Healthcare Compliance

What is Healthcare Compliance?

Healthcare compliance refers to the proactive steps a healthcare organization takes to prevent fraud, waste, and abuse. Under this definition, a compliance program is a long-term, active method of ensuring that legal and ethical standards are met and communicated throughout the organization. Integral to a compliance culture is an organized plan with defined steps, also known as compliance elements. Documents that discuss compliance almost always refer to ethics, culture, and a code of conduct as well.

Law of Compliance

Healthcare compliance is an essential part of every medical practice. Within a practice's administration there are usually several individuals whose sole responsibility is to ensure that the practice meets all applicable regulations, safeguards patient and worker information, and adheres to standard practices for sharing medical data. A central part of healthcare compliance is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose Privacy and Security Rules are issued and enforced by the U.S. Department of Health & Human Services (HHS).

The purpose of healthcare compliance is to help prevent the submission of erroneous or fraudulent claims to healthcare insurance carriers (federal, state, and commercial). Below is a quick summary of a few (but certainly not all) of the acts and statutes related to healthcare compliance.

  • False Claims Act (FCA): Those who knowingly submit, or cause to be submitted, false or fraudulent claims to the federal government are subject to civil liability under the FCA. "Knowing" and "knowingly" mean that a person has actual knowledge of the information, or acts in deliberate ignorance or reckless disregard of its truth or falsity. The FCA can be violated even without a specific intent to defraud.

Example: A physician knowingly bills for services to a patient the physician never saw.

  • Anti-Kickback Statute (AKS): It is illegal to knowingly and willfully pay, offer, solicit, or receive any remuneration, directly or indirectly, to reward or induce referrals of patients for items or services covered by government health insurance programs. The AKS and its safe harbors are updated periodically, and healthcare organizations should keep current with those changes.

Example: To reward patients who refer other patients to the practice, the medical office hands out gift certificates to a popular coffee shop.

  • Physician Self-Referral Law (Stark Law): Often called the Stark Law, the Physician Self-Referral Law governs physician self-referrals. A physician may not refer patients for "designated health services" covered by Medicare or Medicaid to an entity with which the physician, or a member of the physician's immediate family, has a financial relationship, unless an exception applies.

Example: A physician owns a pharmacy and writes prescriptions for Medicare patients that can only be filled at that pharmacy.

  • HIPAA (Privacy and Security): The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required regulations protecting the privacy and security of certain health information. To meet this requirement, HHS published the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for protecting certain health information. The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes national standards for protecting health information that is held or transmitted electronically.

Example: Employees access patient data they are not authorized to use.


Why is Compliance Important?

An effective compliance program can protect providers from state and federal penalties, whether administrative, civil, or criminal. Although implementing a compliance program is voluntary, the Office of Inspector General (OIG), the U.S. Department of Justice, state attorneys general, and state and federal courts all consider whether a provider has an effective compliance program when imposing penalties for administrative, civil, or criminal violations.

Providers suspected of gross negligence or criminal misconduct may be investigated and prosecuted by the OIG and other government agencies. The OIG can impose administrative sanctions (exclusion from federal health care programs), civil sanctions (restitution, fines, and exclusion), and criminal sanctions. Both the OIG and the courts judge whether a compliance program is effective against the same seven elements, taking into account the organization's size, resources, and structure. The main difference between them is the legal stage at which the program is examined. For federal district judges, the Federal Sentencing Guidelines ("FSG") are the rules that govern the sentencing of individuals and organizations that commit crimes. In deciding a criminal sentence, the court examines the organization's compliance program and its commitment to complying with the law, weighing applicable industry practice, the size of the organization, and any history of similar misconduct. This gives federal judges a tool for a detailed analysis of the steps an organization took to comply with the law.


If an organization is found guilty of criminal misconduct, the court must examine whether it had a compliance program and, if so, whether that program was effective at preventing the illegal conduct. Finally, a compliance program must do more than shield a practice from future government penalties; it must also hold the practice to a higher standard than before. Doing so boosts morale while keeping the practice's culture compliant and ethical.

Organizations should structure and implement their compliance program around the seven core elements outlined below, which establish an ethical culture through education, communication, and proactive measures.

1. Written policies, procedures, and standards of conduct that describe the organization's commitment to complying with all applicable federal and state requirements.

Example: Your compliance plan can itself be a written policy. By describing procedures and standards in the plan, you lay the groundwork for the program. One such standard might be to conduct coding reviews on a set number of healthcare providers every three years.

2. A compliance officer and a compliance committee responsible for overseeing the compliance program.

Example: Will your organization hire a designated compliance officer? In a small healthcare office, will the office manager serve as the point of contact for compliance matters?

