process.

The GFE must be provided within the following regulatory timeframes:

  • If the item or service is scheduled at least three days in advance, the GFE must be provided no later than one business day after the item or service was scheduled.

  • If the item or service is scheduled at least 10 business days in advance, the GFE must be provided no later than three business days after the item or service was scheduled.

  • If a patient requests a GFE or asks to discuss the cost of an item or service, the GFE must be provided within three business days of the request.

  • A GFE is not required if the item or service is scheduled within three business days or not scheduled in advance (e.g., walk-in urgent care, emergency services, etc.).

GFE workflow

  1. Identify no-insurance or self-pay patients.

  2. Provide required notice. A physician or provider is responsible for informing all self-pay patients of their right to a GFE of expected charges when scheduling occurs or when questions about the costs arise.

  3. Determine the timing of the GFE. The timing of the physician or provider’s delivery of the GFE depends on whether and how far out the date of service is scheduled.

  4. Provide a GFE. The convening physician or provider must submit the GFE to the patient in written form, either on paper or electronically, based on the patient’s preference. The convening provider is the physician or provider who receives the initial request for a GFE from an uninsured or self-pay patient and who is responsible for scheduling the primary service.
