Oklahoma Bar Journal
In Health Care, What You Don’t Know May Hurt You
By Cori Loomis and Luke Moyer
The health care industry is, perhaps, the most regulated industry in the United States. Business practices that are common and acceptable in other industries may be illegal in the health care industry. Lawyers who do not routinely practice health care law and do not stay up to date on the complex web of laws and regulations applicable to health care providers need to be careful not to inadvertently provide incorrect advice in reliance on legal principles of another industry that do not translate to the health care industry. The purpose of this article is to outline examples of situations in which business practices commonly used in other industries may cause real legal issues in the health care industry. Some key health care laws are counterintuitive and esoteric, and what you don’t know may hurt you.
HEALTH CARE PROVIDERS CANNOT PAY FOR BUSINESS GENERATION
Paying for business generation is so commonplace that there are countless terms used to describe the practice: finder’s fees, referral fees, origination fees, sourcing fees, placement costs, etc. The list goes on. Some professions are sustained almost entirely on these types of fees.
But in the context of federal health care programs, the U.S. Department of Justice (DOJ) and the U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG), use a markedly different word to describe those arrangements: fraud.
The same types of arrangements that are ubiquitous in other sectors are prohibited by a federal criminal statute called the Anti-Kickback Statute (AKS),[1] which makes it a felony offense for anyone to knowingly and willfully solicit or receive any remuneration for referring an individual to a health care provider for the furnishing of a service payable under a federal health care program. The statute covers the other side of the transaction as well – anyone who knowingly and willfully offers or pays remuneration to induce a person to refer an individual to a health care provider for the furnishing of a service payable under a federal health care program is also guilty of a felony.
In plain terms, paying to receive health care referrals or being paid to make health care referrals may result in a wardrobe that is less business casual and more jail-appropriate.
Just ask Mary Smettler-Bolton, age 71, of Oakland County, Michigan. Her role in what appears to be a run-of-the-mill kickback scheme, under which the owners and operators of home health companies paid Ms. Smettler-Bolton for referrals, resulted in a federal conviction and a maximum potential penalty of 10 years in prison, according to a DOJ press release.[2]
Federal regulators take AKS violations seriously, citing the increased cost to federal health care programs caused by kickback schemes. In fact, the DOJ has an entire unit, staffed with 80 experienced white-collar prosecutors, focused exclusively on prosecuting health care fraud, including AKS violations.[3] And if the regulators don’t detect the conduct, you can bet the False Claims Act bar will; Congress explicitly provided that AKS violations may form the basis of a False Claims Act lawsuit,[4] including qui tam lawsuits brought by private plaintiffs.
HEALTH CARE PROVIDERS CANNOT POST PICTURES FROM WORK OR RESPOND TO NEGATIVE ONLINE POSTS ABOUT THEM
No one hates social media more than a hospital’s privacy officer.
Why, you ask? Consider a few common scenarios: A group of new lab techs gathers around a table for a group photo, not noticing the lab order that is plainly visible in the resulting social media post, “First Day!” A labor and delivery nurse posts a picture of a brand-new family, “Look at Mom and Dad, so proud!” A physical therapist posts a photo of a happy but exhausted patient after a successful session, “Progress!” In each of the situations, the people posting the photos are happy and clearly proud of the work they are doing. Many employers would literally pay to get that type of positive, organic social media interaction.
Enter the privacy officer, whose job it is to ruin the fun. What the privacy officer knows (and what our well-intentioned, if misguided, influencers will soon find out) is that disclosing “protected health information” (PHI) may violate the privacy rule[5] that HHS implemented in connection with the Health Insurance Portability and Accountability Act (HIPAA), as amended. PHI is defined broadly to include most types of “individually identifiable health information,”[6] almost certainly including the lab order and patients posted on social media.
The privacy rule generally requires health care providers to obtain a written “authorization” prior to disclosing PHI.[7] Verbal consent, especially in the context of social media posts, is typically not enough.[8] The privacy officer knows, from much experience, that written authorizations are usually not obtained prior to making a spontaneous social media post. So the privacy officer will likely be forced to analyze the situation as a potential PHI breach, a laborious analysis dictated by HHS regulations,[9] with the threat of HHS taking enforcement action lurking in the background. The privacy officer wonders, for perhaps the thousandth time, why they invented social media. It’s going to be a long day.
