January 27, 2019

The Key Federal Statutes Regulating Doctors

Healthcare regulations seem to grow more complex with every passing year.  Doctors are expected to know, and comply with, an alphabet soup of federal statutes and associated regulations governing everything from employment to patient privacy to personal finances, and everything in between.  In order to simplify matters, we have prepared the following summary of the federal statutes we most often encounter in our practice. 

This list is by no means exhaustive and does not cover topics that more generally apply to the healthcare industry as a whole, such as the Affordable Care Act (ACA or, more colloquially, Obamacare), the Medicare Access and CHIP Reauthorization Act (MACRA), and similar laws.  Instead, these are the statutes that are most likely to affect individual doctors and small groups as they provide direct patient care.


The Anti-Kickback Statute (AKS) and the similar, but distinct, Stark Law both have the goal of removing financial incentives from physicians’ consideration of treatment options for their patients.  Generally speaking, the AKS prevents physicians from receiving anything of value in exchange for referring any patients to any third parties for any particular treatment, while the Stark Law prohibits physicians from referring patients to any treatment facilities in which the physician has an ownership interest.

Both the AKS and the Stark Law carry significant penalties for violations.  Violations of the AKS can result in criminal convictions for Medicare fraud, while violations of the Stark Law can result in penalties totaling hundreds of thousands of dollars, and violations of either can result in being permanently banned from treating Medicare patients.  Additional information about the Stark Law and AKS can be found here.


The Emergency Medical Treatment and Active Labor Act (EMTALA) was enacted in 1986 as an effort to eliminate the practice of “patient dumping” – refusing to treat patients or transferring patients to public hospitals simply because they are uninsured or otherwise unable to pay for treatment.  EMTALA applies to nearly all hospitals in the United States, and in essence, it prohibits any hospitals that accept Medicare from refusing to treat emergency room patients until after they have been examined and, if necessary, stabilized.

Violating EMTALA can carry significant fines, including civil penalties of up to $50,000.00 per violation.  These violations can be assessed against hospitals and physicians, so all doctors who work in emergency medicine in a hospital setting should be familiar with its requirements.


Unlike most of the other statutes on this list, the False Claims Act (FCA) is not a healthcare-specific statute.  Instead, it applies whenever false claims for payment are knowingly presented to the federal government.  In the healthcare context, the FCA most commonly arises when potentially fraudulent claims are submitted to Medicare or Medicaid for reimbursement. 

Often, these potentially fraudulent claims are revealed through audits performed by the Office of the Inspector General (OIG) for the Center for Medicare and Medicaid Studies (CMS).  The consequences for violating the FCA can be severe, and include civil penalties of up to $11,000 per violation, plus three times the actual amount paid to the provider.  In some cases, the OIG can also refer doctors to the Department of Justice for criminal prosecution.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is possibly the most asked-about and confusing federal law regulating the practice of medicine.  HIPAA affects many areas of healthcare, from insurance eligibility to tax savings plans.  However, the area that most affects doctors is Title II of HIPAA, which focuses on the privacy of patients’ protected health information.

A more extensive summary of the HIPAA rules applicable to patient privacy can be found here. In brief, HIPAA creates obligations for doctors to safeguard their patients’ health information under what is commonly called the Privacy Rule.  If doctors fail to follow those safeguards, they can incur substantial civil penalties.  In fact, the fines can reach up to $50,000.00 depending on how egregious the violation is.  Although rare, there have even been criminal prosecutions in cases where healthcare providers have deliberately accessed medical records in knowing violation of the statute.


The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 with the goal of incentivizing doctors to move away from paper records and toward Electronic Health Records (EHR).  The Department of Health and Human Services provided billions of dollars in subsidies to encourage doctors to adopt EHR systems, with the idea that EHR provided more accurate and more easily transmissible patient records that could improve the quality of care a patient received while being treated by different physicians.

Additionally, the HITECH Act amended HIPAA to impose some additional requirements designed to protect against the improper access of protected health information (PHI).  Specifically, with the enactment of the HITECH Act, healthcare providers are now required to secure patient data electronically, which often must be done through encryption.  In the event of a data breach that compromises PHI, healthcare providers must also comply with data breach notification requirements or face significant penalties.


Like the FCA, the Occupational Safety and Health Administration (OSHA) regulations do not exclusively apply to healthcare providers.  Instead, OSHA provides a framework for workplace safety in a variety of contexts.  However, there are certain regulations that apply specifically to doctors.  In Arizona, much of the regulatory framework that applies to doctors is actually set up under state law through a federally-approved state plan.  The Arizona plan allows state inspectors to conduct an inspection, without notice, at any reasonable time and, upon discovery of violations, levy fines of up to $7,000 per violation.  Additional information on the OSHA regulations and consequences for failing to comply with those regulations can be found here.


The above is just a general overview of some of the most common issues we see arise under federal law.  It’s important to remember that additional requirements can be imposed by state and local law.  For example, Phoenix and Scottsdale both have licensing and zoning requirements for businesses that must be considered as part of an overall regulatory compliance framework.  If you have specific questions about whether you are in compliance with a statute, you should speak with an experienced healthcare lawyer.