Top Hospital Compliance Issues: HIPAA and Stark Law

Jun 24, 2020 | Blog

HIPAA and Stark Law share several common characteristics. Both are a complex set of laws and regulations governing medical practice. Both constantly change as new regulations are added. Both require a high degree of effort to maintain compliance. Both also impose heavy penalties for violations, which have included multi-million dollar lawsuits for some. Hospitals should follow compliance standards for HIPAA and Stark Law to protect themselves, their employees, and their patients.

When the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, it required Health and Human Services (HHS) to regulate the privacy and security of health information. The Privacy Rule establishes national rules for the safeguarding, use, and disclosure of private health information. The Security Rule governs the confidentiality, integrity, and security of electronic private health care information. Both rules are relevant to healthcare entities.

Without careful attention to HIPAA regulations and adherence to best practices for compliance, HIPAA violations can occur. Learning about common threats to compliance can also reduce the risk of HIPAA violations. Recent changes to technology, including artificial intelligence and the increasing prevalence of ransomware, make it more important than ever to guard patient information carefully. Watch for these six common HIPAA violations and follow best practices to help your healthcare entity avoid them.

Top 6 HIPAA Violations and How to Avoid Them

  1. Hacking and Malware. Installing antivirus software and firewalls can protect against data theft and destruction. Frequently changing passwords provides another layer of protection.
  2. Loss and Theft of Devices. You can be held responsible for personal health information stolen from a laptop or phone if the information wasn’t secured properly. Data should be password-protected and encrypted. Devices should also be stored in a safe location.
  3. Unsecured Data. Personal health information, whether stored in physical or digital files, should be properly stored and only accessible to those who need it. If information is stored digitally, passwords and encryption are vital. Healthcare entities using artificial intelligence are required to sign a business associate agreement to ensure data can be stored securely and that the AI follows HIPAA regulations.
  4. Employee Use and Disclosure. All employees should understand that they can only share health information needed by medical staff, dependents, and those with power of attorney.
  5. Insufficient Staff Education. Not only is staff education important to protect your patients and your practice, it’s also legally required. Although the law does not define a time interval for training, it’s best practice to train employees annually on HIPAA law.
  6. Improper Records Disposal. Employees must be trained on how to dispose of records. This includes shredding paper files and removing files from all locations on the computer system.

Once you and your staff understand HIPAA regulations, you should also receive training on Stark Law. Even though Stark Law governs physician referral rather than patient records, it’s still important for everyone involved in patient care to understand the law in order to assist in maintaining hospital compliance.

Stark Law Basics

In a nutshell, Stark Law prohibits physicians from receiving kickbacks for patient referrals. Although it may sound simple, Stark Law, with its provisions, regulations, exceptions, and clarifications, can be complex in practice. The penalties for violations, even accidental ones, are severe. They include hefty fines — up to $15,000 for each incident, plus up to three times the amount of the government repayment. Intentional violations lead to even harsher penalties, including debarment or exclusions.

Stark Law consists of three separate provisions (known as Stark I, Stark II, and Phase III) that regulate physicians’ financial interest in patient referrals. Physicians are barred from referring patients to an entity in which they have a direct or indirect financial interest. Financial interest is defined as ownership, investments, or compensation structures. Stark Law also stipulates that healthcare entities may not present a bill or claim for a direct health service resulting from a prohibited referral.

Exceptions to Stark Law

In some instances, a financially beneficial referral isn’t illegal. The three provisions of Stark Law and subsequent legislation define over 30 exceptions to the prohibition against referrals to direct health services. Some of these include:

  • In-office ancillary services
  • Academic medical centers
  • Physician services when the physician is a member of the same group practice
  • Some clinical laboratory services
  • Implants in ambulatory surgical centers

There are other exceptions, of course, and regulations governing Stark Law exceptions change frequently. In order to remain in compliance, healthcare entities should verify that their arrangements satisfy the most current regulations, even if they were in compliance under previous versions of Stark Law.

Some Stark Law violations can occur accidentally, such as when physicians fail to sign a contract renewal, omit Stark Law exceptions from a contract, make alternative payment arrangements, or fail to track compensation. That’s why it’s so important to ensure your organization follows best practices. Careful adherence to regulations and proper documentation can protect you.

7 Best Practices for Stark Law Compliance

  • Create a detailed database of all physician arrangements and ensure all arrangements meet Stark Law requirements including exception rules, signatures from all parties, no referral relationships, proper documentation, and reviews of payment and performance.
  • Update documentation whenever physician arrangements change.
  • Carefully document payment between parties.
  • Audit physician relationships.
  • Ensure Stark Law is part of your compliance program. Regularly train employees on relevant Stark Law requirements.
  • Develop appropriate policies, procedures, and communication around Stark Law compliance.
  • Respond with corrective action quickly if offenses occur.

In the ever-changing world of healthcare regulation, HIPAA and Stark Law compliance can be complex. Given the stiff penalties for non-compliance and current technological threats to privacy and security, it’s more important than ever to implement best practices so that your hospital stays in compliance, keeping your practice and your patients as safe as possible.


Written by Verisys