The hospital’s chief marketing officer is also having a long day. One of the system’s employed physicians emailed this morning, demanding “DECISIVE ACTION” to address “the insidious misinformation one of our patients posted online” (emphasis in original). The misinformation the physician is referencing is a Google review that accuses the physician of “malpractice that gave me a heart attack” (1 star). But, the physician points out, the patient’s heart attack “had absolutely nothing to do with [the physician’s] quality of care and everything to do with the patient’s love for fast food and cheese curds” (emphasis in original).
The physician would like the chief marketing officer to “GO ON THE OFFENSIVE” and post a detailed rebuttal explaining how the patient’s choices, and not the clinical decision-making of the physician, are to blame for the patient’s ailments. While marketing officers in other industries can and do rebut false reviews, our chief marketing officer is constrained by the same privacy rules that apply to the above social media posts. Disclosing the patient’s dietary choices and lifestyle, even to rebut a misleading public review, would likely involve a disclosure of PHI in violation of the privacy rule.
HEALTH CARE PROVIDERS CANNOT PROVIDE SERVICES AT A DISCOUNT OR FOR FREE
Helping people in need by either providing services, supplies or medications for free or at a discount sounds like a good thing, right? If a patient is having problems paying the full cost of a service or medication, providers often want to help by agreeing to waive their cost-sharing amounts under their health coverage as an accommodation to the patient. However, doing so can raise legal issues. From the payor’s perspective, there are two potential issues. First, payors typically contract with providers to pay, in part, based on the provider’s usual charges. The OIG has taken the position that routinely waiving copayments misrepresents the provider’s actual charges. Second, payors require copays and deductibles as a mechanism to curtail overutilization of services and reduce costs. Waiving cost-sharing is counterproductive to these goals.[10]
In the 1994 Special Fraud Alert: Routine Waivers of Copayments or Deductibles Under Medicare Part B,[11] the OIG warned against the following practices: 1) advertisements that state, “Medicare Accepted as Payment in Full,” “Insurance Accepted as Payment in Full” or “No Out‐of‐Pocket Expenses”; 2) advertisements that promise that “discounts” will be given to Medicare beneficiaries; 3) the routine use of “financial hardship” forms, which state that the beneficiary is unable to pay the coinsurance/deductible (i.e., there is no good faith attempt to determine the beneficiary’s actual financial condition); 4) the collection of copayments and deductibles only when the beneficiary has Medicare supplemental insurance (Medigap) coverage (i.e., the items or services are “free” to the beneficiary); 5) charges to Medicare beneficiaries that are higher than those made to other persons for similar services and items (the higher charges offset the waiver of coinsurance); and 6) the failure to collect copayments or deductibles for a specific group of Medicare patients for reasons unrelated to indigency (e.g., a supplier waives coinsurance or deductible for all patients from a particular hospital in order to get referrals).
The OIG has indicated that it will not enforce the Civil Monetary Penalties Law (CMPL) and the AKS against providers who waive copays and deductibles based on the legitimate and documented financial hardship of the patient. The CMPL specifically excludes from the definition of “remuneration” the waiver of copays and deductibles if all of the following conditions are satisfied: 1) The waiver is not offered as part of any advertisement or solicitation, 2) the person does not routinely waive coinsurance or deductible amounts and 3) the person a) waives the coinsurance and deductible amounts after determining in good faith that the individual is in financial need or b) fails to collect coinsurance or deductible amounts after making reasonable collection efforts.[12]
On July 8, 2024, the OIG updated its “General Questions on Fraud and Abuse Authorities” (FAQs)[13] related to the AKS and the CMPL with clarifications regarding waiving patients’ cost-sharing amounts pursuant to health care providers’ financial assistance policies. In the new FAQs (specifically Nos. 13-16), the OIG cites the AKS safe harbor and CMPL exception for waivers of cost-sharing amounts, which permits providers to waive patients’ cost-sharing amounts, provided that the waivers are not routine, not advertised, and made based on a good-faith, individualized assessment of financial need.
Generally, it’s recommended that providers draft and implement a financial assistance policy that is consistently followed to make sure all patients in similar situations are addressed in the same manner and that proper documentation of a patient’s need is obtained. Using the federal poverty level is a good benchmark, but providers can incorporate “presumptive” categories of people entitled to financial assistance in their financial assistance policies, such as those on Medicaid. Providers can and often do add or permit other categories, such as the high cost of care and other special circumstances.