3. Effective training and education for the compliance officer and the organization's employees.

Example: When does your compliance plan require employees to be trained? Will employees take a test to confirm they understand the plan? Are you offering a variety of educational formats, such as videos or slide presentations, as part of compliance training?

4. Effective lines of communication between the compliance officer, the organization's employees, and its contractors (including Medicare Advantage-related contractors), so that employees and contractors can ask questions, seek clarification, and report potential or actual noncompliance without fear of retaliation.

Example: Will a hotline be implemented? Does the hotline connect directly to the compliance contact? Can a message be left for compliance? What measures will you take to protect the reporter's identity and prevent retaliation? Which senior staff will be made aware of the report or the resulting investigation?

5. Well-publicized disciplinary guidelines for enforcing standards.

Example: When you implement a compliance plan or program, how will you inform all employees about it? What compliance guidelines will you post? Will all stakeholders, including the President/CEO and members of the board, be held accountable? What would the compliance point of contact do if the President/CEO acted contrary to the compliance program?

6. Internal monitoring and auditing, including risk assessments.

Example: Internal monitoring includes coding and billing spot checks. How often will compliance perform them? What will compliance do when coding and billing errors are detected? Audits are more formal and sometimes involve an outside consultant. How often will you audit to confirm that the monitoring itself is effective?

7. Prompt response to detected violations and development of corrective actions.

Example: Describe in your compliance plan the steps you will take if someone violates it. Will a warning be issued, or will the person be terminated? If a compliance breach occurs at a high level, such as the President/CEO or the board of directors, what will the compliance contact do? Every compliance plan should designate a group of members to decide such actions.


Healthcare organizations must comply with medical regulations to ensure that federal, state, and commercial insurance dollars are not misappropriated. Compliance plans and programs also benefit the organization directly: an effective program lets it detect issues early, such as problems with medical coding and billing, so they can be fixed. Compliance programs also set a positive tone for the organization, demonstrating that its leadership and employees care about doing things right.

The Office of Inspector General has observed many types of healthcare organizations over the years and has identified some that are more prone to compliance problems. Always maintain a culture of compliance to ensure that your organization acts legally and ethically.

It is important to remember that the size of the organization matters when it comes to healthcare compliance. A small healthcare organization may not need a compliance committee or a dedicated compliance officer to run its compliance program; smaller practices often have the office manager serve as the compliance officer. Conversely, the larger the healthcare organization, the greater the compliance risk, and the more checks and balances it needs to operate effectively. To decide which risk areas to focus on when drafting a compliance program, organizations generally rely on the OIG's compliance program guidance, along with its special fraud alerts, work plans, and published fraud settlements. Provider associations, peer groups, clients, and employees also provide input on potential risk areas. The emphasis on federal health care programs should not overshadow the importance of scrutinizing claims to private payers on the same issues.


An organization that does not actively implement its compliance program cannot reap its benefits. A "paper" compliance program, one that exists for display and was never intended to operate as written, is a particular problem. In a healthcare compliance investigation, if the issues found are ones the organization's own compliance plan addresses, the investigator will ask why the organization understood the core elements of compliance when it designed the plan but then ignored them.

For that reason, when sentencing an organization, federal district judges weigh the effectiveness of its compliance program against applicable industry practice, the size of the organization, and any history of similar misconduct. A program that existed only on paper will not fare well under that analysis.

An effective healthcare compliance program can benefit a number of healthcare entities. These include but are not limited to:

  • Hospitals
  • Nursing facilities
  • Physicians and physician groups
  • Durable medical equipment (DME) suppliers
  • Laboratories
  • Home health providers
  • Hospice providers
  • Third-party billing companies
  • Ambulance suppliers
  • Pharmaceutical manufacturers 


Finally, for a compliance program to be considered effective, it must not only prevent and detect criminal conduct, but also create a culture within the organization that promotes ethical conduct and compliance with health care laws, rules, and regulations.

Our Services

Our healthcare experts provide the following services:

Healthcare Practice Audits.

Healthcare Billing Audits.

Controlled Substance Audits.

Healthcare Sampling and Extrapolation.

Practice Information

Healthcare Practice Startup and Formation.

Staff and Provider Training.

Policies and Procedures.

Chief Compliance Officer Functions.

Compliance Plans.

Medical Expert Services.

Healthcare Fraud Litigation Support.

False Claims Act Litigation Support.

Get In Touch

Let's discuss your needs and how we can assist you.

Sarasota Office

Phone: (800) 653-2106

6841 Energy Ct, Sarasota, FL 34240

Miami Office

Phone: (800) 653-2106

701 Waterford Way Suite 340, Miami, FL 33126

Michigan Office

Phone: (800) 653-2106

Fax: (248) 644-6324

1441 W Long Lake Rd Suite 310, Troy, MI 48098