HIPAA and the Anti-Kickback Statute are more similar than different

August 31, 2018

Providers should evaluate Anti-Kickback and HIPAA compliance simultaneously.

Originally passed in 1972, the Anti-Kickback Statute (AKS) is one of the pre-eminent federal fraud and abuse statutes because of its impact on healthcare provider, pharmaceutical, and medical device relationships. Fundamentally, the AKS is a criminal statute that prohibits transactions intended to induce or reward referrals for items or services reimbursed by government payers. Like most laws, there are “safe harbors”: categories of conduct that, if met, do not necessarily render the activity illegal. On July 29, 1991, the Office of the Inspector General (OIG) issued the first in a series of regulations implementing the safe harbors.

In 1996, the AKS was further amended through the Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191 (August 1996). HIPAA made three material changes to the AKS:

  • extending the statute to apply to services covered by the “federal health care programs,”
  • adding a new safe harbor concerning certain risk-sharing arrangements, and
  • enhancing communication between the OIG and the public.

Subsequently, in 2010, the Patient Protection and Affordable Care Act (ACA) became law and made a number of changes to the AKS, including “expanding” its intent standard and specifying that violations of the AKS may trigger liability under the False Claims Act.

When most people think of HIPAA, they think of the privacy and security of protected health information, establishing the requirement for a National Provider Identifier, and the portability of health insurance.

However, recent False Claims Act cases further highlight the nexus between the AKS and HIPAA. The AKS makes it unlawful for a person to knowingly and willfully; offer, pay, solicit or receive; any remuneration (directly or indirectly); to induce or in return for a referral or for recommending a referral, or purchasing or recommending or arranging for the purchase; of covered items or services; paid for by any federal health care program. 42 U.S.C. § 1320a-7b(b); Social Security Act § 1128B(b). Analogous to the AKS, it is prohibited to directly or indirectly receive “remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.” 42 U.S.C. 164.502(a)(5)(ii). Both statutes provide for civil and criminal penalties.

Physicians should be aware that pharmaceutical and medical device companies have resorted to wantonly disregarding patient privacy protections and paying (directly or indirectly) to gain access to medical records in order to increase sales, a clear violation of both HIPAA and the AKS. Physicians should be conscious of accepting meals, speaking engagements and services, and granting access to pharmaceutical representatives. If they fail to disclose everything to the patient and gain the patient's consent, that could form the basis of a false claim, particularly when submitting a claim for payment or a prescription that is paid for by a government payer. In sum, physicians should assess both their HIPAA and AKS compliance simultaneously to reduce the risk of a HIPAA or AKS violation and make certain there is not the potential for a False Claims Act case.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.