CONCLUSION
Health care law is not for the uninitiated. Its idiosyncrasies can turn otherwise routine legal work into a minefield for the unsuspecting practitioner, and the above examples are just the tip of the iceberg. Health care providers can also face steep fines or other consequences for seemingly innocuous oversights, like:
- Forgetting to sign a contract[14]
- Forgetting to check this database,[15] or this one,[16] and (just to be safe) this one,[17] this one,[18] and this one too,[19] prior to hiring or contracting with certain individuals
- Forgetting to include the correct esoteric contract clause in the correct esoteric contract[20]
- And so many others
When dealing with any issue that might have regulatory health care implications, sometimes it’s best to phone an expert to seek guidance – because what you don’t know may hurt you.
ABOUT THE AUTHORS
Cori Loomis is a health care attorney with McAfee & Taft who draws upon her extensive experience working in both private practice and public service to represent and counsel providers on a broad range of transactional, operational, legislative, administrative and regulatory compliance matters. In addition to working in private practice for more than 20 years, she previously served as the compliance officer and HIPAA privacy official for OU and as general counsel for the Oklahoma State Medical Association.
Luke Moyer is a health care lawyer with McAfee & Taft whose practice encompasses the areas of health care transactions, day-to-day business consulting, federal and state administrative and regulatory compliance and HIPAA and health privacy matters. He is a certified information privacy professional/United States (CIPP/US), with extensive experience advising health care providers on emerging areas of privacy and security risk. He received his undergraduate degree from OSU and his J.D. from the TU College of Law.
ENDNOTES
[1] 42 U.S.C. §1320a-7b(b).
[2] Press Release, U.S. Dept. of Justice, “Michigan Woman Convicted of $1.4M Health Care Kickback Scheme,” (Nov. 22, 2024), https://bit.ly/4t5HxDN.
[3] U.S. Dep’t of Just., Criminal Div., Health Care Fraud Unit, https://bit.ly/4rfVbCI (last visited Oct. 7, 2025).
[4] 42 U.S.C. §1320a-7b(g).
[5] 45 C.F.R. Part 164, Subpart E.
[6] 45 C.F.R. §160.103.
[7] 45 C.F.R. §164.508.
[8] 45 C.F.R. §164.506(b)(2).
[9] 45 C.F.R. Part 164, Subpart D.
[10] 42 U.S.C. §1390a-7b(b). Violations may result in a five-year prison term, $25,000 criminal penalty, $50,000 administrative penalty, treble damages and exclusion from Medicare and Medicaid (Id.; 42 C.F.R. §1003.102). The Affordable Care Act also made an AKS violation an automatic violation of the False Claims Act, which may result in additional penalties of $5,500 to $11,000 per claim submitted and repayment of amounts improperly received (42 U.S.C. §1320a-7a(a)(7); 42 C.F.R. §1003.102).
[11] https://bit.ly/4t70PbX.
[12] 42 U.S.C. §1320a-7a(i). The AKS also contains an exception for cost-sharing waivers for inpatient hospital services if certain conditions are satisfied (see 42 U.S.C. §1001.925(k)).
[13] https://bit.ly/4rfVtJO.
[14] See, e.g., 42 C.F.R. §411.357 (listing exceptions to the so-called Stark Law, many of which require contracts to be “signed by the parties”).
[15] U.S. Dep’t of Health & Human Servs., Office of Inspector Gen., Exclusions Database, https://exclusions.oig.hhs.gov (last visited Oct. 10, 2025).
[16] U.S. Gen. Servs. Admin., System for Award Management (SAM), Exclusions Search, https://sam.gov/search/?index=ex (last visited Oct. 10, 2025).
[17] U.S. Dep’t of Health & Human Servs., Health Res. & Servs. Admin., Nat’l Practitioner Data Bank, Continuous Query, www.npdb.hrsa.gov/hcorg/pds.jsp (last visited Oct. 10, 2025).
[18] Okla. State Bd. of Med. Licensure & Supervision, Licensee Search, www.okmedicalboard.org/search (last visited Oct. 10, 2025).
[19] Ctrs. for Medicare & Medicaid Servs., Open Payments, https://openpaymentsdata.cms.gov (last visited Oct. 10, 2025).
[20] See, e.g., 42 C.F.R. §420.302 (establishing a “[r]equirement for access clause in [certain health care] contracts”); 45 C.F.R. §164.504(e) (establishing requirements for “[b]usiness associate contracts”).
Originally published in the Oklahoma Bar Journal – OBJ 97 No. 3 (March 2026)
Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.